+ Title: Glossary of terms in the Microsoft identity platform

+description: Definitions of terms commonly found in Microsoft identity platform documentation, Azure portal, and authentication SDKs like the Microsoft Authentication Library (MSAL).

+# Glossary: Microsoft identity platform

+You'll see these terms when you use our documentation, the Azure portal, our authentication libraries, and the Microsoft Graph API. Some terms are Microsoft-specific while others are related to protocols like OAuth or other technologies you use with the Microsoft identity platform.

+A type of [security token](#security-token) issued by an [authorization server](#authorization-server) and used by a [client application](#client-application) to access a [protected resource server](#resource-server). Typically in the form of a [JSON Web Token (JWT)][JWT], the token embodies the authorization granted to the client by the [resource owner](#resource-owner), for a requested level of access. The token contains all applicable [claims](#claim) about the subject, enabling the client application to use it as a form of credential when accessing a given resource. This also eliminates the need for the resource owner to expose credentials to the client.

+Access tokens are only valid for a short period of time and can't be revoked. An authorization server may also issue a [refresh token](#refresh-token) when the access token is issued. Refresh tokens are typically provided only to confidential client applications.

+- ["Authorization code" authorization grant](#authorization-grant), the end user authenticates first as the resource owner, delegating authorization to the client to access the resource. The client authenticates afterward when obtaining the access token. The token can sometimes be referred to more specifically as a "User+App" token, as it represents both the user that authorized the client application, and the application.

+- ["Client credentials" authorization grant](#authorization-grant), the client provides the sole authentication, functioning without the resource-owner's authentication/authorization, so the token can sometimes be referred to as an "App-Only" token.

+Another term for the [client application](#client-application). The actor is the party acting on behalf of a subject ([resource owner](#resource-owner)).

+## Application (client) ID

+The application ID, or _[client ID](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2)_, is a value the Microsoft identity platform assigns to your application when you register it in Azure AD. The application ID is a GUID value that uniquely identifies the application and its configuration within the identity platform. You add the app ID to your application's code, and authentication libraries include the value in their requests to the identity platform at application runtime. The application (client) ID isn't a secret - don't use it as a password or other credential.

+When you register/update an application in the [Azure portal][AZURE-portal], the portal creates/updates both an application object and a corresponding [service principal object](#service-principal-object) for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where it has access), providing a template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant).

+In order to allow an application to integrate with and delegate Identity and Access Management functions to Azure AD, it must be registered with an Azure AD [tenant](#tenant). When you register your application with Azure AD, you're providing an identity configuration for your application, allowing it to integrate with Azure AD and use features like:

+- Robust management of Single Sign-On using Azure AD Identity Management and [OpenID Connect][OpenIDConnect] protocol implementation

+- Brokered access to [protected resources](#resource-server) by [client applications](#client-application), via OAuth 2.0 [authorization server](#authorization-server)

+- [Consent framework](#consent) for managing client access to protected resources, based on resource owner authorization.

+The act of challenging a party for legitimate credentials, providing the basis for creation of a security principal to be used for identity and access control. During an [OAuth 2.0 authorization grant](#authorization-grant) for example, the party authenticating is filling the role of either [resource owner](#resource-owner) or [client application](#client-application), depending on the grant used.

+- During an [OAuth 2.0 authorization grant](#authorization-grant) flow: when the [resource owner](#resource-owner) grants authorization to the [client application](#client-application), allowing the client to access the resource owner's resources.

+- During resource access by the client: as implemented by the [resource server](#resource-server), using the [claim](#claim) values present in the [access token](#access-token) to make access control decisions based upon them.

+A short-lived value provided by the [authorization endpoint](#authorization-endpoint) to a [client application](#client-application) during the OAuth 2.0 _authorization code grant flow_, one of the four OAuth 2.0 [authorization grants](#authorization-grant). Also called an _auth code_, the authorization code is returned to the client application in response to the authentication of a [resource owner](#resource-owner). The auth code indicates the resource owner has delegated authorization to the client application to access their resources. As part of the flow, the auth code is later redeemed for an [access token](#access-token).

+One of the endpoints implemented by the [authorization server](#authorization-server), used to interact with the [resource owner](#resource-owner) to provide an [authorization grant](#authorization-grant) during an OAuth 2.0 authorization grant flow. Depending on the authorization grant flow used, the actual grant provided can vary, including an [authorization code](#authorization-code) or [security token](#security-token).

+See the OAuth 2.0 specification's [authorization grant types][OAuth2-AuthZ-Grant-Types] and [authorization endpoint][OAuth2-AuthZ-Endpoint] sections, and the [OpenIDConnect specification][OpenIDConnect-AuthZ-Endpoint] for more details.

+A credential representing the [resource owner's](#resource-owner) [authorization](#authorization) to access its protected resources, granted to a [client application](#client-application). A client application can use one of the [four grant types defined by the OAuth 2.0 Authorization Framework][OAuth2-AuthZ-Grant-Types] to obtain a grant, depending on client type/requirements: "authorization code grant", "client credentials grant", "implicit grant", and "resource owner password credentials grant". The credential returned to the client is either an [access token](#access-token), or an [authorization code](#authorization-code) (exchanged later for an access token), depending on the type of authorization grant used.

+As defined by the [OAuth 2.0 Authorization Framework][OAuth2-Role-Def], the server responsible for issuing access tokens to the [client](#client-application) after successfully authenticating the [resource owner](#resource-owner) and obtaining its authorization. A [client application](#client-application) interacts with the authorization server at runtime via its [authorization](#authorization-endpoint) and [token](#token-endpoint) endpoints, in accordance with the OAuth 2.0 defined [authorization grants](#authorization-grant).

+Claims are name/values pairs in a [security token](#security-token) that provide assertions made by one entity to another. These entities are typically the [client application](#client-application) or a [resource owner](#resource-owner) providing assertions to a [resource server](#resource-server). Claims relay facts about the token subject like the ID of the security principal that was authenticated by the [authorization server](#authorization-server). The claims present in a token can vary and depend on several factors like the type of token, type of credential used for authenticating the subject, the application configuration, and others.

+Also known as the "[actor](#actor)". As defined by the [OAuth 2.0 Authorization Framework][OAuth2-Role-Def], an application that makes protected resource requests on behalf of the [resource owner](#resource-owner). They receive permissions from the resource owner in the form of scopes. The term "client" doesn't imply any particular hardware implementation characteristics (for instance, whether the application executes on a server, a desktop, or other devices).

+A client application requests [authorization](#authorization) from a resource owner to participate in an [OAuth 2.0 authorization grant](#authorization-grant) flow, and may access APIs/data on the resource owner's behalf. The OAuth 2.0 Authorization Framework [defines two types of clients][OAuth2-Client-Types], "confidential" and "public", based on the client's ability to maintain the confidentiality of its credentials. Applications can implement a [web client (confidential)](#web-client) which runs on a web server, a [native client (public)](#native-client) installed on a device, or a [user-agent-based client (public)](#user-agent-based-client) which runs in a device's browser.

+An [OpenID Connect][OpenIDConnect-ID-Token] [security token](#security-token) provided by an [authorization server's](#authorization-server) [authorization endpoint](#authorization-endpoint), which contains [claims](#claim) pertaining to the authentication of an end user [resource owner](#resource-owner). Like an access token, ID tokens are also represented as a digitally signed [JSON Web Token (JWT)][JWT]. Unlike an access token though, an ID token's claims aren't used for purposes related to resource access and specifically access control.

+The Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) identity service and developer platform. It allows developers to build applications that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or APIs that developers have built. It's a full-featured platform that consists of an authentication service, libraries, application registration and configuration, full developer documentation, code samples, and other developer content. The Microsoft identity platform supports industry standard protocols such as OAuth 2.0 and OpenID Connect.

+A type of [client application](#client-application) that is installed natively on a device. Since all code is executed on a device, it's considered a "public" client due to its inability to store credentials privately/confidentially. See [OAuth 2.0 client types and profiles][OAuth2-Client-Types] for more details.

+- "Delegated" permissions, which specify [scope-based](#scopes) access using delegated authorization from the signed-in [resource owner](#resource-owner), are presented to the resource at run-time as ["scp" claims](#claim) in the client's [access token](#access-token). These indicate the permission granted to the [actor](#actor) by the [subject](#subject).

+- "Application" permissions, which specify [role-based](#roles) access using the client application's credentials/identity, are presented to the resource at run-time as ["roles" claims](#claim) in the client's access token. These indicate permissions granted to the [subject](#subject) by the tenant.

+A type of [security token](#security-token) issued by an [authorization server](#authorization-server). Before an access token expires, a [client application](#client-application) includes its associated refresh token when it requests a new [access token](#access-token) from the authorization server. Refresh tokens are typically formatted as a [JSON Web Token (JWT)][JWT].

+Unlike access tokens, refresh tokens can be revoked. An authorization server denies any request from a client application that includes a refresh token that has been revoked. When the authorization server denies a request that includes a revoked refresh token, the client application loses the permission to access the [resource server](#resource-server) on behalf of the [resource owner](#resource-owner).

+As defined by the [OAuth 2.0 Authorization Framework][OAuth2-Role-Def], an entity capable of granting access to a protected resource. When the resource owner is a person, it's referred to as an end user. For example, when a [client application](#client-application) wants to access a user's mailbox through the [Microsoft Graph API][Microsoft-Graph], it requires permission from the resource owner of the mailbox. The "resource owner" is also sometimes called the [subject](#subject).

+Every [security token](#security-token) represents a resource owner. The resource owner is what the subject [claim](#claim), object ID claim, and personal data in the token represent. Resource owners are the party that grants delegated permissions to a client application, in the form of scopes. Resource owners are also the recipients of [roles](#roles) that indicate expanded permissions within a tenant or on an application.

+As defined by the [OAuth 2.0 Authorization Framework][OAuth2-Role-Def], a server that hosts protected resources, capable of accepting and responding to protected resource requests by [client applications](#client-application) that present an [access token](#access-token). Also known as a protected resource server, or resource application.

+Like [scopes](#scopes), app roles provide a way for a [resource server](#resource-server) to govern access to its protected resources. Unlike scopes, roles represent privileges that the [subject](#subject) has been granted beyond the baseline - this is why reading your own email is a scope, while being an email administrator that can read everyone's email is a role.

+App roles can support two assignment types: "user" assignment implements role-based access control for users/groups that require access to the resource, while "application" assignment implements the same for [client applications](#client-application) that require access. An app role can be defined as user-assignable, app-assignabnle, or both.

+A signed document containing claims, such as an OAuth 2.0 token or SAML 2.0 assertion. For an OAuth 2.0 [authorization grant](#authorization-grant), an [access token](#access-token) (OAuth2), [refresh token](#refresh-token), and an [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) are types of security tokens, all of which are implemented as a [JSON Web Token (JWT)][JWT].

+When you register/update an application in the [Azure portal][AZURE-portal], the portal creates/updates both an [application object](#application-object) and a corresponding service principal object for that tenant. The application object _defines_ the application's identity configuration globally (across all tenants where the associated application has been granted access), and is the template from which its corresponding service principal object(s) are _derived_ for use locally at run-time (in a specific tenant).

+The process of a [client application](#client-application) initiating end-user authentication and capturing related state for requesting a [security token](#security-token) and scoping the application session to that state. State can include artifacts like user profile information, and information derived from token claims.

+Also known as the [resource owner](#resource-owner).

+- a registry service for integrated applications

+- authentication of user accounts and registered applications

+- REST endpoints required to support various protocols including OAuth 2.0 and SAML, including the [authorization endpoint](#authorization-endpoint), [token endpoint](#token-endpoint) and the "common" endpoint used by [multi-tenant applications](#multi-tenant-application).

+One of the endpoints implemented by the [authorization server](#authorization-server) to support OAuth 2.0 [authorization grants](#authorization-grant). Depending on the grant, it can be used to acquire an [access token](#access-token) (and related "refresh" token) to a [client](#client-application), or [ID token](#id-token) when used with the [OpenID Connect][OpenIDConnect] protocol.

+A type of [client application](#client-application) that downloads code from a web server and executes within a user-agent (for instance, a web browser), such as a single-page application (SPA). Since all code is executed on a device, it is considered a "public" client due to its inability to store credentials privately/confidentially. For more information, see [OAuth 2.0 client types and profiles][OAuth2-Client-Types].

+Similar to the way a service principal object is used to represent an application instance, a user principal object is another type of security principal, which represents a user. The Microsoft Graph [User resource type][Graph-User-Resource] defines the schema for a user object, including user-related properties like first and last name, user principal name, directory role membership, etc. This provides the user identity configuration for Azure AD to establish a user principal at run-time. The user principal is used to represent an authenticated user for Single Sign-On, recording [consent](#consent) delegation, making access control decisions, etc.

+A type of [client application](#client-application) that executes all code on a web server, functioning as a _confidential client_ because it can securely store its credentials on the server. For more information, see [OAuth 2.0 client types and profiles][OAuth2-Client-Types].

+An identity used by a software workload like an application, service, script, or container to authenticate and access other services and resources. In Azure AD, workload identities are apps, service principals, and managed identities. For more information, see [workload identity overview](workload-identities-overview.md).

+Many of the terms in this glossary are related to the OAuth 2.0 and OpenID Connect protocols. Though you don't need to know how the protocols work "on the wire" to use the identity platform, knowing some protocol basics can help you more easily build and debug authentication and authorization in your apps:

+- [OAuth 2.0 and OpenID Connect (OIDC) in the Microsoft identity platform](active-directory-v2-protocols.md)

+[OpenIDConnect-ID-Token]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

+ Title: "Tutorial: Create an iOS or macOS app that uses the Microsoft identity platform for authentication"

+description: Build an iOS or macOS app that uses the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API on their behalf.

+When you've completed the tutorial, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) and work or school accounts from any company or organization that uses Azure Active Directory. This tutorial is applicable to both iOS and macOS apps. Some steps are different between the two platforms.

+1. Enter your project's Bundle ID. If downloaded the code sample, the Bundle ID is `com.microsoft.identitysample.MSALiOS`. If you're creating your own project, select your project in Xcode and open the **General** tab. The bundle identifier appears in the **Identity** section.

+1. Select **Configure** and save the **MSAL Configuration** that appears in the **MSAL configuration** page so you can enter it when you configure your app later.

+1. If you're using [CocoaPods](https://cocoapods.org/), install `MSAL` by first creating an empty file called _podfile_ in the same folder as your project's _.xcodeproj_ file. Add the following to _podfile_:

+3. In a terminal window, navigate to the folder that contains the _podfile_ you created and run `pod install` to install the MSAL library.

+If you're using [Carthage](https://github.com/Carthage/Carthage), install `MSAL` by adding it to your _Cartfile_:

+From a terminal window, in the same directory as the updated _Cartfile_, run the following command to have Carthage update the dependencies in your project.

+First, add the following import statement to the top of the _ViewController.swift_ file and either _AppDelegate.swift_ or _SceneDelegate.swift_:

+Next, add the following code to _ViewController.swift_ before to `viewDidLoad()`:

+The only value you modify above is the value assigned to `kClientID` to be your [Application ID](./developer-glossary.md#application-client-id). This value is part of the MSAL Configuration data that you saved during the step at the beginning of this tutorial to register the application in the Azure portal.

+In this step, you'll register `CFBundleURLSchemes` so that the user can be redirected back to the app after sign in. By the way, `LSApplicationQueriesSchemes` also allows your app to make use of Microsoft Authenticator.

+In Xcode, open _Info.plist_ as a source code file, and add the following inside of the `<dict>` section. Replace `[BUNDLE_ID]` with the value you used in the Azure portal. If you downloaded the code, the bundle identifier is `com.microsoft.identitysample.MSALiOS`. If you're creating your own project, select your project in Xcode and open the **General** tab. The bundle identifier appears in the **Identity** section.

+Now create a UI that includes a button to call the Microsoft Graph API, another to sign out, and a text view to see some output by adding the following code to the `ViewController` class:

+To the `ViewController` class, add the `initMSAL` method:

+Still in the `ViewController` class and after the `initMSAL` method, add the `initWebViewParams` method:

+### Handle the sign-in callback (iOS only)

+Open the _AppDelegate.swift_ file. To handle the callback after sign-in, add `MSALPublicClientApplication.handleMSALResponse` to the `appDelegate` class like this:

+**If you are using Xcode 11**, you should place MSAL callback into the _SceneDelegate.swift_ instead.

+MSAL exposes two primary methods for getting tokens: `acquireTokenSilently()` and `acquireTokenInteractively()`.

+- `acquireTokenSilently()` attempts to sign in a user and get tokens without user interaction as long as an account is present. `acquireTokenSilently()` require a valid `MSALAccount` which can be retrieved by using one of MSAL's account enumeration APIs. This tutorial uses `applicationContext.getCurrentAccount(with: msalParameters, completionBlock: {})` to retrieve the current account.

+The following code snippet gets a token for the first time by creating an `MSALInteractiveTokenParameters` object and calling `acquireToken`. Next you'll add code that:

+### iOS only: get additional device information

+This app is built for a single account scenario. MSAL also supports multi-account scenarios, but it requires more application work. You'll need to create UI to help users select which account they want to use for each action that requires tokens. Alternatively, your app can implement a heuristic to select which account to use by querying all accounts from MSAL. For example, see `accountsFromDeviceForParameters:completionBlock:` [API](https://azuread.github.io/microsoft-authentication-library-for-objc/Classes/MSALPublicClientApplication.html#/c:objc(cs)MSALPublicClientApplication(im)accountsFromDeviceForParameters:completionBlock:)

+The first time a user signs into your app, they'll be prompted by Microsoft identity to consent to the permissions requested. While most users are capable of consenting, some Azure AD tenants have disabled user consent, which requires admins to consent on behalf of all users. To support this scenario, register your app's scopes in the Azure portal.

+ Title: 'Tutorial: Azure AD SSO integration with BMIS - Battery Management Information System'

+description: Learn how to configure single sign-on between Azure Active Directory and BMIS - Battery Management Information System.

+# Tutorial: Azure AD SSO integration with BMIS - Battery Management Information System

+In this tutorial, you'll learn how to integrate BMIS - Battery Management Information System with Azure Active Directory (Azure AD). When you integrate BMIS - Battery Management Information System with Azure AD, you can:

+* Control in Azure AD who has access to BMIS - Battery Management Information System.

+* Enable your users to be automatically signed-in to BMIS - Battery Management Information System with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* BMIS - Battery Management Information System single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* BMIS - Battery Management Information System supports **IDP** initiated SSO.

+## Add BMIS - Battery Management Information System from the gallery

+To configure the integration of BMIS - Battery Management Information System into Azure AD, you need to add BMIS - Battery Management Information System from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **BMIS - Battery Management Information System** in the search box.

+1. Select **BMIS - Battery Management Information System** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for BMIS - Battery Management Information System

+Configure and test Azure AD SSO with BMIS - Battery Management Information System using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in BMIS - Battery Management Information System.

+To configure and test Azure AD SSO with BMIS - Battery Management Information System, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure BMIS - Battery Management Information System SSO](#configure-bmisbattery-management-information-system-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create BMIS - Battery Management Information System test user](#create-bmisbattery-management-information-system-test-user)** - to have a counterpart of B.Simon in BMIS - Battery Management Information System that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **BMIS - Battery Management Information System** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.

+1. BMIS - Battery Management Information System application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, BMIS - Battery Management Information System application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirement.

+ | Name | Source Attribute |

+ |-| |

+ | email | user.mail |

+ | first_name | user.givenname |

+ | last_name | user.surname |

+ | user_name | user.mail |

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up BMIS - Battery Management Information System** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to BMIS - Battery Management Information System.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **BMIS - Battery Management Information System**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure BMIS - Battery Management Information System SSO

+To configure single sign-on on **BMIS - Battery Management Information System** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [BMIS - Battery Management Information System support team](mailto:bmissupport@midtronics.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create BMIS - Battery Management Information System test user

+In this section, you create a user called Britta Simon in BMIS - Battery Management Information System. Work with [BMIS - Battery Management Information System support team](mailto:bmissupport@midtronics.com) to add the users in the BMIS - Battery Management Information System platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the BMIS - Battery Management Information System for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the BMIS - Battery Management Information System tile in the My Apps, you should be automatically signed in to the BMIS - Battery Management Information System for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure BMIS - Battery Management Information System you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with E2open LSP'

+description: Learn how to configure single sign-on between Azure Active Directory and E2open LSP.

+# Tutorial: Azure AD SSO integration with E2open LSP

+In this tutorial, you'll learn how to integrate E2open LSP with Azure Active Directory (Azure AD). When you integrate E2open LSP with Azure AD, you can:

+* Control in Azure AD who has access to E2open LSP.

+* Enable your users to be automatically signed-in to E2open LSP with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* E2open LSP single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* E2open LSP supports **SP** initiated SSO.

+## Add E2open LSP from the gallery

+To configure the integration of E2open LSP into Azure AD, you need to add E2open LSP from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **E2open LSP** in the search box.

+1. Select **E2open LSP** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for E2open LSP

+Configure and test Azure AD SSO with E2open LSP using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in E2open LSP.

+To configure and test Azure AD SSO with E2open LSP, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure E2open LSP SSO](#configure-e2open-lsp-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create E2open LSP test user](#create-e2open-lsp-test-user)** - to have a counterpart of B.Simon in E2open LSP that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **E2open LSP** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a URL using the following pattern:

+ `https://<Customer name>-<Environment>.tms-lsp.blujaysolutions.net/navi/saml/metadata`

+

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://<Customer name>-<Environment>.tms-lsp.blujaysolutions.net/navi/sam`

+ c. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<Customer name>-<Environment>.tms-lsp.blujaysolutions.net/navi/`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [E2open LSP Client support team](mailto:customersupport@e2open.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to E2open LSP.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **E2open LSP**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure E2open LSP SSO

+To configure single sign-on on **E2open LSP** side, you need to send the **App Federation Metadata Url** to [E2open LSP support team](mailto:customersupport@e2open.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create E2open LSP test user

+In this section, you create a user called Britta Simon in E2open LSP. Work with [E2open LSP support team](mailto:customersupport@e2open.com) to add the users in the E2open LSP platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to E2open LSP Sign-on URL where you can initiate the login flow.

+* Go to E2open LSP Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the E2open LSP tile in the My Apps, this will redirect to E2open LSP Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure E2open LSP you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ 

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+ 

+ c. Upload the **Federation Metadata XML** file from the Azure portal into the **File upload** textbox by clicking **Browse** option.

+ Title: 'Tutorial: Azure AD SSO integration with GitHub Enterprise Server'

+description: Learn how to configure single sign-on between Azure Active Directory and GitHub Enterprise Server.

+# Tutorial: Azure AD SSO integration with GitHub Enterprise Server

+In this tutorial, you'll learn how to integrate GitHub Enterprise Server with Azure Active Directory (Azure AD). When you integrate GitHub Enterprise Server with Azure AD, you can:

+* Control in Azure AD who has access to GitHub Enterprise Server.

+* Enable your users to be automatically signed-in to GitHub Enterprise Server with their Azure AD accounts.

+* GitHub Enterprise Server, ready for [initialization](https://docs.github.com/github-ae@latest/admin/configuration/initializing-github-ae).

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* GitHub Enterprise Server supports **SP** and **IDP** initiated SSO.

+* GitHub Enterprise Server supports **Just In Time** user provisioning.

+* GitHub Enterprise Server supports [Automated user provisioning](github-ae-provisioning-tutorial.md).

+## Adding GitHub Enterprise Server from the gallery

+To configure the integration of GitHub Enterprise Server into Azure AD, you need to add GitHub Enterprise Server from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **GitHub Enterprise Server** in the search box.

+1. Select **GitHub Enterprise Server** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for GitHub Enterprise Server

+Configure and test Azure AD SSO with GitHub Enterprise Server using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in GitHub Enterprise Server.

+To configure and test Azure AD SSO with GitHub Enterprise Server, perform the following steps:

+1. **[Configure GitHub Enterprise Server SSO](#configure-github-enterprise-server-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create GitHub Enterprise Server test user](#create-github-enterprise-server-test-user)** - to have a counterpart of B.Simon in GitHub Enterprise Server that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **GitHub Enterprise Server** application integration page, find the **Manage** section and select **single sign-on**.

+ 

+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [GitHub Enterprise Server Client support team](mailto:support@github.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. GitHub Enterprise Server application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+ 

+ 

+1. On the **Set up GitHub Enterprise Server** section, copy the appropriate URL(s) based on your requirement.

+ 

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to GitHub Enterprise Server.

+1. In the applications list, select **GitHub Enterprise Server**.

+## Configure GitHub Enterprise Server SSO

+To configure SSO on GitHub Enterprise Server side, you need to follow the instructions mentioned [here](https://docs.github.com/github-ae@latest/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise#enabling-saml-sso).

+### Create GitHub Enterprise Server test user

+In this section, a user called B.Simon is created in GitHub Enterprise Server. GitHub Enterprise Server supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in GitHub Enterprise Server, a new one is created after authentication.

+GitHub Enterprise Server also supports automatic user provisioning, you can find more details [here](./github-ae-provisioning-tutorial.md) on how to configure automatic user provisioning.

+* Click on **Test this application** in Azure portal. This will redirect to GitHub Enterprise Server Sign on URL where you can initiate the login flow.

+* Go to GitHub Enterprise Server Sign-on URL directly and initiate the login flow from there.

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the GitHub Enterprise Server for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the GitHub Enterprise Server tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the GitHub Enterprise Server for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+* Once you configure GitHub Enterprise Server you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with S4 - Digitsec'

+description: Learn how to configure single sign-on between Azure Active Directory and S4 - Digitsec.

+# Tutorial: Azure AD SSO integration with S4 - Digitsec

+In this tutorial, you'll learn how to integrate S4 - Digitsec with Azure Active Directory (Azure AD). When you integrate S4 - Digitsec with Azure AD, you can:

+* Control in Azure AD who has access to S4 - Digitsec.

+* Enable your users to be automatically signed-in to S4 - Digitsec with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* S4 - Digitsec single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* S4 - Digitsec supports **SP and IDP** initiated SSO.

+* S4 - Digitsec supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add S4 - Digitsec from the gallery

+To configure the integration of S4 - Digitsec into Azure AD, you need to add S4 - Digitsec from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **S4 - Digitsec** in the search box.

+1. Select **S4 - Digitsec** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for S4 - Digitsec

+Configure and test Azure AD SSO with S4 - Digitsec using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in S4 - Digitsec.

+To configure and test Azure AD SSO with S4 - Digitsec, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure S4 - Digitsec SSO](#configure-s4digitsec-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create S4 - Digitsec test user](#create-s4digitsec-test-user)** - to have a counterpart of B.Simon in S4 - Digitsec that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **S4 - Digitsec** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+

+ In the **Sign-on URL** text box, type the URL:

+ `https://s4.digitsec.com`

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up S4 - Digitsec** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to S4 - Digitsec.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **S4 - Digitsec**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure S4 - Digitsec SSO

+To configure single sign-on on S4 - Digitsec side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [S4 - Digitsec support team](mailto:Support@digitsec.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create S4 - Digitsec test user

+In this section, a user called B.Simon is created in S4 - Digitsec. S4 - Digitsec supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in S4 - Digitsec, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to S4 - Digitsec Sign on URL where you can initiate the login flow.

+* Go to S4 - Digitsec Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the S4 - Digitsec for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the S4 - Digitsec tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the S4 - Digitsec for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure S4 - Digitsec you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Standard for Success K-12'

+description: Learn how to configure single sign-on between Azure Active Directory and Standard for Success K-12.

+# Tutorial: Azure AD SSO integration with Standard for Success K-12

+In this tutorial, you'll learn how to integrate Standard for Success K-12 with Azure Active Directory (Azure AD). When you integrate Standard for Success K-12 with Azure AD, you can:

+* Control in Azure AD who has access to Standard for Success K-12.

+* Enable your users to be automatically signed-in to Standard for Success K-12 with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Standard for Success K-12 single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Standard for Success K-12 supports **SP** and **IDP** initiated SSO.

+## Add Standard for Success K-12 from the gallery

+To configure the integration of Standard for Success K-12 into Azure AD, you need to add Standard for Success K-12 from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Standard for Success K-12** in the search box.

+1. Select **Standard for Success K-12** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Standard for Success K-12

+Configure and test Azure AD SSO with Standard for Success K-12 using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Standard for Success K-12.

+To configure and test Azure AD SSO with Standard for Success K-12, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Standard for Success K-12 SSO](#configure-standard-for-success-k-12-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Standard for Success K-12 test user](#create-standard-for-success-k-12-test-user)** - to have a counterpart of B.Simon in Standard for Success K-12 that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Standard for Success K-12** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a value using the following pattern:

+ `api://<ApplicationId>`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://edu.standardforsuccess.com/access/mssaml_consume?did=<INSTITUTION-ID>`

+1. Click **Set additional URLs** and perform the following steps if you wish to configure the application in SP initiated mode:

+ a. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://edu.standardforsuccess.com/access/mssaml_int?did=<INSTITUTION-ID>`

+ b. In the **Relay State** text box, type a URL using the following pattern:

+ `https://edu.standardforsuccess.com/access/mssaml_consume?did=<INSTITUTION-ID>`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL, Sign-on URL and Relay State. Contact [Standard for Success K-12 Client support team](mailto:help@standardforsuccess.com) to get the INSTITUTION-ID value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

+1. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.

+ 

+1. In the **SAML Signing Certificate** section, copy the **Thumbprint Value** and save it on your computer.

+ 

+1. On the **Set up Standard for Success K-12** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Standard for Success K-12.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Standard for Success K-12**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Standard for Success K-12 SSO

+1. Log in to your Standard for Success K-12 company site as an administrator with superuser access.

+1. From the menu, navigate to **Utilities** -> **Tools & Features**.

+1. Scroll down to **Single Sign On Settings** and click the **Microsoft Azure Single Sign On** link and perform the following steps:

+ 

+ a. Select **Enable Azure Single Sign On** checkbox.

+ b. In the **Login URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.

+ c. In the **Azure AD Identifier** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.

+

+ d. Fill the **Application ID** in the **Application ID** text box.

+ e. In the **Certificate Thumbprint** text box, paste the **Thumbprint Value** that you copied from the Azure portal.

+ f. Click **Save**.

+### Create Standard for Success K-12 test user

+1. In a different web browser window, log into your Standard for Success K-12 website as an administrator with superuser privileges.

+1. From the menu, navigate to **Utilites** -> **Accounts Manager**, then click **Create New User** and perform the following steps:

+ 

+ a. In **First Name** text box, enter the first name of the user.

+ b. In **Last Name** text box, enter the last name of the user.

+ c. In **Email** text box, enter the email address which you have added within Azure.

+ d. Scroll to the bottom and Click **Create User**.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Standard for Success K-12 Sign on URL where you can initiate the login flow.

+* Go to Standard for Success K-12 Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Standard for Success K-12 for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Standard for Success K-12 tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Standard for Success K-12 for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Standard for Success K-12 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with TVU Service'

+description: Learn how to configure single sign-on between Azure Active Directory and TVU Service.

+# Tutorial: Azure AD SSO integration with TVU Service

+In this tutorial, you'll learn how to integrate TVU Service with Azure Active Directory (Azure AD). When you integrate TVU Service with Azure AD, you can:

+* Control in Azure AD who has access to TVU Service.

+* Enable your users to be automatically signed-in to TVU Service with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* TVU Service single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* TVU Service supports **IDP** initiated SSO.

+## Add TVU Service from the gallery

+To configure the integration of TVU Service into Azure AD, you need to add TVU Service from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **TVU Service** in the search box.

+1. Select **TVU Service** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for TVU Service

+Configure and test Azure AD SSO with TVU Service using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TVU Service.

+To configure and test Azure AD SSO with TVU Service, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure TVU Service SSO](#configure-tvu-service-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create TVU Service test user](#create-tvu-service-test-user)** - to have a counterpart of B.Simon in TVU Service that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **TVU Service** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+

+ 

+1. On the **Basic SAML Configuration** section, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.

+1. TVU Service application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, TVU Service application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | surname | user.surname |

+ | firstName | user.givenname |

+ | lastName | user.surname |

+ | email | user.mail |

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TVU Service.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **TVU Service**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure TVU Service SSO

+To configure single sign-on on **TVU Service** side, you need to send the **App Federation Metadata Url** to [TVU Service support team](mailto:support@tvunetworks.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create TVU Service test user

+In this section, you create a user called Britta Simon in TVU Service. Work with [TVU Service support team](mailto:support@tvunetworks.com) to add the users in the TVU Service platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the TVU Service for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the TVU Service tile in the My Apps, you should be automatically signed in to the TVU Service for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure TVU Service you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+> [!NOTE]

+> Conditional Forwarding doesn't support subdomains.

+* WindowsAdminCenter (if [using Windows Admin Center to manage Arc-enabled servers](/windows-server/manage/windows-admin-center/azure/manage-arc-hybrid-machines))

+|`*servicebus.windows.net`|For Windows Admin Center and SSH scenarios|If using SSH or Windows Admin Center from Azure|Public|

+| <ul><li>[Python function using Visual Studio Code](./create-first-function-vs-code-python.md)</li><li>[Python function with terminal/command prompt](./create-first-function-cli-python.md)</li></ul> | <ul><li>[Developer guide](functions-reference.md)</li><li>[Hosting options](functions-scale.md)</li><li>[Performance&nbsp;considerations](functions-best-practices.md)</li></ul> | <ul><li>[Image classification with PyTorch](machine-learning-pytorch.md)</li><li>[Azure Automation sample](/samples/azure-samples/azure-functions-python-list-resource-groups/azure-functions-python-sample-list-resource-groups/)</li><li>[Machine learning with TensorFlow](functions-machine-learning-tensorflow.md)</li><li>[Browse Python samples](/samples/browse/?products=azure-functions&languages=python)</li></ul> |

+You can use WSGI and ASGI-compatible frameworks such as Flask and FastAPI with your HTTP-triggered Python functions. This section shows how to modify your functions to support these frameworks.

+To learn more about Azure Functions runtime support policy, refer to this [article](./language-support-policy.md)

+To see the full list of supported Python versions functions apps, refer to this [article](./supported-languages.md)

+|**[Premium plan]**|Automatically scales based on demand using pre-warmed workers, which run applications with no delay after being idle, runs on more powerful instances, and connects to virtual networks. <br/><br/>Consider the Azure Functions Premium plan in the following situations: <br/><br/>Γ£ö Your function apps run continuously, or nearly continuously.<br/>Γ£ö You have a high number of small executions and a high execution bill, but low GB seconds in the Consumption plan.<br/>Γ£ö You need more CPU or memory options than what is provided by the Consumption plan.<br/>Γ£ö Your code needs to run longer than the maximum execution time allowed on the Consumption plan.<br/>Γ£ö You require features that aren't available on the Consumption plan, such as virtual network connectivity.<br/>Γ£ö You want to provide a custom Linux image on which to run your functions. |

+¹ During scale-out, there's currently a limit of 500 instances per subscription per hour for Linux apps on a Consumption plan. <br/>

+| **[Premium plan]** | Premium plan is based on the number of core seconds and memory used across needed and pre-warmed instances. At least one instance per plan must always be kept warm. This plan provides the most predictable pricing. |

+In this article, you learn the high-level concepts surrounding functions triggers and bindings.

+Triggers cause a function to run. A trigger defines how a function is invoked and a function must have exactly one trigger. Triggers have associated data, which is often provided as the payload of the function.

+These examples aren't meant to be exhaustive, but are provided to illustrate how you can use triggers and bindings together.

+You create an alert rule by combining:

+ - The resource(s) to be monitored.

+ - The signal or telemetry from the resource

+ - Conditions

+And then defining these elements of the triggered alert:

+ - Alert processing rules

+ - Action groups

+ "retentionInDays": "[parameters('retentionInDays')]",

+ "ImmediatePurgeDataOn30Days": "[parameters('ImmediatePurgeDataOn30Days')]"

+* `<ExcludedTypes>type;type</ExcludedTypes>`

+* `<IncludedTypes>type;type</IncludedTypes>`

+# [Portal](#tab/portal-1)

+To configure a table for Basic Logs or Analytics Logs in the Azure portal:

+1. From the **Log Analytics workspaces** menu, select **Tables (preview)**.

+ The **Tables (preview)** screen lists all of the tables in the workspace.

+1. Select the context menu for the table you want to configure and select **Manage table**.

+ :::image type="content" source="media/basic-logs-configure/log-analytics-table-configuration.png" lightbox="media/basic-logs-configure/log-analytics-table-configuration.png" alt-text="Screenshot showing the Manage table button for one of the tables in a workspace.":::

+1. From the **Table plan** dropdown on the table configuration screen, select **Basic** or **Analytics**.

+ The **Table plan** dropdown is enabled only for [tables that support Basic Logs](#which-tables-support-basic-logs).

+ :::image type="content" source="media/basic-logs-configure/log-analytics-configure-table-plan.png" lightbox="media/basic-logs-configure/log-analytics-configure-table-plan.png" alt-text="Screenshot showing the Table plan dropdown on the table configuration screen.":::

+1. Select **Save**.

+# [Portal](#tab/portal-2)

+To check table configuration in the Azure portal, you can open the table configuration screen, as described in [Set table configuration](#set-table-configuration).

+Alternatively:

+ You can also hover over a table name for the table information view, which indicates whether the table is configured as Basic Logs:

+* Existing *saves searches* are removed from your workspace. Copy any *saves searches* that you need before this configuration. You can view your *saved-searches* using [PowerShell](/powershell/module/az.operationalinsights/get-azoperationalinsightssavedsearch).

+* Query 'history' and 'pin to dashboard' aren't supported when linking Storage Account for queries.

+You can set the workspace default retention policy in the Azure portal to 30, 31, 60, 90, 120, 180, 270, 365, 550, and 730 days. You can set a different policy for specific tables by [configuring retention and archive policy at the table level](#set-retention-and-archive-policy-by-table). If you're on the *free* tier, you'll need to upgrade to the paid tier to change the data retention period.

+By default, all tables in your workspace inherit the workspace's interactive retention setting and have no archive policy. You can modify the retention and archive policies of individual tables, except for workspaces in the legacy Free Trial pricing tier.

+# [Portal](#tab/portal-1)

+To set the retention and archive duration for a table in the Azure portal:

+1. From the **Log Analytics workspaces** menu, select **Tables (preview)**.

+ The **Tables (preview)** screen lists all of the tables in the workspace.

+1. Select the context menu for the table you want to configure and select **Manage table**.

+ :::image type="content" source="media/basic-logs-configure/log-analytics-table-configuration.png" lightbox="media/basic-logs-configure/log-analytics-table-configuration.png" alt-text="Screenshot showing the Manage table button for one of the tables in a workspace.":::

+1. Configure the retention and archive duration in **Data retention settings** section of the table configuration screen.

+ :::image type="content" source="media/data-retention-configure/log-analytics-configure-table-retention-archive.png" lightbox="media/data-retention-configure/log-analytics-configure-table-retention-archive.png" alt-text="Screenshot showing the data retention settings on the table configuration screen.":::

+> You don't explicitly specify the archive duration in the API call. Instead, you set the total retention, which is the sum of the interactive retention plus the archive duration.

+# [Portal](#tab/portal-2)

+To view the retention and archive duration for a table in the Azure portal, from the **Log Analytics workspaces** menu, select **Tables (preview)**.

+The **Tables (preview)** screen shows the interactive retention and archive period for all of the tables in the workspace.

+| [Azure Data Explorer insights](/azure/data-explorer/data-explorer-insights) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/adxClusterInsights) | Azure Data Explorer Insights provides comprehensive monitoring of your clusters by delivering a unified view of your cluster performance, operations, usage, and failures. |

+| summarize TimeGenerated=max(TimeGenerated) by Computer, _ResourceId

+- [Azure Data Explorer Insights](/azure/data-explorer/data-explorer-insights)

+## May (2205) Release

+- Operating System

+ - Latest security updates on BIND, Node.js, Cyrus SASL, libxml2, and OpenSSL packages.

+

+May Service Release (2205): [Azure-Percept-DK-1.0.20220511.1756-public_preview_1.0.zip](<https://download.microsoft.com/download/c/7/7/c7738a05-819c-48d9-8f30-e4bf64e19f11/Azure-Percept-DK-1.0.20220511.1756-public_preview_1.0.zip>)

+|May Service Release (2205)|[Azure-Percept-DK-1.0.20220511.1756-public_preview_1.0.zip](<https://download.microsoft.com/download/c/7/7/c7738a05-819c-48d9-8f30-e4bf64e19f11/Azure-Percept-DK-1.0.20220511.1756-public_preview_1.0.zip>)||

+Starting August 1st 2021, Azure Video Indexer enabled [Reserved Units](/azure/media-services/latest/concept-media-reserved-units)(MRUs) auto scaling by [Azure Media Services](/azure/media-services/latest/media-services-overview) (AMS), as a result you do not need to manage them through Azure Video Indexer. That will allow price optimization, e.g. price reduction in many cases, based on your business needs as it is being auto scaled.

+* An Azure Media Services (AMS) account. You can create one for free through the [Create AMS Account](/azure/media-services/latest/account-create-how-to).

+For a list of file formats that you can use with Azure Video Indexer, see [Standard Encoder formats and codecs](/azure/media-services/latest/encode-media-encoder-standard-formats-reference).

+The default setting is [content-aware encoding](/azure/media-services/latest/encode-content-aware-concept).

+Starting August 1st 2021, Azure Video Indexer enabled [Media Reserved Units (MRUs)](/azure/media-services/latest/concept-media-reserved-units) auto scaling by [Azure Media Services](/azure/media-services/latest/media-services-overview), as a result you do not need to manage them through Azure Video Indexer. That will allow price optimization, for example price reduction in many cases, based on your business needs as it is being auto scaled.

+* Use existing an Azure Media Services asset by providing the [asset ID](/azure/media-services/latest/assets-concept). This option is supported in paid accounts only.

+The default setting is [content-aware encoding](/azure/media-services/latest/encode-content-aware-concept).

+> [!TIP]

+> The produced JSON output contains `Insights` and `SummarizedInsights` elements. We highly recommend using `Insights` and not using `SummarizedInsights` (which is present for backward compatibility).

+> [!TIP]

+> The produced JSON output contains `Insights` and `SummarizedInsights` elements. We highly recommend using `Insights` and not using `SummarizedInsights` (which is present for backward compatibility).

+> [!NOTE]

+> The service is now rebranded from Azure Video Analyzer for Media to **Azure Video Indexer**. Click [here](https://vi.microsoft.com) to read more.

+- [Pricing](https://azure.microsoft.com/pricing/details/video-indexer/)

+This script demonstrates how to add an application for use with an Azure Batch pool or task. To set up an application to add to your Batch account, package your executable, together with any dependencies, into a zip file.

+## Sample script

+### Create batch account and new application

+### Create batch application package

+An application can reference multiple application executable packages of different versions. The executables and any dependencies need to be zipped up for the package. Once uploaded, the CLI attempts to activate the package so that it's ready for use.

+```azurecli

+az batch application package create \

+ --resource-group $resourceGroup \

+ --name $batchAccount \

+ --application-name "MyApplication" \

+ --package-file my-application-exe.zip \

+ --version-name 1.0

+```

+### Update the application

+Update the application to assign the newly added application package as the default version.

+```azurecli

+az batch application set \

+ --resource-group $resourceGroup \

+ --name $batchAccount \

+ --application-name "MyApplication" \

+ --default-version 1.0

+```

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+description: Learn how to create a Batch account in Batch service mode with this Azure CLI script example. This script also shows how to query or update various properties of the account.

+service. Allocated compute nodes are subject to a separate vCPU (core) quota and the account can be authenticated either via shared key credentials or an Azure Active Directory token.

+## Sample script

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+## Sample script

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+## Sample script

+### To create a Linux pool in Azure Batch

+### To reboot a batch node

+If a particular node in the pool is having issues, it can be rebooted or reimaged. The ID of the node can be retrieved with the list command above. A typical node ID is in the format `tvm-xxxxxxxxxx_1-<timestamp>`.

+```azurecli

+az batch node reboot \

+ --pool-id mypool-linux \

+ --node-id tvm-123_1-20170316t000000z

+```

+### To delete a batch node

+One or more compute nodes can be deleted from the pool, and any work already assigned to it can be re-allocated to another node.

+```azurecli

+az batch node delete \

+ --pool-id mypool-linux \

+ --node-list tvm-123_1-20170316t000000z tvm-123_2-20170316t000000z \

+ --node-deallocation-option requeue

+```

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+manage a pool of Windows compute nodes in Azure Batch. A Windows pool can be configured in two ways, with either a Cloud Services configuration or a Virtual Machine configuration. This example shows how to create a Windows pool with the Cloud Services configuration.

+## Sample script

+### Run the script

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+This script creates a Batch job and adds a series of tasks to the job. It also demonstrates how to monitor a job and its tasks.

+## Sample script

+### Create a Batch account in Batch service mode

+### To add many tasks at once

+To add many tasks at once, specify the tasks in a JSON file, and pass it to the command. For format, see https://github.com/Azure/azure-docs-cli-python-samples/blob/master/batch/run-job/tasks.json. Provide the absolute path to the JSON file. For an example JSON file, see https://github.com/Azure-Samples/azure-cli-samples/blob/master/batch/run-job/tasks.json.

+```azurecli

+az batch task create \

+ --job-id myjob \

+ --json-file tasks.json

+```

+### To update the job

+Update the job so that it is automatically marked as completed once all the tasks are finished.

+```azurecli

+az batch job set \

+--job-id myjob \

+--on-all-tasks-complete terminatejob

+```

+### To monitor the status of the job

+```azurecli

+az batch job show --job-id myjob

+```

+### To monitor the status of a task

+```azurecli

+az batch task show \

+ --job-id myjob \

+ --task-id task1

+```

+## Clean up resources

+```azurecli

+az group delete --name $resourceGroup

+## Sample reference

+ Title: What is Azure Chaos Studio (Preview)?

+description: Measure, understand, and build resilience to incidents by using chaos engineering to inject faults and monitor how your application responds.

+# What is Azure Chaos Studio (Preview)?

+[Azure Chaos Studio](https://azure.microsoft.com/services/chaos-studio) is a managed service that uses chaos engineering to help you measure, understand, and improve your cloud application and service resilience. Chaos engineering is a methodology by which you inject real-world faults into your application to run controlled fault injection experiments.

+Resilience is the capability of a system to handle and recover from disruptions. Application disruptions can cause errors and failures that can adversely affect your business or mission. Whether you're developing, migrating, or operating Azure applications, it's important to validate and improve your application's resilience.

+Chaos Studio helps you avoid negative consequences by validating that your application responds effectively to disruptions and failures. You can use Chaos Studio to test resilience against real-world incidents, like outages or high CPU utilization on virtual machines (VMs).

+The following video provides more background about Azure Chaos Studio:

+## Chaos Studio scenarios

+You can use chaos engineering for various resilience validation scenarios that span the service development and operations lifecycle. There are two types of scenarios:

+- *Shift right* scenarios use a production or pre-production environment. Usually, you do shift right scenarios with real customer traffic or simulated load.

+- *Shift left* scenarios can use a development or shared test environment. You can do shift left scenarios without any real customer traffic.

+You can use Chaos Studio for the following common chaos engineering scenarios:

+- Reproduce an incident that affected your application, to better understand the failure. Ensure that post-incident repairs prevent the incident from recurring.

+- Prepare for a major event or season with "game day" load, scale, performance, and resilience validation.

+- Do business continuity and disaster recovery (BCDR) drills to ensure that your application can recover quickly and preserve critical data in a disaster.

+- Run high availability (HA) drills to test application resilience against region outages, network configuration errors, high stress events, or noisy neighbor issues.

+- Develop application performance benchmarks.

+- Plan capacity needs for production environments.

+- Run stress tests or load tests.

+- Ensure that services migrated from an on-premises or other cloud environment remain resilient to known failures.

+- Build confidence in services built on cloud-native architectures.

+- Validate that live site tooling, observability data, and on-call processes still work in unexpected conditions.

+For many of these scenarios, you first build resilience using ad-hoc chaos experiments. Then, you continuously validate that new deployments won't regress resilience, by running chaos experiments as deployment gates in your continuous integration/continuous deployment (CI/CD) pipelines.

+## How Chaos Studio works

+With Chaos Studio, you can orchestrate safe, controlled fault injection on your Azure resources. Chaos experiments are the core of Chaos Studio. A chaos experiment describes the faults to run and the resources to run against. You can organize faults to run in parallel or sequence, depending on your needs.

+Chaos Studio supports two types of faults:

+- *Service-direct* faults run directly against an Azure resource, without any installation or instrumentation. Examples include rebooting an Azure Cache for Redis cluster, or adding network latency to Azure Kubernetes Service (AKS) pods.

+- *Agent-based* faults run in VMs or virtual machine scale sets to do in-guest failures. Examples include applying virtual memory pressure or killing a process.

+Each fault has specific parameters you can configure, like which process to kill or how much memory pressure to generate.

+When you build a chaos experiment, you define one or more *steps* that execute sequentially. Each step contains one or more *branches* that run in parallel within the step. Each branch contains one or more *actions*, such as injecting a fault or waiting for a certain duration.

+You organize resource *targets* to run faults against into groups called *selectors*, so you can easily reference a group of resources in each action.

+The following diagram shows the layout of a chaos experiment in Chaos Studio:

+A chaos experiment is an Azure resource in a subscription and resource group. You can use the Azure portal or the [Chaos Studio REST API](/rest/api/chaosstudio) to create, update, start, cancel, and view the status of experiments.

+description: Connect to SQL databases from workflows in Azure Logic Apps.

+# Connect to a SQL database from workflows in Azure Logic Apps

+This article shows how to access your SQL database from a workflow in Azure Logic Apps with the SQL Server connector. You can then create automated workflows that run when triggered by events in your SQL database or in other systems and run actions to manage your SQL data and resources.

+For example, your workflow can run actions that get, insert, and delete data or that can run SQL queries and stored procedures. Your workflow can check for new records in a non-SQL database, do some processing work, use the results to create new records in your SQL database, and send email alerts about the new records.

+If you're new to Azure Logic Apps, review the following get started documentation:

+* [What is Azure Logic Apps](../logic-apps/logic-apps-overview.md)

+* [Quickstart: Create your first logic app workflow](../logic-apps/quickstart-create-first-logic-app-workflow.md)

+## Supported SQL editions

+The SQL Server connector supports the following SQL editions:

+## Connector technical reference

+The SQL Server connector has different versions, based on [logic app type and host environment](../logic-apps/logic-apps-overview.md#resource-environment-differences).

+| Logic app | Environment | Connector version |

+|--|-|-|

+| **Consumption** | Multi-tenant Azure Logic Apps | [Managed connector - Standard class](managed.md). For more information, review the [SQL Server managed connector reference](/connectors/sql). |

+| **Consumption** | Integration service environment (ISE) | [Managed connector - Standard class](managed.md) and ISE version. For more information, review the [SQL Server managed connector reference](/connectors/sql). |

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | [Managed connector - Standard class](managed.md) and [built-in connector](built-in.md), which is [service provider based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). <br><br>The built-in version differs in the following ways: <br><br>- The built-in version has no triggers. <br><br>- The built-in version has a single **Execute Query** action. The action can directly connect to Azure virtual networks without the on-premises data gateway. <br><br>For the managed version, review the [SQL Server managed connector reference](/connectors/sql/). |

+||||

+ The SQL Server connector requires that your tables contain data so that the connector operations can return results when called. For example, if you use Azure SQL Database, you can use the included sample databases to try the SQL Server connector operations.

+* To connect to an on-premises SQL server, the following extra requirements apply, based on whether you have a Consumption or Standard logic app workflow.

+ You can use the SQL Server built-in connector, which requires a connection string. If you want to use the SQL Server managed connector, you need follow the same requirements as a Consumption logic app workflow in multi-tenant Azure Logic Apps.

+1. Find and select the [SQL Server managed connector trigger](/connectors/sql) that you want to use.

+ 1. On the designer, under the search box, select **All**.

+ 1. In the search box, enter **sql server**.

+ 

+1. If the designer prompts you for connection information, [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.

+1. When you're done, save your workflow.

+In Standard logic app workflows, only the SQL Server managed connector has triggers. The SQL Server built-in connector doesn't have any triggers.

+1. Find and select the [SQL Server managed connector trigger](/connectors/sql) that you want to use.

+ 1. On the designer, select **Choose an operation**.

+ 1. Under the **Choose an operation** search box, select **Azure**.

+ 1. In the search box, enter **sql server**.

+ 

+1. If the designer prompts you for connection information, [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.

+ This trigger returns only one row from the selected table, and nothing else. To perform other tasks, continue by adding either a [SQL Server connector action](#add-sql-action) or [another action](../connectors/apis-list.md) that performs the next task that you want in your logic app workflow.

+1. When you're done, save your workflow.

+Recurring connection-based triggers where you need to create a connection first, such as the SQL Server managed connector trigger, differ from built-in triggers that run natively in Azure Logic Apps, such as the [Recurrence trigger](../connectors/connectors-native-recurrence.md). For recurring connection-based triggers, the recurrence schedule isn't the only driver that controls execution, and the time zone only determines the initial start time. Subsequent runs depend on the recurrence schedule, the last trigger execution, *and* other factors that might cause run times to drift or produce unexpected behavior. For example, unexpected behavior can include failure to maintain the specified schedule when daylight saving time (DST) starts and ends.

+1. Find and select the [SQL Server managed connector action](/connectors/sql) that you want to use. This example continues with the action named **Get row**.

+ 1. Under the **Choose an operation** search box, select **All**.

+ 1. In the search box, enter **sql server**.

+1. If the designer prompts you for connection information, [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.

+ This action returns only one row from the selected table, and nothing else. To view the data in this row, add other actions. For example, such actions might create a file, include the fields from the returned row, and store the file in a cloud storage account. To learn about other available actions for this connector, see the [connector's reference page](/connectors/sql/).

+1. When you're done, save your workflow.

+ 1. Under the trigger or action where you want to add the SQL Server action, select the plus sign (**+**), and then select **Add an action**.

+ Or, to add an action between existing steps, select the plus sign (**+**) on the connecting arrow, and then select **Add an action**.

+ 1. Under the **Choose an operation** search box, select either of the following options:

+ * **Built-in** when you want to use SQL Server built-in actions such as **Execute Query**

+ * **Azure** when you want to use [SQL Server managed connector actions](/connectors/sql) such as **Get row**

+ 1. In the search box, enter **sql server**.

+1. If the designer prompts you for connection information, [create your SQL database connection now](#create-connection). After you create this connection, you can continue with the next step.

+ This action returns only one row from the selected table, and nothing else. To view the data in this row, add other actions. For example, such actions might create a file, include the fields from the returned row, and store the file in a cloud storage account. To learn about other available actions for this connector, see the [connector's reference page](/connectors/sql/).

+1. When you're done, save your workflow.

+When you add a [SQL Server trigger](#add-sql-trigger) or [SQL Server action](#add-sql-action) without a previously created and active database connection, complete the following steps:

+ | **Service principal (Azure AD application)** | - Available only for the SQL Server managed connector. <br><br>- Requires an Azure AD application and service principal. For more information, see [Create an Azure AD application and service principal that can access resources using the Azure portal](../active-directory/develop/howto-create-service-principal-portal.md). |

+ | **Logic Apps Managed Identity** | - Available only for the SQL Server managed connector and ISE-versioned connector. <br><br>- Requires the following items: <br><br> A valid managed identity that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. <br><br> **SQL DB Contributor** role access to the SQL Server resource <br><br> **Contributor** access to the resource group that includes the SQL Server resource. <br><br>For more information, see [SQL - Server-Level Roles](/sql/relational-databases/security/authentication-access/server-level-roles). |

+ | [**Azure AD Integrated**](/azure/azure-sql/database/authentication-aad-overview) | - Available only for the SQL Server managed connector and ISE-versioned connector. <br><br>- Requires a valid managed identity in Azure Active Directory (Azure AD) that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. For more information, see these topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) <br>- [Azure SQL - Azure AD Integrated authentication](/azure/azure-sql/database/authentication-aad-overview) |

+ | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Available only for the SQL Server managed connector and ISE-versioned connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server database. For more information, see the following topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) |

+When you add a [SQL Server trigger](#add-sql-trigger) or [SQL Server action](#add-sql-action) without a previously created and active database connection, complete the following steps:

+ | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Available only for the SQL Server managed connector and ISE-versioned connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server. <br><br>For more information, see [SQL Server Authentication](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication). |

+ | [**Windows Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-windows-authentication) | - Available only for the SQL Server managed connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid Windows user name and password to confirm your identity through your Windows account. <br><br>For more information, see [Windows Authentication](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-windows-authentication). |

+Sometimes, you work with result sets so large that the connector doesn't return all the results at the same time. Or, you want better control over the size and structure for your result sets. The following list includes some ways that you can handle such large result sets:

+* Create a [*stored procedure*](/sql/relational-databases/stored-procedures/stored-procedures-database-engine) that organizes the results the way that you want. The SQL Server connector provides many backend features that you can access by using Azure Logic Apps so that you can more easily automate business tasks that work with SQL database tables.

+ >

+ > The SQL Server connector has a stored procedure timeout limit that's [less than 2 minutes](/connectors/sql/#known-issues-and-limitations).

+ > [Handle long-running stored procedure timeouts in the SQL Server connector for Azure Logic Apps](../logic-apps/handle-long-running-stored-procedures-sql-connector.md).

+1. In the designer, under the action where you call the stored procedure, add a new action.

+ >

+ > If you get an error that Azure Logic Apps can't generate a schema,

+ > check that your sample output's syntax is correctly formatted.

+ > If you still can't generate the schema, in the **Schema** box,

+ > manually enter the schema.

+1. When you're done, save your workflow.

+Connection problems can commonly happen, so to troubleshoot and resolve these kinds of issues, review [Solving connectivity errors to SQL Server](https://support.microsoft.com/help/4009936/solving-connectivity-errors-to-sql-server). The following list provides some examples:

+ > If you use the **Day**, **Week**, or **Month** frequency, and you specify a future date and time, make sure that you set up the recurrence in advance:

+ > * **Month**: Set up the monthly recurrence at least one month in advance.

+ >

+Users can also work with trial subscription, which supports monitoring a limited number of devices for 30 days. See [Microsoft Defender for IoT pricing](https://azure.microsoft.com/pricing/details/iot-defender/) information on committed device prices.

+Defender for IoT APIs is governed by [Microsoft API License and Terms of use](/legal/microsoft-apis/terms-of-use).

+This API is supported for maintenance purposes only and is not meant to be used instead of [alert exclusion rules](/azure/defender-for-iot/organizations/how-to-work-with-alerts-on-premises-management-console#create-alert-exclusion-rules). Use this API for one-time maintenance operations only.

+- **ttl**: Required. Defines the TTL (time to live), which is the duration of the maintenance window in minutes. After the period of time that this parameter defines, the system automatically starts sending alerts.

+After installing the software for your sensor or on-premises management console, you'll want to perform the [Post-installation validation](how-to-install-software.md#post-installation-validation).

+ Enter the complete URL that you would like to run the test for. For example, `https://www.example.com/login`.

+> [Identify performance bottlenecks](./tutorial-identify-bottlenecks-azure-portal.md)

+ Title: About schedules for recurring triggers in workflows

+description: An overview about schedules for recurring workflows in Azure Logic Apps.

+ > If you use the **Day**, **Week**, or **Month** frequency, and you specify a future date and time, make sure that you set up the recurrence in advance:

+ >

+ > * **Month**: Set up the monthly recurrence at least one month in advance.

+ >

+ > factors such as latency during storage calls. To make sure that your workflow doesn't miss a recurrence, especially when

+| Start time now or in the future | Runs the first workload at the specified start time. <p><p>**Recurrence** trigger: Runs future workloads based on the last run time. <p><p>**Sliding Window** trigger: Runs future workloads based on the specified start time. | Runs the first workload *no sooner* than the start time, based on the schedule calculated from the start time. <p><p>Runs future workloads based on the specified schedule. If you use the **Day**, **Week**, or **Month** frequency, and you specify a future date and time, make sure that you set up the recurrence in advance: <p>- **Day**: Set up the daily recurrence at least 24 hours in advance. <p>- **Week**: Set up the weekly recurrence at least 7 days in advance. <p>- **Month**: Set up the monthly recurrence at least one month in advance. <p>Otherwise, the workflow might skip the first recurrence. <p>**Note:** If you specify a recurrence with a schedule, but don't specify hours or minutes for the schedule, Azure Logic Apps calculates future run times by using the hours or minutes, respectively, from the first run time. |

+In this article, you'll use the Azure portal to create a Flexible Server with public access connectivity method. Alternatively, refer to the respective quickstarts to create a Flexible Server using [Azure CLI](./quickstart-create-server-cli.md), [ARM template](./quickstart-create-arm-template.md), [Terraform](./quickstart-create-terraform.md), or [within a VNET](./quickstart-create-connect-server-vnet.md).

+Create a flexible server with the `az mysql flexible-server create` command. A server can contain multiple databases. The following command creates a server using service defaults and values from your Azure CLI's local context:

+ Title: 'Quickstart: Use Terraform to create an Azure Database for MySQL - Flexible Server'

+description: Learn how to deploy a database for Azure Database for MySQL Flexible Server using Terraform

+# Quickstart: Use Terraform to create an Azure Database for MySQL - Flexible Server

+Article tested with the following Terraform and Terraform provider versions:

+- [Terraform v1.2.1](https://releases.hashicorp.com/terraform/)

+- [AzureRM Provider v.2.99.0](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)

+In this article, you learn how to deploy an Azure MySQL Flexible Server Database in a virtual network (VNet) using Terraform.

+> [!div class="checklist"]

+> * Create an Azure resource group using [azurerm_resource_group](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group)

+> * Create an Azure VNet using [azurerm_virtual_network](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network)

+> * Create an Azure subnet using [azurerm_subnet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet)

+> * Define a private DNS zone within an Azure DNS using [azurerm_private_dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone)

+> * Define a private DNS zone VNet link using using [azurerm_private_dns_zone_virtual_network_link](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link)

+> * Deploy Flexible Server using [azurerm_mysql_flexible_server](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server)

+> * Deploy a database using [azurerm_mysql_flexible_database](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_database)

+> [!NOTE]

+> The example code in this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/201-mysql-fs-db).

+## Prerequisites

+- [!INCLUDE [flexible-server-free-trial-note](../includes/flexible-server-free-trial-note.md)]

+- [Install and configure Terraform](/azure/developer/terraform/quickstart-configure)

+## Implement the Terraform code

+1. Create a directory in which to test the sample Terraform code and make it the current directory.

+1. Create a file named `providers.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/providers.tf)]

+1. Create a file named `main.tf` and insert the following code:

+ [!code-terraform[master](../../../terraform_samples/quickstart/201-mysql-fs-db/main.tf)]

+1. Create a file named `mysql-fs-db.tf` and insert the following code:

+ [!code-terraform[master](../../../terraform_samples/quickstart/201-mysql-fs-db/mysql-fs-db.tf)]

+1. Create a file named `variables.tf` and insert the following code:

+ [!code-terraform[master](../../../terraform_samples/quickstart/201-mysql-fs-db/variables.tf)]

+1. Create a file named `output.tf` and insert the following code:

+ [!code-terraform[master](../../../terraform_samples/quickstart/201-mysql-fs-db/output.tf)]

+## Initialize Terraform

+## Create a Terraform execution plan

+## Apply a Terraform execution plan

+## Verify the results

+#### [Azure CLI](#tab/azure-cli)

+Run [az mysql flexible-server db show](/cli/azure/mysql/flexible-server/db#az-mysql-flexible-server-db-show) to display the Azure MySQL database.

+```azurecli

+az mysql flexible-server db show \

+ --resource-group <resource_group_name> \

+ --server-name <azurerm_mysql_flexible_server> \

+ --database-name <mysql_flexible_server_database_name>

+```

+**Key points:**

+- The values for the `<resource_group_name>`, `<azurerm_mysql_flexible_server>`, and `<mysql_flexible_server_database_name>` are displayed in the `terraform apply` output. You can also run the [terraform output](https://www.terraform.io/cli/commands/output) command to view these output values.

+#### [Azure PowerShell](#tab/azure-powershell)

+Run [Get-AzMySqlFlexibleServerDatabase](/powershell/module/az.mysql/get-azmysqlflexibleserverdatabase) to display the Azure MySQL database.

+```azurepowershell

+Get-AzMySqlFlexibleServerDatabase `

+ -ResourceGroupName <resource_group_name> `

+ -ServerName <azurerm_mysql_flexible_server> `

+ -Name <mysql_flexible_server_database_name>

+```

+**Key points:**

+- The values for the `<resource_group_name>`, `<azurerm_mysql_flexible_server>`, and `<mysql_flexible_server_database_name>` are displayed in the `terraform apply` output. You can also run the [terraform output](https://www.terraform.io/cli/commands/output) command to view these output values.

+## Clean up resources

+## Troubleshoot Terraform on Azure

+[Troubleshoot common problems when using Terraform on Azure](/azure/developer/terraform/troubleshoot)

+## Next steps

+> [!div class="nextstepaction"]

+> [Connect Azure Database for MySQL Flexible Server with private access](/azure/mysql/flexible-server/quickstart-create-connect-server-vnet)

+ Title: 'Quickstart: Upgrade Quickstart HoloLens app to Unity 2020'

+description: In this quickstart, you learn how to upgrade a Unity HoloLens app that uses Azure Object Anchors from Unity 2019 to Unity 2020.

+- mode-other

+- kr2b-contr-experiment

+In this quickstart, you upgrade a Unity HoloLens app that uses [Azure Object Anchors](../overview.md) from Unity 2019 to Unity 2020. Azure Object Anchors is a managed cloud service that converts 3D assets into AI models that enable object-aware mixed reality experiences for the HoloLens. When you finish, you'll have a HoloLens app built with Unity that can detect objects in the physical world.

+* All prerequisites from either the [Unity HoloLens](get-started-unity-hololens.md) or the [Unity HoloLens with MRTK](get-started-unity-hololens-mrtk.md) quickstarts

+1. Open Unity Hub. Select **Add** and pick either the `quickstarts/apps/unity/basic` or the `quickstarts/apps/unity/mrtk` project.

+1. Under the **Unity Version** column, select the version of Unity 2020 in the dropdown that you've installed on your computer.

+1. Under the **Target Platform** column, select **Universal Windows Platform**.

+1. Select the **Project Name** column and open the sample in Unity.

+ :::image type="content" source="./media/upgrade-unity-2020.png" alt-text="Screenshot shows a Unity page with Unity Version, Target Platform and ADD highlighted.":::

+ You'll see a dialog asking for confirmation to upgrade your project. Select the **Confirm** button.

+ :::image type="content" source="./media/confirm-unity-upgrade.png" alt-text="Screenshot shows a dialog confirming the upgrade with Confirm selected.":::

+Once the upgrade process completes, **Unity Editor** opens.

+1. Follow the <a href="/windows/mixed-reality/develop/unity/welcome-to-mr-feature-tool" target="_blank">Mixed Reality Feature Tool</a> documentation to set up the tool and learn how to use it.

+1. Under **Platform Support**, install the **Mixed Reality OpenXR Plugin** feature package, version 1.0.0 or newer, into the Unity project folder.

+1. If you're working with the `quickstarts/apps/unity/mrtk` project, also open the **Mixed Reality Toolkit** section, locate the **Mixed Reality Toolkit Foundation** and **Mixed Reality Toolkit Tools** feature packages, and upgrade them to version 2.7.0 or newer.

+1. Go back to your **Unity Editor**. It might take a few minutes, while the **Mixed Reality Feature Tool** feature packages are installed.

+ You'll see a dialog asking for confirmation to enable the new input system. Select **Yes**.

+ :::image type="content" source="./media/new-input-system.png" alt-text="Screenshot shows a dialog that contains a warning with the Yes button highlighted.":::

+ If you get a dialog asking you to overwrite MRTK shaders, select **Yes**.

+ :::image type="content" source="./media/mrtk-shaders.png" alt-text="Screenshot shows the Mixed Reality Toolkit Standard Assets dialog.":::

+Once the install process completes, Unity restarts automatically.

+Back in **Unity Editor**, follow the <a href="/windows/mixed-reality/develop/unity/new-openxr-project-with-mrtk#configure-openxr-settings" target="_blank">Configuring XR Plugin Management for OpenXR</a> documentation to set up the **XR Plugin Management** in your **Project Settings**. Then, follow the <a href="/windows/mixed-reality/develop/unity/new-openxr-project-with-mrtk#optimization" target="_blank">Optimization</a> documentation to apply the recommended project settings for HoloLens 2.

+If you're working with the `quickstarts/apps/unity/mrtk` project, follow the steps below to adjust MRTK. Otherwise, skip to [Build, deploy, and run the app](#build-deploy-and-run-the-app).

+1. In **Unity Editor**, navigate to `Assets/MixedReality.AzureObjectAnchors/Scenes`, and open **AOASampleScene**. Under the **Hierarchy** pane, select **MixedRealityToolkit**.

+ :::image type="content" source="./media/open-sample-scene.png" alt-text="Screenshot shows the Unity Editor with the MixedRealityToolkit highlighted.":::

+1. Under the **Inspector** pane, select **Camera**, and change the profile from **ObsoleteXRSDKCameraProfile** to **DefaultMixedRealityCameraProfile**.

+ :::image type="content" source="./media/update-camera-profile.png" alt-text="Screenshot shows the Unity Editor with Camera and DefaultMixedRealityCameraProfile highlighted.":::

+1. Still in the **Inspector** pane, select **Input**, and expand the **Input Data Providers** dropdown list. Follow the <a href="/windows/mixed-reality/mrtk-unity/configuration/getting-started-with-mrtk-and-xrsdk#configuring-mrtk-for-the-xr-sdk-pipeline" target="_blank">Configuring MRTK for the XR SDK pipeline</a> documentation to set up the proper input data providers: **OpenXRDeviceManager** and **WindowsMixedRealityDeviceManager**.

+ :::image type="content" source="./media/update-input-profile.png" alt-text="Screenshot shows the Unity Editor with Input and Input Data Providers highlighted.":::

+*Managed identities for Azure resources* are free with Azure AD for Azure subscriptions. There's no extra cost.

+Managed identities for Azure are based upon several key concepts:

+- **Client ID** - a unique identifier generated by Azure AD that is tied to an application and service principal during its initial provisioning (also see [Application (client) ID](../active-directory/develop/developer-glossary.md#application-client-id).)

+- **Principal ID** - the object ID of the service principal object for your managed identity that is used to grant role-based access to an Azure resource.

+- **Service Principal** - an Azure Active Directory object, which represents the projection of an Azure AD application in a given tenant (also see [service principal](../active-directory/develop/developer-glossary.md#service-principal-object).)

+Managed identities for Service Fabric are only supported in Azure-deployed Service Fabric clusters, and only for applications deployed as Azure resources. An application not deployed as an Azure resource can't be assigned an identity. Conceptually speaking, support for managed identities in an Azure Service Fabric cluster consists of two phases:

+The system-assigned identity of an application is unique to that application; a user-assigned identity is a standalone resource, which may be assigned to multiple applications. Within an application, a single identity (whether system-assigned or user-assigned) can be assigned to multiple services of the application, but each individual service can only be assigned one identity. Lastly, a service must be assigned an identity explicitly to have access to this feature. In effect, the mapping of an application's identities to its constituent services allows for in-application isolationΓÇöa service may only use the identity mapped to it.

+The following scenarios are supported for this feature:

+The following scenarios are unsupported or not recommended. These actions may not be blocked, but can lead to outages in your applications:

+- Removing or changing the identities assigned to an application. If you need to make changes, submit separate deployments to first add a new identity assignment, and then to remove a previously assigned one. Removal of an identity from an existing application can have undesirable effects, including leaving your application in a non-upgradeable state. It's safe to delete the application altogether if the removal of an identity is necessary. Deleting the application deletes any system-assigned identity associated with the application and removes all associations with any user-assigned identities assigned to the application.

+- Service Fabric doesn't support managed identities in the deprecated [AzureServiceTokenProvider](/dotnet/api/overview/azure/service-to-service-authentication). Instead, use managed identities in Service Fabric by using the [Azure Identity SDK](./how-to-managed-identity-service-fabric-app-code.md)

+- [Use the managed identity of a Service Fabric application from service code](./how-to-managed-identity-service-fabric-app-code.md)

+ Title: Enable data contract serialization for remoting exceptions in Service Fabric

+description: Enable data contract serialization for remoting exceptions in Azure Service Fabric.

+# Remoting exception serialization overview

+BinaryFormatter-based serialization isn't secure, so don't use BinaryFormatter for data processing. For more information on the security implications, see [Deserialization risks in the use of BinaryFormatter and related types](/dotnet/standard/serialization/binaryformatter-security-guide).

+Azure Service Fabric used BinaryFormatter for serializing exceptions. Starting with ServiceFabric v9.0, [data contract-based serialization](/dotnet/api/system.runtime.serialization.datacontractserializer?view=net-6.0) for remoting exceptions is available as an opt-in feature. We recommend that you opt for DataContract remoting exception serialization by following the steps in this article.

+Support for BinaryFormatter-based remoting exception serialization will be deprecated in the future.

+## Enable data contract serialization for remoting exceptions

+>Data contract serialization for remoting exceptions is only available for remoting V2/V2_1 services.

+To enable data contract serialization for remoting exceptions:

+1. Enable DataContract remoting exception serialization on the **Service** side by using `FabricTransportRemotingListenerSettings.ExceptionSerializationTechnique` while you create the remoting listener.

+ - StatelessService

+ ```csharp

+ protected override IEnumerable<ServiceInstanceListener> CreateServiceInstanceListeners()

+ return new[]

+ {

+ new ServiceInstanceListener(serviceContext =>

+ new FabricTransportServiceRemotingListener(

+ serviceContext,

+ this,

+ new FabricTransportRemotingListenerSettings

+ {

+ ExceptionSerializationTechnique = FabricTransportRemotingListenerSettings.ExceptionSerialization.Default,

+ }),

+ "ServiceEndpointV2")

+ };

+ }

+ ```

+ - StatefulService

+ ```csharp

+ protected override IEnumerable<ServiceReplicaListener> CreateServiceReplicaListeners()

+ return new[]

+ {

+ new ServiceReplicaListener(serviceContext =>

+ new FabricTransportServiceRemotingListener(

+ serviceContext,

+ this,

+ new FabricTransportRemotingListenerSettings

+ {

+ ExceptionSerializationTechnique = FabricTransportRemotingListenerSettings.ExceptionSerialization.Default,

+ }),

+ "ServiceEndpointV2")

+ };

+ }

+ ```

+ - ActorService

+To enable DataContract remoting exception serialization on the actor service, override `CreateServiceReplicaListeners()` by extending `ActorService`.

+ ```csharp

+ protected override IEnumerable<ServiceReplicaListener> CreateServiceReplicaListeners()

+ return new List<ServiceReplicaListener>

+ {

+ new ServiceReplicaListener(_ =>

+ {

+ return new FabricTransportActorServiceRemotingListener(

+ this,

+ new FabricTransportRemotingListenerSettings

+ {

+ ExceptionSerializationTechnique = FabricTransportRemotingListenerSettings.ExceptionSerialization.Default,

+ });

+ },

+ "MyActorServiceEndpointV2")

+ };

+ }

+ ```

+ If the original exception has multiple levels of inner exceptions, you can control the number of levels of inner exceptions to be serialized by setting `FabricTransportRemotingListenerSettings.RemotingExceptionDepth`.

+1. Enable DataContract remoting exception serialization on the **Client** by using `FabricTransportRemotingSettings.ExceptionDeserializationTechnique` while you create the client factory.

+ - ServiceProxyFactory creation

+ ```csharp

+ var serviceProxyFactory = new ServiceProxyFactory(

+ (callbackClient) =>

+ {

+ return new FabricTransportServiceRemotingClientFactory(

+ new FabricTransportRemotingSettings

+ {

+ ExceptionDeserializationTechnique = FabricTransportRemotingSettings.ExceptionDeserialization.Default,

+ },

+ callbackClient);

+ });

+ ```

+ - ActorProxyFactory

+ ```csharp

+ var actorProxyFactory = new ActorProxyFactory(

+ (callbackClient) =>

+ return new FabricTransportActorRemotingClientFactory(

+ new FabricTransportRemotingSettings

+ ExceptionDeserializationTechnique = FabricTransportRemotingSettings.ExceptionDeserialization.Default,

+ },

+ callbackClient);

+ });

+ ```

+1. DataContract remoting exception serialization converts an exception to the data transfer object (DTO) on the service side. The DTO is converted back to an exception on the client side. Users need to register `ExceptionConvertor` to convert the desired exceptions to DTO objects and vice versa.

+ The framework implements convertors for the following list of exceptions. If user service code depends on exceptions outside the following list for retry implementation and exception handling, users need to implement and register convertors for such exceptions.

+ * All Service Fabric exceptions derived from `System.Fabric.FabricException`

+ * SystemExceptions derived from `System.SystemException`

+ * System.AccessViolationException

+ * System.AppDomainUnloadedException

+ * System.ArgumentException

+ * System.ArithmeticException

+ * System.ArrayTypeMismatchException

+ * System.BadImageFormatException

+ * System.CannotUnloadAppDomainException

+ * System.Collections.Generic.KeyNotFoundException

+ * System.ContextMarshalException

+ * System.DataMisalignedException

+ * System.ExecutionEngineException

+ * System.FormatException

+ * System.IndexOutOfRangeException

+ * System.InsufficientExecutionStackException

+ * System.InvalidCastException

+ * System.InvalidOperationException

+ * System.InvalidProgramException

+ * System.IO.InternalBufferOverflowException

+ * System.IO.InvalidDataException

+ * System.IO.IOException

+ * System.MemberAccessException

+ * System.MulticastNotSupportedException

+ * System.NotImplementedException

+ * System.NotSupportedException

+ * System.NullReferenceException

+ * System.OperationCanceledException

+ * System.OutOfMemoryException

+ * System.RankException

+ * System.Reflection.AmbiguousMatchException

+ * System.Reflection.ReflectionTypeLoadException

+ * System.Resources.MissingManifestResourceException

+ * System.Resources.MissingSatelliteAssemblyException

+ * System.Runtime.InteropServices.ExternalException

+ * System.Runtime.InteropServices.InvalidComObjectException

+ * System.Runtime.InteropServices.InvalidOleVariantTypeException

+ * System.Runtime.InteropServices.MarshalDirectiveException

+ * System.Runtime.InteropServices.SafeArrayRankMismatchException

+ * System.Runtime.InteropServices.SafeArrayTypeMismatchException

+ * System.Runtime.Serialization.SerializationException

+ * System.StackOverflowException

+ * System.Threading.AbandonedMutexException

+ * System.Threading.SemaphoreFullException

+ * System.Threading.SynchronizationLockException

+ * System.Threading.ThreadInterruptedException

+ * System.Threading.ThreadStateException

+ * System.TimeoutException

+ * System.TypeInitializationException

+ * System.TypeLoadException

+ * System.TypeUnloadedException

+ * System.UnauthorizedAccessException

+ * System.ArgumentNullException

+ * System.IO.FileNotFoundException

+ * System.IO.DirectoryNotFoundException

+ * System.ObjectDisposedException

+ * System.AggregateException

+## Sample implementation of a service-side convertor for a custom exception

+The following example is reference `IExceptionConvertor` implementation on the **Service** and **Client** side for a well-known exception type, `CustomException`.

+- CustomException

+

+ ```csharp

+ class CustomException : Exception

+ {

+ public CustomException(string message, string field1, string field2)

+ : base(message)

+ {

+ this.Field1 = field1;

+ this.Field2 = field2;

+

+ public CustomException(string message, Exception innerEx, string field1, string field2)

+ : base(message, innerEx)

+ {

+ this.Field1 = field1;

+ this.Field2 = field2;

+ }

+

+ public string Field1 { get; set; }

+

+ public string Field2 { get; set; }

+ ```

+- `IExceptionConvertor` implementation on the **Service** side:

+ ```csharp

+ class CustomConvertorService : Microsoft.ServiceFabric.Services.Remoting.V2.Runtime.IExceptionConvertor

+ public Exception[] GetInnerExceptions(Exception originalException)

+ {

+ return originalException.InnerException == null ? null : new Exception[] { originalException.InnerException };

+ }

+

+ public bool TryConvertToServiceException(Exception originalException, out ServiceException serviceException)

+ {

+ serviceException = null;

+ if (originalException is CustomException customEx)

+ {

+ serviceException = new ServiceException(customEx.GetType().FullName, customEx.Message);

+ serviceException.ActualExceptionStackTrace = originalException.StackTrace;

+ serviceException.ActualExceptionData = new Dictionary<string, string>()

+ {

+ { "Field1", customEx.Field1 },

+ { "Field2", customEx.Field2 },

+ };

+

+ return true;

+ }

+

+ return false;

+ }

+ ```

+The actual exception observed during the execution of the remoting call is passed as input to `TryConvertToServiceException`. If the type of the exception is a well-known one, `TryConvertToServiceException` should convert the original exception to `ServiceException`

+ and return it as an out parameter. A true value should be returned if the original exception type is a well-known one and the original exception is successfully converted to `ServiceException`. Otherwise, the value is false.

+ A list of inner exceptions at the current level should be returned by `GetInnerExceptions()`.

+- `IExceptionConvertor` implementation on the **Client** side:

+ ```csharp

+ class CustomConvertorClient : Microsoft.ServiceFabric.Services.Remoting.V2.Client.IExceptionConvertor

+ public bool TryConvertFromServiceException(ServiceException serviceException, out Exception actualException)

+ {

+ return this.TryConvertFromServiceException(serviceException, (Exception)null, out actualException);

+ }

+

+ public bool TryConvertFromServiceException(ServiceException serviceException, Exception innerException, out Exception actualException)

+ {

+ actualException = null;

+ if (serviceException.ActualExceptionType == typeof(CustomException).FullName)

+ {

+ actualException = new CustomException(

+ serviceException.Message,

+ innerException,

+ serviceException.ActualExceptionData["Field1"],

+ serviceException.ActualExceptionData["Field2"]);

+

+ return true;

+ }

+

+ return false;

+ }

+

+ public bool TryConvertFromServiceException(ServiceException serviceException, Exception[] innerExceptions, out Exception actualException)

+ {

+ throw new NotImplementedException();

+ }

+ ```

+`ServiceException` is passed as a parameter to `TryConvertFromServiceException` along with converted `innerException[s]`. If the actual exception type, `ServiceException.ActualExceptionType`, is a known one, the convertor should create an actual exception object from `ServiceException` and `innerException[s]`.

+- `IExceptionConvertor` registration on the **Service** side:

+ To register convertors, `CreateServiceInstanceListeners` must be overridden and the list of `IExceptionConvertor` classes must be passed while you create the `RemotingListener` instance.

+ - *StatelessService*

+ ```csharp

+ protected override IEnumerable<ServiceInstanceListener> CreateServiceInstanceListeners()

+ {

+ return new[]

+ {

+ new ServiceInstanceListener(serviceContext =>

+ new FabricTransportServiceRemotingListener(

+ serviceContext,

+ this,

+ new FabricTransportRemotingListenerSettings

+ {

+ ExceptionSerializationTechnique = FabricTransportRemotingListenerSettings.ExceptionSerialization.Default,

+ },

+ exceptionConvertors: new[]

+ {

+ new CustomConvertorService(),

+ }),

+ "ServiceEndpointV2")

+ };

+ }

+ ```

+ ```csharp

+ protected override IEnumerable<ServiceReplicaListener> CreateServiceReplicaListeners()

+ return new[]

+ {

+ new ServiceReplicaListener(serviceContext =>

+ new FabricTransportServiceRemotingListener(

+ serviceContext,

+ this,

+ new FabricTransportRemotingListenerSettings

+ {

+ ExceptionSerializationTechnique = FabricTransportRemotingListenerSettings.ExceptionSerialization.Default,

+ },

+ exceptionConvertors: new []

+ {

+ new CustomConvertorService(),

+ }),

+ "ServiceEndpointV2")

+ };

+ }

+ ```

+

+ ```csharp

+ protected override IEnumerable<ServiceReplicaListener> CreateServiceReplicaListeners()

+ return new List<ServiceReplicaListener>

+ new ServiceReplicaListener(_ =>

+ {

+ return new FabricTransportActorServiceRemotingListener(

+ this,

+ new FabricTransportRemotingListenerSettings

+ {

+ ExceptionSerializationTechnique = FabricTransportRemotingListenerSettings.ExceptionSerialization.Default,

+ },

+ exceptionConvertors: new[]

+ {

+ new CustomConvertorService(),

+ });

+ },

+ "MyActorServiceEndpointV2")

+ };

+ }

+ ```

+- `IExceptionConvertor` registration on the **Client** side:

+ To register convertors, the list of `IExceptionConvertor` classes must be passed while you create the `ClientFactory` instance.

+ ```csharp

+ var serviceProxyFactory = new ServiceProxyFactory(

+ (callbackClient) =>

+ {

+ return new FabricTransportServiceRemotingClientFactory(

+ new FabricTransportRemotingSettings

+ {

+ ExceptionDeserializationTechnique = FabricTransportRemotingSettings.ExceptionDeserialization.Default,

+ },

+ callbackClient,

+ exceptionConvertors: new[]

+ {

+ new CustomConvertorClient(),

+ });

+ });

+ ```

+ ```csharp

+ var actorProxyFactory = new ActorProxyFactory(

+ (callbackClient) =>

+ {

+ return new FabricTransportActorRemotingClientFactory(

+ new FabricTransportRemotingSettings

+ {

+ ExceptionDeserializationTechnique = FabricTransportRemotingSettings.ExceptionDeserialization.Default,

+ },

+ callbackClient,

+ exceptionConvertors: new[]

+ {

+ new CustomConvertorClient(),

+ });

+ });

+ ```

+>If the framework finds the convertor for the exception, the converted (actual) exception is wrapped inside `AggregateException` and is thrown at the remoting API (proxy). If the framework fails to find the convertor, then `ServiceException`, which contains all the details of the actual exception, is wrapped inside `AggregateException` and is thrown.

+### Upgrade an existing service to enable data contract serialization for remoting exceptions

+Existing services must follow the following order (*Service first*) to upgrade. Failure to follow this order could result in misbehavior in retry logic and exception handling.

+1. Implement the **Service** side `ExceptionConvertor` classes for the desired exceptions, if any. Update the remoting listener registration logic with `ExceptionSerializationTechnique` and the list of `IExceptionConvertor`classes. Upgrade the existing service to apply the exception serialization changes.

+1. Implement the **Client** side `ExceptionConvertor` classes for the desired exceptions, if any. Update the ProxyFactory creation logic with `ExceptionSerializationTechnique` and the list of `IExceptionConvertor` classes. Upgrade the existing client to apply the exception serialization changes.

+ Install-Module PowerShellGet -Repository PSGallery -Force

+ :::image type="content" source="media/storage-account-create/menu-expand-sml.png" alt-text="Image of the Azure Portal homepage showing the location of the Menu button near the top left corner of the browser." lightbox="media/storage-account-create/menu-expand-lrg.png":::

+ :::image type="content" source="media/storage-account-create/create-button-sml.png" alt-text="Image showing the location of the create button within the Azure Portal Storage Accounts page." lightbox="media/storage-account-create/create-button-lrg.png":::

+| Network connectivity | Endpoint type | Required | Azure Storage supports two types of endpoints: standard endpoints (the default) and Azure DNS zone endpoints (preview). Within a given subscription, you can create up to 250 accounts with standard endpoints per region, and up to 5000 accounts with Azure DNS zone endpoints per region. To learn how to view the service endpoints for an existing storage account, see [Get service endpoints for the storage account](storage-account-get-info.md#get-service-endpoints-for-the-storage-account). |

+> [!IMPORTANT]

+> Azure DNS zone endpoints are currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+```azurepowershell

+```azurepowershell

+```azurepowershell

+To create an account with Azure DNS zone endpoints (preview), follow these steps:

+1. Register for the preview as described in [Azure DNS zone endpoints (preview)](storage-account-overview.md#azure-dns-zone-endpoints-preview).

+1. Make sure you have the latest version of PowerShellGet installed.

+ ```azurepowershell

+ Install-Module PowerShellGet ΓÇôRepository PSGallery ΓÇôForce

+ ```

+1. Close and reopen the PowerShell console.

+1. Install version [4.4.2-preview](https://www.powershellgallery.com/packages/Az.Storage/4.4.2-preview) or later of the Az.Storage PowerShell module. You may need to uninstall other versions of the PowerShell module. For more information about installing Azure PowerShell, see [Install Azure PowerShell with PowerShellGet](/powershell/azure/install-az-ps).

+ ```azurepowershell

+ Install-Module Az.Storage -Repository PsGallery -RequiredVersion 4.4.2-preview -AllowClobber -AllowPrerelease -Force

+ ```

+Next, create the account, specifying `AzureDnsZone` for the `-DnsEndpointType` parameter. After the account is created, you can see the service endpoints by getting the `PrimaryEndpoints` and `SecondaryEndpoints` properties for the storage account.

+```azurepowershell

+$rgName = "<resource-group>"

+$accountName = "<storage-account>"

+$account = New-AzStorageAccount -ResourceGroupName $rgName `

+ -Name $accountName `

+ -SkuName Standard_RAGRS `

+ -Location <location> `

+ -Kind StorageV2 `

+ -DnsEndpointType AzureDnsZone

+$account.PrimaryEndpoints

+$account.SecondaryEndpoints

+```

+To enable a hierarchical namespace for the storage account to use [Azure Data Lake Storage](https://azure.microsoft.com/services/storage/data-lake-storage/), set the `EnableHierarchicalNamespace` parameter to `$True` on the call to the **New-AzStorageAccount** command.

+ --location eastus

+ --location eastus \

+To create an account with Azure DNS zone endpoints (preview), first register for the preview as described in [Azure DNS zone endpoints (preview)](storage-account-overview.md#azure-dns-zone-endpoints-preview). Next, install the preview extension for the Azure CLI if it's not already installed:

+```azurecli

+az extension add -name storage-preview

+```

+Next, create the account, specifying `AzureDnsZone` for the `--dns-endpoint-type` parameter. After the account is created, you can see the service endpoints by getting the `PrimaryEndpoints` property of the storage account.

+```azurecli

+az storage account create \

+ --name <account-name> \

+ --resource-group <resource-group> \

+ --location <location> \

+ --dns-endpoint-type AzureDnsZone

+```

+After the account is created, you can return the service endpoints by getting the `primaryEndpoints` and `secondaryEndpoints` properties for the storage account.

+```azurecli

+az storage account show \

+ --resource-group <resource-group> \

+ --name <account-name> \

+ --query '[primaryEndpoints, secondaryEndpoints]'

+```

+```azurepowershell

+```azurepowershell

+## Get service endpoints for the storage account

+The service endpoints for a storage account provide the base URL for any blob, queue, table, or file object in Azure Storage. Use this base URL to construct the address for any given resource.

+# [Azure portal](#tab/portal)

+To get the service endpoints for a storage account in the Azure portal, follow these steps:

+1. Navigate to your storage account in the Azure portal.

+1. In the **Settings** section, locate the **Endpoints** setting.

+1. On the **Endpoints** page, you'll see the service endpoint for each Azure Storage service, as well as the resource ID.

+ :::image type="content" source="media/storage-account-get-info/service-endpoints-portal-sml.png" alt-text="Screenshot showing how to retrieve service endpoints for a storage account." lightbox="media/storage-account-get-info/service-endpoints-portal-lrg.png":::

+If the storage account is geo-replicated, the secondary endpoints will also appear on this page.

+# [PowerShell](#tab/powershell)

+To get the service endpoints for a storage account with PowerShell, call [Get-AzStorageAccount](/powershell/module/az.storage/get-azstorageaccount) and return the `PrimaryEndpoints` property. If the storage account is geo-replicated, then the `SecondaryEndpoints` property returns the secondary endpoints.

+```azurepowershell

+(Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).PrimaryEndpoints

+(Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).SecondaryEndpoints

+```

+# [Azure CLI](#tab/azure-cli)

+To get the service endpoints for a storage account with Azure CLI, call [az storage account show](/cli/azure/storage/account#az-storage-account-show) and return the `primaryEndpoints` property. If the storage account is geo-replicated, then the `secondaryEndpoints` property returns the secondary endpoints.

+```azurecli

+az storage account show \

+ --resource-group <resource-group> \

+ --name <account-name> \

+ --query '[primaryEndpoints, secondaryEndpoints]'

+```

+## Get a connection string for the storage account

+You can use a connection string to authorize access to Azure Storage with the account access keys (Shared Key authorization). To learn more about connection strings, see [Configure Azure Storage connection strings](storage-configure-connection-string.md).

+# [Portal](#tab/portal)

+To get a connection string in the Azure portal, follow these steps:

+1. Navigate to your storage account in the Azure portal.

+1. In the **Security + networking** section, locate the **Access keys** setting.

+1. To display the account keys and associated connection strings, select the **Show keys** button at the top of the page.

+1. To copy a connection string to the clipboard, select the **Copy** button to the right of the connection string.

+# [PowerShell](#tab/powershell)

+To get a connection string with PowerShell, first get a `StorageAccountContext` object, then retrieve the `ConnectionString` property.

+```azurepowershell

+$rgName = "<resource-group>"

+$accountName = "storagesamplesdnszone2"

+(Get-AzStorageAccount -ResourceGroupName <resource-group> -Name <storage-account>).Context.ConnectionString

+```

+# [Azure CLI](#tab/azure-cli)

+To get a connection string with Azure CLI, call the [az storage account show-connection-string](/cli/azure/storage/account#az-storage-account-show-connection-string) command.

+```azurecli

+az storage account show-connection-string --resource-group <resource-group> --name <storage-account>

+```

+## Storage account name

+## Storage account endpoints

+A storage account provides a unique namespace in Azure for your data. Every object that you store in Azure Storage has a URL address that includes your unique account name. The combination of the account name and the service endpoint forms the endpoints for your storage account.

+There are two types of service endpoints available for a storage account:

+- Standard endpoints (recommended). You can create up to 250 storage accounts per region with standard endpoints in a given subscription.

+- Azure DNS zone endpoints (preview). You can create up to 5000 storage accounts per region with Azure DNS zone endpoints in a given subscription.

+Within a single subscription, you can create accounts with either standard or Azure DNS Zone endpoints, for a maximum of 5250 accounts per subscription.

+> [!IMPORTANT]

+> Azure DNS zone endpoints are currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+You can configure your storage account to use a custom domain for the Blob Storage endpoint. For more information, see [Configure a custom domain name for your Azure Storage account](../blobs/storage-custom-domain-name.md).

+### Standard endpoints

+A standard service endpoint in Azure Storage includes the protocol (HTTPS is recommended), the storage account name as the subdomain, and a fixed domain that includes the name of the service.

+The following table lists the format for the standard endpoints for each of the Azure Storage services.

+| Static website (Blob Storage) | `https://<storage-account>.web.core.windows.net` |

+When your account is created with standard endpoints, you can easily construct the URL for an object in Azure Storage by appending the object's location in the storage account to the endpoint. For example, the URL for a blob will be similar to:

+### Azure DNS zone endpoints (preview)

+When you create an Azure Storage account with Azure DNS zone endpoints (preview), Azure Storage dynamically selects an Azure DNS zone and assigns it to the storage account when it is created. The new storage account's endpoints are created in the dynamically selected Azure DNS zone. For more information about Azure DNS zones, see [DNS zones](../../dns/dns-zones-records.md#dns-zones).

+An Azure DNS zone service endpoint in Azure Storage includes the protocol (HTTPS is recommended), the storage account name as the subdomain, and a domain that includes the name of the service and the identifier for the DNS zone. The identifier for the DNS zone always begins with `z` and can range from `z00` to `z99`.

+The following table lists the format for Azure DNS Zone endpoints for each of the Azure Storage services, where the zone is `z5`.

+| Storage service | Endpoint |

+|--|--|

+| Blob Storage | `https://<storage-account>.z[00-99].blob.core.windows.net` |

+| Static website (Blob Storage) | `https://<storage-account>.z[00-99].web.core.windows.net` |

+| Data Lake Storage Gen2 | `https://<storage-account>.z[00-99].dfs.core.windows.net` |

+| Azure Files | `https://<storage-account>.z[00-99].file.core.windows.net` |

+| Queue Storage | `https://<storage-account>.z[00-99].queue.core.windows.net` |

+| Table Storage | `https://<storage-account>.z[00-99].table.core.windows.net` |

+> [!IMPORTANT]

+> You can create up to 5000 accounts with Azure DNS Zone endpoints per subscription. However, you may need to update your application code to query for the account endpoint at runtime. You can call the [Get Properties](/rest/api/storagerp/storage-accounts/get-properties) operation to query for the storage account endpoints.

+Azure DNS zone endpoints are supported for accounts created with the Azure Resource Manager deployment model only. For more information, see [Azure Resource Manager overview](../../azure-resource-manager/management/overview.md).

+To learn how to create a storage account with Azure DNS Zone endpoints, see [Create a storage account](storage-account-create.md).

+#### About the preview

+The Azure DNS zone endpoints preview is available in all public regions. The preview is not available in any government cloud regions.

+To register for the preview, follow the instructions provided in [Set up preview features in Azure subscription](../../azure-resource-manager/management/preview-features.md#register-preview-feature). Specify `PartitionedDnsPublicPreview` as the feature name and `Microsoft.Storage` as the provider namespace.

+## Scalability targets for standard storage accounts

+> VSS snapshots (including Previous Versions tab) are supported on volumes which have cloud tiering enabled. However, you must enable previous version compatibility through PowerShell. [Learn how](file-sync-deployment-guide.md#self-service-restore-through-previous-versions-and-vss-volume-shadow-copy-service).

+This error can occur if Azure File Sync cannot access the storage account due to security settings or if the NT AUTHORITY\SYSTEM account does not have permissions to the System Volume Information folder on the volume where the server endpoint is located. Note, if individual files are failing to sync with ERROR_ACCESS_DENIED, perform the steps documented in the [Troubleshooting per file/directory sync errors](?tabs=portal1%252cazure-portal#troubleshooting-per-filedirectory-sync-errors) section.

+* [Configure Always On availability group in Azure Virtual Machines manually by using Resource Manager](/azure/azure-sql/virtual-machines/windows/availability-group-overview)

+* [Configure an AlwaysOn availability group in Azure virtual machines manually by using Resource Manager](/azure/azure-sql/virtual-machines/windows/availability-group-overview)