+A claims provider is an interface to communicate with different types of parties via its [technical profiles](technicalprofiles.md). Every claims provider must have one or more technical profiles that determine the endpoints and the protocols needed to communicate with the claims provider. A claims provider can have multiple technical profiles. For example, multiple technical profiles may be defined because the claims provider supports multiple protocols, various endpoints with different capabilities, or releases different claims at different assurance levels. It may be acceptable to release sensitive claims in one user journey, but not in another.

+ >In the above configuration under step 4, please choose **Passwordless** option. Change the mode for each groups added for PSI for **Authentication mode**, choose **Passwordless** for passwordless sign-in to work with CBA. If the admin configures "Any", the user can use either push or passwordless. If passwordless is preferred over push but still wants to allow push, admin can still choose "Any" but configure system preferred MFA or configure authentication strengths.

+ Title: Configure the role claim for enterprise applications

+description: Learn how to configure the role claim issued in the SAML token for enterprise applications in Azure Active Directory.

+# Configure the role claim issued in the SAML token

+In Azure Active Directory (Azure AD), you can customize the role claim in the access token that is received after an application is authorized. Use this feature if your application expects custom roles in the token returned by Azure AD. You can create as many roles as you need.

+## Prerequisites

+- An Azure AD subscription with a configured tenant. For more information, see [Quickstart: Set up a tenant](quickstart-create-new-tenant.md).

+- An enterprise application that has been added to the tenant. For more information, see [Quickstart: Add an enterprise application](../manage-apps/add-application-portal.md).

+- Single sign-on (SSO) configured for the application. For more information, see [Enable single sign-on for an enterprise application](../manage-apps/add-application-portal-setup-sso.md).

+- A user account that is assigned to the role. For more information, see [Quickstart: Create and assign a user account](../manage-apps/add-application-portal-assign-users.md).

+> [!NOTE]

+> This article explains how to create, update, or delete application roles on the service principal using APIs in Azure AD. To use the new user interface for App Roles, see [Add app roles to your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md).

+## Locate the enterprise application

+Use the following steps to locate the enterprise application:

+1. In the [Azure portal](https://portal.azure.com/), in the left pane, select **Azure Active Directory**.

+1. Select **Enterprise applications**, and then select **All applications**.

+1. Enter the name of the existing application in the search box, and then select the application from the search results.

+1. After the application is selected, copy the object ID from the overview pane.

+ :::image type="content" source="media/active-directory-enterprise-app-role-management/record-objectid.png" alt-text="Screenshot that shows how to locate and record the object identifier for the application.":::

+## Add roles

+Use the Microsoft Graph Explorer to add roles to an enterprise application.

+1. Open [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) in another window and sign in using the administrator credentials for your tenant.

+ > [!NOTE]

+ > The Cloud App Administrator and App Administrator role won't work in this scenario. The Global Admin permissions are needed for directory read and write.

+1. Select **modify permissions**, select **Consent** for the `Application.ReadWrite.All` and the `Directory.ReadWrite.All` permissions in the list.

+1. Replace `<objectID>` in the following request with the object ID that was previously recorded and then run the query:

+ `https://graph.microsoft.com/v1.0/servicePrincipals/<objectID>`

+1. An enterprise application is also referred to as a service principal. Record the **appRoles** property from the service principal object that was returned. The following example shows the typical appRoles property:

+ ```json

+ {

+ "appRoles": [

+ {

+ "allowedMemberTypes": [

+ "User"

+ ],

+ "description": "msiam_access",

+ "displayName": "msiam_access",

+ "id": "ef7437e6-4f94-4a0a-a110-a439eb2aa8f7",

+ "isEnabled": true,

+ "origin": "Application",

+ "value": null

+ }

+ ]

+ }

+ ```

+1. In Graph Explorer, change the method from **GET** to **PATCH**.

+1. Copy the appRoles property that was previously recorded into the **Request body** pane of Graph Explorer, add the new role definition, and then select **Run Query** to execute the patch operation. A success message confirms the creation of the role. The following example shows the addition of an *Admin* role:

+ ```json

+ {

+ "appRoles": [

+ {

+ "allowedMemberTypes": [

+ "User"

+ ],

+ "description": "msiam_access",

+ "displayName": "msiam_access",

+ "id": "ef7437e6-4f94-4a0a-a110-a439eb2aa8f7",

+ "isEnabled": true,

+ "origin": "Application",

+ "value": null

+ },

+ {

+ "allowedMemberTypes": [

+ "User"

+ ],

+ "description": "Administrators Only",

+ "displayName": "Admin",

+ "id": "4f8f8640-f081-492d-97a0-caf24e9bc134",

+ "isEnabled": true,

+ "origin": "ServicePrincipal",

+ "value": "Administrator"

+ }

+ ]

+ }

+ ```

+ You can only add new roles after msiam_access for the patch operation. Also, you can add as many roles as your organization needs. Azure AD sends the value of these roles as the claim value in the SAML response. To generate the GUID values for the ID of new roles use the web tools, such as the [Online GUID / UUID Generator](https://www.guidgenerator.com/). The appRoles property should now represent what was in the request body of the query.

+## Edit attributes

+Update the attributes to define the role claim that is included in the token.

+1. Locate the application in the Azure portal, and then select **Single sign-on** in the left menu.

+1. In the **Attributes & Claims** section, select **Edit**.

+1. Select **Add new claim**.

+1. In the **Name** box, type the attribute name. This example uses **Role Name** as the claim name.

+1. Leave the **Namespace** box blank.

+1. From the **Source attribute** list, select **user.assignedroles**.

+1. Select **Save**. The new **Role Name** attribute should now appear in the **Attributes & Claims** section. The claim should now be included in the access token when signing into the application.

+ :::image type="content" source="media/active-directory-enterprise-app-role-management/attributes-summary.png" alt-text="Screenshot that shows a display of the list of attributes and claims defined for the application.":::

+## Assign roles

+After the service principal is patched with more roles, you can assign users to the respective roles.

+1. In the Azure portal, locate the application to which the role was added.

+1. Select **Users and groups** in the left menu and then select the user that you want to assign the new role.

+1. Select **Edit assignment** at the top of the pane to change the role.

+1. Select **None Selected**, select the role from the list, and then select **Select**.

+1. Select **Assign** to assign the role to the user.

+ :::image type="content" source="media/active-directory-enterprise-app-role-management/assign-role.png" alt-text="Screenshot that shows how to assign a role to a user of an application.":::

+## Update roles

+To update an existing role, perform the following steps:

+1. Open [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

+1. Sign in to the Graph Explorer site by using the global admin or coadmin credentials for your tenant.

+1. Using the object ID for the application from the overview pane, replace `<objectID>` in the following request with it and then run the query:

+ `https://graph.microsoft.com/v1.0/servicePrincipals/<objectID>`

+1. Record the **appRoles** property from the service principal object that was returned.

+1. In Graph Explorer, change the method from **GET** to **PATCH**.

+1. Copy the appRoles property that was previously recorded into the **Request body** pane of Graph Explorer, add update the role definition, and then select **Run Query** to execute the patch operation.

+## Delete roles

+To delete an existing role, perform the following steps:

+1. Open [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

+1. Sign in to the Graph Explorer site by using the global admin or coadmin credentials for your tenant.

+1. Using the object ID for the application from the overview pane in the Azure portal, replace `<objectID>` in the following request with it and then run the query:

+ `https://graph.microsoft.com/v1.0/servicePrincipals/<objectID>`

+1. Record the **appRoles** property from the service principal object that was returned.

+1. In Graph Explorer, change the method from **GET** to **PATCH**.

+1. Copy the appRoles property that was previously recorded into the **Request body** pane of Graph Explorer, set the **IsEnabled** value to **false** for the role that you want to delete, and then select **Run Query** to execute the patch operation. A role must be disabled before it can be deleted.

+1. After the role is disabled, delete that role block from the **appRoles** section. Keep the method as **PATCH**, and select **Run Query** again.

+## Next steps

+- For information about customizing claims, see [Customize claims issued in the SAML token for enterprise applications](saml-claims-customization.md).

+MSAL is designed to enable a secure solution without developers having to worry about the implementation details. It simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. We recommend you use MSAL to [increase the resilience of authentication and authorization in client applications that you develop](../fundamentals/resilience-client-app.md?tabs=csharp#use-the-microsoft-authentication-library-msal).

+## AD FS support in MSAL

+You can use MSAL.NET, MSAL Java, MSAL.js, and MSAL Python to get tokens from Active Directory Federation Services (AD FS) 2019 or later. Earlier versions of AD FS, including AD FS 2016, are unsupported by MSAL.

+- [Migrate to MSAL.js](msal-compare-msal-js-and-adal-js.md)

+### Client assertions

+This is useful if you want to handle the certificate yourself. For example, if you wish to use Azure KeyVault's APIs for signing, which eliminates the need for downloading the certificates. A signed client assertion takes the form of a signed JWT with the payload containing the required authentication claims mandated by Azure AD, Base64 encoded. To use it:

+aud | `https://login.microsoftonline.com/{tenantId}/v2.0/token` | The "aud" (audience) claim identifies the recipients that the JWT is intended for (here Azure AD) See [RFC 7519, Section 4.1.3](https://tools.ietf.org/html/rfc7519#section-4.1.3). In this case, that recipient is the token endpoint of the identity provider

+### Crafting the asssertion

+This is an example using [Microsoft.IdentityModel.JsonWebTokens](https://www.nuget.org/packages/Microsoft.IdentityModel.JsonWebTokens/) to create the assertion for you.

+ string GetSignedClientAssertion(X509Certificate2 certificate, string tenantId, string clientId)

+ {

+ // no need to add exp, nbf as JsonWebTokenHandler will add them by default.

+ var claims = new Dictionary<string, object>()

+ {

+ { "aud", tokenEndpoint },

+ { "iss", clientId },

+ { "jti", Guid.NewGuid().ToString() },

+ { "sub", clientId }

+ };

+ var securityTokenDescriptor = new SecurityTokenDescriptor

+ {

+ Claims = claims,

+ SigningCredentials = new X509SigningCredentials(certificate)

+ };

+ var handler = new JsonWebTokenHandler();

+ var signedClientAssertion = handler.CreateToken(securityTokenDescriptor);

+ }

+Alternatively, if you do not wish to use Microsoft.IdentityModel.JsonWebTokens:

+In some cases, developers want to inject some claims into the assertions, but would still like MSAL to handle the creation of the assertion and the signing.

+`WithClientClaims(X509Certificate2 certificate, IDictionary<string, string> claimsToSign, bool mergeWithDefaultClaims = true)` will produce a signed assertion containing the claims expected by Azure AD plus additional client claims that you want to send.

+AcquireTokenResult tokenResult = await acquirer.GetTokenForUserAsync(new[] { "https://graph.microsoft.com/.default" });

+The pattern for acquiring tokens for APIs with [MSAL.js](https://github.com/AzureAD/microsoft-authentication-library-for-js) is to first attempt a silent token request by using the `acquireTokenSilent` method. When this method is called, the library first checks the cache in browser storage to see if a non-expired access token exists and returns it. If no access token is found or the access token found has expired, it attempts to use its refresh token to get a fresh access token. If the refresh token's 24-hour lifetime has also expired, MSAL.js opens a hidden iframe to silently request a new authorization code by using the existing active session with Azure Active Directory (Azure AD) (if any), which will then be exchanged for a fresh set of tokens (access _and_ refresh tokens). For more information about single sign-on (SSO) session and token lifetime values in Azure AD, see [Token lifetimes](configurable-token-lifetimes.md). For more information on MSAL.js cache lookup policy, see: [Acquiring an Access Token](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/acquire-token.md#acquiring-an-access-token).

+- If users have browser constraints or policies where pop-up windows are disabled, you can use the redirect method. Use the redirect method with the Internet Explorer browser, because there are [known issues with pop-up windows on Internet Explorer](msal-js-known-issues-ie-edge-browsers.md).

+You can specify the scopes for APIs in the `protectedResourceMap` configuration option. `MsalInterceptor` requests the specified scopes when automatically acquiring tokens.

+You can specify the scopes for APIs in the `protectedResourceMap` configuration option. `MsalInterceptor` requests the specified scopes when automatically acquiring tokens.

+The following pattern is as described earlier but shown with a redirect method to acquire tokens interactively. You need to call and await `handleRedirectPromise` on page load.

+The following pattern is as described earlier but shown with a redirect method to acquire tokens interactively. You need to register the redirect callback as mentioned earlier.

+If `acquireTokenSilent` fails, fallback to `acquireTokenRedirect`. This method initiates a full-frame redirect and the response will be handled when returning to the application. When this component is rendered after returning from the redirect, `acquireTokenSilent` should now succeed as the tokens will be pulled from the cache.

+ Title: "Quickstart: Sign in users in single-page apps (SPA) by using the authorization code with Proof Key for Code Exchange (PKCE)"

+description: In this quickstart, learn how a JavaScript single-page application (SPA) can sign in users of personal accounts, work accounts, and school accounts by using the authorization code flow with Proof Key for Code Exchange (PKCE).

+# Quickstart: Sign in users in single-page apps (SPA) via the authorization code flow with Proof Key for Code Exchange (PKCE)

+- **Invitation message**: Select the **Send invite message** checkbox to send an invitation message. When enabling this checkbox, you can also set up the customized short message and additional CC recipient.

+1. (This step applies to **Organizational settings** only.) Review the **Automatic redemption** option:

+ - **Automatically redeem invitations with the tenant** &lt;tenant&gt;: Check this setting if you want to automatically redeem invitations. If so, users from the specified tenant won't have to accept the consent prompt the first time they access this tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for outbound access as well.

+ 

+1. Review the **Automatic redemption** option:

+ - **Automatically redeem invitations with the tenant** &lt;tenant&gt;: Check this setting if you want to automatically redeem invitations. If so, users from this tenant don't have to accept the consent prompt the first time they access the specified tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for inbound access as well.

+ 

+1. (This step applies to **Organizational settings** only.) Review the **Automatic redemption** option:

+ - **Automatically redeem invitations with the tenant** &lt;tenant&gt;: Check this setting if you want to automatically redeem invitations. If so, users from the specified tenant won't have to accept the consent prompt the first time they access this tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for outbound access as well.

+ 

+1. Review the **Automatic redemption** option:

+ - **Automatically redeem invitations with the tenant** &lt;tenant&gt;: Check this setting if you want to automatically redeem invitations. If so, users from this tenant don't have to accept the consent prompt the first time they access the specified tenant using cross-tenant synchronization, B2B collaboration, or B2B direct connect. This setting will only suppress the consent prompt if the specified tenant checks this setting for inbound access as well.

+ 

+ Title: Reset redemption status for a guest user

+To manage these scenarios previously, you had to manually delete the guest userΓÇÖs account from your directory and reinvite the user. Now you can use the Azure portal, PowerShell or the Microsoft Graph invitation API to reset the user's redemption status and reinvite the user while keeping the user's object ID, group memberships, and app assignments. When the user redeems the new invitation, the UserPrincipalName (UPN) of the user doesn't change, but the user's sign-in name changes to the new email. Then the user can sign in using the new email or an email you've added to the `otherMails` property of the user object.

+1. On the **Overview** tab, underΓÇ»**My Feed**, select the **Reset redemption status** link in the **B2B collaboration** tile.

+ :::image type="content" source="media/reset-redemption-status/user-profile-b2b-collaboration.png" alt-text="Screenshot showing the B2B collaboration reset link." lightbox="media/reset-redemption-status/user-profile-b2b-collaboration.png":::

+1. Under **Reset redemption status**, select **Reset**.

+ :::image type="content" source="media/reset-redemption-status/reset-status.png" alt-text="Screenshot showing the reset invitation status setting.":::

+- [Add Azure Active Directory B2B collaboration users by using PowerShell](customize-invitation-api.md#powershell)

+## November 2022

+### General Availability - Use Web Sign-in on Windows for password-less recovery with Temporary Access Pass

+**Type:** Changed feature

+**Service category:** N/A

+**Product capability:** User Authentication

+The Temporary Access Pass can now be used to recover Azure AD-joined PCs when the EnableWebSignIn policy is enabled on the device. This is useful for when your users don't know, or have, a password. For more information, see: [Authentication/EnableWebSignIn](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin).

+### Public Preview - Workload Identity Federation for Managed Identities

+**Type:** New feature

+**Service category:** Managed identities for Azure resources

+**Product capability:** Developer Experience

+Developers can now use managed identities for their software workloads running anywhere, and for accessing Azure resources, without needing secrets. Key scenarios include:

+- Accessing Azure resources from Kubernetes pods running on-premises or in any cloud.

+- GitHub workflows to deploy to Azure, no secrets necessary.

+- Accessing Azure resources from other cloud platforms that support OIDC, such as Google Cloud.

+For more information, see:

+- [Configure a user-assigned managed identity to trust an external identity provider (preview)](../develop/workload-identity-federation-create-trust-user-assigned-managed-identity.md)

+- [Workload identity federation](../develop/workload-identity-federation.md)

+- [Use an Azure AD workload identity (preview) on Azure Kubernetes Service (AKS)](../../aks/workload-identity-overview.md)

+### General Availability - Authenticator on iOS is FIPS 140 compliant

+**Type:** New feature

+**Service category:** Microsoft Authenticator App

+**Product capability:** User Authentication

+Authenticator version 6.6.8 and higher on iOS will be FIPS 140 compliant for all Azure AD authentications using push multi-factor authentications (MFA), Password-less Phone Sign-In (PSI), and time-based one-time pass-codes (TOTP). No changes in configuration are required in the Authenticator app or Azure portal to enable this capability. For more information, see: [FIPS 140 compliant for Azure AD authentication](../authentication/concept-authentication-authenticator-app.md#fips-140-compliant-for-azure-ad-authentication).

+### General Availability - New Federated Apps available in Azure AD Application gallery - November 2022

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** 3rd Party Integration

+In November 2022, we've added the following 22 new applications in our App gallery with Federation support

+[Adstream](../saas-apps/adstream-tutorial.md), [Databook](../saas-apps/databook-tutorial.md), [Ecospend IAM](https://ecospend.com/), [Digital Pigeon](../saas-apps/digital-pigeon-tutorial.md), [Drawboard Projects](../saas-apps/drawboard-projects-tutorial.md), [Vellum](https://www.vellum.ink/request-demo), [Veracity](https://aie-veracity.com/connect/azure), [Microsoft OneNote to Bloomberg Note Sync](https://www.bloomberg.com/professional/support/software-updates/), [DX NetOps Portal](../saas-apps/dx-netops-portal-tutorial.md), [itslearning Outlook integration](https://itslearning.com/global/), [Tranxfer](../saas-apps/tranxfer-tutorial.md), [Occupop](https://app.occupop.com/), [Nialli Workspace](https://ws.nialli.com/), [Tideways](https://app.tideways.io/login), [SOWELL](https://manager.sowellapp.com/#/?sso=true), [Prewise Learning](https://prewiselearning.com/), [CAPTOR for Intune](https://www.inkscreen.com/microsoft), [wayCloud Platform](https://app.way-cloud.de/login), [Nura Space Meeting Room](https://play.google.com/store/apps/details?id=com.meetingroom.prod), [Flexopus Exchange Integration](https://help.flexopus.com/de/microsoft-graph-integration), [Ren Systems](https://app.rensystems.com/login), [Nudge Security](https://www.nudgesecurity.io/login)

+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

+For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

+### General Availability - New provisioning connectors in the Azure AD Application Gallery - November 2022

+**Type:** New feature

+**Service category:** App Provisioning

+**Product capability:** 3rd Party Integration

+We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

+- [Keepabl](../saas-apps/keepabl-provisioning-tutorial.md)

+- [Uber](../saas-apps/uber-provisioning-tutorial.md)

+For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

+### Public Preview - Dynamic Group pause functionality

+**Type:** New feature

+**Service category:** Group Management

+**Product capability:** Directory

+Admins can now pause, and resume, the processing of individual dynamic groups in the Entra Admin Center. For more information, see: [Create or update a dynamic group in Azure Active Directory](../enterprise-users/groups-create-rule.md).

+### Public Preview - Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities.

+**Type:** New feature

+**Service category:** Authentications (Logins)

+**Product capability:** User Authentication

+Update the Azure AD and Microsoft 365 sign-in experience with new company branding capabilities. You can apply your companyΓÇÖs brand guidance to authentication experiences with pre-defined templates. For more information, see: [Configure your company branding](../fundamentals/customize-branding.md).

+### Public Preview - Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding.

+**Type:** New feature

+**Service category:** Directory Management

+**Product capability:** Directory

+Update the company branding functionality on the Azure AD/Microsoft 365 sign-in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icon. For more information, see: [Configure your company branding](../fundamentals/customize-branding.md).

+### General Availability - Soft Delete for Administrative Units

+**Type:** New feature

+**Service category:** Directory Management

+**Product capability:** Directory

+Administrative Units now support soft deletion. Admins can now list, view properties of, or restore deleted Administrative Units using the Microsoft Graph. This functionality restores all configuration for the Administrative Unit when restored from soft delete, including memberships, admin roles, processing rules, and processing rules state.

+This functionality greatly enhances recoverability and resilience when using Administrative Units. Now, when an Administrative Unit is accidentally deleted, you can restore it quickly to the same state it was at time of deletion. This removes uncertainty around configuration and makes restoration quick and easy. For more information, see: [List deletedItems (directory objects)](/graph/api/directory-deleteditems-list).

+### Public Preview - IPv6 coming to Azure AD

+**Type:** Plan for change

+**Service category:** Identity Protection

+**Product capability:** Platform

+With the growing adoption and support of IPv6 across enterprise networks, service providers, and devices, many customers are wondering if their users can continue to access their services and applications from IPv6 clients and networks. Today, weΓÇÖre excited to announce our plan to bring IPv6 support to Microsoft Azure Active Directory (Azure AD). This allows customers to reach the Azure AD services over both IPv4 and IPv6 network protocols (dual stack).

+For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to de-prioritize IPv4 in any Azure Active Directory features or services.

+We'll begin introducing IPv6 support into Azure AD services in a phased approach, beginning March 31, 2023.

+We have guidance that is specifically for Azure AD customers who use IPv6 addresses and also use Named Locations in their Conditional Access policies.

+Customers who use named locations to identify specific network boundaries in their organization need to:

+1. Conduct an audit of existing named locations to anticipate potential risk.

+1. Work with your network partner to identify egress IPv6 addresses in use in your environment.

+1. Review and update existing named locations to include the identified IPv6 ranges.

+Customers who use Conditional Access location based policies to restrict and secure access to their apps from specific networks need to:

+1. Conduct an audit of existing Conditional Access policies to identify use of named locations as a condition to anticipate potential risk.

+1. Review and update existing Conditional Access location based policies to ensure they continue to meet your organizationΓÇÖs security requirements.

+We continue to share additional guidance on IPv6 enablement in Azure AD at this link: https://aka.ms/azureadipv6.

+## May 2023

+### General Availability - Conditional Access authentication strength for members, external users and FIDO2 restrictions

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** Identity Security & Protection

+Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. Likewise, to access a nonsensitive resource, they can allow less secure multifactor authentication (MFA) combinations such as password + SMS.

+Authentication strength is now in General Availability for members and external users from any Microsoft cloud and FIDO2 restrictions. For more information, see: [Conditional Access authentication strength](../authentication/concept-authentication-strengths.md).

+### General Availability - SAML/Ws-Fed based identity provider authentication for Azure Active Directory B2B users in US Sec and US Nat clouds

+**Type:** New feature

+**Service category:** B2B

+**Product capability:** B2B/B2C

+SAML/Ws-Fed based identity providers for authentication in Azure AD B2B are generally available in US Sec, US Nat and China clouds. For more information, see: [Federation with SAML/WS-Fed identity providers for guest users](../external-identities/direct-federation.md).

+### Generally Availability - Cross-tenant synchronization

+**Type:** New feature

+**Service category:** Provisioning

+**Product capability:** Identity Lifecycle Management

+Cross-tenant synchronization allows you to set up a scalable and automated solution for users to access applications across tenants in your organization. It builds upon the Azure Active Directory B2B functionality and automates creating, updating, and deleting B2B users within tenants in your organization. For more information, see: [What is cross-tenant synchronization?](../multi-tenant-organizations/cross-tenant-synchronization-overview.md).

+### Public Preview(Refresh) - Custom Extensions in Entitlement Management

+**Type:** New feature

+**Service category:** Entitlement management

+**Product capability:** Identity Governance

+Last year we announced the [public preview of custom extensions in Entitlement Management](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/run-custom-workflows-in-azure-ad-entitlement-management/ba-p/2466938) allowing you to automate complex processes when access is requested or about to expire. We have recently expanded the public preview to allow for the access package assignment request to be paused while your external process is running. In addition, the external process can now provide feedback to Entitlement Management to either surface additional information to end users in MyAccess or even stop the access request. This expands the scenarios of custom extension from notifications to additional stakeholders or the generation of tickets to advanced scenarios such as external governance, risk and compliance checks. In the course of this update, we have also improved the audit logs, token security and the payload sent to the Logic App. To learn more about the preview refresh, see:

+- [Trigger Logic Apps with custom extensions in entitlement management (Preview)](../governance/entitlement-management-logic-apps-integration.md)

+- [accessPackageAssignmentRequest: resume](/graph/api/accesspackageassignmentrequest-resume)

+- [accessPackageAssignmentWorkflowExtension resource type](/graph/api/resources/accesspackageassignmentworkflowextension)

+- [accessPackageAssignmentRequestWorkflowExtension resource type](/graph/api/resources/accesspackageassignmentrequestworkflowextension)

+### General Availability - Managed Identity in Microsoft Authentication Library for .NET

+**Type:** New feature

+**Service category:** Authentications (Logins)

+**Product capability:** User Authentication

+The latest version of MSAL.NET graduates the Managed Identity APIs into the General Availability mode of support, which means that developers can integrate them safely in production workloads.

+Managed identities are a part of the Azure infrastructure, simplifying how developers handle credentials and secrets to access cloud resources. With Managed Identities, developers do not need to manually handle credential retrieval and security. Instead, they can rely on an automatically managed set of identities to connect to resources that support Azure Active Directory (AAD) authentication. You can learn more in [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)

+With MSAL.NET 4.54.0, the Managed Identity APIs are now stable. There are a few changes that we added that make them easier to use and integrate that might require tweaking your code if youΓÇÖve used our [experimental implementation](https://den.dev/blog/managed-identity-msal-net/):

+- When using Managed Identity APIs, developers will need to specify the identity type when creating an [ManagedIdentityApplication](/dotnet/api/microsoft.identity.client.managedidentityapplication).

+- When acquiring tokens with Managed Identity APIs and using the default HTTP client, MSAL retries the request for certain exception codes.

+- We added a new [MsalManagedIdentityException](/dotnet/api/microsoft.identity.client.msalmanagedidentityexception) class that represents any Managed Identity-related exceptions. It includes general exception information, including the Azure source from which the exception originates.

+- MSAL will now proactively refresh tokens acquired with Managed Identity.

+To get started with Managed Identity in MSAL.NET, you can use the [Microsoft.Identity.Client](/dotnet/api/microsoft.identity.client) package together with the [ManagedIdentityApplicationBuilder](/dotnet/api/microsoft.identity.client.managedidentityapplicationbuilder) class.

+### Public Preview - New My Groups Experience

+**Type:** Changed feature

+**Service category:** Group Management

+**Product capability:** End User Experiences

+A new and improved My Groups experience is now available at [myaccount.microsoft.com/groups](https://myaccount.microsoft.com/groups). This experience replaces the existing My Groups experience at mygroups.microsoft.com in May. For more information, see: [Update your Groups info in the My Apps portal](https://support.microsoft.com/account-billing/update-your-groups-info-in-the-my-apps-portal-bc0ca998-6d3a-42ac-acb8-e900fb1174a4).

+### General Availability - Admins can restrict their users from creating tenants

+**Type:** New feature

+**Service category:** User Access Management

+**Product capability:** User Management

+The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings pane allows admins to restrict their users from being able to create new tenants. There's also a new [Tenant Creator](../roles/permissions-reference.md#tenant-creator) role to allow specific users to create tenants. For more information, see [Default user permissions](../fundamentals/users-default-permissions.md#restrict-member-users-default-permissions).

+### Public Preview - Devices Self-Help Capability for Pending Devices

+**Type:** New feature

+**Service category:** Device Access Management

+**Product capability:** End User Experiences

+In the **All Devices** view under the Registered column, you can now select any pending devices you have, and it opens a context pane to help troubleshoot why a device may be pending. You can also offer feedback on if the summarized information is helpful or not. For more information, see: [Pending devices in Azure Active Directory](/troubleshoot/azure/active-directory/pending-devices).

+### General Availability - Admins can now restrict users from self-service accessing their BitLocker keys

+**Type:** New feature

+**Service category:** Device Access Management

+**Product capability:** User Management

+Admins can now restrict their users from self-service accessing their BitLocker keys through the Devices Settings page. Turning on this capability hides the BitLocker key(s) of all non-admin users. This helps to control BitLocker access management at the admin level. For more information, see: [Restrict member users' default permissions](users-default-permissions.md#restrict-member-users-default-permissions).

+### Public Preview - New provisioning connectors in the Azure AD Application Gallery - May 2023

+**Type:** New feature

+**Service category:** App Provisioning

+**Product capability:** 3rd Party Integration

+

+We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

+- [Sign In Enterprise Host Provisioning](../saas-apps/sign-in-enterprise-host-provisioning-tutorial.md)

+For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

+### General Availability - Microsoft Entra Permissions Management Azure Active Directory Insights

+**Type:** New feature

+**Service category:** Other

+**Product capability:** Permissions Management

+The Azure Active Directory Insights tab in Microsoft Entra Permissions Management provides a view of all permanent role assignments assigned to Global Administrators, and a curated list of highly privileged roles. Administrators can then use the report to take further action within the Azure Active Directory console. For more information, see [View privileged role assignments in your organization (Preview)](../cloud-infrastructure-entitlement-management/product-privileged-role-insights.md).

+### Public Preview - In portal guide to configure multi-factor authentication

+**Type:** New feature

+**Service category:** MFA

+**Product capability:** Identity Security & Protection

+The in portal guide to configure multi-factor authentication helps you get started with Azure Active Directory's MFA capabilities. You can find this guide under the Tutorials tab in the Azure AD Overview. For more information, see: [Configure multi-factor authentication using the portal guide](../authentication/multi-factor-authentication-wizard.md).

+### General Availability - Authenticator Lite (In Outlook)

+**Type:** New feature

+**Service category:** Microsoft Authenticator App

+**Product capability:** User Authentication

+Authenticator Lite (in Outlook) is an authentication solution for users that haven't yet downloaded the Microsoft Authenticator app. Users are prompted in Outlook on their mobile device to register for multi-factor authentication. After they enter their password at sign-in, they'll have the option to send a push notification to their Android or iOS device.

+Due to the security enhancement this feature provides users, the Microsoft managed value of this feature will be changed from ΓÇÿ*disabled*ΓÇÖ to ΓÇÿ*enabled*ΓÇÖ on June 9. WeΓÇÖve made some changes to the feature configuration, so if you made an update before GA, May 17, please validate that the feature is in the correct state for your tenant prior to June 9. If you don't wish for this feature to be enabled on June 9, move the state to ΓÇÿ*disabled*ΓÇÖ, or set users to include and exclude groups.

+For more information, see: [How to enable Microsoft Authenticator Lite for Outlook mobile (preview)](../authentication/how-to-mfa-authenticator-lite.md).

+### General Availability - PowerShell and Web Services connector support through the Azure AD provisioning agent

+**Type:** New feature

+**Service category:** Provisioning

+**Product capability:** Outbound to On-premises Applications

+The Azure AD on-premises application provisioning feature now supports both the [PowerShell](../app-provisioning/on-premises-powershell-connector.md) and [web services](../app-provisioning/on-premises-web-services-connector.md) connectors. you can now provision users into a flat file using the PowerShell connector or an app such as SAP ECC using the web services connector. For more information, see: [Provisioning users into applications using PowerShell](../app-provisioning/on-premises-powershell-connector.md).

+### General Availability - Verified threat actor IP sign-in detection

+**Type:** New feature

+**Service category:** Identity Protection

+**Product capability:** Identity Security & Protection

+Identity Protection has added a new detection, using the Microsoft Threat Intelligence database, to detect sign-in's performed from IP addresses of known nation state and cyber-crime actors and allow customers to block these sign-ins's by using risk-based conditional access policies. For more information, see: [Sign-in risk](../identity-protection/concept-identity-protection-risks.md#sign-in-risk).

+### General Availability - Conditional Access Granular control for external user types

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** Identity Security & Protection

+When configuring a Conditional Access policy, customers now have granular control over the types of external users they want to apply the policy to. External users are categorized based on how they authenticate (internally or externally) and their relationship to your organization (guest or member). For more information, see: [Assigning Conditional Access policies to external user types](../external-identities/authentication-conditional-access.md#assigning-conditional-access-policies-to-external-user-types).

+### General Availability - New Federated Apps available in Azure AD Application gallery - May 2023

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** 3rd Party Integration

+In May 2023 we added the following 51 new applications in our App gallery with Federation support

+[INEXTRACK](https://inexto.com/inexto-suite/inextrack), [Valotalive Digital Signage Microsoft 365 integration](https://valota.live/apps/microsoft-excel/), [Tailscale](http://tailscale.com/), [MANTL](https://console.mantl.com/), [ServusConnect](../saas-apps/servusconnect-tutorial.md), [Jigx MS Graph Demonstrator](https://www.jigx.com/), [Delivery Solutions](../saas-apps/delivery-solutions-tutorial.md), [Radiant IOT Portal](../saas-apps/radiant-iot-portal-tutorial.md), [Cosgrid Networks](../saas-apps/cosgrid-networks-tutorial.md), [voya SSO](https://app.voya.ai/), [Redocly](../saas-apps/redocly-tutorial.md), [Glaass Pro](https://glaass.net/pro/), [TalentLyftOIDC](https://www.talentlyft.com/en), [Cisco Expressway](../saas-apps/cisco-expressway-tutorial.md), [IBM TRIRIGA on Cloud](../saas-apps/ibm-tririga-on-cloud-tutorial.md), [Avionte Bold SAML Federated SSO](../saas-apps/avionte-bold-saml-federated-sso-tutorial.md), [InspectNTrack](http://www.inspecttrack.com/), [CAREERSHIP](../saas-apps/careership-tutorial.md), [Cisco Unity Connection](../saas-apps/cisco-unity-connection-tutorial.md), [HSC-Buddy](https://hsc-buddy.com/), [teamecho](https://app.teamecho.at/), [Uni-tel ), [Recnice](https://recnice.com/)

+

+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest

+### General Availability - My Security-info now shows Microsoft Authenticator type

+**Type:** Changed feature

+**Service category:** MFA

+**Product capability:** Identity Security & Protection

+We have improved My Sign-ins and My Security-Info to give you more clarity on the types of Microsoft Authenticator other Authenticator apps a user has registered. Users will now see Microsoft Authenticator registrations with additional information showing the app as being registered as Push-based MFA or Password-less phone sign-in (PSI) and for other Authenticator apps (Software OATH) we now indicate they're registered as a Time-based One-time password method. For more information, see: [Set up the Microsoft Authenticator app as your verification method](https://support.microsoft.com/account-billing/set-up-the-microsoft-authenticator-app-as-your-verification-method-33452159-6af9-438f-8f82-63ce94cf3d29).

+### General Availability - SAML/Ws-Fed based identity provider authentication for Azure Active Directory B2B users in US Sec and US Nat clouds

+**Type:** New feature

+**Service category:** B2B

+**Product capability:** B2B/B2C

+SAML/Ws-Fed based identity providers for authentication in Azure AD B2B are generally available in US Sec, US Nat and China clouds. For more information, see: [Federation with SAML/WS-Fed identity providers for guest users](../external-identities/direct-federation.md).

+Authenticator Lite is an additional surface for Azure Active Directory users to complete multifactor authentication using push notifications on their Android or iOS device. With Authenticator Lite, users can satisfy a multifactor authentication requirement from the convenience of a familiar app. Authenticator Lite is currently enabled in the Outlook mobile app. Users may receive a notification in their Outlook mobile app to approve or deny, or use the Outlook app to generate an OATH verification code that can be entered during sign-in. The *'Microsoft managed'* setting for this feature will be set to enabled on May 26th, 2023. This enables the feature for all users in tenants where the feature is set to Microsoft managed. If you wish to change the state of this feature, please do so before May 26, 2023. For more information, see: [How to enable Microsoft Authenticator Lite for Outlook mobile (preview)](../authentication/how-to-mfa-authenticator-lite.md).

+As part of ongoing service improvements, we're making updates to the per-user MFA admin configuration experience to align with the look and feel of Azure. This change doesn't include any changes to the core functionality and will only include visual improvements.  For more information, see: [Enable per-user Azure AD Multi-Factor Authentication to secure sign-in events](../authentication/howto-mfa-userstates.md).

+>[!NOTE]

+> The rule evaluation is case-sensitive.

+|Choose the best sync tool|Before moving to cloud sync, you should verify that cloud sync is currently the best synchronization tool for you. You can do this task by going through the wizard [here](https://aka.ms/EvaluateSyncOptions).|

+``

+Learn the options available for managing consent to applications in a tenant. Learn about delegated permissions and how to revoke previously consented permissions to mitigate risks posed by malicious applications.

+ :::column-end:::

+## Phases of migrating apps from ADFS to Azure AD

+Learn about the different phases of migrating apps from ADFS to Azure AD and the steps involved in each phase. View a demo on how to migrate a simple app from ADFS to Azure AD and the steps you need to take to ensure a successful migration.

+___

+ :::column:::

+ 1 - [Phase 1 and 2: Discover, scope, and classify apps and plan pilot](https://www.youtube.com/watch?v=PxLIacDpHh4)(4:05)

+ :::column-end:::

+ :::column:::

+ >[!VIDEO https://www.youtube.com/embed/PxLIacDpHh4]

+ :::column-end:::

+ :::column:::

+ 2 - [Phase 3: Plan migration and testing](https://www.youtube.com/watch?v=PvI4Q4P_HfU)(5:39)

+ :::column-end:::

+ :::column:::

+ >[!Video https://www.youtube.com/embed/PvI4Q4P_HfU]

+ :::column-end:::

+ :::column:::

+ 3 - [Phase 4: Plan management and insights](https://www.youtube.com/watch?v=8aUIuOXeDxw)(7:02)

+ :::column-end:::

+ :::column:::

+ >[!Video https://www.youtube.com/embed/8aUIuOXeDxw]

+ :::column-end:::

+ :::column:::

+ 4 - [Active Directory Federation Services (AD FS) decommission guide](https://www.youtube.com/watch?v=D0M-N-RQw0I)(11:18)

+ :::column-end:::

+ :::column:::

+ >[!Video https://www.youtube.com/embed/D0M-N-RQw0I]

+ Title: 'Understand the stages of migrating application authentication from AD FS to Azure AD'

+description: This article provides the stages of the migration process and what types of applications to migrate.

+# Understand the stages of migrating application authentication from AD FS to Azure AD

+Azure Active Directory (Azure AD) offers a universal identity platform that provides your people, partners, and customers a single identity to access applications and collaborate from any platform and device. Azure AD has a full suite of identity management capabilities. Standardizing your application authentication and authorization to Azure AD provides these benefits.

+Your applications may use modern or legacy protocols for authentication. When you plan your migration to Azure AD, consider migrating the apps that use modern authentication protocols (such as SAML and Open ID Connect) first.

+These apps can be reconfigured to authenticate with Azure AD either via a built-in connector from the Azure App Gallery, or by registering the custom application in Azure AD.

+Apps that use older protocols can be integrated using [Application Proxy](../app-proxy/what-is-application-proxy.md) or any of our [Secure Hybrid Access (SHA) partners](secure-hybrid-access-integrations.md).

+## The migration process

+### Stage 1 ΓÇô Current state: The production app authenticates with AD FS

+### Stage 2 ΓÇô (Optional) Point a test instance of the app to the test Azure AD tenant

+### Stage 3 ΓÇô Point a test instance of the app to the production Azure AD tenant

+### Stage 4 ΓÇô Point the production app to the production Azure AD tenant

+## Line of business apps

+- [Configure SAML-based single sign-on](migrate-adfs-saml-based-sso.md).

+ Title: 'Phase 2: Classify apps and plan pilot'

+description: This article describes phase 2 of planning migration of applications from AD FS to Azure Active Directory

+# Phase 2: Classify apps and plan pilot

+Classifying the migration of your apps is an important exercise. Not every app needs to be migrated and transitioned at the same time. Once you've collected information about each of the apps, you can rationalize which apps should be migrated first and which may take added time.

+## Classify in-scope apps

+One way to think about this is along the axes of business criticality, usage, and lifespan, each of which is dependent on multiple factors.

+### Business criticality

+Business criticality takes on different dimensions for each business, but the two measures that you should consider are **features and functionality** and **user profiles**. Assign apps with unique functionality a higher point value than those with redundant or obsolete functionality.

+### Usage

+Applications with **high usage numbers** should receive a higher value than apps with low usage. Assign a higher value to apps with external, executive, or security team users. For each app in your migration portfolio, complete these assessments.

+Once you've determined values for business criticality and usage, you can then determine the **application lifespan**, and create a matrix of priority. The diagram shows the matrix.

+> [!VIDEO https://www.youtube.com/embed/PxLIacDpHh4]

+>[!NOTE]

+> This video covers both phase 1 and 2 of the migration process.

+## Prioritize apps for migration

+You can choose to begin the app migration with either the lowest priority apps or the highest priority apps based on your organizationΓÇÖs needs.

+In a scenario where you may not have experience using Azure AD and Identity services, consider moving your **lowest priority apps** to Azure AD first. This minimizes your business impact, and you can build momentum. Once you've successfully moved these apps and have gained the stakeholderΓÇÖs confidence, you can continue to migrate the other apps.

+If there's no clear priority, you should consider moving the apps that are in the [Azure AD Gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps) first and support multiple identity providers because they're easier to integrate. It's likely that these apps are the **highest-priority apps** in your organization. To help integrate your SaaS applications with Azure AD, we have developed a collection of [tutorials](../saas-apps/tutorial-list.md) that walk you through configuration.

+When you have a deadline to migrate the apps, these highest priority apps bucket takes the major workload. You can eventually select the lower priority apps as they won't change the cost even though you've moved the deadline.

+In addition to this classification and depending on the urgency of your migration, you should publish a **migration schedule** within which app owners must engage to have their apps migrated. At the end of this process, you should have a list of all applications in prioritized buckets for migration.

+## Document your apps

+First, start by gathering key details about your applications. The [Application Discovery Worksheet](https://download.microsoft.com/download/2/8/3/283F995C-5169-43A0-B81D-B0ED539FB3DD/Application%20Discovery%20worksheet.xlsx) helps you to make your migration decisions quickly and get a recommendation out to your business group in no time at all.

+Information that is important to making your migration decision includes:

+- **App name** ΓÇô what is this app known as to the business?

+- **App type** ΓÇô is it a third-party SaaS app? A custom line-of-business web app? An API?

+- **Business criticality** ΓÇô is its high criticality? Low? Or somewhere in between?

+- **User access volume** ΓÇô does everyone access this app or just a few people?

+- **User access type**: who needs to access the application ΓÇô Employees, business partners, or customers or perhaps all?

+- **Planned lifespan** ΓÇô how long will this app be around? Less than six months? More than two years?

+- **Current identity provider** ΓÇô what is the primary IdP for this app? AD FS, Active Directory, or Ping Federate?

+- **Security requirements** - does the application require MFA or that users be on the corporate network to access the application?

+- **Method of authentication** ΓÇô does the app authenticate using open standards?

+- **Whether you plan to update the app code** ΓÇô is the app under planned or active development?

+- **Whether you plan to keep the app on-premises** ΓÇô do you want to keep the app in your datacenter long term?

+- **Whether the app depends on other apps or APIs** ΓÇô does the app currently call into other apps or APIs?

+- **Whether the app is in the Azure AD gallery** ΓÇô is the app currently already integrated with the [Azure AD Gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps)?

+Other data that helps you later, but that you don't need to make an immediate migration decision includes:

+- **App URL** ΓÇô where do users go to access the app?

+- **Application Logo**: If migrating an application to Azure AD that isnΓÇÖt in the Azure AD app gallery, it's recommended you provide a descriptive logo

+- **App description** ΓÇô what is a brief description of what the app does?

+- **App owner** ΓÇô who in the business is the main POC for the app?

+- **General comments or notes** ΓÇô any other general information about the app or business ownership

+Once you've classified your application and documented the details, then be sure to gain business owner buy-in to your planned migration strategy.

+## Application users

+There are two main categories of users of your apps and resources that Azure AD supports:

+- **Internal:** Employees, contractors, and vendors that have accounts within your identity provider. This might need further pivots with different rules for managers or leadership versus other employees.

+- **External:** Vendors, suppliers, distributors, or other business partners that interact with your organization in the regular course of business with [Azure AD B2B collaboration.](../external-identities/what-is-b2b.md)

+You can define groups for these users and populate these groups in diverse ways. You may choose that an administrator must manually add members into a group, or you can enable self-service group membership. Rules can be established that automatically add members into groups based on the specified criteria using [dynamic groups](../enterprise-users/groups-dynamic-membership.md).

+External users may also refer to customers. [Azure AD B2C](../../active-directory-b2c/overview.md), a separate product supports customer authentication. However, it is outside the scope of this paper.

+## Plan a pilot

+The app(s) you select for the pilot should represent the key identity and security requirements of your organization, and you must have clear buy-in from the application owners. Pilots typically run in a separate test environment.

+DonΓÇÖt forget about your external partners. Make sure that they participate in migration schedules and testing. Finally, ensure they have a way to access your helpdesk if there were breaking issues.

+## Plan for limitations

+While some apps are easy to migrate, others may take longer due to multiple servers or instances. For example, SharePoint migration may take longer due to custom sign-in pages.

+Many SaaS app vendors may not provide a self-service means to reconfigure the application and may charge for changing the SSO connection. Check with them and plan for this.

+## App owner sign-off

+Business critical and universally used applications may need a group of pilot users to test the app in the pilot stage. Once you've tested an app in the preproduction or pilot environment, ensure that app business owners sign off on performance prior to the migration of the app and all users to production use of Azure AD for authentication.

+## Plan the security posture

+Before you initiate the migration process, take time to fully consider the security posture you wish to develop for your corporate identity system. This is based on gathering these valuable sets of information: **Identities, devices, and locations that are accessing your applications and data.**

+### Identities and data

+Most organizations have specific requirements about identities and data protection that vary by industry segment and by job functions within organizations. Refer to [identity and device access configurations](/microsoft-365/enterprise/microsoft-365-policies-configurations) for our recommendations including a prescribed set of [conditional access policies](../conditional-access/overview.md) and related capabilities.

+You can use this information to protect access to all services integrated with Azure AD. These recommendations are aligned with Microsoft Secure Score and the [identity score in Azure AD](../fundamentals/identity-secure-score.md). The score helps you to:

+- Objectively measure your identity security posture

+- Plan identity security improvements

+- Review the success of your improvements

+This also helps you implement the [five steps to securing your identity infrastructure](../../security/fundamentals/steps-secure-identity.md). Use the guidance as a starting point for your organization and adjust the policies to meet your organization's specific requirements.

+### Device/location used to access data

+The device and location that a user uses to access an app are also important. Devices physically connected to your corporate network are more secure. Connections from outside the network over VPN may need scrutiny.

+With these aspects of resource, user, and device in mind, you may choose to use [Azure AD Conditional Access](../conditional-access/overview.md) capabilities. Conditional access goes beyond user permissions: it's based on a combination of factors, such as the identity of a user or group, the network that the user is connected to, the device and application they're using, and the type of data they're trying to access. The access granted to the user adapts to this broader set of conditions.

+## Exit criteria

+You're successful in this phase when you have:

+- Fully documented the apps you intend to migrate

+- Prioritized apps based on business criticality, usage volume, and lifespan

+- Selected apps that represent your requirements for a pilot

+- Business-owner buy-in to your prioritization and strategy

+- Understanding of your security posture needs and how to implement them

+## Next steps

+- [Phase 3 - Plan migration and testing](migrate-adfs-plan-migration-test.md)

+ Title: 'Phase 1: Discover and scope apps'

+description: This article describes phase 1 of planning migration of applications from AD FS to Azure Active Directory

+# Phase 1: Discover and scope apps

+Application discovery and analysis are a fundamental exercise to give you a good start. You may not know everything so be prepared to accommodate the unknown apps.

+## Find your apps

+The first decision in the migration process is which apps to migrate, which if any should remain, and which apps to deprecate. There's always an opportunity to deprecate the apps that you won't use in your organization. There are several ways to find apps in your organization. While discovering apps, ensure you include in-development and planned apps. Use Azure Active Directory (Azure AD) for authentication in all future apps.

+Discover applications using ADFS:

+- **Use Azure AD Connect Health for ADFS**: If you have an Azure AD Premium license, we recommend deploying [Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md) to analyze the app usage in your on-premises environment. You can use the [ADFS application report](./migrate-adfs-application-activity.md) to discover ADFS applications that can be migrated and evaluate the readiness of the application to be migrated.

+- If you donΓÇÖt have Azure AD Premium licenses, we recommend using the ADFS to Azure AD app migration tools based on [PowerShell](https://github.com/AzureAD/Deployment-Plans/tree/master/ADFS%20to%20AzureAD%20App%20Migration). Refer to [solution guide](./migrate-adfs-apps-to-azure.md):

+> [!VIDEO https://www.youtube.com/embed/PxLIacDpHh4]

+>[!NOTE]

+> This video covers both phase 1 and 2 of the migration process.

+

+## Using other identity providers (IdPs)

+- If youΓÇÖre currently using Okta, refer to our [Okta to Azure AD migration guide](migrate-applications-from-okta-to-azure-active-directory.md).

+- If youΓÇÖre currently using Ping Federate, then consider using the [Ping Administrative API](https://docs.pingidentity.com/r/en-us/pingfederate-112/pf_admin_api) to discover applications.

+- If the applications are integrated with Active Directory, search for service principals or service accounts that may be used for applications.

+## Using cloud discovery tools

+In the cloud environment, you need rich visibility, control over data travel, and sophisticated analytics to find and combat cyber threats across all your cloud services. You can gather your cloud app inventory using the following tools:

+- **Cloud Access Security Broker (CASB**) ΓÇô A [CASB](/cloud-app-security/) typically works alongside your firewall to provide visibility into your employeesΓÇÖ cloud application usage and helps you protect your corporate data from cybersecurity threats. The CASB report can help you determine the most used apps in your organization, and the early targets to migrate to Azure AD.

+- **Cloud Discovery** - By configuring [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps), you gain visibility into the cloud app usage, and can discover unsanctioned or Shadow IT apps.

+- **Azure Hosted Applications** - For apps connected to Azure infrastructure, you can use the APIs and tools on those systems to begin to take an inventory of hosted apps. In the Azure environment:

+ - Use the [Get-AzureWebsite](/powershell/module/servicemanagement/azure/get-azurewebsite) cmdlet to get information about Azure websites.

+ - Use the [Get-AzureRMWebApp](/powershell/module/azurerm.websites/get-azurermwebapp) cmdlet to get information about your Azure Web Apps.D

+ - Query Azure AD looking for [Applications](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#application-entity) and [Service Principals](/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#serviceprincipal-entity).

+## Manual discovery process

+Once you've taken the automated approaches described in this article, you have a good handle on your applications. However, you might consider doing the following to ensure you have good coverage across all user access areas:

+- Contact the various business owners in your organization to find the applications in use in your organization.

+- Run an HTTP inspection tool on your proxy server, or analyze proxy logs, to see where traffic is commonly routed.

+- Review weblogs from popular company portal sites to see what links users access the most.

+- Reach out to executives or other key business members to ensure that you've covered the business-critical apps.

+## Type of apps to migrate

+Once you find your apps, you identify these types of apps in your organization:

+- Apps that use modern authentication protocols such as [Security Assertion Markup Language (SAML)](../fundamentals/auth-saml.md) or [OpenID Connect (OIDC)](../fundamentals/auth-oidc.md).

+- Apps that use legacy authentication such as [Kerberos](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889) or NT LAN Manager (NTLM) that you choose to modernize.

+- Apps that use legacy authentication protocols that you choose NOT to modernize

+- New Line of Business (LoB) apps

+### Apps that use modern authentication already

+The already modernized apps are the most likely to be moved to Azure AD. These apps already use modern authentication protocols such as SAML or OIDC and can be reconfigured to authenticate with Azure AD.

+We recommend you search and add applications from the [Azure AD app gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps). If you donΓÇÖt find them in the gallery, you can still onboard a custom application.

+### Legacy apps that you choose to modernize

+For legacy apps that you want to modernize, moving to Azure AD for core authentication and authorization unlocks all the power and data-richness that the [Microsoft Graph](https://developer.microsoft.com/graph/gallery/?filterBy=Samples,SDKs) and [Intelligent Security Graph](https://www.microsoft.com/security/operations/intelligence?rtc=1) have to offer.

+We recommend updating the authentication stack code for these applications from the legacy protocol (such as Windows-Integrated Authentication, Kerberos, HTTP Headers-based authentication) to a modern protocol (such as SAML or OpenID Connect).

+### Legacy apps that you choose NOT to modernize

+For certain apps using legacy authentication protocols, sometimes modernizing their authentication isn't the right thing to do for business reasons. These include the following types of apps:

+- Apps kept on-premises for compliance or control reasons.

+- Apps connected to an on-premises identity or federation provider that you don't want to change.

+- Apps developed using on-premises authentication standards that you have no plans to move

+Azure AD can bring great benefits to these legacy apps. You can enable modern Azure AD security and governance features like [Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md), [Conditional Access](../conditional-access/overview.md), [Identity Protection](../identity-protection/index.yml), [Delegated Application Access](./access-panel-manage-self-service-access.md), and [Access Reviews](../governance/manage-user-access-with-access-reviews.md#create-and-perform-an-access-review) against these apps without touching the app at all!

+- Start by extending these apps into the cloud with [Azure AD Application Proxy](../app-proxy/application-proxy.md).

+- Or explore using on of our [Secure Hybrid Access (SHA) partner integrations](secure-hybrid-access.md) that you might have deployed already.

+### New Line of Business (LoB) apps

+You usually develop LoB apps for your organizationΓÇÖs in-house use. If you have new apps in the pipeline, we recommend using the [Microsoft Identity Platform](../develop/v2-overview.md) to implement OIDC.

+## Apps to deprecate

+Apps without clear owners and clear maintenance and monitoring present a security risk for your organization. Consider deprecating applications when:

+- Their **functionality is highly redundant** with other systems

+- There's **no business owner**

+- There's clearly **no usage**

+We recommend that you **do not deprecate high impact, business-critical applications**. In those cases, work with business owners to determine the right strategy.

+## Exit criteria

+You're successful in this phase with:

+- A good understanding of the applications in scope for migration, those that require modernization, those that should stay as-is, or those you've marked for deprecation.

+## Next steps

+- [Phase 2 - Classify apps and plan pilot](migrate-adfs-classify-apps-plan-pilot.md).

+ Title: 'Phase 4: Plan management and insights'

+description: This article describes phase 4 of planning migration of applications from AD FS to Azure Active Directory

+# Phase 4: Plan management and insights

+Once apps are migrated, you must ensure that:

+- Users can securely access and manage

+- You can gain the appropriate insights into usage and app health

+We recommend taking the following actions as appropriate to your organization.

+## Manage your usersΓÇÖ app access

+Once you've migrated the apps, consider applying the following suggestions to enrich your userΓÇÖs experience:

+- Make apps discoverable by publishing them to the [Microsoft MyApplications portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510#download-and-install-the-my-apps-secure-sign-in-extension).

+- Add [app collections](access-panel-collections.md) so users can locate application based on business function.

+- Add their own application bookmarks to the [MyApplications portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510#download-and-install-the-my-apps-secure-sign-in-extension).

+- Enable [self-service application access](manage-self-service-access.md) to an app and **let users add apps that you curate**.

+- Optionally [hide applications from end-users](./hide-application-from-user-portal.md).

+- Users can go to [Office.com](https://www.office.com) to **search for their apps and have their most-recently-used apps appear** for them right from where they do work.

+- Users can download the MyApps secure sign-in extension in Chrome, or Microsoft Edge so they can launch applications directly from their browser without having to first navigate to MyApplications.

+- Users can access the MyApps portal with Intune-managed browser on their [iOS 7.0](./hide-application-from-user-portal.md) or later or [Android](./hide-application-from-user-portal.md) devices.

+ - For **Android devices**, from the [Google play store](https://play.google.com/store/apps/details?id=com.microsoft.intune)

+ - For **Apple devices**, from the [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358) or they can download the My Apps mobile app for [iOS](https://appadvice.com/app/my-apps-azure-active-directory/824048653).

+> [!VIDEO https://www.youtube.com/embed/8aUIuOXeDxw]

+## Secure app access

+Azure AD provides a centralized access location to manage your migrated apps. Go to the [Azure portal](https://portal.azure.com/) and enable the following capabilities:

+- **Secure user access to apps.** Enable [Conditional Access policies](../conditional-access/overview.md)or [Identity Protection](../identity-protection/overview-identity-protection.md)to secure user access to applications based on device state, location, and more.

+- **Automatic provisioning.** Set up [automatic provisioning of users](../app-provisioning/user-provisioning.md) with various third-party SaaS apps that users need to access. In addition to creating user identities, it includes the maintenance and removal of user identities as status or roles change.

+- **Delegate user access** **management**. As appropriate, enable self-service application access to your apps and *assign a business approver to approve access to those apps*. Use [Self-Service Group Management](../enterprise-users/groups-self-service-management.md)for groups assigned to collections of apps.

+- **Delegate admin access.** using **Directory Role** to assign an admin role (such as Application administrator, Cloud Application administrator, or Application developer) to your user.

+- **Add applications to Access Packages** to provide governance and attestation.

+## Audit and gain insights of your apps

+You can also use the [Azure portal](https://portal.azure.com/) to audit all your apps from a centralized location,

+- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Azure AD Reporting API](../reports-monitoring/concept-reporting-api.md) to integrate into your favorite tools.

+- **View the permissions for an app** using **Enterprise Applications, Permissions** for apps using OAuth/OpenID Connect.

+- **Get sign-in insights** using **Enterprise Applications, Sign-Ins**. Access the same information from the [Azure AD Reporting API.](../reports-monitoring/concept-reporting-api.md)

+- **Visualize your appΓÇÖs usage** from the [Azure AD Power BI content pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md)

+## Exit criteria

+You're successful in this phase when you:

+- Provide secure app access to your users

+- Manage to audit and gain insights of the migrated apps

+## Do even more with deployment plans

+Deployment plans walk you through the business value, planning, implementation steps, and management of Azure AD solutions, including app migration scenarios. They bring together everything that you need to start deploying and getting value out of Azure AD capabilities. The deployment guides include content such as Microsoft recommended best practices, end-user communications, planning guides, implementation steps, test cases, and more.

+Many [deployment plans](../fundamentals/active-directory-deployment-plans.md) are available for your use, and weΓÇÖre always making more!

+## Contact support

+Visit the following support links to create or track support ticket and monitor health.

+- **Azure Support:** You can call [Microsoft Support](https://azure.microsoft.com/support) and open a ticket for any Azure Identity deployment issue depending on your Enterprise Agreement with Microsoft.

+- **FastTrack**: If you've purchased Enterprise Mobility and Security (EMS) or Azure AD Premium licenses, you're eligible to receive deployment assistance from the [FastTrack program.](/enterprise-mobility-security/solutions/enterprise-mobility-fasttrack-program)

+- **Engage the Product Engineering team:** If you're working on a major customer deployment with millions of users, you're entitled to support from the Microsoft account team or your Cloud Solutions Architect. Based on the projectΓÇÖs deployment complexity, you can work directly with the [Azure Identity Product Engineering team.](https://portal.azure.com/#blade/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/solutionProviders)

+## Next steps

+- [Migration process](migrate-adfs-apps-to-azure.md)

+ Title: 'Phase 3: Plan migration and testing'

+description: This article describes phase 3 of planning migration of applications from AD FS to Azure Active Directory

+# Phase 3: Plan migration and testing

+Once you've gained business buy-in, the next step is to start migrating these apps to Azure AD authentication.

+## Migration tools and guidance

+Use the tools and guidance provided to follow the precise steps needed to migrate your applications to Azure AD:

+- **General migration guidance** ΓÇô Use the whitepaper, tools, email templates, and applications questionnaire in the [Azure AD apps migration toolkit](./migration-resources.md) to discover, classify, and migrate your apps.

+- **SaaS applications** ΓÇô See our list of [SaaS app tutorials](../saas-apps/tutorial-list.md) and the [Azure AD SSO deployment plan](plan-sso-deployment.md) to walk through the end-to-end process.

+- **Applications running on-premises** ΓÇô Learn all [about the Azure AD Application Proxy](../app-proxy/application-proxy.md) and use the complete [Azure AD Application Proxy deployment plan](https://aka.ms/AppProxyDPDownload) to get going quickly or consider our [Secure Hybrid Access partners](secure-hybrid-access.md), which you may already own.

+- **Apps youΓÇÖre developing** ΓÇô Read our step-by-step [integration](../develop/quickstart-register-app.md) and [registration](../develop/quickstart-register-app.md) guidance.

+> [!VIDEO https://www.youtube.com/embed/PvI4Q4P_HfU]

+## Plan testing

+During the process of the migration, your app may already have a test environment used during regular deployments. You can continue to use this environment for migration testing. If a test environment isn't currently available, you may be able to set one up using Azure App Service or Azure Virtual Machines, depending on the architecture of the application.

+You may choose to set up a separate test Azure AD tenant to use as you develop your app configurations. This tenant starts in a clean state and won't be configured to sync with any system.

+Depending on how you configure your app, verify that SSO works properly.

+| Authentication type | Testing |

+| | |

+| **OAuth / OpenID Connect** | Select **Enterprise applications &gt; Permissions** and ensure you've consented to the application to be used in your organization in the user settings for your app. |

+| **SAML-based SSO** | Use the [Test SAML Settings](./debug-saml-sso-issues.md) button found under **Single Sign-On.** |

+| **Password-Based SSO** | Download and install the [MyApps Secure Sign-in Extension](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510#download-and-install-the-my-apps-secure-sign-in-extension). This extension helps you start any of your organization's cloud apps that require you to use an SSO process. |

+| **[Application Proxy](../app-proxy/application-proxy.md)** | Ensure your connector is running and assigned to your application. Visit the [Application Proxy troubleshooting guide](../app-proxy/application-proxy-troubleshoot.md) for further assistance. |

+You can test each app by logging in with a test user and make sure all functionality is the same as prior to the migration. If you determine during testing that users need to update their [MFA](../authentication/howto-mfa-userstates.md) or [SSPR](../authentication/tutorial-enable-sspr.md)settings, or you're adding this functionality during the migration, be sure to add that to your end-user communication plan. See [MFA](https://aka.ms/mfatemplates) and [SSPR](https://aka.ms/ssprtemplates) end-user communication templates.

+## Troubleshoot

+If you run into problems, check out our [apps troubleshooting guide](../app-provisioning/isv-automatic-provisioning-multi-tenant-apps.md) and [Secure Hybrid Access partner integration article](secure-hybrid-access-integrations.md) to get help. You can also check out our troubleshooting articles, see [Problems signing in to SAML-based single sign-on configured apps](/troubleshoot/azure/active-directory/troubleshoot-sign-in-saml-based-apps).

+## Plan rollback

+If the migration fails, we recommend that you leave the existing Relying Parties on the AD FS servers and remove access to the Relying Parties. This allows for a quick fallback if needed during the deployment.

+Consider the following suggestions for actions you can take to mitigate migration issues:

+- **Take screenshots** of the existing configuration of your app. You can look back if you must reconfigure the app once again.

+- You might also consider **providing links for the application to use alternative authentication options (legacy or local authentication)**, in case there are issues with cloud authentication.

+- Before you complete your migration, **do not change your existing configuration** with the existing identity provider.

+- Be aware of the **apps that support multiple IdPs** since they provide an easier rollback plan.

+- Ensure that your app experience has a **Feedback button** or pointers to your **helpdesk** issues.

+### Employee communication

+While the planned outage window itself can be minimal, you should still plan on communicating these timeframes proactively to employees while switching from AD FS to Azure AD. Ensure that your app experience has a feedback button, or pointers to your helpdesk for issues.

+Once deployment is complete, you can inform users of the successful deployment and remind them of any steps that they need to take.

+- Instruct users to use [My Apps](https://myapps.microsoft.com) to access all the migrated applications.

+- Remind users they might need to update their MFA settings.

+- If Self-Service Password Reset is deployed, users might need to update or verify their authentication methods. See [MFA](https://aka.ms/mfatemplates) and [SSPR](https://aka.ms/ssprtemplates) end-user communication templates.

+### External user communication

+This group of users is usually the most critically impacted in case of any issues. This is especially true if your security posture dictates a different set of Conditional Access rules or risk profiles for external partners. Ensure that external partners are aware of the cloud migration schedule and have a timeframe during which they're encouraged to participate in a pilot deployment that tests out all flows unique to external collaboration. Finally, ensure they have a way to access your helpdesk in case there are problems.

+## Exit criteria

+You're successful in this phase when you have:

+- Reviewed the migration tools

+- Planned your testing including test environments and groups

+- Planned rollback

+## Next steps

+- [Phase 4 - Manage and gain insights](migrate-adfs-plan-management-insights.md)

+ Title: 'Represent AD FS security policies in Azure Active Directory: Mappings and examples'

+description: Learn how to map AD FS security policies to Azure AD when migrating app authentication, including authorization and multi-factor authentication rules.

+# Represent AD FS security policies in Azure Active Directory: Mappings and examples

+In this article, you'll learn how to map authorization and multi-factor authentication rules from AD FS to Azure Active Directory (Azure AD) when moving your app authentication. Find out how to meet your app owner's security requirements while making the app migration process easier with mappings for each rule.

+When moving your app authentication to Azure AD, create mappings from existing security policies to their equivalent or alternative variants available in Azure AD. Ensuring that these mappings can be done while meeting security standards required by your app owners makes the rest of the app migration easier.

+For each rule example, we show what the rule looks like in AD FS, the AD FS rule language equivalent code, and how this maps to Azure AD.

+## Map authorization rules

+The following are examples of various types of authorization rules in AD FS, and how you map them to Azure AD.

+### Example 1: Permit access to all users

+Permit Access to All Users in AD FS:

+This maps to Azure AD in one of the following ways:

+1. Set **User assignment required** to **No**.

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/permit-access-to-all-users-2.png" alt-text="Screenshot shows how to edit access control policy for SaaS apps.":::

+ > [!Note]

+ > Setting **User assignment required** to **Yes** requires that users are assigned to the application to gain access. When set to **No**, all users have access. This switch doesn't control what users see in the **My Apps** experience.

+1. In the **Users and groups tab**, assign your application to the **All Users** automatic group. You must [enable Dynamic Groups](../enterprise-users/groups-create-rule.md) in your Azure AD tenant for the default **All Users** group to be available.

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/permit-access-to-all-users-3.png" alt-text="Screenshot shows My SaaS Apps in Azure AD.":::

+### Example 2: Allow a group explicitly

+Explicit group authorization in AD FS:

+To map this rule to Azure AD:

+1. In the [Entra portal](https://entra.microsoft.com/#home), [create a user group](../fundamentals/active-directory-groups-create-azure-portal.md) that corresponds to the group of users from AD FS.

+1. Assign app permissions to the group:

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/allow-a-group-explicitly-2.png" alt-text="Screenshot shows how to add a user assignment to the app.":::

+### Example 3: Authorize a specific user

+Explicit user authorization in AD FS:

+To map this rule to Azure AD:

+* In the [Entra portal](https://entra.microsoft.com/#home), add a user to the app through the Add Assignment tab of the app as shown below:

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/authorize-a-specific-user-2.png" alt-text="Screenshot shows My SaaS apps in Azure.":::

+## Map multi-factor authentication rules

+An on-premises deployment of [Multi-Factor Authentication (MFA)](../authentication/concept-mfa-howitworks.md) and AD FS still works after the migration because you're federated with AD FS. However, consider migrating to Azure's built-in MFA capabilities that are tied into Azure AD's Conditional Access workflows.

+The following are examples of types of MFA rules in AD FS, and how you can map them to Azure AD based on different conditions.

+MFA rule settings in AD FS:

+### Example 1: Enforce MFA based on users/groups

+The users/groups selector is a rule that allows you to enforce MFA on a per-group (Group SID) or per-user (Primary SID) basis. Apart from the users/groups assignments, all other checkboxes in the AD FS MFA configuration UI function as extra rules that are evaluated after the users/groups rule is enforced.

+Specify MFA rules for a user or a group in Azure AD:

+1. Create a [new conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json).

+1. Select **Assignments**. Add the user(s) or group(s) for which you want to enforce MFA.

+1. Configure the **Access controls** options as shown in the following screenshots:

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/mfa-users-groups.png" alt-text="Screenshot shows the Grant pane where you can grant access.":::

+### Example 2: Enforce MFA for unregistered devices

+Specify MFA rules for unregistered devices in Azure AD:

+1. Create a [new conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json).

+1. Set the **Assignments** to **All users**.

+1. Configure the **Access controls** options as shown below:

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/mfa-unregistered-devices.png" alt-text="Screenshot shows the Grant pane where you can grant access and specify other restrictions.":::

+When you set the **For multiple controls** option to **Require one of the selected controls**, it means that if any one of the conditions specified by the checkbox are met by the user, the user is granted access to your app.

+### Example 3: Enforce MFA based on location

+Specify MFA rules based on a user's location in Azure AD:

+1. Create a [new conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json).

+1. Set the **Assignments** to **All users**.

+1. [Configure named locations in Azure AD](../conditional-access/location-condition.md). Otherwise, federation from inside your corporate network is trusted.

+1. Configure the **Conditions rules** to specify the locations for which you would like to enforce MFA.

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/mfa-location-1.png" alt-text="Screenshot shows the Locations pane for Conditions rules.":::

+1. Configure the **Access controls** options as shown below:

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/mfa-location-2.png" alt-text="Screenshot shows the Locations pane to map access control policies.":::

+## Map Emit attributes as Claims rule

+Emit attributes as Claims rule in AD FS:

+To map the rule to Azure AD:

+1. In the [Entra portal](https://entra.microsoft.com/#home), select **Enterprise Applications** and then **Single sign-on** to view the SAML-based sign-on configuration:

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/map-emit-attributes-as-claims-rule-2.png" alt-text="Screenshot shows the Single sign-on page for your Enterprise Application.":::

+1. Select **Edit** (highlighted) to modify the attributes:

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/map-emit-attributes-as-claims-rule-3.png" alt-text="Screenshot shows the page to edit User Attributes and Claims.":::

+## Map built-In access control policies

+Built-in access control policies in AD FS 2016:

+ :::image type="content" source="media/migrate-adfs-represent-security-policies/map-built-in-access-control-policies-1.png" alt-text="Screenshot shows Azure AD built in access control.":::

+To implement built-in policies in Azure AD, use a [new conditional access policy](../authentication/tutorial-enable-azure-mfa.md?bc=%2fazure%2factive-directory%2fconditional-access%2fbreadcrumb%2ftoc.json&toc=%2fazure%2factive-directory%2fconditional-access%2ftoc.json) and configure the access controls, or use the custom policy designer in AD FS 2016 to configure access control policies. The Rule Editor has an exhaustive list of Permit and Except options that can help you make all kinds of permutations.

+In this table, we've listed some useful Permit and Except options and how they map to Azure AD.

+| Option | How to configure Permit option in Azure AD?| How to configure Except option in Azure AD? |

+| - | - | - |

+| From specific network| Maps to [Named Location](../conditional-access/location-condition.md) in Azure AD| Use the **Exclude** option for [trusted locations](../conditional-access/location-condition.md) |

+| From specific groups| [Set a User/Groups Assignment](assign-user-or-group-access-portal.md)| Use the **Exclude** option in Users and Groups |

+| From Devices with Specific Trust Level| Set this from the **Device State** control under Assignments -> Conditions| Use the **Exclude** option under Device State Condition and Include **All devices** |

+| With Specific Claims in the Request| This setting can't be migrated| This setting can't be migrated |

+Here's an example of how to configure the Exclude option for trusted locations in the Entra portal:

+## Transition users from AD FS to Azure AD

+### Sync AD FS groups in Azure AD

+When you map authorization rules, apps that authenticate with AD FS may use Active Directory groups for permissions. In such a case, use [Azure AD Connect](https://go.microsoft.com/fwlink/?LinkId=615771) to sync these groups with Azure AD before migrating the applications. Make sure that you verify those groups and membership before migration so that you can grant access to the same users when the application is migrated.

+For more information, see [Prerequisites for using Group attributes synchronized from Active Directory](../hybrid/how-to-connect-fed-group-claims.md).

+### Set up user self-provisioning

+Some SaaS applications support the ability to Just-in-Time (JIT) provision users when they first sign in to the application. In Azure AD, app provisioning refers to automatically creating user identities and roles in the cloud ([SaaS](https://azure.microsoft.com/overview/what-is-saas/)) applications that users need to access. Users that are migrated already have an account in the SaaS application. Any new users added after the migration need to be provisioned. Test [SaaS app provisioning](../app-provisioning/user-provisioning.md) once the application is migrated.

+### Sync external users in Azure AD

+Your existing external users can be set up in these two ways in AD FS:

+- **External users with a local account within your organization**ΓÇöYou continue to use these accounts in the same way that your internal user accounts work. These external user accounts have a principle name within your organization, although the account's email may point externally.

+As you progress with your migration, you can take advantage of the benefits that [Azure AD B2B](../external-identities/what-is-b2b.md) offers by migrating these users to use their own corporate identity when such an identity is available. This streamlines the process of signing in for those users, as they're often signed in with their own corporate sign-in. Your organization's administration is easier as well, by not having to manage accounts for external users.

+- **Federated external Identities**ΓÇöIf you're currently federating with an external organization, you have a few approaches to take:

+ - [Add Azure Active Directory B2B collaboration users in the Entra portal](../external-identities/add-users-administrator.md). You can proactively send B2B collaboration invitations from the Azure AD administrative portal to the partner organization for individual members to continue using the apps and assets they're used to.

+ - [Create a self-service B2B sign-up workflow](../external-identities/self-service-portal.md) that generates a request for individual users at your partner organization using the B2B invitation API.

+No matter how your existing external users are configured, they likely have permissions that are associated with their account, either in group membership or specific permissions. Evaluate whether these permissions need to be migrated or cleaned up.

+Accounts within your organization that represent an external user need to be disabled once the user has been migrated to an external identity. The migration process should be discussed with your business partners, as there may be an interruption in their ability to connect to your resources.

+## Next steps

+- Read [Migrating application authentication to Azure AD](https://aka.ms/migrateapps/whitepaper).

+- Set up [Conditional Access](../conditional-access/overview.md) and [MFA](../authentication/concept-mfa-howitworks.md).

+- Try a step-wise code sample:[AD FS to Azure AD application migration playbook for developers](https://aka.ms/adfsplaybook).

+ Title: 'SAML-based single sign-on: Configuration and Limitations'

+description: This article explains how to configure an application for SAML-based SSO with Azure AD, including user mapping, limitations, SAML signing certificates, token encryption, request signature verification, and custom claims providers.

+# SAML-based single sign-on: Configuration and Limitations

+In this article, you learn how to configure an application for SAML-based single sign-on (SSO) with Azure Active Directory (Azure AD). This article covers mapping users to specific application roles based on rules, and limitations to keep in mind when mapping attributes. It also covers SAML signing certificates, SAML token encryption, SAML request signature verification, and custom claims providers.

+Apps that use SAML 2.0 for authentication can be configured for [SAML-based single sign-on](what-is-single-sign-on.md) (SSO). With SAML-based SSO, you can map users to specific application roles based on rules that you define in your SAML claims.

+To configure a SaaS application for SAML-based SSO, see [Quickstart: Set up SAML-based single sign-on](add-application-portal-setup-sso.md).

+Many SaaS applications have an [application-specific tutorial](../saas-apps/tutorial-list.md) that steps you through the configuration for SAML-based SSO.

+Some apps can be migrated easily. Apps with more complex requirements, such as custom claims, may require extra configuration in Azure AD and/or [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md). For information about supported claims mappings, see [How to: Customize claims emitted in tokens for a specific app in a tenant (Preview)](../develop/active-directory-claims-mapping.md).

+Keep in mind the following limitations when mapping attributes:

+* Not all attributes that can be issued in AD FS show up in Azure AD as attributes to emit to SAML tokens, even if those attributes are synced. When you edit the attribute, the **Value** dropdown list shows you the different attributes that are available in Azure AD. Check [Azure AD Connect sync articles](../hybrid/how-to-connect-sync-whatis.md) configuration to ensure that a required attributeΓÇöfor example, **samAccountName**ΓÇöis synced to Azure AD. You can use the extension attributes to emit any claim that isn't part of the standard user schema in Azure AD.

+* In the most common scenarios, only the **NameID** claim and other common user identifier claims are required for an app. To determine if any extra claims are required, examine what claims you're issuing from AD FS.

+* Not all claims can be issued, as some claims are protected in Azure AD.

+* The ability to use encrypted SAML tokens is now in preview. See [How to: customize claims issued in the SAML token for enterprise applications](../develop/active-directory-saml-claims-customization.md).

+## Software as a service (SaaS) apps

+If your users sign in to SaaS apps such as Salesforce, ServiceNow, or Workday, and are integrated with AD FS, you're using federated sign-on for SaaS apps.

+Most SaaS applications can be configured in Azure AD. Microsoft has many preconfigured connections to SaaS apps in the [Azure AD app gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps), which makes your transition easier. SAML 2.0 applications can be integrated with Azure AD via the Azure AD app gallery or as [non-gallery applications](add-application-portal.md).

+Apps that use OAuth 2.0 or OpenID Connect can be similarly integrated with Azure AD as [app registrations](../develop/quickstart-register-app.md). Apps that use legacy protocols can use [Azure AD Application Proxy](../app-proxy/application-proxy.md) to authenticate with Azure AD.

+For any issues with onboarding your SaaS apps, you can contact the [SaaS Application Integration support alias](mailto:SaaSApplicationIntegrations@service.microsoft.com).

+## SAML signing certificates for SSO

+Signing certificates are an important part of any SSO deployment. Azure AD creates the signing certificates to establish SAML-based federated SSO to your SaaS applications. Once you add either gallery or non-gallery applications, you'll configure the added application using the federated SSO option. See [Manage certificates for federated single sign-on in Azure Active Directory](manage-certificates-for-federated-single-sign-on.md).

+## SAML token encryption

+Both AD FS and Azure AD provide token encryptionΓÇöthe ability to encrypt the SAML security assertions that go to applications. The assertions are encrypted with a public key, and decrypted by the receiving application with the matching private key. When you configure token encryption, you upload X.509 certificate files to provide the public keys.

+For information about Azure AD SAML token encryption and how to configure it, see [How to: Configure Azure AD SAML token encryption](howto-saml-token-encryption.md).

+> [!NOTE]

+> Token encryption is an Azure Active Directory (Azure AD) premium feature. To learn more about Azure AD editions, features, and pricing, see [Azure AD pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+## SAML request signature verification

+This functionality validates the signature of signed authentication requests. An App Admin enables and disables the enforcement of signed requests and uploads the public keys that should be used to do the validation. For more information, see [How to enforce signed SAML authentication requests](howto-enforce-signed-saml-authentication.md).

+## Custom claims providers (preview)

+To migrate data from legacy systems such as ADFS, or data stores such as LDAP, your apps are dependent on certain data in the tokens. You can use custom claims providers to add claims into the token. For more information, see [Custom claims provider overview](../develop/custom-claims-provider-overview.md).

+## Apps and configurations that can be moved today

+Apps that you can move easily today include SAML 2.0 apps that use the standard set of configuration elements and claims. These standard items are:

+* User Principal Name

+* Email address

+* Given name

+* Surname

+* Alternate attribute as SAML **NameID**, including the Azure AD mail attribute, mail prefix, employee ID, extension attributes 1-15, or on-premises **SamAccountName** attribute. For more information, see [Editing the NameIdentifier claim](../develop/active-directory-saml-claims-customization.md).

+* Custom claims.

+The following require more configuration steps to migrate to Azure AD:

+* Custom authorization or multi-factor authentication (MFA) rules in AD FS. You configure them using the [Azure AD Conditional Access](../conditional-access/overview.md) feature.

+* Apps with multiple Reply URL endpoints. You configure them in Azure AD using PowerShell or the Entra portal interface.

+* WS-Federation apps such as SharePoint apps that require SAML version 1.1 tokens. You can configure them manually using PowerShell. You can also add a preintegrated generic template for SharePoint and SAML 1.1 applications from the gallery. We support the SAML 2.0 protocol.

+* Complex claims issuance transforms rules. For information about supported claims mappings, see:

+ * [Claims mapping in Azure Active Directory](../develop/active-directory-claims-mapping.md).

+ * [Customizing claims issued in the SAML token for enterprise applications in Azure Active Directory](../develop/active-directory-saml-claims-customization.md).

+## Apps and configurations not supported in Azure AD today

+Apps that require certain capabilities can't be migrated today.

+### Protocol capabilities

+Apps that require the following protocol capabilities can't be migrated today:

+* Support for the WS-Trust ActAs pattern

+* SAML artifact resolution

+## Map app settings from AD FS to Azure AD

+Migration requires assessing how the application is configured on-premises, and then mapping that configuration to Azure AD. AD FS and Azure AD work similarly, so the concepts of configuring trust, sign-on and sign-out URLs, and identifiers apply in both cases. Document the AD FS configuration settings of your applications so that you can easily configure them in Azure AD.

+### Map app configuration settings

+The following table describes some of the most common mapping of settings between an AD FS Relying Party Trust to Azure AD Enterprise Application:

+* AD FSΓÇöFind the setting in the AD FS Relying Party Trust for the app. Right-click the relying party and select Properties.

+* Azure ADΓÇöThe setting is configured within [Entra portal](https://entra.microsoft.com/#home) in each application's SSO properties.

+| Configuration setting| AD FS| How to configure in Azure AD| SAML Token |

+| - | - | - | - |

+| **App sign-on URL** <p>The URL for the user to sign in to the app in a SAML flow initiated by a Service Provider (SP).| N/A| Open Basic SAML Configuration from SAML based sign-on| N/A |

+| **App reply URL** <p>The URL of the app from the perspective of the identity provider (IdP). The IdP sends the user and token here after the user has signed in to the IdP. ΓÇÄThis is also known as **SAML assertion consumer endpoint**.| Select the **Endpoints** tab| Open Basic SAML Configuration from SAML based sign-on| Destination element in the SAML token. Example value: `https://contoso.my.salesforce.com` |

+| **App sign-out URL** <p>This is the URL to which sign-out cleanup requests are sent when a user signs out from an app. The IdP sends the request to sign out the user from all other apps as well.| Select the **Endpoints** tab| Open Basic SAML Configuration from SAML based sign-on| N/A |

+| **App identifier** <p>This is the app identifier from the IdP's perspective. The sign-on URL value is often used for the identifier (but not always). ΓÇÄSometimes the app calls this the "entity ID."| Select the **Identifiers** tab|Open Basic SAML Configuration from SAML based sign-on| Maps to the **Audience** element in the SAML token. |

+| **App federation metadata** <p>This is the location of the app's federation metadata. The IdP uses it to automatically update specific configuration settings, such as endpoints or encryption certificates.| Select the **Monitoring** tab| N/A. Azure AD doesn't support consuming application federation metadata directly. You can manually import the federation metadata.| N/A |

+| **User Identifier/ Name ID** <p>Attribute that is used to uniquely indicate the user identity from Azure AD or AD FS to your app. ΓÇÄThis attribute is typically either the UPN or the email address of the user.| Claim rules. In most cases, the claim rule issues a claim with a type that ends with the **NameIdentifier**.| You can find the identifier under the header **User Attributes and Claims**. By default, the UPN is used| Maps to the **NameID** element in the SAML token. |

+| **Other claims** <p>Examples of other claim information that is commonly sent from the IdP to the app include first name, last name, email address, and group membership.| In AD FS, you can find this as other claim rules on the relying party.| You can find the identifier under the header **User Attributes & Claims**. Select **View** and edit all other user attributes.| N/A |

+### Map Identity Provider (IdP) settings

+Configure your applications to point to Azure AD versus AD FS for SSO. Here, we're focusing on SaaS apps that use the SAML protocol. However, this concept extends to custom line-of-business apps as well.

+> [!NOTE]

+> The configuration values for Azure AD follows the pattern where your Azure Tenant ID replaces {tenant-id} and the Application ID replaces {application-id}. You find this information in the [Entra portal](https://entra.microsoft.com/#home) under **Azure Active Directory > Properties**:

+* Select Directory ID to see your Tenant ID.

+* Select Application ID to see your Application ID.

+ At a high-level, map the following key SaaS apps configuration elements to Azure AD.

+| Element| Configuration Value |

+| - | - |

+| Identity provider issuer| https:\//sts.windows.net/{tenant-id}/ |

+| Identity provider sign-in URL| [https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) |

+| Identity provider sign-out URL| [https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) |

+| Federation metadata location| [https://login.windows.net/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={application-id}](https://login.windows.net/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={application-id}) |

+## Map SSO settings for SaaS apps

+SaaS apps need to know where to send authentication requests and how to validate the received tokens. The following table describes the elements to configure SSO settings in the app, and their values or locations within AD FS and Azure AD

+| Configuration setting| AD FS| How to configure in Azure AD |

+| - | - | - |

+| **IdP Sign-on URL** <p>Sign-on URL of the IdP from the app's perspective (where the user is redirected for sign-in).| The AD FS sign-on URL is the AD FS federation service name followed by "/adfs/ls/." <p>For example: `https://fs.contoso.com/adfs/ls/`| Replace {tenant-id} with your tenant ID. <p> ΓÇÄFor apps that use the SAML-P protocol: [https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) <p>ΓÇÄFor apps that use the WS-Federation protocol: [https://login.microsoftonline.com/{tenant-id}/wsfed](https://login.microsoftonline.com/{tenant-id}/wsfed) |

+| **IdP sign-out URL**<p>Sign-out URL of the IdP from the app's perspective (where the user is redirected when they choose to sign out of the app).| The sign-out URL is either the same as the sign-on URL, or the same URL with "wa=wsignout1.0" appended. For example: `https://fs.contoso.com/adfs/ls/?wa=wsignout1.0`| Replace {tenant-id} with your tenant ID.<p>For apps that use the SAML-P protocol:<p>[https://login.microsoftonline.com/{tenant-id}/saml2](https://login.microsoftonline.com/{tenant-id}/saml2) <p> ΓÇÄFor apps that use the WS-Federation protocol: [https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0](https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0) |

+| **Token signing certificate**<p>The IdP uses the private key of the certificate to sign issued tokens. It verifies that the token came from the same IdP that the app is configured to trust.| Find the AD FS token signing certificate in AD FS Management under **Certificates**.| Find it in the Entra portal in the application's **Single sign-on properties** under the header **SAML Signing Certificate**. There, you can download the certificate for upload to the app. <p>ΓÇÄIf the application has more than one certificate, you can find all certificates in the federation metadata XML file. |

+| **Identifier/ "issuer"**<p>Identifier of the IdP from the app's perspective (sometimes called the "issuer ID").<p>ΓÇÄIn the SAML token, the value appears as the Issuer element.| The identifier for AD FS is usually the federation service identifier in AD FS Management under **Service > Edit Federation Service Properties**. For example: `http://fs.contoso.com/adfs/services/trust`| Replace {tenant-id} with your tenant ID.<p>https:\//sts.windows.net/{tenant-id}/ |

+| **IdP federation metadata**<p>Location of the IdP's publicly available federation metadata. (Some apps use federation metadata as an alternative to the administrator configuring URLs, identifier, and token signing certificate individually.)| Find the AD FS federation metadata URL in AD FS Management under **Service > Endpoints > Metadata > Type: Federation Metadata**. For example: `https://fs.contoso.com/FederationMetadat). |

+## Next steps

+- [Represent AD FS security policies in Azure AD](migrate-adfs-represent-security-policies.md).

+ Title: 'Plan application migration to Azure Active Directory'

+description: This article discusses the advantages of Azure Active Directory and provides a four-phase guide for planning and executing a migration strategy with detailed planning and exit criteria.

+# Plan application migration to Azure Active Directory

+In this article, you'll learn about the benefits of Azure Active Directory (Azure AD) and how to plan for migrating your application authentication. This article gives an overview of the planning and exit criteria to help you plan your migration strategy and understand how Azure AD authentication can support your organizational goals.

+> [!VIDEO https://www.youtube.com/embed/8WmquuuuaLk]

+Today, your organization requires numerous applications for users to get work done. You likely continue to add, develop, or retire apps every day. Users access these applications from a vast range of corporate and personal devices, and locations. They open apps in many ways, including:

+- By bookmarking or adding favorites on their browsers

+- Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) via an on-premises or cloud-hosted Identity and Access Management (IAM) solutions federation solution (such as Active Directory Federation Services (ADFS), Okta, or Ping)

+- Kerberos or NTLM via Active Directory

+- Header-based authentication via Ping Access

+[Azure AD](../fundamentals/active-directory-whatis.md) offers a universal identity platform that provides your employees, partners, and customers a single identity to access the applications they want and collaborate from any platform and device.

+| **Identity Architect / Azure AD App Administrator** | Responsible for the following:<br /> - design the solution in cooperation with stakeholders<br /> - document the solution design and operational procedures for handoff to the operations team<br /> - manage the preproduction and production environments |

+Effective business engagement and communication are the keys to success. It's important to give stakeholders and end-users an avenue to get information and keep informed of schedule updates. Educate everyone about the value of the migration, what the expected timelines are, and how to plan for any temporary business disruption. Use multiple avenues such as briefing sessions, emails, one-to-one meetings, banners, and town halls.

+## Plan phases and project strategy

+| - Notification that migration is coming and explanation of resultant <br/>end-user experiences.<br />- Downtimes coming and complete communications, including what<br/> they should now do, feedback, and how to get help | - End users (and all others) |

+## Migration states communication dashboard

+## Best practices

+## Next steps

+- [Phase 1 - Discover and Scope](migrate-adfs-discover-scope-apps.md).

+- [Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning.md)

+- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning.md)

+- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning.md)

+ Title: Tutorial to migrate Okta sync provisioning to Azure AD Connect-based synchronization

+description: Migrate user provisioning from Okta to Azure Active Directory (Azure AD). See how to use Azure AD Connect server or Azure AD cloud provisioning.

+# Tutorial: Migrate Okta sync provisioning to Azure AD Connect synchronization

+In this tutorial, learn to migrate user provisioning from Okta to Azure Active Directory (Azure AD) and migrate User Sync or Universal Sync to Azure AD Connect. This capability enables provisioning into Azure AD and Office 365.

+ > [!NOTE]

+ > When migrating synchronization platforms, validate steps in this article against your environment before you remove Azure AD Connect from staging mode or enable the Azure AD cloud provisioning agent.

+## Prerequisites

+When you switch from Okta provisioning to Azure AD, there are two choices. Use an Azure AD Connect server or Azure AD cloud provisioning.

+Learn more: [Comparison between Azure AD Connect and cloud sync](../cloud-sync/what-is-cloud-sync.md#comparison-between-azure-ad-connect-and-cloud-sync).

+Azure AD cloud provisioning is the most familiar migration path for Okta customers who use Universal Sync or User Sync. The cloud provisioning agents are lightweight. You can install them on, or near, domain controllers like the Okta directory sync agents. Don't install them on the same server.

+When you synchronize users, use an Azure AD Connect server if your organization needs any of the following technologies:

+- Device synchronization: Hybrid Azure AD join or Hello for Business

+- Pass-through authentication

+- Support for more than 150,000 objects

+- Support for writeback

+ >[!NOTE]

+ >Take all prerequisites into consideration when you install Azure AD Connect or Azure AD cloud provisioning. Before you continue with installation, see [Prerequisites for Azure AD Connect](../hybrid/how-to-connect-install-prerequisites.md).

+## Confirm ImmutableID attribute synchronized by Okta

+The ImmutableID attribute ties synchronized objects to their on-premises counterparts. Okta takes the Active Directory objectGUID of an on-premises object and converts it to a Base64-encoded string. By default, it then stamps that string to the ImmutableID field in Azure AD.

+You can connect to Microsoft Graph PowerShell and examine the current ImmutableID value. If you've never used the Microsoft Graph PowerShell module, run

+`Install-Module AzureAD` in an administrative session before you run the following commands:

+```Powershell

+Import-module AzureAD

+Connect-MgGraph

+```

+If you have the module, a warning might appear to update to the latest version.

+1. Import the module after it's installed.

+2. In the authentication window, enter Global Administrator credentials.

+ 

+3. Connect to the tenant.

+4. Verify ImmutableID value settings. The following example is the default of converting the objectGUID into the ImmutableID.

+ 

+5. Manually confirm the conversion from objectGUID to Base64 on-premises. To test an individual value, use these commands:

+ ```PowerShell

+ Get-MgUser onpremupn | fl objectguid

+ $objectguid = 'your-guid-here-1010'

+ [system.convert]::ToBase64String(([GUID]$objectGUID).ToByteArray())

+ ```

+ 

+## ObjectGUID mass-validation methods

+Before you move to Azure AD Connect, it's critical to validate that the ImmutableID values in Azure AD match their on-premises values.

+The following command gets on-premises Azure AD users and exports a list of their objectGUID values and ImmutableID values already calculated to a CSV file.

+1. Run this command in Microsoft Graph PowerShell on an on-premises domain controller:

+ ```PowerShell

+ Get-MgUser -Filter * -Properties objectGUID | Select-Object

+ UserPrincipalName, Name, objectGUID, @{Name = 'ImmutableID';

+ Expression = {

+ [system.convert]::ToBase64String((GUID).tobytearray())

+ } } | export-csv C:\Temp\OnPremIDs.csv

+ ```

+ 

+1. Run this command in a Microsoft Graph PowerShell session to list the synchronized values:

+ ```powershell

+ Get-MgUser -all $true | Where-Object {$_.dirsyncenabled -like

+ "true"} | Select-Object UserPrincipalName, @{Name = 'objectGUID';

+ Expression = {

+ [GUID][System.Convert]::FromBase64String($_.ImmutableID) } },

+ ImmutableID | export-csv C:\\temp\\AzureADSyncedIDS.csv

+ ```

+ 

+3. After both exports, confirm user ImmutableID values match.

+ >[!IMPORTANT]

+ >If your ImmutableID values in the cloud don't match objectGUID values, you've modified the defaults for Okta sync. You've likely chosen another attribute to determine ImmutableID values. Before going the next section, identify which source attribute populates ImmutableID values. Before you disable Okta sync, update the attribute Okta is syncing.

+## Install Azure AD Connect in staging mode

+After you prepare your list of source and destination targets, install an Azure AD Connect server. If you use Azure AD Connect cloud provisioning, skip this section.

+1. Download and install Azure AD Connect on a server. See, [Custom installation of Azure Active Directory Connect](../hybrid/how-to-connect-install-custom.md).

+2. In the left panel, select **Identifying users**.

+3. On the **Uniquely identifying your users** page, under **Select how users should be identified with Azure AD**, select **Choose a specific attribute**.

+4. If you haven't modified the Okta default, select **mS-DS-ConsistencyGUID**.

+ >[!WARNING]

+ >This step is critical. Ensure the attribute you select for a source anchor currently populates your Azure AD users. If you select the wrong attribute, uninstall and reinstall Azure AD Connect to reselect this option.

+

+ 

+5. Select **Next**.

+6. In the left panel, select **Configure**.

+7. On the **Ready to configure** page, select **Enable staging mode**.

+8. Select **Install**.

+ 

+9. Verify the ImmutableID values match.

+10. When the configuration is complete, select **Exit**.

+11. Open **Synchronization Service** as an administrator.

+ 

+12. Find the **Full Synchronization** to the domain.onmicrosoft.com connector space.

+13. Confirm there are users under the **Connectors with Flow Updates** tab.

+ 

+14. Verify no pending deletions in the export.

+15. Select the **Connectors** tab.

+16. Highlight the domain.onmicrosoft.com connector space.

+17. Select **Search Connector Space**.

+ 

+18. In the **Search Connector Space** dialog, under **Scope**, select **Pending Export**.

+ 

+19. Select **Delete**.

+20. Select **Search**. If all objects match, no matching records appear for **Deletes**.

+21. Record objects pending deletion and their on-premises values.

+ 

+22. Clear **Delete**.

+23. Select **Add**.

+24. Select **Modify**.

+25. Select **Search**.

+26. Update functions appear for users being synchronized to Azure AD via Okta. Add new objects Okta isn't syncing, which are in the organizational unit (OU) structure selected during Azure AD Connect installation.

+ 

+27. To see what Azure AD Connect communicates with Azure AD, double-click an update.

+ > [!NOTE]

+ > If there are **add** functions for a user in Azure AD, their on-premises account doesn't match the cloud account. AD Connect creates a new object and records new and unexpected adds.

+28. Before you exit the staging mode, correct the ImmutableID value in Azure AD.

+In this example, Okta stamped the **mail** attribute to the user's account, although the on-premises value wasn't accurate. When Azure AD Connect takes over the account, the **mail** attribute is deleted from the object.

+29. Verify updates include attributes expected in Azure AD. If multiple attributes are being deleted, you can populate on-premises AD values before you remove the staging mode.

+ 

+ >[!NOTE]

+ >Before you continue, ensure user attributes are syncing and appear on the **Pending Export** tab. If they're deleted, ensure the ImmutableID values match and the user is in a selected OU for synchronization.

+## Install Azure AD cloud sync agents

+After you prepare your list of source and destination targets, install and configure Azure AD cloud sync agents. See, [Tutorial: Integrate a single forest with a single Azure AD tenant](../cloud-sync/tutorial-single-forest.md).

+ > [!NOTE]

+ > If you use an Azure AD Connect server, skip this section.

+## Disable Okta provisioning to Azure AD

+After you verify the Azure AD Connect installation, disable Okta provisioning to Azure AD.

+1. Go to the Okta portal

+2. Select **Applications**.

+3. Select the Okta app that provisions users to Azure AD.

+4. Select the **Provisioning** tab.

+5. Select the **Integration** section.

+ 

+6. Select **Edit**.

+7. Clear the **Enable API integration** option.

+8. Select **Save**.

+ 

+ >[!NOTE]

+ >If you have multiple Office 365 apps that handle provisioning to Azure AD, ensure they switched off.

+## Disable staging mode in Azure AD Connect

+After you disable Okta provisioning, the Azure AD Connect server can synchronize objects.

+ >[!NOTE]

+ >If you use Azure AD cloud sync agents, skip this section.

+1. From the desktop, run the installation wizard from the desktop.

+2. Select **Configure**.

+ 

+3. Select **Configure staging mode**

+4. Select **Next**.

+5. Enter Global Administrator credentials.

+ 

+6. Clear **Enable staging mode**.

+7. Select **Next**.

+ 

+8. Select **Configure**.

+ 

+9. After configuration, open the **Synchronization Service** as an administrator.

+10. On the domain.onmicrosoft.com connector, view the **Export**.

+11. Verify additions, updates, and deletions.

+ 

+12. Migration is complete. Rerun the installation wizard to update and expand Azure AD Connect features.

+## Enable cloud sync agents

+After you disable Okta provisioning, the Azure AD cloud sync agent can synchronize objects.

+1. Go to the [Azure portal](https://portal.azure.com/).

+2. Browse to **Azure Active Directory**.

+3. Select **Azure AD Connect**.

+4. Select **Cloud Sync**.

+5. Select **Configuration** profile

+6. Select **Enable**.

+7. Return to the provisioning menu and select **Logs**.

+8. Confirm the provisioning connector updated in-place objects. The cloud sync agents are nondestructive. Updates fail if a match isn't found.

+9. If a user is mismatched, make updates to bind the ImmutableID values.

+10. Restart the cloud provisioning sync.

+## Next steps

+- [Tutorial: Migrate your applications from Okta to Azure AD](migrate-applications-from-okta-to-azure-active-directory.md)

+- [Tutorial: Migrate Okta federation to Azure AD-managed authentication](migrate-okta-federation-to-azure-active-directory.md)

+- [Tutorial: Migrate Okta sign-on policies to Azure AD Conditional Access](migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md)

+|[Migrating your apps to Azure AD](https://aka.ms/migrateapps/whitepaper) | This article is an introduction to a series of articles that describe how to plan for migration in four clearly-outlined phases: discovery, classification, migration, and ongoing management. You're guided through how to think about the process and break down your project into easy-to-consume pieces. Throughout the series are links to important resources that help you along the way. |

+|[Developer tutorial: AD FS to Azure AD application migration playbook for developers](https://aka.ms/adfsplaybook) | This set of ASP.NET code samples and accompanying tutorials help you learn how to safely and securely migrate your applications integrated with Active Directory Federation Services (AD FS) to Azure Active Directory (Azure AD). This tutorial is focused towards developers who not only need to learn how to configure apps on both AD FS and Azure AD, but also become aware and confident of changes their code base will require in this process.|

+| [Deployment plan: Migrating from AD FS to pass-through authentication](https://aka.ms/ADFSTOPTADPDownload)|Azure AD pass-through authentication helps users sign in to both on-premises and cloud-based applications by using the same password. This feature provides your users with a better experience since they have one less password to remember. It also reduces IT help desk costs because users are less likely to forget how to sign in when they only need to remember one password. When people sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory.|

+| [Deployment plan: Extending apps to Azure AD with Application Proxy](../app-proxy/application-proxy-deployment-plan.md)| Providing access from employee laptops and other devices to on-premises applications has traditionally involved virtual private networks (VPNs) or demilitarized zones (DMZs). Not only are these solutions complex and hard to make secure, but they're costly to set up and manage. Azure AD Application Proxy makes it easier to access on-premises applications. |

+| [Other deployment plans](../fundamentals/active-directory-deployment-plans.md) | Find more deployment plans for deploying features such as Azure AD multi-factor authentication, Conditional Access, user provisioning, seamless SSO, self-service password reset, and more! |

+| [Active Directory Federation Services (AD FS) decommission guide](/windows-server/identity/ad-fs/decommission/adfs-decommission-guide) | This guide explains the prerequisites for decommissioning, including migrating user authentication and applications to Azure AD. It also provides step-by-step instructions for decommissioning the AD FS servers, including removing load balancer entries, uninstalling WAP and AD FS servers, and deleting SSL certificates and databases. |

+| [Videos - Phases of migrating apps from ADFS to Azure AD](app-management-videos.md#phases-of-migrating-apps-from-adfs-to-azure-ad) | These videos illustrate the five phases of a typical ADFS to Azure AD migration process|

+ Title: Configure cross-tenant synchronization using PowerShell or Microsoft Graph API

+description: Learn how to configure cross-tenant synchronization in Azure Active Directory using Microsoft Graph PowerShell or Microsoft Graph API.

+# Configure cross-tenant synchronization using PowerShell or Microsoft Graph API

+> [!IMPORTANT]

+> Configuring cross-tenant synchronization using Microsoft Graph PowerShell is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+This article describes the key steps to configure cross-tenant synchronization using Microsoft Graph PowerShell or Microsoft Graph API. When configured, Azure AD automatically provisions and de-provisions B2B users in your target tenant. For detailed steps using the Azure portal, see [Configure cross-tenant synchronization](cross-tenant-synchronization-configure.md).

+## Step 1: Sign in to the target tenant

+<br/>**Target tenant**

+# [PowerShell](#tab/ms-powershell)

+1. Start PowerShell.

+1. If necessary, install the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?branch=main).

+1. Get the tenant ID of the source and target tenants and initialize variables.

+ ```powershell

+ $SourceTenantId = "<SourceTenantId>"

+ $TargetTenantId = "<TargetTenantId>"

+ ```

+1. Use the [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands?branch=main#using-connect-mggraph) command to sign in to the target tenant and consent to the following required permissions.

+ ```powershell

+ Connect-MgGraph -TenantId $TargetTenantId -Scopes "Policy.Read.All","Policy.ReadWrite.CrossTenantAccess"

+ ```

+1. Use the [Select-MgProfile](/powershell/microsoftgraph/authentication-commands?branch=main#using-select-mgprofile) command to change to the beta version.

+ ```powershell

+ Select-MgProfile -Name "beta"

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+These steps describe how to use Microsoft Graph Explorer (recommended), but you can also use Postman, or another REST API client.

+1. Start [Microsoft Graph Explorer tool](https://aka.ms/ge).

+1. Select your profile and then select **Consent to permissions**.

+ :::image type="content" source="./media/cross-tenant-synchronization-configure-graph/graph-explorer-profile.png" alt-text="Screenshot of Graph Explorer profile with Consent to permissions link." lightbox="./media/cross-tenant-synchronization-configure-graph/graph-explorer-profile.png":::

+1. Consent to the following required permissions.

+1. Get the tenant ID of the source and target tenants. The example configuration described in this article uses the following tenant IDs.

+# [PowerShell](#tab/ms-powershell)

+1. In the target tenant, use the [New-MgPolicyCrossTenantAccessPolicyPartner](/powershell/module/microsoft.graph.identity.signins/new-mgpolicycrosstenantaccesspolicypartner?view=graph-powershell-beta&preserve-view=true&branch=main) command to create a new partner configuration in a cross-tenant access policy between the target tenant and the source tenant. Use the source tenant ID in the request.

+ If you get the error `New-MgPolicyCrossTenantAccessPolicyPartner_Create: Another object with the same value for property tenantId already exists`, you might already have an existing configuration. For more information, see [Symptom - New-MgPolicyCrossTenantAccessPolicyPartner_Create error](#symptomnew-mgpolicycrosstenantaccesspolicypartner_create-error).

+ ```powershell

+ $Params = @{

+ TenantId = $SourceTenantId

+ }

+ New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $Params | Format-List

+ ```

+ ```Output

+ AutomaticUserConsentSettings : Microsoft.Graph.PowerShell.Models.MicrosoftGraphInboundOutboundPolicyConfiguration

+ B2BCollaborationInbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting

+ B2BCollaborationOutbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting

+ B2BDirectConnectInbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting

+ B2BDirectConnectOutbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting

+ IdentitySynchronization : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantIdentitySyncPolicyPartner

+ InboundTrust : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyInboundTrust

+ IsServiceProvider :

+ TenantId : <SourceTenantId>

+ TenantRestrictions : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyTenantRestrictions

+ AdditionalProperties : {[@odata.context, https://graph.microsoft.com/beta/$metadata#policies/crossTenantAccessPolicy/partners/$entity],

+ [crossCloudMeetingConfiguration,

+ System.Collections.Generic.Dictionary`2[System.String,System.Object]], [protectedContentSharing,

+ System.Collections.Generic.Dictionary`2[System.String,System.Object]]}

+ ```

+1. Use the [Invoke-MgGraphRequest](/powershell/microsoftgraph/authentication-commands?branch=main#using-invoke-mggraphrequest) command to enable user synchronization in the target tenant.

+ If you get an `Request_MultipleObjectsWithSameKeyValue` error, you might already have an existing policy. For more information, see [Symptom - Request_MultipleObjectsWithSameKeyValue error](#symptomrequest_multipleobjectswithsamekeyvalue-error).

+ ```powershell

+ $Params = @{

+ userSyncInbound = @{

+ isSyncAllowed = $true

+ }

+ }

+ Invoke-MgGraphRequest -Method PUT -Uri "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/$SourceTenantId/identitySynchronization" -Body $Params

+ ```

+1. Use the [Get-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization](/powershell/module/microsoft.graph.identity.signins/get-mgpolicycrosstenantaccesspolicypartneridentitysynchronization?view=graph-powershell-beta&preserve-view=true&branch=main) command to verify `IsSyncAllowed` is set to True.

+ ```powershell

+ (Get-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization -CrossTenantAccessPolicyConfigurationPartnerTenantId $SourceTenantId).UserSyncInbound

+ ```

+

+ ```Output

+ IsSyncAllowed

+ -

+ True

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+# [PowerShell](#tab/ms-powershell)

+1. In the target tenant, use the [Update-MgPolicyCrossTenantAccessPolicyPartner](/powershell/module/microsoft.graph.identity.signins/update-mgpolicycrosstenantaccesspolicypartner?view=graph-powershell-beta&preserve-view=true&branch=main) command to automatically redeem invitations and suppress consent prompts for inbound access.

+ ```powershell

+ $AutomaticUserConsentSettings = @{

+ "InboundAllowed"="True"

+ }

+ Update-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $SourceTenantId -AutomaticUserConsentSettings $AutomaticUserConsentSettings

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+## Step 4: Sign in to the source tenant

+# [PowerShell](#tab/ms-powershell)

+1. Start an instance of PowerShell.

+1. Get the tenant ID of the source and target tenants and initialize variables.

+ ```powershell

+ $SourceTenantId = "<SourceTenantId>"

+ $TargetTenantId = "<TargetTenantId>"

+ ```

+1. Use the [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands?branch=main#using-connect-mggraph) command to sign in to the source tenant and consent to the following required permissions.

+ - `Policy.Read.All`

+ - `Policy.ReadWrite.CrossTenantAccess`

+ - `Application.ReadWrite.All`

+ - `Directory.ReadWrite.All`

+ - `AuditLog.Read.All`

+ ```powershell

+ Connect-MgGraph -TenantId $SourceTenantId -Scopes "Policy.Read.All","Policy.ReadWrite.CrossTenantAccess","Application.ReadWrite.All","Directory.ReadWrite.All","AuditLog.Read.All"

+ ```

+1. Use the [Select-MgProfile](/powershell/microsoftgraph/authentication-commands?branch=main#using-select-mgprofile) command to change to the beta version.

+ ```powershell

+ Select-MgProfile -Name "beta"

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+1. Start an instance of [Microsoft Graph Explorer tool](https://aka.ms/ge).

+1. Sign in to the source tenant.

+1. Consent to the following required permissions.

+ - `Policy.Read.All`

+ - `Policy.ReadWrite.CrossTenantAccess`

+ - `Application.ReadWrite.All`

+ - `Directory.ReadWrite.All`

+ - `AuditLog.Read.All`

+ If you see a **Need admin approval** page, you'll need to sign in with a user that has been assigned the Global Administrator role to consent.

+## Step 5: Automatically redeem invitations in the source tenant

+<br/>**Source tenant**

+# [PowerShell](#tab/ms-powershell)

+1. In the source tenant, use the [New-MgPolicyCrossTenantAccessPolicyPartner](/powershell/module/microsoft.graph.identity.signins/new-mgpolicycrosstenantaccesspolicypartner?view=graph-powershell-beta&preserve-view=true&branch=main) command to create a new partner configuration in a cross-tenant access policy between the source tenant and the target tenant. Use the target tenant ID in the request.

+ If you get the error `New-MgPolicyCrossTenantAccessPolicyPartner_Create: Another object with the same value for property tenantId already exists`, you might already have an existing configuration. For more information, see [Symptom - New-MgPolicyCrossTenantAccessPolicyPartner_Create error](#symptomnew-mgpolicycrosstenantaccesspolicypartner_create-error).

+ ```powershell

+ $Params = @{

+ TenantId = $TargetTenantId

+ }

+ New-MgPolicyCrossTenantAccessPolicyPartner -BodyParameter $Params | Format-List

+ ```

+ ```Output

+ AutomaticUserConsentSettings : Microsoft.Graph.PowerShell.Models.MicrosoftGraphInboundOutboundPolicyConfiguration

+ B2BCollaborationInbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting

+ B2BCollaborationOutbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting

+ B2BDirectConnectInbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting

+ B2BDirectConnectOutbound : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting

+ IdentitySynchronization : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantIdentitySyncPolicyPartner

+ InboundTrust : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyInboundTrust

+ IsServiceProvider :

+ TenantId : <TargetTenantId>

+ TenantRestrictions : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyTenantRestrictions

+ AdditionalProperties : {[@odata.context, https://graph.microsoft.com/beta/$metadata#policies/crossTenantAccessPolicy/partners/$entity],

+ [crossCloudMeetingConfiguration,

+ System.Collections.Generic.Dictionary`2[System.String,System.Object]], [protectedContentSharing,

+ System.Collections.Generic.Dictionary`2[System.String,System.Object]]}

+

+ ```

+1. Use the [Update-MgPolicyCrossTenantAccessPolicyPartner](/powershell/module/microsoft.graph.identity.signins/update-mgpolicycrosstenantaccesspolicypartner?view=graph-powershell-beta&preserve-view=true&branch=main) command to automatically redeem invitations and suppress consent prompts for outbound access.

+ ```powershell

+ $AutomaticUserConsentSettings = @{

+ "OutboundAllowed"="True"

+ }

+ Update-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $TargetTenantId -AutomaticUserConsentSettings $AutomaticUserConsentSettings

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+## Step 6: Create a configuration application in the source tenant

+# [PowerShell](#tab/ms-powershell)

+1. In the source tenant, use the [Invoke-MgInstantiateApplicationTemplate](/powershell/module/microsoft.graph.applications/invoke-mginstantiateapplicationtemplate?view=graph-powershell-beta&preserve-view=true&branch=main) command to add an instance of a configuration application from the Azure AD application gallery into your tenant.

+ ```powershell

+ Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId "518e5f48-1fc8-4c48-9387-9fdf28b0dfe7" -DisplayName "Fabrikam"

+ ```

+1. Use the [Get-MgServicePrincipal](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal?branch=main) command to get the service principal ID.

+ ```powershell

+ Get-MgServicePrincipal -Filter "DisplayName eq 'Fabrikam'" | Format-List

+ ```

+ ```Output

+ AccountEnabled : True

+ AddIns : {}

+ AlternativeNames : {}

+ AppDescription :

+ AppDisplayName : Fabrikam

+ AppId : <AppId>

+ AppManagementPolicies :

+ AppOwnerOrganizationId : <AppOwnerOrganizationId>

+ AppRoleAssignedTo :

+ AppRoleAssignmentRequired : True

+ AppRoleAssignments :

+ AppRoles : {<AppRolesId>}

+ ApplicationTemplateId : 518e5f48-1fc8-4c48-9387-9fdf28b0dfe7

+ ClaimsMappingPolicies :

+ CreatedObjects :

+ CustomSecurityAttributes : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCustomSecurityAttributeValue

+ DelegatedPermissionClassifications :

+ DeletedDateTime :

+ Description :

+ DisabledByMicrosoftStatus :

+ DisplayName : Fabrikam

+ Endpoints :

+ ErrorUrl :

+ FederatedIdentityCredentials :

+ HomeRealmDiscoveryPolicies :

+ Homepage : https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=aad2aadsync|ISV9.1|primary|z

+ Id : <ServicePrincipalId>

+ Info : Microsoft.Graph.PowerShell.Models.MicrosoftGraphInformationalUrl

+ KeyCredentials : {}

+ LicenseDetails :

+

+ ...

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+## Step 7: Test the connection to the target tenant

+# [PowerShell](#tab/ms-powershell)

+1. Initialize a variable with the service principal ID from the previous step.

+ Be sure to use the service principal ID instead of the application ID.

+ ```powershell

+ $ServicePrincipalId = "<ServicePrincipalId>"

+ ```

+1. In the source tenant, use the [Invoke-MgGraphRequest](/powershell/microsoftgraph/authentication-commands?branch=main#using-invoke-mggraphrequest) command to test the connection to the target tenant and validate the credentials.

+ ```powershell

+ $Params = @{

+ "useSavedCredentials" = $false

+ "templateId" = "Azure2Azure"

+ "credentials" = @(

+ @{

+ "key" = "CompanyId"

+ "value" = $TargetTenantId

+ }

+ @{

+ "key" = "AuthenticationType"

+ "value" = "SyncPolicy"

+ }

+ )

+ }

+ Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/servicePrincipals/$ServicePrincipalId/synchronization/jobs/validateCredentials" -Body $Params

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+1. In the source tenant, use the [synchronizationJob: validateCredentials](/graph/api/synchronization-synchronizationjob-validatecredentials?branch=main) API to test the connection to the target tenant and validate the credentials.

+## Step 8: Create a provisioning job in the source tenant

+# [PowerShell](#tab/ms-powershell)

+1. Determine the synchronization template to use, such as `Azure2Azure`.

+ A template has pre-configured synchronization settings.

+1. In the source tenant, use the [New-MgServicePrincipalSynchronizationJob](/powershell/module/microsoft.graph.applications/new-mgserviceprincipalsynchronizationjob?view=graph-powershell-beta&preserve-view=true&branch=main) command to create a provisioning job based on a template.

+ ```powershell

+ New-MgServicePrincipalSynchronizationJob -ServicePrincipalId $ServicePrincipalId -TemplateId "Azure2Azure" | Format-List

+ ```

+ ```Output

+ Id : <JobId>

+ Schedule : Microsoft.Graph.PowerShell.Models.MicrosoftGraphSynchronizationSchedule

+ Schema : Microsoft.Graph.PowerShell.Models.MicrosoftGraphSynchronizationSchema

+ Status : Microsoft.Graph.PowerShell.Models.MicrosoftGraphSynchronizationStatus

+ SynchronizationJobSettings : {AzureIngestionAttributeOptimization, LookaheadQueryEnabled}

+ TemplateId : Azure2Azure

+ AdditionalProperties : {[@odata.context, https://graph.microsoft.com/beta/$metadata#servicePrincipals('<ServicePrincipalId>')/synchro

+ nization/jobs/$entity]}

+ ```

+1. Initialize the job ID for a later step.

+ ```powershell

+ $JobId = "<JobId>"

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+## Step 9: Save your credentials

+# [PowerShell](#tab/ms-powershell)

+1. In the source tenant, use the [Invoke-MgGraphRequest](/powershell/microsoftgraph/authentication-commands?branch=main#using-invoke-mggraphrequest) command to save your credentials.

+ ```powershell

+ $Params = @{

+ "value" = @(

+ @{

+ "key" = "AuthenticationType"

+ "value" = "SyncPolicy"

+ }

+ @{

+ "key" = "CompanyId"

+ "value" = $TargetTenantId

+ }

+ )

+ }

+ Invoke-MgGraphRequest -Method PUT -Uri "https://graph.microsoft.com/beta/servicePrincipals/$ServicePrincipalId/synchronization/secrets" -Body $Params

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+ {

+ "key": "CompanyId",

+ "value": "{targetTenantId}"

+ },

+## Step 10: Assign a user to the configuration

+# [PowerShell](#tab/ms-powershell)

+1. In the source tenant, use the [New-MgServicePrincipalAppRoleAssignedTo](/powershell/module/microsoft.graph.applications/new-mgserviceprincipalapproleassignedto?branch=main) command to assign an internal user to the configuration.

+ ```powershell

+ $Params = @{

+ PrincipalId = "<PrincipalId>"

+ ResourceId = $ServicePrincipalId

+ AppRoleId = "<AppRoleId>"

+ }

+ New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ServicePrincipalId -BodyParameter $Params | Format-List

+ ```

+ ```Output

+ AppRoleId : <AppRoleId>

+ CreationTimestamp : 5/20/2023 8:02:19 PM

+ Id : <Id>

+ PrincipalDisplayName : User1

+ PrincipalId : <PrincipalId>

+ PrincipalType : User

+ ResourceDisplayName : Fabrikam

+ ResourceId : <ServicePrincipalId>

+ AdditionalProperties : {[@odata.context, https://graph.microsoft.com/beta/$metadata#appRoleAssignments/$entity]}

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+1. In the source tenant, use the [Grant an appRoleAssignment for a service principal](/graph/api/serviceprincipal-post-approleassignedto?branch=main) API to assign an internal user to the configuration.

+## Step 11: Test provision on demand

+# [PowerShell](#tab/ms-powershell)

+1. In the source tenant, use the [New-MgServicePrincipalSynchronizationJobOnDemand](/powershell/module/microsoft.graph.applications/new-mgserviceprincipalsynchronizationjobondemand?view=graph-powershell-beta&preserve-view=true&branch=main) command to provision a test user on demand.

+ ```powershell

+ $Params = @{

+ Parameters = @(

+ @{

+ Subjects = @(

+ @{

+ ObjectId = "<UserObjectId>"

+ ObjectTypeName = "User"

+ }

+ )

+ RuleId = "<RuleId>"

+ }

+ )

+ }

+ New-MgServicePrincipalSynchronizationJobOnDemand -ServicePrincipalId $ServicePrincipalId -SynchronizationJobId $JobId -BodyParameter $Params | Format-List

+ ```

+ ```Output

+ Key : Microsoft.Identity.Health.CPP.Common.DataContracts.SyncFabric.StatusInfo

+ Value : [{"provisioningSteps":[{"name":"EntryImport","type":"Import","status":"Success","description":"Retrieved User

+ 'user1@fabrikam.com' from Azure Active Directory","timestamp":"2023-05-20T20:10:07.3900245Z","details":{"objectId":

+ "<UserObjectId>","accountEnabled":"True","displayName":"User1","mailNickname":"user1","userPrincipalName":"use

+ ...

+ AdditionalProperties : {[@odata.context, https://graph.microsoft.com/beta/$metadata#microsoft.graph.stringKeyStringValuePair]}

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+## Step 12: Start the provisioning job

+# [PowerShell](#tab/ms-powershell)

+1. Now that the provisioning job is configured, in the source tenant, use the [Start-MgServicePrincipalSynchronizationJob](/powershell/module/microsoft.graph.applications/start-mgserviceprincipalsynchronizationjob?view=graph-powershell-beta&preserve-view=true&branch=main) command to start the provisioning job.

+ ```powershell

+ Start-MgServicePrincipalSynchronizationJob -ServicePrincipalId $ServicePrincipalId -SynchronizationJobId $JobId

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+## Step 13: Monitor provisioning

+# [PowerShell](#tab/ms-powershell)

+1. Now that the provisioning job is running, in the source tenant, use the [Get-MgServicePrincipalSynchronizationJob](/powershell/module/microsoft.graph.applications/get-mgserviceprincipalsynchronizationjob?view=graph-powershell-beta&preserve-view=true&branch=main) command to monitor the progress of the current provisioning cycle as well as statistics to date such as the number of users and groups that have been created in the target system.

+ ```powershell

+ Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $ServicePrincipalId -SynchronizationJobId $JobId | Format-List

+ ```

+ ```Output

+ Id : <JobId>

+ Schedule : Microsoft.Graph.PowerShell.Models.MicrosoftGraphSynchronizationSchedule

+ Schema : Microsoft.Graph.PowerShell.Models.MicrosoftGraphSynchronizationSchema

+ Status : Microsoft.Graph.PowerShell.Models.MicrosoftGraphSynchronizationStatus

+ SynchronizationJobSettings : {AzureIngestionAttributeOptimization, LookaheadQueryEnabled}

+ TemplateId : Azure2Azure

+ AdditionalProperties : {[@odata.context, https://graph.microsoft.com/beta/$metadata#servicePrincipals('<ServicePrincipalId>')/synchro

+ nization/jobs/$entity]}

+ ```

+1. In addition to monitoring the status of the provisioning job, use the [Get-MgAuditLogProvisioning](/powershell/module/microsoft.graph.reports/get-mgauditlogprovisioning?view=graph-powershell-beta&preserve-view=true&branch=main) command to retrieve the provisioning logs and get all the provisioning events that occur. For example, query for a particular user and determine if they were successfully provisioned.

+ ```powershell

+ Get-MgAuditLogDirectoryAudit | Select -First 10 | Format-List

+ ```

+ ```Output

+ ActivityDateTime : 5/21/2023 12:08:17 AM

+ ActivityDisplayName : Export

+ AdditionalDetails : {Details, ErrorCode, EventName, ipaddr...}

+ Category : ProvisioningManagement

+ CorrelationId : cc519f3b-fb72-4ea2-9b7b-8f9dc271c5ec

+ Id : Sync_cc519f3b-fb72-4ea2-9b7b-8f9dc271c5ec_L5BFV_161778479

+ InitiatedBy : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAuditActivityInitiator1

+ LoggedByService : Account Provisioning

+ OperationType :

+ Result : success

+ ResultReason : User 'user2@fabrikam.com' was created in Azure Active Directory (target tenant)

+ TargetResources : {<ServicePrincipalId>, }

+ UserAgent :

+ AdditionalProperties : {}

+

+ ActivityDateTime : 5/21/2023 12:08:17 AM

+ ActivityDisplayName : Export

+ AdditionalDetails : {Details, ErrorCode, EventName, ipaddr...}

+ Category : ProvisioningManagement

+ CorrelationId : cc519f3b-fb72-4ea2-9b7b-8f9dc271c5ec

+ Id : Sync_cc519f3b-fb72-4ea2-9b7b-8f9dc271c5ec_L5BFV_161778264

+ InitiatedBy : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAuditActivityInitiator1

+ LoggedByService : Account Provisioning

+ OperationType :

+ Result : success

+ ResultReason : User 'user2@fabrikam.com' was updated in Azure Active Directory (target tenant)

+ TargetResources : {<ServicePrincipalId>, }

+ UserAgent :

+ AdditionalProperties : {}

+

+ ActivityDateTime : 5/21/2023 12:08:14 AM

+ ActivityDisplayName : Synchronization rule action

+ AdditionalDetails : {Details, ErrorCode, EventName, ipaddr...}

+ Category : ProvisioningManagement

+ CorrelationId : cc519f3b-fb72-4ea2-9b7b-8f9dc271c5ec

+ Id : Sync_cc519f3b-fb72-4ea2-9b7b-8f9dc271c5ec_L5BFV_161778395

+ InitiatedBy : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAuditActivityInitiator1

+ LoggedByService : Account Provisioning

+ OperationType :

+ Result : success

+ ResultReason : User 'user2@fabrikam.com' will be created in Azure Active Directory (target tenant) (User is active and assigned

+ in Azure Active Directory, but no matching User was found in Azure Active Directory (target tenant))

+ TargetResources : {<ServicePrincipalId>, }

+ UserAgent :

+ AdditionalProperties : {}

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+1. In addition to monitoring the status of the provisioning job, use the [List provisioningObjectSummary](/graph/api/provisioningobjectsummary-list?branch=main) API to retrieve the provisioning logs and get all the provisioning events that occur. For example, query for a particular user and determine if they were successfully provisioned.

+# [PowerShell](#tab/ms-powershell)

+#### Symptom - Insufficient privileges error

+When you try to perform an action, you receive an error message similar to the following:

+```

+code: Authorization_RequestDenied

+message: Insufficient privileges to complete the operation.

+```

+**Cause**

+Either the signed-in user doesn't have sufficient privileges, or you need to consent to one of the required permissions.

+**Solution**

+1. Make sure you're assigned the required roles. See [Prerequisites](#prerequisites) earlier in this article.

+2. When you sign in with [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands?branch=main#using-connect-mggraph), make sure you specify the required scopes. See [Step 1: Sign in to the target tenant](#step-1-sign-in-to-the-target-tenant) and [Step 4: Sign in to the source tenant](#step-4-sign-in-to-the-source-tenant) earlier in this article.

+#### Symptom - New-MgPolicyCrossTenantAccessPolicyPartner_Create error

+When you try to create a new partner configuration, you receive an error message similar to the following:

+```

+New-MgPolicyCrossTenantAccessPolicyPartner_Create: Another object with the same value for property tenantId already exists.

+```

+**Cause**

+You are likely trying to create a configuration or object that already exists, possibly from a previous configuration.

+**Solution**

+1. Verify your syntax and that you are using the correct tenant ID.

+1. Use the [Get-MgPolicyCrossTenantAccessPolicyPartner](/powershell/module/microsoft.graph.identity.signins/get-mgpolicycrosstenantaccesspolicypartner?view=graph-powershell-beta&preserve-view=true&branch=main) command to list the existing object.

+1. If you have an existing object, you might need to make an update using [Update-MgPolicyCrossTenantAccessPolicyPartner](/powershell/module/microsoft.graph.identity.signins/update-mgpolicycrosstenantaccesspolicypartner?view=graph-powershell-beta&preserve-view=true&branch=main)

+#### Symptom - Request_MultipleObjectsWithSameKeyValue error

+When you try to enable user synchronization, you receive an error message similar to the following:

+```

+Invoke-MgGraphRequest: PUT https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/<SourceTenantId>/identitySynchronization

+HTTP/1.1 409 Conflict

+...

+{"error":{"code":"Request_MultipleObjectsWithSameKeyValue","message":"A conflicting object with one or more of the specified property values is present in the directory.","details":[{"code":"ConflictingObjects","message":"A conflicting object with one or more of the specified property values is present in the directory.", ... }}}

+```

+**Cause**

+You are likely trying to create a policy that already exists, possibly from a previous configuration.

+**Solution**

+1. Verify your syntax and that you are using the correct tenant ID.

+1. Use the [Get-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization](/powershell/module/microsoft.graph.identity.signins/get-mgpolicycrosstenantaccesspolicypartneridentitysynchronization?view=graph-powershell-beta&preserve-view=true&branch=main) command to list the `IsSyncAllowed` setting.

+ ```powershell

+ (Get-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization -CrossTenantAccessPolicyConfigurationPartnerTenantId $SourceTenantId).UserSyncInbound

+ ```

+1. If you have an existing policy, you might need to make an update using [Update-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization](/powershell/module/microsoft.graph.identity.signins/update-mgpolicycrosstenantaccesspolicypartneridentitysynchronization?view=graph-powershell-beta&preserve-view=true&branch=main) command to enable user synchronization.

+ ```powershell

+ $Params = @{

+ userSyncInbound = @{

+ isSyncAllowed = $true

+ }

+ }

+ Update-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization -CrossTenantAccessPolicyConfigurationPartnerTenantId $SourceTenantId -BodyParameter $Params

+ ```

+# [Microsoft Graph](#tab/ms-graph)

+2. In [Microsoft Graph Explorer tool](https://aka.ms/ge), make sure you consent to the required permissions. See [Step 1: Sign in to the target tenant](#step-1-sign-in-to-the-target-tenant) and [Step 4: Sign in to the source tenant](#step-4-sign-in-to-the-source-tenant) earlier in this article.

+1. Check the **Automatically redeem invitations with the tenant** &lt;tenant&gt; check box.

+ :::image type="content" source="../media/external-identities/inbound-consent-prompt-setting.png" alt-text="Screenshot that shows the inbound Automatic redemption check box." lightbox="../media/external-identities/inbound-consent-prompt-setting.png":::

+1. Check the **Automatically redeem invitations with the tenant** &lt;tenant&gt; check box.

+ :::image type="content" source="../media/external-identities/outbound-consent-prompt-setting.png" alt-text="Screenshot that shows the outbound Automatic redemption check box." lightbox="../media/external-identities/outbound-consent-prompt-setting.png":::

+#### Symptom - Automatic redemption check box is disabled

+When configuring cross-tenant synchronization, the **Automatic redemption** check box is disabled.

+ Title: Azure Active Directory SSO integration with Brainfuse Online Tutoring

+description: Learn how to configure single sign-on between Azure Active Directory and Brainfuse Online Tutoring.

+# Azure Active Directory SSO integration with Brainfuse Online Tutoring

+In this article, you'll learn how to integrate Brainfuse Online Tutoring with Azure Active Directory (Azure AD). This app provides single sign-on integration to Brainfuse Live Tutoring. You must be a subscriber to use the app. When you integrate Brainfuse Online Tutoring with Azure AD, you can:

+* Control in Azure AD who has access to Brainfuse Online Tutoring.

+* Enable your users to be automatically signed-in to Brainfuse Online Tutoring with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Brainfuse Online Tutoring in a test environment. Brainfuse Online Tutoring supports **SP** initiated single sign-on.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with Brainfuse Online Tutoring, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Brainfuse Online Tutoring single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Brainfuse Online Tutoring application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Brainfuse Online Tutoring from the Azure AD gallery

+Add Brainfuse Online Tutoring from the Azure AD application gallery to configure single sign-on with Brainfuse Online Tutoring. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Brainfuse Online Tutoring** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the URL:

+ `https://landing.brainfuse.com/shibboleth`

+ b. In the **Reply URL** textbox, type the URL:

+ `https://landing.brainfuse.com/Shibboleth.sso/SAML2/POST`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://landing.brainfuse.com/saml.asp?oauth_consumer_key=<ID>`

+

+ > [!NOTE]

+ > This value is not real. Update this value with the actual Sign on URL. Contact [Brainfuse Online Tutoring support team](mailto:support@brainfuse.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Brainfuse Online Tutoring application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Brainfuse Online Tutoring application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | mail | user.mail |

+ | primarysid | user.userprincipalname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, select copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure Brainfuse Online Tutoring SSO

+To configure single sign-on on **Brainfuse Online Tutoring** side, you need to send the **App Federation Metadata Url** to [Brainfuse Online Tutoring support team](mailto:support@brainfuse.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Brainfuse Online Tutoring test user

+In this section, you create a user called Britta Simon at Brainfuse Online Tutoring. Work with [Brainfuse Online Tutoring support team](mailto:support@brainfuse.com) to add the users in the Brainfuse Online Tutoring platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Brainfuse Online Tutoring Sign-on URL where you can initiate the login flow.

+* Go to Brainfuse Online Tutoring Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Brainfuse Online Tutoring tile in the My Apps, this will redirect to Brainfuse Online Tutoring Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Brainfuse Online Tutoring you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+- Confluence: 7.0.1 to 8.3.0

+- JIRA Core and Software 6.4 to 9.8.1 or JIRA Service Desk 3.0 to 4.22.1 should be installed and configured on Windows 64-bit version.

+* JIRA Core and Software: 6.4 to 9.8.1.

+* Jira Core and Software: 6.0 to 9.8.1

+* Confluence: 7.0.1 to 8.3.0.

+| | JIRA SAML SSO add-on redirects to incorrect URL from mobile browser. | 7.0.0 to 9.8.1 |

+| 6.3.9 | Bug Fixes: | Confluence Server: 7.20.3 to 8.3.0 |

+* Jira Core and Software: 6.0 to 9.8.1.

+* Confluence: 7.0.1 to 8.3.0.

+description: This article shows you how to to Azure Kubernetes Service (AKS).

+In this article, we summarize migration details for:

+>

+> * Containerizing applications through Azure Migrate

+> * AKS with standard load balancer and Virtual Machine Scale Sets

+> * Existing attached Azure services

+> * High availability and business continuity

+> [!NOTE]

+> Depending on your scenario, the following open-source tools might help with your migration:

+>

+> * [Velero](https://velero.io/) (Requires Kubernetes 1.7+)

+> * [Azure Kube CLI extension](https://github.com/yaron2/azure-kube-cli)

+## Before you begin

+* Ensure your target Kubernetes version is within the supported window for AKS. Older versions may not be within the supported range and require a version upgrade for AKS support. For more information, see [AKS supported Kubernetes versions](./supported-kubernetes-versions.md).

+* If you're migrating to a newer version of Kubernetes, review the [Kubernetes version and version skew support policy](https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions).

+* [Containerizing ASP.NET applications and migrating to AKS](../migrate/tutorial-app-containerization-aspnet-kubernetes.md).

+* [Containerizing Java web applications and migrating to AKS](../migrate/tutorial-app-containerization-java-kubernetes.md).

+## AKS with standard load balancer and Virtual Machine Scale Sets

+AKS is a managed service offering unique capabilities with lower management overhead. Since AKS is a managed service, you must select from a set of AKS-supported [regions](./quotas-skus-regions.md). You may need to modify your existing applications to keep them healthy on the AKS-managed control plane during the transition from your existing cluster to AKS.

+We recommend using AKS clusters backed by [Virtual Machine Scale Sets](../virtual-machine-scale-sets/index.yml) and the [Azure Standard Load Balancer](./load-balancer-standard.md) to ensure you get the following features:

+* [Availability zones](../reliability/availability-zones-overview.md),

+* [Cluster autoscaler](./cluster-autoscaler.md),

+* Other new features as they're released.

+AKS clusters backed by [virtual machine availability sets](../virtual-machines/availability.md#availability-sets) lack support for many of these features.

+### Create an AKS cluster with Standard Load Balancer and Virtual Machine Scale Sets

+The following example creates an AKS cluster with single node pool backed by a virtual machine (VM) scale set. It enables the cluster autoscaler on the node pool for the cluster and sets a minimum of *one* and a maximum of *three* nodes.

+1. Create a resource group using the [`az group create`][az-group-create] command.

+ ```azurecli-interactive

+ az group create --name myResourceGroup --location eastus

+ ```

+2. Create an AKS cluster using the [`az aks create`][az-aks-create] command.

+ ```azurecli-interactive

+ az aks create \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --node-count 1 \

+ --vm-set-type VirtualMachineScaleSets \

+ --load-balancer-sku standard \

+ --enable-cluster-autoscaler \

+ --min-count 1 \

+ --max-count 3

+ ```

+When migrating clusters, you may have attached external Azure services. While the following services don't require resource recreation, they require updating connections from previous to new clusters to maintain functionality.

+Since other VMs are deployed into your subscription during migration, you should verify your quotas and limits are sufficient for these resources. If necessary, request an increase in [vCPU quota](../azure-portal/supportability/per-vm-quota-requests.md).

+You may need to request an increase for [network quotas](../azure-portal/supportability/networking-quota-requests.md) to ensure you don't exhaust IPs. For more information, see [networking and IP ranges for AKS](./configure-kubenet.md).

+## High availability and business continuity

+If your application can't handle downtime, you need to follow best practices for high availability migration scenarios. Read more about [Best practices for complex business continuity planning, disaster recovery, and maximizing uptime in Azure Kubernetes Service (AKS)](./operator-best-practices-multi-region.md).

+For complex applications, you typically migrate over time rather than all at once, meaning the old and new environments might need to communicate over the network. Applications previously using `ClusterIP` services to communicate might need to be exposed as type `LoadBalancer` and secured appropriately.

+To complete the migration, you want to point clients to the new services that run on AKS. We recommend you redirect traffic by updating DNS to point to the load balancer sitting in front of your AKS cluster.

+[Azure Traffic Manager](../traffic-manager/index.yml) can direct customers to the desired Kubernetes cluster and application instance. Traffic Manager is a DNS-based traffic load balancer that can distribute network traffic across regions. For the best performance and redundancy, direct all application traffic through Traffic Manager before it goes to your AKS cluster.

+[Azure Front Door Service](../frontdoor/front-door-overview.md) is another option for routing traffic for AKS clusters. With Azure Front Door Service, you can define, manage, and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for high availability.

+Stateless application migration involves the following steps:

+2. Ensure everything works as expected.

+3. Redirect traffic to activate your new cluster.

+Unlike disks, Azure Files can be mounted to multiple hosts concurrently. In your AKS cluster, Azure and Kubernetes don't prevent you from creating a pod that your AKS cluster still uses. To prevent data loss and unexpected behavior, ensure the clusters don't simultaneously write to the same files.

+If your application can host multiple replicas that point to the same file share, follow the stateless migration steps and deploy your YAML definitions to your new cluster.

+If not, a possible migration approach involves the following steps:

+2. Point your live traffic to your new AKS cluster.

+3. Disconnect the old cluster.

+If you want to start with an empty share and make a copy of the source data, you can use the [`az storage file copy`](/cli/azure/storage/file/copy) command to migrate your data.

+If you're migrating existing persistent volumes to AKS, you generally follow these steps:

+1. Quiesce writes to the application.

+> If you choose not to quiesce writes, you need to replicate data to the new deployment. Otherwise you miss the data that was written after you took the disk snapshots.

+The following open-source tools can help you create managed disks and migrate volumes between Kubernetes clusters:

+We recommend you use your existing Continuous Integration (CI) and Continuous Delivery (CD) pipeline to deploy a known-good configuration to AKS. You can use Azure Pipelines to [build and deploy your applications to AKS](/azure/devops/pipelines/ecosystems/kubernetes/aks-template). Clone your existing deployment tasks and ensure `kubeconfig` points to the new AKS cluster.

+You may want to move your AKS cluster to a [different region supported by AKS][region-availability]. We recommend you create a new cluster in the other region and then deploy your resources and applications to your new cluster.

+If you have any services running on your AKS cluster, you need to install and configure those services on your cluster in the new region.

+>

+> * Containerizing applications through Azure Migrate

+> * AKS with standard load balancer and Virtual Machine Scale Sets

+> * Existing attached Azure services

+> * High availability and business continuity

+<!-- LINKS - internal -->

+[az-group-create]: /cli/azure/group#az_group_create

+[az-aks-create]: /cli/azure/aks#az_aks_create

+> **The feature described in this document, Azure AD Integration (legacy), will be deprecated on June 1st, 2023. At that time, no new clusters can be created with Azure AD Integration (legacy). All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from August 1st, 2023.

+ Title: Create a managed or user-assigned NAT gateway for your Azure Kubernetes Service (AKS) cluster

+# Create a managed or user-assigned NAT gateway for your Azure Kubernetes Service (AKS) cluster

+While you can route egress traffic through an Azure Load Balancer, there are limitations on the number of outbound flows of traffic you can have. Azure NAT Gateway allows up to 64,512 outbound UDP and TCP traffic flows per IP address with a maximum of 16 IP addresses.

+This article shows you how to create an Azure Kubernetes Service (AKS) cluster with a managed NAT gateway and a user-assigned NAT gateway for egress traffic. It also shows you how to disable OutboundNAT on Windows.

+* Managed NAT gateway is incompatible with custom virtual networks.

+* Create an AKS cluster with a new managed NAT gateway using the [`az aks create`][az-aks-create] command with the `--outbound-type managedNATGateway`, `--nat-gateway-managed-outbound-ip-count`, and `--nat-gateway-idle-timeout` parameters. If you want the NAT gateway to operate out of availability zones, specify the zones using `--zones`.

+ ```azurecli-interactive

+ az aks create \

+ --resource-group myResourceGroup \

+ --name myNatCluster \

+ --node-count 3 \

+ --outbound-type managedNATGateway \

+ --nat-gateway-managed-outbound-ip-count 2 \

+ --nat-gateway-idle-timeout 4

+ ```

+ > [!IMPORTANT]

+ > If no value for the outbound IP address is specified, the default value is one.

+* Update the outbound IP address or idle timeout using the [`az aks update`][az-aks-update] command with the `--nat-gateway-managed-outbound-ip-count` or `--nat-gateway-idle-timeout` parameter.

+ ```azurecli-interactive

+ az aks update \

+ --resource-group myResourceGroup \

+ --name myNatCluster\

+ --nat-gateway-managed-outbound-ip-count 5

+ ```

+This configuration requires bring-your-own networking (via [Kubenet][byo-vnet-kubenet] or [Azure CNI][byo-vnet-azure-cni]) and that the NAT gateway is preconfigured on the subnet. The following commands create the required resources for this scenario.

+1. Create a resource group using the [`az group create`][az-group-create] command.

+ --name myNatClusterId \

+3. Create a public IP for the NAT gateway using the [`az network public-ip create`][az-network-public-ip-create] command.

+4. Create the NAT gateway using the [`az network nat gateway create`][az-network-nat-gateway-create] command.

+5. Create a virtual network using the [`az network vnet create`][az-network-vnet-create] command.

+ --name myNatCluster \

+7. Create an AKS cluster using the subnet with the NAT gateway and the managed identity using the [`az aks create`][az-aks-create] command.

+ --name myNatCluster \

+> OutboundNAT can only be disabled on Windows Server 2019 node pools.

+ 1. Install or update `aks-preview` using the [`az extension add`][az-extension-add] or [`az extension update`][az-extension-update] command.

+ 2. Register the feature flag using the [`az feature register`][az-feature-register] command.

+ 3. Check the registration status using the [`az feature list`][az-feature-list] command.

+ 4. Refresh the registration of the `Microsoft.ContainerService` resource provider us

+* Your clusters must have a managed NAT gateway (which may increase the overall cost).

+* If you need to switch from a load balancer to NAT gateway, you can either add a NAT gateway into the VNet or run [`az aks upgrade`][aks-upgrade] to update the outbound type.

+* Manually disable OutboundNAT for Windows when creating new Windows agent pools using the [`az aks nodepool add`][az-aks-nodepool-add] command with the `--disable-windows-outbound-nat` flag.

+ > [!NOTE]

+ > You can use an existing AKS cluster, but you may need to update the outbound type and add a node pool to enable `--disable-windows-outbound-nat`.

+ ```azurecli

+ az aks nodepool add \

+ --resource-group myResourceGroup

+ --cluster-name myNatCluster

+ --name mynodepool

+ --node-count 3

+ --os-type Windows

+ --disable-windows-outbound-nat

+ ```

+[az-feature-register]: /cli/azure/feature#az_feature_register

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-aks-update]: /cli/azure/aks#az-aks-update

+[az-group-create]: /cli/azure/group#az_group_create

+[az-network-public-ip-create]: /cli/azure/network/public-ip#az_network_public_ip_create

+[az-network-nat-gateway-create]: /cli/azure/network/nat/gateway#az_network_nat_gateway_create

+[az-network-vnet-create]: /cli/azure/network/vnet#az_network_vnet_create

+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az_aks_nodepool_add

+ Title: Automatically repair Azure Kubernetes Service (AKS) nodes

+description: Learn about node auto-repair functionality and how AKS fixes broken worker nodes.

+Azure Kubernetes Service (AKS) continuously monitors the health state of worker nodes and performs automatic node repair if they become unhealthy. The Azure virtual machine (VM) platform [performs maintenance on VMs][vm-updates] experiencing issues. AKS and Azure VMs work together to minimize service disruptions for clusters.

+In this article, you learn how the automatic node repair functionality behaves for Windows and Linux nodes.

+AKS uses the following rules to determine if a node is unhealthy and needs repair:

+* The node reports the **NotReady** status on consecutive checks within a 10-minute time frame.

+* The node doesn't report any status within 10 minutes.

+You can manually check the health state of your nodes with the `kubectl get nodes` command.

+> [!NOTE]

+If AKS identifies an unhealthy node that remains unhealthy for *five* minutes, AKS performs the following actions:

+1. Attempts to restart the node.

+2. If the node restart is unsuccessful, AKS reimages the node.

+3. If the reimage is unsuccessful and it's a Linux node, AKS redeploys the node.

+AKS engineers investigate alternative remediations if auto-repair is unsuccessful.

+If you want the remediator to reimage the node, you can add the `nodeCondition "customerMarkedAsUnhealthy": true`.

+## Node auto-drain

+[Scheduled events][scheduled-events] can occur on the underlying VMs in any of your node pools. For [spot node pools][spot-node-pools], scheduled events may cause a *preempt* node event for the node. Certain node events, such as *preempt*, cause AKS node auto-drain to attempt a cordon and drain of the affected node. This process enables rescheduling for any affected workloads on that node. You might notice the node receives a taint with `"remediator.aks.microsoft.com/unschedulable"`, because of `"kubernetes.azure.com/scalesetpriority: spot"`.

+The following table shows the node events and actions they cause for AKS node auto-drain:

+| Freeze | The VM is scheduled to pause for a few seconds. CPU and network connectivity may be suspended, but there's no impact on memory or open files. | No action. |

+| Reboot | The VM is scheduled for reboot. The VM's non-persistent memory is lost. | No action. |

+| Redeploy | The VM is scheduled to move to another node. The VM's ephemeral disks are lost. | Cordon and drain. |

+| Terminate | The VM is scheduled for deletion.| Cordon and drain. |

+In many cases, AKS can determine if a node is unhealthy and attempt to repair the issue. However, there are cases where AKS either can't repair the issue or detect that an issue exists. For example, AKS can't detect issues in the following example scenarios:

+* A node status isn't being reported due to error in network configuration.

+* A node failed to initially register as a healthy node.

+Use [availability zones][availability-zones] to increase high availability with your AKS cluster workloads.

+- Learn more about the support policy for the [self-hosted gateway](self-hosted-gateway-support-policies.md)

+|**[Virtual network - external](#virtual-network-integration)** | Developer, Premium | Developer portal, gateway, management plane, and Git repository | Inbound and outbound traffic can be allowed to internet, peered virtual networks, Express Route, and S2S VPN connections. | External access to private and on-premises backends

+An app service always runs in an _App Service plan_. In addition, [Azure Functions](../azure-functions/dedicated-plan.md) also has the option of running in an _App Service plan_. An App Service plan defines a set of compute resources for a web app to run.

+- Region (West US, East US, and so on)

+The _pricing tier_ of an App Service plan determines what App Service features you get and how much you pay for the plan. The pricing tiers available to your App Service plan depend on the operating system selected at creation time. There are the following categories of pricing tiers:

+- **Shared compute**: **Free** and **Shared**, the two base tiers, runs an app on the same Azure VM as other App Service apps, including apps of other customers. These tiers allocate CPU quotas to each app that runs on the shared resources, and the resources cannot scale out. These tiers are intended to be used only for development and testing purposes.

+Each tier also provides a specific subset of App Service features. These features include custom domains and TLS/SSL certificates, autoscaling, deployment slots, backups, Traffic Manager integration, and more. The higher the tier, the more features are available. To find out which features are supported in each pricing tier, see [App Service plan details](https://azure.microsoft.com/pricing/details/app-service/windows/#pricing).

+## Premium V3 pricing tier

+The **PremiumV3** pricing tier guarantees machines with faster processors (minimum 195 [ACU](../virtual-machines/acu.md) per virtual CPU), SSD storage, memory-optimized options and quadruple memory-to-core ratio compared to **Standard** tier. **PremiumV3** also supports higher scale via increased instance count while still providing all the advanced capabilities found in **Standard** tier. All features available in the existing **PremiumV2** tier are included in **PremiumV3**.

+Multiple VM sizes are available for this tier including 4-to-1 and 8-to-1 memory-to-core ratios:

+

+- P0v3&nbsp;&nbsp;&nbsp;&nbsp;(1 vCPU, 4 GiB of memory)

+- P1v3&nbsp;&nbsp;&nbsp;&nbsp;(2 vCPU, 8 GiB of memory)

+- P1mv3&nbsp;(2 vCPU, 16 GiB of memory)

+- P2v3&nbsp;&nbsp;&nbsp;&nbsp;(4 vCPU, 16 GiB of memory)

+- P2mv3&nbsp;(4 vCPU, 32 GiB of memory)

+- P3v3&nbsp;&nbsp;&nbsp;&nbsp;(8 vCPU, 32 GiB of memory) 

+- P3mv3&nbsp;(8 vCPU, 64 GiB of memory)

+- P4mv3&nbsp;(16 vCPU, 128 GiB of memory)

+- P5mv3&nbsp;(32 vCPU, 256 GiB of memory)

+For **PremiumV3** pricing information, see [App Service Pricing](https://azure.microsoft.com/pricing/details/app-service/).

+To get started with the new **PremiumV3** pricing tier, see [Configure PremiumV3 tier for App Service](app-service-configure-premium-tier.md).

+When you create an app in App Service, it's part of an App Service plan. When the app runs, it runs on all the VM instances configured in the App Service plan. If multiple apps are in the same App Service plan, they all share the same VM instances. If you have multiple deployment slots for an app, all deployment slots also run on the same VM instances. If you enable diagnostic logs, perform backups, or run [WebJobs](), they also use CPU cycles and memory on these VM instances.

+For example, you can start testing your web app in a **Free** App Service plan and pay nothing. When you add your [custom DNS name](app-service-web-tutorial-custom-domain.md) to the web app, just scale your plan up to **Shared** tier. Later, when you want to [create a TLS binding](configure-ssl-bindings.md), scale your plan up to **Basic** tier. When you want to have [staging environments](deploy-staging-slots.md), scale up to **Standard** tier. When you need more cores, memory, or storage, scale up to a bigger VM size in the same tier.

+## Next steps

+1. Sign in to the Azure portal. Select the Key Vault used by your App Service Certificate. Navigate to Access policies.</li>

+2. If you do not see the two Service Principals listed you will need to add them. If they are available, verify the permissions include the recommended secret and certificate permissions.</li>

+3. Add a Service Principal by selecting "Create". Then select the needed permissions for Secret and Certificate permissions.</li>

+4. For the Principal, enter the value(s) given above in the search box. Then select the principal.</li>

+

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **App Service Certificates**, and then select the certificate.</li>

+2. Select **Rekey and Sync**, and then select **Sync**. The sync takes some time to finish.</li>

+3. When the sync completes, the following notification appears: "Successfully updated all the resources with the latest certificate."</li>

+> - Deployments before 1st May 2023: These deployments will continue to have the default domain names like <label>.cloudapp.net mapped to the application gateway's Public IP address.

+1. Set **PowerShell execution policy** to **Bypass** (if not already set by default).

+When using a request transform you must return a `RequestParameters` object that contains a `url` property at a minimum. The following are the properties that can be included in a `RequestParameters` object.

+| Option | Type | Description |

+|--||-|

+| body | string | A POST request body. |

+| credentials | `'same-origin'` \| `'include'` | Used to specify the cross-origin request (CORs) credentials setting. Use 'include' to send cookies with cross-origin requests. |

+| headers | object | The headers to be sent with the request. The object is a key value pair of string values. |

+| method | `'GET'` \| `'POST'` \| `'PUT'` | The type of request to be made. Default is `'GET'`. |

+| type | `'string'` \| `'json'` \| `'arrayBuffer'` | The format of POST response body. |

+| url | string | The url to be requested. |

+The resource types most relevant to content you add to the map are listed in the table below:

+| Resource Type | Description |

+||-|

+| Image | A request for an image for use with either a SymbolLayer or ImageLayer. |

+| Source | A request for source information, such as a TileJSON request. Some requests from the base map styles will also use this resource type when loading source information. |

+| Tile | A request from a tile layer (raster or vector). |

+| WFS | A request from a `WfsClient` in the [Spatial IO module](spatial-io-connect-wfs-service.md) to an OGC Web Feature Service. |

+| WebMapService | A request from the `OgcMapLayer` in the [Spatial IO module](spatial-io-add-ogc-map-layer.md) to a WMS or WMTS service. |

+Here are some resource types that are passed through the request transform that are related to the base map styles: StyleDefinitions, Style, SpriteImage, SpriteJSON, Glyphs, Attribution. You will normally want to ignore these and simply return the `url` value.

+> [Code samples](/samples/browse/?products=azure-maps)

+# Syslog troubleshooting guide for Azure Monitor Linux Agent

+Overview of Azure Monitor Linux Agent syslog collection and supported RFC standards:

+## Issues

+### Rsyslog data not uploaded due to full disk space issue on Azure Monitor Linux Agent

+#### Symptom

+#### Cause

+#### Confirming the issue of full disk

+### Rsyslog default configuration logs all facilities to /var/log/syslog

+#### Fix: Remove high-volume facilities from /etc/rsyslog.d/50-default.conf

+### Azure Monitor Linux Agent Event Buffer is Filling Disk

+For some device types that don't allow local installation of the Azure Monitor agent, the agent can be installed instead on a dedicated Linux-based log forwarder. The originating device must be configured to send Syslog events to the Syslog daemon on this forwarder instead of the local daemon. Please see [Sentinel tutorial](../../sentinel/forward-syslog-monitor-agent.md) for more information.

+### Create rule

+1. Select **Create**.

+1. Wait 20 minutes before moving on to the next section.

+If your VM doesn't have the Azure Monitor agent installed, the data collection rule deployment triggers the installation of the agent on the VM.

+| targetResource | The list of the Azure Resource Manager IDs that are affected targets of an alert. For a log alert defined on a Log Analytics workspace or Application Insights instance, it's the respective workspace or application. |

+

+ Title: Integrate KEDA with your Azure Kubernetes Service cluster

+description: How to integrate KEDA with your Azure Kubernetes Service cluster.

+

+# Integrate KEDA with your Azure Kubernetes Service cluster

+KEDA is a Kubernetes-based Event Driven Autoscaler. KEDA lets you drive the scaling of any container in Kubernetes based on the load to be processed, by querying metrics from systems such as Prometheus. Integrate KEDA with your Azure Kubernetes Service (AKS) cluster to scale your workloads based on Prometheus metrics from your Azure Monitor workspace.

+To integrate KEDA into your Azure Kubernetes Service, you have to deploy and configure a workload identity or pod identity on your cluster. The identity allows KEDA to authenticate with Azure and retrieve metrics for scaling from your Monitor workspace.

+This article walks you through the steps to integrate KEDA into your AKS cluster using a workload identity.

+ Note

+> [!NOTE]

+> We recommend using Azure Active Directory workload identity. This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application.

+>

+> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the deprecation notice. The AKS Managed add-on begins deprecation in Sept. 2023.

+## Prerequisites

+## Set up a workload identity

+1. Start by setting up some environment variables. Change the values to suit your AKS cluster.

+

+ ```bash

+ export RESOURCE_GROUP="rg-keda-integration"

+ export LOCATION="eastus"

+ export SUBSCRIPTION="$(az account show --query id --output tsv)"

+ export USER_ASSIGNED_IDENTITY_NAME="keda-int-identity"

+ export FEDERATED_IDENTITY_CREDENTIAL_NAME="kedaFedIdentity"

+ export SERVICE_ACCOUNT_NAMESPACE="keda"

+ export SERVICE_ACCOUNT_NAME="keda-operator"

+ ```

+ + `SERVICE_ACCOUNT_NAME` - KEDA must use the service account that was used to create federated credentials.

+ + `SERVICE_ACCOUNT_NAMESPACE` Both KEDA and service account must be in same namespace.

+ + `USER_ASSIGNED_IDENTITY_NAME` is the name of the Azure Active directory identity that's created for KEDA.

+ + `FEDERATED_IDENTITY_CREDENTIAL_NAME` is the name of the credential that's created for KEDA to use to authenticate with Azure.

+1. If your AKS cluster hasn't been created with workload-identity or oidc-issuer enabled, you'll need to enable it. If you aren't sure, you can run the following command to check if it's enabled.

+ ```azurecli

+ az aks show --resource-group $RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query oidcIssuerProfile

+ az aks show --resource-group $RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query securityProfile.workloadIdentity

+ ```

+

+ To enable workload identity and oidc-issuer, run the following command.

+

+ ```azurecli

+ az aks update -g $RESOURCE_GROUP -n $AKS_CLUSTER_NAME --enable-managed-identity --enable-oidc-issuer

+ ```

+

+1. Store the OIDC issuer url in an environment variable to be used later.

+

+ ```bash

+ export AKS_OIDC_ISSUER="$(az aks show -n $CLUSTER_NAME -g $RESOURCE_GROUP --query "oidcIssuerProfile.issuerUrl" -otsv)"

+ ```

+

+1. Create a user assigned identity for KEDA. This identity is used by KEDA to authenticate with Azure Monitor.

+

+ ```azurecli

+ az identity create --name $USER_ASSIGNED_IDENTITY_NAME --resource-group $RESOURCE_GROUP --location $LOCATION --subscription $SUBSCRIPTION

+ ```

+

+ The output will be similar to the following:

+

+ ```json

+ {

+ "clientId": "abcd1234-abcd-abcd-abcd-9876543210ab",

+ "id": "/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourcegroups/rg-keda-integration/providers/Microsoft. ManagedIdentity/userAssignedIdentities/keda-int-identity",

+ "location": "eastus",

+ "name": "keda-int-identity",

+ "principalId": "12345678-abcd-abcd-abcd-1234567890ab",

+ "resourceGroup": "rg-keda-integration",

+ "systemData": null,

+ "tags": {},

+ "tenantId": "1234abcd-9876-9876-9876-abcdef012345",

+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities"

+ }

+ ```

+1. Store the `clientId` and `tenantId` in environment variables to use later.

+ ```bash

+ export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group $RESOURCE_GROUP --name $USER_ASSIGNED_IDENTITY_NAME --query 'clientId' -otsv)"

+ export TENANT_ID="$(az identity show --resource-group $RESOURCE_GROUP --name $USER_ASSIGNED_IDENTITY_NAME --query 'tenantId' -otsv)"

+ ```

+

+1. Assign the *Monitoring Data Reader* role to the identity for your Azure Monitor workspace. This role allows the identity to read metrics from your workspace.

+

+ ```azurecli

+ az role assignment create \

+ --assignee $USER_ASSIGNED_CLIENT_ID \

+ --role "Monitoring Data Reader" \

+ --scope /subscriptions/$SUBSCRIPTION/resourceGroups/<Azure Monitor Workspace resource group>/providers/microsoft.monitor/accounts/ <Azure monitor workspace name>

+ ```

+

+

+1. Create the KEDA namespace, then create Kubernetes service account. This service account is used by KEDA to authenticate with Azure.

+

+ ```azurecli

+

+ az aks get-credentials -n $CLUSTER_NAME -g $RESOURCE_GROUP

+

+ kubectl create namespace keda

+

+ cat <<EOF | kubectl apply -f -

+ apiVersion: v1

+ kind: ServiceAccount

+ metadata:

+ annotations:

+ azure.workload.identity/client-id: $USER_ASSIGNED_CLIENT_ID

+ name: $SERVICE_ACCOUNT_NAME

+ namespace: $SERVICE_ACCOUNT_NAMESPACE

+ EOF

+ ```

+1. Check your service account by running

+ ```bash

+ kubectl describe serviceaccount workload-identity-sa -n keda

+ ```

+1. Establish a federated credential between the service account and the user assigned identity. The federated credential allows the service account to use the user assigned identity to authenticate with Azure.

+ ```azurecli

+ az identity federated-credential create --name $FEDERATED_IDENTITY_CREDENTIAL_NAME --identity-name $USER_ASSIGNED_IDENTITY_NAME --resource-group $RESOURCE_GROUP --issuer $AKS_OIDC_ISSUER --subject system:serviceaccount:$SERVICE_ACCOUNT_NAMESPACE:$SERVICE_ACCOUNT_NAME --audience api://AzureADTokenExchange

+ ```

+ > [!Note]

+ > It takes a few seconds for the federated identity credential to be propagated after being initially added. If a token request is made immediately after adding the federated identity credential, it might lead to failure for a couple of minutes as the cache is populated in the directory with old data. To avoid this issue, you can add a slight delay after adding the federated identity credential.

+## Deploy KEDA

+KEDA can be deployed using YAML manifests, Helm charts, or Operator Hub. This article uses Helm charts. For more information on deploying KEDA, see [Deploying KEDA](https://keda.sh/docs/2.10/deploy/)

+Deploy KEDA using the following command.

+```bash

+helm install keda kedacore/keda --namespace keda \

+--set podIdentity.azureWorkload.enabled=true \

+--set podIdentity.azureWorkload.clientId=$USER_ASSIGNED_CLIENT_ID \

+--set podIdentity.azureWorkload.tenantId=$TENANT_ID

+```

+

+Check your deployment by running the following command.

+```bash

+kubectl get pods -n keda

+```

+The output will be similar to the following:

+```bash

+NAME READY STATUS RESTARTS AGE

+keda-admission-webhooks-ffcb8f688-kqlxp 1/1 Running 0 4m

+keda-operator-5d9f7d975-mgv7r 1/1 Running 1 (4m ago) 4m

+keda-operator-metrics-apiserver-7dc6f59678-745nz 1/1 Running 0 4m

+```

+## Scalers

+Scalers define how and when KEDA should scale a deployment. KEDA supports a variety of scalers. For more information on scalers, see [Scalers](https://keda.sh/docs/2.10/scalers/prometheus/). Azure Managed Prometheus utilizes already existing Prometheus scaler to retrieve Prometheus metrics from Azure Monitor Workspace. The following yaml file is an example to use Azure Managed Prometheus.

+```yml

+apiVersion: keda.sh/v1alpha1

+kind: TriggerAuthentication

+metadata:

+ name: azure-managed-prometheus-trigger-auth

+spec:

+ podIdentity:

+ provider: azure-workload | azure # use "azure" for pod identity and "azure-workload" for workload identity

+ identityId: <identity-id> # Optional. Default: Identity linked with the label set when installing KEDA.

+apiVersion: keda.sh/v1alpha1

+kind: ScaledObject

+metadata:

+ name: azure-managed-prometheus-scaler

+spec:

+ scaleTargetRef:

+ name: deployment-name-to-be-scaled

+ minReplicaCount: 1

+ maxReplicaCount: 20

+ triggers:

+ - type: prometheus

+ metadata:

+ serverAddress: https://test-azure-monitor-workspace-name-1234.eastus.prometheus.monitor.azure.com

+ metricName: http_requests_total

+ query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) # Note: query must return a vector/scalar single element response

+ threshold: '100.50'

+ activationThreshold: '5.5'

+ authenticationRef:

+ name: azure-managed-prometheus-trigger-auth

+```

+## Troubleshooting

+The following section provides troubleshooting tips for common issues.

+### Federated credentials

+Federated credentials can take up to 10 minutes to propagate. If you're having issues with KEDA authenticating with Azure, try the following steps.

+The following log excerpt shows an error with the federated credentials.

+```

+kubectl logs -n keda keda-operator-5d9f7d975-mgv7r

+{

+ \"error\": \"unauthorized_client\",\n \"error_description\": \"AADSTS70021: No matching federated identity record found for presented assertion.

+Assertion Issuer: 'https://eastus.oic.prod-aks.azure.com/abcdef01-2345-6789-0abc-def012345678/12345678-abcd-abcd-abcd-1234567890ab/'.

+Assertion Subject: 'system:serviceaccount:keda:keda-operator'.

+Assertion Audience: 'api://AzureADTokenExchange'. https://docs.microsoft.com/azure/active-directory/develop/workload-identity-federation

+Trace ID: 12dd9ea0-3a65-408f-a41f-5d0403a25100\\r\\nCorrelation ID: 8a2dce68-17f1-4f11-bed2-4bcf9577f2af\\r\\nTimestamp: 2023-05-30 11:11:53Z\",

+\"error_codes\": [\n 70021\n ],\n \"timestamp\": \"2023-05-30 11:11:53Z\",

+\"trace_id\": \"12345678-3a65-408f-a41f-5d0403a25100\",

+\"correlation_id\": \"12345678-17f1-4f11-bed2-4bcf9577f2af\",

+\"error_uri\": \"https://login.microsoftonline.com/error?code=70021\"\n}

+\n--\n"}

+```

+Check the values used to create the ServiceAccount and the credentials created with `az identity federated-credential create` and ensure the `subject` value matches the `system:serviceaccount` value.

+### Azure Monitor workspace permissions

+If you're having issues with KEDA authenticating with Azure, check the permissions for the Azure Monitor workspace.

+The following log excerpt shows that the identity doesn't have read permissions for the Azure Monitor workspace.

+```

+kubectl logs -n keda keda-operator-5d9f7d975-mgv7r

+2023-05-30T11:15:45Z ERROR scale_handler error getting metric for scaler

+{"scaledObject.Namespace": "default", "scaledObject.Name": "azure-managed-prometheus-scaler", "scaler": "prometheusScaler",

+"error": "prometheus query api returned error. status: 403 response: {\"status\":\"error\",

+\"errorType\":\"Forbidden\",\"error\":\"User \\u0027abc123ab-1234-1234-abcd-abcdef123456

+\\u0027 does not have access to perform any of the following actions

+\\u0027microsoft.monitor/accounts/data/metrics/read, microsoft.monitor/accounts/data/metrics/read

+\\u0027 on resource \\u0027/subscriptions/abcdef01-2345-6789-0abc-def012345678/resourcegroups/rg-azmon-ws-01/providers/microsoft.monitor/accounts/azmon-ws-01\\u0027. RequestId: 123456c427f348258f3e5aeeefef834a\"}"}

+```

+Ensure the identity has the `Monitoring Data Reader` role on the Azure Monitor workspace.

+- Syslog

+Microsoft and New Relic have teamed up to provide the [Azure Native New Relic Service](https://azuremarketplace.microsoft.com/marketplace/apps/newrelicinc1635200720692.newrelic_liftr_payg?tab=Overview), where the New Relic observability platform is hosted on Azure. You can subscribe to the New Relic service to collect, alert on, and analyze telemetry data for your applications and infrastructure, and with this offering, your telemetry data will be stored in Azure. In addition, you can allocate your multi-year committed Azure spend towards the New Relic service.

+Overview of the Azure Native New Relic Service:

+**Built on Azure**

+- The New Relic platform is hosted on Microsoft Azure.

+- Your telemetry data remains in Azure.

+**Rapid Onboarding**

+- Onboard with New Relic easily with the natively-integrated service built on Azure.

+- Automatically monitor Azure subscription activity and resource logs.

+- Automatically monitor Azure metrics.

+- Use a single experience to deploy and manage the New Relic agents on virtual machines and app services.

+- Deploy the New Relic infrastructure agent via Site Extensions.

+- Deploy .NET and Java language agents via App Service Extensions.

+- Manage Azure services observability in the Azure Portal.

+**Marketplace Advantages**

+- Get a single bill for all the resources that you consume on Azure, including New Relic.

+- Retire Microsoft Azure Consumption Commitment (MACC) spend.

+- Set up a free account or purchase New Relic through the Azure Marketplace.

+**Next steps**

+Learn more about [how to monitor Azure](https://newrelic.com/solutions/partners/azure) using the New Relic platform, the [New Relic Azure Monitor integration](https://docs.newrelic.com/docs/infrastructure/microsoft-azure-integrations/azure-integrations-list/azure-monitor/), and the [Azure Native New Relic Service](https://docs.newrelic.com/docs/infrastructure/microsoft-azure-integrations/get-started/azure-native/).

+### Backup or restore job is displayed as *in progress* in Azure for many days but is not visible in the console

+If a MARS Agent backup or restore job crashes during execution, it is marked as failed in the MARS console, but the status might not get propagated to Azure. Hence, the job might be displayed as "in progress" in the Azure Portal even when it is not running. This stale job entry will be removed from the Azure Portal automatically after 30 days.

+- If you need to restore a backup, see [restore files to a Windows machine](backup-azure-restore-windows-server.md).

+* [Learn more about Azure network security](../networking/security/index.yml)

+ "sku": "20.04-lts"

+ "nodeAgentSKUId": "batch.node.ubuntu 20.04"

+> [!Important]

+> This document references a release version of Linux that is nearing or at, End of Life(EOL). Please consider updating to a more current version.

+This article lists current metros containing point-of-presence (POP) locations, sorted by region, for Azure Content Delivery Network (CDN) products. Each metro may contain more than one POP. For example, Azure CDN from Microsoft has 192 POPs across 109 metro cities.

+> [!NOTE]

+> A location may contain more than one POP, noted by the number in parentheses.

+Get started with the Content Safety Studio, REST API, or client SDKs to do basic text moderation. The Content Safety service provides you with AI algorithms for flagging objectionable content. Follow these steps to try it out.

+| Calling | [npm](https://www.npmjs.com/package/@azure/communication-calling) | [NuGet](https://www.nuget.org/packages/Azure.Communication.Calling.WindowsClient) | - | - | [GitHub](https://github.com/Azure/azure-sdk-for-ios/releases) ([docs](/objectivec/communication-services/calling/)) | [Maven](https://search.maven.org/artifact/com.azure.android/azure-communication-calling/) | - |

+1. The Share Screen capability can be achieved using Raw Media, if you want to learn, **how to add Raw Media**, visit [the quickstart guide](../../quickstarts/voice-video-calling/get-started-raw-media-access.md).

+If you have already created users and have added them as participants in the room following the "Set up room participants" section in [this page](./get-started-rooms.md), then you can directly use those users to join the room.

+Otherwise, you'll need to create a User Access Token for each call participant. [Learn how to create and manage user access tokens](../identity/access-tokens.md). You can also use the Azure CLI and run the command below with your connection string to create a user and an access token. After the users have been created, you'll need to add them to the room as participants before they can join the room.

+## Next steps

+ Title: Quickstart - Add video calling to your app

+description: In this tutorial, you learn how to enable inline image interoperability with the Azure Communication Chat SDK.

+## Add inline image support

+Inline images are images that are copied and pasted directly into the send box of the Teams client. For images that were uploaded via the "Upload from this device" menu or via drag-and-drop, such as images dragged directly to the send box in Teams, you need to refer to [this tutorial](./meeting-interop-features-file-attachment.md) to enable it as the part of the file sharing feature. (See the section "Handling Image Attachment.") To copy an image, the Teams user can either use their operating system's context menu to copy the image file and then paste it into the send box of their Teams client or use keyboard shortcuts.

+The Chat SDK for JavaScript provides `previewUrl` and `url` for each inline image. Note that some GIF images fetched from `previewUrl` might not be animated, and a static preview image may be returned instead. Developers are expected to use the `url` if the intention is to fetch animated images only.

+ The `ORDER BY` clause requires that the indexing policy include an index for the fields being sorted. The Azure Cosmos DB query runtime supports sorting against a property name or [computed properties](./computed-properties.md). Azure Cosmos DB supports multiple `ORDER BY` properties. In order to run a query with multiple ORDER BY properties, you should define a [composite index](../../index-policy.md#composite-indexes) on the fields being sorted.

+ >[!NOTE]

+ > This example uses System-assigned managed identity. If you are using Run As account (service principal) or User-assigned managed identity, refer to [Azure Automation Sample scripts](../automation/migrate-run-as-accounts-managed-identity.md?tabs=ua-managed-identity#sample-scripts) for login part.

+ >

+ > Enable appropriate RBAC permissions for the managed identity of this Automation account. Refer to [Roles and permissions for Azure Data Factory](concepts-roles-permissions.md).

+ $ErrorActionPreference = "Stop"

+

+ Connect-AzAccount -Identity

+ Write-Error -Message $_.Exception

+ throw $_.Exception

+ When you check the self-hosted IR event log after going to **Windows** > **Event viewer (logs)** > **Applications and Services Logs** > **Integration Runtime**, you'll find the following error message.

+ - Install [Visual Studio Community Edition](https://visualstudio.microsoft.com/vs/community/). You'll have a \Windows Kits\10 folder under the Program Files folder--for example, C:\Program Files (x86)\Windows Kits\10\. You'll also find the Windows 10 SDK version under \Windows Kits\10\Lib. If you donΓÇÖt see these folders, reinstall Visual Studio and be sure to select the Windows 10 SDK during the installation. If you've this installed with Visual Studio, the U-SQL local compiler will find it automatically.

+* [Learn more about Azure network security](../networking/security/index.yml)

+## Deprecated Defender for Servers alerts

+The following tables include the Defender for Servers security alerts [which have been deprecated in April, 2023 due to an improvment proccess](release-notes.md#deprecation-and-improvement-of-selected-alerts-for-windows-and-linux-servers).

+### Deprecated Linux alerts

+### Deprecated Windows alerts

+- **Query vulnerability information via sub-assessment API** - You can get scan results via REST API. See the [sub-assessment list](/rest/api/defenderforcloud/sub-assessments/get?tabs=HTTP).

+- **Support for exemptions** - Learn how to [create exemption rules for a management group, resource group, or subscription](how-to-enable-agentless-containers.md#support-for-exemptions).

+## Support for exemptions

+You can customize your vulnerability assessment experience by exempting management groups, subscriptions, or specific resources from your secure score. Learn how to [create an exemption](exempt-resource.md) for a resource or subscription.

+You can also view the [full list of alerts](alerts-reference.md#deprecated-defender-for-servers-alerts) that are set to be deprecated.

+- Supports Threat Intel *alert mode* only

+- Fixed scale unit to run the service on two virtual machine backend instances

+- Recommended for environments with an estimated throughput of 250 Mbps

+To learn more about Azure Firewall Basic, see [Azure Firewall Basic features](basic-features.md).

+To compare the all Firewall SKU features, see [Choose the right Azure Firewall SKU to meet your needs](choose-firewall-sku.md).

+ Title: 'Azure Front Door POP locations by region'

+description: This article lists Azure Front Door POP locations, sorted by regions.

+# Azure Front Door POP locations by metro

+This article lists current metro cities with Azure Front Door point-of-presence (POP), sorted by regions. Each metro may contain more than one POP. Currently, Azure Front Door has 192 edge locations across 109 metro cities. Azure Front Door also has 4 edge locations across 4 Azure US Government cloud regions.

+## Microsoft POP locations

+> [!NOTE]

+> A location may contain more than one POP, noted by the number in parentheses.

+ Title: Architectural concepts in Azure IoT Central

+description: This article introduces key IoT Central architectural concepts such as device management, security, integration, and extensibility.

+ Title: Device authentication in Azure IoT Central

+description: This article introduces key IoT Central device authentication concepts such as enrollment groups, shared access signatures, and X.509 certificates.

+ Title: What are device templates in Azure IoT Central

+description: Device templates let you specify the behavior of the devices connected to your application. They also define a UI for the device in IoT Central.

+ Title: Move from IoT Central to a PaaS solution

+description: This article discusses to move between application platform as a service (aPaaS) and platform as a service (PaaS) Azure IoT solution approaches.

+ Title: How to extend IoT Central

+description: How to use data exports, rules, or the REST API to extend IoT Central if it's missing something you need.

+ Title: Industrial IoT patterns with Azure IoT Central

+ Title: Azure IoT Edge and Azure IoT Central

+description: Understand how to use Azure IoT Edge with an IoT Central application including the different gateway patterns and IoT Edge management capabilities.

+ Title: Azure IoT Central quotas and limits

+description: This article lists the key quotas and limits that apply to an IoT Central application including those from the underlying DPS and IoT Hub services.

+ Title: Change Azure IoT Central application settings

+description: How to authenticate and authorize IoT Central REST API calls by using bearer tokens or or an IoT Central API token.

+ Title: Deploy the Azure IoT Central device bridge

+description: Deploy the IoT Central device bridge to connect other IoT clouds such as Sigfox, Particle Device Cloud, and The Things Network to your application.

+ Title: Upload files from devices to Azure storage

+description: How to configure, implement, and manage file uploads from your devices to your IoT Central application.

+ Title: Use workflows to integrate Azure IoT Central

+description: How to configure rules and actions that integrate your IoT Central application with other cloud services by using Power Automate or Azure Logic Apps.

+ Title: Configure rules and actions in Azure IoT Central

+ Title: Connect a Rigado Cascade 500 in Azure IoT Central

+description: Learn how to configure and connect a Rigado Cascade 500 gateway device to your IoT Central application.

+ Title: Connect a RuuviTag in Azure IoT Central

+description: Learn how to configure and connect a RuuviTag environment sensor device to your IoT Central application.

+description: How to use the IoT Central REST API to control devices in an application by using properties and commands.

+ Title: Analyze device data in your Azure IoT Central application

+description: Analyze device data in your Azure IoT Central application by using device groups and the built-in data explorer.

+ Title: Manage Azure IoT Central applications from the CSP portal

+description: As a CSP, learn how to create and manage an Azure IoT Central application on behalf of your customer.

+ Title: Extend Azure IoT Central with custom analytics

+ Title: Extend Azure IoT Central by using custom rules

+description: Configure an IoT Central application to send notifications when a device stops sending telemetry by using Azure Stream Analytics, Azure Functions, and SendGrid.

+ Title: Create an IoT Central application

+description: How to create an IoT Central application by using the Azure IoT Central site, the Azure portal, or a command-line environment.

+ Title: Manage IoT Central organizations

+description: How to create and manage an organization hierarchy to create multi-tenanted IoT Central applications.

+ Title: Customize the Azure IoT Central UI

+ Title: Edit device templates in your Azure IoT Central application

+description: Iteratively update your device templates without impacting your live connected devices by using versioned device templates.

+ Title: Integrate Azure IoT Central with CI/CD

+description: Describes how to integrate IoT Central into a pipeline created with Azure Pipelines to enable continuous integration and continuous delivery.

+# Integrate IoT Central with Azure Pipelines for continuous integration and continuous delivery

+description: How to use the IoT Central REST API to create, update, delete, and manage dashboards in an application

+ Title: Create and manage Azure IoT Central dashboards

+description: Learn how to create and manage application and personal dashboards in Azure IoT Central. Customize dashboards by using tiles.

+description: How to use the IoT Central REST API to manage data export in an application. Export data to desinations such as blob storage, event hubs, and service bus.

+ Title: Azure IoT Central deployment manifests and the REST API

+ Title: Manage Azure IoT Edge deployment manifests

+ Title: Add device templates in Azure IoT Central with the REST API

+description: How to use the IoT Central REST API to add, update, delete, and manage device templates in an application

+ Title: Create and run jobs in your Azure IoT Central application

+ :::image type="content" source="media/howto-manage-devices-in-bulk/download-details.png" alt-text="Screenshot that shows the device status in IoT Central." lightbox="media/howto-manage-devices-in-bulk/download-details.png":::

+You can include connection and disconnection events in [Export IoT data to cloud destinations using Blob Storage](howto-export-to-blob-storage.md). To learn more, see [React to IoT Hub events > Limitations for device connected and device disconnected events](../../iot-hub/iot-hub-event-grid.md#limitations-for-device-connection-state-events).

+description: Learn how to use the IoT Central REST API to add, modify, delete, and manage devices in an application

+ Title: Manage IoT Central from Azure CLI or PowerShell

+description: How to create and manage your IoT Central application using the Azure CLI or PowerShell and configure a managed system identity for secure data export.

+ Title: Manage and monitor IoT Central in the Azure portal

+ Title: Use the REST API to manage IoT Central applications

+description: This article describes how to create and manage your IoT Central applications with the REST API and add a system assigned managed identity to your application.

+description: How to use the IoT Central REST API to create and manage jobs in an application to bulk manage your devices

+ Title: Manage your personal preferences on IoT Central

+ Title: Manage users and roles with the Azure IoT Central REST API

+description: How to use the IoT Central REST API to manage users and roles in an application and control access to resources

+ Title: Manage users and roles in Azure IoT Central application

+description: Create, edit, delete, and manage users and roles in your Azure IoT Central application to control access to resources

+ Title: Transform telemetry on ingress to IoT Central

+description: To use complex telemetry from devices, you can use mappings to transform it as it arrives in your IoT Central application.

+ Title: Monitor device connectivity with Azure IoT Central CLI

+description: Monitor device messages and observe device twin changes using Azure IoT Central CLI commands to verify device connectivity

+ Title: Define a new IoT device type in Azure IoT Central

+description: How to create an Azure IoT device template in your Azure IoT Central application. You define the telemetry, state, properties and commands for your device type.

+ Title: Transform data inside Azure IoT Central

+ Title: Configure uploads with the REST API in Azure IoT Central

+description: How to use the IoT Central REST API to add an upload storage account configuration in an application

+ Title: Use Azure IoT Central audit logs

+description: Learn how to use audit logs in IoT Central to track changes made by users or programatically in an IoT Central application

+description: How to use device commands in Azure IoT Central solution. Learn how to define and call device commands from IoT Central, and respond in a device.

+description: Learn how to use read-only and writable properties in an Azure IoT Central solution. Define properties in IoT Central and use properties progrmatically.

+ Title: Customer data request featuresΓÇï in Azure IoT Central

+ Title: Customer data residency in Azure IoT Central

+description: This article describes customer data residency in Azure IoT Central applications and how it relates to Azure geopgraphies.

+ Title: Supported browsers for Azure IoT Central

+description: How to administer your IoT Central application. Application administration includes users, organization, security, and automated deployments.

+ Title: Take a tour of the Azure IoT Central API

+description: This guide describes how to secure your IoT Central application including users, devices, API access, and authentication to other services for data export.

+ Title: Azure IoT Central data integration guide

+description: This guide describes how to integrate your IoT Central application with other services to extend its capabilities.

+ Title: Take a tour of the Azure IoT Central UI

+ Title: What is Azure IoT Central

+description: Azure IoT Central is an application platform that simplifies the creation of IoT solutions, reducing the overhead of IoT management operations, and development.

+ Title: Quickstart - Configure Azure IoT Central rules and actions

+ Title: Quickstart - Connect a device to Azure IoT Central

+description: In this quickstart, you learn how to connect your first device to a new IoT Central application. This quickstart uses a smartphone app as an IoT device.

+ Title: Troubleshoot data exports from Azure IoT Central

+description: Troubleshoot data exports in IoT Central for issues such as managed identity permissions and virtual network configuration

+ Title: Tutorial - Connect a client app to Azure IoT Central

+description: This tutorial shows you how to connect a device running either a C, C#, Java, JavaScript, or Python client app to your Azure IoT Central application.

+ Title: Tutorial - Create and manage rules in Azure IoT Central

+description: This tutorial shows you how Azure IoT Central rules let you monitor your devices in near real time and automatically invoke actions when a rule triggers.

+ Title: Tutorial - Define an Azure IoT Central gateway device type

+ Title: Tutorial - Explore an Azure IoT Central industrial scenario

+description: This tutorial shows you how to deploy an end-to-end industrial IoT solution by using IoT Edge, IoT Central, and Azure Data Explorer.

+ Title: Tutorial - Use Azure IoT Central device groups

+ Title: Tutorial - Azure IoT solar panel monitoring

+ Title: Tutorial - Azure IoT connected waste management

+ Title: Tutorial - Azure IoT water consumption monitoring

+ Title: Tutorial - Azure IoT water quality monitoring

+ Title: Tutorial - Deploy an Azure IoT in-store analytics app

+ Title: Tutorial - Visualize data from Azure IoT Central

+description: In this tutorial, learn how to export data from IoT Central, and visualize insights in a Power BI dashboard.

+ Title: Tutorial of IoT Connected logistics

+description: Learn how to deploy and use an IoT Central connected logistics application from an application template

+ Title: Tutorial - Azure IoT Digital Distribution Center

+ Title: Tutorial - Azure IoT smart inventory management

+ --step handler=microsoft/script:1 properties='{"installedCriteria": "1.0"}' \

+# Send cloud-to-device messages with IoT Hub (.NET)

+* Send cloud-to-device (C2D) messages from your solution backend to a single device through IoT Hub

+* **MessageReceiveSample**: a sample device app included with the [Microsoft Azure IoT SDK for .NET](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples), which connects to your IoT hub and receives cloud-to-device messages.

+* **SendCloudToDevice**: a service app that sends a cloud-to-device message to the device app through IoT Hub and then receives its delivery acknowledgment.

+* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](iot-hub-create-through-portal.md).

+* A device registered in your IoT hub. If you haven't registered a device yet, register one in the [Azure portal](iot-hub-create-through-portal.md#register-a-new-device-in-the-iot-hub).

+* This article uses sample code from the [Azure IoT SDK for C#](https://github.com/Azure/azure-iot-sdk-csharp).

+ * Download or clone the SDK repository from GitHub to your development machine.

+ * Make sure that .NET Core 3.0.0 or greater is installed on your development machine. Check your version by running `dotnet --version` and [download .NET](https://dotnet.microsoft.com/download) if necessary.

+* Visual Studio.

+## Get the device connection string

+In this article, you run a sample app that simulates a device, which receives cloud-to-device messages sent through your IoT Hub. The **MessageReceiveSample** sample app included with the [Microsoft Azure IoT SDK for .NET](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples) connects to your IoT hub and acts as your simulated device. The sample uses the primary connection string of the registered device on your IoT hub.

+## Receive messages in the device app

+In this section, run the **MessageReceiveSample** sample device app to receive C2D messages sent through your IoT hub. Open a new command prompt and navigate to the **azure-iot-sdk-csharp\iothub\device\samples\getting started\MessageReceiveSample** folder, under the folder where you expanded the Azure IoT C# SDK. Run the following commands, replacing the `{Your device connection string}` placeholder value with the device connection string you copied from the registered device in your IoT hub.

+```cmd/sh

+dotnet restore

+dotnet run --c "{Your device connection string}"

+```

+The following output is from the sample device app after it successfully starts and connects to your IoT hub:

+

+```cmd/sh

+5/22/2023 11:13:18 AM> Press Control+C at any time to quit the sample.

+

+5/22/2023 11:13:18 AM> Device waiting for C2D messages from the hub...

+5/22/2023 11:13:18 AM> Use the Azure Portal IoT hub blade or Azure IoT Explorer to send a message to this device.

+5/22/2023 11:13:18 AM> Trying to receive C2D messages by polling using the ReceiveAsync() method. Press 'n' to move to the next phase.

+```

+The sample device app polls for messages by using the [ReceiveAsync](/dotnet/api/microsoft.azure.devices.client.deviceclient.receiveasync) and [CompleteAsync](/dotnet/api/microsoft.azure.devices.client.deviceclient.completeasync) methods. The `ReceiveC2dMessagesPollingAndCompleteAsync` method uses the `ReceiveAsync` method, which asynchronously returns the received message at the time the device receives the message. `ReceiveAsync` returns *null* after a specifiable timeout period. In this example, the default of one minute is used. When the device receives a *null*, it should continue to wait for new messages. This requirement is the reason why the sample app includes the following block of code in the `ReceiveC2dMessagesPollingAndCompleteAsync` method:

+```csharp

+ if (receivedMessage == null)

+ {

+ continue;

+ }

+```

+The call to the `CompleteAsync` method notifies IoT Hub that the message has been successfully processed and that the message can be safely removed from the device queue. The device should call this method when its processing successfully completes regardless of the protocol it's using.

+With AMQP and HTTPS protocols, but not the [MQTT protocol](../iot/iot-mqtt-connect-to-iot-hub.md), the device can also:

+1. Add the following fields to the **Program** class. Replace the `{iot hub connection string}` placeholder value with the IoT hub connection string you noted previously in [Get the IoT hub connection string](#get-the-iot-hub-connection-string). Replace the `{device id}` placeholder value with the device ID of the registered device in your IoT hub.

+1. Press **F5** to start your sample service app. Select the **SendCloudToDevice** window, and press **Enter**. You should see the message received by the sample device app, as shown in the following output example.

+

+ ```cmd/sh

+ 5/22/2023 11:13:18 AM> Press Control+C at any time to quit the sample.

+

+ 5/22/2023 11:13:18 AM> Device waiting for C2D messages from the hub...

+ 5/22/2023 11:13:18 AM> Use the Azure Portal IoT hub blade or Azure IoT Explorer to send a message to this device.

+ 5/22/2023 11:13:18 AM> Trying to receive C2D messages by polling using the ReceiveAsync() method. Press 'n' to move to the next phase.

+ 5/22/2023 11:15:18 AM> Polling using ReceiveAsync() - received message with Id=

+ 5/22/2023 11:15:18 AM> Received message: [Cloud to device message.]

+ Content type:

+

+ 5/22/2023 11:15:18 AM> Completed C2D message with Id=.

+ ```

+In this section, you modify the **SendCloudToDevice** sample service app to request feedback, and receive it from the IoT hub.

+ ```csharp

+ ```csharp

+1. Make sure the sample device app is running, and then run the sample service app by pressing **F5**. Select the **SendCloudToDevice** console window and press **Enter**. You should see the message being received by the sample device app, and after a few seconds, the feedback message being received by your **SendCloudToDevice** application. The following output shows the feedback message received by the sample service app:

+ ```cmd/sh

+ Send Cloud-to-Device message

+

+

+ Receiving c2d feedback from service

+ Press any key to send a C2D message.

+

+ Received feedback: Success

+ ```

+* Receive cloud-to-device (C2D) messages on a device

+* Send cloud-to-device (C2D) messages from your solution backend to a single device through IoT Hub

+* **HandleMessages**: a sample device app included with the [Microsoft Azure IoT SDK for Java](https://github.com/Azure/azure-iot-sdk-java/tree/main/iothub/device/iot-device-samples), which connects to your IoT hub and receives cloud-to-device messages.

+* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](iot-hub-create-through-portal.md).

+* A device registered in your IoT hub. If you haven't registered a device yet, register one in the [Azure portal](iot-hub-create-through-portal.md#register-a-new-device-in-the-iot-hub).

+* This article uses sample code from the [Azure IoT SDK for Java](https://github.com/Azure/azure-iot-sdk-java).

+ * Download or clone the SDK repository from GitHub to your development machine.

+ * Make sure that [Java SE Development Kit 8](/java/azure/jdk/) is installed on your development machine. Make sure you select **Java 8** under **Long-term support** to get to downloads for JDK 8.

+* [Maven 3](https://maven.apache.org/download.cgi)

+* Make sure that port 8883 is open in your firewall. The device sample in this article uses MQTT protocol, which communicates over port 8883. This port may be blocked in some corporate and educational network environments. For more information and ways to work around this issue, see [Connecting to IoT Hub (MQTT)](../iot/iot-mqtt-connect-to-iot-hub.md#connecting-to-iot-hub).

+## Get the device connection string

+In this article, you run a sample app that simulates a device, which receives cloud-to-device messages sent through your IoT Hub. The **HandleMessages** sample app included with the [Microsoft Azure IoT SDK for Java](https://github.com/Azure/azure-iot-sdk-java/tree/main/iothub/device/iot-device-samples) connects to your IoT hub and acts as your simulated device. The sample uses the primary connection string of the registered device on your IoT hub.

+## Receive messages in the device app

+In this section, run the **HandleMessages** sample device app to receive C2D messages sent through your IoT hub. Open a new command prompt and navigate to the **azure-iot-sdk-java\iothub\device\iot-device-samples\handle-messages** folder, under the folder where you expanded the Azure IoT Java SDK. Run the following commands, replacing the `{Your device connection string}` placeholder value with the device connection string you copied from the registered device in your IoT hub.

+```cmd/sh

+mvn clean package -DskipTests

+java -jar ./target/handle-messages-1.0.0-with-deps.jar "{Your device connection string}"

+```

+The following output is from the sample device app after it successfully starts and connects to your IoT hub:

+

+```cmd/sh

+5/22/2023 11:13:18 AM> Press Control+C at any time to quit the sample.

+

+Starting...

+Beginning setup.

+Successfully read input parameters.

+Using communication protocol MQTT.

+2023-05-23 09:51:06,062 INFO (main) [com.microsoft.azure.sdk.iot.device.transport.ExponentialBackoffWithJitter] - NOTE: A new instance of ExponentialBackoffWithJitter has been created with the following properties. Retry Count: 2147483647, Min Backoff Interval: 100, Max Backoff Interval: 10000, Max Time Between Retries: 100, Fast Retry Enabled: true

+2023-05-23 09:51:06,187 DEBUG (main) [com.microsoft.azure.sdk.iot.device.ClientConfiguration] - Device configured to use software based SAS authentication provider

+2023-05-23 09:51:06,187 INFO (main) [com.microsoft.azure.sdk.iot.device.transport.ExponentialBackoffWithJitter] - NOTE: A new instance of ExponentialBackoffWithJitter has been created with the following properties. Retry Count: 2147483647, Min Backoff Interval: 100, Max Backoff Interval: 10000, Max Time Between Retries: 100, Fast Retry Enabled: true

+2023-05-23 09:51:06,202 DEBUG (main) [com.microsoft.azure.sdk.iot.device.DeviceClient] - Initialized a DeviceClient instance using SDK version 2.1.5

+Successfully created an IoT Hub client.

+Successfully set message callback.

+2023-05-23 09:51:06,205 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.mqtt.MqttIotHubConnection] - Opening MQTT connection...

+2023-05-23 09:51:06,218 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.mqtt.Mqtt] - Sending MQTT CONNECT packet...

+2023-05-23 09:51:07,308 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.mqtt.Mqtt] - Sent MQTT CONNECT packet was acknowledged

+2023-05-23 09:51:07,308 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.mqtt.Mqtt] - Sending MQTT SUBSCRIBE packet for topic devices/US60536-device/messages/devicebound/#

+2023-05-23 09:51:07,388 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.mqtt.Mqtt] - Sent MQTT SUBSCRIBE packet for topic devices/US60536-device/messages/devicebound/# was acknowledged

+2023-05-23 09:51:07,388 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.mqtt.MqttIotHubConnection] - MQTT connection opened successfully

+2023-05-23 09:51:07,388 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.IotHubTransport] - The connection to the IoT Hub has been established

+2023-05-23 09:51:07,404 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.IotHubTransport] - Updating transport status to new status CONNECTED with reason CONNECTION_OK

+2023-05-23 09:51:07,404 DEBUG (main) [com.microsoft.azure.sdk.iot.device.DeviceIO] - Starting worker threads

+2023-05-23 09:51:07,408 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.IotHubTransport] - Invoking connection status callbacks with new status details

+CONNECTION STATUS UPDATE: CONNECTED

+CONNECTION STATUS REASON: CONNECTION_OK

+CONNECTION STATUS THROWABLE: null

+The connection was successfully established. Can send messages.

+2023-05-23 09:51:07,408 DEBUG (main) [com.microsoft.azure.sdk.iot.device.transport.IotHubTransport] - Client connection opened successfully

+2023-05-23 09:51:07,408 INFO (main) [com.microsoft.azure.sdk.iot.device.DeviceClient] - Device client opened successfully

+Opened connection to IoT Hub. Messages sent to this device will now be received.

+Press any key to exit...

+```

+In this article, you create a backend service to send cloud-to-device messages through your IoT Hub. To send cloud-to-device messages, your service needs the **service connect** permission. By default, every IoT Hub is created with a shared access policy named **service** that grants this permission.

+9. To build the **send-c2d-messages** app using Maven, execute the following command at the command prompt in the simulated-device folder:

+1. At a command prompt in the **azure-iot-sdk-java\iothub\device\iot-device-samples\handle-messages** folder, run the following commands, replacing the `{Your device connection string}` placeholder value with the device connection string you copied from the registered device in your IoT hub. This step starts the sample device app, which sends telemetry to your IoT hub and listens for cloud-to-device messages sent from your hub:

+ java -jar ./target/handle-messages-1.0.0-with-deps.jar "{Your device connection string}"

+ :::image type="content" source="./media/iot-hub-java-java-c2d/receivec2d.png" alt-text="Screenshot of the sample device app running in a console window." lightbox="./media/iot-hub-java-java-c2d/receivec2d.png":::

+2. At a command prompt in the **send-c2d-messages** folder, run the following command to send a cloud-to-device message and wait for a feedback acknowledgment:

+ :::image type="content" source="./media/iot-hub-java-java-c2d/sendc2d.png" alt-text="Screenshot of the sample service app running in a console window." lightbox="./media/iot-hub-java-java-c2d/sendc2d.png":::

+* Send cloud-to-device (C2D) messages from your solution backend to a single device through IoT Hub

+* **simple_sample_device**: a sample device app included with the [Microsoft Azure IoT SDK for Node.js](https://github.com/Azure/azure-iot-sdk-node/tree/main/device/samples), which connects to your IoT hub and receives cloud-to-device messages.

+* **SendCloudToDevice**: a service app that sends a cloud-to-device message to the device app through IoT Hub and then receives its delivery acknowledgment.

+* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](iot-hub-create-through-portal.md).

+* A device registered in your IoT hub. If you haven't registered a device yet, register one in the [Azure portal](iot-hub-create-through-portal.md#register-a-new-device-in-the-iot-hub).

+* This article uses sample code from the [Azure IoT SDK for Node.js](https://github.com/Azure/azure-iot-sdk-node).

+ * Download or clone the SDK repository from GitHub to your development machine.

+ * Make sure that Node.js version 10.0.x or greater is installed on your development machine. [Prepare your development environment](https://github.com/Azure/azure-iot-sdk-node/tree/main/doc/node-devbox-setup.md) describes how to install Node.js for this article on either Windows or Linux.

+## Get the device connection string

+In this article, you run a sample app that simulates a device, which receives cloud-to-device messages sent through your IoT Hub. The **simple_sample_device** sample app included with the [Microsoft Azure IoT SDK for Node.js](https://github.com/Azure/azure-iot-sdk-node/tree/main/device/samples) connects to your IoT hub and acts as your simulated device. The sample uses the primary connection string of the registered device on your IoT hub.

+## Receive messages in the device app

+In this section, run the **simple_sample_device** sample device app to receive C2D messages sent through your IoT hub. Open a new command prompt and navigate to the **azure-iot-sdk-node\device\samples\javascript** folder, under the folder where you expanded the Azure IoT Node.js SDK. Run the following commands, replacing the `{Your device connection string}` placeholder value with the device connection string you copied from the registered device in your IoT hub.

+```cmd/sh

+set IOTHUB_DEVICE_CONNECTION_STRING={Your device connection string}

+node simple_sample_device.js

+```

+The following output is from the sample device app after it successfully starts and connects to your IoT hub:

+```cmd/sh

+Client connected

+Client connected

+Client connected

+Sending message: {"deviceId":"myFirstDevice","windSpeed":10.949952400617569,"temperature":26.0096515658525,"humidity":72.59398225838534}

+Client connected

+Client connected

+send status: MessageEnqueued

+Sending message: {"deviceId":"myFirstDevice","windSpeed":12.917649160180087,"temperature":27.336831253904613,"humidity":77.37300365434534}

+```

+> If you use HTTPS instead of MQTT or AMQP as the transport, the **Client** instance checks for messages from IoT Hub infrequently (a minimum of every 25 minutes). For more information about the differences between MQTT, AMQP, and HTTPS support, see [Cloud-to-device communications guidance](iot-hub-devguide-c2d-guidance.md) and [Choose a communication protocol](iot-hub-devguide-protocols.md).

+1. Create an empty folder called **sendcloudtodevicemessage**. Open a command prompt, navigate to the **sendcloudtodevicemessage** folder, and then run the following command to create a `package.json` file in that folder. Press **Enter** at each prompt presented by the `npm` command to accept the default for that prompt:

+ ```cmd/sh

+ ```cmd/sh

+1. At the command prompt in the **azure-iot-sdk-node\device\samples\javascript** folder, run the following command to send telemetry to IoT Hub and to listen for cloud-to-device messages:

+ node simple_sample_device.js

+* Send cloud-to-device (C2D) messages from your solution backend to a single device through IoT Hub

+ Title: Azure IoT Hub and Event Grid

+description: Use Azure Event Grid to send notifications and trigger processes based on actions that happen in IoT Hub.

+To watch a video discussing this integration, see [Azure IoT Hub integration with Azure Event Grid](/shows/internet-of-things-show/iot-devices-and-event-grid).

+

+Device telemetry messages must be in a valid JSON format with the contentType set to **application/json** and contentEncoding set to **UTF-8** in the message [system properties](iot-hub-devguide-routing-query-syntax.md#system-properties). Both of these properties are case insensitive. If the content encoding is not set, then IoT Hub writes the messages in base 64 encoded format.

+You can enrich device telemetry events before they're published to Event Grid by selecting the endpoint as Event Grid. For more information, see [message enrichments](iot-hub-message-enrichments-overview.md).

+Event Grid enables [filtering](../event-grid/event-filtering.md) on event types, subjects, and data content. While creating the Event Grid subscription, you can choose to subscribe to selected IoT events.

+* Event type: For the list of IoT Hub event types, see [event types](#event-types).

+* Subject: For IoT Hub events, the subject is the device name. The subject takes the format `devices/{deviceId}`. You can filter subjects based on **Begins With** (prefix) and **Ends With** (suffix) matches. The filter uses an `AND` operator, so events with a subject that match both the prefix and suffix are delivered to the subscriber.

+* Data content: The data content is populated by IoT Hub using the message format. You can choose what events are delivered based on the contents of the telemetry message. For examples, see [advanced filtering](../event-grid/event-filtering.md#advanced-filtering). For filtering on the telemetry message body, you must set the contentType to **application/json** and contentEncoding to **UTF-8** in the message [system properties](./iot-hub-devguide-routing-query-syntax.md#system-properties). Both of these properties are case insensitive.

+## Limitations for device connection state events

+Device connected and device disconnected events are available for devices connecting using either the MQTT or AMQP protocol, or using either of these protocols over WebSockets. Requests made only with HTTPS won't trigger device connection state notifications.

+### Device connection state interval

+IoT Hub attempts to report each device connection state change event, but some may be missed. At minimum, IoT Hub reports connection state change events that occur 60 seconds apart from each other. This behavior may lead to outcomes such as multiple device connect events reported with no device disconnect events between them.

+<!--

+

+-->

+* For an overview of using Event Grid with IoT Hub, see [React to IoT Hub events with Event Grid](iot-hub-event-grid.md). Pay particular attention to the [Limitations for device connection state events](iot-hub-event-grid.md#limitations-for-device-connection-state-events) section.

+> [Create a public load balancer with an IP-based backend](tutorial-load-balancer-ip-backend-portal.md)

+* Azure Batch Service

+* Azure Cognitive Services

+* Azure Container Apps

+* Azure Container Instances

+* Azure Data Explorer

+* Azure Data Factory

+* Azure Data Lake Storage Gen1

+* Azure Database for MySQL Flexible Server

+* Azure Database for PostgreSQL Flexible Server

+* Azure HDInsight

+* Azure Logic Apps

+* Azure Spring Apps

+* Azure Synapse Analytics

+* Storage Accounts: Azure Blob Storage/Azure Files/Azure Table Storage/Queue Storage

+| Workflow - Maximum name length | - Consumption: 80 characters <br><br>- Standard: 32 characters ||

+import joblib

+When working with REST, we recommend invoking batch endpoints using a service principal. However, if you want to test a particular deployment using REST with your own credentials, you can do it by generating an Azure AD token for your account. Follow these steps:

+1. The simplest way to get a valid token for your user account is to use the Azure CLI. In a console, run the following command:

+ ```azurecli

+ az account get-access-token --resource https://ml.azure.com --query "accessToken" --output tsv

+ ```

+

+1. Take note of the generated output.

+1. Once authenticated, make a request to the invocation URI replacing `<TOKEN>` by the one you obtained before.

+

+ __Request__:

+

+ ```http

+ POST jobs HTTP/1.1

+ Host: <ENDPOINT_URI>

+ Authorization: Bearer <TOKEN>

+ Content-Type: application/json

+ ```

+ __Body:__

+

+ ```json

+ {

+ "properties": {

+ "InputData": {

+ "mnistinput": {

+ "JobInputType" : "UriFolder",

+ "Uri": "https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci"

+ }

+ }

+ }

+ }

+ ```

+ On [Azure Machine Learning studio portal](https://ml.azure.com), follow these steps:

+

+ 1. From the __Endpoints__ page, Select **+Create**.

+ 1. Provide a name and authentication type for the endpoint, and then select __Next__.

+ 1. When selecting a model, select the MLflow model registered previously. Select __Next__ to continue.

+ 1. When you select a model registered in MLflow format, in the Environment step of the wizard, you don't need a scoring script or an environment. However, you can indicate one by selecting the checkbox __Customize environment and scoring script__.

+ :::image type="content" source="media/how-to-batch-scoring-script/configure-scoring-script-mlflow.png" lightbox="media/how-to-batch-scoring-script/configure-scoring-script-mlflow.png" alt-text="Screenshot showing how to indicate an environment and scoring script for MLflow models":::

+

+ 1. Select the environment and scoring script you created before, then select __Next__.

+ 1. Complete the wizard to deploy the model to the endpoint.

+| Deploy to managed online endpoints (with a scoring script) | ³ | [See example](how-to-deploy-mlflow-models-online-endpoints.md#customizing-mlflow-model-deployments) | [See example](how-to-deploy-mlflow-models-online-endpoints.md?tab=studio#customizing-mlflow-model-deployments) |

+| Deploy to batch endpoints | ³ | [See example](how-to-mlflow-batch.md) | [See example](how-to-mlflow-batch.md?tab=studio) |

+| Deploy to batch endpoints (with a scoring script) | ³ | [See example](how-to-mlflow-batch.md#customizing-mlflow-models-deployments-with-a-scoring-script) | [See example](how-to-mlflow-batch.md?tab=studio#customizing-mlflow-models-deployments-with-a-scoring-script) |

+| Deploy to web services (ACI/AKS) | Legacy support² | Not supported² | Not supported² |

+| Deploy to web services (ACI/AKS - with a scoring script) | ³ | Legacy support² | Legacy support² |

+> - ³ MLflow (OSS) doesn't have the concept of an scoring script and doesn't support batch execution by the moment.

+ To create a new deployment under the created endpoint, create a `YAML` configuration like the following. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+ To create a new deployment under the created endpoint, create a `YAML` configuration like the following. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+ To create a new deployment under the created endpoint, create a `YAML` configuration like the following. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+ To create a new deployment under the created endpoint, create a `YAML` configuration like the following. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+ To create a new deployment under the created endpoint, create a `YAML` configuration like the following. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+ To create a new deployment under the created endpoint, create a `YAML` configuration like the following. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+ The `deployment.yml` file contains the deployment's configuration. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+ The `deployment.yml` file contains the deployment's configuration. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+- [Troubleshooting batch endpoints](how-to-troubleshoot-batch-endpoints.md)

+ The `deployment-ordinal/deployment.yml` file contains the deployment's configuration. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+ The `deployment-onehot/deployment.yml` file contains the deployment's configuration. You can check the [full batch endpoint YAML schema](reference-yaml-endpoint-batch.md) for extra properties.

+- [Troubleshooting batch endpoints](how-to-troubleshoot-batch-endpoints.md)

+ min[max[(Previous delta replication cycle time/2), 1 hour], 12 hours]

+That is, the next delta replication will be scheduled no sooner than one hour and no later than 12 hours. For example, if a VM takes four hours for a delta replication cycle, the next delta replication cycle is scheduled in two hours, and not in the next hour.

+The Migration and modernization portal experience lets you [migrate VMware VMs to Azure with agentless replication.](tutorial-migrate-vmware.md) The portal experience supports DES/CMK. DES should be created before starting replication and must be provided while starting replication. It cannot be provided at the time of migration. In this article, you'll see how to create and deploy an [Azure Resource Manager template](../azure-resource-manager/templates/overview.md) to replicate a VMware VM and configure the replicated disks in Azure to use SSE with CMK.

+ 3. Search for your storage account in the Azure portal. Ensure that the subscription you use to search is the same subscription (target subscription) in which the storage account is created. Go to Containers in the Blob Service section. Select **+Container** and create a Container. Ensure you provide *write* permission to the container. Retain Public Access Level to the default selected value.

+> [!Note]

+> Azure Migrate doesn't support agentless migration of VMware VMs with VMDK containing non-ASCII characters.

+ Title: Manage NSG flow logs - Azure portal

+description: Learn how to create, change, disable, or delete Azure Network Watcher NSG flow logs using the Azure portal.

+# Manage NSG flow logs using the Azure portal

+> [!div class="op_single_selector"]

+> - [Azure portal](nsg-flow-logging.md)

+> - [PowerShell](network-watcher-nsg-flow-logging-powershell.md)

+> - [Azure CLI](network-watcher-nsg-flow-logging-cli.md)

+> - [REST API](network-watcher-nsg-flow-logging-rest.md)

+Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about NSG flow logs, see [NSG flow logs overview](network-watcher-nsg-flow-logging-overview.md).

+In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure portal.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Insights provider. For more information, see [Register Insights provider](#register-insights-provider).

+- A network security group. If you need to create a network security group, see [Create, change, or delete a network security group](../virtual-network/manage-network-security-group.md?tabs=network-security-group-portal).

+- An Azure storage account. If you need to create a storage account, see [Create a storage account using PowerShell](../storage/common/storage-account-create.md?tabs=azure-portal).

+## Register Insights provider

+*Microsoft.Insights* provider must be registered to successfully log traffic flowing through a network security group. If you aren't sure if the *Microsoft.Insights* provider is registered, check its status:

+1. In the search box at the top of the portal, enter *subscriptions*. Select **Subscriptions** in the search results.

+1. Select the Azure subscription that you want to enable the provider for in **Subscriptions**.

+1. Under **Settings**, select **Resource providers**.

+1. Enter *insight* in the filter box.

+1. Confirm the status of the provider displayed is **Registered**. If the status is **NotRegistered**, select the **Microsoft.Insights** provider then select **Register**.

+ :::image type="content" source="./media/nsg-flow-logging/register-microsoft-insights.png" alt-text="Screenshot of registering Microsoft Insights provider in the Azure portal.":::

+## Create a flow log

+Create a flow log for your network security group. This NSG flow log is saved in an Azure storage account.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select **+ Create** or **Create flow log** blue button.

+ :::image type="content" source="./media/nsg-flow-logging/flow-logs.png" alt-text="Screenshot of Flow logs page in the Azure portal." lightbox="./media/nsg-flow-logging/flow-logs.png":::

+1. Enter or select the following values in **Create a flow log**:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select the Azure subscription of your network security group that you want to log. |

+ | Network security group | Select **+ Select resource**. <br> In **Select network security group**, select **myNSG**. Then, select **Confirm selection**. |

+ | Flow Log Name | Enter a name for the flow log or leave the default name. **myNSG-myResourceGroup-flowlog** is the default name for this example. |

+ | **Instance details** | |

+ | Subscription | Select the Azure subscription of your storage account. |

+ | Storage Accounts | Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select **Create a new storage account**. |

+ | Retention (days) | Enter a retention time for the logs. Enter *0* if you want to retain the flow logs data in the storage account forever (until you delete it from the storage account). For information about pricing, see [Azure Storage pricing](https://azure.microsoft.com/pricing/details/storage/). |

+ :::image type="content" source="./media/nsg-flow-logging/create-nsg-flow-log.png" alt-text="Screenshot of creating an NSG flow log in the Azure portal.":::

+ > [!NOTE]

+ > If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the [necessary permissions](required-rbac-permissions.md).

+1. Select **Review + create**.

+1. Review the settings, and then select **Create**.

+## Create a flow log and traffic analytics workspace

+Create a flow log for your network security group and enable traffic analytics. The NSG flow log is saved in an Azure storage account.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select **+ Create** or **Create flow log** blue button.

+ :::image type="content" source="./media/nsg-flow-logging/flow-logs.png" alt-text="Screenshot of Flow logs page in the Azure portal." lightbox="./media/nsg-flow-logging/flow-logs.png":::

+1. Enter or select the following values in **Create a flow log**:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select the Azure subscription of your network security group that you want to log. |

+ | Network security group | Select **+ Select resource**. <br> In **Select network security group**, select **myNSG**. Then, select **Confirm selection**. |

+ | Flow Log Name | Enter a name for the flow log or leave the default name. By default, Azure portal creates *{network-security-group}-{resource-group}-flowlog* flow log in **NetworkWatcherRG** resource group. |

+ | **Instance details** | |

+ | Subscription | Select the Azure subscription of your storage account. |

+ | Storage Accounts | Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select **Create a new storage account**. |

+ | Retention (days) | Enter a retention time for the logs. Enter *0* if you want to retain the flow logs data in the storage account forever (until you delete it from the storage account). For information about pricing, see [Azure Storage pricing](https://azure.microsoft.com/pricing/details/storage/). |

+ :::image type="content" source="./media/nsg-flow-logging/create-nsg-flow-log-basics.png" alt-text="Screenshot of the Basics tab of Create a flow log in the Azure portal.":::

+ > [!NOTE]

+ > If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the [necessary permissions](required-rbac-permissions.md).

+1. Select **Next: Analytics** button, or select **Analytics** tab. Then enter or select the following values:

+ | Setting | Value |

+ | - | -- |

+ | Flow Logs Version | Select the flow log version. Version 2 is selected by default when you create a flow log using the Azure portal. For more information about flow logs versions, see [Log format of NSG flow logs](network-watcher-nsg-flow-logging-overview.md#log-format). |

+ | **Traffic Analytics** | |

+ | Enable Traffic Analytics | Select the checkbox to enable traffic analytics for your flow log. |

+ | Traffic Analytics processing interval | Select the processing interval that you prefer, available options are: **Every 1 hour** and **Every 10 mins**. The default processing interval is every one hour. For more information, see [Traffic Analytics](traffic-analytics.md). |

+ | Subscription | Select the Azure subscription of your Log Analytics workspace. |

+ | Log Analytics Workspace | Select your Log Analytics workspace. By default, Azure portal creates and selects *DefaultWorkspace-{subscription-id}-{region}* Log Analytics workspace in *defaultresourcegroup-{Region}* resource group. |

+ :::image type="content" source="./media/nsg-flow-logging/enable-traffic-analytics.png" alt-text="Screenshot of enabling traffic analytics for a flow log in the Azure portal.":::

+1. Select **Review + create**.

+1. Review the settings, and then select **Create**.

+## Change a flow log

+You can change the properties of a flow log after you create it. For example, you can change the flow log version or disable traffic analytics.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the flow log that you want to change.

+1. In **Flow logs settings**, you can change any of the following settings:

+ - **Flow Logs Version**: Change the flow log version. Available versions are: version 1 and version 2. Version 2 is selected by default when you create a flow log using the Azure portal. For more information about flow logs versions, see [Log format of NSG flow logs](network-watcher-nsg-flow-logging-overview.md#log-format).

+ - **Storage Account**: Change the storage account that you want to save the flow logs to. If you want to create a new storage account, select **Create a new storage account**.

+ - **Retention (days)**: Change the retention time in the storage account. Enter *0* if you want to retain the flow logs data in the storage account forever (until you manually delete the data from the storage account).

+ - **Traffic Analytics**: Enable or disable traffic analytics for your flow log. For more information, see [Traffic Analytics](traffic-analytics.md).

+ - **Traffic Analytics processing interval**: Change the processing interval of traffic analytics (if traffic analytics is enabled). Available options are: one hour and 10 minutes. The default processing interval is every one hour. For more information, see [Traffic Analytics](traffic-analytics.md).

+ - **Log Analytics workspace**: Change the Log Analytics workspace that you want to save the flow logs to (if traffic analytics is enabled).

+ :::image type="content" source="./media/nsg-flow-logging/change-flow-log.png" alt-text="Screenshot of Flow logs settings page in the Azure portal where you can change some settings." lightbox="./media/nsg-flow-logging/change-flow-log.png":::

+## List all flow logs

+You can list all flow logs in a subscription or a group of subscriptions. You can also list all flow logs in a region.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. Select **Subscription equals** filter to choose one or more of your subscriptions. You can apply other filters like **Location equals** to list all the flow logs in a region.

+ :::image type="content" source="./media/nsg-flow-logging/list-flow-logs.png" alt-text="Screenshot shows how to use filters to list all existing flow logs in a subscription using the Azure portal." lightbox="./media/nsg-flow-logging/list-flow-logs.png":::

+## View details of a flow log resource

+You can view the details of a flow log in a subscription or a group of subscriptions. You can also list all flow logs in a region.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the flow log that you want to see.

+1. In **Flow logs settings**, you can view the settings of the flow log resource.

+ :::image type="content" source="./media/nsg-flow-logging/flow-log-settings.png" alt-text="Screenshot of Flow logs settings page in the Azure portal." lightbox="./media/nsg-flow-logging/flow-log-settings.png":::

+## Download a flow log

+The storage location of a flow log is defined at creation. To access and download flow logs from your storage account, you can use Azure Storage Explorer. Fore more information, see [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md).

+NSG flow log files saved to a storage account follow this path:

+```

+https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

+```

+For information about the structure of a flow log, see [Log format of NSG flow logs](network-watcher-nsg-flow-logging-overview.md#log-format).

+## Disable a flow log

+You can temporarily disable an NSG flow log without deleting it. Disabling a flow log stops flow logging for the associated network security group. However, the flow log resource remains with all its settings and associations. You can re-enable it at any time to resume flow logging for the configured network security group.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the checkbox of the flow log that you want to disable.

+1. Select **Disable**.

+ :::image type="content" source="./media/nsg-flow-logging/disable-flow-log.png" alt-text="Screenshot shows how to disable a flow log in the Azure portal." lightbox="./media/nsg-flow-logging/disable-flow-log.png":::

+> [!NOTE]

+> If traffic analytics is enabled for a flow log, it must disabled before you can disable the flow log. To disable traffic analytics, see [Change a flow log](#change-a-flow-log).

+## Delete a flow log

+You can permanently delete an NSG flow log. Deleting a flow log deletes all its settings and associations. To begin flow logging again for the same network security group, you must create a new flow log for it.

+1. In the search box at the top of the portal, enter *network watcher*. Select **Network Watcher** in the search results.

+1. Under **Logs**, select **Flow logs**.

+1. In **Network Watcher | Flow logs**, select the checkbox of the flow log that you want to delete.

+1. Select **Delete**.

+ :::image type="content" source="./media/nsg-flow-logging/delete-flow-log.png" alt-text="Screenshot shows how to delete a flow log in the Azure portal." lightbox="./media/nsg-flow-logging/delete-flow-log.png":::

+> [!NOTE]

+> Deleting a flow log does not delete the flow log data from the storage account. Flow logs data stored in the storage account follows the configured retention policy or stays stored in the storage account until manually deleted (in case no retention policy is configured).

+## Next Steps

+- To learn how to use Azure built-in policies to audit or deploy NSG flow logs, see [Manage NSG flow logs using Azure Policy](nsg-flow-logs-policy-portal.md).

+- To learn about traffic analytics, see [Traffic analytics](traffic-analytics.md).

+For those customers that are looking for simplified management, built-in high availability, easy connectivity with containerized applications and are interested in utilizing most popular configuration parameters with PGBouncer built-in PGBouncer feature is good choice. For customers looking for full control of all parameters and debugging experience another choice could be setting up PGBouncer on Azure VM as an alternative.

+# Query Performance Insight for Azure Database for PostgreSQL - Flexible Server

+The Query Performance Insight view in the Azure portal will surface visualizations on key information from Query Store. Query Performance Insight is easy to use:

+## Release: June 2023

+* General availability of [Query Performance Insight](./concepts-query-performance-insight.md) for Azure Database for PostgreSQL ΓÇô Flexible Server.

+3. Carry out the following procedure three times, plus once for each of the supplementary data networks (so five times in total if you have the maximum three data networks):

+3. Carry out the following procedure three times, plus once for each of the supplementary data networks (so five times in total if you have the maximum three data networks):

+Azure Private 5G Core requires a management network, access network, and up to three data networks. These networks can all be part of the same, larger network, or they can be separate. The approach you use depends on your traffic separation requirements.

+ Title: Configure UE to UE internal forwarding - Azure portal

+description: In this how-to guide you'll learn how to enable or disable UE to UE internal forwarding using policy control configuration in the Azure portal.

+# Configure UE to UE internal forwarding for Azure Private 5G Core - Azure portal

+Azure Private 5G Core enables traffic flowing between user equipment (UEs) attached to the same data network to stay within that network. This is called *internal forwarding between UEs*. Internal forwarding between UEs minimizes latency and maximizes security and privacy for UE-UE traffic. You can enable or disable this behavior using SIM policies.

+If you are using the [Default service and allow-all SIM policy](default-service-sim-policy.md), internal forwarding will be enabled. If you are using a more restrictive policy, you may need to enable internal forwarding.

+If you are using the [Default service and allow-all SIM policy](default-service-sim-policy.md) and would like to disable internal forwarding, either because you use an external gateway or because you do not want UEs to communicate with each other, you can create a service to do so and then apply it to your allow-all SIM policy.

+## Prerequisites

+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you identified in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md). This account must have the built-in Contributor or Owner role at the subscription scope.

+- Identify the name of the Mobile Network resource corresponding to your private mobile network.

+- Collect all the configuration values in [Collect the required information for a service](collect-required-information-for-service.md) for your chosen service.

+## Create a service to allow internal forwarding

+In this step, we'll create a service that allows traffic labeled with the remote address in the range configured for UEs (10.20.0.0/16, in this example) to flow in both directions.

+To create the service:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Search for and select the Mobile Network resource representing your private mobile network.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal showing the results for a search for a Mobile Network resource.":::

+1. In the **Resource** menu, select **Services**.

+ :::image type="content" source="media/configure-service-azure-portal/services-resource-menu-option.png" alt-text="Screenshot of the Azure portal showing the Services option in the resource menu of a Mobile Network resource.":::

+1. In the **Command** bar, select **Create**.

+ :::image type="content" source="media/configure-service-azure-portal/create-command-bar-option.png" alt-text="Screenshot of the Azure portal showing the Create option in the command bar.":::

+1. We'll now enter values to define the QoS characteristics that will be applied to service data flows (SDFs) that match this service. On the **Basics** tab, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Service name** |`service_allow_internal_forwarding` |

+ |**Service precedence** | `200` |

+ |**Maximum bit rate (MBR) - Uplink** | `2 Gbps` |

+ |**Maximum bit rate (MBR) - Downlink** | `2 Gbps` |

+ |**Allocation and Retention Priority level** | `2` |

+ |**5QI/QCI** | `9` |

+ |**Preemption capability** | Select **May not preempt**. |

+ |**Preemption vulnerability** | Select **Not preemptible**. |

+1. Under **Data flow policy rules**, select **Add a policy rule**.

+1. We'll now create a data flow policy rule that allows any packets that match the data flow template we'll configure in the next step. Under **Add a policy rule** on the right, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Rule name** |`rule_allow_internal_forwarding` |

+ |**Policy rule precedence** | Select **200**. |

+ |**Allow traffic** | Select **Enabled**. |

+1. We'll now create a data flow template that matches on packets flowing towards or away from UEs in 10.20.0.0/16, so that they can be allowed by `rule_allow_internal_forwarding`.

+ Under **Data flow templates**, select **Add a data flow template**. In the **Add a data flow template** pop-up, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Template name** |`internal_forwarding` |

+ |**Protocols** | Select **All**. |

+ |**Direction** | Select **Bidirectional**. |

+ |**Remote IPs** | `10.20.0.0/16` |

+ |**Ports** | Leave blank. |

+1. Select **Add**.

+1. On the **Basics** configuration tab, select **Review + create**.

+1. Select **Create** to create the service.

+1. The Azure portal will display the following confirmation screen when the service has been created. Select **Go to resource** to see the new service resource.

+ :::image type="content" source="media/configure-service-azure-portal/service-resource-deployment-confirmation.png" alt-text="Screenshot of the Azure portal showing the successful deployment of a service and the Go to resource button.":::

+1. Confirm that the QoS characteristics, data flow policy rules, and service data flow templates listed at the bottom of the screen are configured as expected.

+## Create a service to block internal forwarding

+In this step, we'll create a service that blocks traffic labeled with the remote address in the range configured for UEs (10.20.0.0/16, in this example) in both directions.

+To create the service:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Search for and select the Mobile Network resource representing your private mobile network.

+ :::image type="content" source="media/mobile-network-search.png" alt-text="Screenshot of the Azure portal showing the results for a search for a Mobile Network resource.":::

+1. In the **Resource** menu, select **Services**.

+ :::image type="content" source="media/configure-service-azure-portal/services-resource-menu-option.png" alt-text="Screenshot of the Azure portal showing the Services option in the resource menu of a Mobile Network resource.":::

+1. In the **Command** bar, select **Create**.

+ :::image type="content" source="media/configure-service-azure-portal/create-command-bar-option.png" alt-text="Screenshot of the Azure portal showing the Create option in the command bar.":::

+1. Enter values to define the QoS characteristics that will be applied to service data flows (SDFs) that match this service. On the **Basics** tab, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Service name** |`service_block_internal_forwarding` |

+ |**Service precedence** | `200` |

+ |**Maximum bit rate (MBR) - Uplink** | `2 Gbps` |

+ |**Maximum bit rate (MBR) - Downlink** | `2 Gbps` |

+ |**Allocation and Retention Priority level** | `2` |

+ |**5QI/QCI** | `9` |

+ |**Preemption capability** | Select **May not preempt**. |

+ |**Preemption vulnerability** | Select **Not preemptible**. |

+ > [!IMPORTANT]

+ > The **Service precedence** must be a lower value than any conflicting service (such as an "allow all" service). Services are matched to traffic in order of precedence.

+1. Under **Data flow policy rules**, select **Add a policy rule**.

+1. We'll now create a data flow policy rule that blocks any packets that match the data flow template we'll configure in the next step. Under **Add a policy rule** on the right, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Rule name** |`rule_block_internal_forwarding` |

+ |**Policy rule precedence** | Select **200**. |

+ |**Allow traffic** | Select **Blocked**. |

+1. We'll now create a data flow template that matches on packets flowing towards or away from UEs in 10.20.0.0/16, so that they can be blocked by `rule_block_internal_forwarding`.

+ Under **Data flow templates**, select **Add a data flow template**. In the **Add a data flow template** pop-up, fill out the fields as follows.

+ |Field |Value |

+ |||

+ |**Template name** |`internal_forwarding` |

+ |**Protocols** | Select **All**. |

+ |**Direction** | Select **Bidirectional**. |

+ |**Remote IPs** | `10.20.0.0/16` |

+ |**Ports** | Leave blank. |

+1. Select **Add**.

+1. On the **Basics** configuration tab, select **Review + create**.

+1. Select **Create** to create the service.

+1. The Azure portal will display the following confirmation screen when the service has been created. Select **Go to resource** to see the new service resource.

+ :::image type="content" source="media/configure-service-azure-portal/service-resource-deployment-confirmation.png" alt-text="Screenshot of the Azure portal showing the successful deployment of a service and the Go to resource button.":::

+1. Confirm that the QoS characteristics, data flow policy rules, and service data flow templates listed at the bottom of the screen are configured as expected.

+## Modify an existing SIM policy to assign the new service

+In this step, we'll assign the new service (`service_allow_internal_forwarding` or `service_block_internal_forwarding`) to an existing SIM policy.

+1. Find the SIM policy configured for your UEs.

+ :::image type="content" source="media/configure-sim-policy-azure-portal/sim-policies-resource-menu-option.png" alt-text="Screenshot of the Azure portal showing the SIM policies option in the resource menu of a Mobile Network resource.":::

+1. Select the SIM policy you want to modify and select **Modify the selected SIM policy**.

+ :::image type="content" source="media/sim-policies-modify-button.png" alt-text="Screenshot of the Azure portal showing the modify SIM policies option.":::

+1. Select **Modify Network Scope** for the existing slice and data network configured for your UEs.

+1. Under **Service configuration**, add the new service.

+1. Select **Modify**.

+1. Select **Assign to SIMs**.

+1. Select **Review + modify**.

+1. Review your updated SIM policy and check that the configuration is as expected.

+ - The top level settings for the SIM policy are shown under the **Essentials** heading.

+ - The network scope configuration is shown under the **Network scope** heading including configured services under **Service configuration** and quality of service configuration under **Quality of Service (QoS)**.

+

+## Next steps

+- [Find out how to design your own policy control configuration](policy-control.md)

+ - AP5GC can support up to three attached data networks, each with its own configuration for Domain Name System (DNS), UE IP address pools, N6 IP configuration, and NAT. The operator can provision UEs as subscribed in one or more data networks and apply data network-specific policy and quality of service (QoS) configuration.

+ Title: Catalog Adoption Insights in Microsoft Purview

+description: This article describes the catalog adoption dashboards in Microsoft Purview, and how they can be used to govern and manage your data estate.

+# Get insights into catalog adoption from Microsoft Purview

+As described in the [insights concepts](concept-insights.md), the catalog adoption report is part of the "Health" section of the Data Estate Insights App. This report offers a one-stop shop experience for administrators to determine if and how the Microsoft Purview Data Catalog is being used. It helps answer questions like:

+- What are my users searching for?

+- How many people used the data catalog last month?

+- What are the most used data assets?

+## Prerequisites

+Before getting started with Microsoft Purview Data Estate Insights, make sure that you've completed the following steps:

+* Set up a storage resource and populated the account with data.

+* Set up and completed a scan your storage source.

+* [Enable and schedule your data estate insights reports](how-to-schedule-data-estate-insights.md).

+For more information to create and complete a scan, see [the manage data sources in Microsoft Purview article](manage-data-sources.md).

+## Understand your data estate and catalog health in Data Estate Insights

+In Microsoft Purview Data Estate Insights, you can get an overview of all assets inventoried in the Data Map, and any key gaps that can be closed by governance stakeholders, for better governance of the data estate.

+1. Access the [Microsoft Purview Governance Portal](https://web.purview.azure.com/) and open your Microsoft Purview account.

+1. On the Microsoft Purview **Home** page, select **Data Estate Insights** on the left menu.

+ :::image type="content" source="./media/catalog-adoption-insights/view-insights.png" alt-text="Screenshot of the Microsoft Purview governance portal with the Data Estate Insights button highlighted in the left menu.":::

+1. In the **Data Estate Insights** area, look for **Catalog Adoption** in the **Health** section.

+ :::image type="content" source="./media/catalog-adoption-insights/select-catalog-adoption.png" alt-text="Screenshot of the Microsoft Purview governance portal Data Estate Insights menu with Catalog Adoption highlighted under the Health section.":::

+## View catalog adoption dashboard

+The catalog adoption dashboard has several curated tiles and charts to identify:

+- How many active users your data catalog had in the last month

+- How many total searches were performed in the last month

+- Which data catalog features are being used

+- Most viewed assets

+- Top searched keywords in your data catalog

+### Monthly active users

+The monthly active users tile provides a count of users who have taken at least one action in the Microsoft Purview Data Catalog in the last 30 days. An action in the data catalog includes: searching for a term, browsing in the data catalog, and updating an asset in the data catalog.

+This tile also includes an indicator of a percentage increase or decrease in users from the previous month.

+### Total searches

+The total searches tile provides a count of all searches performed in the Microsoft Purview Data Catalog over the last 30 days. At the bottom it also includes an indicator of a percentage increase or decrease in the number of searches from the previous month.

+### Active users by feature category

+The active users by feature category chart allows you to monitory user activity trends in your data catalog.

+At the top of the chart, you can select your date range to view user activity on a daily, weekly, or monthly basis.

+The table then shows the number of users in the date range performing one of these three categories of actions:

+- Search and browse - the count of users who performed any search or browse action in the Microsoft Purview Data Catalog

+- Asset curation - the count of users who performed at least any one of these actions on an asset:

+ - Added, removed, or updated a rating

+ - Added or removed a tag

+ - Added or removed a glossary term

+ - Added or removed a classification

+ - Edited an asset's name or description

+ - Added or removed a certification

+ - Added or removed a column level classification, glossary term, description, name, or data type

+ - Added or removed manual lineage

+ - Added or removed a contact

+- All - the count of users who both performed search and browse and asset curation actions within the date range

+### Most viewed assets

+The most viewed assets table shows the top assets in your data catalog, by sum of views in the last 30 days.

+This table allows you to select through to your most viewed assets for more information, but the table also provides these other details:

+- Curation status - There are three possible statuses: "Fully curated", "Partially curated" and "Not curated", based on certain attributes of assets being present. An asset is "Fully curated" if it has at least one classification tag, an assigned Data Owner and a description. If any of these attributes is missing, but not all, then the asset is categorized as "Partially curated" and if all of them are missing, then it's "Not curated". For more information about the curation status of your data assets, see the [data stewardship dashboard](data-stewardship.md).

+- Views - count of the number of views the asset received in the last 30 days.

+### Top searched keywords

+The top searched keywords table shows your top keywords both for searches that produced results, and searches that didn't. That way you can know what users are finding with the data catalog, and what they're still looking for.

+At the top of the table, you can select one of the two radio buttons to select whether to show keywords for searches with results, or searches without results.

+You can select any of the keywords to run the search in the data catalog and see the results for yourself as well.

+The table also provides search volume, which is the number of times that keyword was searched in the last 30 days.

+## Next steps

+Learn more about Microsoft Purview Data Estate Insights through:

+* [Data Estate Insights Concepts](concept-insights.md)

+* [Data stewardship insights](data-stewardship.md)

+ - purviewstudio.azure.com

+Management-focused users, like a Chief Data Officer, can also get a high-level understanding of weekly and monthly active users of their catalog, and information about how the catalog is being used. Is the catalog being adopted across their organization, as better adoption leads to better overall governance penetration in the organization?

+### Catalog adoption

+The catalog adoption dashboard highlights active users, searches, viewed assets, and top searched keywords. This report helps you understand how and if your data catalog is being used, so you can see the impact it's having on data usage and discoverability.

+For more information about these dashboards, see the [catalog adoption documentation.](catalog-adoption-insights.md)

+## DevOps policies API

+Many sophisticated customers prefer to interface with Microsoft Purview via scripts rather than via the UI. Microsoft Purview DevOps policies now support a REST API offering full CRUD capability (listing, policies for SQL Performance Monitor, policies for SQL Security Auditor). See the spec [here]( /rest/api/purview/devopspolicydataplane/devops-policy).

+.

+Check these documents for more on what your IT support personnel can do when granted access via these Purview roles:

+In the **View details** page, if you select a specific collection, it will list all assets with attribute values or blanks that make up the ***fully curated*** assets.

+* [Catalog adoption insights](catalog-adoption-insights.md)

+* Blog: [Microsoft Purview DevOps policies for Azure SQL Database is now generally available](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-purview-devops-policies-for-azure-sql-database-is-now/ba-p/3775885)

+* Blog: [Microsoft Purview DevOps policies API is now public](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-purview-devops-policies-api-is-now-public/ba-p/3818931)

+ Title: Use external APIs in Workflows

+description: Work with external APIs using HTTP connector and Parse JSON in Microsoft Purview workflows.

+# Use external APIs in Workflows

+You can use [workflows](concept-workflow.md) to automate some business processes through Microsoft Purview, and the [HTTP connector](#http-connector) and [parse JSON action](#parse-json-action) allow you to integrate your workflows with external applications.

+## HTTP connector

+HTTP connectors use Representational State Transfer (REST) architecture, which allows Microsoft Purview workflows to interact directly with third party applications by using web requests.

+1. To add an HTTP connector, click on the **+** icon in the template where you want to add and select HTTP connector.

+1. Once you select HTTP connector, you see the following parameters:

+ 1. Method - Select one of the following methods. GET, PUT, PATCH, POST and DELETE. These methods correspond to create, read, update and delete operations.

+ 1. Authentication - HTTP connector is integrated with Purview credentials. Depending on the URL, you may invoke the endpoint with None (no authentication) or you can use credentials to create a basic authentication. To learn more about credentials see the [Microsoft Purview credentials article](manage-credentials.md).

+1. You are now presented with the settings for HTTP connector and you can turn secure inputs and outputs OFF.

+ :::image type="content" source="./media/how-to-use-workflow-http-connector/add-http-secure.png" alt-text="Screenshot of how to add HTTP connector secure input and outputs.":::

+

+## Parse JSON action

+The parse JSON action in workflows allows you to take an incoming JSON from HTTP (or any other action/connector), and parse the JSON to extract values for use in your workflow.

+The parse JSON action is available in all workflows.

+The parse JSON action has two parameters:

+- Content - a variable that should contain the JSON you want to parse.

+- Schema - the schema of the incoming JSON, which allows the workflow to parse the incoming information. You can supply your own, or use the **Generate from sample** button. If you generate from a sample, you'll enter a sample JSON payload and a schema will be automatically generated for you.

+Actions and connectors in the workflow after the parse JSON action will be able to use the values extracted from the JSON by selecting **Add dynamic content** for any parameters.

+## Customize network settings for your account

+When you're deploying your ARM template, you can also use the following settings in the template to manage your public network access settings:

+- **Enabled for all networks**

+ `"publicNetworkAccess": "Enabled",

+ "managedResourcesPublicNetworkAccess": "Enabled" `

+ - **Disabled for ingestion only (Preview)**

+ `"publicNetworkAccess": "Enabled",

+ "managedResourcesPublicNetworkAccess": "Disabled" `

+ - **Disabled from all networks**

+ `"publicNetworkAccess": "Disables",

+ "managedResourcesPublicNetworkAccess": "Disabled" `

+

+For example:

+`

+"resources": [

+ {

+ "type": "Microsoft.Purview/accounts",

+ "apiVersion": "2021-12-01",

+ "name": "[parameters('purviewName')]",

+ "location": "[parameters('location')]",

+ "sku": {

+ "name": "Standard",

+ "capacity": 1

+ },

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "properties": {

+ "publicNetworkAccess": "Enabled",

+ "managedResourcesPublicNetworkAccess": "Enabled"

+ "managedResourceGroupName": "[format('managed-rg-{0}', parameters('purviewName'))]"

+ }

+ }

+ ]

+`

+>Lineage is not currently supported using a self-hosted integration runtime or managed VNET runtime and a private endpoint. You need to enable Azure services to access the server under network settings for your Azure SQL Database.

+1. Sign in to Azure SQL Database with your Azure AD account, and assign `db_owner` permissions to the Microsoft Purview managed identity.

+ >[!NOTE]

+ > The 'db_owner' permissions is needed because lineage is based on XEvent sessions. So Microsoft Purview needs the permission to manage the XEvent sessions in SQL.

+You'll run the **Import data** wizard in the Azure portal to apply skills that transform and enrich content during indexing. Output is a searchable index containing AI-generated image text, captions, and entities. Enriched content is queryable in the portal using [**Search explorer**](search-explorer.md).

+If you get "Error detecting index schema from data source", the indexer that's powering the wizard can't connect to your data source. Most likely, the data source has security protections. Try the following solutions and then rerun the wizard.

+| Security feature | Solution |

+|--|-|

+| Resource requires Azure roles or its access keys are disabled | [Connect as a trusted service](search-indexer-howto-access-trusted-service-exception.md) or [connect using a managed identity](search-howto-managed-identities-data-sources.md) |

+| Resource is behind an IP firewall | [Open an inbound rule for Azure portal](search-indexer-howto-access-ip-restricted.md) |

+| Resource requires a private endpoint connection | [Create a shared private link for your target resource](search-indexer-howto-access-private.md) |

+The following recommended playbooks, and other similar playbooks are available to you in the [Content hub](sentinel-solutions-deploy.md), or in the [Microsoft Sentinel GitHub repository](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks):

+Learn how to [collect Syslog with the AMA](../azure-monitor/agents/data-collection-syslog.md), including how to configure Syslog and create a DCR.

+## Avoid data ingestion duplication

+Using the same facility for both Syslog and CEF messages may result in data ingestion duplication between the CommonSecurityLog and Syslog tables.

+To avoid this scenario, use one of these methods:

+- **If the source device enables configuration of the target facility**: On each source machine that sends logs to the log forwarder in CEF format, edit the Syslog configuration file to remove the facilities used to send CEF messages. This way, the facilities sent in CEF won't also be sent in Syslog. Make sure that each DCR you configure in the next steps uses the relevant facility for CEF or Syslog respectively.

+- **If changing the facility for the source appliance isn't applicable**: Use an ingest time transformation to filter out CEF messages from the Syslog stream to avoid duplication. The data will be sent twice from the collector machine to the workspace:

+ ```kusto

+ source |

+ where ProcessName !contains ΓÇ£\ΓÇ£CEF\ΓÇ¥ΓÇ¥

+ ```

+> Using the same facility for both Syslog and CEF messages may result in data ingestion duplication. Learn how to [avoid data ingestion duplication](#avoid-data-ingestion-duplication).

+Learn how to [collect Syslog with the Azure Monitor Agent](../azure-monitor/agents/data-collection-syslog.md), including how to configure Syslog and create a DCR.

+Learn how to [collect Syslog with the AMA](../azure-monitor/agents/data-collection-syslog.md), including how to configure Syslog and create a DCR.

+Learn how to [collect Syslog with the Azure Monitor Agent](../azure-monitor/agents/data-collection-syslog.md), including how to configure Syslog and create a DCR.

+Learn how to [collect Syslog with the Azure Monitor Agent](../azure-monitor/agents/data-collection-syslog.md), including how to configure Syslog and create a DCR.

+To implement the health and audit feature using API (Bicep/ARM/REST), review the [Diagnostic Settings operations](/rest/api/monitor/diagnostic-settings).

+To configure the retention time for your audit and health events, see [Configure data retention and archive policies in Azure Monitor Logs](../azure-monitor/logs/data-retention-archive.md).

+> [!IMPORTANT]

+>

+> The *SentinelHealth* and *SentinelAudit* data tables are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+## Data tables and resource types

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Analytics rules health](monitor-analytics-rule-integrity.md) |Public Preview |&#x2705; |&#10060; |

+|[MITRE ATT&CK dashboard](mitre-coverage.md) |Public Preview |&#x2705; |&#10060; |

+|[NRT rules](near-real-time-rules.md) |Public Preview |&#x2705; |&#x2705; |

+|[Recommendations](detection-tuning.md) |Public Preview |&#x2705; |&#10060; |

+|[Scheduled](detect-threats-built-in.md) and [Microsoft rules](create-incidents-from-alerts.md) |GA |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Content hub](sentinel-solutions.md) and [solutions](sentinel-solutions-catalog.md) |Public preview |&#x2705; |&#10060; |

+|[Repositories](ci-cd.md?tabs=github) |Public preview |&#x2705; |&#10060; |

+|[Workbooks](monitor-your-data.md) |GA |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Amazon Web Services](connect-aws.md?tabs=ct) |GA |&#x2705; |&#10060; |

+|[Amazon Web Services S3 (Preview)](connect-aws.md?tabs=s3) |Public Preview |&#x2705; |&#10060; |

+|[Azure Active Directory](connect-azure-active-directory.md) |GA |&#x2705; |&#x2705; ^{[1](#logsavailable)} |

+|[Azure Active Directory Identity Protection](connect-services-api-based.md) |GA |&#x2705; |&#10060; |

+|[Azure Activity](data-connectors/azure-activity.md) |GA |&#x2705; |&#x2705; |

+|[Azure DDoS Protection](connect-services-diagnostic-setting-based.md) |GA |&#x2705; |&#10060; |

+|[Azure Firewall](data-connectors/azure-firewall.md) |GA |&#x2705; |&#x2705; |

+|[Azure Information Protection (Preview)](data-connectors/azure-information-protection.md) |Deprecated |&#10060; |&#10060; |

+|[Azure Key Vault](data-connectors/azure-key-vault.md) |Public Preview |&#x2705; |&#x2705; |

+|[Azure Kubernetes Service (AKS)](data-connectors/azure-kubernetes-service-aks.md) |Public Preview |&#x2705; |&#x2705; |

+|[Azure SQL Databases](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-sql-solution-query-deep-dive/ba-p/2597961) |GA |&#x2705; |&#x2705; |

+|[Azure Web Application Firewall (WAF)](data-connectors/azure-web-application-firewall-waf.md) |GA |&#x2705; |&#x2705; |

+|[Cisco ASA](data-connectors/cisco-asa.md) |GA |&#x2705; |&#x2705; |

+|[Codeless Connectors Platform](create-codeless-connector.md?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal) |Public Preview |&#x2705; |&#10060; |

+|[Common Event Format (CEF)](connect-common-event-format.md) |GA |&#x2705; |&#x2705; |

+|[Common Event Format (CEF) via AMA (Preview)](connect-cef-ama.md) |Public Preview |&#x2705; |&#x2705; |

+|[Data Connectors health](monitor-data-connector-health.md#use-the-sentinelhealth-data-table-public-preview) |Public Preview |&#x2705; |&#10060; |

+|[DNS](data-connectors/dns.md) |Public Preview |&#x2705; |&#x2705; |

+|[GCP Pub/Sub Audit Logs](connect-google-cloud-platform.md) |Public Preview |&#x2705; |&#10060; |

+|[Microsoft 365 Defender](connect-microsoft-365-defender.md?tabs=MDE) |GA |&#x2705; |&#10060; |

+|[Microsoft Purview Insider Risk Management (Preview)](sentinel-solutions-catalog.md#domain-solutions) |Public Preview |&#x2705; |&#10060; |

+|[Microsoft Defender for Cloud](connect-defender-for-cloud.md) |GA |&#x2705; |&#x2705; |

+|[Microsoft Defender for IoT](connect-services-api-based.md) |GA |&#x2705; |&#10060; |

+|[Microsoft Power BI (Preview)](data-connectors/microsoft-powerbi.md) |Public Preview |&#x2705; |&#10060; |

+|[Microsoft Project (Preview)](data-connectors/microsoft-project.md) |Public Preview |&#x2705; |&#10060; |

+|[Microsoft Purview (Preview)](connect-services-diagnostic-setting-based.md) |Public Preview |&#x2705; |&#10060; |

+|[Microsoft Purview Information Protection](connect-microsoft-purview.md) |Public Preview |&#x2705; |&#10060; |

+|[Office 365](connect-services-api-based.md) |GA |&#x2705; |&#x2705; |

+|[Security Events via Legacy Agent](connect-services-windows-based.md#log-analytics-agent-legacy) |GA |&#x2705; |&#x2705; |

+|[Syslog](connect-syslog.md) |GA |&#x2705; |&#x2705; |

+|[Windows DNS Events via AMA (Preview)](connect-dns-ama.md) |Public Preview |&#x2705; |&#10060; |

+|[Windows Firewall](data-connectors/windows-firewall.md) |GA |&#x2705; |&#x2705; |

+|[Windows Forwarded Events (Preview)](connect-services-windows-based.md) |Public Preview |&#x2705; |&#x2705; |

+|[Windows Security Events via AMA](connect-services-windows-based.md) |GA |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Hunting blade](hunting.md) |GA |&#x2705; |&#x2705; |

+|[Restore historical data](restore.md) |GA |&#x2705; |&#x2705; |

+|[Search large datasets](search-jobs.md) |GA |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Add entities to threat intelligence](add-entity-to-threat-intelligence.md?tabs=incidents) |Public Preview |&#x2705; |&#10060; |

+|[Advanced and/or conditions](add-advanced-conditions-to-automation-rules.md) |Public Preview |&#x2705; |&#x2705; |

+|[Automation rules](automate-incident-handling-with-automation-rules.md) |Public Preview |&#x2705; |&#x2705; |

+|[Automation rules health](monitor-automation-health.md) |Public Preview |&#x2705; |&#10060; |

+|[Create incidents manually](create-incident-manually.md) |Public Preview |&#x2705; |&#x2705; |

+|[Cross-tenant/Cross-workspace incidents view](multiple-workspace-view.md) |GA |&#x2705; |&#x2705; |

+|[Incident advanced search](investigate-cases.md#search-for-incidents) |GA |&#x2705; |&#x2705; |

+|[Incident tasks](incident-tasks.md) |Public Preview |&#x2705; |&#x2705; |

+|[Microsoft 365 Defender incident integration](microsoft-365-defender-sentinel-integration.md#working-with-microsoft-365-defender-incidents-in-microsoft-sentinel-and-bi-directional-sync) |Public Preview |&#x2705; |&#10060; |

+|[Microsoft Teams integrations](collaborate-in-microsoft-teams.md) |Public Preview |&#x2705; |&#10060; |

+|[Playbook template gallery](use-playbook-templates.md) |Public Preview |&#x2705; |&#10060; |

+|[Run playbooks on entities](respond-threats-during-investigation.md) |Public Preview |&#x2705; |&#10060; |

+|[Run playbooks on incidents](automate-responses-with-playbooks.md) |Public Preview |&#x2705; |&#x2705; |

+|[SOC incident audit metrics](manage-soc-with-incident-metrics.md) |GA |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Anomalous RDP login detection - built-in ML detection](configure-connector-login-detection.md) |Public Preview |&#x2705; |&#x2705; |

+|[Anomalous SSH login detection - built-in ML detection](connect-syslog.md#configure-the-syslog-connector-for-anomalous-ssh-login-detection) |Public Preview |&#x2705; |&#x2705; |

+|[Bring Your Own ML (BYO-ML)](bring-your-own-ml.md) |Public Preview |&#x2705; |&#10060; |

+|[Fusion](fusion.md) - advanced multistage attack detections ^{[1](#partialga)} |GA |&#x2705; |&#x2705; |

+|[Fusion detection for ransomware](fusion.md#fusion-for-ransomware) |Public Preview |&#x2705; |&#x2705; |

+|[Fusion for emerging threats](fusion.md#fusion-for-emerging-threats) |Public Preview |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Advanced Security Information Model (ASIM)](normalization.md) |Public Preview |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Notebooks](notebooks.md) |GA |&#x2705; |&#x2705; |

+|[Notebook integration with Azure Synapse](notebooks-with-synapse.md) |Public Preview |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Threat protection for SAP](sap/deployment-overview.md)^[1](#sap) |GA |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[GeoLocation and WhoIs data enrichment](work-with-threat-indicators.md) |Public Preview |&#x2705; |&#10060; |

+|[Import TI from flat file](indicators-bulk-file-import.md) |Public Preview |&#x2705; |&#x2705; |

+|[Threat intelligence matching analytics](use-matching-analytics-to-detect-threats.md) |Public Preview |&#x2705; |&#10060; |

+|[Threat Intelligence Platform data connector](understand-threat-intelligence.md) |Public Preview |&#x2705; |&#x2705; |

+|[Threat Intelligence Research blade](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-threat-intelligence-menu-item-in-public-preview/ba-p/1646597) |GA |&#x2705; |&#x2705; |

+|[Threat Intelligence - TAXII data connector](understand-threat-intelligence.md) |GA |&#x2705; |&#x2705; |

+|[Threat Intelligence workbook](/azure/architecture/example-scenario/data/sentinel-threat-intelligence) |GA |&#x2705; |&#x2705; |

+|[URL detonation](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-the-new-built-in-url-detonation-in-azure-sentinel/ba-p/996229) |Public Preview |&#x2705; |&#10060; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Active Directory sync via MDI](enable-entity-behavior-analytics.md#how-to-enable-user-and-entity-behavior-analytics) |Public preview |&#x2705; |&#10060; |

+|[Azure resource entity pages](entity-pages.md) |Public Preview |&#x2705; |&#10060; |

+|[Entity insights](identify-threats-with-entity-behavior-analytics.md) |GA |&#x2705; |&#x2705; |

+|[Entity pages](entity-pages.md) |GA |&#x2705; |&#x2705; |

+|[Identity info table data ingestion](investigate-with-ueba.md) |GA |&#x2705; |&#x2705; |

+|[IoT device entity page](/azure/defender-for-iot/organizations/iot-advanced-threat-monitoring#investigate-further-with-iot-device-entities) |Public Preview |&#x2705; |&#10060; |

+|[Peer/Blast radius enrichments](identify-threats-with-entity-behavior-analytics.md#what-is-user-and-entity-behavior-analytics-ueba) |Public preview |&#x2705; |&#10060; |

+|[SOC-ML anomalies](soc-ml-anomalies.md#what-are-customizable-anomalies) |GA |&#x2705; |&#10060; |

+|[UEBA anomalies](soc-ml-anomalies.md#ueba-anomalies) |GA |&#x2705; |&#10060; |

+|[UEBA enrichments\insights](investigate-with-ueba.md) |GA |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure China 21Vianet |

+|||||

+|[Large watchlists from Azure Storage](watchlists.md) |Public Preview |&#x2705; |&#10060; |

+|[Watchlists](watchlists.md) |GA |&#x2705; |&#x2705; |

+|[Watchlist templates](watchlist-schemas.md) |Public Preview |&#x2705; |&#10060; |

+# Tutorial: Forward syslog data to a Log Analytics workspace with Microsoft Sentinel by using the Azure Monitor agent

+See step by step guide [here](../azure-monitor/agents/data-collection-syslog.md#create-a-data-collection-rule).

+Learn more about:

+> [Collect syslog with Azure Monitor Agent overview](../azure-monitor/agents/data-collection-syslog.md)

+If you want to migrate your Splunk Observability deployment, learn more about how to [migrate from Splunk to Azure Monitor Logs](../azure-monitor/logs/migrate-splunk-to-azure-monitor-logs.md).

+|Migrate from Splunk |ΓÇó [Migrate detection rules](migration-splunk-detection-rules.md)<br>ΓÇó [Migrate SOAR automation](migration-splunk-automation.md)<br>ΓÇó [Export historical data](migration-splunk-historical-data.md)<br><br>If you want to migrate your Splunk Observability deployment, learn more about how to [migrate from Splunk to Azure Monitor Logs](../azure-monitor/logs/migrate-splunk-to-azure-monitor-logs.md). |

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+## Next steps

+In this article, you learned how to monitor the SAP audit log using Microsoft Sentinel built-in analytics rules.

+- [Learn more about the SAP Audit log monitor rules](sap-solution-security-content.md#monitoring-the-sap-audit-log)

+- [Learn about the SAP Audit Log workbook](sap-audit-log-workbook.md)

+## Deployment milestones

+Track your SAP solution deployment journey through this series of articles:

+1. [Deployment overview](deployment-overview.md)

+1. [Deployment prerequisites](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)

+1. [Work with the solution across multiple workspaces](cross-workspace.md) (PREVIEW)

+1. [Prepare SAP environment](preparing-sap.md)

+1. **Configure auditing (*You are here*)**

+1. [Deploy data connector agent](deploy-data-connector-agent-container.md)

+1. [Deploy SAP security content](deploy-sap-security-content.md)

+1. [Configure Microsoft Sentinel solution for SAP® applications](deployment-solution-configuration.md)

+1. Optional deployment steps

+ - [Configure data connector to use SNC](configure-snc.md)

+ - [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)

+ - [Configure audit log monitoring rules](configure-audit-log-rules.md)

+ - [Deploy SAP connector manually](sap-solution-deploy-alternate.md)

+ - [Select SAP ingestion profiles](select-ingestion-profiles.md)

+In this article, you learned how to enable and configure SAP auditing for Microsoft Sentinel.

+Now you are ready to deploy the data connector agent container.

+> [!div class="nextstepaction"]

+> [Deploy and configure the container hosting the data connector agent](deploy-data-connector-agent-container.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+1. [Configure auditing](configure-audit.md)

+1. Optional deployment steps

+ - [Configure data connector to use SNC](configure-snc.md)

+ - [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)

+ - [Configure audit log monitoring rules](configure-audit-log-rules.md)

+ - [Deploy SAP connector manually](sap-solution-deploy-alternate.md)

+ - [Select SAP ingestion profiles](select-ingestion-profiles.md)

+1. [Configure auditing](configure-audit.md)

+1. Optional deployment steps

+ - [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)

+ - [Configure audit log monitoring rules](configure-audit-log-rules.md)

+ - [Deploy SAP connector manually](sap-solution-deploy-alternate.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+> [!TIP]

+> Learn how to [monitor the health and role of your SAP systems](../monitor-sap-system-health.md).

+| **5. Configure auditing** | [Configure auditing](configure-audit.md) |

+| **6. Deploy data connector agent** | [Deploy and configure the container hosting the data connector agent](deploy-data-connector-agent-container.md) |

+| **7. Deploy SAP security content** | [Deploy SAP security content](deploy-sap-security-content.md)

+| **8. Configure the solution** | [Configure Microsoft Sentinel solution for SAP® applications](deployment-solution-configuration.md) |

+| **9. Optional steps** |- [Configure Microsoft Sentinel for SAP data connector to use SNC](configure-snc.md)<br>- [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)<br>- [Configure audit log monitoring rules](configure-audit-log-rules.md)<br>- [Deploy SAP connector manually](sap-solution-deploy-alternate.md)<br>- [Select SAP ingestion profiles](select-ingestion-profiles.md) |

+1. [Configure auditing](configure-audit.md)

+1. Optional deployment steps

+ - [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)

+ - [Configure audit log monitoring rules](configure-audit-log-rules.md)

+ - [Deploy SAP connector manually](sap-solution-deploy-alternate.md)

+## Next steps

+Learn more about the Microsoft Sentinel solution for SAP® applications:

+- [Deploy Microsoft Sentinel solution for SAP® applications](deployment-overview.md)

+- [Prerequisites for deploying Microsoft Sentinel solution for SAP® applications](prerequisites-for-deploying-sap-continuous-threat-monitoring.md)

+- [Deploy SAP Change Requests (CRs) and configure authorization](preparing-sap.md)

+- [Deploy and configure container hosting the SAP data connector agent](deploy-data-connector-agent-container.md)

+- [Deploy SAP security content](deploy-sap-security-content.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Deploy the Microsoft Sentinel for SAP data connector with SNC](configure-snc.md)

+- [Enable and configure SAP auditing](configure-audit.md)

+- [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)

+Troubleshooting:

+- [Troubleshoot your Microsoft Sentinel solution for SAP® applications deployment](sap-deploy-troubleshoot.md)

+- [Configure SAP Transport Management System](configure-transport.md)

+Reference files:

+- [Microsoft Sentinel solution for SAP® applications data reference](sap-solution-log-reference.md)

+- [Microsoft Sentinel solution for SAP® applications: security content reference](sap-solution-security-content.md)

+- [Kickstart script reference](reference-kickstart.md)

+- [Update script reference](reference-update.md)

+- [Systemconfig.ini file reference](reference-systemconfig.md)

+For more information, see [Microsoft Sentinel solutions](../sentinel-solutions.md).

+1. [Configure auditing](configure-audit.md)

+1. Optional deployment steps

+ - [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)

+ - [Configure audit log monitoring rules](configure-audit-log-rules.md)

+ - [Deploy SAP connector manually](sap-solution-deploy-alternate.md)

+Now you are ready to enable and configure SAP auditing for Microsoft Sentinel.

+> [Enable and configure SAP auditing for Microsoft Sentinel](configure-audit.md)

+1. [Configure auditing](configure-audit.md)

+1. Optional deployment steps

+ - [Collect SAP HANA audit logs](collect-sap-hana-audit-logs.md)

+ - [Configure audit log monitoring rules](configure-audit-log-rules.md)

+ - [Deploy SAP connector manually](sap-solution-deploy-alternate.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+- [Monitor the health of your SAP system](../monitor-sap-system-health.md)

+The `Complete`, `DeadLetter`, or `RenewLock` operations may fail due to network issues, if the held lock has expired, or there are other service-side conditions that prevent settlement. In one of the latter cases, the service sends a negative acknowledgment that surfaces as an exception in the API clients. If the reason is a broken network connection, the lock is dropped since Service Bus doesn't support recovery of existing AMQP links on a different connection.

+Yes. Site Recovery converts from generation 2 to generation 1 during failover. At failback the machine is converted back to generation 2. [Read more](https://azure.microsoft.com/blog/new-azure-migrate-and-azure-site-recovery-enhancements-for-cloud-migration/).

+VM type | Generation 1<br/><br/> Generation 2--Windows | Generation 2 VMs with an OS disk type of basic (which includes one or two data volumes formatted as VHDX) and less than 2 TB of disk space are supported.<br></br>Linux Generation 2 VMs aren't supported. [Learn more](https://azure.microsoft.com/blog/new-azure-migrate-and-azure-site-recovery-enhancements-for-cloud-migration/).|

+In the following example, we create a [complex variable](https://learn.microsoft.com/powershell/module/az.automation/set-azautomationvariable) in the Azure Automation account.

+| 3.0.x | 2022.0.x |

+| 3.0.x | 2022.0.x |

+### Dependencies for Spring Boot version 2.5/2.6/2.7

+For Spring Boot version 2.5, add the following dependencies to the application POM file.

+ <version>2020.0.6</version>

+ <version>2.7.8</version>

+ <version>2021.0.6</version>

+| Azure Files (REST) | [Supported](/rest/api/storageservices/authorize-with-shared-key/) | [Supported](storage-sas-overview.md) | [Supported (preview)](../files/authorize-oauth-rest.md) | Not supported | Not supported | Not supported |

+https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/providers/Microsoft.Security/defenderForStorageSettings/current?api-version=2022-12-01-preview

+az elastic-san create -n $sanName -g $resourceGroupName -l $sanLocation --base-size-tib 100 --extended-capacity-size-tib 20 --sku "{name:Premium_LRS,tier:Premium}"

+Azure Files supports 10,000 open handles on the root directory and 2,000 open handles per file and directory within the share.

+#### Azure Files scalability improvement for Azure Virtual Desktop and other workloads is generally available

+Azure Files has increased the root directory handle limit per share from 2,000 to 10,000 for standard and premium file shares. This improvement benefits applications that keep an open handle on the root directory. For example, Azure Virtual Desktop with FSLogix profile containers now supports 10,000 active users per share (5x improvement).

+Note: The number of active users supported per share is dependent on the applications that are accessing the share. If your applications are not opening a handle on the root directory, Azure Files can support more than 10,000 active users per share.

+

+The root directory handle limit has been increased in all regions and applies to all existing and new file shares. For more information about Azure Files scale targets, see: [Azure Files scalability and performance targets](storage-files-scale-targets.md).

+| Maximum concurrent handles for root directory³ | 10,000 handles | 10,000 handles |

+| Maximum concurrent handles per file and directory³ | 2,000 handles | 2,000 handles |

+^{3 Azure Files supports 10,000 open handles on the root directory and 2,000 open handles per file and directory within the share. The number of active users supported per share is dependent on the applications that are accessing the share. If your applications are not opening a handle on the root directory, Azure Files can support more than 10,000 active users per share.}

+ GET https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Synapse/workspaces/{workspace-name}/sqlPools?api-version=2021-06-01-preview

+ @concat('https://management.azure.com/subscriptions/',pipeline().parameters.SubscriptionID,'/resourceGroups/',pipeline().parameters.ResourceGroup,'/providers/Microsoft.Synapse/workspaces/',pipeline().parameters.WorkspaceName,'/sqlPools?api-version=2021-06-01-preview')

+ GET https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Synapse/workspaces/{workspace-name}/sqlPools/{database-name}?api-version=2021-06-01-preview HTTP/1.1

+ @concat('https://management.azure.com/subscriptions/',pipeline().parameters.SubscriptionID,'/resourceGroups/',pipeline().parameters.ResourceGroup,'/providers/Microsoft.Synapse/workspaces/',pipeline().parameters.WorkspaceName,'/sqlPools/',item().name,'?api-version=2021-06-01-preview')

+ POST https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Synapse/workspaces/{workspace-name}/sqlPools/{database-name}/resume?api-version=2021-06-01-preview HTTP/1.1

+ @concat('https://management.azure.com/subscriptions/',pipeline().parameters.SubscriptionID,'/resourceGroups/',pipeline().parameters.ResourceGroup,'/providers/Microsoft.Synapse/workspaces/',pipeline().parameters.WorkspaceName,'/sqlPools/',activity('CheckState').output.name,'/resume?api-version=2021-06-01-preview')

+ POST https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Synapse/workspaces/{workspace-name}/sqlPools/{database-name}/pause?api-version=2021-06-01-preview HTTP/1.1

+ @concat('https://management.azure.com/subscriptions/',pipeline().parameters.SubscriptionID,'/resourceGroups/',pipeline().parameters.ResourceGroup,'/providers/Microsoft.Synapse/workspaces/',pipeline().parameters.WorkspaceName,'/sqlPools/',activity('CheckState').output.name,'/pause?api-version=2021-06-01-preview')

+| MicrosoftWindowsServer | WindowsServer | 2022-Datacenter-azure-edition |

+| MicrosoftWindowsServer | WindowsServer | 2022-Datacenter-azure-edition-smalldisk |

+| MicrosoftWindowsServer | WindowsServer | 2022-Datacenter-azure-edition-core |

+| MicrosoftWindowsServer | WindowsServer | 2022-Datacenter-azure-edition-core-smalldisk |

+- Availability zones

+- Fault domains

+| Oracle 7.9 | Oracle: Oracle-Linux:ol79-lvm-gen2:latest |

+| Oracle 8.5 | Oracle: Oracle-Linuz:ol85-lvm-gen2:latest |

+| Oracle 8.6 | Oracle: Oracle-Linux:ol86-lvm-gen2:latest |

+| Oracle 8.7 | Oracle: Oracle-Linux:ol87-lvm-gen2:latest |

+| Oracle 9.0 | Oracle: Oracle-Linux:ol9-lvm-gen2:latest |

+| Oracle 9.1 | Oracle: Oracle-Linux:ol91-lvm-gen2:latest |

+| RHEL 9.0 | RedHat: RHEL:90-gen2:latest |

+| SLES 15.4 | suse: sles-15-sp4:gen2:latest |

+| Standard_HB60-45rs | 45 | AMD EPYC 7551 | 228 | 263 | 2.0 | 2.55 | 2.55 | 100 | All | 700 | 4 | 8 |

+| Standard_HB60-30rs | 30 | AMD EPYC 7551 | 228 | 263 | 2.0 | 2.55 | 2.55 | 100 | All | 700 | 4 | 8 |

+| Standard_HB60-15rs | 15 | AMD EPYC 7551 | 228 | 263 | 2.0 | 2.55 | 2.55 | 100 | All | 700 | 4 | 8 |

+Standard_HB120-96rs_v3 | 4 | 24 | Dual-socket EPYC 7643 |

+Standard_HB120-64rs_v3 | 4 | 16 | Dual-socket EPYC 7573X |

+Standard_HB120-32rs_v3 | 4 | 8 | Dual-socket EPYC 7373X |

+Standard_HB120-16rs_v3 | 4 | 4 | Dual-socket EPYC 72F3 |

+> [!TIP]

+> Eviction rates are quoted _per hour_. For example, an eviction rate of 10% means a VM has a 10% chance of being evicted within the next hour, based on historical eviction data of the last 28 days.

+For the following image sources, the security type on the image definition should be set to `TrustedLaunch`:

+For the following image sources, the security type on the image definition should be set to `TrustedLaunchsupported`:

+No VM Guest State information shall be included in the image source.

+These images can be shared using [Azure Compute Gallery - Direct Shared Gallery](../virtual-machines/azure-compute-gallery.md#shared-directly-to-a-tenant-or-subscription) and [Azure Compute Gallery - Community Gallery](../virtual-machines/azure-compute-gallery.md#community-gallery)