-```text

- <OutputClaim ClaimTypeReferenceId="email" Required="true" />

- <OutputClaim ClaimTypeReferenceId="password" Required="true" />

- <Predicate Id="AllowedAADCharacters" Method="MatchesRegex" HelpText="An invalid character was provided.">

-In this sample tutorial, you'll learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with Rampart by WhoIAM. Rampart provides features for a fully integrated helpdesk and invitation-gated user registration experience. It allows support specialists to perform tasks like resetting passwords and multi-factor authentication without using Azure. It also enables apps and role-based access control (RBAC) for end-users of Azure AD B2C.

-To get started, you'll need:

-WhoIAM Rampart is built entirely in Azure and runs in your Azure environment. The following components comprise the Rampart solution with Azure AD B2C:

-## Step 1 - Onboard with Rampart

-Contact [WhoIAM](https://www.whoiam.ai/contact-us/) to start the onboarding process. Automated templates will deploy all necessary Azure resources, and they'll configure your DevOps instance with the required code and configuration according to your needs.

-## Step 2 - Configure and integrate Rampart with Azure AD B2C

-The tight integration of this solution with Azure AD B2C requires custom policies. WhoIAM provides these policies and assists with integrating them with your applications or existing policies, or both.

-Follow the steps mentioned in [Authorization policy execution](https://docs.gatekeeper.whoiamdemos.com/#/setup-guide?id=authorization-policy-execution) for details on the custom policies provided by WhoIAM.

-## Step 3 - Test the solution

-The image shows an example of how WhoIAM Rampart displays a list of app registrations in your Azure AD B2C tenant. WhoIAM validates the implementation by testing all features and health check status endpoints.

-The applications screen should display a list of all user-created applications in your Azure AD B2C tenant.

-Likewise, the user's screen should display a list of all users in your Azure AD B2C directory and user management functions such as invitations, approvals, and RBAC management.

-For more information, review the following articles:

-This article describes the general steps for managing automatic user account provisioning and de-provisioning for applications that support it. *User account provisioning* is the act of creating, updating, and/or disabling user account records in an applicationΓÇÖs local user profile store. Most cloud and SaaS applications store the users role and permissions in the user's own local user profile store, and presence of such a user record in the user's local store is *required* for single sign-on and access to work. To learn more about automatic user account provisioning, see [Automate User Provisioning and Deprovisioning to SaaS Applications with Azure Active Directory](user-provisioning.md).

-* **Automatic** - This option is shown if Azure AD supports automatic API-based provisioning or de-provisioning of user accounts to this application. Select this mode to display an interface that helps administrators:

-Expand **Settings** to set an email address to receive notifications and whether to receive alerts on errors. You can also select the scope of users to sync. You can choose to sync all users and groups or only those that are assigned.

-If provisioning is being enabled for the first time for an application, turn on the service by changing the **Provisioning Status** to **On**. This change causes the Azure AD provisioning service to run an initial cycle. It reads the users assigned in the **Users and groups** section, queries the target application for them, and then runs the provisioning actions defined in the Azure AD **Mappings** section. During this process, the provisioning service stores cached data about what user accounts it's managing, so non-managed accounts inside the target applications that were never in scope for assignment aren't affected by de-provisioning operations. After the initial cycle, the provisioning service automatically synchronizes user and group objects on a forty-minute interval.

-This article describes how to use scoping filters in the Azure Active Directory (Azure AD) provisioning service to define attribute-based rules that determine which users or groups are provisioned.

-A single clause defines a single condition for a single attribute value. If multiple clauses are created in a single scoping filter, they're evaluated together by using "AND" logic. This means all clauses must evaluate to "true" in order for a user to be provisioned.

-Finally, multiple scoping filters can be created for a single application. If multiple scoping filters are present, they're evaluated together by using "OR" logic. This means that if all the clauses in any of the configured scoping filters evaluate to "true", the user is provisioned.

- h. **NOT REGEX MATCH**. Clause returns "true" if the evaluated attribute doesn't match a regular expression pattern. It will return "false" if the attribute is null / empty.

-|userPrincipalName|REGEX MATCH|`.\*@domain.com`|All users with userPrincipal that has the domain @domain.com will be in scope for provisioning|

-|userPrincipalName|NOT REGEX MATCH|`.\*@domain.com`|All users with userPrincipal that has the domain @domain.com will be out of scope for provisioning|

-|workerID|REGEX MATCH|`(1[0-9][0-9][0-9][0-9][0-9][0-9])`| All employees with workerIDs between 1000000 and 2000000 are in scope for provisioning.|

-Some CORS issues can't be resolved, such as when your app redirects to *login.microsoftonline.com* to authenticate, and the access token expires. The CORS call then fails. A workaround for this scenario is to extend the lifetime of the access token, to prevent it from expiring during a userΓÇÖs session. For more information about how to do this, see [Configurable token lifetimes in Azure AD](../develop/active-directory-configurable-token-lifetimes.md).

-In addition to Smart lockout, Azure AD also protects against attacks by analyzing signals including IP traffic and identifying anomalous behavior. Azure AD will block these malicious sign-ins by default and return [AADSTS50053 - IdsLocked error code](../develop/reference-aadsts-error-codes.md), regardless of the password validity.

-If you aren't using CAE-capable clients, your default access token lifetime will remain 1 hour. The default only changes if you configured your access token lifetime with the [Configurable Token Lifetime (CTL)](../develop/active-directory-configurable-token-lifetimes.md) preview feature.

-> If you are using the [configurable token lifetime](../develop/active-directory-configurable-token-lifetimes.md) feature currently in public preview, please note that we donΓÇÖt support creating two different policies for the same user or app combination: one with this feature and another one with configurable token lifetime feature. Microsoft retired the configurable token lifetime feature for refresh and session token lifetimes on January 30, 2021 and replaced it with the Conditional Access authentication session management feature.

-More information about error codes can be found in the article [Azure AD Authentication and authorization error codes](../develop/reference-aadsts-error-codes.md). Error codes in the list appear with a prefix of `AADSTS` followed by the code seen in the browser, for example `AADSTS53002`.

-Adjust the lifetime of an access token to control how often the client application expires the application session, and how often it requires the user to reauthenticate (either silently or interactively). To override the default access token lifetime variation, use [Configurable token lifetime (CTL)](active-directory-configurable-token-lifetimes.md).

-Organizations can use [token lifetime configuration](active-directory-configurable-token-lifetimes.md) to alter the lifetime of refresh tokens Some tokens can go without use. For example, the user doesn't open the application for three months and then the token expires. Applications can encounter scenarios where the login server rejects a refresh token due to its age.

-For more information, see [configurable token lifetimes](active-directory-configurable-token-lifetimes.md).

-You can adjust the lifetime of an ID token to control how often the client application expires the application session, and how often it requires the user to re-authenticate either silently or interactively. For more information, read [Configurable token lifetimes](active-directory-configurable-token-lifetimes.md).

- Read and understand the [Microsoft Platform Policies](/legal/microsoft-identity-platform/terms-of-use). Ensure that your application adheres to the terms outlined as they're designed to protect users and the platform.

- Make sure the information associated with the account you used to register and manage apps is up-to-date.

-.

-. Make sure your name and logo are representative of your company/product so that users can make informed decisions. Ensure that you're not violating any trademarks.

- Provide links to your app's terms of service and privacy statement.

- Manage your redirect URIs: <ul><li>Maintain ownership of all your redirect URIs and keep the DNS records for them up-to-date.</li><li>Don't use wildcards (*) in your URIs.</li><li>For web apps, make sure all URIs are secure and encrypted (for example, using https schemes).</li><li>For public clients, use platform-specific redirect URIs if applicable (mainly for iOS and Android). Otherwise, use redirect URIs with a high amount of randomness to prevent collisions when calling back to your app.</li><li>If your app is being used from an isolated web agent, you may use `https://login.microsoftonline.com/common/oauth2/nativeclient`.</li><li>Review and trim all unused or unnecessary redirect URIs on a regular basis.</li></ul>

- If your app is registered in a directory, minimize and manually monitor the list of app registration owners.

-.

-.

- to store and regularly rotate your credentials.

-. Only use application permissions if necessary; use delegated permissions where possible. For a full list of Microsoft Graph permissions, see this [permissions reference](/graph/permissions-reference).

- If you're securing an API using the Microsoft identity platform, carefully think through the permissions it should expose. Consider what's the right granularity for your solution and which permission(s) require admin consent. Check for expected permissions in the incoming tokens before making any authorization decisions.

-) to securely sign in users.

-. If you must hand-code for the authentication protocols, you should follow the [Microsoft SDL](https://www.microsoft.com/sdl/default.aspx) or similar development methodology. Pay close attention to the security considerations in the standards specifications for each protocol.

- apps.

- For mobile apps, configure each platform using the application registration experience. In order for your application to take advantage of the Microsoft Authenticator or Microsoft Company Portal for single sign-in, your app needs a ΓÇ£broker redirect URIΓÇ¥ configured. This allows Microsoft to return control to your application after authentication. When configuring each platform, the app registration experience will guide you through the process. Use the quickstart to download a working example. On iOS, use brokers and system webview whenever possible.

-.

- If the data your app requires is available through [Microsoft Graph](https://developer.microsoft.com/graph), request permissions for this data using the Microsoft Graph endpoint rather than the individual API.

- Don't look at the access token value, or attempt to parse it as a client. They can change values, formats, or even become encrypted without warning - always use the id_token if your client needs to learn something about the user, or call Microsoft Graph. Only web APIs should parse access tokens (since they are the ones defining the format and setting the encryption keys).

- and configure the pieces of your appΓÇÖs consent prompt so that end users and admins have enough information to determine if they trust your app.

- Minimize the number of times a user needs to enter login credentials while using your app by attempting silent authentication (silent token acquisition) before interactive flows.

- Don't use ΓÇ£prompt=consentΓÇ¥ for every sign-in. Only use prompt=consent if youΓÇÖve determined that you need to ask for consent for additional permissions (for example, if youΓÇÖve changed your appΓÇÖs required permissions).

- Where applicable, enrich your application with user data. Using the [Microsoft Graph API](https://developer.microsoft.com/graph) is an easy way to do this. The [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) tool that can help you get started.

- at run time to help users understand why your app is requesting permissions that may concern or confuse users when requested on first start.

- Implement a [clean single sign-out experience](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut). ItΓÇÖs a privacy and a security requirement, and makes for a good user experience.

- Test for [Conditional Access policies](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-6-SignOut) that may affect your usersΓÇÖ ability to use your application.

- Test your application with all possible accounts that you plan to support (for example, work or school accounts, personal Microsoft accounts, child accounts, and sovereign accounts).

-When processing exceptions and errors, you can use the exception type itself and the error code to distinguish between exceptions. For a list of error codes, see [Authentication and authorization error codes](reference-aadsts-error-codes.md).

-If [MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception) is thrown, try [Authentication and authorization error codes](reference-aadsts-error-codes.md) to see if the code is listed there.

-When an error is returned, the `"error_description"` key also contains a human-readable message, and there is typically also an `"error_code"` key which contains a machine-readable Microsoft identity platform error code. For more information about the various Microsoft identity platform error codes, see [Authentication and authorization error codes](./reference-aadsts-error-codes.md).

-As a reminder, your application code shouldn't make decisions based on error code strings like `AADSTS50105`. Instead, [follow our error-handling guidance](reference-aadsts-error-codes.md#handling-error-codes-in-your-application) and use the [standardized authentication responses](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) like `interaction_required` and `login_required` found in the standard `error` field in the response. The other response fields are intended for consumption only by humans troubleshooting their issues.

-// .NET Standard (this will be on all platforms at runtime, but only on NetStandard at build time)

-The pattern for acquiring tokens for APIs with [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js) is to first attempt a silent token request by using the `acquireTokenSilent` method. When this method is called, the library first checks the cache in browser storage to see if a non-expired access token exists and returns it. If no access token is found or the access token found has expired, it attempts to use its refresh token to get a fresh access token. If the refresh token's 24-hour lifetime has also expired, MSAL.js will open a hidden iframe to silently request a new authorization code by leveraging the existing active session with Azure AD (if any), which will then be exchanged for a fresh set of tokens (access _and_ refresh tokens). For more information about single sign-on (SSO) session and token lifetime values in Azure AD, see [Token lifetimes](active-directory-configurable-token-lifetimes.md). For more information on MSAL.js cache lookup policy, see: [Acquiring an Access Token](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/acquire-token.md#acquiring-an-access-token).

-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.

-Token lifetime policies can currently only be managed through PowerShell. Read about [configurable token lifetimes](active-directory-configurable-token-lifetimes.md) to learn about identifying any token lifetime policies that apply to your whole production organization. Copy those policies to your test tenant.

-In this tutorial, you build an Angular single-page application (SPA) that signs in users and calls the Microsoft Graph API by using the authorization code flow with PKCE. The SPA you build uses the Microsoft Authentication Library (MSAL) for Angular v2.

-> * Create an Angular project with `npm`

-## Create your project

-Once you have [Node.js](https://nodejs.org/en/download/) installed, open up a terminal window and then run the following commands to generate a new Angular application:

-```bash

-npm install -g @angular/cli # Install the Angular CLI

-ng new msal-angular-tutorial --routing=true --style=css --strict=false # Generate a new Angular app

-cd msal-angular-tutorial # Change to the app directory

-npm install @angular/material @angular/cdk # Install the Angular Material component library (optional, for UI)

-npm install @azure/msal-browser @azure/msal-angular # Install MSAL Browser and MSAL Angular in your application

-ng generate component home # To add a home page

-ng generate component profile # To add a profile page

-```

-## Register your application

-Follow the [instructions to register a single-page application](./scenario-spa-app-registration.md) in the Azure portal.

-On the app **Overview** page of your registration, note the **Application (client) ID** value for later use.

-Register your **Redirect URI** value as **http://localhost:4200/** and type as 'SPA'.

-## Configure the application

-1. In the *src/app* folder, edit *app.module.ts* and add `MsalModule` and `MsalInterceptor` to `imports` as well as the `isIE` constant. Your code should look like this:

- import { MsalModule } from '@azure/msal-angular';

- bootstrap: [AppComponent]

- Replace these values:

- |Value name|About|

- |||

- |Enter_the_Application_Id_Here|On the **Overview** page of your application registration, this is your **Application (client) ID** value. |

- |Enter_the_Cloud_Instance_Id_Here|This is the instance of the Azure cloud. For the main or global Azure cloud, enter **https://login.microsoftonline.com**. For national clouds (for example, China), see [National clouds](./authentication-national-cloud.md).|

- |Enter_the_Tenant_Info_Here| Set to one of the following options: If your application supports *accounts in this organizational directory*, replace this value with the directory (tenant) ID or tenant name (for example, **contoso.microsoft.com**). If your application supports *accounts in any organizational directory*, replace this value with **organizations**. If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with **common**. To restrict support to *personal Microsoft accounts only*, replace this value with **consumers**. |

- |Enter_the_Redirect_Uri_Here|Replace with **http://localhost:4200**.|

- For more information about available configurable options, see [Initialize client applications](msal-js-initializing-client-applications.md).

-2. Add routes to the home and profile components in the *src/app/app-routing.module.ts*. Your code should look like the following:

-## Replace base UI

-1. Replace the placeholder code in *src/app/app.component.html* with the following:

-2. Add material modules to *src/app/app.module.ts*. Your `AppModule` should look like this:

- ```javascript

- import { BrowserModule } from '@angular/platform-browser';

- import { BrowserAnimationsModule } from '@angular/platform-browser/animations';

- import { NgModule } from '@angular/core';

- import { MatButtonModule } from '@angular/material/button';

- import { MatToolbarModule } from '@angular/material/toolbar';

- import { MatListModule } from '@angular/material/list';

- import { AppRoutingModule } from './app-routing.module';

- import { AppComponent } from './app.component';

- import { HomeComponent } from './home/home.component';

- import { ProfileComponent } from './profile/profile.component';

- import { MsalModule } from '@azure/msal-angular';

- import { PublicClientApplication } from '@azure/msal-browser';

- const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;

- @NgModule({

- declarations: [

- AppComponent,

- HomeComponent,

- ProfileComponent

- ],

- imports: [

- BrowserModule,

- BrowserAnimationsModule,

- AppRoutingModule,

- MatButtonModule,

- MatToolbarModule,

- MatListModule,

- MsalModule.forRoot( new PublicClientApplication({

- auth: {

- clientId: 'Enter_the_Application_Id_here',

- authority: 'Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here',

- redirectUri: 'Enter_the_Redirect_Uri_Here'

- },

- cache: {

- cacheLocation: 'localStorage',

- storeAuthStateInCookie: isIE,

- }

- }), null, null)

- ],

- providers: [],

- bootstrap: [AppComponent]

- })

- export class AppModule { }

- ```

-3. (OPTIONAL) Add CSS to *src/style.css*:

-4. (OPTIONAL) Add CSS to *src/app/app.component.css*:

-## Sign in a user

-Add the code from the following sections to invoke login using a pop-up window or a full-frame redirect:

-### Sign in using pop-ups

-1. Change the code in *src/app/app.component.ts* to the following to sign in a user using a pop-up window:

-> [!NOTE]

-> The rest of this tutorial uses the `loginRedirect` method with Microsoft Internet Explorer because of a [known issue](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/internet-explorer.md) related to the handling of pop-up windows by Internet Explorer.

-### Sign in using redirects

-1. Update *src/app/app.module.ts* to bootstrap the `MsalRedirectComponent`. This is a dedicated redirect component which will handle redirects. Your code should now look like this:

- import { BrowserModule } from '@angular/platform-browser';

- import { BrowserAnimationsModule } from '@angular/platform-browser/animations';

- import { NgModule } from '@angular/core';

- import { MatButtonModule } from '@angular/material/button';

- import { MatToolbarModule } from '@angular/material/toolbar';

- import { MatListModule } from '@angular/material/list';

- import { AppRoutingModule } from './app-routing.module';

- import { AppComponent } from './app.component';

- import { HomeComponent } from './home/home.component';

- import { ProfileComponent } from './profile/profile.component';

- import { PublicClientApplication } from '@azure/msal-browser';

- const isIE = window.navigator.userAgent.indexOf('MSIE ') > -1 || window.navigator.userAgent.indexOf('Trident/') > -1;

- @NgModule({

- declarations: [

- AppComponent,

- HomeComponent,

- ProfileComponent

- ],

- imports: [

- BrowserModule,

- BrowserAnimationsModule,

- AppRoutingModule,

- MatButtonModule,

- MatToolbarModule,

- MatListModule,

- MsalModule.forRoot( new PublicClientApplication({

- auth: {

- clientId: 'Enter_the_Application_Id_here',

- authority: 'Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here',

- redirectUri: 'Enter_the_Redirect_Uri_Here'

- },

- cache: {

- cacheLocation: 'localStorage',

- storeAuthStateInCookie: isIE,

- }

- }), null, null)

- ],

- providers: [],

- })

- export class AppModule { }

-2. Add the `<app-redirect>` selector to *src/https://docsupdatetracker.net/index.html*. This selector is used by the `MsalRedirectComponent`. Your *src/https://docsupdatetracker.net/index.html* should look like this:

-3. Replace the code in *src/app/app.component.ts* with the following to sign in a user using a full-frame redirect:

-4. Replace existing code in *src/app/home/home.component.ts* to subscribe to the `LOGIN_SUCCESS` event. This will allow you to access the result from the successful login with redirect. Your code should look like this:

-In order to render certain UI only for authenticated users, components have to subscribe to the `MsalBroadcastService` to see if users have been signed in and interaction has completed.

-## Guarding routes

-### Angular Guard

-MSAL Angular provides `MsalGuard`, a class you can use to protect routes and require authentication before accessing the protected route. The steps below add the `MsalGuard` to the `Profile` route. Protecting the `Profile` route means that even if a user does not sign in using the `Login` button, if they try to access the `Profile` route or click the `Profile` button, the `MsalGuard` will prompt the user to authenticate via pop-up or redirect before showing the `Profile` page.

-`MsalGuard` is a convenience class you can use improve the user experience, but it should not be relied upon for security. Attackers can potentially get around client-side guards, and you should ensure that the server does not return any data the user should not access.

-1. Add the `Interceptor` class as a provider to your application in *src/app/app.module.ts*, with its configurations. Your code should now look like this:

- |Value name| About|

- |-||

- |`Enter_the_Graph_Endpoint_Here`| The instance of the Microsoft Graph API the application should communicate with. For the **global** Microsoft Graph API endpoint, replace both instances of this string with `https://graph.microsoft.com`. For endpoints in **national** cloud deployments, see [National cloud deployments](/graph/deployments) in the Microsoft Graph documentation.|

-2. Replace the code in *src/app/profile/profile.component.ts* to retrieve a user's profile with an HTTP request:

-3. Replace the UI in *src/app/profile/profile.component.html* to display profile information:

-Update the code in *src/app/app.component.html* to conditionally display a `Logout` button:

-```HTML

-<mat-toolbar color="primary">

- <a class="title" href="/">{{ title }}</a>

- <div class="toolbar-spacer"></div>

- <a mat-button [routerLink]="['profile']">Profile</a>

- <button mat-raised-button *ngIf="!loginDisplay" (click)="login()">Login</button>

- <button mat-raised-button *ngIf="loginDisplay" (click)="logout()">Logout</button>

-</mat-toolbar>

-<div class="container">

- <!--This is to avoid reload during acquireTokenSilent() because of hidden iframe -->

- <router-outlet *ngIf="!isIframe"></router-outlet>

-</div>

-```

-Update the code in *src/app/app.component.ts* to sign out a user using redirects:

-```javascript

-import { Component, OnInit, OnDestroy, Inject } from '@angular/core';

-import { MsalService, MsalBroadcastService, MSAL_GUARD_CONFIG, MsalGuardConfiguration } from '@azure/msal-angular';

-import { InteractionStatus, RedirectRequest } from '@azure/msal-browser';

-import { Subject } from 'rxjs';

-import { filter, takeUntil } from 'rxjs/operators';

-@Component({

- selector: 'app-root',

- templateUrl: './app.component.html',

- styleUrls: ['./app.component.css']

-})

-export class AppComponent implements OnInit, OnDestroy {

- title = 'msal-angular-tutorial';

- isIframe = false;

- loginDisplay = false;

- private readonly _destroying$ = new Subject<void>();

- constructor(@Inject(MSAL_GUARD_CONFIG) private msalGuardConfig: MsalGuardConfiguration, private broadcastService: MsalBroadcastService, private authService: MsalService) { }

- ngOnInit() {

- this.isIframe = window !== window.parent && !window.opener;

- this.broadcastService.inProgress$

- .pipe(

- filter((status: InteractionStatus) => status === InteractionStatus.None),

- takeUntil(this._destroying$)

- )

- .subscribe(() => {

- this.setLoginDisplay();

- })

- }

- login() {

- if (this.msalGuardConfig.authRequest){

- this.authService.loginRedirect({...this.msalGuardConfig.authRequest} as RedirectRequest);

- } else {

- this.authService.loginRedirect();

- }

- logout() { // Add log out function here

- this.authService.logoutRedirect({

- postLogoutRedirectUri: 'http://localhost:4200'

- });

- }

- setLoginDisplay() {

- this.loginDisplay = this.authService.instance.getAllAccounts().length > 0;

- }

- ngOnDestroy(): void {

- this._destroying$.next(undefined);

- this._destroying$.complete();

- }

-}

-```

-Update the code in *src/app/app.component.ts* to sign out a user using pop-ups:

-```javascript

-import { Component, OnInit, OnDestroy, Inject } from '@angular/core';

-import { MsalService, MsalBroadcastService, MSAL_GUARD_CONFIG, MsalGuardConfiguration } from '@azure/msal-angular';

-import { InteractionStatus, PopupRequest } from '@azure/msal-browser';

-import { Subject } from 'rxjs';

-import { filter, takeUntil } from 'rxjs/operators';

-@Component({

- selector: 'app-root',

- templateUrl: './app.component.html',

- styleUrls: ['./app.component.css']

-})

-export class AppComponent implements OnInit, OnDestroy {

- title = 'msal-angular-tutorial';

- isIframe = false;

- loginDisplay = false;

- private readonly _destroying$ = new Subject<void>();

- constructor(@Inject(MSAL_GUARD_CONFIG) private msalGuardConfig: MsalGuardConfiguration, private broadcastService: MsalBroadcastService, private authService: MsalService) { }

- ngOnInit() {

- this.isIframe = window !== window.parent && !window.opener;

- this.broadcastService.inProgress$

- .pipe(

- filter((status: InteractionStatus) => status === InteractionStatus.None),

- takeUntil(this._destroying$)

- )

- .subscribe(() => {

- this.setLoginDisplay();

- })

- }

- login() {

- if (this.msalGuardConfig.authRequest){

- this.authService.loginPopup({...this.msalGuardConfig.authRequest} as PopupRequest)

- .subscribe({

- next: (result) => {

- console.log(result);

- this.setLoginDisplay();

- },

- error: (error) => console.log(error)

- });

- } else {

- this.authService.loginPopup()

- .subscribe({

- next: (result) => {

- console.log(result);

- this.setLoginDisplay();

- },

- error: (error) => console.log(error)

- }

- logout() { // Add log out function here

- this.authService.logoutPopup({

- mainWindowRedirectUri: "/"

- });

- }

- setLoginDisplay() {

- this.loginDisplay = this.authService.instance.getAllAccounts().length > 0;

- }

- ngOnDestroy(): void {

- this._destroying$.next(undefined);

- this._destroying$.complete();

- }

-}

-```

-1. Start the web server to listen to the port by running the following commands at a command-line prompt from the application folder:

-1. In your browser, enter **http://localhost:4200** or **http://localhost:{port}**, where *port* is the port that your web server is listening on. You should see a page that looks like the one below.

-### Provide consent for application access

-The first time that you start to sign in to your application, you're prompted to grant it access to your profile and allow it to sign you in:

-If you consent to the requested permissions, the web application shows a successful login page:

-### Call the Graph API

-After you sign in, select **Profile** to view the user profile information returned in the response from the call to the Microsoft Graph API:

-The Microsoft Graph API requires the _User.Read_ scope to read a user's profile. The _User.Read_ scope is added automatically to every app registration you create in the Azure portal. Other APIs for Microsoft Graph, as well as custom APIs for your back-end server, might require additional scopes. For example, the Microsoft Graph API requires the _Mail.Read_ scope in order to list the user's email.

-As you add scopes, your users might be prompted to provide additional consent for the added scopes.

-Delve deeper into single-page application (SPA) development on the Microsoft identity platform in our the multi-part article series.

-> If the application uses the default system webview, check the information about "Confirm My Sign-In" functionality and error code AADSTS50199 in [Azure AD authentication and authorization error codes](reference-aadsts-error-codes.md).

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

-## January 2023

-### New articles

-### Updated articles

-* Use the sample application in [Azure-samples/Remove-unmanaged-guests](https://github.com/Azure-Samples/Remove-Unmanaged-Guests)

-* Use PowerShell cmdlets in [AzureAD/MSIdentityTools](https://github.com/AzureAD/MSIdentityTools/wiki/)

-## Resources

-See, [Get-MSIdUnmanagedExternalUser](https://github.com/AzureAD/MSIdentityTools/wiki/Get-MsIdUnmanagedExternalUser). The tool returns a list of external unmanaged users, or viral users, in the tenant.

-| Azure AD roles assignment| High| Require justification for activation.Require approval to activate. Set two-level approver process. On activation, require Azure AD Multi-Factor Authentication (MFA). Set maximum elevation duration to 8 hrs.| Privileged Role Administration, Global Administrator| A privileged role administrator can customize PIM in their Azure AD organization, including changing the experience for users activating an eligible role assignment. |

-Refresh and session token lifetimes configurability in CTL are retired. Azure Active Directory no longer honors refresh and session token configuration in existing policies. [Learn more](../develop/active-directory-configurable-token-lifetimes.md#token-lifetime-policies-for-refresh-tokens-and-session-tokens).

-1. How long a user who has been denied continued access is able to continue to use a federated application will depend upon the application's own session lifetime, and on the access token lifetime. If the applications used Kerberos, since Kerberos caches the group memberships of a user when they sign into a domain, the users may continue to have access until their Kerberos tickets expire. To learn more about controlling the lifetime of access tokens, see [configurable token lifetimes](../develop/active-directory-configurable-token-lifetimes.md).

-1. **Document the token lifetime and application's session settings.** How long a user who has been denied continued access can continue to use a federated application will depend upon the application's own session lifetime, and on the access token lifetime. The session lifetime for an application depends upon the application itself. To learn more about controlling the lifetime of access tokens, see [configurable token lifetimes](../develop/active-directory-configurable-token-lifetimes.md).

-> Example: `(Get-AzureADDirectorySetting | ? { $_.DisplayName -eq "Group.Unified"} | Select-Object -ExpandProperty Values`

-* [Azure AD Authentication and authorization error codes](../develop/reference-aadsts-error-codes.md)

-* [Azure AD Authentication and authorization error codes](../develop/reference-aadsts-error-codes.md)

-description: Learn to secure SAP ERP using Azure Active Directory (Azure AD), through F5ΓÇÖs BIG-IP Easy Button guided configuration.

-# Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to SAP ERP

-In this article, learn to secure SAP ERP using Azure Active Directory (Azure AD), through F5ΓÇÖs BIG-IP Easy Button guided configuration.

-Integrating a BIG-IP with Azure Active Directory (Azure AD) provides many benefits, including:

-* [Improved Zero Trust governance](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) through Azure AD pre-authentication and [Conditional Access](../conditional-access/overview.md)

-* Full SSO between Azure AD and BIG-IP published services

-* Manage identities and access from a single control plane, the [Azure portal](https://portal.azure.com/)

-To learn about all of the benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

-This scenario looks at the classic **SAP ERP application using Kerberos authentication** to manage access to protected content.

-Being legacy, the application lacks modern protocols to support a direct integration with Azure AD. The application can be modernized, but it is costly, requires careful planning, and introduces risk of potential downtime. Instead, an F5 BIG-IP Application Delivery Controller (ADC) is used to bridge the gap between the legacy application and the modern ID control plane, through protocol transitioning.

-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and headers-based SSO, significantly improving the overall security posture of the application.

-The SHA solution for this scenario is made up of the following:

-**SAP ERP application:** BIG-IP published service to be protected by and Azure AD SHA.

-**Azure AD:** Security Assertion Markup Language (SAML) Identity Provider (IdP) responsible for verification of user credentials, Conditional Access (CA), and SAML based SSO to the BIG-IP.

-**BIG-IP:** Reverse proxy and SAML service provider (SP) to the application, delegating authentication to the SAML IdP before performing header-based SSO to the SAP service.

-SHA for this scenario supports both SP and IdP initiated flows. The following image illustrates the SP initiated flow.

-

-| Steps| Description|

-| -- |-|

-| 1| User connects to application endpoint (BIG-IP) |

-| 2| BIG-IP APM access policy redirects user to Azure AD (SAML IdP) |

-| 3| Azure AD pre-authenticates user and applies any enforced Conditional Access policies |

-| 4| User is redirected to BIG-IP (SAML SP) and SSO is performed using issued SAML token |

-| 5| BIG-IP requests Kerberos ticket from KDC |

-| 6| BIG-IP sends request to backend application, along with Kerberos ticket for SSO |

-| 7| Application authorizes request and returns payload |

-Prior BIG-IP experience isnΓÇÖt necessary, but you will need:

-* An Azure AD free subscription or above

-* An existing BIG-IP or [deploy a BIG-IP Virtual Edition (VE) in Azure](./f5-bigip-deployment-guide.md)

-* Any of the following F5 BIG-IP license offers

- * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php).

-* User identities [synchronized](../hybrid/how-to-connect-sync-whatis.md) from an on-premises directory to Azure AD, or created directly within Azure AD and flowed back to your on-premises directory

-* An account with Azure AD Application admin [permissions](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)

-* An [SSL Web certificate](./f5-bigip-deployment-guide.md) for publishing services over HTTPS, or use default BIG-IP certs while testing

-* An existing SAP ERP environment configured for Kerberos authentication

-There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template.

-With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.

->[!NOTE]

-> All example strings or values referenced throughout this guide should be replaced with those for your actual environment.

-Before a client or service can access Microsoft Graph, it must be trusted by the [Microsoft identity platform.](../develop/quickstart-register-app.md)

-The Easy Button client must also be registered in Azure AD, before it is allowed to establish a trust between each SAML SP instance of a BIG-IP published application, and Azure AD as the SAML IdP.

-1. Sign-in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights

-2. From the left navigation pane, select the **Azure Active Directory** service

-3. Under Manage, select **App registrations > New registration**

-4. Enter a display name for your application. For example, *F5 BIG-IP Easy Button*

-5. Specify who can use the application > **Accounts in this organizational directory only**

-6. Select **Register** to complete the initial app registration

-7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**:

-8. Grant admin consent for your organization

-9. In the **Certificates & Secrets** blade, generate a new **client secret** and note it down

-10. From the **Overview** blade, note the **Client ID** and **Tenant ID**

-## Configure Easy Button

-Initiate the APM's **Guided Configuration** to launch the **Easy Button** Template.

-1. From a browser, sign-in to the **F5 BIG-IP management console**

-2. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.

- 

-3. Review the list of configuration steps and select **Next**

- 

-4. Follow the sequence of steps required to publish your application.

- 

-These are general and service account properties. The **Configuration Properties** tab creates a BIG-IP application config and SSO object. Consider the **Azure Service Account Details** section to represent the client you registered in your Azure AD tenant earlier, as an application. These settings allow a BIG-IP's OAuth client to individually register a SAML SP directly in your tenant, along with the SSO properties you would normally configure manually. Easy Button does this for every BIG-IP service being published and enabled for SHA.

-Some of these are global settings so can be re-used for publishing more applications, further reducing deployment time and effort.

-1. Provide a unique **Configuration Name** so admins can easily distinguish between Easy Button configurations

-2. Enable **Single Sign-On (SSO) & HTTP Headers**

-3. Enter the **Tenant Id, Client ID,** and **Client Secret** you noted when registering the Easy Button client in your tenant

-4. Confirm the BIG-IP can successfully connect to your tenant and select **Next**

- 

-The Service Provider settings define the properties for the SAML SP instance of the application protected through SHA.

-1. Enter **Host**. This is the public FQDN of the application being secured

-2. Enter **Entity ID.** This is the identifier Azure AD will use to identify the SAML SP requesting a token

- 

- The optional **Security Settings** specify whether Azure AD should encrypt issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides additional assurance that the content tokens canΓÇÖt be intercepted, and personal or corporate data be compromised.

-3. From the **Assertion Decryption Private Key** list, select **Create New**

- 

-4. Select **OK**. This opens the **Import SSL Certificate and Keys** dialog in a new tab

-5. Select **PKCS 12 (IIS)** to import your certificate and private key. Once provisioned close the browser tab to return to the main tab

- 

-6. Check **Enable Encrypted Assertion**

-7. If you have enabled encryption, select your certificate from the **Assertion Decryption Private Key** list. This is the private key for the certificate that BIG-IP APM will use to decrypt Azure AD assertions

-8. If you have enabled encryption, select your certificate from the **Assertion Decryption Certificate** list. This is the certificate that BIG-IP will upload to Azure AD for encrypting the issued SAML assertions

- 

-This section defines all properties that you would normally use to manually configure a new BIG-IP SAML application within your Azure AD tenant.

-Easy Button provides a set of pre-defined application templates for Oracle PeopleSoft, Oracle E-business Suite, Oracle JD Edwards, SAP ERP as well as generic SHA template for any other apps. For this scenario, select **SAP ERP Central Component > Add** to start the Azure configurations.

- 

-1. Enter **Display Name** of app that the BIG-IP creates in your Azure AD tenant, and the icon that the users will see in [MyApps portal](https://myapplications.microsoft.com/)

-2. Leave the **Sign On URL (optional)** blank to enable IdP initiated sign-on

- 

-3. Select the refresh icon next to the **Signing Key** and **Signing Certificate** to locate the certificate you imported earlier

-

-5. Enter the certificateΓÇÖs password in **Signing Key Passphrase**

-6. Enable **Signing Option** (optional). This ensures that BIG-IP only accepts tokens and claims that are signed by Azure AD

- 

-7. **User and User Groups** are dynamically queried from your Azure AD tenant and used to authorize access to the application. Add a user or group that you can use later for testing, otherwise all access will be denied

- 

-When a user successfully authenticates to Azure AD, it issues a SAML token with a default set of claims and attributes uniquely identifying the user. The **User Attributes & Claims tab** shows the default claims to issue for the new application. It also lets you configure more claims.

-As our example AD infrastructure is based on a .com domain suffix used both, internally and externally, we donΓÇÖt require any additional attributes to achieve a functional KCD SSO implementation. See the [advanced tutorial](./f5-big-ip-kerberos-advanced.md) for cases where you have multiple domains or userΓÇÖs login using an alternate suffix.

- 

-You can include additional Azure AD attributes, if necessary, but for this scenario SAP ERP only requires the default attributes.

-The **Additional User Attributes** tab can support a variety of distributed systems requiring attributes stored in other directories, for session augmentation. Attributes fetched from an LDAP source can then be injected as additional SSO headers to further control access based on roles, Partner IDs, etc.

- 

->[!NOTE]

->This feature has no correlation to Azure AD but is another source of attributes.

-CA policies are enforced post Azure AD pre-authentication, to control access based on device, application, location, and risk signals.

-The **Available Policies** view, by default, will list all CA policies that do not include user based actions.

-The **Selected Policies** view, by default, displays all policies targeting All cloud apps. These policies cannot be deselected or moved to the Available Policies list as they are enforced at a tenant level.

-To select a policy to be applied to the application being published:

-1. Select the desired policy in the **Available Policies** list

-2. Select the right arrow and move it to the **Selected Policies** list

-Selected policies should either have an **Include** or **Exclude** option checked. If both options are checked, the selected policy is not enforced.

-

->[!NOTE]

->The policy list is enumerated only once when first switching to this tab. A refresh button is available to manually force the wizard to query your tenant, but this button is displayed only when the application has been deployed.

-A virtual server is a BIG-IP data plane object represented by a virtual IP address listening for client requests to the application. Any received traffic is processed and evaluated against the APM profile associated with the virtual server, before being directed according to the policy results and settings.

-1. Enter **Destination Address**. This is any available IPv4/IPv6 address that the BIG-IP can use to receive client traffic. A corresponding record should also exist in DNS, enabling clients to resolve the external URL of your BIG-IP published application to this IP, instead of the appllication itself. Using a test PC's localhost DNS is fine for testing

-2. Enter **Service Port** as *443* for HTTPS

-3. Check **Enable Redirect Port** and then enter **Redirect Port**. It redirects incoming HTTP client traffic to HTTPS

-4. The Client SSL Profile enables the virtual server for HTTPS, so that client connections are encrypted over TLS. Select the **Client SSL Profile** you created as part of the prerequisites or leave the default whilst testing

- 

-The **Application Pool tab** details the services behind a BIG-IP, represented as a pool containing one or more application servers.

-1. Choose from **Select a Pool.** Create a new pool or select an existing one

-2. Choose the **Load Balancing Method** as *Round Robin*

-3. For **Pool Servers** select an existing server node or specify an IP and port for the backend node hosting the header-based application

- 

-Enabling SSO allows users to access BIG-IP published services without having to enter credentials. The **Easy Button wizard** supports Kerberos, OAuth Bearer, and HTTP authorization headers for SSO. You will need the Kerberos delegation account created earlier to complete this step.

-Enable **Kerberos** and **Show Advanced Setting** to enter the following:

-* **Username Source:** Specifies the preferred username to cache for SSO. You can provide any session variable as the source of the user ID, but *session.saml.last.identity* tends to work best as it holds the Azure AD claim containing the logged in user ID

-* **User Realm Source:** Required if the user domain is different to the BIG-IPΓÇÖs kerberos realm. In that case, the APM session variable would contain the logged in user domain. For example,*session.saml.last.attr.name.domain*

- 

-* **KDC:** IP of a Domain Controller (Or FQDN if DNS is configured & efficient)

-* **UPN Support:** Enable for the APM to use the UPN for kerberos ticketing

-* **SPN Pattern:** Use HTTP/%h to inform the APM to use the host header of the client request and build the SPN that it is requesting a kerberos token for.

-* **Send Authorization:** Disable for applications that prefer negotiating authentication instead of receiving the kerberos token in the first request. For example, *Tomcat.*

- 

-The BIG-IPs session management settings are used to define the conditions under which user sessions are terminated or allowed to continue, limits for users and IP addresses, and corresponding user info. Consult [F5 documentation]( https://support.f5.com/csp/article/K18390492) for details on these settings.

-What isnΓÇÖt covered however is Single Log-Out (SLO) functionality, which ensures all sessions between the IdP, the BIG-IP, and the user agent are terminated as users log off.

- When the Easy Button deploys a SAML application to your Azure AD tenant, it also populates the Logout Url with the APMΓÇÖs SLO endpoint. That way IdP initiated sign-outs from the Microsoft [MyApps portal]( https://support.microsoft.com/en-us/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510) also terminate the session between the BIG-IP and a client.

-During deployment, the SAML federation metadata for the published application is imported from your tenant, providing the APM the SAML logout endpoint for Azure AD. This helps SP initiated sign-outs terminate the session between a client and Azure AD.

-## Summary

-This last step provides a breakdown of your configurations. Select **Deploy** to commit all settings and verify that the application now exists in your tenants list of Enterprise applications.

-## Next steps

-From a browser, **connect** to the applicationΓÇÖs external URL or select the **applicationΓÇÖs icon** in the [Microsoft MyApps portal](https://myapps.microsoft.com/). After authenticating to Azure AD, youΓÇÖll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.

-For increased security, organizations using this pattern could also consider blocking all direct access to the application, thereby forcing a strict path through the BIG-IP.

-There may be cases where the Guided Configuration templates lacks the flexibility to achieve more specific requirements. For those scenarios, see [Advanced Configuration for kerberos-based SSO](./f5-big-ip-kerberos-advanced.md).

-Alternatively, the BIG-IP gives you the option to disable **Guided ConfigurationΓÇÖs strict management mode**. This allows you to manually tweak your configurations, even though bulk of your configurations are automated through the wizard-based templates.

-You can navigate to **Access > Guided Configuration** and select the **small padlock icon** on the far right of the row for your applicationsΓÇÖ configs.

-

- 

-At that point, changes via the wizard UI are no longer possible, but all BIG-IP objects associated with the published instance of the application will be unlocked for direct management.

->[!NOTE]

->Re-enabling strict mode and deploying a configuration will overwrite any settings performed outside of the Guided Configuration UI, therefore we recommend the advanced configuration method for production services.

-You can fail to access the SHA protected application due to any number of factors, including a misconfiguration.

-* Kerberos is time sensitive, so requires that servers and clients be set to the correct time and where possible synchronized to a reliable time source

-* Ensure the hostname for the domain controller and web application are resolvable in DNS

-* Ensure there are no duplicate SPNs in your AD environment by executing the following query at the command line on a domain PC: setspn -q HTTP/my_target_SPN

-You can refer to our [App Proxy guidance](../app-proxy/application-proxy-back-end-kerberos-constrained-delegation-how-to.md) to validate an IIS application is configured appropriately for KCD. F5ΓÇÖs article on [how the APM handles Kerberos SSO](https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-single-sign-on-concepts-configuration/kerberos-single-sign-on-method.html) is also a valuable resource.

-BIG-IP logging can help quickly isolate all sorts of issues with connectivity, SSO, policy violations, or misconfigured variable mappings. Start troubleshooting by increasing the log verbosity level.

-1. Navigate to **Access Policy > Overview > Event Logs > Settings**

-2. Select the row for your published application, then **Edit > Access System Logs**

-3. Select **Debug** from the SSO list, and then select **OK**

-Reproduce your issue, then inspect the logs, but remember to switch this back when finished as verbose mode generates lots of data.

-If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

-1. Navigate to **Access > Overview > Access reports**

-2. Run the report for the last hour to see logs provide any clues. The **View session variables** link for your session will also help understand if the APM is receiving the expected claims from Azure AD.

-If you donΓÇÖt see a BIG-IP error page, then the issue is probably more related to the backend request or SSO from the BIG-IP to the application.

-1. Navigate to **Access Policy > Overview > Active Sessions**

-2. Select the link for your active session. The **View Variables** link in this location may also help determine root cause KCD issues, particularly if the BIG-IP APM fails to obtain the right user and domain identifiers from session variables

-See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

-## January 2023

-### New articles

-### Updated articles

-For a list of error codes related to Azure AD authentication and authorization, see the [Azure AD authentication and authorization error codes](../develop/reference-aadsts-error-codes.md) article. In some cases, the [sign-in error lookup tool](https://login.microsoftonline.com/error) may provide remediation steps. Enter the **Error code** provided in the sign-in log details into the tool and select the **Submit** button.

-For a list of error codes related to Azure AD authentication and authorization, see the [Azure AD authentication and authorization error codes](../develop/reference-aadsts-error-codes.md) article. In some cases, the [sign-in error lookup tool](https://login.microsoftonline.com/error) may provide remediation steps. Enter the **Error code** provided in the sign-in log details into the tool and select the **Submit** button.

-7. You can get additional information, including ideas for remediation, by searching for the error code, **50126** in this example, in the [sign-ins error codes reference](../develop/reference-aadsts-error-codes.md).

-This lifetime cannot be customized in the Azure portal, or using a conditional access policy, but it can be done by creating a [custom token lifetime policy](../develop/active-directory-configurable-token-lifetimes.md) and apply it to the enterprise application created for SharePoint.

-| **IA-04 Identifier Management**<br>The organization manages information system identifiers for users and devices by:<br>**(a.)** Receiving authorization from [*FedRAMP Assignment at a minimum, the ISSO (or similar role within the organization)*] to assign an individual, group, role, or device identifier;<br>**(b.)** Selecting an identifier that identifies an individual, group, role, or device;<br>**(c.)** Assigning the identifier to the intended individual, group, role, or device;<br>**(d.)** Preventing reuse of identifiers for [*FedRAMP Assignment: at least two (2) years*]; and<br>**(e.)** Disabling the identifier after [*FedRAMP Assignment: thirty-five (35) days (see additional requirements and guidance)*]<br>**IA-4e Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines the time period of inactivity for device identifiers.<br>**Guidance:** For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP http://iase.disa.mil/cloud_security/Pages/index.aspx.<br><br>**IA-4(4)**<br>The organization manages individual identifiers by uniquely identifying each individual as [*FedRAMP Assignment: contractors; foreign nationals*]. | **Disable account identifiers after 35 days of inactivity and prevent their reuse for two years. Manage individual identifiers by uniquely identifying each individual (for example, contractors and foreign nationals).**<p>Assign and manage individual account identifiers and status in Azure AD in accordance with existing organizational policies defined in AC-02. Follow AC-02(3) to automatically disable user and device accounts after 35 days of inactivity. Ensure that organizational policy maintains all accounts that remain in the disabled state for at least two years. After this time, you can remove them. <p>Determine inactivity<br> <li>[Manage inactive user accounts in Azure AD](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br> <li>[Manage stale devices in Azure AD](../devices/manage-stale-devices.md)<br> <li>[See AC-02 guidance](fedramp-access-controls.md) |

-Part of the AKS cluster lifecycle involves performing periodic upgrades to the latest Kubernetes version. ItΓÇÖs important you apply the latest security releases, or upgrade to get the latest features. Before learning about auto-upgrade, make sure you understand upgrade fundamentals by reading [Upgrade an AKS cluster][upgrade-aks-cluster].

-> Any upgrade operation, whether performed manually or automatically, will upgrade the node image version if not already on the latest. The latest version is contingent on a full AKS release, and can be determined by visiting the [AKS release tracker][release-tracker].

-> Auto-upgrade will first upgrade the control plane, and then proceed to upgrade agent pools one by one.

-Cluster auto-upgrade provides a set once and forget mechanism that yields tangible time and operational cost benefits. By enabling auto-upgrade, you can ensure your clusters are up to date and don't miss the latest AKS features or patches from AKS and upstream Kubernetes.

-Customers can specify cluster auto-upgrade specifics in the following guidance. These upgrades occur based on the cadence the customer specifies and are recommended for customers to remain on supported Kubernetes versions.

-If youΓÇÖre using cluster auto-upgrade, you can no longer upgrade the control plane first, and then upgrade the individual node pools. Cluster auto-upgrade always upgrades the control plane and the node pools together. There's no ability of upgrading the control plane only, and trying to run the command `az aks upgrade --control-plane-only` raises the following error: `NotAllAgentPoolOrchestratorVersionSpecifiedAndUnchanged: Using managed cluster api, all Agent pools' OrchestratorVersion must be all specified or all unspecified. If all specified, they must be stay unchanged or the same with control plane.`

-## Using cluster auto-upgrade

-Automatically completed upgrades are functionally the same as manual upgrades. The timing of upgrades is determined by the [selected auto-upgrade channel][planned-maintenance]. When making changes to auto-upgrade, allow 24 hours for the changes to take effect.

-| `none`| disables auto-upgrades and keeps the cluster at its current version of Kubernetes| Default setting if left unchanged|

-| `patch`| automatically upgrade the cluster to the latest supported patch version when it becomes available while keeping the minor version the same.| For example, if a cluster is running version *1.17.7* and versions *1.17.9*, *1.18.4*, *1.18.6*, and *1.19.1* are available, your cluster is upgraded to *1.17.9*|

-| `stable`| automatically upgrade the cluster to the latest supported patch release on minor version *N-1*, where *N* is the latest supported minor version.| For example, if a cluster is running version *1.17.7* and versions *1.17.9*, *1.18.4*, *1.18.6*, and *1.19.1* are available, your cluster is upgraded to *1.18.6*.

-| `rapid`| automatically upgrade the cluster to the latest supported patch release on the latest supported minor version.| In cases where the cluster is at a version of Kubernetes that is at an *N-2* minor version where *N* is the latest supported minor version, the cluster first upgrades to the latest supported patch version on *N-1* minor version. For example, if a cluster is running version *1.17.7* and versions *1.17.9*, *1.18.4*, *1.18.6*, and *1.19.1* are available, your cluster first is upgraded to *1.18.6*, then is upgraded to *1.19.1*.

-| `node-image`| automatically upgrade the node image to the latest version available.| Microsoft provides patches and new images for image nodes frequently (usually weekly), but your running nodes don't get the new images unless you do a node image upgrade. Turning on the node-image channel automatically updates your node images whenever a new version is available. If you use this channel, Linux [unattended upgrades] are disabled by default.|

-> Cluster auto-upgrade only updates to GA versions of Kubernetes and will not update to preview versions.

-> [!NOTE]

-> With AKS, you can create a cluster without specifying the exact patch version. When you create a cluster without designating a patch, the cluster will run the minor version's latest GA patch. To Learn more [AKS support window][supported-kubernetes-versions]

-> [!NOTE]

-> Auto-upgrade requires the cluster's Kubernetes version to be within the [AKS support window][supported-kubernetes-versions], even if using the `node-image` channel.

-> [!NOTE]

-> If using the preview API `11-02-preview` or later, if you select the `node-image` cluster auto-upgrade channel the [node image auto-upgrade channel][node-image-auto-upgrade] will automatically be set to `NodeImage`.

-Automatically upgrading a cluster follows the same process as manually upgrading a cluster. For more information, see [Upgrade an AKS cluster][upgrade-aks-cluster].

-To set the auto-upgrade channel when creating a cluster, use the *auto-upgrade-channel* parameter, similar to the following example.

-```azurecli-interactive

-az aks create --resource-group myResourceGroup --name myAKSCluster --auto-upgrade-channel stable --generate-ssh-keys

-```

-To set the auto-upgrade channel on existing cluster, update the *auto-upgrade-channel* parameter, similar to the following example.

-```azurecli-interactive

-az aks update --resource-group myResourceGroup --name myAKSCluster --auto-upgrade-channel stable

-```

-If you're using the Azure portal, you can find auto-upgrade settings under the *Settings* > *Cluster configuration* blade by selecting *Upgrade version*. By default, the `Patch` channel is selected.

-The Azure portal also highlights all the deprecated APIs between your current version and newer, available versions you intend to migrate to. For more information, see [the Kubernetes API Removal and Deprecation process][k8s-deprecation].

-## Using auto-upgrade with Planned Maintenance

-If youΓÇÖre using Planned Maintenance and cluster auto-upgrade, your upgrade starts during your specified maintenance window.

-> To ensure proper functionality, use a maintenance window of four hours or more.

-[node-image-auto-upgrade]: auto-upgrade-node-image.md

-```console

- ```console

-```console

-```console

-```console

-```bash

- ```bash

- ```bash

- ```bash

-```azurecli

-```azurecli

- ```bash

- ```console

-```console

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

-```console

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```basj

-```bash

-```console

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```bash

-```console

-```bash

-```console

-```bash

-```bash

-```bash

-```bash

-```bash

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

-description: Learn how to use the cluster autoscaler to automatically scale your cluster to meet application demands in an Azure Kubernetes Service (AKS) cluster.

-To keep up with application demands in Azure Kubernetes Service (AKS), you may need to adjust the number of nodes that run your workloads. The cluster autoscaler component can watch for pods in your cluster that can't be scheduled because of resource constraints. When issues are detected, the number of nodes in a node pool is increased to meet the application demand. Nodes are also regularly checked for a lack of running pods, with the number of nodes then decreased as needed. This ability to automatically scale up or down the number of nodes in your AKS cluster lets you run an efficient, cost-effective cluster.

-Both the horizontal pod autoscaler and cluster autoscaler can also decrease the number of pods and nodes as needed. The cluster autoscaler decreases the number of nodes when there has been unused capacity for a period of time. Pods on a node to be removed by the cluster autoscaler are safely scheduled elsewhere in the cluster. For more information about how scaling down works, see [How does scale-down work?](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-scale-down-work).

-The cluster autoscaler uses startup parameters for things like time intervals between scale events and resource thresholds. For more information on what parameters the cluster autoscaler uses, see [Using the autoscaler profile](#using-the-autoscaler-profile).

-The cluster and horizontal pod autoscalers can work together, and are often both deployed in a cluster. When combined, the horizontal pod autoscaler is focused on running the number of pods required to meet application demand. The cluster autoscaler is focused on running the number of nodes required to support the scheduled pods.

-> Manual scaling is disabled when you use the cluster autoscaler. Let the cluster autoscaler determine the required number of nodes. If you want to manually scale your cluster, [disable the cluster autoscaler](#disable-the-cluster-autoscaler).

-## Create an AKS cluster and enable the cluster autoscaler

-If you need to create an AKS cluster, use the [az aks create][az-aks-create] command. To enable and configure the cluster autoscaler on the node pool for the cluster, use the `--enable-cluster-autoscaler` parameter, and specify a node `--min-count` and `--max-count`.

-The following example creates an AKS cluster with a single node pool backed by a virtual machine scale set. It also enables the cluster autoscaler on the node pool for the cluster and sets a minimum of *1* and maximum of *3* nodes:

-```azurecli-interactive

-# First create a resource group

-az group create --name myResourceGroup --location eastus

-# Now create the AKS cluster and enable the cluster autoscaler

-az aks create \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --node-count 1 \

- --vm-set-type VirtualMachineScaleSets \

- --load-balancer-sku standard \

- --enable-cluster-autoscaler \

- --min-count 1 \

- --max-count 3

-```

-It takes a few minutes to create the cluster and configure the cluster autoscaler settings.

-## Update an existing AKS cluster to enable the cluster autoscaler

-Use the [az aks update][az-aks-update] command to enable and configure the cluster autoscaler on the node pool for the existing cluster. Use the `--enable-cluster-autoscaler` parameter, and specify a node `--min-count` and `--max-count`.

-The following example updates an existing AKS cluster to enable the cluster autoscaler on the node pool for the cluster and sets a minimum of *1* and maximum of *3* nodes:

-```azurecli-interactive

-az aks update \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --enable-cluster-autoscaler \

- --min-count 1 \

- --max-count 3

-```

-It takes a few minutes to update the cluster and configure the cluster autoscaler settings.

-> If you have multiple node pools in your AKS cluster, skip to the [autoscale with multiple agent pools section](#use-the-cluster-autoscaler-with-multiple-node-pools-enabled). Clusters with multiple agent pools require use of the `az aks nodepool` command set to change node pool specific properties instead of `az aks`.

-In the previous step to create an AKS cluster or update an existing node pool, the cluster autoscaler minimum node count was set to *1*, and the maximum node count was set to *3*. As your application demands change, you may need to adjust the cluster autoscaler node count.

-To change the node count, use the [az aks update][az-aks-update] command.

-```azurecli-interactive

-az aks update \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --update-cluster-autoscaler \

- --min-count 1 \

- --max-count 5

-```

-The above example updates cluster autoscaler on the single node pool in *myAKSCluster* to a minimum of *1* and maximum of *5* nodes.

-> The cluster autoscaler will enforce the minimum count in cases where the actual count drops below the minimum due to external factors, such as during a spot eviction or when changing the minimum count value from the AKS API.

-## Using the autoscaler profile

-You can also configure more granular details of the cluster autoscaler by changing the default values in the cluster-wide autoscaler profile. For example, a scale down event happens after nodes are under-utilized after 10 minutes. If you had workloads that ran every 15 minutes, you may want to change the autoscaler profile to scale down under utilized nodes after 15 or 20 minutes. When you enable the cluster autoscaler, a default profile is used unless you specify different settings. The cluster autoscaler profile has the following settings that you can update:

-| expander | Type of node pool [expander](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-are-expanders) to be used in scale up. Possible values: `most-pods`, `random`, `least-waste`, `priority` | random |

-| skip-nodes-with-system-pods | If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods) | true |

-| max-node-provision-time | Maximum time the autoscaler waits for a node to be provisioned | 15 minutes |

-> The cluster autoscaler profile affects all node pools that use the cluster autoscaler. You can't set an autoscaler profile per node pool.

-> The cluster autoscaler profile requires version *2.11.1* or greater of the Azure CLI. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

-### Set the cluster autoscaler profile on an existing AKS cluster

-Use the [az aks update][az-aks-update-preview] command with the *cluster-autoscaler-profile* parameter to set the cluster autoscaler profile on your cluster. The following example configures the scan interval setting as 30s in the profile.

-```azurecli-interactive

-az aks update \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --cluster-autoscaler-profile scan-interval=30s

-```

-When you enable the cluster autoscaler on node pools in the cluster, these node pools with CA enabled will also use the cluster autoscaler profile. For example:

-```azurecli-interactive

-az aks nodepool update \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name mynodepool \

- --enable-cluster-autoscaler \

- --min-count 1 \

- --max-count 3

-```

-> [!IMPORTANT]

-> When you set the cluster autoscaler profile, any existing node pools with the cluster autoscaler enabled will start using the profile immediately.

-### Set the cluster autoscaler profile when creating an AKS cluster

-You can also use the *cluster-autoscaler-profile* parameter when you create your cluster. For example:

-```azurecli-interactive

-az aks create \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --node-count 1 \

- --enable-cluster-autoscaler \

- --min-count 1 \

- --max-count 3 \

- --cluster-autoscaler-profile scan-interval=30s

-```

-The above command creates an AKS cluster and defines the scan interval as 30 seconds for the cluster-wide autoscaler profile. The command also enables the cluster autoscaler on the initial node pool, sets the minimum node count to 1 and the maximum node count to 3.

-Use the [az aks update][az-aks-update-preview] command to reset the cluster autoscaler profile on your cluster.

-```azurecli-interactive

-az aks update \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --cluster-autoscaler-profile ""

-```

-## Disable the cluster autoscaler

-If you no longer wish to use the cluster autoscaler, you can disable it using the [az aks update][az-aks-update-preview] command, specifying the `--disable-cluster-autoscaler` parameter. Nodes aren't removed when the cluster autoscaler is disabled.

-```azurecli-interactive

-az aks update \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --disable-cluster-autoscaler

-```

-You can manually scale your cluster after disabling the cluster autoscaler by using the [az aks scale][az-aks-scale] command. If you use the horizontal pod autoscaler, that feature continues to run with the cluster autoscaler disabled, but pods may end up unable to be scheduled if all node resources are in use.

-## Re-enable a disabled cluster autoscaler

-If you wish to re-enable the cluster autoscaler on an existing cluster, you can re-enable it using the [az aks update][az-aks-update-preview] command, specifying the `--enable-cluster-autoscaler`, `--min-count`, and `--max-count` parameters.

-## Retrieve cluster autoscaler logs and status

-To diagnose and debug autoscaler events, logs and status can be retrieved from the cluster autoscaler.

-AKS manages the cluster autoscaler on your behalf and runs it in the managed control plane. You can enable control plane node to see the logs and operations from CA.

-To configure logs to be pushed from the cluster autoscaler into Log Analytics, follow these steps.

-1. Set up a rule for resource logs to push cluster-autoscaler logs to Log Analytics. [Instructions are detailed here][aks-view-master-logs], ensure you check the box for `cluster-autoscaler` when selecting options for "Logs".

-1. Select the "Logs" section on your cluster via the Azure portal.

-1. Input the following example query into Log Analytics:

-```kusto

-AzureDiagnostics

-| where Category == "cluster-autoscaler"

-You should see logs similar to the following example as long as there are logs to retrieve.

-

-The cluster autoscaler will also write out health status to a `configmap` named `cluster-autoscaler-status`. To retrieve these logs, execute the following `kubectl` command. A health status will be reported for each node pool configured with the cluster autoscaler.

-```bash

-kubectl get configmap -n kube-system cluster-autoscaler-status -o yaml

-```

-To learn more about what is logged from the autoscaler, read the FAQ on the [Kubernetes/autoscaler GitHub project][kubernetes-faq].

-## Use the cluster autoscaler with multiple node pools enabled

-The cluster autoscaler can be used together with [multiple node pools][aks-multiple-node-pools] enabled. Follow that document to learn how to enable multiple node pools and add additional node pools to an existing cluster. When using both features together, you enable the cluster autoscaler on each individual node pool in the cluster and can pass unique autoscaling rules to each.

-The below command assumes you followed the [initial instructions](#create-an-aks-cluster-and-enable-the-cluster-autoscaler) earlier in this document and you want to update an existing node pool's max-count from *3* to *5*. Use the [az aks nodepool update][az-aks-nodepool-update] command to update an existing node pool's settings.

-```azurecli-interactive

-az aks nodepool update \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name nodepool1 \

- --update-cluster-autoscaler \

- --min-count 1 \

- --max-count 5

-```

-The cluster autoscaler can be disabled with [az aks nodepool update][az-aks-nodepool-update] and passing the `--disable-cluster-autoscaler` parameter.

-```azurecli-interactive

-az aks nodepool update \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name nodepool1 \

- --disable-cluster-autoscaler

-```

-If you wish to re-enable the cluster autoscaler on an existing cluster, you can re-enable it using the [az aks nodepool update][az-aks-nodepool-update] command, specifying the `--enable-cluster-autoscaler`, `--min-count`, and `--max-count` parameters.

-> If you are planning on using the cluster autoscaler with nodepools that span multiple zones and leverage scheduling features related to zones such as volume topological scheduling, the recommendation is to have one nodepool per zone and enable the `--balance-similar-node-groups` through the autoscaler profile. This will ensure that the autoscaler will scale up succesfully and try and keep the sizes of the nodepools balanced.

-Kubernetes supports [horizontal pod autoscaling][kubernetes-hpa] to adjust the number of pods in a deployment depending on CPU utilization or other select metrics. The [Metrics Server][metrics-server] is used to provide resource utilization to Kubernetes. You can configure horizontal pod autoscaling through the `kubectl autoscale` command or through a manifest. For more details on using the horizontal pod autoscaler, see [HorizontalPodAutoscaler Walkthrough][kubernetes-hpa-walkthrough].

-```azurecli

-```azurecli

-```

-```

-```

- ```azurecli

- ```azurecli

-```

-```bash

-```bash

- ```bash

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

-The default expiration time for the service principal credentials is one year. If your credentials are older than one year, you can [reset the existing credentials](/update-credentials#reset-the-existing-service-principal-credentials) or [create a new service principal](/update-credentials#create-a-new-service-principal).

-The default expiration time for the service principal credentials is one year. If your credentials are older than one year, you can [reset the existing credentials](/update-credentials#reset-the-existing-service-principal-credentials) or [create a new service principal](/update-credentials#create-a-new-service-principal).

-```bash

-```bash

-```azurecli

-```azurepowershell

-```bash

-```console

-```console

-```console

-The same principle applies to Managed Identities used for any other pod/node pool when accessing other Azure resources. Any access provided via Managed Identity needs to be updated to reflect the new node pool. To view update and sign-in activities, see [How to view Managed Identity activity](../active-directory/managed-identities-azure-resources/how-to-view-managed-identity-activity.md).

-```azurecli

-```azurecli

-```azurecli

-```azurecli

-```azurecli

-```azurecli

-```azurecli

-```azurecli

-```azurecli

-```console

-```console

-```azurecli

-```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```bash

-```azurecli

-[start-stop-nodepools]: /start-stop-nodepools.md

-```azurecli

-```azurecli

-$ az aks nodepool show -g myResourceGroup --cluster-name myAKSCluster -n mywasipool --query workloadRuntime

-```azurecli

-$ kubectl get nodes -o wide

-$ kubectl describe node aks-mywasipool-12456878-vmss000000

-```azurecli-interactive

-```azurecli-interactive

-$ kubectl get svc

-$ curl http://EXTERNAL-IP/hello

-```azurecli-interactive

-```azurecli

-```azurecli

- ```azurecli

- ```azurecli

- ```azurecli

- ```bash

- ```bash

- ```bash

- ```bash

- ```azurecli

-```bash

-```bash

-```bash

-```azurecli

-```azurecli

-```azurecli

-```azurecli

-```azurecli-interactive

- ```azurecli

-```azurecli

- ```azurecli

- ```azurecli

-```azurecli

-```azurecli

- ```azurecli

-In this quickstart, you'll deploy a Go web app to Azure App Service. Azure App Service is a fully managed web hosting service that supports Go 1.18 and higher apps hosted in a Linux server environment.

-az webapp up --runtime GO:1.18 --os linux --sku B1

- "runtime_version": "go|1.18",

-[WordPress](https://www.wordpress.org) is an open source content management system (CMS) used by over 40% of the web to create websites, blogs, and other applications. WordPress can be run on a few different Azure

-# Migrate Azure Application Gateway and Web Application Firewall from v1 to v2

-[Azure Application Gateway and Web Application Firewall (WAF) v2](application-gateway-autoscaling-zone-redundant.md) is now available, offering additional features such as autoscaling and availability-zone redundancy. However, existing v1 gateways aren't automatically upgraded to v2. If you want to migrate from v1 to v2, follow the steps in this article.

-This article covers configuration migration. Client traffic migration varies depending on your specific environment. However, some high-level, general recommendations [are provided](#migrate-client-traffic).

-## Migration overview

-An Azure PowerShell script is available that does the following:

-### Caveats\Limitations

-* The new v2 gateway has new public and private IP addresses. It isn't possible to move the IP addresses associated with the existing v1 gateway seamlessly to v2. However, you can allocate an existing (unallocated) public or private IP address to the new v2 gateway.

-* You must provide an IP address space for another subnet within your virtual network where your v1 gateway is located. The script can't create the v2 gateway in any existing subnets that already have a v1 gateway. However, if the existing subnet already has a v2 gateway, that may still work provided there's enough IP address space.

-* If you have a network security group or user defined routes associated to the v2 gateway subnet, make sure they adhere to the [NSG requirements](../application-gateway/configuration-infrastructure.md#network-security-groups) and [UDR requirements](../application-gateway/configuration-infrastructure.md#supported-user-defined-routes) for a successful migration

-* [Virtual network service endpoint policies](../virtual-network/virtual-network-service-endpoint-policies-overview.md) are currently not supported in an Application Gateway subnet.

-* To migrate a TLS/SSL configuration, you must specify all the TLS/SSL certs used in your v1 gateway.

-* If you have FIPS mode enabled for your V1 gateway, it won't be migrated to your new v2 gateway. FIPS mode isn't supported in v2.

-* In case of Private IP only V1 gateway, the script will generate a private and public IP address for the new V2 gateway. The Private IP only V2 gateway is currently in public preview. Once it becomes generally available, customers can utilize the script to transfer their private IP only V1 gateway to a private IP only V2 gateway.

-* Headers with names containing anything other than letters, digits, and hyphens are not passed to your application. This only applies to header names, not header values. This is a breaking change from v1.

-* NTLM and Kerberos authentication is not supported by Application Gateway v2. The script is unable to detect if the gateway is serving this type of traffic and may pose as a breaking change from v1 to v2 gateways if run.

-## Download the script

-Download the migration script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureAppGWMigration).

-## Use the script

-### Install using the Install-Script method

-### Install using the script directly

-## Migrate client traffic

-## ApplicationGateway V2 pricing

-The pricing models are different for the Application Gateway v1 and v2 SKUs. Please review the pricing at [Application Gateway pricing](https://azure.microsoft.com/pricing/details/application-gateway/) page before migrating from V1 to V2.

-## Common questions

-### Are there any limitations with the Azure PowerShell script to migrate the configuration from v1 to v2?

-Yes. See [Caveats/Limitations](#caveatslimitations).

-### Is this article and the Azure PowerShell script applicable for Application Gateway WAF product as well?

-Yes.

-### Does the Azure PowerShell script also switch over the traffic from my v1 gateway to the newly created v2 gateway?

-No. The Azure PowerShell script only migrates the configuration. Actual traffic migration is your responsibility and in your control.

-### Is the new v2 gateway created by the Azure PowerShell script sized appropriately to handle all of the traffic that is currently served by my v1 gateway?

-The Azure PowerShell script creates a new v2 gateway with an appropriate size to handle the traffic on your existing v1 gateway. Autoscaling is disabled by default, but you can enable AutoScaling when you run the script.

-### I configured my v1 gateway to send logs to Azure storage. Does the script replicate this configuration for v2 as well?

-No. The script doesn't replicate this configuration for v2. You must add the log configuration separately to the migrated v2 gateway.

-### Does this script support certificates uploaded to Azure KeyVault ?

-No. Currently the script doesn't support certificates in KeyVault. However, this is being considered for a future version.

-### I ran into some issues with using this script. How can I get help?

-You can contact Azure Support under the topic "Configuration and Setup/Migrate to V2 SKU". Learn more about [Azure support here](https://azure.microsoft.com/support/options/).

-### Print text in preview (API version 2022-06-30-preview)

-|Herero | `hz` |Soga | `xog`|

-|Hiligaynon | `hil` |Somali (Latin) | `so-latn` |

-|Iban | `iba`|Songhai | `son` |

-|Igbo |`ig`|South Ndebele | `nr`|

-|Iloko | `ilo`|Southern Altai | `alt`|

-|Ingush |`inh`|Southern Sotho | `st` |

-|Jola-Fonyi |`dyo`|Sundanese | `su` |

-|Kabardian | `kbd` | Swati | `ss` |

-|Kalenjin | `kln` |Tabassaran| `tab` |

-|Kalmyk | `xal` | Tachelhit| `shi` |

-|Kanuri | `kr`|Tahitian | `ty`|

-|Khakas | `kjh` |Taita | `dav` |

-The custom TCB baseline enforcement feature in Azure Attestation will empower you to perform SGX attestation against a desired TCB baseline. It is always recommended for [Azure Confidential Computing](../confidential-computing/overview.md) (ACC) SGX customers to install the latest PSW version supported by Intel and configure their SGX attestation policy with the latest TCB baseline supported by Azure.

-If the environment is set to get updates from WSUS, ensure that it is approved in WSUS before the update deployment. For more information, see [WSUS configuration settings](../update-management/configure-wuagent.md#make-wsus-configuration-settings). If your environment is not using WSUS, ensure that you remove the WSUS server settings and [reset Windows update component](https://learn.microsoft.com/windows/deployment/update/windows-update-resources#how-do-i-reset-windows-update-components).

-To fix the issue, disable the **AutoUpdate** feature. Set it to Disabled in the local group policy Configure Automatic Updates. For more information, see [Configure automatic updates](https://learn.microsoft.com/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#configure-automatic-updates).

-RuleName : .Net Framework 4.6.2+

-For the ASP.NET Core feature management API reference documentation, see [Microsoft.FeatureManagement Namespace](https://www.nuget.org/packages/Microsoft.FeatureManagement/).

-By default, the feature manager retrieves feature flag configuration from the `"FeatureManagement"` section of the .NET Core configuration data. To use the default configuration location, call the AddFeatureManagement method of the **IServiceCollection** passed into the **ConfigureServices** method of the **Startup** class.

-If you use filters in your feature flags, you must include the [Microsoft.FeatureManagement.FeatureFilters](/dotnet/api/microsoft.azure.management.storsimple8000series.models.featurefilter) namespace and add a call to AddFeatureFilters specifying the type name of the filter you want to use as the generic type of the method. For more information on using feature filters to dynamically enable and disable functionality, see [Enable staged rollout of features for targeted audiences](./howto-targetingfilter-aspnet-core.md).

-For some operations, such as manually checking feature flag values, you need to get an instance of IFeatureManager. In ASP.NET Core MVC, you can access the feature manager `IFeatureManager` through dependency injection. In the following example, an argument of type `IFeatureManager` is added to the signature of the constructor for a controller. The runtime automatically resolves the reference and provides an of the interface when calling the constructor. If you're using an application template in which the controller already has one or more dependency injection arguments in the constructor, such as `ILogger`, you can just add `IFeatureManager` as an additional argument:

-When an MVC controller or action is blocked because the controlling feature flag is *off*, a registered IDisabledFeaturesHandler interface is called. The default `IDisabledFeaturesHandler` interface returns a 404 status code to the client with no response body.

-* [Microsoft.FeatureManagement documentation](https://www.nuget.org/packages/Microsoft.FeatureManagement/)

-[Get logs to troubleshoot Azure Arc-enabled data services](troubleshooting-get-logs.md)

-[Kubernetes RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) provides granular filtering of user actions. With Kubernetes RBAC, You assign users or groups permission to create and modify resources or view logs from running application workloads. You can create roles to define permissions, and then assign those roles to users with role bindings. Permissions may be scoped to a single namespace or across the entire cluster.

- return AsgiMiddleware(app).handle(req, context)

-For a full example, see [Use Flask Framework with Azure Functions](/samples/azure-samples/flask-app-on-azure-functions/azure-functions-python-create-flask-app/).

-[Configurable token lifetimes in the Microsoft identity platform (preview)]: ../active-directory/develop/active-directory-configurable-token-lifetimes.md

-[Truck Route]: https://samples.azuremaps.com/?sample=car-vs-truck-route

-[Data-driven style expressions]: data-driven-style-expressions-web-sdk.md

- ```

- ```

- sudo update-alternatives --install /usr/bin/python python /usr/bin/python2 1

-Deploy Azure Monitor Agent on all new virtual machines, scale sets, and on-premises servers to collect data for [supported services and features](#supported-services-and-features).

-In addition to the generally available data collection listed above, Azure Monitor Agent also supports these Azure Monitor features in preview:

-| Azure Monitor feature | Current support | Other extensions installed | More information |

-| : | : | : | : |

-| [VM insights](../vm/vminsights-overview.md) | Public preview | Dependency Agent extension, if youΓÇÖre using the Map Services feature | [Enable VM Insights](../vm/vminsights-enable-overview.md) |

-| [Container insights](../containers/container-insights-overview.md) | Public preview | Containerized Azure Monitor agent | [Enable Container Insights](../containers/container-insights-onboard.md) |

-In addition to the generally available data collection listed above, Azure Monitor Agent also supports these Azure services in preview:

-| Azure service | Current support | Other extensions installed | More information |

-| : | : | : | : |

-| [Microsoft Defender for Cloud](../../security-center/security-center-introduction.md) | Public preview | <ul><li>Azure Security Agent extension</li><li>SQL Advanced Threat Protection extension</li><li>SQL Vulnerability Assessment extension</li></ul> | [Auto-deployment of Azure Monitor Agent (Preview)](../../defender-for-cloud/auto-deploy-azure-monitoring-agent.md) |

-| [Microsoft Sentinel](../../sentinel/overview.md) | <ul><li>Windows Security Events: [Generally available](../../sentinel/connect-windows-security-events.md?tabs=AMA)</li><li>Windows Forwarding Event (WEF): [Public preview](../../sentinel/data-connectors/windows-forwarded-events.md)</li><li>Windows DNS logs: [Public preview](../../sentinel/connect-dns-ama.md)</li><li>Linux Syslog CEF: [Public preview](../../sentinel/connect-cef-ama.md#set-up-the-common-event-format-cef-via-ama-connector)</li></ul> | Sentinel DNS extension, if youΓÇÖre collecting DNS logs. For all other data types, you just need the Azure Monitor Agent extension. | - |

-| [Change Tracking and Inventory Management](../../automation/change-tracking/overview.md) | Public preview | Change Tracking extension | [Change Tracking and Inventory using Azure Monitor Agent](../../automation/change-tracking/overview-monitoring-agent.md) |

-| [Network Watcher](../../network-watcher/network-watcher-monitoring-overview.md) | Connection Monitor: Public preview | Azure NetworkWatcher extension | [Monitor network connectivity by using Azure Monitor Agent](../../network-watcher/azure-monitor-agent-with-connection-monitor.md) |

-| Azure Stack HCI Insights | private preview | No additional extension installed | [Sign up here](https://aka.ms/amadcr-privatepreviews) |

-| Azure Virtual Desktop (AVD) Insights | private preview | No additional extension installed | [Sign up here](https://aka.ms/amadcr-privatepreviews) |

-> [!NOTE]

-> Features and services listed above in preview **may not be available in Azure Government and China clouds**. They will be available typically within a month *after* the features/services become generally available.

-Azure Monitor Agent is available in all public regions, Azure Government anmd China clouds, for generally available features. It's not yet supported in air-gapped clouds. For more information, see [Product availability by region](https://azure.microsoft.com/global-infrastructure/services/?products=monitor&rar=true&regions=all).

-| | Microsoft Sentinel | X ([View scope](#supported-services-and-features)) | X | |

-| | Update Management | X (Public preview, independent of monitoring agents) | X | |

-| | Microsoft Sentinel | X ([View scope](#supported-services-and-features)) | X | |

-Azure Monitor Agent (AMA) replaces the Log Analytics Agent (MM) include enhanced security, cost-effectiveness, performance, manageability and reliability. This article explains how to use the AMA Migration Helper and DCR Config Generator tools to help automate and track the migration from Log Analytics Agent to Azure Monitor Agent.

-> Do not remove the legacy agents if being used by other [Azure solutions or services](./azure-monitor-agent-overview.md#supported-services-and-features). Use the migration helper to discover which solutions/services you use today.

-> DCR Config Generator does not currently support additional configuration for [Azure solutions or services](./azure-monitor-agent-overview.md#supported-services-and-features) dependent on Log Analytics Agent.

- Option 1: Outputs **ready-to-deploy ARM template files** only that will create the generated DCR in the specified subscription and resource group, when deployed.

- If the Log Analytics workspace was not [configured to collect data](./log-analytics-agent.md#data-collected) from connected agents, the generated files will be empty. This is a scenario in which the agent was connected to a Log Analytics workspace, but was not configured to send any data from the host machine.

-1. [Deploy the generated ARM template](../../azure-resource-manager/templates/deployment-tutorial-local-template.md) to associate the generated data collection rules with virtual machines running the new agent.

-[Azure Monitor Agent (AMA)](./agents-overview.md) replaces the Log Analytics agent (also known as MMA and OMS) for both Windows and Linux machines, in both Azure and non-Azure (on-premises and third-party clouds) environments. It introduces a simplified, flexible method of configuring collection configuration called [data collection rules (DCRs)](../essentials/data-collection-rule-overview.md). This article outlines the benefits of migrating to Azure Monitor Agent and provides guidance on how to implement a successful migration.

-> The Log Analytics agent will be [retired on **August 31, 2024**](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). If you're currently using the Log Analytics agent with Azure Monitor or [other supported features and services](./agents-overview.md#supported-services-and-features), you should start planning your migration to Azure Monitor Agent by using the information in this article and the availability of other solutions/services.

-In addition to consolidating and improving upon legacy Log Analytics agents, Azure Monitor Agent provides additional immediate benefits for **cost savings, simplified management experience, security and performance.** [Learn more about these benefits](./azure-monitor-agent-overview.md#benefits)

-### Before you begin

-1. Review and follow the **[prerequisites](./azure-monitor-agent-manage.md#prerequisites)** for use with Azure Monitor Agent.

- - For non-Azure and on premises servers, [installing the Azure Arc agent](../../azure-arc/servers/agent-overview.md) is required though it's not mandatory to use Azure Arc for management overall. As such, this should incur no additional cost for Arc.

-2. Service (legacy Solutions) requirements - The legacy Log Analytics agents are used by various Azure services to collect required data. If you're not using any additional Azure service, you may skip this step altogether.

- - Use the [AMA Migration Helper](./azure-monitor-agent-migration-tools.md#using-ama-migration-helper) to **discover solutions enabled** on your workspace(s) that use the legacy agents, including the **per-solution migration recommendation<sup>1</sup>** shown under `Workspace overview` tab.

- - If you use Microsoft Sentinel, see [Gap analysis for Microsoft Sentinel](../../sentinel/ama-migrate.md#gap-analysis-between-agents) for a comparison of the extra data collected by Microsoft Sentinel.

-3. **Agent coexistence:** If you're setting up a *new environment* with resources, such as deployment scripts and onboarding templates, install Azure Monitor Agent together with a legacy agent in your new environment to decrease the migration effort later.

- - Be careful when you collect **duplicate data** from the same machine, as this could skew query results, affect downstream features like alerts, dashboards, workbooks and generate **additional cost/charges** for data ingestion and retention. Here are some things that can help

- - If possible, configure the agents to *send the data to different destinations*, i.e. either different workspaces or different tables in same workspace

- - If not used, disable any duplicate data collection from legacy agents by [removing the workspace configurations](./agent-data-sources.md#configure-data-sources)

- - For **Defender for Cloud**, the experiences natively deduplicate data if using both agents. Also you will only be [billed once per machine](../../defender-for-cloud/auto-deploy-azure-monitoring-agent.md#impact-of-running-with-both-the-log-analytics-and-azure-monitor-agents) when running both agents

- - For **Sentinel**, you can easily [disable the legacy connector](../../sentinel/ama-migrate.md#recommended-migration-plan) to stop ingestion of logs from legacy agents.

- - Running two telemetry agents on the same machine **consumes double the resources**, including but not limited to CPU, memory, storage space, and network bandwidth.

-<sup>1</sup> Start testing your scenarios during the preview phase. This will save time, avoid surprises later and ensure you're ready to deploy to production as soon as the service becomes generally available. Moreover you benefit from added security and reduced cost immediately.

-1. **[Create data collection rules](./data-collection-rule-azure-monitor-agent.md#create-a-data-collection-rule)**. You can use the [DCR generator](./azure-monitor-agent-migration-tools.md#installing-and-using-dcr-config-generator)<sup>1</sup> to **automatically convert your legacy agent configuration into data collection rule templates**. Review the generated rules before you create them, to leverage benefits like filtering, granular targeting (per machine), and other optimizations.

-2. Deploy extensions and DCR-associations:

- 1. **Test first** by deploying extensions<sup>2</sup> and DCR-Associations on a few non-production machines. You can also deploy side-by-side on machines running legacy agents (see [agent coexistence](#before-you-begin) section above)

- 2. Once data starts flowing via Azure Monitor agent, **compare it with legacy agent data** to ensure there are no gaps. You can do this by joining with the `Category` column in the [Heartbeat](/azure/azure-monitor/reference/tables/heartbeat) table which indicates 'Azure Monitor Agent' for the new data collection.

- 3. If you are required to run both agents and wish to **avoid double ingestion**, you can disable data collection from legacy agents without uninstalling them yet, by simply [removing the workspace configurations for legacy agents](./agent-data-sources.md#configure-data-sources)

- 4. Post testing, you can **roll out broadly** using [built-in policies](./azure-monitor-agent-manage.md#use-azure-policy) for at-scale deployment of extensions and DCR-associations. **Using policy will also ensure automatic deployment of extensions and DCR-associations for any new machines in future.**

- 5. Throughout this process, use the [AMA Migration Helper](./azure-monitor-agent-migration-tools.md#using-ama-migration-helper) to **monitor the at-scale migration** across your machines

-3. **Validate** that Azure Monitor Agent is collecting data as expected and all **downstream dependencies**, such as dashboards, alerts, and workbooks, function properly. You can do this by joining with/looking at the `Category` column in the [Heartbeat](/azure/azure-monitor/reference/tables/heartbeat) table which indicates 'Azure Monitor Agent' vs 'Direct Agent' (for legacy).

-4. Clean up: After you confirm that Azure Monitor Agent is collecting data properly, you may **choose to either disable or uninstall the legacy Log Analytics agents**

- 1. If you have need to continue using both agents, skip uninstallation and only [disable the legacy data collection](./agent-data-sources.md#configure-data-sources), also described above.

- 2. If you've migrated to Azure Monitor agent for all your requirements, you may [uninstall the Log Analytics agent](./agent-manage.md#uninstall-agent) from monitored resources. Clean up any configuration files, workspace keys, or certificates that were used previously by the Log Analytics agent.

- 3. Don't uninstall the legacy agent if you need to use it for uploading data to System Center Operations Manager.

-<sup>1</sup> The DCR generator only converts the configurations for Windows event logs, Linux syslog and performance counters. Support for additional features and solutions will be available soon

-<sup>2</sup> In addition to the Azure Monitor agent extension, you need to deploy additional extensions required for specific solutions. See [other extensions to be installed here](./agents-overview.md#supported-services-and-features)

-2. Open an elevated admin command prompt window and update path to the location where you downloaded the installer.

-# Create and manage alert rules in Log Analytics with REST API

-> As [announced](https://azure.microsoft.com/updates/switch-api-preference-log-alerts/), Log Analytics workspaces created after *June 1, 2019* manage alert rules by using the current [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules). Customers are encouraged to [switch to the current API](./alerts-log-api-switch.md) in older workspaces to take advantage of Azure Monitor scheduledQueryRules [benefits](./alerts-log-api-switch.md#benefits). This article describes management of alert rules by using the legacy API.

-> The naming of AppFilter in this context can be confusing, `AppFilter` sets the application name regex filter (HostingEnvironment.SiteName in the case of .Net on IIS). `VirtualPathFilter` sets the virtual path regex filter (HostingEnvironment.ApplicationVirtualPath in the case of .Net on IIS). To instrument a single app you would use the VirtualPathFilter as follows: `Enable-ApplicationInsightsMonitoring -InstrumentationKeyMap @(@{VirtualPathFilter="^/MyAppName$"; InstrumentationSettings=@{InstrumentationKey='<your ikey>'}})`

-* **.NET Core version**: All officially [supported .NET Core versions](https://dotnet.microsoft.com/download/dotnet-core) that aren't in preview

-> [!NOTE]

-> ASP.NET Core 6.0 requires [Application Insights 2.19.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore/2.19.0) or later.

-

-

-

-

-

-

-* SDK versions 2.7.1 and later collect performance counters if the application is running in Windows and targets `NETSTANDARD2.0` or later.

-|RequestCollectionOptions.TrackExceptions | Enable/Disable reporting of unhandled exception tracking by the request collection module. | False in NETSTANDARD2.0 (because exceptions are tracked with `ApplicationInsightsLoggerProvider`). True otherwise.

-### Does Application Insights support ASP.NET Core 3.X?

-Yes. Update to [Application Insights SDK for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) version 2.8.0 or later. Earlier versions of the SDK don't support ASP.NET Core 3.X.

-Also, if you're [enabling server-side telemetry based on Visual Studio](#enable-application-insights-server-side-telemetry-visual-studio), update to the latest version of Visual Studio 2019 (16.3.0) to onboard. Earlier versions of Visual Studio don't support automatic onboarding for ASP.NET Core 3.X apps.

-While users can publish any custom `EventCounters` to meet their needs, .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) and higher runtime publishes a set of these counters by default. This document will walk through the steps required to collect and view `EventCounters` (system defined or user defined) in Azure Application Insights.

-For our examples, we're going to use a basic .NET Core 3.1 worker service application. If you want to replicate the test environment used with these examples, follow steps 1-6 in the [Monitoring worker service article](worker-service.md#net-core-lts-worker-service-application). These steps add Application Insights to a basic worker service project template. The concepts apply to any general application where the SDK can be used, including web apps and console apps.

-* [Metrics - Get - REST API](https://learn.microsoft.com/rest/api/application-insights/metrics/get)

-Check the data flow by going to the Azure portal and navigating to the Application Insights resource that you've enabled the SDK for. From there, you can view the data in the "Live Metrics Stream" or "Metrics" sections.

-* [JavaScript SDK advanced topics](javascript-sdk-advanced.md)

-> Monitoring ASP.NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) applications requires Application Insights version 2.8.0 or above. To enable Application Insights, ensure that it's activated in the Azure portal and that the Application Insights NuGet package is included. Without the NuGet package, some telemetry is sent to Application Insights, but that telemetry won't show in Live Metrics.

-## .NET Core LTS Worker Service application

-1. Download and install .NET Core [Long Term Support (LTS)](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

-1. Install the [Microsoft.ApplicationInsights.WorkerService](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService) package to the application.

- Use the same `appsettings.json` from the preceding .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) Worker Service example.

-As mentioned in the beginning of this article, the new package can be used to enable Application Insights telemetry from even a regular console application. This package targets [`NetStandard2.0`](/dotnet/standard/net-standard), so it can be used for console apps in .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or higher, and .NET Framework [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) or higher.

-The full example is shared at this [GitHub page](https://github.com/microsoft/ApplicationInsights-dotnet/tree/develop/examples/ConsoleApp).

-`EventCounterCollectionModule` is enabled by default, and it will collect a default set of counters from .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) apps. The [EventCounter](eventcounters.md) tutorial lists the default set of counters collected. It also has instructions on how to customize the list.

-No. [Azure Monitor Application Insights Agent](./application-insights-asp-net-agent.md) currently supports .NET [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) only.

-Use this sample if you have a .NET Core [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) Worker Service application in accordance with [official guidance](/aspnet/core/fundamentals/host/hosted-services?tabs=visual-studio#worker-service-template).

-You can adjust your ingestion using the [cost optimization settings](../containers/container-insights-cost-config.md) and/or migrating to the Prometheus metrics addon (../essentials/prometheus-metrics-overview.md)

- - Verify you're using [.NET Framework 4.6.1](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed) or later.

-## Configure snapshot collection for apps by using ASP.NET Core LTS or above

-.NET Core versions prior to LTS are out of support and we don't recommend their use.

-|`mount.nfs: access denied by server when mounting volume <SMB_SERVER_NAME-XXX.DOMAIN_NAME>/<VOLUME_NAME>` <br> Example: `smb-test-64d9.contoso.com:/nfs41-vol101` | <ol><li> Ensure that the A/PTR records are properly set up and exist in the Active Directory for the server name `smb-test-64d9.contoso.com`. <br> In the NFS client, if `nslookup` of `smb-test-64d9.contoso.com` resolves to IP address IP1 (that is, `10.1.1.68`), then `nslookup` of IP1 must resolve to only one record (that is, `smb-test-64d9.contoso.com`). `nslookup` of IP1 *must* not resolve to multiple names. </li> <li>Set AES-256 for the NFS machine account of type `NFS-<Smb NETBIOS NAME>-<few random characters>` on AD using either PowerShell or the UI. <br> Example commands: <ul><li>`Set-ADComputer <NFS_MACHINE_ACCOUNT_NAME> -KerberosEncryptionType AES256` </li><li>`Set-ADComputer NFS-SMB-TEST-64 -KerberosEncryptionType AES256` </li></ul> </li> <li>Ensure that the time of the NFS client, AD, and Azure NetApp Files storage software is synchronized with each other and is within a five-minute skew range. </li> <li>Get the Kerberos ticket on the NFS client using the command `kinit <administrator>`.</li> <li>Reduce the NFS client hostname to fewer than 15 characters and perform the realm join again. </li><li>Restart the NFS client and the `rpcgssd` service as follows. The command might vary depending on the OS.<br> RHEL 7: <br> `service nfs restart` <br> `service rpcgssd restart` <br> CentOS 8: <br> `systemctl enable nfs-client.target && systemctl start nfs-client.target` <br> Ubuntu: <br> (Restart the `rpc-gssd` service.) <br> `sudo systemctl start rpc-gssd.service` </ul>|

-1. Press F12 to launch the developer tools. You can also launch the tools from the toolbar menu under **More tools** > **Developer tools**.

-1. By default, the browser keeps trace information only for the page that's currently loaded. Set the following options so the browser keeps all trace information, even if your repro steps require going to more than one page:

- 1. Select the **Network** tab, then select **Preserve log**.

-resource storageAcct 'Microsoft.Storage/storageAccounts@2021-06-01' = [for i in range(0, storageCount): {

-resource storageAcct 'Microsoft.Storage/storageAccounts@2021-06-01' = [for name in storageNames: {

-resource storageAccountResources 'Microsoft.Storage/storageAccounts@2021-06-01' = [for (config, i) in storageConfigurations: {

-resource storageAcct 'Microsoft.Storage/storageAccounts@2021-06-01' = [for i in range(0, 4): {

-resource stg 'Microsoft.Storage/storageAccounts@2021-06-01' = {

-resource stg 'Microsoft.Storage/storageAccounts@2021-06-01' = {

-If you're managed application definition is less than 120 MB and you don't want to use your own storage account, go to [Quickstart: Create and publish an Azure Managed Application definition](publish-service-catalog-app.md).

-description: Learn how to attach an Azure disk pool surfaced through an iSCSI target as the VMware vSphere datastore of an Azure VMware Solution private cloud. Once the datastore is configured, you can create volumes on it and consume them from your Azure VMware Solution private cloud.

-#Customer intent: As an Azure service administrator, I want to scale my AVS hosts using disk pools instead of scaling clusters. So that I can use block storage for active working sets and tier less frequently accessed data from vSAN to disks. I can also replicate data from on-premises or primary VMware vSphere environment to disk storage for the secondary site.

-# Attach disk pools to Azure VMware Solution hosts

-[Azure disk pools](../virtual-machines/disks-pools.md) offer persistent block storage to applications and workloads backed by Azure Disks. You can use disks as the persistent storage for Azure VMware Solution for optimal cost and performance. For example, you can scale up by using disk pools instead of scaling clusters if you host storage-intensive workloads. You can also use disks to replicate data from on-premises or primary VMware vSphere environments to disk storage for the secondary site. To scale storage independent of the Azure VMware Solution hosts, we support surfacing [ultra disks](../virtual-machines/disks-types.md#ultra-disks), [premium SSD](../virtual-machines/disks-types.md#premium-ssds) and [standard SSD](../virtual-machines/disks-types.md#standard-ssds) as the datastores.

->[!IMPORTANT]

->We are officially halting the preview of Azure Disk Pools, and it will not be made generally available.

->New customers will not be able to register the `Microsoft.StoragePool` resource provider on their subscription and deploy new Disk Pools.

-> Existing subscriptions registered with Microsoft.StoragePool may continue to deploy and manage disk pools for the time being.

-Azure managed disks are attached to one iSCSI controller virtual machine deployed under the Azure VMware Solution resource group. Disks get deployed as storage targets to a disk pool, and each storage target shows as an iSCSI LUN under the iSCSI target. You can expose a disk pool as an iSCSI target connected to Azure VMware Solution hosts as a datastore. A disk pool surfaces as a single endpoint for all underlying disks added as storage targets. Each disk pool can have only one iSCSI controller.

-The diagram shows how disk pools work with Azure VMware Solution hosts. Each iSCSI controller accesses managed disk using a standard Azure protocol, and the Azure VMware Solution hosts can access the iSCSI controller over iSCSI.

-## Supported regions

-You can only connect the disk pool to an Azure VMware Solution private cloud in the same region. For a list of supported regions, see [Regional availability](../virtual-machines/disks-pools.md#regional-availability). If your private cloud is deployed in a non-supported region, you can redeploy it in a supported region. Azure VMware Solution private cloud and disk pool colocation provide the best performance with minimal network latency.

-## Prerequisites

- - If you select ultra disks, use an Ultra Performance ExpressRoute virtual network gateway for the disk pool network connection to your Azure VMware Solution private cloud and then [enable ExpressRoute FastPath](../expressroute/expressroute-howto-linkvnet-arm.md#configure-expressroute-fastpath).

- - If you select premium SSDs or standard SSDs, use a Standard (1 Gbps) or High Performance (2 Gbps) ExpressRoute virtual network gateway for the disk pool network connection to your Azure VMware Solution private cloud.

- >[!IMPORTANT]

- > The disk pool must be deployed in the same subscription as the VMware cluster, and it must be attached to the same VNET as the VMware cluster.

-## Add a disk pool to your private cloud

-You'll attach to a disk pool surfaced through an iSCSI target as the VMware datastore of an Azure VMware Solution private cloud.

->[!IMPORTANT]

->While in **Public Preview**, only attach a disk pool to a test or non-production cluster.

-# [Azure CLI](#tab/azure-cli)

-Check if the subscription is registered to `Microsoft.AVS`.

-```azurecli

-az provider show -n "Microsoft.AVS" --query registrationState

-```

-If it's not already registered, then register it.

-```azurecli

-az provider register -n "Microsoft.AVS"

-```

-Check if the subscription is registered to `CloudSanExperience` AFEC in Microsoft.AVS.

-```azurecli

-az feature show --name "CloudSanExperience" --namespace "Microsoft.AVS"

-```

-If it's not already registered, then register it.

-```azurecli

-az feature register --name "CloudSanExperience" --namespace "Microsoft.AVS"

-```

-The registration may take approximately 15 minutes to complete, you can use the following command to check status:

-```azurecli

-az feature show --name "CloudSanExperience" --namespace "Microsoft.AVS" --query properties.state

-```

->[!TIP]

->If the registration is stuck in an intermediate state for longer than 15 minutes to complete, unregister and then re-register the flag.

->

->```azurecli

->az feature unregister --name "CloudSanExperience" --namespace "Microsoft.AVS"

->az feature register --name "CloudSanExperience" --namespace "Microsoft.AVS"

->```

-Check if the `vmware `extension is installed.

-```azurecli

-az extension show --name vmware

-```

-If the extension is already installed, check if the version is **3.0.0**. If an older version is installed, update the extension.

-```azurecli

-az extension update --name vmware

-```

-If it's not already installed, install it.

-```azurecli

-az extension add --name vmware

-```

-### Attach the iSCSI LUN

-Create and attach an iSCSI datastore in the Azure VMware Solution private cloud cluster using `Microsoft.StoragePool` provided iSCSI target. The disk pool attaches to a virtual network through a delegated subnet, which is done with the Microsoft.StoragePool/diskPools resource provider. If the subnet isn't delegated, the deployment fails.

-```azurecli

-#Initialize input parameters

-resourceGroupName='<yourRGName>'

-name='<desiredDataStoreName>'

-cluster='<desiredCluster>'

-privateCloud='<privateCloud>'

-lunName='<desiredLunName>'

-az vmware datastore disk-pool-volume create --name $name --resource-group $resourceGroupName --cluster $cluster --private-cloud $privateCloud --target-id /subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/ResourceGroup1/providers/Microsoft.StoragePool/diskPools/mpio-diskpool/iscsiTargets/mpio-iscsi-target --lun-name $lunName

-```

->[!TIP]

->You can display the help on the datastores.

->

-> ```azurecli

-> az vmware datastore -h

-> ```

-To confirm that the attach succeeded, you can use the following commands:

-Show the details of an iSCSI datastore in a private cloud cluster.

-```azurecli

-az vmware datastore show --name MyCloudSANDatastore1 --resource-group MyResourceGroup --cluster -Cluster-1 --private-cloud MyPrivateCloud

-```

-List all the datastores in a private cloud cluster.

-```azurecli

-az vmware datastore list --resource-group MyResourceGroup --cluster Cluster-1 --private-cloud MyPrivateCloud

-```

-# [Portal](#tab/azure-portal)

-### Preview registration

-First, register your subscription to the Microsoft.AVS and CloudSanExperience.

-1. Sign in to the [Azure portal](https://portal.azure.com/).

-1. Search for and select **Subscriptions**.

-1. Select the subscription you want to use and select **Resource providers** under **Settings**.

-1. Search for **Microsoft.AVS**, select it, and select **Register**.

-1. Select **Preview features** under **Settings**.

-1. Search for and register **CloudSanExperience**.

-### Connect your disk pool

-Now that your subscription has been properly registered, you can connect your disk pool to your Azure VMware Solution private cloud cluster.

-> [!IMPORTANT]

-> Your disk pool attaches to a virtual network through a delegated subnet, which is done with the Microsoft.StoragePool resource provider. If the subnet isn't delegated, the deployment fails. See [Delegate subnet permission](../virtual-machines/disks-pools-deploy.md#delegate-subnet-permission) for details.

-1. Navigate to your Azure VMware Solution.

-1. Select **Storage (preview)** under **Manage**.

-1. Select **Connect a disk pool**.

-1. Select the subscription you'd like to use.

-1. Select your disk pool, and the client cluster you'd like to connect it to.

-1. Enable your LUNs (if any), provide a datastore name (by default, the LUN is used), and select **Connect**.

-When the connection succeeds, you will see the datastores added in vCenter.

-## Disconnect a disk pool from your private cloud

-When you disconnect a disk pool, the disk pool resources aren't deleted. There's no maintenance window required for this operation. But, be careful when you do it.

-First, power off the VMs and remove all objects associated with the disk pool datastores, which includes:

- - VMs (remove from inventory)

- - Templates

- - Snapshots

-Then, delete the private cloud datastore.

-1. Navigate to your Azure VMware Solution in the Azure portal.

-1. Select **Storage** under **Manage**.

-1. Select the disk pool you want to disconnect from and select **Disconnect**.

-## Next steps

-Now that you've attached a disk pool to your Azure VMware Solution hosts, you may want to learn about:

- If you have chosen the vaulted backup policy in step 4, you can also select specific containers to backup. Click "Change" under the "Selected containers" column. In the context blade, choose "browse containers to backup" and unselect the ones you don't want to backup.

-| [H16r, H16mr, A8, A9](../virtual-machines/sizes-hpc.md)<br/>[NC24r, NC24rs_v2, NC24rs_v3, ND24rs<sup>*</sup>](../virtual-machines/linux/n-series-driver-setup.md#rdma-network-connectivity) | RDMA | Ubuntu 22.04 LTS, or<br/>CentOS-based HPC<br/>(Azure Marketplace) | Intel MPI 5<br/><br/>Linux RDMA drivers | Enable inter-node communication, disable concurrent task execution |

-| [NC, NCv2, NCv3, NDv2 series](../virtual-machines/linux/n-series-driver-setup.md) | NVIDIA Tesla GPU (varies by series) | Ubuntu 22.04 LTS, or<br/>CentOS 7.3 or 7.4<br/>(Azure Marketplace) | NVIDIA CUDA or CUDA Toolkit drivers | N/A |

-| [NV, NVv2 series](../virtual-machines/linux/n-series-driver-setup.md) | NVIDIA Tesla M60 GPU | Ubuntu 22.04 LTS, or<br/>CentOS 7.3<br/>(Azure Marketplace) | NVIDIA GRID drivers | N/A |

-| [H16r, H16mr, A8, A9](../virtual-machines/sizes-hpc.md)<br/>[NC24r, NC24rs_v2, NC24rs_v3, ND24rs<sup>*</sup>](../virtual-machines/windows/n-series-driver-setup.md#rdma-network-connectivity) | RDMA | Windows Server 2016, 2012 R2, or<br/>2012 (Azure Marketplace) | Microsoft MPI 2012 R2 or later, or<br/> Intel MPI 5<br/><br/>Windows RDMA drivers | Enable inter-node communication, disable concurrent task execution |

-| [NV, NVv2 series](../virtual-machines/windows/n-series-driver-setup.md) | NVIDIA Tesla M60 GPU | Windows Server 2016 or<br/>2012 R2 (Azure Marketplace) | NVIDIA GRID drivers | N/A |

-| [H16r, H16mr, A8, A9](../virtual-machines/sizes-hpc.md) | RDMA | Windows Server 2016, 2012 R2, 2012, or<br/>2008 R2 (Guest OS family) | Microsoft MPI 2012 R2 or later, or<br/>Intel MPI 5<br/><br/>Windows RDMA drivers | Enable inter-node communication,<br/> disable concurrent task execution |

- * [CentOS-based 7.4 HPC](https://azuremarketplace.microsoft.com/marketplace/apps/openlogic.centos-hpc?tab=Overview) - includes RDMA drivers and Intel MPI 5.1

-To run CUDA applications on a pool of Linux NC nodes, you need to install necessary NVIDIA Tesla GPU drivers from the CUDA Toolkit. The following sample steps create and deploy a custom Ubuntu 16.04 LTS image with the GPU drivers:

-To run MPI applications on a pool of Linux H-series nodes, one option is to use the [CentOS-based 7.4 HPC](https://azuremarketplace.microsoft.com/marketplace/apps/openlogic.centos-hpc?tab=Overview) image from the Azure Marketplace. Linux RDMA drivers and Intel MPI are preinstalled. This image also supports Docker container workloads.

-| **Sku** | 7.4 |

- GET https://<accountname>.<region>.batch.azure.com/pools/test3/nodes/tvmps_a3ce79db285d6c124399c5bd3f3cf308d652c89675d9f1f14bfc184476525278_d/extensions/secretext?api-version=2010-01-01

-Specify which visual features you'd like to extract in your analysis. See the [VisualFeatureTypes](/javascript/api/@azure/cognitiveservices-computervision/visualfeaturetypes?view=azure-node-latest&preserve-view=true) enum for a complete list.

-Use the **language** property of the [ComputerVisionClientAnalyzeImageOptionalParams](/javascript/api/@azure/cognitiveservices-computervision/computervisionclientanalyzeimageoptionalparams) input in your Analyze call to specify a language. A method call that specifies a language might look like the following.

-* See the [API reference](https://aka.ms/vision-4-0-ref) to learn more about the API functionality.

-* Speech SDK 1.27.0 was released in April 2023.

-* Requests that use the REST API for short audio and transmit audio directly can contain no more than 60 seconds of audio. The input [audio formats](#audio-formats) are more limited compared to the [Speech SDK](speech-sdk.md).

-| Translator connected |`2` cores, 2-GB memory |`4` cores, 8-GB memory | 4 |

-The Translator container image can be found on the `mcr.microsoft.com` container registry syndicate. It resides within the `azure-cognitive-services/translator` repository and is named `text-translation`. The fully qualified container image name is `mcr.microsoft.com/azure-cognitive-services/translator/text-translation:1.0.019410001-amd64-preview`.

-To use the latest version of the container, you can use the `latest` tag. You can also find a full list of [tags on the MCR](https://mcr.microsoft.com/product/azure-cognitive-services/translator/text-translation/tags).

-mcr.microsoft.com/azure-cognitive-services/translator/text-translation:1.0.019410001-amd64-preview

-| ```suffix```| string | Optional | null | he suffix that comes after a completion of inserted text. |

-echo export AZURE_OPENAI_API_KEY="REPLACE_WITH_YOUR_KEY_VALUE_HERE" >> /etc/environment && source /etc/environment

-```

-```Bash

-echo export AZURE_OPENAI_ENDPOINT="REPLACE_WITH_YOUR_ENDPOINT_HERE" >> /etc/environment && source /etc/environment

-**Output:**

-```cmd

-**Output:**

-```cmd

-**Output:**

-```cmd

-**Output:**

-```cmd

-**Output:**

-```cmd

-We're adding new capabilities to Azure Communication Services all the time, so we created this page to share the latest developments in the platform. Bookmark this page and make it your go-to resource to find out all the latest capabilities of Azure Communication Services.

-## Updated documentation

-We heard your feedback and made it easier to find the documentation you need as quickly and easily as possible. We're making our docs more readable, easier to understand, and more up-to-date. There's a new landing page design and an updated, better organized table of contents. We've added some of the content you've told us you need and will be continuing to do so, and we're editing existing documentation as well. Don't hesitate to use the feedback link at the top of each page to tell us if a page needs refreshing. Thanks!

-## Teams interoperability (General Availability)

-Azure Communication Services can be used to build custom applications and experiences that enable interaction with Microsoft Teams users over voice, video, chat, and screen sharing. The [Communication Services UI Library](./concepts/ui-library/ui-library-overview.md) provides customizable, production-ready UI components that can be easily added to these applications. The following video demonstrates some of the capabilities of Teams interoperability:

-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGTqQ]

-To learn more about teams interoperability, visit the [teams interop overview page](./concepts/teams-interop.md)

-## New calling features

-Our calling team has been working hard to expand and improve our feature set in response to your requests. Some of the new features we've enabled include:

-### Background blur and custom backgrounds (Public Preview)

-Background blur gives users a way to remove visual distractions behind a participant so that callers can engage in a conversation without disruptive activity or confidential information appearing in the background. This feature is especially useful in a context such as telehealth, where a provider or patient might want to obscure their surroundings to protect sensitive information. Background blur can be applied across all virtual appointment scenarios to protect user privacy, including telebanking and virtual hearings. In addition to enhanced confidentiality, the custom backgrounds capability allows for more creativity of expression, allowing users to upload custom backgrounds to host a more fun, personalized calling experience. This feature is currently available on Web Desktop and will be expanding to other platforms in the future.

-*Figure 1: Custom background*

-To learn more about custom backgrounds and background blur, visit the overview on [adding visual effects to your call](./concepts/voice-video-calling/video-effects.md).

-### Raw media access (Public Preview)

-The video media access API provides support for developers to get real-time access to video streams so that they can capture, analyze, and process video content during active calls. Developers can access the incoming call video stream directly on the call object and send custom outgoing video stream during the call. This feature sets the foreground services to support different kinds of video and audio manipulation. Outgoing video access can be captured and implemented with screen sharing, background blur, and video filters before being published to the recipient, allowing viewers to build privacy into their calling experience. In more complex scenarios, video access can be fitted with a virtual environment to support augmented reality. Spatial audio can be injected into remote incoming audio to add music to enhance a waiting room lobby.

-To learn more about raw media access visit the [media access overview](./concepts/voice-video-calling/media-access.md)

-Other new calling features include:

-Take a look at our feature update blog posts from [January](https://techcommunity.microsoft.com/t5/azure-communication-services/azure-communication-services-calling-features-update/ba-p/3735073) and [February](https://techcommunity.microsoft.com/t5/azure-communication-services/azure-communication-services-february-2023-feature-updates/ba-p/3737486) for more detailed information and links to numerous quickstarts.

-## Rooms (Public Preview)

-Azure Communication Services provides a concept of a room for developers who are building structured conversations such as virtual appointments or virtual events. Rooms currently allow voice and video calling.

-To learn more about rooms, visit the [overview page](./concepts/rooms/room-concept.md)

-## Sample Builder Rooms integration

-**We are excited to announce that we have integrated Rooms into our Virtual Appointment Sample.**

-Azure Communication Services (ACS) provides the concept of a room. Rooms allow developers to build structured conversations such as scheduled virtual appointments or virtual events. Rooms allow control through roles and permissions and enable invite-only experiences. Rooms currently allow voice and video calling.

-## Enabling a faster sample building experience

-Data indicates that ~40% of customers abandon the Sample Builder due to the challenging nature of the configuration process, particularly during the Microsoft Bookings setup. To address this issue, we've implemented a solution that streamlines the deployment process by using Rooms for direct virtual appointment creation within the Sample Builder. This change results in a significant reduction of deployment time, as the configuration of Microsoft Bookings isn't enforced, but rather transformed into an optional feature that can be configured in the deployed Sample. Additionally, we've incorporated a feedback button into the Sample Builder and made various enhancements to its accessibility. With Sample Builder, customers can effortlessly customize and deploy their applications to Azure or their Git repository, without the need for any coding expertise.

-*Figure 2: Scheduling experience options.*

-*Figure 3:  Feedback form.*

-Sample Builder is already in General Availability and can be accessed [on Azure portal](https://ms.portal.azure.com/#@microsoft.onmicrosoft.com/resource/subscriptions/50ad1522-5c2c-4d9a-a6c8-67c11ecb75b8/resourceGroups/serooney-tests/providers/Microsoft.Communication/CommunicationServices/email-tests/sample_applications).

-## Call Automation (Public Preview)

-Azure Communication Services Call Automation provides developers the ability to build server-based, intelligent call workflows, and call recording for voice and PSTN channels. The SDKs, available for .NET and Java, uses an action-event model to help you build personalized customer interactions. Your communication applications can listen to real-time call events and perform control plane actions (like answer, transfer, play audio, start recording, etc.) to steer and control calls based on your business logic.

-ACS Call Automation can be used to build calling workflows for customer service scenarios, as depicted in the following high-level architecture. You can answer inbound calls or make outbound calls. Execute actions like playing a welcome message, connecting the customer to a live agent on an ACS Calling SDK client app to answer the incoming call request. With support for ACS PSTN or Direct Routing, you can then connect this workflow back to your contact center.

-*Figure 4: Call Automation Architecture*

-To learn more, visit our [Call Automation overview article](./concepts/call-automation/call-automation.md).

-## Phone number expansion now in General Availability (Generally Available)

- We're excited to announce that we have launched Phone numbers in Canada, United Kingdom, Italy, Ireland and Sweden from Public Preview into General Availability. ACS Direct Offers are now generally available in the following countries and regions: **United States, Puerto Rico, Canada, United Kingdom, Italy, Ireland** and **Sweden**.

-To learn more about the different ways you can acquire a phone number in these regions, visit the [article on how to get and manage phone numbers](./quickstarts/telephony/get-phone-number.md), or [reaching out to the IC3 Service Desk](https://github.com/Azure/Communication/blob/master/special-order-numbers.md). 

- > For more information, see [Configurable token lifetimes in Azure Active Directory](../active-directory/develop/active-directory-configurable-token-lifetimes.md).

- > For more information, see [Configurable token lifetimes in Azure Active Directory](../active-directory/develop/active-directory-configurable-token-lifetimes.md).

-> Secondary index is not supported on the following objects:

-The default cluster size is four driver nodes and four worker nodes (small). As you process more data, larger clusters are recommended. Below are the possible sizing options:

-Dataflow divides the data into partitions and transforms it using different processes. If the data size in a partition is more than the process can hold in memory, the process fails with OOM(out of memory) errors. If dataflow contains huge amounts of data having joins/aggregations, you may want to try changing shuffle partitions in incremental way. You can set it from 50 up to 2000, to avoid OOM errors. **Compute Custom properties** in dataflow runtime, is a way to control your compute requirements. Property name is **Shuffle partitions** and it's integer type. This customization should only be used in known scenarios, otherwise it can cause unnecessary dataflow failures.

-While increasing the shuffle partitions, make sure data is spread across well. A rough number is to have approximately 1.5 GB of data per partition. If data is skewed, increasing the "Shuffle partitions" won't be helpful. For example, if you have 500 GB of data, having a value between 400 to 500 should work. Default limit for shuffle partitions is 200 that works well for approximately 300 GB of data.

-Here are the steps on how it's set in a custom integration runtime. You can't set it for autoresolve integrtaion runtime.

-You can do same by editing JSON file of runtime by adding an array with property name and value after an existing property like *cleanup* property.

-> The JSON editor in Azure Portal for authoring & deploying ADF v1 pipelines will be turned OFF on 31st July 2019. After 31st July 2019, you can continue to use [ADF v1 PowerShell cmdlets](/powershell/module/az.datafactory/), [ADF v1 .Net SDK](/dotnet/api/microsoft.azure.management.datafactories.models), [ADF v1 REST APIs](/rest/api/datafactory/) to author & deploy your ADF v1 pipelines.

-description: Provides information on API throttling limits to plan usage.

-# API throttling guidance for Azure Data Manager for Agriculture.

-The API throttling in Azure Data Manager for Agriculture allows more consistent performance within a time span for customers calling our service APIs. Throttling limits, the number of requests to our service in a time span to prevent overuse of resources. Azure Data Manager for Agriculture is designed to handle a high volume of requests, if an overwhelming number of requests occur by few customers, throttling helps maintain optimal performance and reliability for all customers.

-## DPS API limits

-Per Month |1,000,000 |200,000

-Cascade delete| 1,000| 500,000

-Weather| 500| 250,000

-Cascade delete| 1,000| 100,000

-Weather| 500| 50,000

-VM.Windows_KnownCredentialAccessTools | Suspicious process executed | High

-VM.Windows_SuspiciousAccountCreation | Suspicious Account Creation Detected | Medium

-1. Select **Save and run**.

-1. To commit the pipeline, select **Save and run**.

- > [!NOTE]

- > Currently, this information is available only for GitHub repositories.

-Currently, OSS vulnerabilities, IaC scanning vulnerabilities, and Total code scanning vulnerabilities are only available for GitHub repositories.

-Azure DevOps repositories only have the total exposed secrets available and will show `N/A` for all other fields. You can learn more about how to [Review your findings](defender-for-devops-introduction.md).

-Learn how to add and configure a [catalog](./concept-environments-key-concepts.md#catalogs) in your Azure Deployment Environments Preview dev center. You can use a catalog to provide your development teams with a curated set of infrastructure as code (IaC) templates called [catalog items](./concept-environments-key-concepts.md#catalog-items).

-As of May 2, 2023, the following Azure Digital Twins preview control plane APIs will be retired:

-description: This article provides an overview of Schema Registry support by Azure Event Hubs.

-There's more than one way to deploy Azure Firewall Manager, but the following general process is recommended.

-|Ensure rsync service is not enabled<br /><sub>(181)</sub> |Description: The `rsyncd` service presents a security risk as it uses unencrypted protocols for communication. |Run one of the following commands to disable `rsyncd` : `chkconfig rsyncd off`, `systemctl disable rsyncd`, `update-rc.d rsyncd disable` or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-rsysnc' |

-* Signature, as shown in the image below. For more information, see [Azure access tokens](../active-directory/develop/active-directory-configurable-token-lifetimes.md).

-> For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2 or recent version. If the application is dependent on .Net framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .Net framework. To meet with compliance obligations and to improve security posture, Key Vault connections via TLS 1.0 & 1.1 are considered a security risk, and any connections using old TLS protocols will be disallowed in 2023. You can monitor TLS version used by clients by monitoring Key Vault logs with sample Kusto query [here](monitor-key-vault.md#sample-kusto-queries).

-The key creation tool reads the service principal credentials from the environment variables MHSM_CLIENT_ID and MHSM_CLIENT_SECRET.

-The following section describes different approaches to implement access control for the TLS Offload Library service principal.

-By using [Azure role-based access control (RBAC)](../role-based-access-control/overview.md) for access to lab plans and labs, you can assign the following roles:

- An administrator who creates a lab plan is automatically assigned the lab plan Owner role. The Owner role can:

- - Change the lab plan settings.

- - Grant other administrators access to the lab plan as an Owner or Contributor.

- - Grant educators access to labs as a Creator, Owner, or Contributor.

- - Create and manage all labs in the lab plan.

- An administrator who is assigned the Contributor role can:

- - Change the lab plan settings.

- - Create and manage all labs in the lab plan.

- However, the Contributor *can't* grant other users access to either lab plans or labs.

- When set on the lab plan, this role enables the user account to create labs from the lab plan. The user account can also see existing labs that are in the same resource group as the lab plan. When applied to a resource group, this role enables the user to view existing lab and create new labs. They'll have full control over any labs they create as they're assigned as Owner to those created labs. For more information, see [Add a user to the Lab Creator role](./quick-create-resources.md#add-a-user-to-the-lab-creator-role).

- When applied to an existing lab, this role enables the user to fully manage the lab. When applied to a resource group, this role enables the user account to fully manage existing labs and create new labs in that resource group.

- A key difference between the lab Owner and Contributor roles is that only an Owner can grant other users access to manage a lab. A Contributor *can't* grant other users access to manage a lab.

- When applied to a resource group or a lab, this role enables the user to have limited ability to manage existing labs. This role won't give the user the ability to create new labs. In an existing lab, the user can manage users, adjust individual users' quota, manage schedules, and start/stop VMs. The user account will be able to publish a lab. The user won't have the ability to change lab capacity or change quota at the lab level. The user won't be able to change the template title or description.

- When applied to a resource group or a lab, this role enables the user to view an existing lab. Lab assistants can only perform actions on the lab VMs (reset, start, stop, connect) and send invitations to the lab. They don't have the ability to change a lab, create a lab, publish a lab, change lab capacity, or manage lab quota, individual quota nor schedules.

- When applied to a resource group, enables the user to fully control all Lab Services scenarios in that resource group.

- When applied to a resource group, enables the user to view, but not change, all lab plans and lab resources. External resources like image galleries and virtual networks that may be connected to a lab plan aren't included.

-When you're assigning roles, it helps to follow these tips:

-For more detail about the permissions assigned to each role, see [Azure built-in roles](../role-based-access-control/built-in-roles.md#lab-assistant)

-1. Confirm that you see all the labs in the selected resource group. On the lab's tile, you see the number of virtual machines in the lab and the quota for each user.

- 

- 

-

-* Standard SKU public IP.

-## Ubuntu (17.10 or higher)

-1. Edit the **`/etc/dhcp/dhclient.conf`** file, and add the following line:

- timeout 10;

-2. Create a new file in the cloud.cfg.d folder that will retain your configuration through reboots. **The information in this file will override the default [NETPLAN]( https://netplan.io) config (in YAML configuration files at this location: /etc/netplan/*.yaml)**.

- Create a */etc/cloud/cloud.config.d/91-azure-network.cfg* file. Ensure that **`dhcp6: true`** is reflected under the required interface, as shown by the sample below:

- ```config

- network:

- version: 2

- ethernets:

- eth0:

- dhcp4: true

- dhcp6: true

- match:

- driver: hv_netvsc

- set-name: eth0

-3. Save the file and reboot.

-4. Use **`ifconfig`** to verify virtual machine received IPv6 address.

- If **`ifconfig`** isn't installed, run the following commands:

- sudo apt update

- sudo apt install net-tools

- :::image type="content" source="./media/load-balancer-ipv6-for-linux/ipv6-ip-address-ifconfig.png" alt-text="Screenshot of ifconfig showing IPv6 IP address.":::

-## Debian

-1. Edit the */etc/dhcp/dhclient6.conf* file, and add the following line:

- ```config

- timeout 10;

-2. Edit the */etc/network/interfaces* file, and add the following configuration:

- iface eth0 inet6 auto

- up sleep 5

- up dhclient -1 -6 -cf /etc/dhcp/dhclient6.conf -lf /var/lib/dhcp/dhclient6.eth0.leases -v eth0 || true

- ```

- ```

-## RHEL, CentOS, and Oracle Linux

-1. Edit the */etc/sysconfig/network* file, and add the following parameter:

- NETWORKING_IPV6=yes

-2. Edit the */etc/sysconfig/network-scripts/ifcfg-eth0* file, and add the following two parameters:

- IPV6INIT=yes

- DHCPV6C=yes

- ```

-## SLES 11 and openSUSE 13

-Recent SUSE Linux Enterprise Server (SLES) and openSUSE images in Azure have been pre-configured with DHCPv6. No other changes are required when you use these images. If you have a VM that's based on an older or custom SUSE image, follow the steps below:

-1. Install the `dhcp-client` package, if needed:

- ```bash

- sudo zypper install dhcp-client

-2. Edit the */etc/sysconfig/network/ifcfg-eth0* file, and add the following parameter:

- ```config

- DHCLIENT6_MODE='managed'

-

-3. Renew the IPv6 address:

- sudo ifdown eth0 && sudo ifup eth0

-## SLES 12 and openSUSE Leap

-Recent SLES and openSUSE images in Azure have been pre-configured with DHCPv6. No other changes are required when you use these images. If you have a VM that's based on an older or custom SUSE image, follow the steps below:

-1. Edit the */etc/sysconfig/network/ifcfg-eth0* file, and replace the `#BOOTPROTO='dhcp4'` parameter with the following value:

- BOOTPROTO='dhcp'

-2. To the */etc/sysconfig/network/ifcfg-eth0* file, add the following parameter:

- DHCLIENT6_MODE='managed'

-3. Renew the IPv6 address:

-## CoreOS

-Recent CoreOS images in Azure have been pre-configured with DHCPv6. No other changes are required when you use these images. If you have a VM based on an older or custom CoreOS image, follow the steps below:

- 1. Get a handle to the subscription. `ml_client` will be used in all the Python code in this article.

- * (Optional) If you're working on a [sovereign cloud](reference-machine-learning-cloud-parity.md)**, specify the sovereign cloud to authenticate with into the `DefaultAzureCredential`..

-* If you're using Azure Container Registry (ACR), Storage Account, Key Vault, or Application Insights in the different subscription than the workspace, you cannot use network isolation with managed online endpoints. If you want to use network isolation with managed online endpoints, you must have ACR, Storage Account, Key Vault, and Application Insights in the same subscription with the workspace. For limitations that apply to network isolation with managed online endpoints, see [How to secure online endpoint](how-to-secure-online-endpoint.md#limitations).

-You can create a workspace [directly in Azure Machine Learning studio](./quickstart-create-resources.md#create-the-workspace), with limited options available. Or use one of the methods below for more control of options.

-* **Default specification.** By default, dependent resources and the resource group will be created automatically. This code creates a workspace named `myworkspace` and a resource group named `myresourcegroup` in `eastus2`.

-1. When you're finished configuring the workspace, select **Review + Create**. Optionally, use the [Networking](#networking) and [Advanced](#advanced) sections to configure more settings for the workspace.

-> Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.

-> Before following these steps, you must first perform the following actions:

-If you'll be running your code on a [compute instance](quickstart-create-resources.md), skip this step. The compute instance will create and store copy of this file for you.

-* **With a configuration file:** This code will read the contents of the configuration file to find your workspace. You'll get a prompt to sign in if you aren't already authenticated.

-The Azure Machine Learning workspace uses Azure Container Registry (ACR) for some operations. It will automatically create an ACR instance when it first needs one.

-| East Asia (Hong Kong) | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |

-| [Multi-tier web application built for high availability and disaster recovery ](/azure/architecture/example-scenario/infrastructure/multi-tier-app-disaster-recovery) | Deploys resilient multi-tier applications built for high availability and disaster recovery. If the primary region becomes unavailable, Traffic Manager fails over to the secondary region. |

-The following table includes articles that describe how protect your network resources using Azure Networking services.

-|Display name|Metric ID|Unit|Description|

-|||||

-|**Active Connections**|`active_connections`|Count|Number of connections to your server.|

-|**Backup Storage Used**|`backup_storage_used`|Bytes|Amount of backup storage used. This metric represents the sum of storage that's consumed by all the full backups, differential backups, and log backups that are retained based on the backup retention period that's set for the server. The frequency of the backups is service managed. For geo-redundant storage, backup storage usage is twice the usage for locally redundant storage.|

-|**Failed Connections**|`connections_failed`|Count|Number of failed connections.|

-|**Succeeded Connections** |`connections_succeeded`|Count |Number of succeeded connections.|

-|**CPU Credits Consumed**|`cpu_credits_consumed` |Count |Number of credits used by the flexible server. Applies to the Burstable tier.|

-|**CPU Credits Remaining** |`cpu_credits_remaining`|Count |Number of credits available to burst. Applies to the Burstable tier. |

-|**CPU percent** |`cpu_percent`|Percent |Percentage of CPU in use.|

-|**Disk Queue Depth**|`disk_queue_depth` |Count |Number of outstanding I/O operations to the data disk.|

-|**IOPS**|`iops` |Count |Number of I/O operations to disk per second.|

-|**Maximum Used Transaction IDs**|`maximum_used_transactionIDs`|Count |Maximum number of transaction IDs in use. |

-|**Memory percent**|`memory_percent` |Percent |Percentage of memory in use. |

-|**Network Out** |`network_bytes_egress` |Bytes |Amount of outgoing network traffic.|

-|**Network In**|`network_bytes_ingress`|Bytes |Amount of incoming network traffic.|

-|**Read IOPS** |`read_iops`|Count |Number of data disk I/O read operations per second. |

-|**Read Throughput** |`read_throughput`|Bytes |Bytes read per second from disk. |

-|**Storage Free**|`storage_free` |Bytes |Amount of storage space that's available.|

-|**Storage percent** |`storage_percent`|Percentage|Percent of storage space that's used. The storage that's used by the service can include database files, transaction logs, and server logs.|

-|**Storage Used**|`storage_used` |Bytes |Amount of storage space that's used. The storage that's used by the service can include the database files, transaction logs, and the server logs.|

-|**Transaction Log Storage Used**|`txlogs_storage_used`|Bytes |Amount of storage space that's used by the transaction logs. |

-|**Write Throughput**|`write_throughput` |Bytes |Bytes written to disk per second.|

-|**Write IOPS**|`write_iops` |Count |Number of data disk I/O write operations per second.|

-Is-db-alive is an database server availability metric for Azure Postgres Flexible Server, that returns boolean `[1 for available]` and `[0 for not-available]`. Each metric is emitted at a *1 minute* frequency, and has up to *93 days* of retention. Customers can configure alerts on the metric.

-|**Database Is Alive** (Preview) |is-db-alive |Boolean|Indicates if the database is up or not |N/a |Yes |

-| Azure API Management | All public regions | | Preview <br/> [Connect privately to API Management using a private endpoint.](../api-management/private-endpoint.md) |

-[Azure Energy Data Services](reliability-energy-data-services.md )|

-Azure Route Server, however, will advertise a larger subnet than the VNet address space that is learned from the NVA. It's possible to advertise from the NVA a supernet of what you have in your virtual network. For example, if your virtual network uses the RFC 1918 address space `10.0.0.0/16`, your NVA can advertise `10.0.0.0/8` to the Azure Route Server and these prefixes will be injected into the hub and spoke VNets. This VNet behavior is referenced in [About BGP with VPN Gateway](../vpn-gateway/vpn-gateway-bgp-overview.md#can-i-advertise-the-exact-prefixes-as-my-virtual-network-prefixes).

-You can integrate with an exiting Private DNS Zone by providing the following values in your tfvars files:

-| **References** | [Crypto Obfuscation For .Net](https://www.ssware.com/cryptoobfuscator/obfuscator-net.htm) |

-description: Monitor linux-based devices by forwarding syslog data to a Log Analytics workspace.

-| [DNS Activity](normalization-schema-dns.md) | 0.1.6 | Preview |

-| [File Activity](normalization-schema-file-event.md) | 0.2 | Preview |

-| [Network Session](normalization-schema.md) | 0.2.5 | Preview |

-| <a name="usertype"></a>**UserType** | Optional | UserType | The type of source user. Supported values include: `Regular`, `Machine`, `Admin`, `System`, `Application`, `Service Principal`, and `Other`. The value might be provided in the source record by using different terms, which should be normalized to these values. Store the original value in the [OriginalUserType](#originalusertype) field. |

-description: In this tutorial, learn how to detect exploits of the Apache Log4j vulnerability in any of your susceptible systems with Microsoft Sentinel analytics rules, taking advantage of alert enrichment capabilities to surface as much information as possible to benefit an investigation.

-# Tutorial: Detect Log4j vulnerability exploits in your systems and produce enriched alerts

-# Tutorial: Use playbooks with automation rules in Microsoft Sentinel

-| **Windows Security events** | 4624: An account was successfully logged on<br>4625: An account failed to log on<br>4648: A logon was attempted using explicit credentials<br>4672: Special privileges assigned to new logon<br>4688: A new process has been created |

-### Microsoft Defender for Identity alerts now available in Government Community Cloud

-Microsoft Defender for Identity alerts are now available in Government Community Cloud (GCC).

-If you previously used the MDI alerts connector, with the introduction of the new alerts, the `UniqueExternalId` field is no longer populated. The ID represents the alert, and was formerly located in the `ExternalProperties` field. You can now be obtain the ID through the `AlertName` field, which contains the alert’s name.

-If you've used this ID in your custom queries, we recommend that you adjust your queries accordingly. Review the [Security alert name mapping and unique external IDs](/defender-for-identity/alerts-overview#security-alert-name-mapping-and-unique-external-ids).

-| Java |  | |  |  |

-> Deployment of Service Fabric applications with managed identities are supported starting with API version `"2019-06-01-preview"`. You can also use the same API version for application type, application type version and service resources. The minimum supported Service Fabric runtime is 6.5 CU2. In addition, the build / package environment should also have the SF .Net SDK at CU2 or higher

- ```bash

- ```

- ./uninstall.sh -Y

-To use your default subscription, create the context by calling the `New-AzStorageContext` cmdlet. Include the `-UseConnectedAccount` parameter so that data operations will be performed using your Azure AD credentials.

-All blob data is stored within containers, so you'll need at least one container resource before you can upload data. If needed, use the following example to create a storage container. For more information, see [Managing blob containers using PowerShell](blob-containers-powershell.md).

-When you use the following examples, you'll need to replace the placeholder values in brackets with your own values. For more information about signing into Azure with PowerShell, see [Sign in with Azure PowerShell](/powershell/azure/authenticate-azureps).

-To upload a file to a block blob, pass the required parameter values to the `Set-AzStorageBlobContent` cmdlet. Supply the path and file name with the `-File` parameter, and the name of the container with the `-Container` parameter. You'll also need to provide a reference to the context object with the `-Context` parameter.

-To download a single named blob, you can call the cmdlet directly and supply values for the `-Blob` and `-Container` parameters. The blob will be downloaded to the working PowerShell directory by default, but an alternate location can be specified. To change the target location, a valid, existing path must be passed with the `-Destination` parameter. Because the operation can't create a destination, it will fail with an error if your specified path doesn't exist.

-The result displays a list of the blob's properties as shown below.

-Blob metadata is an optional set of name/value pairs associated with a blob. As shown in the previous example, there's no metadata associated with a blob initially, though it can be added when necessary. To update blob metadata, you'll use the `BlobClient.UpdateMetadata` method. This method only accepts key-value pairs stored in a generic `IDictionary` object. For more information, see the [BlobClient](/dotnet/api/azure.storage.blobs.blobclient) class definition.

-The result returns the blob's newly updated metadata as shown below.

-The source blob for a copy operation may be a block blob, an append blob, a page blob, or a snapshot. If the destination blob already exists, it must be of the same blob type as the source blob. An existing destination blob will be overwritten.

-Changing tiers from **Cool** or **Hot** to **Archive** take place almost immediately. After a blob is moved to the **Archive** tier, it's considered to be offline, and can't be read or modified. Before you can read or modify an archived blob's data, you'll need to rehydrate it to an online tier. Read more about [Blob rehydration from the Archive tier](archive-rehydrate-overview.md).

-The following example illustrates how to add blob index tags to a series of blobs. The example reads data from an XML file and uses it to create index tags on several blobs. To use the sample code, create a local *blob-list.xml* file in your *C:\temp* directory. The XML data is provided below.

-You can delete either a single blob or series of blobs with the `Remove-AzStorageBlob` cmdlet. When deleting multiple blobs, you can utilize conditional operations, loops, or the PowerShell pipeline as shown in the examples below.

-In some cases, it's possible to retrieve blobs that have been deleted. If your storage account's soft delete data protection option is enabled, the `-IncludeDeleted` parameter will return blobs deleted within the associated retention period. To learn more about soft delete, refer to the [Soft delete for blobs](soft-delete-blob-overview.md) article.

-If blob versioning and blob soft delete are both enabled, then modifying, overwriting, deleting, or restoring a blob automatically creates a new version. The method you'll use to restore a deleted blob will depend upon whether versioning is enabled on your storage account.

-Before you can follow this example, you'll need to enable soft delete or versioning on at least one of your storage accounts.

- # Get all blobs and versions using -Unique

- # to avoid processing duplicates/versions

- $blobs = Get-AzStorageBlob `

- -Container $containerName `

- -Context $ctx -IncludeVersion | `

- Where-Object {$_.VersionId -ne $null} | `

- Sort-Object -Property Name -Unique

- # Iterate the collection

- foreach ($blob in $blobs)

- # Process versions

- if($blob.VersionId -ne $null)

-

- # Get all versions of the blob, newest to oldest

- $delBlob = Get-AzStorageBlob `

- -Container $containerName `

- -Context $ctx `

- -Prefix $blob.Name `

- -IncludeDeleted -IncludeVersion | `

- Sort-Object -Property VersionId -Descending

- # Verify that the newest version is NOT the latest (that the version is "deleted")

- if (-Not $delBlob[0].IsLatestVersion)

- $delBlob[0] | Copy-AzStorageBlob `

- -DestContainer $containerName `

- -DestBlob $delBlob[0].Name

- }

- #Dispose the temporary object

- $delBlob = $null

- > [!IMPORTANT]

- > There may be a delay of a few minutes after validation is complete before the Prepare button is enabled.

- 1. Under **Issue type**, select **Technical**.

- 1. Under **Subscription**, select your subscription.

- 1. Under **Service**, select **My services**.

- 1. Under **Service type**, search for and select **Storage Account Management**.

- 1. Under **Resource**, select the resource you want to migrate.

- 1. Under **Summary**, type a description of your issue.

- 1. Under **Problem type**, select **Migrate a classic storage account to Azure Resource Manager**.

-| Windows 10, version 22H2 | SMB 3.1.1 | Yes | AES-256-GCM |

-Azure Stream Analytics jobs can be easily stopped or deleted through the Azure portal, Azure PowerShell, Azure SDK for .Net, or REST API. A Stream Analytics job cannot be recovered once it has been deleted.