+| SamlAssertionDecryption |No* | The X509 certificate (RSA key set). A SAML identity provider uses the public portion of the certificate to encrypt the assertion of the SAML response. Azure AD B2C uses the private portion of the certificate to decrypt the assertion. <br/><br/> * Required if the external IDP encrypts SAML assertions.|

+Provisioning connectors are set up and configured using the [Azure portal](https://portal.azure.com), by following the [provided documentation](../saas-apps/tutorial-list.md) for the supported application. Once configured and running, provisioning jobs can be reported on using the following methods:

+- The [Azure portal](https://portal.azure.com)

+- Streaming the provisioning logs into [Azure Monitor](../app-provisioning/application-provisioning-log-analytics.md). This method allows for extended data retention and building custom dashboards, alerts, and queries.

+- Querying the [Microsoft Graph API](/graph/api/resources/provisioningobjectsummary) for the provisioning logs.

+- Downloading the provisioning logs as a CSV or JSON file.

+To get provisioning report information for a given application, start by launching the [Azure portal](https://portal.azure.com) and **Azure Active Directory** &gt; **Enterprise Apps** &gt; **Provisioning logs** in the **Activity** section. You can also browse to the Enterprise Application for which provisioning is configured. For example, if you are provisioning users to LinkedIn Elevate, the navigation path to the application details is:

+## Provisioning logs

+All activities performed by the provisioning service are recorded in the Azure AD [provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). You can access the provisioning logs in the Azure portal by selecting **Azure Active Directory** &gt; **Enterprise Apps** &gt; **Provisioning logs ** in the **Activity** section. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+1. Review the [provisioning logs](../app-provisioning/check-status-user-account-provisioning.md) to determine what incorrect operations occurred on the affected users and/or groups.

+* [Writing expressions for attribute mappings in Azure Active directory](../app-provisioning/functions-for-customizing-application-data.md)

+1. Review the [provisioning logs](../app-provisioning/check-status-user-account-provisioning.md#provisioning-logs) to determine what incorrect operations were performed on the affected users or groups. For more information on the provisioning summary report and logs, see [Manage cloud HR app user provisioning](#manage-your-configuration).

+ Cd c:\NPS

+1. Create a *.env* file in the root of your project folder. Then add the following code:

+1. Create a new file named *auth.js* under the *router* folder and add the following code there:

+Create a file named *fetch.js* in the root of your project and add the following code:

+$serverServicePrincipalObjectId = $serverServicePrincipal.Id

+ Title: 'Tutorial: Azure AD SSO integration with Agile Provisioning'

+description: Learn how to configure single sign-on between Azure Active Directory and Agile Provisioning.

+# Tutorial: Azure AD SSO integration with Agile Provisioning

+In this tutorial, you'll learn how to integrate Agile Provisioning with Azure Active Directory (Azure AD). When you integrate Agile Provisioning with Azure AD, you can:

+* Control in Azure AD who has access to Agile Provisioning.

+* Enable your users to be automatically signed-in to Agile Provisioning with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Agile Provisioning single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Agile Provisioning supports **SP** and **IDP** initiated SSO.

+## Add Agile Provisioning from the gallery

+To configure the integration of Agile Provisioning into Azure AD, you need to add Agile Provisioning from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Agile Provisioning** in the search box.

+1. Select **Agile Provisioning** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Agile Provisioning

+Configure and test Azure AD SSO with Agile Provisioning using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Agile Provisioning.

+To configure and test Azure AD SSO with Agile Provisioning, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Agile Provisioning SSO](#configure-agile-provisioning-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Agile Provisioning test user](#create-agile-provisioning-test-user)** - to have a counterpart of B.Simon in Agile Provisioning that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Agile Provisioning** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a value using the following pattern:

+ `<CustomerFullyQualifiedName>`

+

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://<CustomerFullyQualifiedName>/web-portal/saml/SSO`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<CustomerFullyQualifiedName>/web-portal/`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Agile Provisioning Client support team](mailto:support@flexcomlabs.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Agile Provisioning.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Agile Provisioning**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Agile Provisioning SSO

+To configure single sign-on on **Agile Provisioning** side, you need to send the **App Federation Metadata Url** to [Agile Provisioning support team](mailto:support@flexcomlabs.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Agile Provisioning test user

+In this section, you create a user called Britta Simon in Agile Provisioning. Work with [Agile Provisioning support team](mailto:support@flexcomlabs.com) to add the users in the Agile Provisioning platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Agile Provisioning Sign on URL where you can initiate the login flow.

+* Go to Agile Provisioning Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Agile Provisioning for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Agile Provisioning tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Agile Provisioning for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Agile Provisioning you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure Active Directory integration with AirWatch'

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+ a. In the **Identifier (Entity ID)** text box, type the value as:

+ b. In the **Reply URL** text box, type a URL using one of the following patterns:

+ | Reply URL|

+ |--|

+ | `https://<SUBDOMAIN>.awmdm.com/<COMPANY_CODE>` |

+ | `https://<SUBDOMAIN>.airwatchportals.com/<COMPANY_CODE>` |

+ |

+ c. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<subdomain>.awmdm.com/AirWatch/Login?gid=companycode`

+ > These values are not the real. Update these values with the actual Reply URL and Sign-on URL. Contact [AirWatch Client support team](https://www.vmware.com/in/support/acquisitions/airwatch.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+ Title: 'Tutorial: Azure AD SSO integration with ASC Contracts'

+# Tutorial: Azure AD SSO integration with ASC Contracts

+In this tutorial, you'll learn how to integrate ASC Contracts with Azure Active Directory (Azure AD). When you integrate ASC Contracts with Azure AD, you can:

+* Control in Azure AD who has access to ASC Contracts.

+* Enable your users to be automatically signed-in to ASC Contracts with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* ASC Contracts single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* ASC Contracts supports **IDP** initiated SSO.

+## Add ASC Contracts from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **ASC Contracts** in the search box.

+1. Select **ASC Contracts** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for ASC Contracts

+Configure and test Azure AD SSO with ASC Contracts using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ASC Contracts.

+To configure and test Azure AD SSO with ASC Contracts, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure ASC Contracts SSO](#configure-asc-contracts-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create ASC Contracts test user](#create-asc-contracts-test-user)** - to have a counterpart of B.Simon in ASC Contracts that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **ASC Contracts** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+

+ 

+1. On the **Basic SAML Configuration** page, perform the following steps:

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up ASC Contracts** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ASC Contracts.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **ASC Contracts**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure ASC Contracts SSO

+To configure single sign-on on **ASC Contracts** side, call ASC Networks Inc. (ASC) support at **613.599.6178** and provide them with the downloaded **Federation Metadata XML**. They set this application up to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the ASC Contracts for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the ASC Contracts tile in the My Apps, you should be automatically signed in to the ASC Contracts for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure ASC Contracts you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with CWT'

+description: Learn how to configure single sign-on between Azure Active Directory and CWT.

+# Tutorial: Azure AD SSO integration with CWT

+In this tutorial, you'll learn how to integrate CWT with Azure Active Directory (Azure AD). When you integrate CWT with Azure AD, you can:

+* Control in Azure AD who has access to CWT.

+* Enable your users to be automatically signed-in to CWT with their Azure AD accounts.

+* CWT single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* CWT supports **IDP** initiated SSO.

+## Add CWT from the gallery

+To configure the integration of CWT into Azure AD, you need to add CWT from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **CWT** in the search box.

+1. Select **CWT** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for CWT

+Configure and test Azure AD SSO with CWT using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in CWT.

+To configure and test Azure AD SSO with CWT, perform the following steps:

+1. **[Configure CWT SSO](#configure-cwt-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create CWT test user](#create-cwt-test-user)** - to have a counterpart of B.Simon in CWT that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **CWT** application integration page, find the **Manage** section and select **single sign-on**.

+ 

+1. On the **Basic SAML Configuration** section, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.

+1. On the **Set-up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set-up CWT** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to CWT.

+1. In the applications list, select **CWT**.

+## Configure CWT SSO

+To configure single sign-on on **CWT** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [CWT support team](https://www.mycwt.com/traveler-help/). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create CWT test user

+In this section, you create a user called Britta Simon in CWT. Work with [CWT support team](https://www.mycwt.com/traveler-help/) to add the users in the CWT platform. Users must be created and activated before you use single sign-on.

+* Click on Test this application in Azure portal and you should be automatically signed in to the CWT for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the CWT tile in the My Apps, you should be automatically signed in to the CWT for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+Once you configure CWT you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Cloud Service PICCO'

+# Tutorial: Azure AD SSO integration with Cloud Service PICCO

+In this tutorial, you'll learn how to integrate Cloud Service PICCO with Azure Active Directory (Azure AD). When you integrate Cloud Service PICCO with Azure AD, you can:

+* Control in Azure AD who has access to Cloud Service PICCO.

+* Enable your users to be automatically signed-in to Cloud Service PICCO with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Cloud Service PICCO single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Cloud Service PICCO supports **SP** initiated SSO.

+* Cloud Service PICCO supports **Just In Time** user provisioning.

+## Add Cloud Service PICCO from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Cloud Service PICCO** in the search box.

+1. Select **Cloud Service PICCO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Cloud Service PICCO

+Configure and test Azure AD SSO with Cloud Service PICCO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cloud Service PICCO.

+To configure and test Azure AD SSO with Cloud Service PICCO, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Cloud Service PICCO SSO](#configure-cloud-service-picco-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Cloud Service PICCO test user](#create-cloud-service-picco-test-user)** - to have a counterpart of B.Simon in Cloud Service PICCO that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Cloud Service PICCO** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** box, type a value using the following pattern:

+ `<SUB DOMAIN>.cloudservicepicco.com`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ c. In the **Sign-on URL** text box, type a URL using the following pattern:

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Cloud Service PICCO Client support team](mailto:picco.support@est.fujitsu.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Cloud Service PICCO.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Cloud Service PICCO**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Cloud Service PICCO SSO

+To configure single sign-on on **Cloud Service PICCO** side, you need to send the **App Federation Metadata Url** to [Cloud Service PICCO support team](mailto:picco.support@est.fujitsu.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Cloud Service PICCO Sign-on URL where you can initiate the login flow.

+* Go to Cloud Service PICCO Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Cloud Service PICCO tile in the My Apps, this will redirect to Cloud Service PICCO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Cloud Service PICCO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Guardium Data Protection'

+description: Learn how to configure single sign-on between Azure Active Directory and Guardium Data Protection.

+# Tutorial: Azure AD SSO integration with Guardium Data Protection

+In this tutorial, you'll learn how to integrate Guardium Data Protection with Azure Active Directory (Azure AD). When you integrate Guardium Data Protection with Azure AD, you can:

+* Control in Azure AD who has access to Guardium Data Protection.

+* Enable your users to be automatically signed-in to Guardium Data Protection with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Guardium Data Protection single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Guardium Data Protection supports **SP** and **IDP** initiated SSO.

+## Add Guardium Data Protection from the gallery

+To configure the integration of Guardium Data Protection into Azure AD, you need to add Guardium Data Protection from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Guardium Data Protection** in the search box.

+1. Select **Guardium Data Protection** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Guardium Data Protection

+Configure and test Azure AD SSO with Guardium Data Protection using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Guardium Data Protection.

+To configure and test Azure AD SSO with Guardium Data Protection, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Guardium Data Protection SSO](#configure-guardium-data-protection-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Guardium Data Protection test user](#create-guardium-data-protection-test-user)** - to have a counterpart of B.Simon in Guardium Data Protection that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Guardium Data Protection** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a value using the following pattern:

+ `<hostname>`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://<hostname>:8443/saml/sso`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+

+ In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<hostname>:8443`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Guardium Data Protection support team](mailto:NA@ibm.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Guardium Data Protection application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Guardium Data Protection application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirement.

+ | Name | Source Attribute |

+ |-| |

+ | jobtitle | user.jobtitle |

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Guardium Data Protection** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Guardium Data Protection.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Guardium Data Protection**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Guardium Data Protection SSO

+To configure single sign-on on **Guardium Data Protection** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Guardium Data Protection support team](mailto:NA@ibm.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Guardium Data Protection test user

+In this section, you create a user called Britta Simon in Guardium Data Protection. Work with [Guardium Data Protection support team](mailto:NA@ibm.com) to add the users in the Guardium Data Protection platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Guardium Data Protection Sign on URL where you can initiate the login flow.

+* Go to Guardium Data Protection Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Guardium Data Protection for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Guardium Data Protection tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Guardium Data Protection for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Guardium Data Protection you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Javelo'

+description: Learn how to configure single sign-on between Azure Active Directory and Javelo.

+# Tutorial: Azure AD SSO integration with Javelo

+In this tutorial, you'll learn how to integrate Javelo with Azure Active Directory (Azure AD). When you integrate Javelo with Azure AD, you can:

+* Control in Azure AD who has access to Javelo.

+* Enable your users to be automatically signed-in to Javelo with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Javelo single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Javelo supports **SP** initiated SSO.

+* Javelo supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Javelo from the gallery

+To configure the integration of Javelo into Azure AD, you need to add Javelo from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Javelo** in the search box.

+1. Select **Javelo** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Javelo

+Configure and test Azure AD SSO with Javelo using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Javelo.

+To configure and test Azure AD SSO with Javelo, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Javelo SSO](#configure-javelo-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Javelo test user](#create-javelo-test-user)** - to have a counterpart of B.Simon in Javelo that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Javelo** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, Upload the **Service Provider metadata file** which you can download from the [URL](https://api.javelo.io/omniauth/<CustomerSPIdentifier>_saml/metadata) and perform the following steps:

+ a. Click **Upload metadata file**.

+ 

+ b. Click on **folder logo** to select the metadata file and click **Upload**.

+ 

+ c. Once the metadata file is successfully uploaded, the necessary URLs get auto populated automatically.

+ d. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<CustomerSubdomain>.javelo.io/auth/login`

+ > [!NOTE]

+ > This value is not real. Update this value with the actual Sign-on URL. Contact [Javelo Client support team](mailto:Support@javelo.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Javelo.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Javelo**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Javelo SSO

+1. Log in to your Javelo company site as an administrator.

+1. Go to **Admin** view and navigate to **SSO** tab > **Azure Active Directory** and click **Configure**.

+1. In the **Enable SSO with Azure Active Directory** page, perform the following steps:

+ 

+ a. Enter a valid name in the **Provider** textbox.

+ b. In the **Entity ID** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.

+ c. In the **Metadata URL** textbox, paste the **App Federation Metadata Url** which you have copied from the Azure portal.

+ d. Click **Test URL**.

+ e. Enter a valid domain in the **Email Domains** textbox.

+ f. Click **Enable SSO with Azure Active Directory**.

+### Create Javelo test user

+In this section, a user called B.Simon is created in Javelo. Javelo supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Javelo, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Javelo Sign-on URL where you can initiate the login flow.

+* Go to Javelo Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Javelo tile in the My Apps, this will redirect to Javelo Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Javelo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with Palo Alto Networks - Admin UI'

+* It is a requirement that the service should be public available. Please refer [this](../develop/single-sign-on-saml-protocol.md) page for more information.

+1. In a different web browser window, log in to Snowflake as a Security Administrator.

+If you are using a new Snowflake URL with an organization name as the login URL, it is necessary to update the following parameters:

+ Alter the integration to add Snowflake Issuer URL and SAML2 Snowflake ACS URL, please follow the step-6 in [this](https://community.snowflake.com/s/article/HOW-TO-SETUP-SSO-WITH-ADFS-AND-THE-SNOWFLAKE-NEW-URL-FORMAT-OR-PRIVATELINK) article for more information.

+1. [ SAML2_SNOWFLAKE_ISSUER_URL = '<string_literal>' ]

+ alter security integration `<your security integration name goes here>` set SAML2_SNOWFLAKE_ISSUER_URL = `https://<organization_name>-<account name>.snowflakecomputing.com`;

+2. [ SAML2_SNOWFLAKE_ACS_URL = '<string_literal>' ]

+ alter security integration `<your security integration name goes here>` set SAML2_SNOWFLAKE_ACS_URL = `https://<organization_name>-<account name>.snowflakecomputing.com/fed/login`;

+* Click on **Test this application** in Azure portal. This will redirect to Snowflake Sign-on URL where you can initiate the login flow.

+* Go to Snowflake Sign on URL directly and initiate the login flow from there.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Snowflake tile in the My Apps, if configured in SP mode you would be redirected to the application Sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Snowflake for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+ Title: 'Tutorial: Azure AD SSO integration with TimeOffManager'

+# Tutorial: Azure AD SSO integration with TimeOffManager

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* TimeOffManager supports **IDP** initiated SSO.

+* TimeOffManager supports **Just In Time** user provisioning.

+## Add TimeOffManager from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for TimeOffManager

+To configure and test Azure AD SSO with TimeOffManager, perform the following steps:

+1. In the Azure portal, on the **TimeOffManager** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following step:

+ 

+ 

+ 

+ 

+ 

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the TimeOffManager for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the TimeOffManager tile in the My Apps, you should be automatically signed in to the TimeOffManager for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure TimeOffManager you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Versal'

+# Tutorial: Azure AD SSO integration with Versal

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Versal supports **IDP** initiated SSO.

+## Add Versal from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for Versal

+To configure and test Azure AD SSO with Versal, perform the following steps:

+1. In the Azure portal, on the **Versal** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** page, perform the following steps:

+ a. In the **Identifier** text box, type the value:

+ 

+ 

+ 

+## Next steps

+Once you configure Versal you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+[user-assigned managed identity]: use-managed-identity.md#bring-your-own-control-plane-managed-identity

+### Before you begin

+You must have the following resource installed:

+* The Azure CLI

+* The `aks-preview` extension version 0.5.50 or later

+* Kubernetes version 1.22.x or above

+#### Install the aks-preview CLI extension

+```azurecli-interactive

+# Install the aks-preview extension

+az extension add --name aks-preview

+# Update the extension to make sure you have the latest version installed

+az extension update --name aks-preview

+```

+### Create a Private Link service connection

+To attach an Azure Private Link service to an internal load balancer, create a service manifest named `internal-lb-pls.yaml` with the service type *LoadBalancer* and the *azure-load-balancer-internal* and *azure-pls-create* annotation as shown in the example below. For more options, refer to the [Azure Private Link Service Integration](https://kubernetes-sigs.github.io/cloud-provider-azure/development/design-docs/pls-integration/) design document

+### Create a Private Endpoint to the Private Link service

+ Title: Use a service principal with Azure Kubernetes Services (AKS)

+description: Create and manage an Azure Active Directory service principal with a cluster in Azure Kubernetes Service (AKS)

+# Use a service principal with Azure Kubernetes Service (AKS)

+To access other Azure Active Directory (Azure AD) resources, an AKS cluster requires either an [Azure Active Directory (AD) service principal][aad-service-principal] or a [managed identity][managed-identity-resources-overview]. A service principal or managed identity is needed to dynamically create and manage other Azure resources such as an Azure load balancer or container registry (ACR).

+Managed identities are the recommended way to authenticate with other resources in Azure, and is the default authentication method for your AKS cluster. For more information about using a managed identity with your cluster, see [Use a system-assigned managed identity][use-managed-identity].

+To create an Azure AD service principal, you must have permissions to register an application with your Azure AD tenant, and to assign the application to a role in your subscription. If you don't have the necessary permissions, you need to ask your Azure AD or subscription administrator to assign the necessary permissions, or pre-create a service principal for you to use with the AKS cluster.

+If you're using a service principal from a different Azure AD tenant, there are other considerations around the permissions available when you deploy the cluster. You may not have the appropriate permissions to read and write directory information. For more information, see [What are the default user permissions in Azure Active Directory?][azure-ad-permissions]

+## Prerequisites

+Azure CLI version 2.0.59 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+Azure PowerShell version 5.0.0 or later. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install the Azure Az PowerShell module][install-the-azure-az-powershell-module].

+The output is similar to the following example. Copy the values for `appId` and `password`. These values are used when you create an AKS cluster in the next section.

+To decrypt the value stored in the **Secret** secure string, run the following command:

+> If you're using an existing service principal with customized secret, ensure the secret is not longer than 190 bytes.

+> Permission granted to a cluster using a system-assigned managed identity may take up 60 minutes to populate.

+The following sections detail common delegations that you may need to assign.

+You may use advanced networking where the virtual network and subnet or public IP addresses are in another resource group. Assign the [Network Contributor][rbac-network-contributor] built-in role on the subnet within the virtual network. Alternatively, you can create a [custom role][rbac-custom-role] with permissions to access the network resources in that resource group. For more information, see [AKS service permissions][aks-permissions].

+If you need to access existing disk resources in another resource group, assign one of the following set of role permissions:

+If you use Virtual Kubelet to integrate with AKS and choose to run Azure Container Instances (ACI) in resource group separate from the AKS cluster, the AKS cluster service principal must be granted *Contributor* permissions on the ACI resource group.

+## Other considerations

+When using AKS and an Azure AD service principal, consider the following:

+- The service principal for Kubernetes is a part of the cluster configuration. However, don't use this identity to deploy the cluster.

+- If you don't specify a service principal with AKS CLI commands, the default service principal located at `~/.azure/aksServicePrincipal.json` is used.

+- You can optionally remove the `aksServicePrincipal.json` file, and AKS creates a new service principal.

+- When you delete an AKS cluster that was created by [az aks create][az-aks-create], the service principal created automatically isn't deleted.

+ - To delete the service principal, query for your clusters *servicePrincipalProfile.clientId* and then delete it using the [az ad sp delete][az-ad-sp-delete] command. Replace the values for the `-g` parameter for the resource group name, and `-n` parameter for the cluster name:

+When using AKS and an Azure AD service principal, consider the following:

+- The service principal for Kubernetes is a part of the cluster configuration. However, don't use this identity to deploy the cluster.

+- If you don't specify a service principal with AKS PowerShell commands, the default service principal located at `~/.azure/acsServicePrincipal.json` is used.

+- You can optionally remove the `acsServicePrincipal.json` file, and AKS creates a new service principal.

+- When you delete an AKS cluster that was created by [New-AzAksCluster][new-azakscluster], the service principal created automatically isn't deleted.

+ - To delete the service principal, query for your clusters *ServicePrincipalProfile.ClientId* and then delete it using the [Remove-AzADServicePrincipal][remove-azadserviceprincipal] command. Replace the values for the `-ResourceGroupName` parameter for the resource group name, and `-Name` parameter for the cluster name:

+The service principal credentials for an AKS cluster are cached by the Azure CLI. If these credentials have expired, you encounter errors during deployment of the AKS cluster. The following error message when running [az aks create][az-aks-create] may indicate a problem with the cached service principal credentials:

+Check the age of the credentials file by running the following command:

+The default expiration time for the service principal credentials is one year. If your *aksServicePrincipal.json* file is older than one year, delete the file and retry deploying the AKS cluster.

+The service principal credentials for an AKS cluster are cached by Azure PowerShell. If these credentials have expired, you encounter errors during deployment of the AKS cluster. The following error message when running [New-AzAksCluster][new-azakscluster] may indicate a problem with the cached service principal credentials:

+Check the age of the credentials file by running the following command:

+The default expiration time for the service principal credentials is one year. If your *aksServicePrincipal.json* file is older than one year, delete the file and retry deploying the AKS cluster.

+[use-managed-identity]: use-managed-identity.md

+[managed-identity-resources-overview]: ..//active-directory/managed-identities-azure-resources/overview.md

+In this quickstart, you deployed a Kubernetes cluster and then subscribed to AKS events in Azure Event Hubs.

+[sp-delete]: kubernetes-service-principal.md#other-considerations

+[sp-delete]: kubernetes-service-principal.md#other-considerations

+[sp-delete]: kubernetes-service-principal.md#other-considerations

+ Title: Use a managed identity in Azure Kubernetes Service

+description: Learn how to use a system-assigned or user-assigned managed identity in Azure Kubernetes Service (AKS)

+# Use a managed identity in Azure Kubernetes Service

+An Azure Kubernetes Service (AKS) cluster requires an identity to access Azure resources like load balancers and managed disks. This identity can be either a managed identity or a service principal. By default, when you create an AKS cluster a system-assigned managed identity automatically created. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. For more information about managed identities in Azure AD, see [Managed identities for Azure resources][managed-identity-resources-overview].

+To use a [service principal](kubernetes-service-principal.md), you have to create one, AKS does not create one automatically. Clusters using a service principal eventually expire and the service principal must be renewed to keep the cluster working. Managing service principals adds complexity, which is why it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities.

+Managed identities are essentially a wrapper around service principals, and make their management simpler. Managed identities use certificate-based authentication, and each managed identities credential has an expiration of 90 days and it's rolled after 45 days. AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable.

+## Prerequisites

+Azure CLI version 2.23.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* Tenants move or migrate a managed identity-enabled cluster isn't supported.

+> [!NOTE]

+> AKS will create a kubelet managed identity in the Node resource group if you do not specify your own kubelet managed identity.

+## Create an AKS cluster using a managed identity

+You can create an AKS cluster using a system-assigned managed identity by running the following CLI command.

+## Update an AKS cluster to use a managed identity

+To update an AKS cluster currently using a service principals to work with a system-assigned managed identity, run the following CLI command.

+> An update will only work if there is an actual VHD update to consume. If you are running the latest VHD, you'll need to wait until the next VHD is available in order to perform the update.

+> After updating, your cluster's control plane and addon pods, they use the managed identity, but kubelet will continue using a service principal until you upgrade your agentpool. Perform an `az aks nodepool upgrade --node-image-only` on your nodes to complete the update to a managed identity.

+> If your cluster was using `--attach-acr` to pull from image from Azure Container Registry, after updating your cluster to a managed identity, you need to rerun `az aks update --attach-acr <ACR Resource ID>` to let the newly created kubelet used for managed identity get the permission to pull from ACR. Otherwise, you won't be able to pull from ACR after the upgrade.

+> The Azure CLI will ensure your addon's permission is correctly set after migrating, if you're not using the Azure CLI to perform the migrating operation, you'll need to handle the addon identity's permission by yourself. Here is one example using an [Azure Resource Manager](../role-based-access-control/role-assignments-template.md) template.

+> A nodepool upgrade will cause downtime for your AKS cluster as the nodes in the nodepools will be cordoned/drained and then reimaged.

+## Get and use the system-assigned managed identity for your AKS cluster

+If the cluster is using a managed identity, the output shows `clientId` with a value of **msi**. A cluster using a service principal shows an object ID. For example:

+After verifying the cluster is using a managed identity, you can find the control plane system-assigned identity's object ID by running the following command:

+> For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically. If you are using an ARM template or other method, you need to use the PrincipalID of the cluster system-assigned managed identity to perform a role assignment. For more information on role assignment, see [Delegate access to other Azure resources](kubernetes-service-principal.md#delegate-access-to-other-azure-resources).

+> Permission granted to your cluster's managed identity used by Azure may take up 60 minutes to populate.

+## Bring your own control plane managed identity

+A custom control plane managed identity enables access to be granted to the existing identity prior to cluster creation. This feature enables scenarios such as using a custom VNET or outboundType of UDR with a pre-created managed identity.

+> [!NOTE]

+> USDOD Central, USDOD East, USGov Iowa regions in Azure US Government cloud aren't currently supported.

+If you don't have a managed identity, you should create one by running the [az identity][az-identity-create] command.

+Azure CLI automatically adds required role assignment for the control plane managed identity. If you are using an ARM template or other method, you need to create the role assignment manually.

+If your managed identity is part of your subscription, run the following [az identity CLI command][az-identity-list] command to query it.

+Run the following command to create a cluster with your existing identity:

+A successful cluster creation using your own managed identity should resemble the following **userAssignedIdentities** profile information:

+## Use a pre-created kubelet managed identity

+A Kubelet identity enables access granted to the existing identity prior to cluster creation. This feature enables scenarios such as connection to ACR with a pre-created managed identity.

+> Updating kubelet managed identity upgrades Nodepool, which causes downtime for your AKS cluster as the nodes in the nodepools will be cordoned/drained and then reimaged.

+- Azure CLI version 2.26.0 or later installed. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+- Only works with a user-assigned managed cluster.

+- China East and China North regions in Azure China 21Vianet aren't currently supported.

+If you don't have a control plane managed identity, you can create by running the following [az identity create][az-identity-create] command:

+The output should resemble the following:

+If you don't have a kubelet managed identity, you can create one by running the following [az identity create][az-identity-create] command:

+The output should resemble the following:

+Now you can use the following command to create your AKS cluster with your existing identities. Provide the control plane identity resource ID via `assign-identity` and the kubelet managed identity via `assign-kubelet-identity`:

+A successful AKS cluster creation using your own kubelet managed identity should resemble the following output:

+### Update an existing cluster using kubelet identity

+Update kubelet identity on an existing AKS cluster with your existing identities.

+Use [Azure Resource Manager templates ][aks-arm-template] to create a managed identity-enabled cluster.

+[managed-identity-resources-overview]: ../active-directory/managed-identities-azure-resources/overview.md

+> To view the effective policies at the current scope, select **Calculate effective policy** in the policy editor.

+This article provides a reference for API Management policies to validate REST or SOAP API requests and responses against schemas defined in the API definition or supplementary JSON or XML schemas. Validation policies protect from vulnerabilities such as injection of headers or payload or leaking sensitive data. Learn more about common [API vulnerabilites](mitigate-owasp-api-threats.md).

+While not a replacement for a Web Application Firewall, validation policies provide flexibility to respond to an additional class of threats that arenΓÇÖt covered by security products that rely on static, predefined rules.

+The following table shows the schema formats and request or response content types that the policy supports. Content type values are case insensitive.

+### What content is validated

+The policy validates the following content in the request or response against the schema:

+* Presence of all required properties.

+* Absence of additional properties, if the schema has the `additionalProperties` field set to `false`.

+* Types of all properties. For example, if a schema specifies a property as an integer, the request (or response) must include an integer and not another type, such as a string.

+* The format of the properties, if specified in the schema - for example, regex (if the `pattern` keyword is specified), `minimum` for integers, and so on.

+> [!TIP]

+> For examples of regex pattern constraints that can be used in schemas, see [OWASP Validation Regex Repository](https://owasp.org/www-community/OWASP_Validation_Regex_Repository).

+The paragraph roles are best used with unstructured documents. PAragraph roles help analyze the structure of the extracted content for better semantic search and analysis.

+ | **Model ID** | **Text extraction** | **Language detection** | **Selection Marks** | **Tables** | **Paragraphs** | **Paragraph roles** | **Key-Value pairs** | **Fields** |

+ |:--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+|🆕 [prebuilt-read](concept-read.md#data-extraction) | ✓ | ✓ | | | ✓ | | | |

+|🆕 [prebuilt-tax.us.w2](concept-w2.md#field-extraction) | ✓ | | ✓ | | ✓ | | | ✓ |

+|🆕 [prebuilt-document](concept-general-document.md#data-extraction)| ✓ | | ✓ | ✓ | ✓ | | ✓ | |

+| [prebuilt-layout](concept-layout.md#data-extraction) | Γ£ô | | Γ£ô | Γ£ô | Γ£ô | Γ£ô | | | |

+| [prebuilt-invoice](concept-invoice.md#field-extraction) | Γ£ô | | Γ£ô | Γ£ô | Γ£ô | | Γ£ô | Γ£ô |

+| [prebuilt-receipt](concept-receipt.md#field-extraction) | Γ£ô | | | | Γ£ô | | | Γ£ô |

+| [prebuilt-idDocument](concept-id-document.md#field-extraction) | Γ£ô | | | | Γ£ô | | | Γ£ô |

+| [prebuilt-businessCard](concept-business-card.md#field-extraction) | Γ£ô | | | | Γ£ô | | | Γ£ô |

+| [Custom](concept-custom.md#compare-model-features) | Γ£ô | | Γ£ô | Γ£ô | Γ£ô | | | Γ£ô |

+* Supported file formats: JPEG/JPG, PNG, BMP, TIFF, and PDF (text-embedded or scanned). Additionally, the Read API supports Microsoft Word (DOCX), Excel (XLS), PowerPoint (PPT), and HTML files.

+* [Learn more about Azure Key Vault](../../key-vault/general/overview.md)

+* Learn more about the [Layout API](concept-layout.md)

+- Export the Run As certificate and then import it into the Hybrid Runbook Worker.

+- Renew the certificate used by the Run As account.

+- Handle the Run As connection object in your runbook code.

+There are two ways to use the Managed Identities in Hybrid Runbook Worker scripts.

+1. Use the system-assigned Managed Identity for the Automation account:

+ 1. [Configure](/enable-managed-identity-for-automation.md#enable-a-system-assigned-managed-identity-for-an-azure-automation-account) a System-assigned Managed Identity for the Automation account.

+ 1. Grant this identity the [required permissions](/enable-managed-identity-for-automation.md#assign-role-to-a-system-assigned-managed-identity) within the Subscription to perform its task.

+ 1. Update the runbook to use the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet with the `Identity` parameter to authenticate to Azure resources. This configuration reduces the need to use a Run As account and perform the associated account management.

+ ```powershell

+ # Ensures you do not inherit an AzContext in your runbook

+ Disable-AzContextAutosave -Scope Process

+

+ # Connect to Azure with system-assigned managed identity

+ $AzureContext = (Connect-AzAccount -Identity).context

+

+ # set and store context

+ $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile

+ $AzureContext

+ # Get all VM names from the subscription

+ Get-AzVM -DefaultProfile $AzureContext | Select Name

+ ```

+ > [!NOTE]

+ > It is **Not** possible to use the Automation Account's User Managed Identity on a Hybrid Runbook Worker, it must be the Automation Account's System Managed Identity.

+2. Use the VM Managed Identity for both the Azure VM or Arc-enabled server running as a Hybrid Runbook Worker.

+ Here, you can use either the **VMΓÇÖs User-assigned Managed Identity** or the **VMΓÇÖs System-assigned Managed Identity**.

+ > [!NOTE]

+ > This will **Not** work in an Automation Account which has been configured with an Automation account Managed Identity. As soon as the Automation account Managed Identity is enabled, you can't use the VM Managed Identity. The only available option is to use the Automation Account **System-Assigned Managed Identity** as mentioned in option 1.

+ **To use a VM's system-assigned managed identity**:

+ 1. [Configure](/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm) a System Managed Identity for the VM.

+ 1. Grant this identity the [required permissions](/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-arm#grant-your-vm-access-to-a-resource-group-in-resource-manager) within the subscription to perform its tasks.

+ 1. Update the runbook to use the [Connect-Az-Account](/powershell/module/az.accounts/connect-azaccount?view=azps-8.0.0) cmdlet with the `Identity` parameter to authenticate to Azure resources. This configuration reduces the need to use a Run As Account and perform the associated account management.

+ # Ensures you do not inherit an AzContext in your runbook

+ Disable-AzContextAutosave -Scope Process

+

+ # Connect to Azure with system-assigned managed identity

+ $AzureContext = (Connect-AzAccount -Identity).context

+

+ # set and store context

+ $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile

+ $AzureContext

+ # Get all VM names from the subscription

+ Get-AzVM -DefaultProfile $AzureContext | Select Name

+ ```

+ **To use a VM's user-assigned managed identity**:

+ 1. [Configure](/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#user-assigned-managed-identity) a User Managed Identity for the VM.

+ 1. Grant this identity the [required permissions](/active-directory/managed-identities-azure-resources/howto-assign-access-portal) within the Subscription to perform its tasks.

+ 1. Update the runbook to use the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount?view=azps-8.0.0) cmdlet with the `Identity ` and `AccountID` parameters to authenticate to Azure resources. This configuration reduces the need to use a Run As account and perform the associated account management.

+ ```powershell

+ # Ensures you do not inherit an AzContext in your runbook

+ Disable-AzContextAutosave -Scope Process

+

+ # Connect to Azure with user-managed-assigned managed identity. Replace <ClientId> below with the Client Id of the User Managed Identity

+ $AzureContext = (Connect-AzAccount -Identity -AccountId <ClientId>).context

+

+ # set and store context

+ $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile

+ $AzureContext

+ # Get all VM names from the subscription

+ Get-AzVM -DefaultProfile $AzureContext | Select Name

+ > [!NOTE]

+ > You can find the client Id of the user-assigned managed identity in the Azure portal.

+ > :::image type="content" source="./media/automation-hrw-run-runbooks/managed-identities-client-id-inline.png" alt-text="Screenshot of client id in Managed Identites." lightbox="./media/automation-hrw-run-runbooks/managed-identities-client-id-expanded.png":::

+> By default, the Azure contexts are saved for use between PowerShell sessions. It is possible that when a previous runbook on the Hybrid Runbook Worker has been authenticated with Azure, that context persists to the disk in the System PowerShell profile, as per [Azure contexts and sign-in credentials | Microsoft Docs](/powershell/azure/context-persistence?view=azps-7.3.2).

+

+New scripts are added to the Azure Automation [GitHub repository](https://github.com/azureautomation) to address one of Azure Automation's key scenarios of VM management based on Azure Monitor alert. For more information, see [Trigger runbook from Azure alert](./automation-create-alert-triggered-runbook.md#common-azure-vm-management-operations).

+ >As explained in the [Managed Identities for Azure resources FAQs](../active-directory/managed-identities-azure-resources/known-issues.md), there is a default way to resolve which managed identity is used. In this case, the Azure Identity library enforces you to specify the desired identity to avoid possible runtime issues in the future (for instance, if a new user-assigned managed identity is added or if the system-assigned managed identity is enabled). So, you will need to specify the clientId even if only one user-assigned managed identity is defined, and there is no system-assigned managed identity.

+> [CLI samples](./cli-samples.md)

+description: "Learn how to resolve common issues with Azure Arc-enabled Kubernetes clusters and GitOps."

+This document provides troubleshooting guides for issues with Azure Arc-enabled Kubernetes connectivity, permissions, and agents. It also provides troubleshooting guides for Azure GitOps, which can be used in either Azure Arc-enabled Kubernetes or Azure Kubernetes Service (AKS) clusters.

+First, verify the Azure Arc Helm Chart release:

+If the Helm Chart release isn't found or missing, try [connecting the cluster to Azure Arc](./quickstart-connect-cluster.md) again.

+If the Helm Chart release is present with `STATUS: deployed`, check the status of the agents using `kubectl`:

+All pods should show `STATUS` as `Running` with either `3/3` or `2/2` under the `READY` column. Fetch logs and describe the pods returning an `Error` or `CrashLoopBackOff`. If any pods are stuck in `Pending` state, there might be insufficient resources on cluster nodes. [Scaling up your cluster](https://kubernetes.io/docs/tasks/administer-cluster/) can get these pods to transition to `Running` state.

+Connecting clusters to Azure Arc requires access to an Azure subscription and `cluster-admin` access to a target cluster. If you can't reach the cluster, or if you have insufficient permissions, connecting the cluster to Azure Arc will fail. Make sure you've met all of the [prerequisites to connect a cluster](quickstart-connect-cluster.md#prerequisites).

+With Helm version >= 3.7.0, you may run into the following error when using `az connectedk8s connect` to connect the cluster to Azure Arc:

+To resolve this issue, you'll need to install a prior version of [Helm 3](https://helm.sh/docs/intro/install/), where the version is less than 3.7.0. After you've installed that version, run the `az connectedk8s connect` command again to connect the cluster to Azure Arc.

+If the provided kubeconfig file doesn't have sufficient permissions to install the Azure Arc agents, the Azure CLI command will return an error.

+To resolve this issue, the user connecting the cluster to Azure Arc should have the `cluster-admin` role assigned to them on the cluster.

+If `az connectedk8s connect` is timing out and failing when connecting an OpenShift cluster to Azure Arc:

+1. Ensure that the OpenShift cluster meets the version prerequisites: 4.5.41+ or 4.6.35+ or 4.7.18+.

+1. Before you run `az connectedk8s connnect`, run this command on the cluster:

+You may see the following Helm timeout error:

+To resolve this issue, try the following steps.

+1. Run the following command:

+ ```console

+ kubectl get pods -n azure-arc

+ ```

+2. Check if the `clusterconnect-agent` or the `config-agent` pods are showing `crashloopbackoff`, or if not all containers are running:

+ ```output

+ NAME READY STATUS RESTARTS AGE

+ cluster-metadata-operator-664bc5f4d-chgkl 2/2 Running 0 4m14s

+ clusterconnect-agent-7cb8b565c7-wklsh 2/3 CrashLoopBackOff 0 1m15s

+ clusteridentityoperator-76d645d8bf-5qx5c 2/2 Running 0 4m15s

+ config-agent-65d5df564f-lffqm 1/2 CrashLoopBackOff 0 1m14s

+ ```

+3. If the certificate below isn't present, the system assigned managed identity hasn't been installed.

+ ```console

+ kubectl get secret -n azure-arc -o yaml | grep name:

+ ```

+ ```output

+ name: azure-identity-certificate

+ ```

+ To resolve this issue, try deleting the Arc deployment by running the `az connectedk8s delete` command and reinstalling it. If the issue continues to happen, it could be an issue with your proxy settings. In that case, [try connecting your cluster to Azure Arc via a proxy](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) to connect your cluster to Arc via a proxy.

+4. If the `clusterconnect-agent` and the `config-agent` pods are running, but the `kube-aad-proxy` pod is missing, check your pod security policies. This pod uses the `azure-arc-kube-aad-proxy-sa` service account, which doesn't have admin permissions but requires the permission to mount host path.

+Helm `v3.3.0-rc.1` version has an [issue](https://github.com/helm/helm/pull/8527) where helm install/upgrade (used by the `connectedk8s` CLI extension) results in running of all hooks leading to the following error:

+ ```console

+ kubectl delete ns azure-arc

+ kubectl delete clusterrolebinding azure-arc-operator

+ kubectl delete secret sh.helm.release.v1.azure-arc.v1

+ ```

+> [!NOTE]

+> Eventually Azure will stop supporting GitOps with Flux v1, so begin using [Flux v2](./tutorial-use-gitops-flux2.md) as soon as possible.

+The `microsoft.flux` extension installs the Flux controllers and Azure GitOps agents into your Azure Arc-enabled Kubernetes or Azure Kubernetes Service (AKS) clusters. If the extension isn't already installed in a cluster and you create a GitOps configuration resource for that cluster, the extension will be installed automatically.

+If you experience an error during installation, or if the extension is in a failed state, run a script to investigate. The cluster-type parameter can be set to `connectedClusters` for an Arc-enabled cluster or `managedClusters` for an AKS cluster. The name of the `microsoft.flux` extension will be "flux" if the extension was installed automatically during creation of a GitOps configuration. Look in the "statuses" object for information.

+* For an AKS cluster, assure that the subscription has the `Microsoft.ContainerService/AKS-ExtensionManager` feature flag enabled.

+* Assure that the cluster doesn't have any policies that restrict creation of the `flux-system` namespace or resources in that namespace.

+With these actions accomplished, you can either [recreate a flux configuration](./tutorial-use-gitops-flux2.md), which will install the flux extension automatically, or you can reinstall the flux extension manually.

+The extension-agent pod is trying to get its token from IMDS on the cluster in order to talk to the extension service in Azure, but the token request is intercepted by the [pod identity](../../aks/use-azure-ad-pod-identity.md)).

+Azure Monitor for Containers requires its DaemonSet to run in privileged mode. To successfully set up a Canonical Charmed Kubernetes cluster for monitoring, run the following command:

+Some older agent versions didn't support the Cluster Connect feature. If you use one of these versions, you may see this error:

+Be sure to use the `connectedk8s` Azure CLI extension with version >= 1.2.0, then [connect your cluster again](quickstart-connect-cluster.md) to Azure Arc. Also, verify that you've met all the [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements) needed for Arc-enabled Kubernetes.

+If your cluster is behind an outbound proxy or firewall, verify that websocket connections are enabled for `*.servicebus.windows.net`, which is required specifically for the [Cluster Connect](cluster-connect.md) feature.

+When connecting your cluster to Azure Arc or enabling custom locations on an existing cluster, you may see the following warning:

+This warning occurs when you use a service principal to log into Azure. The service principal doesn't have permissions to get information of the application used by Azure Arc service. To avoid this error, execute the following steps:

+1. Sign in into Azure CLI using your user account. Fetch the Object ID of the Azure AD application used by Azure Arc service:

+1. Sign in into Azure CLI using the service principal. Use the `<objectId>` value from above step to enable custom locations on the cluster:

+ * To enable custom locations when connecting the cluster to Arc, run the following command:

+ ```azurecli

+ az connectedk8s connect -n <cluster-name> -g <resource-group-name> --custom-locations-oid <objectId>

+ ```

+ * To enable custom locations on an existing Azure Arc-enabled Kubernetes cluster, run the following command:

+ ```azurecli

+ az connectedk8s enable-features -n <cluster-name> -g <resource-group-name> --custom-locations-oid <objectId> --features cluster-connect custom-locations

+ ```

+The steps below provide guidance on validating the deployment of all the Open Service Mesh (OSM) extension components on your cluster.

+If the OSM Controller is healthy, you'll see output similar to the following:

+```output

+If the OSM Controller is healthy, you'll see output similar to the following:

+```output

+Even though one controller was _evicted_ at some point, there's another which is `READY 1/1` and `Running` with `0` restarts. If the column `READY` is anything other than `1/1`, the service mesh would be in a broken state. Column `READY` with `0/1` indicates the control plane container is crashing. Use the following command to inspect controller logs:

+If the OSM Controller is healthy, you'll see the following output:

+```output

+If the OSM Controller is healthy, you'll see output similar to the following:

+```output

+If the user's cluster has no `ENDPOINTS` for `osm-controller`, the control plane is unhealthy. This unhealthy state may be caused by the OSM Controller pod crashing, or the pod may never have been deployed correctly.

+If the OSM Injector is healthy, you'll see output similar to the following:

+```output

+If the OSM Injector is healthy, you'll see output similar to the following:

+```output

+If the OSM Injector is healthy, you'll see output similar to the following:

+```output

+If the OSM Injector is healthy, you'll see output similar to the following:

+If the **Validating** webhook is healthy, you'll see output similar to the following:

+```output

+If the **Mutating** webhook is healthy, you'll see output similar to the following:

+```output

+Check for the service and the CA bundle of the **Validating** webhook by using the following command:

+A well configured **Validating** webhook configuration will have output similar to the following:

+Check for the service and the CA bundle of the **Mutating** webhook by using the following command:

+A well configured **Mutating** webhook configuration will have output similar to the following:

+Check whether OSM Controller has given the **Validating** (or **Mutating**) webhook a CA Bundle by using the following command:

+The number in the output indicates the number of bytes, or the size of the CA Bundle. If this is empty, 0, or a number under 1000, the CA Bundle is not correctly provisioned. Without a correct CA Bundle, the `ValidatingWebhook` will throw an error.

+Check for the existence of the resource:

+Check the content of the OSM MeshConfig:

+### Check namespaces

+>The arc-osm-system namespace will never participate in a service mesh and will never be labeled or annotated with the key/values below.

+We use the `osm namespace add` command to join namespaces to a given service mesh. When a Kubernetes namespace is part of the mesh, confirm the following:

+If you aren't using `osm` CLI, you could also manually add these annotations to your namespaces. If a namespace isn't annotated with `"openservicemesh.io/sidecar-injection": "enabled"`, or isn't labeled with `"openservicemesh.io/monitored-by": "osm"`, the OSM Injector will not add Envoy sidecars.

+Check whether the cluster has the required Custom Resource Definitions (CRDs) by using the following command:

+Ensure that the CRDs correspond to the versions available in the release branch. For example, if you're using OSM-Arc v1.0.0-1, navigate to the [SMI supported versions page](https://docs.openservicemesh.io/docs/overview/smi/) and select v1.0 from the Releases dropdown to check which CRDs versions are in use.

+If CRDs are missing, use the following commands to install them on the cluster. If you're using a version of OSM-Arc that's not v1.0, ensure that you replace the version in the command (for example, v1.1.0 would be release-v1.1).

+To see CRD changes between releases, refer to the [OSM release notes](https://github.com/openservicemesh/osm/releases).

+For information on how OSM issues and manages certificates to Envoy proxies running on application pods, see the [OSM docs site](https://docs.openservicemesh.io/docs/guides/certificates/).

+When a new pod is created in a namespace monitored by the add-on, OSM will inject an [Envoy proxy sidecar](https://docs.openservicemesh.io/docs/guides/app_onboarding/sidecar_injection/) in that pod. If the Envoy version needs to be updated, follow the steps in the [Upgrade Guide](https://docs.openservicemesh.io/docs/guides/upgrade/#envoy) on the OSM docs site.

+ * Import the repository with name `arc-cicd-demo-src`

+ * Import the repository with name `arc-cicd-demo-gitops`

+ --namespace flux-system \

+ -u https://dev.azure.com/<Your organization>/<Your project>/_git/arc-cicd-demo-gitops \

+ * You can also check on Azure Portal page of your K8s cluster on `GitOps` tab a configuration `cluster-config` is created.

+| [`.pipelines/az-vote-pr-pipeline.yaml`](https://github.com/Azure/arc-cicd-demo-src/blob/master/.pipelines/az-vote-pr-pipeline.yaml) | The application PR pipeline, named **arc-cicd-demo-src PR** |

+| [`.pipelines/az-vote-ci-pipeline.yaml`](https://github.com/Azure/arc-cicd-demo-src/blob/master/.pipelines/az-vote-ci-pipeline.yaml) | The application CI pipeline, named **arc-cicd-demo-src CI** |

+> [!NOTE]

+> `Azure Repos PAT token` should have `Build: Read & executee` and `Code: Read` permissions.

+ name: cluster-config

+ name: cluster-config-cluster-config

+#### Create environments

+In Azure DevOps project create `Dev` and `Stage` environments. See [Create and target an environment](/azure/devops/pipelines/process/environments) for more details.

+1. For the `<Project Name> Build Service (<Organization Name>)` and for the `Project Collection Build Service (<Organization Name>)` (type in the search field, if it doesn't show up), allow `Contribute`, `Contribute to pull requests`, and `Create branch`.

+1. Switch off `Protect access to repositories in YAML pipelines` option

+ name: cluster-config

+ name: cluster-config-cluster-config

+* An MSI-based AKS cluster that's up and running.

+ >**Ensure that the AKS cluster is created with MSI** (not SPN), because the `microsoft.flux` extension won't work with SPN-based AKS clusters.

+ >For new AKS clusters created with ΓÇ£az aks createΓÇ¥, the cluster will be MSI-based by default. For already created SPN-based clusters that need to be converted to MSI run ΓÇ£az aks update -g $RESOURCE_GROUP -n $CLUSTER_NAME --enable-managed-identityΓÇ¥. For more information, refer to [managed identity docs](../../aks/use-managed-identity.md).

+* Amazon Web Services (AWS) metadata, when running in AWS:

+ * Account ID

+ * Instance ID

+ * Region

+* Google Cloud Platform (GCP) metadata, when running in GCP:

+ * Instance ID

+ * Image

+ * Machine type

+ * OS

+ * Project ID

+ * Project number

+ * Service accounts

+ * Zone

+## Version 1.14 - January 2022

+### Fixed

+- A state corruption issue in the extension manager that could cause extension operations to get stuck in transient states has been fixed. Customers running agent version 1.13 are encouraged to upgrade to version 1.14 as soon as possible. If you continue to have issues with extensions after upgrading the agent, [submit a support ticket](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).

+## Version 1.19 - June 2022

+### New features

+- When installed on a Google Compute Engine virtual machine, the agent will now detect and report Google Cloud metadata in the "detected properties" of the Azure Arc-enabled servers resource. [Learn more](agent-overview.md#instance-metadata) about the new metadata.

+### Fixed

+- An issue that could cause the extension manager to hang during extension installation, update, and removal operations has been resolved.

+- Improved support for TLS 1.3

+Azure Arc-enabled SCVMM works with VMM 2016, 2019 and 2022 versions and supports SCVMM management servers with a maximum of 3500 VMS.

+| **SCVMM accounts** | An SCVMM admin account that can perform all administrative actions on all objects that VMM manages. <br/><br/> The user should be part of local administrator account in the SCVMM server. <br/><br/>This will be used for the ongoing operation of Azure Arc-enabled SCVMM as well as the deployment of the Arc Resource bridge VM. |

+ > When you deploy Azure Cache for Redis to a Resource Manager virtual network, the cache must be in a dedicated subnet that contains no other resources except for Azure Cache for Redis instances. If you attempt to deploy an Azure Cache for Redis instance to a Resource Manager virtual network subnet that contains other resources, or has a NAT Gateway assigned, the deployment fails. The failure is because Azure Cache for Redis uses a basic load balancer that is not compatible with a NAT Gateway.

+ - Ping the cache endpoint by using port 6380 from a machine that's within the same virtual network as the cache, using [`tcping`](https://www.elifulkerson.com/projects/tcping.php). For example:

+Your function definition should now look like the following code, depending on mode:

+# [In-process](#tab/in-process)

+# [Isolated process](#tab/isolated-process)

+

+| 4.x (recommended) | `~16`<br/>`~14` | `node|16`<br/>`node|14` |

+ Title: Deploy Start/Stop VMs v2

+description: This article tells how to deploy the Start/Stop VMs v2 feature for your Azure VMs in your Azure subscription.

+# Deploy Start/Stop VMs v2

+Perform the steps in this topic in sequence to install the Start/Stop VMs v2 feature. After completing the setup process, configure the schedules to customize it to your requirements.

+To simplify management and removal, we recommend you deploy Start/Stop VMs v2 to a dedicated resource group.

+> Currently this solution does not support specifying an existing Storage account or Application Insights resource.

+After the Start/Stop deployment completes, perform the following steps to enable Start/Stop VMs v2 to take action across multiple subscriptions.

+Start/Stop VMs v2 can help manage the cost of running Azure Resource Manager and classic VMs in your subscription by evaluating machines that aren't used during non-peak periods, such as after hours, and automatically shutting them down if processor utilization is less than a specified percentage.

+To learn how to monitor status of your Azure VMs managed by the Start/Stop VMs v2 feature and perform other management tasks, see the [Manage Start/Stop VMs](manage.md) article.

+ Title: Manage Start/Stop VMs v2

+description: This article tells how to monitor status of your Azure VMs managed by the Start/Stop VMs v2 feature and perform other management tasks.

+# How to manage Start/Stop VMs v2

+Start/Stop VMs v2 includes a [dashboard](../../azure-monitor/best-practices-analysis.md#azure-dashboards) to help you understand the management scope and recent operations against your VMs. It is a quick and easy way to verify the status of each operation thatΓÇÖs performed on your Azure VMs. The visualization in each tile is based on a Log query and to see the query, select the **Open in logs blade** option in the right-hand corner of the tile. This opens the [Log Analytics](../../azure-monitor/logs/log-analytics-overview.md#starting-log-analytics) tool in the Azure portal, and from here you can evaluate the query and modify to support your needs, such as custom [log alerts](../../azure-monitor/alerts/alerts-log.md), a custom [workbook](../../azure-monitor/visualize/workbooks-overview.md), etc.

+To change email notifications after Start/Stop VMs v2 is deployed, you can modify the action group created during deployment.

+To handle problems during VM management, see [Troubleshoot Start/Stop VMs v2](troubleshoot.md) issues.

+ Title: Start/Stop VMs v2 overview

+description: This article describes version two of the Start/Stop VMs feature, which starts or stops Azure Resource Manager and classic VMs on a schedule.

+# Start/Stop VMs v2 overview

+The Start/Stop VMs v2 feature starts or stops Azure virtual machines (VMs) across multiple subscriptions. It starts or stops Azure VMs on user-defined schedules, provides insights through [Azure Application Insights](../../azure-monitor/app/app-insights-overview.md), and send optional notifications by using [action groups](../../azure-monitor/alerts/action-groups.md). The feature can manage both Azure Resource Manager VMs and classic VMs for most scenarios.

+This new version of Start/Stop VMs v2 provides a decentralized low-cost automation option for customers who want to optimize their VM costs. It offers all of the same functionality as the [original version](../../automation/automation-solution-vm-management.md) available with Azure Automation, but it is designed to take advantage of newer technology in Azure.

+Start/Stop VMs v2 is redesigned and it doesn't depend on Azure Automation or Azure Monitor Logs, as required by the [previous version](../../automation/automation-solution-vm-management.md). This version relies on [Azure Functions](../../azure-functions/functions-overview.md) to handle the VM start and stop execution.

+A managed identity is created in Azure Active Directory (Azure AD) for this Azure Functions application and allows Start/Stop VMs v2 to easily access other Azure AD-protected resources, such as the logic apps and Azure VMs. For more about managed identities in Azure AD, see [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).

+An Azure Storage account, which is required by Functions, is also used by Start/Stop VMs v2 for two purposes:

+When a new version of Start/Stop VMs v2 is released, your instance is auto-updated without having to manually redeploy.

+- Start/Stop VMs v2 is available in all Azure global and US Government cloud regions that are listed in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=functions) page for Azure Functions.

+To deploy this feature, see [Deploy Start/Stop VMs](deploy.md).

+ Title: Remove Start/Stop VMs v2 overview

+description: This article describes how to remove the Start/Stop VMs v2 feature.

+# How to remove Start/Stop VMs v2

+After you enable the Start/Stop VMs v2 feature to manage the running state of your Azure VMs, you may decide to stop using it. Removing this feature can be done by deleting the resource group dedicated to store the following resources in support of Start/Stop VMs v2:

+> If you run into problems during deployment, you encounter an issue when using Start/Stop VMs v2, or if you have a related question, you can submit an issue on [GitHub](https://github.com/microsoft/startstopv2-deployments/issues). Filing an Azure support incident from the [Azure support site](https://azure.microsoft.com/support/options/) is not available for this version.

+To re-deploy this feature, see [Deploy Start/Stop v2](deploy.md).

+ Title: Troubleshoot Start/Stop VMs

+description: This article tells how to troubleshoot issues encountered with the Start/Stop VMs feature for your Azure VMs.

+# Troubleshoot common issues with Start/Stop VMs

+This article provides information on troubleshooting and resolving issues that may occur while attempting to install and configure Start/Stop VMs. For general information, see [Start/Stop VMs overview](overview.md).

+You can start by reviewing the Azure shared dashboard. The Azure shared dashboard deployed as part of Start/Stop VMs v2 is a quick and easy way to verify the status of each operation that's performed on your VMs. Refer to the **Recently attempted actions on VMs** tile to see all the recent operations executed on your VMs. There is some latency, around five minutes, for data to show up in the report as it pulls data from the Application Insights resource.

+You can review the details for the operations performed on the VMs that are written to the table **requestsstoretable** in the Azure storage account used for Start/Stop VMs v2. Perform the following steps to view those records.

+1. Navigate to the storage account in the Azure portal and in the account select **Storage Explorer** from the left-hand pane.

+1. Select the Function app for Start/Stop VMs v2 from the list.

+* If you run into problems during deployment, you encounter an issue when using Start/Stop VMs v2, or if you have a related question, you can submit an issue on [GitHub](https://github.com/microsoft/startstopv2-deployments/issues). Filing an Azure support incident from the [Azure support site](https://azure.microsoft.com/support/options/) is also available for this version.

+| Red Hat Linux 8 | 8.5 | 4.18.0-348.\*el8_5.x86_644.18.0-348.\*el8.x86_64 |

+| | 8.4 | 4.18.0-305.\*el8.x86_64, 4.18.0-305.\*el8_4.x86_64 |

+| CentOS Linux 8 | 8.5 | 4.18.0-348.\*el8_5.x86_644.18.0-348.\*el8.x86_64 |

+| | 8.4 | 4.18.0-305.\*el8.x86_64, 4.18.0-305.\*el8_4.x86_64 |

+You can query you alerts instances to create custom views outside of the Azure portal, or to analyze your alerts to identify patterns and trends.

+We recommended that you use [Azure Resource Graphs](https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/ArgQueryBlade) with the 'AlertsManagementResources' schema for managing alerts across multiple subscriptions. For an sample query, see [Azure Resource Graph sample queries for Azure Monitor](../resource-graph-samples.md).

+You can use Azure Resource Graphs:

+ - with [Azure PowerShell](/powershell/module/az.monitor/)

+ - with the [Azure CLI](/cli/azure/monitor?view=azure-cli-latest&preserve-view=true)

+ - in the Azure portal

+

+You can also use the [Alert Management REST API](/rest/api/monitor/alertsmanagement/alerts) for lower scale querying or to update fired alerts.

+1. Get the existing rule ([metric alerts](/powershell/module/az.monitor/get-azmetricalertrulev2), [activity log alerts](/powershell/module/az.monitor/get-azactivitylogalert), alert [processing rules](/powershell/module/az.alertsmanagement/get-azalertprocessingrule)).

+3. Redeploy the rule ([metric alerts](/powershell/module/az.monitor/add-azmetricalertrulev2), [activity log alerts](/powershell/module/az.monitor/enable-azactivitylogalert), [alert processing rules](/powershell/module/az.alertsmanagement/set-azalertprocessingrule)).

+> If you are using a log alert, the query results must include a ΓÇ£ComputerΓÇ¥ column containing the configuration items list.

+To create a new workspace, see [Create a Log Analytics workspace in the Azure portal](./quick-create-workspace.md). For considerations on creating multiple workspaces, see [Design a Log Analytics workspace configuration](./workspace-design.md).

+ Title: Enable Profiler for Azure Cloud Services | Microsoft Docs

+description: Profile live Azure Cloud Services with Application Insights Profiler.

+# Enable Profiler for Azure Cloud Services

+Receive performance traces for your [Azure Cloud Service](../../cloud-services-extended-support/overview.md) by enabling the Application Insights Profiler. The Profiler is installed on your Cloud Service via the [Azure Diagnostics extension](../agents/diagnostics-extension-overview.md).

+In this article, you will:

+- Enable your Cloud Service to send diagnostics data to Application Insights.

+- Configure the Azure Diagnostics extension within your solution to install Profiler.

+- Deploy your service and generate traffic to view Profiler traces.

+## Pre-requisites

+- Make sure you've [set up diagnostics for Azure Cloud Services](/visualstudio/azure/vs-azure-tools-diagnostics-for-cloud-services-and-virtual-machines).

+- Use [.NET Framework 4.6.1](/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed) or newer.

+ - If you're using [OS Family 4](../../cloud-services/cloud-services-guestos-update-matrix.md#family-4-releases), install .NET Framework 4.6.1 or newer with a [startup task](../../cloud-services/cloud-services-dotnet-install-dotnet.md).

+ - [OS Family 5](../../cloud-services/cloud-services-guestos-update-matrix.md#family-5-releases) includes a compatible version of .NET Framework by default.

+## Track requests with Application Insights

+When publishing your CloudService to Azure portal, add the [Application Insights SDK to Azure Cloud Services](../app/cloudservices.md).

+Once you've added the SDK and published your Cloud Service to the Azure portal, track requests using Application Insights.

+- **For ASP.NET web roles**, Application Insights tracks the requests automatically.

+- **For worker roles**, you need to [add code manually to your application to track requests](profiler-trackrequests.md).

+## Configure the Azure Diagnostics extension

+Locate the Azure Diagnostics *diagnostics.wadcfgx* file for your application role:

+Add the following `SinksConfig` section as a child element of `WadCfg`:

+```xml

+<WadCfg>

+ <DiagnosticMonitorConfiguration>...</DiagnosticMonitorConfiguration>

+ <SinksConfig>

+ <Sink name="MyApplicationInsightsProfiler">

+ <!-- Replace with your own Application Insights instrumentation key. -->

+ <ApplicationInsightsProfiler>00000000-0000-0000-0000-000000000000</ApplicationInsightsProfiler>

+ </Sink>

+ </SinksConfig>

+</WadCfg>

+```

+> [!NOTE]

+> The instrumentation keys that are used by the application and the ApplicationInsightsProfiler sink need to match each other.

+Deploy your service with the new Diagnostics configuration. Application Insights Profiler is now configured to run on your Cloud Service.

+## Generate traffic to your service

+Now that your Azure Cloud Service is deployed with Profiler, you can generate traffic to view Profiler traces.

+Generate traffic to your application by setting up an [availability test](../app/monitor-web-app-availability.md). Wait 10 to 15 minutes for traces to be sent to the Application Insights instance.

+Navigate to your Azure Cloud Service's Application Insights resource. In the left side menu, select **Performance**.

+Select the **Profiler** for your Cloud Service.

+Select **Profile now** to start a profiling session. This process will take a few minutes.

+For more instructions on profiling sessions, see the [Profiler overview](./profiler-overview.md#start-a-profiler-on-demand-session).

+- Learn more about [configuring Profiler](./profiler-settings.md).

+- [Troubleshoot Profiler issues](./profiler-troubleshooting.md).

+| [InstallDependencyAgent-Windows.exe](https://aka.ms/dependencyagentwindows) | Windows | 9.10.14.20760 | D4DB398FAD36E86FEACCC41D7B8AF46711346A943806769B6CE017F0BF1625FF |

+| [InstallDependencyAgent-Linux64.bin](https://aka.ms/dependencyagentlinux) | Linux | 9.10.14.20760 | 3DE3B485BA79B57E74B3DFB60FD277A30C8A5D1BD898455AD77FECF20E0E2610 |

+ Title: How to Query Logs from VM insights

+description: VM insights solution collects metrics and log data to and this article describes the records and includes sample queries.

+# How to query logs from VM insights

+VM insights collects performance and connection metrics, computer and process inventory data, and health state information and forwards it to the Log Analytics workspace in Azure Monitor. This data is available for [query](../logs/log-query-overview.md) in Azure Monitor. You can apply this data to scenarios that include migration planning, capacity analysis, discovery, and on-demand performance troubleshooting.

+## Map records

+One record is generated per hour for each unique computer and process, in addition to the records that are generated when a process or computer starts or is added to VM insights. The fields and values in the ServiceMapComputer_CL events map to fields of the Machine resource in the ServiceMap Azure Resource Manager API. The fields and values in the ServiceMapProcess_CL events map to the fields of the Process resource in the ServiceMap Azure Resource Manager API. The ResourceName_s field matches the name field in the corresponding Resource Manager resource.

+There are internally generated properties you can use to identify unique processes and computers:

+- Computer: Use *ResourceId* or *ResourceName_s* to uniquely identify a computer within a Log Analytics workspace.

+- Process: Use *ResourceId* to uniquely identify a process within a Log Analytics workspace. *ResourceName_s* is unique within the context of the machine on which the process is running (MachineResourceName_s)

+Because multiple records can exist for a specified process and computer in a specified time range, queries can return more than one record for the same computer or process. To include only the most recent record, add `| summarize arg_max(TimeGenerated, *) by ResourceId` to the query.

+### Connections and ports

+The Connection Metrics feature introduces two new tables in Azure Monitor logs - VMConnection and VMBoundPort. These tables provide information about the connections for a machine (inbound and outbound), as well as the server ports that are open/active on them. ConnectionMetrics are also exposed via APIs that provide the means to obtain a specific metric during a time window. TCP connections resulting from *accepting* on a listening socket are inbound, while those created by *connecting* to a given IP and port are outbound. The direction of a connection is represented by the Direction property, which can be set to either **inbound** or **outbound**.

+Records in these tables are generated from data reported by the Dependency Agent. Every record represents an observation over a 1-minute time interval. The TimeGenerated property indicates the start of the time interval. Each record contains information to identify the respective entity, that is, connection or port, as well as metrics associated with that entity. Currently, only network activity that occurs using TCP over IPv4 is reported.

+#### Common fields and conventions

+The following fields and conventions apply to both VMConnection and VMBoundPort:

+- Computer: Fully-qualified domain name of reporting machine

+- AgentId: The unique identifier for a machine with the Log Analytics agent

+- Machine: Name of the Azure Resource Manager resource for the machine exposed by ServiceMap. It is of the form *m-{GUID}*, where *GUID* is the same GUID as AgentId

+- Process: Name of the Azure Resource Manager resource for the process exposed by ServiceMap. It is of the form *p-{hex string}*. Process is unique within a machine scope and to generate a unique process ID across machines, combine Machine and Process fields.

+- ProcessName: Executable name of the reporting process.

+- All IP addresses are strings in IPv4 canonical format, for example *13.107.3.160*

+To manage cost and complexity, connection records do not represent individual physical network connections. Multiple physical network connections are grouped into a logical connection, which is then reflected in the respective table. Meaning, records in *VMConnection* table represent a logical grouping and not the individual physical connections that are being observed. Physical network connection sharing the same value for the following attributes during a given one-minute interval, are aggregated into a single logical record in *VMConnection*.

+| Property | Description |

+|:--|:--|

+|Direction |Direction of the connection, value is *inbound* or *outbound* |

+|Machine |The computer FQDN |

+|Process |Identity of process or groups of processes, initiating/accepting the connection |

+|SourceIp |IP address of the source |

+|DestinationIp |IP address of the destination |

+|DestinationPort |Port number of the destination |

+|Protocol |Protocol used for the connection. Values is *tcp*. |

+To account for the impact of grouping, information about the number of grouped physical connections is provided in the following properties of the record:

+| Property | Description |

+|:--|:--|

+|LinksEstablished |The number of physical network connections that have been established during the reporting time window |

+|LinksTerminated |The number of physical network connections that have been terminated during the reporting time window |

+|LinksFailed |The number of physical network connections that have failed during the reporting time window. This information is currently available only for outbound connections. |

+|LinksLive |The number of physical network connections that were open at the end of the reporting time window|

+#### Metrics

+In addition to connection count metrics, information about the volume of data sent and received on a given logical connection or network port are also included in the following properties of the record:

+| Property | Description |

+|:--|:--|

+|BytesSent |Total number of bytes that have been sent during the reporting time window |

+|BytesReceived |Total number of bytes that have been received during the reporting time window |

+|Responses |The number of responses observed during the reporting time window.

+|ResponseTimeMax |The largest response time (milliseconds) observed during the reporting time window. If no value, the property is blank.|

+|ResponseTimeMin |The smallest response time (milliseconds) observed during the reporting time window. If no value, the property is blank.|

+|ResponseTimeSum |The sum of all response times (milliseconds) observed during the reporting time window. If no value, the property is blank.|

+The third type of data being reported is response time - how long does a caller spend waiting for a request sent over a connection to be processed and responded to by the remote endpoint. The response time reported is an estimation of the true response time of the underlying application protocol. It is computed using heuristics based on the observation of the flow of data between the source and destination end of a physical network connection. Conceptually, it is the difference between the time the last byte of a request leaves the sender, and the time when the last byte of the response arrives back to it. These two timestamps are used to delineate request and response events on a given physical connection. The difference between them represents the response time of a single request.

+In this first release of this feature, our algorithm is an approximation that may work with varying degree of success depending on the actual application protocol used for a given network connection. For example, the current approach works well for request-response based protocols such as HTTP(S), but does not work with one-way or message queue-based protocols.

+Here are some important points to consider:

+1. If a process accepts connections on the same IP address but over multiple network interfaces, a separate record for each interface will be reported.

+2. Records with wildcard IP will contain no activity. They are included to represent the fact that a port on the machine is open to inbound traffic.

+3. To reduce verbosity and data volume, records with wildcard IP will be omitted when there is a matching record (for the same process, port, and protocol) with a specific IP address. When a wildcard IP record is omitted, the IsWildcardBind record property with the specific IP address, will be set to "True" to indicate that the port is exposed over every interface of the reporting machine.

+4. Ports that are bound only on a specific interface have IsWildcardBind set to *False*.

+#### Naming and Classification

+For convenience, the IP address of the remote end of a connection is included in the RemoteIp property. For inbound connections, RemoteIp is the same as SourceIp, while for outbound connections, it is the same as DestinationIp. The RemoteDnsCanonicalNames property represents the DNS canonical names reported by the machine for RemoteIp. The RemoteDnsQuestions property represents the DNS questions reported by the machine for RemoteIp. The RemoveClassification property is reserved for future use.

+#### Geolocation

+*VMConnection* also includes geolocation information for the remote end of each connection record in the following properties of the record:

+| Property | Description |

+|:--|:--|

+|RemoteCountry |The name of the country/region hosting RemoteIp. For example, *United States* |

+|RemoteLatitude |The geolocation latitude. For example, *47.68* |

+|RemoteLongitude |The geolocation longitude. For example, *-122.12* |

+#### Malicious IP

+Every RemoteIp property in *VMConnection* table is checked against a set of IPs with known malicious activity. If the RemoteIp is identified as malicious the following properties will be populated (they are empty, when the IP is not considered malicious) in the following properties of the record:

+| Property | Description |

+|:--|:--|

+|MaliciousIp |The RemoteIp address |

+|IndicatorThreadType |Threat indicator detected is one of the following values, *Botnet*, *C2*, *CryptoMining*, *Darknet*, *DDos*, *MaliciousUrl*, *Malware*, *Phishing*, *Proxy*, *PUA*, *Watchlist*. |

+|Description |Description of the observed threat. |

+|TLPLevel |Traffic Light Protocol (TLP) Level is one of the defined values, *White*, *Green*, *Amber*, *Red*. |

+|Confidence |Values are *0 ΓÇô 100*. |

+|Severity |Values are *0 ΓÇô 5*, where *5* is the most severe and *0* is not severe at all. Default value is *3*. |

+|FirstReportedDateTime |The first time the provider reported the indicator. |

+|LastReportedDateTime |The last time the indicator was seen by Interflow. |

+|IsActive |Indicates indicators are deactivated with *True* or *False* value. |

+|ReportReferenceLink |Links to reports related to a given observable. |

+|AdditionalInformation |Provides additional information, if applicable, about the observed threat. |

+### Ports

+Ports on a machine that actively accept incoming traffic or could potentially accept traffic, but are idle during the reporting time window, are written to the VMBoundPort table.

+Every record in VMBoundPort is identified by the following fields:

+| Property | Description |

+|:--|:--|

+|Process | Identity of process (or groups of processes) with which the port is associated with.|

+|Ip | Port IP address (can be wildcard IP, *0.0.0.0*) |

+|Port |The Port number |

+|Protocol | The protocol. Example, *tcp* or *udp* (only *tcp* is currently supported).|

+

+The identity a port is derived from the above five fields and is stored in the PortId property. This property can be used to quickly find records for a specific port across time.

+#### Metrics

+Port records include metrics representing the connections associated with them. Currently, the following metrics are reported (the details for each metric are described in the previous section):

+- BytesSent and BytesReceived

+- LinksEstablished, LinksTerminated, LinksLive

+- ResposeTime, ResponseTimeMin, ResponseTimeMax, ResponseTimeSum

+Here are some important points to consider:

+- If a process accepts connections on the same IP address but over multiple network interfaces, a separate record for each interface will be reported.

+- Records with wildcard IP will contain no activity. They are included to represent the fact that a port on the machine is open to inbound traffic.

+- To reduce verbosity and data volume, records with wildcard IP will be omitted when there is a matching record (for the same process, port, and protocol) with a specific IP address. When a wildcard IP record is omitted, the *IsWildcardBind* property for the record with the specific IP address, will be set to *True*. This indicates the port is exposed over every interface of the reporting machine.

+- Ports that are bound only on a specific interface have IsWildcardBind set to *False*.

+### VMComputer records

+Records with a type of *VMComputer* have inventory data for servers with the Dependency agent. These records have the properties in the following table:

+| Property | Description |

+|:--|:--|

+|TenantId | The unique identifier for the workspace |

+|SourceSystem | *Insights* |

+|TimeGenerated | Timestamp of the record (UTC) |

+|Computer | The computer FQDN |

+|AgentId | The unique ID of the Log Analytics agent |

+|Machine | Name of the Azure Resource Manager resource for the machine exposed by ServiceMap. It is of the form *m-{GUID}*, where *GUID* is the same GUID as AgentId. |

+|DisplayName | Display name |

+|FullDisplayName | Full display name |

+|HostName | The name of machine without domain name |

+|BootTime | The machine boot time (UTC) |

+|TimeZone | The normalized time zone |

+|VirtualizationState | *virtual*, *hypervisor*, *physical* |

+|Ipv4Addresses | Array of IPv4 addresses |

+|Ipv4SubnetMasks | Array of IPv4 subnet masks (in the same order as Ipv4Addresses). |

+|Ipv4DefaultGateways | Array of IPv4 gateways |

+|Ipv6Addresses | Array of IPv6 addresses |

+|MacAddresses | Array of MAC addresses |

+|DnsNames | Array of DNS names associated with the machine. |

+|DependencyAgentVersion | The version of the Dependency agent running on the machine. |

+|OperatingSystemFamily | *Linux*, *Windows* |

+|OperatingSystemFullName | The full name of the operating system |

+|PhysicalMemoryMB | The physical memory in megabytes |

+|Cpus | The number of processors |

+|CpuSpeed | The CPU speed in MHz |

+|VirtualMachineType | *hyperv*, *vmware*, *xen* |

+|VirtualMachineNativeId | The VM ID as assigned by its hypervisor |

+|VirtualMachineNativeName | The name of the VM |

+|VirtualMachineHypervisorId | The unique identifier of the hypervisor hosting the VM |

+|HypervisorType | *hyperv* |

+|HypervisorId | The unique ID of the hypervisor |

+|HostingProvider | *azure* |

+|_ResourceId | The unique identifier for an Azure resource |

+|AzureSubscriptionId | A globally unique identifier that identifies your subscription |

+|AzureResourceGroup | The name of the Azure resource group the machine is a member of. |

+|AzureResourceName | The name of the Azure resource |

+|AzureLocation | The location of the Azure resource |

+|AzureUpdateDomain | The name of the Azure update domain |

+|AzureFaultDomain | The name of the Azure fault domain |

+|AzureVmId | The unique identifier of the Azure virtual machine |

+|AzureSize | The size of the Azure VM |

+|AzureImagePublisher | The name of the Azure VM publisher |

+|AzureImageOffering | The name of the Azure VM offer type |

+|AzureImageSku | The SKU of the Azure VM image |

+|AzureImageVersion | The version of the Azure VM image |

+|AzureCloudServiceName | The name of the Azure cloud service |

+|AzureCloudServiceDeployment | Deployment ID for the Cloud Service |

+|AzureCloudServiceRoleName | Cloud Service role name |

+|AzureCloudServiceRoleType | Cloud Service role type: *worker* or *web* |

+|AzureCloudServiceInstanceId | Cloud Service role instance ID |

+|AzureVmScaleSetName | The name of the virtual machine scale set |

+|AzureVmScaleSetDeployment | Virtual machine scale set deployment ID |

+|AzureVmScaleSetResourceId | The unique identifier of the virtual machine scale set resource.|

+|AzureVmScaleSetInstanceId | The unique identifier of the virtual machine scale set |

+|AzureServiceFabricClusterId | The unique identifer of the Azure Service Fabric cluster |

+|AzureServiceFabricClusterName | The name of the Azure Service Fabric cluster |

+### VMProcess records

+Records with a type of *VMProcess* have inventory data for TCP-connected processes on servers with the Dependency agent. These records have the properties in the following table:

+| Property | Description |

+|:--|:--|

+|TenantId | The unique identifier for the workspace |

+|SourceSystem | *Insights* |

+|TimeGenerated | Timestamp of the record (UTC) |

+|Computer | The computer FQDN |

+|AgentId | The unique ID of the Log Analytics agent |

+|Machine | Name of the Azure Resource Manager resource for the machine exposed by ServiceMap. It is of the form *m-{GUID}*, where *GUID* is the same GUID as AgentId. |

+|Process | The unique identifier of the Service Map process. It is in the form of *p-{GUID}*.

+|ExecutableName | The name of the process executable |

+|DisplayName | Process display name |

+|Role | Process role: *webserver*, *appServer*, *databaseServer*, *ldapServer*, *smbServer* |

+|Group | Process group name. Processes in the same group are logically related, e.g., part of the same product or system component. |

+|StartTime | The process pool start time |

+|FirstPid | The first PID in the process pool |

+|Description | The process description |

+|CompanyName | The name of the company |

+|InternalName | The internal name |

+|ProductName | The name of the product |

+|ProductVersion | The version of the product |

+|FileVersion | The version of the file |

+|ExecutablePath |The path of the executable |

+|CommandLine | The command line |

+|WorkingDirectory | The working directory |

+|Services | An array of services under which the process is executing |

+|UserName | The account under which the process is executing |

+|UserDomain | The domain under which the process is executing |

+|_ResourceId | The unique identifier for a process within the workspace |

+## Sample map queries

+### List all known machines

+```kusto

+VMComputer | summarize arg_max(TimeGenerated, *) by _ResourceId

+```

+### When was the VM last rebooted

+```kusto

+let Today = now(); VMComputer | extend DaysSinceBoot = Today - BootTime | summarize by Computer, DaysSinceBoot, BootTime | sort by BootTime asc

+```

+### Summary of Azure VMs by image, location, and SKU

+```kusto

+VMComputer | where AzureLocation != "" | summarize by Computer, AzureImageOffering, AzureLocation, AzureImageSku

+```

+### List the physical memory capacity of all managed computers

+```kusto

+VMComputer | summarize arg_max(TimeGenerated, *) by _ResourceId | project PhysicalMemoryMB, Computer

+```

+### List computer name, DNS, IP, and OS

+```kusto

+VMComputer | summarize arg_max(TimeGenerated, *) by _ResourceId | project Computer, OperatingSystemFullName, DnsNames, Ipv4Addresses

+```

+### Find all processes with "sql" in the command line

+```kusto

+VMProcess | where CommandLine contains_cs "sql" | summarize arg_max(TimeGenerated, *) by _ResourceId

+```

+### Find a machine (most recent record) by resource name

+```kusto

+search in (VMComputer) "m-4b9c93f9-bc37-46df-b43c-899ba829e07b" | summarize arg_max(TimeGenerated, *) by _ResourceId

+```

+### Find a machine (most recent record) by IP address

+```kusto

+search in (VMComputer) "10.229.243.232" | summarize arg_max(TimeGenerated, *) by _ResourceId

+```

+### List all known processes on a specified machine

+```kusto

+VMProcess | where Machine == "m-559dbcd8-3130-454d-8d1d-f624e57961bc" | summarize arg_max(TimeGenerated, *) by _ResourceId

+```

+### List all computers running SQL Server

+```kusto

+VMComputer | where AzureResourceName in ((search in (VMProcess) "*sql*" | distinct Machine)) | distinct Computer

+```

+### List all unique product versions of curl in my datacenter

+```kusto

+VMProcess | where ExecutableName == "curl" | distinct ProductVersion

+```

+### Create a computer group of all computers running CentOS

+```kusto

+VMComputer | where OperatingSystemFullName contains_cs "CentOS" | distinct Computer

+```

+### Bytes sent and received trends

+```kusto

+VMConnection | summarize sum(BytesSent), sum(BytesReceived) by bin(TimeGenerated,1hr), Computer | order by Computer desc | render timechart

+```

+### Which Azure VMs are transmitting the most bytes

+```kusto

+VMConnection | join kind=fullouter(VMComputer) on $left.Computer == $right.Computer | summarize count(BytesSent) by Computer, AzureVMSize | sort by count_BytesSent desc

+```

+### Link status trends

+```kusto

+VMConnection | where TimeGenerated >= ago(24hr) | where Computer == "acme-demo" | summarize dcount(LinksEstablished), dcount(LinksLive), dcount(LinksFailed), dcount(LinksTerminated) by bin(TimeGenerated, 1h) | render timechart

+```

+### Connection failures trend

+```kusto

+VMConnection | where Computer == "acme-demo" | extend bythehour = datetime_part("hour", TimeGenerated) | project bythehour, LinksFailed | summarize failCount = count() by bythehour | sort by bythehour asc | render timechart

+```

+### Bound Ports

+```kusto

+VMBoundPort

+| where TimeGenerated >= ago(24hr)

+| where Computer == 'admdemo-appsvr'

+| distinct Port, ProcessName

+```

+### Number of open ports across machines

+```kusto

+VMBoundPort

+| where Ip != "127.0.0.1"

+| summarize by Computer, Machine, Port, Protocol

+| summarize OpenPorts=count() by Computer, Machine

+| order by OpenPorts desc

+```

+### Score processes in your workspace by the number of ports they have open

+```kusto

+VMBoundPort

+| where Ip != "127.0.0.1"

+| summarize by ProcessName, Port, Protocol

+| summarize OpenPorts=count() by ProcessName

+| order by OpenPorts desc

+```

+### Aggregate behavior for each port

+This query can then be used to score ports by activity, e.g., ports with most inbound/outbound traffic, ports with most connections

+```kusto

+//

+VMBoundPort

+| where Ip != "127.0.0.1"

+| summarize BytesSent=sum(BytesSent), BytesReceived=sum(BytesReceived), LinksEstablished=sum(LinksEstablished), LinksTerminated=sum(LinksTerminated), arg_max(TimeGenerated, LinksLive) by Machine, Computer, ProcessName, Ip, Port, IsWildcardBind

+| project-away TimeGenerated

+| order by Machine, Computer, Port, Ip, ProcessName

+```

+### Summarize the outbound connections from a group of machines

+```kusto

+// the machines of interest

+let machines = datatable(m: string) ["m-82412a7a-6a32-45a9-a8d6-538354224a25"];

+// map of ip to monitored machine in the environment

+let ips=materialize(VMComputer

+| summarize ips=makeset(todynamic(Ipv4Addresses)) by MonitoredMachine=AzureResourceName

+| mvexpand ips to typeof(string));

+// all connections to/from the machines of interest

+let out=materialize(VMConnection

+| where Machine in (machines)

+| summarize arg_max(TimeGenerated, *) by ConnectionId);

+// connections to localhost augmented with RemoteMachine

+let local=out

+| where RemoteIp startswith "127."

+| project ConnectionId, Direction, Machine, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine=Machine;

+// connections not to localhost augmented with RemoteMachine

+let remote=materialize(out

+| where RemoteIp !startswith "127."

+| join kind=leftouter (ips) on $left.RemoteIp == $right.ips

+| summarize by ConnectionId, Direction, Machine, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine=MonitoredMachine);

+// the remote machines to/from which we have connections

+let remoteMachines = remote | summarize by RemoteMachine;

+// all augmented connections

+(local)

+| union (remote)

+//Take all outbound records but only inbound records that come from either //unmonitored machines or monitored machines not in the set for which we are computing dependencies.

+| where Direction == 'outbound' or (Direction == 'inbound' and RemoteMachine !in (machines))

+| summarize by ConnectionId, Direction, Machine, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol, RemoteIp, RemoteMachine

+// identify the remote port

+| extend RemotePort=iff(Direction == 'outbound', DestinationPort, 0)

+// construct the join key we'll use to find a matching port

+| extend JoinKey=strcat_delim(':', RemoteMachine, RemoteIp, RemotePort, Protocol)

+// find a matching port

+| join kind=leftouter (VMBoundPort

+| where Machine in (remoteMachines)

+| summarize arg_max(TimeGenerated, *) by PortId

+| extend JoinKey=strcat_delim(':', Machine, Ip, Port, Protocol)) on JoinKey

+// aggregate the remote information

+| summarize Remote=makeset(iff(isempty(RemoteMachine), todynamic('{}'), pack('Machine', RemoteMachine, 'Process', Process1, 'ProcessName', ProcessName1))) by ConnectionId, Direction, Machine, Process, ProcessName, SourceIp, DestinationIp, DestinationPort, Protocol

+```

+## Performance records

+Records with a type of *InsightsMetrics* have performance data from the guest operating system of the virtual machine. These records have the properties in the following table:

+| Property | Description |

+|:--|:--|

+|TenantId | Unique identifier for the workspace |

+|SourceSystem | *Insights* |

+|TimeGenerated | Time the value was collected (UTC) |

+|Computer | The computer FQDN |

+|Origin | *vm.azm.ms* |

+|Namespace | Category of the performance counter |

+|Name | Name of the performance counter |

+|Val | Collected value |

+|Tags | Related details about the record. See the table below for tags used with different record types. |

+|AgentId | Unique identifier for each computer's agent |

+|Type | *InsightsMetrics* |

+|_ResourceId_ | Resource ID of the virtual machine |

+The performance counters currently collected into the *InsightsMetrics* table are listed in the following table:

+| Namespace | Name | Description | Unit | Tags |

+|:|:|:|:|:|

+| Computer | Heartbeat | Computer Heartbeat | | |

+| Memory | AvailableMB | Memory Available Bytes | Megabytes | memorySizeMB - Total memory size|

+| Network | WriteBytesPerSecond | Network Write Bytes Per Second | BytesPerSecond | NetworkDeviceId - Id of the device<br>bytes - Total sent bytes |

+| Network | ReadBytesPerSecond | Network Read Bytes Per Second | BytesPerSecond | networkDeviceId - Id of the device<br>bytes - Total received bytes |

+| Processor | UtilizationPercentage | Processor Utilization Percentage | Percent | totalCpus - Total CPUs |

+| LogicalDisk | WritesPerSecond | Logical Disk Writes Per Second | CountPerSecond | mountId - Mount ID of the device |

+| LogicalDisk | WriteLatencyMs | Logical Disk Write Latency Millisecond | MilliSeconds | mountId - Mount ID of the device |

+| LogicalDisk | WriteBytesPerSecond | Logical Disk Write Bytes Per Second | BytesPerSecond | mountId - Mount ID of the device |

+| LogicalDisk | TransfersPerSecond | Logical Disk Transfers Per Second | CountPerSecond | mountId - Mount ID of the device |

+| LogicalDisk | TransferLatencyMs | Logical Disk Transfer Latency Millisecond | MilliSeconds | mountId - Mount ID of the device |

+| LogicalDisk | ReadsPerSecond | Logical Disk Reads Per Second | CountPerSecond | mountId - Mount ID of the device |

+| LogicalDisk | ReadLatencyMs | Logical Disk Read Latency Millisecond | MilliSeconds | mountId - Mount ID of the device |

+| LogicalDisk | ReadBytesPerSecond | Logical Disk Read Bytes Per Second | BytesPerSecond | mountId - Mount ID of the device |

+| LogicalDisk | FreeSpacePercentage | Logical Disk Free Space Percentage | Percent | mountId - Mount ID of the device |

+| LogicalDisk | FreeSpaceMB | Logical Disk Free Space Bytes | Megabytes | mountId - Mount ID of the device<br>diskSizeMB - Total disk size |

+| LogicalDisk | BytesPerSecond | Logical Disk Bytes Per Second | BytesPerSecond | mountId - Mount ID of the device |

+## Next steps

+* If you are new to writing log queries in Azure Monitor, review [how to use Log Analytics](../logs/log-analytics-tutorial.md) in the Azure portal to write log queries.

+* Learn about [writing search queries](../logs/get-started-queries.md).

+> [!NOTE]

+> VM insights does not currently support [Azure Monitor agent](../agents/azure-monitor-agent-overview.md). You can

+ 2. Select **Edit**.

+1. Before converting the volume:

+ 1. Unmount it from the clients in preparation. See [Mount or unmount a volume](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md).

+ Example:

+ `sudo umount /path/to/vol1`

+ 2. Change the export policy to read-only. See [Configure export policy for NFS or dual-protocol volumes](azure-netapp-files-configure-export-policy.md).

+ 2. Select **Edit**.

+ `vol1:/path/to/vol1 on /path type nfs (rw,intr,tcp,nfsvers=3,rsize=16384,wsize=16384,addr=192.168.1.1)`.

+7. Change the read-only export policy back to the original export policy. See See [Configure export policy for NFS or dual-protocol volumes](azure-netapp-files-configure-export-policy.md).

+8. Verify access using root and non-root users.

+This article compares the capabilities of **Azure Video Indexer APIs** and **Media Services v3 APIs**.

+> It's mandatory to have the following three accounts in the same region: the Azure Video Indexer account that you're connecting with the Media Services account, as well as the Azure storage account connected to the same Media Services account. When you create an Azure Video Indexer account and connect it to Media Services, the media and metadata files are stored in the Azure storage account associated with that Media Services account.

+- See [Monitoring Azure Video Indexer](monitor-video-indexer.md) for a description of monitoring Azure Video Indexer.

+description: This article gives an overview of the Azure Video Indexer network security options.

+Azure Video Indexer is a service hosted on Azure. In some architecture cases the service needs to interact with other services in order to index video files (that is, a Storage Account) or when a customer orchestrates indexing jobs against our API endpoint using their own service hosted on Azure (i.e AKS, Web Apps, Logic Apps, Functions). Customers who would like to limit access to their resources on a network level can use [Network Security Groups with Service Tags](/azure/virtual-network/service-tags-overview). A service tag represents a group of IP address prefixes from a given Azure service, in this case Azure Video Indexer. Microsoft manages the address prefixes grouped by the service tag and automatically updates the service tag as addresses change in our backend, minimizing the complexity of frequent updates to network security rules by the customer.

+This article shows how to index videos stored on OneDrive by using the Azure Video Indexer website.

+> [!NOTE]

+> The following sample is intended for Classic accounts only and isn't compatible with ARM accounts. For an updated sample for ARM, see [this ARM sample repo](https://github.com/Azure-Samples/media-services-video-indexer/blob/master/ApiUsage/ArmBased/Program.cs).

+Azure Video Indexer analyzes the video and audio content by running 30+ AI models, generating rich insights. Below is an illustration of the audio and video analysis performed by Azure Video Indexer in the background.

+To start extracting insights with Azure Video Indexer, you need to [create an account](connect-to-azure.md) and upload videos, see the [how can i get started](#how-can-i-get-started-with-azure-video-indexer) section below.

+* *Content creation*: Create trailers, highlight reels, social media content, or news clips based on the insights Azure Video Indexer extracts from your content. Keyframes, scenes markers, and timestamps of the people and label appearances make the creation process smoother and easier, enabling you to easily get to the parts of the video you need when creating content.

+Azure VMware Solution currently supports the following regions:

+**America** : East US, West US, Central US, South Central US, North Central US, Canada East, Canada Central .

+**Europe** : North Europe, UK West, UK South, France Central, Switzerland West, Germany West Central.

+**Asia** : Southeast Asia, Japan West.

+**Australia** : Australia East, Australia Southeast.

+**Brazil** : Brazil South.

+The list of supported regions will expand as the preview progresses.

+>Before you enable Internet access to your Azure VMware Solution, review the [Internet connectivity design considerations](concepts-design-public-internet-access.md).

+1. Log on to the Azure portal.

+>Before selecting a Public IP, ensure you understand the implications to your existing environment. For more information, see [Internet connectivity design considerations](concepts-design-public-internet-access.md).

+The Distributed Firewall could be used to filter traffic to VMs. This feature is outside the scope of this document. For more information, see [NSX-T Distributed Firewall Administration Guide]( https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-6AB240DB-949C-4E95-A9A7-4AC6EF5E3036.html)git status.

+To enable this feature for your subscription, register the ```PIPOnNSXEnabled``` flag and follow these steps to [set up the preview feature in your Azure subscription](https://docs.microsoft.com/azure/azure-resource-manager/management/preview-features?tabs=azure-portal).

+ Title: Azure Web PubSub service data plane REST API reference overview

+description: Describes the REST APIs Azure Web PubSub supports to manage the WebSocket connections and send messages to them.

+# Azure Web PubSub service data plane REST API reference

+

+As illustrated by the above workflow graph, and also detailed workflow described in [internals](./concept-service-internals.md), your app server can send messages to clients or to manage the connected clients using REST APIs exposed by Web PubSub service. This article describes the REST APIs in detail.

+## Using REST API

+### Authenticate via Azure Web PubSub Service AccessKey

+In each HTTP request, an authorization header with a [JSON Web Token (JWT)](https://en.wikipedia.org/wiki/JSON_Web_Token) is required to authenticate with Azure Web PubSub Service.

+<a name="signing"></a>

+#### Signing Algorithm and Signature

+`HS256`, namely HMAC-SHA256, is used as the signing algorithm.

+You should use the `AccessKey` in Azure Web PubSub Service instance's connection string to sign the generated JWT token.

+#### Claims

+Below claims are required to be included in the JWT token.

+Claim Type | Is Required | Description

+||

+`aud` | true | Should be the **SAME** as your HTTP request url, trailing slash and query parameters not included. For example, a broadcast request's audience looks like: `https://example.webpubsub.azure.com/api/hubs/myhub`.

+`exp` | true | Epoch time when this token will be expired.

+A pseudo code in JS:

+```js

+const bearerToken = jwt.sign({}, connectionString.accessKey, {

+ audience: request.url,

+ expiresIn: "1h",

+ algorithm: "HS256",

+ });

+```

+### Authenticate via Azure Active Directory Token (Azure AD Token)

+Like using `AccessKey`, a [JSON Web Token (JWT)](https://en.wikipedia.org/wiki/JSON_Web_Token) is also required to authenticate the HTTP request.

+**The difference is**, in this scenario, JWT Token is generated by Azure Active Directory.

+[Learn how to generate Azure AD Tokens](/azure/active-directory/develop/reference-v2-libraries)

+You could also use **Role Based Access Control (RBAC)** to authorize the request from your server to Azure Web PubSub Service.

+[Learn how to configure Role Based Access Control roles for your resource](./howto-authorize-from-application.md#add-role-assignments-on-azure-portal)

+## APIs

+| Operation Group | Description |

+|--|-|

+|[Service Status](/rest/api/webpubsub/dataplane/health-api)| Provides operations to check the service status |

+|[Hub Operations](/rest/api/webpubsub/dataplane/web-pub-sub)| Provides operations to manage the connections and send messages to them. |

+Cloud Service deployments using legacy role sizes (such as Small or ExtraLarge). | The role sizes need to be updated before migration. Update all deployment artifacts to reference these new modern role sizes. For more information, see [Available VM sizes](available-sizes.md)|

+For assistance migrating your Cloud Services (classic) deployment to Cloud Services (extended support) see our [Support and troubleshooting](support-help.md) landing page.

+|German (Germany)|`de-DE`^{Public preview} |

+ Title: Create shared access signature (SAS) tokens for storage containers and blobs

+ "fileUri": "FILE-URI-PATH"

+| | Suppport for early media | ❌ |

+| | Support for early media | ❌ | ✔️ | ✔️ | ✔️ |

+ Title: Verify if a web browser is supported

+#Customer intent: As a developer, I can verify that a browser an end user is trying to do a call on is supported by Azure Communication Services.

+Enclave applications that do remote attestation need to generate a quote. The quote provides cryptographic proof of the identity and the state of the application, along with the enclave's host environment. Quote generation relies on certain trusted software components from Intel, which are part of the SGX Platform Software Components (PSW/DCAP). This PSW is packaged as a daemon set that runs per node. You can use PSW when requesting attestation quote from enclave apps. Using the AKS provided service helps better maintain the compatibility between the PSW and other SW components in the host. Read the feature details below.

+Intel supports two attestation modes to run the quote generation. For how to choose which type, see the [attestation type differences] (#attestation-type-differences).

+SGX applications are built using Open Enclave SDK by default use in-proc attestation mode. SGX-based applications allow out-of-proc and require extra hosting. These applications expose the required components such as Architectural Enclave Service Manager (AESM), external to the application.

+With out-of-proc, container owners donΓÇÖt need to manage updates within their container. Container owners instead rely on the provided interface that invokes the centralized service outside of the container.

+For out-of-proc, there's no concern of failures because of out-of-date PSW components. The quote generation involves the trusted SW components - Quoting Enclave (QE) & Provisioning Certificate Enclave (PCE), which are part of the trusted computing base (TCB). These SW components must be up to date to maintain the attestation requirements. The provider manages the updates to these components. Customers never have to deal with attestation failures because of out-of-date trusted SW components within their container.

+The abstract model applies to confidential workload scenarios. This model uses the already available AESM service. AESM is containerized and deployed as a daemon set across the Kubernetes cluster. Kubernetes guarantees a single instance of an AESM service container, wrapped in a pod, to be deployed on each agent node. The new SGX Quote daemon set has a dependency on the `sgx-device-plugin` daemon set, since the AESM service container would request EPC memory from `sgx-device-plugin` for launching QE and PCE enclaves.

+> If you are using a Intel SGX wrapper software (OSS/ISV) to run you unmodified containers the attestation interaction with hardware is typically handled for your higher level apps. Please refer to the attestation implementation per provider.

+By default, this service is not enabled for your AKS Cluster with "confcom" addon. Please update the addon with the below command

+```azurecli

+az aks addon update --addon confcom --name " YourAKSClusterName " --resource-group "YourResourceGroup " --enable-sgxquotehelper

+```

+Once the service is up, use the below docker sample for an Open Enclave-based application to validate the flow. Set the `SGX_AESM_ADDR=1` environment variable in the Docker file. Or, set the variable in the deployment file. Follow this sample for the Docker file and deployment YAML details.

+> The **libsgx-quote-ex** package from Intel needs to be packaged in the application container for out-of-proc attestation to work properly. The instructions below have the details.

+# this sets the flag for out of proc attestation mode, alternatively you can set this flag on the deployment files

+The deployment should succeed and allow your apps to perform remote attestation using the SGX Quote Helper service.

+To import an artifact by digest without adding a tag:

+```azurecli

+az acr import \

+ --name myregistry \

+ --source docker.io/library/hello-world@sha256:abc123 \

+ --repository hello-world

+```

+> When querying data in a table that has a compound primary key, if you want to filter on the partition key *and* any other non-indexed fields aside from the clustering key, ensure that you *explicitly add a secondary index on the partition key*:

+> Partition keys are not indexed by default in Cassandra API. If you have a [compound primary key](cassandra-partitioning.md#compound-primary-key) in your table, and you filter either on partition key and clustering key, or just partition key, this will give the desired behaviour. However, if you filter on partition key and any other non-indexed fields aside from the clustering key, this will result in a partition key fan-out - even if the other non-indexed fields have a secondary index. If you have a compound primary key in your table, and you want to filter on both the partition key value element of the compound primary key, plus another field that is not the partition key or clustering key, please ensure that you explicitly add a secondary index on the *partition key*. The index in this scenario should significantly improve query performance, even if the other non-partition key and non-clustering key fields have no index. Review our article on [partitioning](cassandra-partitioning.md) for more information.

+The Azure Consumption APIs give you programmatic access to cost and usage data for your Azure resources. These APIs currently only support Enterprise Enrollments, Web Direct Subscriptions (with a few exceptions), and CSP Azure plan subscriptions. The APIs are continually updated to support other types of Azure subscriptions.

+ versionSpec: '14.x'

+| **Exfiltration** | Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |

+ Title: How to use Defender for Containers to identify vulnerabilities in Microsoft Defender for Cloud

+This page explains how to use Defender for Containers to scan the container images stored in your Azure Resource Manager-based Azure Container Registry, as part of the protections provided within Microsoft Defender for Cloud.

+To enable scanning of vulnerabilities in containers, you have to [enable Defender for Containers](defender-for-containers-enable.md). When the scanner, powered by Qualys, reports vulnerabilities, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more. You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.

+ - A continuous scan based on an image pull. This scan is performed every seven days after an image was pulled, and only for 30 days after the image was pulled. This mode doesn't require the security profile, or extension.

+ - (Preview) Continuous scan for running images. This scan is performed every seven days for as long as the image runs. This mode runs instead of the above mode when the Defender profile, or extension is running on the cluster.

+This scan typically completes within 2 minutes, but it might take up to 40 minutes. For every vulnerability identified, Defender for Cloud provides actionable recommendations, along with a severity classification, and guidance for how to remediate the issue.

+1. [Enable Defender for Containers](defender-for-containers-enable.md) for your subscription. Defender for Containers is now ready to scan images in your registries.

+### How does Defender for Containers scan an image?

+Defender for Containers pulls the image from the registry and runs it in an isolated sandbox with the Qualys scanner. The scanner extracts a list of known vulnerabilities.

+If you connect unsupported registries to your Azure subscription, Defender for Containers won't scan them and won't bill you for them.

+| Compliance | Docker CIS | VM, VMSS | GA | X | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+The Splunk application can be installed locally ('Splunk Enterprise') or run on a cloud ('Splunk Cloud'). The Splunk integration along with Defender for IoT supports 'Splunk Enterprise' only.

+description: In this tutorial, you learn how to configure an Azure DNS alias record to reference an Azure public IP address.

+# Tutorial: Create an alias record to refer to an Azure public IP address

+You can create an alias record to reference an Azure resource. An example is an alias record that references an Azure public IP resource.

+> * Create a virtual network and a subnet.

+* An Azure account with an active subscription.

+* A domain name hosted in Azure DNS. If you don't have an Azure DNS zone, you can [create a DNS zone](./dns-delegate-domain-azure-dns.md#create-a-dns-zone), then [delegate your domain](dns-delegate-domain-azure-dns.md#delegate-the-domain) to Azure DNS.

+> [!NOTE]

+> In this tutorial, `contoso.com` is used as an example. Replace `contoso.com` with your own domain name.

+## Sign in to Azure

+Sign in to the Azure portal at https://portal.azure.com.

+Create a virtual network and a subnet to place your web server in.

+1. In the Azure portal, enter *virtual network* in the search box at the top of the portal, and then select **Virtual networks** from the search results.

+1. In **Virtual networks**, select **+ Create**.

+1. In **Create virtual network**, enter or select the following information in the **Basics** tab:

+ | **Setting** | **Value** |

+ |-||

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **Create new** </br> In **Name**, enter **PIPResourceGroup** </br> Select **OK** |

+ | **Instance details** | |

+ | Name | Enter **myPIPVNet** |

+ | Region | Select your region |

+1. Select the **IP Addresses** tab or select the **Next: IP Addresses** button at the bottom of the page.

+1. In the **IP Addresses** tab, enter the following information:

+ | Setting | Value |

+ |--|-|

+ | IPv4 address space | Enter **10.10.0.0/16** |

+1. Select **+ Add subnet**, and enter this information in the **Add subnet**:

+ | Setting | Value |

+ |-|-|

+ | Subnet name | Enter **WebSubnet** |

+ | Subnet address range | Enter **10.10.0.0/24** |

+1. Select **Add**.

+1. Select the **Review + create** tab or select the **Review + create** button.

+1. Select **Create**.

+Create a Windows Server virtual machine and then install IIS web server on it.

+### Create the virtual machine

+Create a Windows Server 2019 virtual machine.

+1. In the Azure portal, enter *virtual machine* in the search box at the top of the portal, and then select **Virtual machines** from the search results.

+1. In **Virtual machines**, select **+ Create** and then select **Azure virtual machine**.

+1. In **Create a virtual machine**, enter or select the following information in the **Basics** tab:

+ | **Setting** | **Value** |

+ |||

+ | **Project Details** | |

+ | Subscription | Select your Azure subscription |

+ | Resource Group | Select **RG-DNS-Alias-pip** |

+ | **Instance details** | |

+ | Virtual machine name | Enter **Web-01** |

+ | Region | Select **(US) East US** |

+ | Availability options | Select **No infrastructure redundancy required** |

+ | Security type | Select **Standard**. |

+ | Image | Select **Windows Server 2019 Datacenter - Gen2** |

+ | Size | Choose VM size or take default setting |

+ | **Administrator account** | |

+ | Username | Enter a username |

+ | Password | Enter a password |

+ | Confirm password | Reenter password |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None** |

+1. Select the **Networking** tab, or select **Next: Disks**, then **Next: Networking**.

+1. In the **Networking** tab, enter or select the following information:

+ | Setting | Value |

+ ||-|

+ | **Network interface** | |

+ | Virtual network | **myPIPVNet** |

+ | Subnet | **WebSubnet** |

+ | Public IP | Take the default public IP |

+ | NIC network security group | Select **Basic**|

+ | Public inbound ports | Select **Allow selected ports** |

+ | Select inbound ports | Select **HTTP (80)**, **HTTPS (443)** and **RDP (3389)** |

+1. Select **Review + create**.

+1. Review the settings, and then select **Create**.

+This deployment may take a few minutes to complete.

+> [!NOTE]

+> **Web-01** virtual machine has an attached NIC with a basic dynamic public IP that changes every time the virtual machine is restarted.

+### Install IIS web server

+Install IIS web server on **Web-01**.

+1. In the **Overview** page of **Web-01**, select **Connect** and then **RDP**.

+1. In the **RDP** page, select **Download RDP File**.

+1. Open *Web-01.rdp*, and select **Connect**.

+1. Enter the username and password entered during virtual machine creation.

+1. On the **Server Manager** dashboard, select **Manage** then **Add Roles and Features**.

+1. Select **Server Roles** or select **Next** three times. On the **Server Roles** page, select **Web Server (IIS)**.

+1. Select **Add Features**, and then select **Next**.

+1. Select **Confirmation** or select **Next** three times, and then select **Install**. The installation process takes a few minutes to finish.

+1. After the installation finishes, select **Close**.

+1. Open a web browser. Browse to **localhost** to verify that the default IIS web page appears.

+ :::image type="content" source="./media/tutorial-alias-pip/iis-web-server.png" alt-text="Screenshot of Internet Explorer showing the I I S Web Server Welcome page.":::

+1. In the Azure portal, enter *contoso.com* in the search box at the top of the portal, and then select **contoso.com** DNS zone from the search results.

+1. In the **Overview** page, select the **+ Record set** button.

+1. In the **Add record set**, enter *web01* in the **Name**.

+1. Select **A** for the **Type**.

+1. Select **Yes** for the **Alias record set**, and then select the **Azure Resource** for the **Alias type**.

+1. Select the **Web-01-ip** public IP address for the **Azure resource**.

+1. Select **OK**.

+ :::image type="content" source="./media/tutorial-alias-pip/add-public-ip-alias-inline.png" alt-text="Screenshot of adding an alias record to refer to the Azure public IP of the I I S web server using the Add record set page." lightbox="./media/tutorial-alias-pip/add-public-ip-alias-expanded.png":::

+1. In the Azure portal, enter *virtual machine* in the search box at the top of the portal, and then select **Virtual machines** from the search results.

+1. Select the **Web-01** virtual machine. Note the public IP address in the **Overview** page.

+1. From a web browser, browse to `web01.contoso.com`, which is the fully qualified domain name of the **Web-01** virtual machine. You now see the IIS welcome web page.

+1. Close the web browser.

+1. Stop the **Web-01** virtual machine, and then restart it.

+1. After the virtual machine restarts, note the new public IP address for the virtual machine.

+1. From a web browser, browse again to `web01.contoso.com`.

+This procedure succeeds because you used an alias record to point to the public IP resource instead of a standard A record that points to the public IP address, not the resource.

+When no longer needed, you can delete all resources created in this tutorial by deleting the **RG-DNS-Alias-pip** resource group and the alias record **web01** from **contoso.com** DNS zone.

+In this tutorial, you created an alias record to refer to an Azure public IP address resource. To learn how to create an alias record to support domain name apex with Traffic Manager, continue with the alias records for Traffic Manager tutorial.

+> [Create alias records for Traffic Manager](./tutorial-alias-tm.md)

+description: In this tutorial, you learn how to configure an alias record to reference a resource record within the zone.

+> * Create a resource record in the zone.

+> * Create an alias record for the resource record.

+* An Azure account with an active subscription.

+* A domain name hosted in Azure DNS. If you don't have an Azure DNS zone, you can [create a DNS zone](./dns-delegate-domain-azure-dns.md#create-a-dns-zone), then [delegate your domain](dns-delegate-domain-azure-dns.md#delegate-the-domain) to Azure DNS.

+> [!NOTE]

+> In this tutorial, `contoso.com` is used as an example. Replace `contoso.com` with your own domain name.

+## Sign in to Azure

+Sign in to the Azure portal at https://portal.azure.com.

+1. In the Azure portal, enter *contoso.com* in the search box at the top of the portal, and then select **contoso.com** DNS zone from the search results.

+1. In the **Overview** page, select the **+Record set** button.

+1. In the **Add record set**, enter *server* in the **Name**.

+1. Select **A** for the **Type**.

+1. Enter *10.10.10.10* in the **IP address**.

+1. Select **OK**.

+ :::image type="content" source="./media/tutorial-alias-rr/add-record-set-inline.png" alt-text="Screentshot of adding the target record set in the Add record set page." lightbox="./media/tutorial-alias-rr/add-record-set-expanded.png":::

+1. In the **Overview** page of **contoso.com** DNS zone, select the **+Record set** button.

+1. In the **Add record set**, enter *test* in the **Name**.

+1. Select **A** for the **Type**.

+1. Select **Yes** for the **Alias record set**, and then select the **Zone record set** for the **Alias type**.

+1. Select the **server** record for the **Zone record set**.

+1. Select **OK**.

+ :::image type="content" source="./media/tutorial-alias-rr/add-alias-record-set-inline.png" alt-text="Screentshot of adding the alias record set in the Add record set page." lightbox="./media/tutorial-alias-rr/add-alias-record-set-expanded.png":::

+After adding the alias record, you can verify that it's working by using a tool such as *nslookup* to query the `test` A record.

+> [!TIP]

+> You may need to wait at least 10 minutes after you add a record to successfully verify that it's working. It can take a while for changes to propagate through the DNS system.

+1. From a command prompt, enter the `nslookup` command:

+ ```

+ nslookup test.contoso.com

+ ```

+1. Verify that the response looks similar to the following output:

+ ```

+ Server: UnKnown

+ Address: 40.90.4.1

+ Name: test.contoso.com

+ Address: 10.10.10.10

+ ```

+1. In the **Overview** page of **contoso.com** DNS zone, select the **server** record, and then enter *10.11.11.11* in the **IP address**.

+1. Select **Save**.

+1. Wait a few minutes, and then use the `nslookup` command again. Verify the response changed to reflect the new IP address:

+ ```

+ Server: UnKnown

+ Address: 40.90.4.1

+ Name: test.contoso.com

+ Address: 10.11.11.11

+ ```

+## Clean up resources

+When you no longer need the resources created for this tutorial, delete the **server** and **test** records from your zone.

+In this tutorial, you learned the basic steps to create an alias record to refer to a resource record within the Azure DNS zone.

+- Learn more about [alias records](dns-alias.md).

+- Learn more about [zones and records](dns-zones-records.md).

+ Title: Azure Active Directory events

+description: This article describes Azure AD event types and provides event samples.

+# Azure Active Directory events

+This article provides the properties and schema for Azure Active Directory (Azure AD) events, which are published by Microsoft Graph API. For an introduction to event schemas, see [CloudEvents schema](cloud-event-schema.md).

+## Available event types

+These events are triggered when a [User](/graph/api/resources/user) or [Group](/graph/api/resources/group) is created, updated or deleted in Azure AD or by operating over those resources using Microsoft Graph API.

+ | Event name | Description |

+ | - | -- |

+ | **Microsoft.Graph.UserCreated** | Triggered when a user in Azure AD is created. |

+ | **Microsoft.Graph.UserUpdated** | Triggered when a user in Azure AD is updated. |

+ | **Microsoft.Graph.UserDeleted** | Triggered when a user in Azure AD is deleted. |

+ | **Microsoft.Graph.GroupCreated** | Triggered when a group in Azure AD is created. |

+ | **Microsoft.Graph.GroupUpdated** | Triggered when a group in Azure AD is updated. |

+ | **Microsoft.Graph.GroupDeleted** | Triggered when a group in Azure AD is deleted. |

+## Example event

+When an event is triggered, the Event Grid service sends data about that event to subscribing destinations. This section contains an example of what that data would look like for each Azure AD event.

+### Microsoft.Graph.UserCreated event

+```json

+[{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.UserCreated",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Users/<user-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "changeType": "created",

+ "clientState": "<guid>",

+ "resource": "Users/<user-id>",

+ "resourceData": {

+ "@odata.type": "#Microsoft.Graph.User",

+ "@odata.id": "Users/<user-id>",

+ "id": "<user-id>",

+ "organizationId": "<tenant-id>",

+ "eventTime": "2022-05-24T22:24:31.3062901Z",

+ "sequenceNumber": <sequence-number>

+ },

+ "subscriptionExpirationDateTime": "2022-05-24T23:21:19.3554403+00:00",

+ "subscriptionId": "<microsoft-graph-subscription-id>",

+ "tenantId": "<tenant-id>

+ }

+}]

+```

+### Microsoft.Graph.UserUpdated event

+```json

+[{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.UserUpdated",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Users/<user-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "changeType": "updated",

+ "clientState": "<guid>",

+ "resource": "Users/<user-id>",

+ "resourceData": {

+ "@odata.type": "#Microsoft.Graph.User",

+ "@odata.id": "Users/<user-id>",

+ "id": "<user-id>",

+ "organizationId": "<tenant-id>",

+ "eventTime": "2022-05-24T22:24:31.3062901Z",

+ "sequenceNumber": <sequence-number>

+ },

+ "subscriptionExpirationDateTime": "2022-05-24T23:21:19.3554403+00:00",

+ "subscriptionId": "<microsoft-graph-subscription-id>",

+ "tenantId": "<tenant-id>

+ }

+}]

+```

+### Microsoft.Graph.UserDeleted event

+```json

+[{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.UserDeleted",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Users/<user-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "changeType": "deleted",

+ "clientState": "<guid>",

+ "resource": "Users/<user-id>",

+ "resourceData": {

+ "@odata.type": "#Microsoft.Graph.User",

+ "@odata.id": "Users/<user-id>",

+ "id": "<user-id>",

+ "organizationId": "<tenant-id>",

+ "eventTime": "2022-05-24T22:24:31.3062901Z",

+ "sequenceNumber": <sequence-number>

+ },

+ "subscriptionExpirationDateTime": "2022-05-24T23:21:19.3554403+00:00",

+ "subscriptionId": "<microsoft-graph-subscription-id>",

+ "tenantId": "<tenant-id>

+ }

+}]

+```

+### Microsoft.Graph.GroupCreated event

+```json

+[{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.GroupCreated",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Groups/<group-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "changeType": "created",

+ "clientState": "<guid>",

+ "resource": "Groups/<group-id>",

+ "resourceData": {

+ "@odata.type": "#Microsoft.Graph.Group",

+ "@odata.id": "Groups/<group-id>",

+ "id": "<group-id>",

+ "organizationId": "<tenant-id>",

+ "eventTime": "2022-05-24T22:24:31.3062901Z",

+ "sequenceNumber": <sequence-number>

+ },

+ "subscriptionExpirationDateTime": "2022-05-24T23:21:19.3554403+00:00",

+ "subscriptionId": "<microsoft-graph-subscription-id>",

+ "tenantId": "<tenant-id>

+ }

+}]

+```

+### Microsoft.Graph.GroupUpdated event

+```json

+[{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.GroupUpdated",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Groups/<group-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "changeType": "updated",

+ "clientState": "<guid>",

+ "resource": "Groups/<group-id>",

+ "resourceData": {

+ "@odata.type": "#Microsoft.Graph.Group",

+ "@odata.id": "Groups/<group-id>",

+ "id": "<group-id>",

+ "organizationId": "<tenant-id>",

+ "eventTime": "2022-05-24T22:24:31.3062901Z",

+ "sequenceNumber": <sequence-number>

+ },

+ "subscriptionExpirationDateTime": "2022-05-24T23:21:19.3554403+00:00",

+ "subscriptionId": "<microsoft-graph-subscription-id>",

+ "tenantId": "<tenant-id>

+ }

+}]

+```

+### Microsoft.Graph.GroupDeleted event

+```json

+[{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.GroupDeleted",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Groups/<group-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "changeType": "deleted",

+ "clientState": "<guid>",

+ "resource": "Groups/<group-id>",

+ "resourceData": {

+ "@odata.type": "#Microsoft.Graph.Group",

+ "@odata.id": "Groups/<group-id>",

+ "id": "<group-id>",

+ "organizationId": "<tenant-id>",

+ "eventTime": "2022-05-24T22:24:31.3062901Z",

+ "sequenceNumber": <sequence-number>

+ },

+ "subscriptionExpirationDateTime": "2022-05-24T23:21:19.3554403+00:00",

+ "subscriptionId": "<microsoft-graph-subscription-id>",

+ "tenantId": "<tenant-id>

+ }

+}]

+```

+## Event properties

+An event has the following top-level data:

+| Property | Type | Description |

+| -- | - | -- |

+| `source` | string | The tenant event source. This field isn't writeable. Microsoft Graph API provides this value. |

+| `subject` | string | Publisher-defined path to the event subject. |

+| `type` | string | One of the event types for this event source. |

+| `time` | string | The time the event is generated based on the provider's UTC time |

+| `id` | string | Unique identifier for the event. |

+| `data` | object | Event payload that provides the data about the resource state change. |

+| `specversion` | string | CloudEvents schema specification version. |

+The data object has the following properties:

+| Property | Type | Description |

+| -- | - | -- |

+| `changeType` | string | The type of resource state change. |

+| `resource` | string | The resource identifier for which the event was raised. |

+| `tenantId` | string | The organization ID where the user or group is kept. |

+| `clientState` | string | A secret provided by the user at the time of the Graph API subscription creation. |

+| `@odata.type` | string | The Graph API change type. |

+| `@odata.id` | string | The Graph API resource identifier for which the event was raised. |

+| `id` | string | The resource identifier for which the event was raised. |

+| `organizationId` | string | The Azure AD tenant identifier. |

+| `eventTime` | string | The time at which the resource state occurred. |

+| `sequenceNumber` | string | A sequence number. |

+| `subscriptionExpirationDateTime` | string | The time in [RFC 3339](https://tools.ietf.org/html/rfc3339) format at which the Graph API subscription expires. |

+| `subscriptionId` | string | The Graph API subscription identifier. |

+| `tenantId` | string | The Azure AD tenant identifier. |

+## Next steps

+* For an introduction to Azure Event Grid's Partner Events, see [Partner Events overview](partner-events-overview.md)

+* For information on how to subscribe to Microsoft Graph API to receive Azure AD events, see [subscribe to Azure Graph API events](subscribe-to-graph-api-events.md).

+* For information about Azure Event Grid event handlers, see [event handlers](event-handlers.md).

+* For more information about creating an Azure Event Grid subscription, see [create event subscription](subscribe-through-portal.md#create-event-subscriptions) and [Event Grid subscription schema](subscription-creation-schema.md).

+* For information about how to configure an event subscription to select specific events to be delivered, consult [event filtering](event-filtering.md). You may also want to refer to [filter events](how-to-filter-events.md).

+You can also use [extension context attributes in CloudEvents 1.0](https://github.com/cloudevents/spec/blob/v1.0.1/spec.md#extension-context-attributes). In the following example, `comexampleextension1` and `comexampleothervalue` are extension context attributes.

+* 25 advanced filters and 25 filter values across all the filters per Event Grid subscription

+ Title: Outlook events in Azure Event Grid

+description: This article describes Microsoft Outlook events in Azure Event Grid.

+# Microsoft Outlook events

+This article provides the properties and schema for Microsoft Outlook events, which are published by Microsoft Graph API. For an introduction to event schemas, see [CloudEvents schema](cloud-event-schema.md).

+## Available event types

+These events are triggered when an Outlook event or an Outlook contact is created, updated or deleted or by operating over those resources using Microsoft Graph API.

+ | Event name | Description |

+ | - | -- |

+ | **Microsoft.Graph.EventCreated** | Triggered when an event in Outlook is created. |

+ | **Microsoft.Graph.EventUpdated** | Triggered when an event in Outlook is updated. |

+ | **Microsoft.Graph.EventDeleted** | Triggered when an event in Outlook is deleted. |

+ | **Microsoft.Graph.ContactCreated** | Triggered when a contact in Outlook is created. |

+ | **Microsoft.Graph.ContactUpdated** | Triggered when a contact in Outlook is updated. |

+ | **Microsoft.Graph.ContactDeleted** | Triggered when a contact in Outlook is deleted. |

+## Example event

+When an event is triggered, the Event Grid service sends data about that event to subscribing destinations. This section contains an example of what that data would look like for each Outlook event.

+### Microsoft.Graph.EventCreated event

+```json

+{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.EventCreated",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Events/<event-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "@odata.type": "#Microsoft.OutlookServices.Notification",

+ "Id": null,

+ "SubscriptionExpirationDateTime": "2019-02-14T23:56:30.1307708Z",

+ "ChangeType": "created",

+ "subscriptionId": "MTE1MTVlYTktMjVkZS00MjY3LWI1YzYtMjg0NzliZmRhYWQ2",

+ "resource": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Events('<event id>')",

+ "clientState": "<client state>",

+ "resourceData": {

+ "Id": "<event id>",

+ "@odata.etag": "<tag id>",

+ "od@ata.id": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Events('<event id>')",

+ "@odata.type": "#Microsoft.OutlookServices.Event",

+ "OtherResourceData": "<some other resource data>"

+ }

+ }

+}

+```

+### Microsoft.Graph.EventUpdated event

+```json

+{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.EventUpdated",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Events/<event-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "@odata.type": "#Microsoft.OutlookServices.Notification",

+ "Id": null,

+ "SubscriptionExpirationDateTime": "2019-02-14T23:56:30.1307708Z",

+ "ChangeType": "updated",

+ "subscriptionId": "MTE1MTVlYTktMjVkZS00MjY3LWI1YzYtMjg0NzliZmRhYWQ2",

+ "resource": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Events('<event id>')",

+ "clientState": "<client state>",

+ "resourceData": {

+ "Id": "<event id>",

+ "@odata.etag": "<tag id>",

+ "od@ata.id": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Events('<event id>')",

+ "@odata.type": "#Microsoft.OutlookServices.Event",

+ "OtherResourceData": "<some other resource data>"

+ }

+ }

+}

+```

+### Microsoft.Graph.EventDeleted event

+```json

+{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.EventDeleted",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Events/<event-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "@odata.type": "#Microsoft.OutlookServices.Notification",

+ "Id": null,

+ "SubscriptionExpirationDateTime": "2019-02-14T23:56:30.1307708Z",

+ "ChangeType": "deleted",

+ "subscriptionId": "MTE1MTVlYTktMjVkZS00MjY3LWI1YzYtMjg0NzliZmRhYWQ2",

+ "resource": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Events('<event id>')",

+ "clientState": "<client state>",

+ "resourceData": {

+ "Id": "<event id>",

+ "@odata.etag": "<tag id>",

+ "od@ata.id": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Events('<event id>')",

+ "@odata.type": "#Microsoft.OutlookServices.Event",

+ "OtherResourceData": "<some other resource data>"

+ }

+ }

+}

+```

+### Microsoft.Graph.ContactCreated event

+```json

+{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.ContactCreated",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Contacts/<contact-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "@odata.type": "#Microsoft.OutlookServices.Notification",

+ "Id": null,

+ "SubscriptionExpirationDateTime": "2019-02-14T23:56:30.1307708Z",

+ "ChangeType": "created",

+ "subscriptionId": "MTE1MTVlYTktMjVkZS00MjY3LWI1YzYtMjg0NzliZmRhYWQ2",

+ "resource": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Contacts('<contact id>')",

+ "clientState": "<client state>",

+ "resourceData": {

+ "Id": "<contact id>",

+ "@odata.etag": "<tag id>",

+ "od@ata.id": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Contacts('<contact id>')",

+ "@odata.type": "#Microsoft.OutlookServices.Contact",

+ "OtherResourceData": "<some other resource data>"

+ }

+ }

+}

+```

+### Microsoft.Graph.ContactUpdated event

+```json

+{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.ContactUpdated",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Contacts/<contact-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "@odata.type": "#Microsoft.OutlookServices.Notification",

+ "Id": null,

+ "SubscriptionExpirationDateTime": "2019-02-14T23:56:30.1307708Z",

+ "ChangeType": "updated",

+ "subscriptionId": "MTE1MTVlYTktMjVkZS00MjY3LWI1YzYtMjg0NzliZmRhYWQ2",

+ "resource": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Contacts('<contact id>')",

+ "clientState": "<client state>",

+ "resourceData": {

+ "Id": "<contact id>",

+ "@odata.etag": "<tag id>",

+ "od@ata.id": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Contacts('<contact id>')",

+ "@odata.type": "#Microsoft.OutlookServices.Contact",

+ "OtherResourceData": "<some other resource data>"

+ }

+ }

+}

+```

+### Microsoft.Graph.ContactDeleted event

+```json

+{

+ "id": "00d8a100-2e92-4bfa-86e1-0056dacd0fce",

+ "type": "Microsoft.Graph.ContactDeleted",

+ "source": "/tenants/<tenant-id>/applications/<application-id>",

+ "subject": "Contacts/<contact-id>",

+ "time": "2022-05-24T22:24:31.3062901Z",

+ "datacontenttype": "application/json",

+ "specversion": "1.0",

+ "data": {

+ "@odata.type": "#Microsoft.OutlookServices.Notification",

+ "Id": null,

+ "SubscriptionExpirationDateTime": "2019-02-14T23:56:30.1307708Z",

+ "ChangeType": "deleted",

+ "subscriptionId": "MTE1MTVlYTktMjVkZS00MjY3LWI1YzYtMjg0NzliZmRhYWQ2",

+ "resource": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Contacts('<contact id>')",

+ "clientState": "<client state>",

+ "resourceData": {

+ "Id": "<contact id>",

+ "@odata.etag": "<tag id>",

+ "od@ata.id": "https://outlook.office365.com/api/beta/Users('userId@tenantId')/Contacts('<contact id>')",

+ "@odata.type": "#Microsoft.OutlookServices.Contact",

+ "OtherResourceData": "<some other resource data>"

+ }

+ }

+}

+```

+## Event properties

+An event has the following top-level data:

+| Property | Type | Description |

+| -- | - | -- |

+| `source` | string | The tenant event source. This field isn't writeable. Microsoft Graph API provides this value. |

+| `subject` | string | Publisher-defined path to the event subject. |

+| `type` | string | One of the event types for this event source. |

+| `time` | string | The time the event is generated based on the provider's UTC time |

+| `id` | string | Unique identifier for the event. |

+| `data` | object | Event payload that provides the data about the resource state change. |

+| `specversion` | string | CloudEvents schema specification version. |

+The data object has the following properties:

+| Property | Type | Description |

+| -- | - | -- |

+| `changeType` | string | The type of resource state change. |

+| `resource` | string | The resource identifier for which the event was raised. |

+| `tenantId` | string | The organization ID where the user or contact is kept. |

+| `clientState` | string | A secret provided by the user at the time of the Graph API subscription creation. |

+| `@odata.type` | string | The Graph API change type. |

+| `@odata.id` | string | The Graph API resource identifier for which the event was raised. |

+| `id` | string | The resource identifier for which the event was raised. |

+| `organizationId` | string | The Outlook tenant identifier. |

+| `eventTime` | string | The time at which the resource state occurred. |

+| `sequenceNumber` | string | A sequence number. |

+| `subscriptionExpirationDateTime` | string | The time in [RFC 3339](https://tools.ietf.org/html/rfc3339) format at which the Graph API subscription expires. |

+| `subscriptionId` | string | The Graph API subscription identifier. |

+| `tenantId` | string | The Outlook tenant identifier. |

+| `otherResourceData` | string | Placeholder that represents one or more dynamic properties that may be included in the event. |

+## Next steps

+* For an introduction to Azure Event Grid's Partner Events, see [Partner Events overview](partner-events-overview.md)

+* For information on how to subscribe to Microsoft Graph API to receive Outlook events, see [subscribe to Azure Graph API events](subscribe-to-graph-api-events.md).

+* For information about Azure Event Grid event handlers, see [event handlers](event-handlers.md).

+* For more information about creating an Azure Event Grid subscription, see [create event subscription](subscribe-through-portal.md#create-event-subscriptions) and [Event Grid subscription schema](subscription-creation-schema.md).

+* For information about how to configure an event subscription to select specific events to be delivered, consult [event filtering](event-filtering.md). You may also want to refer to [filter events](how-to-filter-events.md).

+Event Grid is a highly scalable, serverless event broker that you can use to integrate applications using events. Events are delivered by Event Grid to subscriber destinations such as applications, Azure services, or any endpoint to which Event Grid has network access. The source of those events can be other applications, SaaS services and Azure services.

+With Event Grid you connect solutions using event-driven architectures. An [event-driven architecture](/azure/architecture/guide/architecture-styles/event-driven) uses events to communicate occurrences in system state changes, for example, to other applications or services. You can use filters to route specific events to different endpoints, multicast to multiple endpoints, and make sure your events are reliably delivered.

+The event sources and event handlers or destinations are summarized in the following diagram.

+Event Grid supports the following event sources:

+1. **Your own service or solution** that publishes events to Event Grid so that your customers can subscribe to them. Event Grid provides two type of resources you can use depending on your requirements.

+ - [Custom Topics](custom-topics.md) or "Topics" for short. Use custom topics if your requirements resemble the following user story:

+

+ "As an owner of a system, I want to communicate my system's state changes by publishing events and routing those events to event handlers, under my control or otherwise, that can process my system's events in a way they see fit."

+ - [Domains](event-domains.md). Use domains if you want to deliver events to multiple teams at scale. Your requirements probably are similar to the following one:

+

+ "As an owner of a system, I want to announce my systemΓÇÖs state changes to multiple teams in a single tenant so that they can process my systemΓÇÖs events in a way they see fit."

+2. A **SaaS provider or platform** can publish their events to Event Grid through a feature called [Partner Events](partner-events-overview.md). You can [subscribe to those events](subscribe-to-partner-events.md) and automate tasks, for example. Events from the following partners are currently available:

+ - [Auth0](auth0-overview.md)

+ - [Microsoft Graph API](subscribe-to-graph-api-events.md). Through Microsoft Graph API you can get events from [Microsoft Outlook](outlook-events.md), [Teams](teams-events.md), [Azure AD](azure-active-directory-events.md), SharePoint, Conversations, security alerts, and Universal Print.

+

+3. **An Azure service**. The following Azure services support sending events to Event Grid. For more information about a source in the list, select the link.

+For full details on the capabilities of each handler and related articles, see [event handlers](event-handlers.md). Currently, the following Azure services support handling events from Event Grid:

+* [Partner Events overview](partner-events-overview.md).

+* [subscribe to partner events](subscribe-to-partner-events.md).

+ Title: Microsoft Graph API events in Azure Event Grid

+description: This article describes events published by Microsoft Graph API.

+# Microsoft Graph API events

+Microsoft Graph API provides a unified programmable model that you can use to receive events about state changes of resources in Microsoft Outlook, Teams, SharePoint, Azure Active Directory, Microsoft Conversations, and security alerts. For every resource in the following table, events for create, update and delete state changes are supported.

+## Graph API event sources

+|Microsoft event source |Resource(s) | Available event types |

+|: | : | :-|

+|Azure Active Directory| [User](/graph/api/resources/user), [Group](/graph/api/resources/group) | [Azure AD event types](azure-active-directory-events.md) |

+|Microsoft Outlook|[Event](/graph/api/resources/event) (calendar meeting), [Message](/graph/api/resources/message) (email), [Contact](/graph/api/resources/contact) | [Microsoft Outlook event types](outlook-events.md) |

+|Microsoft Teams|[ChatMessage](/graph/api/resources/callrecords-callrecord), [CallRecord](/graph/api/resources/callrecords-callrecord) (meeting) | [Microsoft Teams event types](teams-events.md) |

+|Microsoft SharePoint and OneDrive| [DriveItem](/graph/api/resources/driveitem)| |

+|Microsoft SharePoint| [List](/graph/api/resources/list)|

+|Security alerts| [Alert](/graph/api/resources/alert)|

+|Microsoft Conversations| [Conversation](/graph/api/resources/conversation)| |

+You create a Microsoft Graph API subscription to enable Graph API events to flow into a partner topic. The partner topic is automatically created for you as part of the Graph API subscription creation. You use that partner topic to [create event subscriptions](event-filtering.md) to send your events to any of the supported [event handlers](event-handlers.md) that best meets your requirements to process the events.

+## Next steps

+* [Partner Events overview](partner-events-overview.md).

+* [subscribe to partner events](subscribe-to-partner-events.md), which includes instructions on how to subscribe to Microsoft Graph API events.

+### Microsoft partners

+| Partner | Sends events to Azure? | Receives events from Azure? |

+| :--|:--:|:-:|

+| Microsoft Graph API* | Yes | N/A |

+#### Microsoft Graph API

+Through Microsoft Graph API, you can get events from a diverse set of Microsoft services such as [Azure AD](azure-active-directory-events.md), [Microsoft Outlook](outlook-events.md), [Teams](teams-events.md), **SharePoint**, and so on. For a complete list of event sources, see [Microsoft Graph API's change notifications documentation](/graph/webhooks#supported-resources).

+### Non-Microsoft partners

+ Title: Azure Event Grid - Subscribe to Microsoft Graph API events

+description: This article explains how to subscribe to events published by Microsoft Graph API.

+# Subscribe to events published by Microsoft Graph API

+This article describes steps to subscribe to events published by Microsoft Graph API. The following table lists the resources for which events are available through Graph API. For every resource, events for create, update and delete state changes are supported.

+|Microsoft event source |Resource(s) | Available event types |

+|: | : | :-|

+|Azure Active Directory| [User](/graph/api/resources/user), [Group](/graph/api/resources/group) | [Azure AD event types](azure-active-directory-events.md) |

+|Microsoft Outlook|[Event](/graph/api/resources/event) (calendar meeting), [Message](/graph/api/resources/message) (email), [Contact](/graph/api/resources/contact) | [Microsoft Outlook event types](outlook-events.md) |

+|Microsoft Teams|[ChatMessage](/graph/api/resources/callrecords-callrecord), [CallRecord](/graph/api/resources/callrecords-callrecord) (meeting) | [Microsoft Teams event types](teams-events.md) |

+|Microsoft SharePoint and OneDrive| [DriveItem](/graph/api/resources/driveitem)| |

+|Microsoft SharePoint| [List](/graph/api/resources/list)|

+|Security alerts| [Alert](/graph/api/resources/alert)|

+|Microsoft Conversations| [Conversation](/graph/api/resources/conversation)| |

+> [!IMPORTANT]

+>If you aren't familiar with the **Partner Events** feature, see [Partner Events overview](partner-events-overview.md).

+## Why you should use Microsoft Graph API with Event Grid as a destination?

+Besides the ability to subscribe to Microsoft Graph API events via Event Grid, you have [other options](/graph/change-notifications-delivery) through which you can receive similar notifications (not events). Consider using Microsoft Graph API to deliver events to Event Grid if you have at least one of the following requirements:

+- You're developing an event-driven solution that requires events from Azure Active Directory, Outlook, Teams, etc. to react to resource changes. You require the robust eventing model and publish-subscribe capabilities that Event Grid provides. For an overview of Event Grid, see [Event Grid concepts](concepts.md).

+- You want to use Event Grid to route events to multiple destinations using a single Graph API subscription and you want to avoid managing multiple Graph API subscriptions.

+- You require to route events to different downstream applications, webhooks or Azure services depending on some of the properties in the event. For example, you may want to route event types such as `Microsoft.Graph.UserCreated` and `Microsoft.Graph.UserDeleted` to a specialized application that processes users' onboarding and off-boarding. You may also want to send `Microsoft.Graph.UserUpdated` events to another application that syncs contacts information, for example. You can achieve that using a single Graph API subscription when using Event Grid as a notification destination. For more information, see [event filtering](event-filtering.md) and [event handlers](event-handlers.md).

+- Interoperability is important to you. You want to forward and handle events in a standard way using CNCF's [CloudEvents](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md) specification standard, to which Event Grid fully complies.

+- You like the extensibility support that CloudEvents provides. For example, if you want to trace events across compliant systems, you may use CloudEvents extension [Distributed Tracing](https://github.com/cloudevents/spec/blob/v1.0.1/extensions/distributed-tracing.md). Learn more about more [CloudEvents extensions](https://github.com/cloudevents/spec/blob/v1.0.1/documented-extensions.md).

+- You want to use proven event-driven approaches adopted by the industry.

+## High-level steps

+The common steps to subscribe to events published by any partner, including Graph API, are described in [subscribe to partner events](subscribe-to-partner-events.md). For a quick reference, the steps described in that article are listed here. This article deals with step 3: enable events flow to a partner topic.

+1. Register the Event Grid resource provider with your Azure subscription.

+2. Authorize partner to create a partner topic in your resource group.

+3. [Enable events to flow to a partner topic](#enable-microsoft-graph-api-events-to-flow-to-your-partner-topic)

+4. Activate partner topic so that your events start flowing to your partner topic.

+5. Subscribe to events.

+### Enable Microsoft Graph API events to flow to your partner topic

+> [!IMPORTANT]

+> Microsoft Graph API's (MGA) ability to send events to Even Grid (a generally available service) is in private preview. In the following steps, you will follow instructions from [Node.js](https://github.com/microsoftgraph/nodejs-webhooks-sample), [Java](https://github.com/microsoftgraph/java-spring-webhooks-sample), and[.NET Core](https://github.com/microsoftgraph/aspnetcore-webhooks-sample) Webhook samples to enable flow of events from Microsoft Graph API. At some point in the sample, you will have an application registered with Azure AD. Email your application ID to <a href="mailto:ask.graph.and.grid@microsoft.com?subject=Please allow my application ID">mailto:ask.graph.and.grid@microsoft.com?subject=Please allow my Azure AD application with ID to send events through Graph API</a> so that the Microsoft Graph API team can add your application ID to allow list to use this new capability.

+You request Microsoft Graph API to send events by creating a Graph API subscription. When you create a Graph API subscription, the http request should look like the following sample:

+```json

+POST to https://canary.graph.microsoft.com/testprodbetawebhooks1/subscriptions

+Body:

+{

+ "changeType": "Updated,Deleted,Created",

+ "notificationUrl": "EventGrid:?azuresubscriptionid=8A8A8A8A-4B4B-4C4C-4D4D-12E12E12E12E&resourcegroup=yourResourceGroup&partnertopic=youPartnerTopic&location=theAzureRegionFortheTopic",

+ "resource": "users",

+ "expirationDateTime": "2022-04-30T00:00:00Z",

+ "clientState": "mysecret"

+}

+```

+Here are some of the key payload properties:

+- `changeType`: the kind of resource changes for which you want to receive events. Valid values: `Updated`, `Deleted`, and `Created`. You can specify one or more of these values separated by commas.

+- `notificationUrl`: a URI that conforms to the following pattern: `EventGrid:?azuresubscriptionid=<you-azure-subscription-id>&resourcegroup=<your-resource-group-name>&partnertopic=<the-name-for-your-partner-topic>&location=<the-Azure-region-where-you-want-the-topic-created>`.

+- resource: the resource for which you need events announcing state changes.

+- expirationDateTime: the expiration time at which the subscription will expire and hence the flow of events will stop. It must conform to the format specified in [RFC 3339](https://tools.ietf.org/html/rfc3339). You must specify an expiration time that is within the [maximum subscription length allowable for the resource type](/graph/api/resources/subscription#maximum-length-of-subscription-per-resource-type) used.

+- client state. A value that is set by you when creating a Graph API subscription. For more information, see [Graph API subscription properties](/graph/api/resources/subscription#properties).

+> [!NOTE]

+> Microsoft Graph API's capability to send events to Event Grid is only available in a specific Graph API environment. You will need to update your code so that it uses the following Graph API endpoint `https://canary.graph.microsoft.com/testprodbetawebhooks1`. For example, this is the way you can set the endpoint on your graph client (`com.microsoft.graph.requests.GraphServiceClient`) using the Graph API Java SDK:

+>

+>```java

+>graphClient.setServiceRoot("https://canary.graph.microsoft.com/testprodbetawebhooks1");

+>```

+**You can create a Microsoft Graph API subscription by following the instructions in the [Microsoft Graph API webhook samples](https://github.com/microsoftgraph?q=webhooks&type=public&language=&sort=)** that include code samples for [NodeJS](https://github.com/microsoftgraph/nodejs-webhooks-sample), [Java (Spring Boot)](https://github.com/microsoftgraph/java-spring-webhooks-sample), and [.NET Core](https://github.com/microsoftgraph/aspnetcore-webhooks-sample). There are no samples available for Python, Go and other languages yet, but the [Graph SDK](/graph/sdks/sdks-overview) supports creating Graph API subscriptions using those programming languages.

+> [!NOTE]

+> - Partner topic names must be unique within the same Azure region. Each tenant-application ID combination can create up to 10 unique partner topics.

+> - Be mindful of certain [Graph API resources' service limits](/graph/webhooks#azure-ad-resource-limitations) when developing your solution.

+#### What happens when you create a Microsoft Graph API subscription?

+When you create a Graph API subscription with a `notificationUrl` bound to Event Grid, a partner topic is created in your Azure subscription. For that partner topic, you [configure event subscriptions](event-filtering.md) to send your events to any of the supported [event handlers](event-handlers.md) that best meets your requirements to process the events.

+#### Microsoft Graph API Explorer

+For quick tests and to get to know the API, you could use the [Microsoft Graph API explorer](/graph/graph-explorer/graph-explorer-features). For anything else beyond casuals tests or learning, you should use the Graph SDKs as described above.

+## Next steps

+See the following articles:

+- [Azure Event Grid - Partner Events overview](partner-events-overview.md)

+- [Microsoft Graph API webhook samples](https://github.com/microsoftgraph?q=webhooks&type=public&language=&sort=). Use these samples to send events to Event Grid. You just need to provide a suitable value ``notificationUrl`` according to the request example above.

+- [Varied set of resources on Microsoft Graph API](https://developer.microsoft.com/en-us/graph/rest-api).

+- [Microsoft Graph API webhooks](/graph/api/resources/webhooks)

+- [Best practices for working with Microsoft Graph API](/graph/best-practices-concept)

+- [Microsoft Graph API SDKs](/graph/sdks/sdks-overview)

+- [Microsoft Graph API tutorials](/graph/tutorials), which shows how to use Graph API in different programming languages.This doesn't necessarily include examples for sending events to Event Grid.

+- [Microsoft Graph API](subscribe-to-graph-api-events.md)

+ Title: Microsoft Teams events in Azure Event Grid

+description: This article describes Microsoft Teams events in Azure Event Grid.

+# Microsoft Teams events in Azure Event Grid

+This article provides the list of available event types for Microsoft Teams events, which are published by Microsoft Graph API. For an introduction to event schemas, see [CloudEvents schema](cloud-event-schema.md).

+## Available event types

+These events are triggered when a call record is created or updated, and chat message is created, updated or deleted or by operating over those resources using Microsoft Graph API.

+ | Event name | Description |

+ | - | -- |

+ | **Microsoft.Graph.CallRecordCreated** | Triggered when a call or meeting is produced in Microsoft Teams. |

+ | **Microsoft.Graph.CallRecordUpdated** | Triggered when a call or meeting is updated in Microsoft Teams. |

+ | **Microsoft.Graph.ChatMessageCreated** | Triggered when a chat message is sent via teams or channels in Microsoft Teams. |

+ | **Microsoft.Graph.ChatMessageUpdated** | Triggered when a chat message is edited via teams or channels in Microsoft Teams. |

+ | **Microsoft.Graph.ChatMessageDeleted** | Triggered when a chat message is deleted via Teams or channels in Teams. |

+## Next steps

+* For an introduction to Azure Event Grid's Partner Events, see [Partner Events overview](partner-events-overview.md)

+* For information on how to subscribe to Microsoft Graph API events, see [subscribe to Azure Graph API events](subscribe-to-graph-api-events.md).

+* For information about Azure Event Grid event handlers, see [event handlers](event-handlers.md).

+* For more information about creating an Azure Event Grid subscription, see [create event subscription](subscribe-through-portal.md#create-event-subscriptions) and [Event Grid subscription schema](subscription-creation-schema.md).

+* For information about how to configure an event subscription to select specific events to be delivered, consult [event filtering](event-filtering.md). You may also want to refer to [filter events](how-to-filter-events.md).

+Before using ExpressRoute Direct, you must first enroll your subscription. To enroll, run the following via Azure PowerShell:

+Reference the recently created ExpressRoute Direct resource, input a customer name to write the LOA to and (optionally) define a file location to store the document. If a file path isn't referenced, the document will download to the current directory.

+By default, you can create 10 circuits in the subscription where the ExpressRoute Direct resource is. This limit can be increased by support. You're responsible for tracking both Provisioned and Utilized Bandwidth. Provisioned bandwidth is the sum of bandwidth of all circuits on the ExpressRoute Direct resource and utilized bandwidth is the physical usage of the underlying physical interfaces.

+There are more circuit bandwidths that can be utilized on ExpressRoute Direct to support only the scenarios outlined above. These bandwidths are 40 Gbps and 100 Gbps.

+**SkuFamily** can only be MeteredData. Unlimited isn't supported on ExpressRoute Direct.

+## Public Preview

+The following scenario is in public preview:

+ExpressRoute Direct and ExpressRoute circuit(s) in different subscriptions or Azure Active Directory tenants. You'll create an authorization for your ExpressRoute Direct resource, and redeem the authorization to create an ExpressRoute circuit in a different subscription or Azure Active Directory tenant.

+### Enable ExpressRoute Direct and circuits in different subscriptions

+1. To enroll in the preview, send an e-mail to ExpressRouteDirect@microsoft.com with the ExpressRoute Direct and target ExpressRoute circuit Azure subscription IDs. You'll receive an e-mail once the feature get enabled for your subscriptions.

+1. Create the ExpressRoute Direct authorization by running the following commands in PowerShell:

+ ```powershell

+ Add-AzExpressRoutePortAuthorization -Name $Name -ExpressRoutePort $ERPort

+ Set-AzExpressRoutePort -ExpressRoutePort $ERPort

+ ```

+1. Verify the authorization was created successfully and store ExpressRoute Direct authorization into a variable:

+ ```powershell

+ $ERDirect = Get-AzExpressRoutePort -Name $Name -ResourceGroupName $ResourceGroupName

+ $ERDirect

+ ```

+1. Redeem the authorization to create the ExpressRoute Direct circuit with the following command:

+ ```powershell

+ New-AzExpressRouteCircuit -Name $Name -ResourceGroupName $RGName -ExpressRoutePort $ERDirect -Location $Location -SkuTier $SkuTier -SkuFamily $SkuFamily -BandwidthInGbps $BandwidthInGbps -Authorization $ERDirect.Authorization

+ ```

+| **Doha2** | [Ooredoo](https://www.ooredoo.qa/portal/OoredooQatar/b2b-data-centre) | 3 | Qatar Central | Supported | |

+## Public preview features

+The following features are in public preview:

+| Routing Intent and Policies enabling Inter-hub security | This feature allows you to configure internet-bound, private or inter-hub traffic flow through Azure Firewall. For more information, see [Routing Intent and Policies](../virtual-wan/how-to-routing-policies.md). |

+|`Off` | The threat intelligence feature isn't enabled for your firewall. |

+|`Alert only` | You'll receive high-confidence alerts for traffic going through your firewall to or from known malicious IP addresses and domains. |

+|`Alert and deny` | Traffic is blocked and you'll receive high-confidence alerts when traffic is detected attempting to go through your firewall to or from known malicious IP addresses and domains. |

+- **Outbound testing** - Outbound traffic alerts should be a rare occurrence, as it means that your environment has been compromised. To help test outbound alerts are working, the following FQDNs have been created to trigger an alert. Use the following FQDNs for your outbound tests:

+<br><br>

+ - `documentos-001.brazilsouth.cloudapp.azure.com`

+ - `itaucardiupp.centralus.cloudapp.azure.com`

+ - `azure-c.online`

+ - `www.azureadsec.com`

+ - `azurein360.co`

+ > [!NOTE]

+ > These FQDNs are subject to change, so they are not guaranteed to always work. Any changes will be documented here.

+ New-AzADServicePrincipal -ApplicationId '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'

+* [Known Issues for Apache Spark cluster on HDInsight](./spark/apache-spark-known-issues.md)

+* [Troubleshoot Apache Oozie](./troubleshoot-oozie.md)

+If you use the default **SAS-IoT-Devices** enrollment group, IoT Central generates the individual device keys for you. To access these keys, select **Connect** on the device details page. This page displays the **ID Scope**, **Device ID**, **Primary key**, and **Secondary key** that you use in your device code. This page also displays a QR code the contains the same data.

+Device templates: If you're currently using legacy data exports with the device templates data type, then you can obtain the same data using the [Device Templates - Get API call](/rest/api/iotcentral/2022-05-31dataplane/device-templates/get).

+Starting 3 February 2020, all new exports in applications with Devices and Device templates enabled will have the data format described above. All exports created before this date remain on the old data format until 30 June 2020, at which time these exports will automatically be migrated to the new data format. The new data format matches the [device](/rest/api/iotcentral/2022-05-31dataplane/devices/get), [device property](/rest/api/iotcentral/2022-05-31dataplane/devices/get-properties), and [device template](/rest/api/iotcentral/2022-05-31dataplane/device-templates/get) objects in the IoT Central public API.

+1. The device status changes to **Provisioned** when the device that connected to your IoT Central application with valid credentials completes the provisioning step. In this step, the device uses DPS. The *Device ID* that was used to register the device. Either a SAS key or X.509 certificatTo find these values: to automatically retrieve a connection string from the IoT Hub used by your IoT Central application. The device can now connect to IoT Central and start sending data.

+When a device or edge device connects using the MQTT protocol, _connected_ and _disconnected_ events for the device are generated. These events aren't sent by the device, they're generated internally by IoT Central.

+## Get device connection information

+When a device provisions and connects to IoT Central, it needs connection information from your IoT Central application:

+- The *ID Scope* that identifies the application to DPS.

+- The *Device ID* that was used to register the device.

+- Either a SAS key or X.509 certificate.

+To find these values:

+1. Choose **Devices** on the left pane.

+1. Click on the device in the device list to see the device details.

+1. Select **Connect** to view the connection information. The QR code encodes a JSON document that includes the **ID Scope**, **Device ID**, and **Primary key** derived from the default **SAS-IoT-Devices** device connection group.

+> [!NOTE]

+> If the authentication type is **Shared access signature**, the keys displayed are derived from the default **SAS-IoT-Devices** device connection group.

+1. Select **Manage Device** and **Organization** from the drop-down menu.

+You can also add a service principal user which is useful if you need to use service principal authentication for REST API calls. To learn more, see [Add or update a service principal user](/rest/api/iotcentral/2022-05-31dataplane/users/create#add-or-update-a-service-principal-user).

+- *Data plane* operations that let you work with resources inside IoT Central applications. Data plane operations let you automate tasks that can also be completed using the IoT Central UI. Currently, there are [generally available](/rest/api/iotcentral/2022-05-31dataplane/api-tokens) and [preview](/rest/api/iotcentral/1.2-previewdataplane/api-tokens) versions of the data plane API.

+- Add devices in bulk from a CSV file. To learn more, see [Import devices](howto-manage-devices-in-bulk.md#import-devices).

+- Use the **Devices** page in your IoT Central application to register devices individually. To learn more, see [Add a device](howto-manage-devices-individually.md#add-a-device).

+> [!TIP]

+> The QR code contains the information, such as the registered device ID, your device needs to establish a connection to your IoT Central application. It saves you from the need to enter the connection information manually.

+* Download the Microchip ATSAME54-XPRO IAR sample from [Azure RTOS samples](https://github.com/azure-rtos/samples/), and unzip it to a working directory.

+ > [!IMPORTANT]

+ > Choose a directory with a short path to avoid compiler errors when you build. For example, use *C:\atsame54*.

+* Download the Microchip ATSAME54-XPRO MPLab sample from [Azure RTOS samples](https://github.com/azure-rtos/samples/), and unzip it to a working directory.

+ > [!IMPORTANT]

+ > Choose a directory with a short path to avoid compiler errors when you build. For example, use *C:\atsame54*.

+ | `\*.data.mcr.microsoft.com` | 443 | Data endpoint providing content delivery. |

+*Message enrichments* are the ability of Azure IoT Hub to stamp messages with additional information before the messages are sent to the designated endpoint. One reason to use message enrichments is to include data that can be used to simplify downstream processing. For example, enriching device messages with a device twin tag can reduce load on customers to make device twin API calls for this information. For more information, see [Overview of message enrichments](iot-hub-message-enrichments-overview.md).

+* The first method is to use the Azure CLI to create the resources and configure the message routing. Then you define the message enrichments in the Azure portal.

+* The second method is to use an Azure Resource Manager template to create both the resources and configure both the message routing and message enrichments.

+In this tutorial, you perform the following tasks:

+>

+> * First method: Create resources and configure message routing using the Azure CLI. Configure the message enrichments in the Azure portal.

+> * Second method: Create resources and configure message routing and message enrichments using a Resource Manager template.

+> * View the results, and verify that the message enrichments are being applied to the targeted messages.

+* You must have an Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* Make sure that port 8883 is open in your firewall. The device sample in this tutorial uses MQTT protocol, which communicates over port 8883. This port may be blocked in some corporate and educational network environments. For more information and ways to work around this issue, see [Connecting to IoT Hub (MQTT)](iot-hub-mqtt-support.md#connecting-to-iot-hub).

+Download or clone the [IoT C# samples](https://github.com/Azure-Samples/azure-iot-samples-csharp) from GitHub. Follow the directions in **README.md** to set up the prerequisites for running C# samples.

+This repository has several applications, scripts, and Resource Manager templates in it. The ones to be used for this tutorial are as follows:

+* For the manual method, there's a CLI script that creates the cloud resources. This script is in `/azure-iot-samples-csharp/iot-hub/Tutorials/Routing/SimulatedDevice/resources/iothub_msgenrichment_cli.azcli`. This script creates the resources and configures the message routing. After you run this script, create the message enrichments manually by using the Azure portal.

+* For the automated method, there's an Azure Resource Manager template. The template is in `/azure-iot-samples-csharp/iot-hub/Tutorials/Routing/SimulatedDevice/resources/template_msgenrichments.json`. This template creates the resources, configures the message routing, and then configures the message enrichments.

+* The third application you use is the device simulation app, which you use to send messages to the IoT hub and test the message enrichments.

+## Create and configure resources using the Azure CLI

+In addition to creating the necessary resources, the Azure CLI script also configures the two routes to the endpoints that are separate storage containers. For more information on how to configure message routing, see the [routing tutorial](tutorial-routing.md). After the resources are set up, use the [Azure portal](https://portal.azure.com) to configure message enrichments for each endpoint. Then continue on to the testing step.

+* Set up routing for the two different storage containers:

+ * Create an endpoint for each storage account container.

+ * Create a route to each of the storage account container endpoints.

+| container name 1 | original |

+| container name 2 | enriched |

+# This command installs the IoT Extension for Azure CLI.

+### Configure the message enrichments using the Azure portal

+1. In the [Azure portal](https://portal.azure.com), go to your IoT hub by selecting **Resource groups**. Then select the resource group set up for this tutorial (**ContosoResourcesMsgEn**). Find the IoT hub in the list, and select it.

+2. Select **Message routing** for the IoT hub.

+ The message routing pane has three tabs labeled **Routes**, **Custom endpoints**, and **Enrich messages**. Browse the first two tabs to see the configuration set up by the script.

+3. Select the **Enrich messages** tab to add three message enrichments for the messages going to the endpoint for the storage container called **enriched**.

+4. For each message enrichment, fill in the name and value, and then select the endpoint **ContosoStorageEndpointEnriched** from the drop-down list. Here's an example of how to set up an enrichment that adds the IoT hub name to the message:

+ Add these values to the list for the ContosoStorageEndpointEnriched endpoint:

+ | Name | Value | Endpoint |

+ | - | -- | -- |

+ | myIotHub | `$iothubname` | ContosoStorageEndpointEnriched |

+ | DeviceLocation | `$twin.tags.location` (assumes that the device twin has a location tag) | ContosoStorageEndpointEnriched |

+ |customerID | `6ce345b8-1e4a-411e-9398-d34587459a3a` | ContosoStorageEndpointEnriched |

+ When you're finished, your pane should look similar to this image:

+5. Select **Apply** to save the changes.

+You now have message enrichments set up for all messages routed to the **enriched** endpoint. Skip to the [Test message enrichments](#test-message-enrichments) section to continue the tutorial.

+## Create and configure resources using a Resource Manager template

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **+ Create a Resource** to bring up a search box. Enter *template deployment*, and search for it. In the results pane, select **Template deployment (deploy using custom template)**.

+1. In the **Edit template** pane, select **Load file**. Windows Explorer appears. Locate the **template_messageenrichments.json** file in the unzipped repo file in the **/iot-hub/Tutorials/Routing/SimulatedDevice/resources** directory.

+ | container name 1 | original |

+ | container name 2 | enriched |

+1. Here's the bottom half of the **Custom deployment** pane. You can see the rest of the parameters and the terms and conditions.

+1. Wait for the template to be fully deployed. Select the bell icon at the top of the screen to check on the progress.

+### Register a device in the portal

+1. Once your resources are deployed, select the IoT hub in your resource group.

+1. Select **Devices** from the **Device management** section of the navigation menu.

+1. Select **Add Device** to register a new device in your hub.

+1. Provide a device ID. The sample application used later in this tutorial defaults to a device named `Contoso-Test-Device`, but you can use any ID. Select **Save**.

+1. Once the device is created in your hub, select its name from the list of devices. You may need to refresh the list.

+1. Copy the **Primary key** value and have it available to use in the testing section of this article.

+1. Navigate to your IoT hub in the Azure portal.

+1. Select **Devices** on the left-pane of the IoT hub, then select your device.

+Now that the message enrichments are configured for the **enriched** endpoint, run the simulated device application to send messages to the IoT hub. The hub was set up with settings that accomplish the following tasks:

+* Messages routed to the storage endpoint ContosoStorageEndpointOriginal won't be enriched and will be stored in the storage container **original**.

+* Messages routed to the storage endpoint ContosoStorageEndpointEnriched will be enriched and stored in the storage container **enriched**.

+The simulated device application is one of the applications in the azure-iot-samples-csharp repository. The application sends messages with a randomized value for the property `level`. Only messages that have `storage` set as the message's level property will be routed to the two endpoints.

+1. Open the file **Program.cs** from the **SimulatedDevice** directory in your preferred code editor.

+1. Replace the placeholder text with your own resource information. Substitute the IoT hub name for the marker `{your hub name}`. The format of the IoT hub host name is **{your hub name}.azure-devices.net**. Next, substitute the device key you saved earlier when you ran the script to create the resources for the marker `{your device key}`.

+ If you don't have the device key, you can retrieve it from the portal. After you sign in, go to **Resource groups**, select your resource group, and then select your IoT hub. Look under **IoT Devices** for your test device, and select your device. Select the copy icon next to **Primary key** to copy it to the clipboard.

+ private readonly static string s_myDeviceId = "Contoso-Test-Device";

+ private readonly static string s_iotHubUri = "{your hub name}.azure-devices.net";

+ // This is the primary key for the device. This is in the portal.

+ // Find your IoT hub in the portal > IoT devices > select your device > copy the key.

+ private readonly static string s_deviceKey = "{your device key}";

+Run the console application for a few minutes.

+In a command line window, you can run the sample with the following commands executed at the **SimulatedDevice** directory level:

+```console

+dotnet restore

+dotnet run

+```

+The app sends a new device-to-cloud message to the IoT hub every second. The messages that are being sent are displayed on the console screen of the application. The message contains a JSON-serialized object with the device ID, temperature, humidity, and message level, which defaults to `normal`. The sample program randomly changes the message level to either `critical` or `storage`. Messages labeled for storage are routed to the storage account, and the rest go to the default endpoint. The messages sent to the **enriched** container in the storage account will be enriched.

+After several storage messages are sent, view the data.

+1. Select **Resource groups**. Find your resource group, **ContosoResourcesMsgEn**, and select it.

+2. Select your storage account, which begins with **contosostorage**. Then select **Storage browser (preview)** from the navigation menu. Select **Blob containers** to see the two containers that you created.

+ :::image type="content" source="./media/tutorial-message-enrichments/show-blob-containers.png" alt-text="See the containers in the storage account.":::

+The messages in the container called **enriched** have the message enrichments included in the messages. The messages in the container called **original** have the raw messages with no enrichments. Drill down into one of the containers until you get to the bottom, and open the most recent message file. Then do the same for the other container to verify that the one is enriched and one isn't.

+{

+ "EnqueuedTimeUtc":"2019-05-10T06:06:32.7220000Z",

+ "Properties":

+ {

+ "level":"storage",

+ "myIotHub":"contosotesthubmsgen3276",

+ "DeviceLocation":"Plant 43",

+ "customerID":"6ce345b8-1e4a-411e-9398-d34587459a3a"

+ },

+ "SystemProperties":

+ {

+ "connectionDeviceId":"Contoso-Test-Device",

+ "connectionAuthMethod":"{\"scope\":\"device\",\"type\":\"sas\",\"issuer\":\"iothub\",\"acceptingIpFilterRule\":null}",

+ "connectionDeviceGenerationId":"636930642531278483",

+ "enqueuedTime":"2019-05-10T06:06:32.7220000Z"

+ },"Body":"eyJkZXZpY2VJZCI6IkNvbnRvc28tVGVzdC1EZXZpY2UiLCJ0ZW1wZXJhdHVyZSI6MjkuMjMyMDE2ODQ4MDQyNjE1LCJodW1pZGl0eSI6NjQuMzA1MzQ5NjkyODQ0NDg3LCJwb2ludEluZm8iOiJUaGlzIGlzIGEgc3RvcmFnZSBtZXNzYWdlLiJ9"

+}

+Here's an unenriched message. Notice that `my IoT Hub,` `devicelocation,` and `customerID` don't show up here because these fields are added by the enrichments. This endpoint has no enrichments.

+{

+ "EnqueuedTimeUtc":"2019-05-10T06:06:32.7220000Z",

+ "Properties":

+ {

+ "level":"storage"

+ },

+ "SystemProperties":

+ {

+ "connectionDeviceId":"Contoso-Test-Device",

+ "connectionAuthMethod":"{\"scope\":\"device\",\"type\":\"sas\",\"issuer\":\"iothub\",\"acceptingIpFilterRule\":null}",

+ "connectionDeviceGenerationId":"636930642531278483",

+ "enqueuedTime":"2019-05-10T06:06:32.7220000Z"

+ },"Body":"eyJkZXZpY2VJZCI6IkNvbnRvc28tVGVzdC1EZXZpY2UiLCJ0ZW1wZXJhdHVyZSI6MjkuMjMyMDE2ODQ4MDQyNjE1LCJodW1pZGl0eSI6NjQuMzA1MzQ5NjkyODQ0NDg3LCJwb2ludEluZm8iOiJUaGlzIGlzIGEgc3RvcmFnZSBtZXNzYWdlLiJ9"

+}

+In this tutorial, you configured and tested message enrichments for IoT Hub messages as they are routed to an endpoint.

+To learn more about IoT Hub, continue to the next tutorial.

+> [Tutorial: Set up and use metrics and logs with an IoT hub](tutorial-use-metrics-and-diags.md)

+ 1. Go to key vault Access control (IAM) tab and remove "Key Vault Secrets Officer" role assignment for this resource.

+ 

+ 1. Navigate to previously created secret. You can see all secret properties.

+ 

+ 1. Create new secret ( Secrets \> +Generate/Import) should show below error:

+ 

+1. Validate secret editing without "Key Vault Secret Officer" role on secret level.

+ 1. Go to previously created secret Access Control (IAM) tab

+ 1. Navigate to previously created secret. You can see secret properties.

+ 

+1. Validate secrets read without reader role on key vault level.

+ 1. Go to key vault resource group Access control (IAM) tab and remove "Key Vault Reader" role assignment.

+ 1. Navigating to key vault's Secrets tab should show below error:

+ 

+Onboarding a subscription that you created through the CSP program follows the steps described in [Onboard a subscription to Azure Lighthouse](../how-to/onboard-customer.md). Any user who has the Admin Agent role in the customer's tenant can perform this onboarding.

+> [Managed Service offers](managed-services-offers.md) with private plans aren't supported with subscriptions established through a reseller of the Cloud Solution Provider (CSP) program. Instead, you can onboard these subscriptions to Azure Lighthouse by [using Azure Resource Manager templates](../how-to/onboard-customer.md).

+As a service provider, you can use [Azure Lighthouse](../overview.md) to manage your customers' Azure resources from within your own Azure Active Directory (Azure AD) tenant. Many common tasks and services can be performed across these managed tenants.

+An Azure AD tenant is a representation of an organization. It's a dedicated instance of Azure AD that an organization receives when they create a relationship with Microsoft by signing up for Azure, Microsoft 365, or other services. Each Azure AD tenant is distinct and separate from other Azure AD tenants, and has its own tenant ID (a GUID). For more information, see [What is Azure Active Directory?](../../active-directory/fundamentals/active-directory-whatis.md)

+Typically, in order to manage Azure resources for a customer, service providers would have to sign in to the Azure portal using an account associated with that customer's tenant. In this scenario, an administrator in the customer's tenant must create and manage user accounts for the service provider.

+With Azure Lighthouse, the onboarding process specifies users in the service provider's tenant who will be able to work on delegated subscriptions and resource groups in the customer's tenant. These users can then sign in to the Azure portal, using their own credentials, and work on resources belonging to all of the customers to which they have access. Users in the managing tenant can see all of these customers by visiting the [My customers](../how-to/view-manage-customers.md) page in the Azure portal. They can also work on resources directly within the context of that customer's subscription, either in the Azure portal or via APIs.

+Azure Lighthouse provides flexibility to manage resources for multiple customers without having to sign in to different accounts in different tenants. For example, a service provider may have two customers with different responsibilities and access levels. Using Azure Lighthouse, authorized users can sign in to the service provider's tenant and access all of the delegated resources across these customers.

+You can perform management tasks on delegated resources in the Azure portal, or you can use APIs and management tools such as Azure CLI and Azure PowerShell. All existing APIs can be used on delegated resources, as long as the functionality is supported for cross-tenant management and the user has the appropriate permissions.

+ - Ensure the same set of [policies are applied](../../azure-arc/servers/learn/tutorial-assign-policy-portal.md) across customers' hybrid environments

+ - Use Microsoft Defender for Cloud to [monitor compliance across customers' hybrid environments](../../defender-for-cloud/quickstart-onboard-machines.md?pivots=azure-arc)

+ - [Use GitOps](../../azure-arc/kubernetes/tutorial-use-gitops-flux2.md) for connected clusters

+ - [Enforce policies across connected clusters](../../governance/policy/concepts/policy-for-kubernetes.md#install-azure-policy-extension-for-azure-arc-enabled-kubernetes)

+- View data for all delegated customer resources in [Backup center](../../backup/backup-center-overview.md)

+- Use [Backup reports](../../backup/configure-reports.md) across delegated subscriptions to track historical trends, analyze backup storage consumption, and audit backups and restores.

+- [Use Azure Monitor for containers](../../aks/monitor-aks.md) to monitor performance across customer tenants

+- Manage connectivity services such as [Azure Virtual WAN](../../virtual-wan/virtual-wan-about.md), [Azure ExpressRoute](../../expressroute/expressroute-introduction.md), and [VPN Gateway](../../vpn-gateway/vpn-gateway-about-vpngateways.md)

+- Learn more about [Azure Lighthouse architecture](architecture.md).

+- Any built-in roles with [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission are not supported.

+By default, Azure Load Testing copies and processes your input files unmodified across all test engine instances. Azure Load Testing enables you to split the CSV input data evenly across all engine instances. If you have multiple CSV files, each file will be split evenly.

+Azure Load Testing doesn't preserve the header row in your CSV file when splitting a CSV file. For more information about how to configure your JMeter script and CSV file, see [Read data from a CSV file](./how-to-read-csv-data.md).

+You can specify test failure criteria based on client metrics. When a load test surpasses the threshold for a metric, the load test has a **Failed** status. For more information, see [Configure test failure criteria](./how-to-define-test-criteria.md).

+

+ 1. Optionally, enter the CSV field names in **Variable Names**, when you split the CSV file across test engines.

+ Azure Load Testing doesn't preserve the header row when splitting your CSV file. Provide the variable names in the **CSV Data Set Config** element instead of using a header row.

+ :::image type="content" source="media/how-to-read-csv-data/update-csv-data-set-config.png" alt-text="Screenshot that shows the JMeter UI to configure a C S V Data Set Config element.":::

+ 1. Repeat the previous steps for every **CSV Data Set Config** element in the script.

+ 1. Save the JMeter script and add it to your [test plan](./how-to-create-manage-test.md#test-plan).

+ 1. For each `CSVDataSet`:

+ 1. Update the `filename` element and remove any file path reference.

+ 1. Add the CSV field names as a comma-separated list in `variableNames`.

+ 1. Save the JMeter script and add it to your [test plan](./how-to-create-manage-test.md#test-plan).

+> [!IMPORTANT]

+> Azure Load Testing doesn't preserve the header row when splitting your CSV file. Before you add the CSV file to the load test, remove the header row from the file.

+By default, Azure Load Testing copies and processes your input files unmodified across all test engine instances. Azure Load Testing enables you to split the CSV input data evenly across all engine instances. If you have multiple CSV files, each file will be split evenly.

+> [!IMPORTANT]

+> Azure Load Testing doesn't preserve the header row when splitting your CSV file.

+> 1. [Configure your JMeter script](#configure-your-jmeter-script) to use variable names when reading the CSV file.

+> 1. Remove the header row from the CSV file before you add it to the load test.

+An [MLTable](concept-data.md#mltable) is primarily an abstraction over tabular data, but it can also be used for some advanced scenarios involving multiple paths. The following YAML describes an MLTable:

+For more information on the YAML file format, see [the MLTable file](how-to-create-register-data-assets.md#the-mltable-file).

+<!-- Commenting until notebook is published. For a full example of using an MLTable, see the [Working with MLTable notebook]. -->

+ :::image type="content" source="./media/permissions/permissions-iam.png" alt-text="Screenshot of the Azure platform to add role assignment in App Insights.":::

+ :::image type="content" source="./media/permissions/permissions-role.png" alt-text="Screenshot of the Azure platform and choose Monitor Reader.":::

+ :::image type="content" source="media/permissions/permissions-members.png" alt-text="Screenshot of the Azure platform selecting members.":::

+ :::image type="content" source="media/permissions/permissions-managed-identities.png" alt-text="Screenshot of the Azure platform selecting the workspace.":::

+For more information about how to use Managed Grafana with Azure Monitor, go to [Monitor your Azure services in Grafana](../azure-monitor/visualize/grafana-plugin.md).

+### What versions of Apache Cassandra does the service support?

+The service currently supports Cassandra versions 3.11 and 4.0. By default, version 3.11 is deployed, as version 4.0 is currently in public preview. See our [Azure CLI Quickstart](create-cluster-cli.md) (step 5) for specifying Cassandra version during cluster deployment.

+### Can I deploy Azure Managed Instance for Apache Cassandra in any region?

+>[!NOTE]

+> The service currently supports Cassandra versions 3.11 and 4.0. By default, version 3.11 is deployed, as version 4.0 is currently in public preview. See our [Azure CLI Quickstart](create-cluster-cli.md) (step 5) for specifying Cassandra version during cluster deployment.

+* The system currently doesn't perform a major compaction.

+* During patching, machines are rebooted one rack at a time. You shouldn't experience any degradation at the application side as long as **quorum ALL setting is not being used**, and the replication factor is **3 or higher**.

+* The version in Apache Cassandra is in the format `X.Y.Z`. You can control the deployment of major (X) and minor (Y) versions manually via service tools. Whereas the Cassandra patches (Z) that may be required for that major/minor version combination are done automatically.

+>[!NOTE]

+> The service currently supports Cassandra versions 3.11 and 4.0. By default, version 3.11 is deployed, as version 4.0 is currently in public preview. See our [Azure CLI Quickstart](create-cluster-cli.md) (step 5) for specifying Cassandra version during cluster deployment.

+Snapshot backups are enabled by default and taken every 4 hours with [Medusa](https://github.com/thelastpickle/cassandra-medusa). Backups are stored in an internal Azure Blob Storage account and are retained for up to 2 days (48 hours). There's no cost for backups. To restore from a backup, file a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) in the Azure portal.

+When a [hybrid](configure-hybrid-cluster.md) cluster is configured, automated reaper operations running in the service will benefit the whole cluster. This includes data centers that aren't provisioned by the service. Outside this, it is your responsibility to maintain your on-premise or externally hosted data center.

+> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal.

+Rename ```wp-config-sample.php``` to ```wp-config.php``` and replace lines from beginingin of ```// ** MySQL settings - You can get this info from your web host ** //``` until the line ```define( 'DB_COLLATE', '' );``` with the code snippet below. The code below is reading the database host, username and password from the Kubernetes manifest file.

+> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal.

+Run the following Azure CLI command to create a resource group in which your Azure Red Hat OpenShift cluster will reside.

+> [!IMPORTANT]

+> This service principal only allows a contributor over the resource group the Azure Red Hat OpenShift cluster is located in. If your VNet is in another resource group, you need to assign the service principal contributor role to that resource group as well. You also need to create your Azure Red Hat OpenShift cluster in the resource group you created above.

+This section explains how to use the Azure portal to create a service principal for your Azure Red Hat OpenShift cluster.

+To create a service principal, see [Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). **Be sure to save the client ID and the appID.**

+ If you need to create a service principal, see [Creating and using a service principal with an Azure Red Hat OpenShift cluster](howto-create-service-principal.md).

+

+ :::image type="content" source="media/create/marketplace.png" alt-text="Screenshot of the Azure Marketplace icon.":::

+1. In the plan overview screen, select **Subscribe**.

+ :::image type="content" source="media/create/datadog-app-2.png" alt-text="Screenshot of the Datadog application in Azure Marketplace.":::

+If you're creating a new Datadog organization, select **Create** under the **Create a new Datadog organization**

+- Virtual machines, virtual machine scale sets, and app service plans with _Include_ tags send metrics to Datadog.

+- Virtual machines, virtual machine scale sets, and app service plans with _Exclude_ tags don't send metrics to Datadog.

+- If there's a conflict between inclusion and exclusion rules, exclusion takes priority.

+- Azure resources with _Include_ tags send logs to Datadog.

+- Azure resources with _Exclude_ tags don't send logs to Datadog.

+For example, the following screenshot shows a tag rule where only those virtual machines, virtual machine scale sets, and app service plans tagged as _Datadog = True_ send metrics to Datadog.

+There are three types of logs that can be sent from Azure to Datadog.

+1. **Azure Active Directory logs** - As an IT administrator, you want to monitor your IT environment. The information about your system's health enables you to assess potential issues and decide how to respond.

+The Azure Active Directory portal gives you access to three activity logs:

+- [Sign-in](../../active-directory/reports-monitoring/concept-sign-ins.md) ΓÇô Information about sign-ins and how your resources are used by your users.

+- [Audit](../../active-directory/reports-monitoring/concept-audit-logs.md) ΓÇô Information about changes applied to your tenant such as users and group management or updates applied to your tenant's resources.

+- [Provisioning](../../active-directory/reports-monitoring/concept-provisioning-logs.md) ΓÇô Activities performed by the provisioning service, such as the creation of a group in ServiceNow or a user imported from Workday.

+To send Azure resource logs to Datadog, select **Send Azure resource logs for all defined resources**. The types of Azure resource logs are listed in [Azure Monitor Resource Log categories](../../azure-monitor/essentials/resource-logs-categories.md). To filter the set of Azure resources sending logs to Datadog, use Azure resource tags.

+You can request your IT Administrator to route Azure Active Directory Logs to Datadog. For more information, see [Azure AD activity logs in Azure Monitor](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md).

+ Title: Create Dynatrace for Azure (preview) resource - Azure partner solutions

+In this quickstart, you create a new instance of Dynatrace for Azure (preview). You can either create a new Dynatrace environment or [link to an existing Dynatrace environment](dynatrace-link-to-existing.md#link-to-existing-dynatrace-environment).

+ Title: Configure pre-deployment to use Dynatrace with Azure (preview) - Azure partner solutions

+To set up the Dynatrace for Azure (preview), you must have **Owner** or **Contributor** access on the Azure subscription. [Confirm that you have the appropriate access](/azure/role-based-access-control/check-access) before starting the setup.

+ Title: Manage your Dynatrace for Azure (preview) integration - Azure partner solutions

+This article describes how to manage the settings for your Dynatrace for Azure (preview).

+ Title: Linking to an existing Dynatrace for Azure (preview) resource - Azure partner solutions

+When you use the integrated experience for Dynatrace in the Azure (preview) portal, your billing and monitoring for the following entities is tracked in the portal.

+ Title: Dynatrace for Azure (preview) overview - Azure partner solutions

+Dynatrace is a monitoring solution that provides deep cloud observability, advanced AIOps, and continuous runtime application security capabilities in Azure.

+Dynatrace for Azure (preview) offering in the Azure Marketplace enables you to create and manage Dynatrace environments using the Azure portal with a seamlessly integrated experience. This enables you to use Dynatrace as a monitoring solution for your Azure workloads through a streamlined workflow, starting from procurement, all the way to configuration and management.

+## Dynatrace links

+ Title: Troubleshooting Dynatrace for Azure (preview) - Azure partner solutions

+description: This article provides information about troubleshooting Dynatrace for Azure

+This article describes how to contact support when working with a Dynatrace for Azure (preview) resource. Before contacting support, see [Fix common errors](#fix-common-errors).

+| [Dynatrace for Azure (preview)](./dynatrace/dynatrace-overview.md) | Use Dyntrace for Azure (preview) for monitoring your workflows using the Azure portal. |

+> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal.

+> The process mentioned in this document can also be used to upgrade your Azure Database for PostgreSQL - Flexible server. The main difference is the connection string for the flexible server target is without the `@dbName`. For example, if the user name is `pg`, the single serverΓÇÖs username in the connect string will be `pg@pg-95`, while with flexible server, you can simply use `pg`.

+Log Analytics will ingest an average of 1.4 GB of data a day from each packet core instance. [Monitor usage and estimated costs in Azure Monitor](../azure-monitor/usage-estimated-costs.md) provides information on how to estimate the cost of using Log Analytics to monitor Azure Private 5G Core.

+ Title: Understand access and permissions in the Microsoft Purview governance portal

+description: This article gives an overview permission, access control, and collections in the Microsoft Purview governance portal. Role-based access control is managed within the Microsoft Purview Data Map in the governance portal itself, so this guide will cover the basics to secure your information.

+# Access control in the Microsoft Purview governance portal

+The Microsoft Purview governance portal uses **Collections** in the Microsoft Purview Data Map to organize and manage access across its sources, assets, and other artifacts. This article describes collections and access management for your account in the Microsoft Purview governance portal.

+A collection is a tool that the Microsoft Purview Data Map uses to group assets, sources, and other artifacts into a hierarchy for discoverability and to manage access control. All accesses to the Microsoft Purview governance portal's resources are managed from collections in the Microsoft Purview Data Map.

+The Microsoft Purview governance portal uses a set of predefined roles to control who can access what within the account. These roles are currently:

+- **Collection administrator** - a role for users that will need to assign roles to other users in the Microsoft Purview governance portal or manage collections. Collection admins can add users to roles on collections where they're admins. They can also edit collections, their details, and add subcollections.

+- **Data source administrator** - a role that allows a user to manage data sources and scans. If a user is granted only to **Data source admin** role on a given data source, they can run new scans using an existing scan rule. To create new scan rules, the user must be also granted as either **Data reader** or **Data curator** roles.- **Insights reader** - a role that provides read-only access to insights reports for collections where the insights reader also has at least the **Data reader** role. For more information, see [insights permissions.](insights-permissions.md)

+- **Policy author (Preview)** - a role that allows a user to view, update, and delete Microsoft Purview policies through the policy management app within the Microsoft Purview governance portal.

+> At this time, Microsoft Purview policy author role is not sufficient to create policies. The Microsoft Purview data source admin role is also required.

+|My application's Service Principal needs to push data to the Microsoft Purview Data Map|Data curator|

+|I need to enable a Service Principal or group to set up and monitor scans in the Microsoft Purview Data Map without allowing them to access the catalog's information |Data source administrator|

+|I need to put users into roles in the Microsoft Purview governance portal| Collection administrator |

+|I need to create workflows for my Microsoft Purview account in the governance portal| Workflow administrator |

+## Understand how to use the Microsoft Purview governance portal's roles and collections

+All access control is managed through collections in the Microsoft Purview Data Map. The collections can be found in the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/). Open your account in the [Azure portal](https://portal.azure.com) and select the Microsoft Purview governance portal tile on the Overview page. From there, navigate to the data map on the left menu, and then select the 'Collections' tab.

+When a Microsoft Purview (formerly Azure Purview) account is created, it starts with a root collection that has the same name as the account itself. The creator of the account is automatically added as a Collection Admin, Data Source Admin, Data Curator, and Data Reader on this root collection, and can edit and manage this collection.

+Sources, assets, and objects can be added directly to this root collection, but so can other collections. Adding collections will give you more control over who has access to data across your account.

+All other users can only access information within the Microsoft Purview governance portal if they, or a group they're in, are given one of the above roles. This means, when you create an account, no one but the creator can access or use its APIs until they're [added to one or more of the above roles in a collection](how-to-create-and-manage-collections.md#add-role-assignments).

+You can assign roles to users, security groups, and service principals from your Azure Active Directory that is associated with your subscription.

+After creating a Microsoft Purview (formerly Azure Purview) account, the first thing to do is create collections and assign users to roles within those collections.

+> If you created your account using a service principal, to be able to access the Microsoft Purview governance portal and assign permissions to users, you will need to grant a user collection admin permissions on the root collection.

+Collections can be customized for structure of the sources in your Microsoft Purview Data Map, and can act like organized storage bins for these resources. When you're thinking about the collections you might need, consider how your users will access or discover information. Are your sources broken up by departments? Are there specialized groups within those departments that will only need to discover some assets? Are there some sources that should be discoverable by all your users?

+This is one way an organization might structure their data: Starting with their root collection (Contoso, in this example) collections are organized into regions, and then into departments and subdepartments. Data sources and assets can be added to any one these collections to organize data resources by these regions and department, and manage access control along those lines. There's one subdepartment, Revenue, that has strict access guidelines so permissions will need to be tightly managed.

+The [data reader role](#roles) can access information within the catalog, but not manage or edit it. So for our example above, adding the Data Reader permission to a group on the root collection and allowing inheritance will give all users in that group reader permissions on sources and assets in the Microsoft Purview Data Map. This makes these resources discoverable, but not editable, by everyone in that group. [Restricting inheritance](how-to-create-and-manage-collections.md#restrict-inheritance) on the Revenue group will control access to those assets. Users who need access to revenue information can be added separately to the Revenue collection.

+There may be a time when your [root collection admin](#roles) needs to change. By default, the user who creates the account is automatically assigned collection admin to the root collection. To update the root collection admin, there are three options:

+Now that you have a base understanding of collections, and access control, follow the guides below to create and manage those collections, or get started with registering sources into your Microsoft Purview Data Map.

+- [Supported data sources in the Microsoft Purview Data Map](azure-purview-connector-overview.md)

+ Title: Pricing guidelines for Microsoft Purview (formerly Azure Purview)

+description: This article provides a guideline to understand and strategize pricing for the components of Microsoft Purview (formerly Azure Purview).

+# Pricing for Microsoft Purview (formerly Azure Purview)

+Microsoft Purview, formally known as Azure Purview, provides a single pane of glass for managing data governance by enabling automated scanning and classifying data at scale through the Microsoft Purview governance portal.

+## Why do you need to understand the components of pricing?

+- While the pricing for Microsoft Purview (formerly Azure Purview) is on a subscription-based **Pay-As-You-Go** model, there are various dimensions that you can consider while budgeting

+- This guideline is intended to help you plan the budgeting for Microsoft Purview in the governance portal by providing a view on the control factors that impact the budget

+## Factors impacting Azure Pricing

+There are **direct** and **indirect** costs that need to be considered while planning budgeting and cost management.

+- The **Data map** is the foundation of the Microsoft Purview governance portal architecture and so needs to be up to date with asset information in the data estate at any given point

+- The data map is always provisioned at one CU when an account is first created

+ - When there's a need for more operations/second throughput, the Data map can autoscale within the elasticity window to cater to the changed load

+There are two major automated processes that can trigger ingestion of metadata into the Microsoft Purview Data Map:

+ - Ingestion of metadata into the Microsoft Purview Data Map

+ - Ingestion of metadata and lineage into the Microsoft Purview Data Map if the account is connected to any Azure Data Factory or Azure Synapse pipelines.

+- It's important to consider and avoid the scenarios when multiple people or groups belonging to different departments set up scans for the same data source resulting in more pricing for duplicate scanning

+- The **ΓÇ£View DetailsΓÇ¥** link for a data source will enable users to run a full scan. However, consider running incremental scans after a full scan for optimized scanning excepting when there's a change to the scan rule set (classifications/file types)

+- Consider that the **type of data source** and the **number of assets** being scanned affect the scan duration

+- metadata and lineage are ingested from Azure Data Factory or Azure Synapse pipelines every time the pipelines run in the source system.

+- The Microsoft Purview Data Map uses **resource sets** to address the challenge of mapping large numbers of data assets to a single logical resource by providing the ability to scan all the files in the data lake and find patterns (GUID, localization patterns, etc.) to group them as a single asset in the data map

+- **Advanced Resource Set** is an optional feature, which allows for customers to get enriched resource set information computed such as Total Size, Partition Count, etc., and enables the customization of resource set grouping via pattern rules. If Advanced Resource Set feature isn't enabled, your data catalog will still contain resource set assets, but without the aggregated properties. There will be no "Resource Set" meter billed to the customer in this case.

+- Use the basic resource set feature, before switching on the Advanced Resource Sets in the Microsoft Purview Data Map to verify if requirements are met

+ - Your data lakes schema is constantly changing, and you're looking for more value beyond the basic Resource Set feature to enable the Microsoft Purview Data Map to compute parameters such as #partitions, size of the data estate, etc., as a service

+ - There's a need to customize how resource set assets get grouped

+- It's important to note that billing for Advanced Resource Sets is based on the compute used by the offline tier to aggregate resource set information and is dependent on the size/number of resource sets in your catalog

+Indirect costs impacting Microsoft Purview (formerly Azure Purview) pricing to be considered are:

+ - When an account is provisioned, a storage account and event hub queue are created within the subscription in order to cater to secured scanning, which may be charged separately

+ - Azure private end points are used for Microsoft Purview (formerly Azure Purview), where it's required for users on a virtual network (VNet) to securely access the catalog over a private link

+ - It's required to deploy and register Self-hosted integration runtime (SHIR) inside the same virtual network where Microsoft Purview ingestion private endpoints are deployed

+ - [Other memory requirements for scanning](./register-scan-sapecc-source.md#create-and-run-scan)

+ - Certain data sources such as SAP require more memory on the SHIR machine for scanning

+ - The pricing for Azure Alerts is available [here](https://azure.microsoft.com/pricing/details/monitor/)

+- [Microsoft Purview, forerly Azure Purview, pricing page](https://azure.microsoft.com/pricing/details/azure-purview/)

+ Title: 'Quickstart: Create a Microsoft Purview (formerly Azure Purview) account'

+description: This Quickstart describes how to create a Microsoft Purview (formerly Azure Purview) account and configure permissions to begin using it.

+# Quickstart: Create an account in the Microsoft Purview governance portal

+This quickstart describes the steps to Create a Microsft Purview (formerly Azure Purview) account through the Azure portal. Then we'll get started on the process of classifying, securing, and discovering your data in the Microsoft Purview Data Map!

+The Microsoft Purview governance portal surfaces tools like the Microsoft Purview Data Map and Microsoft Purview Data Catalog, that help you manage and govern your data landscape. By connecting to data across your on-premises, multi-cloud, and software-as-a-service (SaaS) sources, the Microsoft Purview Data Map creates an up-to-date map of your data estate. It identifies and classifies sensitive data, and provides end-to-end linage. Data consumers are able to discover data across your organization, and data administrators are able to audit, secure, and ensure right use of your data.

+For more information about the governance capabilities of Microsoft Purview, formerly Azure Purview, [see our overview page](overview.md). For more information about deploying Microsoft Purview across your organization, [see our deployment best practices](deployment-best-practices.md).

+## Create an account

+1. Search for **Microsoft Purview** in the [Azure portal](https://portal.azure.com).

+ :::image type="content" source="media/create-catalog-portal/select-create.png" alt-text="Screenshot of the Microsoft Purview accounts page with the create button highlighted in the Azure portal.":::

+1. On the new Create Microsoft Purview account page under the **Basics** tab, select the Azure subscription where you want to create your account.

+1. Select an existing **resource group** or create a new one to hold your account.

+ The list shows only locations that support the Microsoft Purview governance portal. The location you choose will be the region where your Microsoft Purview account and meta data will be stored. Sources can be housed in other regions.

+ > The Microsoft Purview, formerly Azure Purview, does not support moving accounts across regions, so be sure to deploy to the correction region. You can find out more information about this in [move operation support for resources](../azure-resource-manager/management/move-support-resources.md).

+1. Select **Review & Create**, and then select **Create**. It takes a few minutes to complete the creation. The newly created account will appear in the list on your **Microsoft Purview accounts** page.

+After your account is created, you'll use the Microsoft Purview governance portal to access and manage it. There are two ways to open the Microsoft Purview governance portal:

+* Alternatively, you can browse to [https://web.purview.azure.com](https://web.purview.azure.com), select your Microsoft Purview account name, and sign in to your workspace.

+In this quickstart, you learned how to create a Microsoft Purview (formerly Azure Purview) account, and how to access it.

+Follow these next articles to learn how to navigate the Microsoft Purview governance portal, create a collection, and grant access to the Microsoft Purview Data Map:

+description: This article explains how to create and manage collections within the Microsoft Purview Data Map.

+# Create and manage collections in the Microsoft Purview Data Map

+Collections in the Microsoft Purview Data Map can be used to organize assets and sources by your business's flow. They're also the tool used to manage access across the Microsoft Purview governance portal. This guide will take you through the creation and management of these collections, as well as cover steps about how to register sources and add assets into your collections.

+* An active [Microsoft Purview (formerly Azure Purview) account](create-catalog-portal.md).

+In order to create and manage collections in the Microsoft Purview Data Map, you'll need to be a **Collection Admin** within the Microsoft Purview governance portal. We can check these permissions in the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/). You can find Studio in the overview page of the account in the [Azure portal](https://portal.azure.com).

+1. Select your root collection. This is the top collection in your collection list and will have the same name as your account. In the following example, it's called Contoso Microsoft Purview. Alternatively, if collections already exist you can select any collection where you want to create a subcollection.

+1. To create a collection, you'll need to be in the collection admin list under role assignments. If you created the account, you should be listed as a collection admin under the root collection already. If not, you'll need to contact the collection admin to grant your permission.

+Since permissions are managed through collections in the Microsoft Purview Data Map, it's important to understand the roles and what permissions they'll give your users. A user granted permissions on a collection will have access to sources and assets associated with that collection, and inherit permissions to subcollections. Inheritance [can be restricted](#restrict-inheritance), but is allowed by default.

+1. Select **OK** to save your changes, and you'll see the new users reflected in the role assignments list.

+Collection permissions are inherited automatically from the parent collection. For example, any permissions on the root collection (the collection at the top of the list that has the same name as your account), will be inherited by all collections below it. You can restrict inheritance from a parent collection at any time, using the restrict inherited permissions option.

+Once you restrict inheritance, you'll need to add users directly to the restricted collection to grant them access.

+1. Back in the collection window, you'll see the data sources linked to the collection on the sources card.

+ 1. If you don't have read permission on a collection, the assets under that collection won't be listed in search results. If you get the direct URL of one asset and open it, you'll see the no access page. Contact your collection admin to grant you the access. You can select the **Refresh** button to check the permission again.

+1. In the Microsoft Purview governance portal, the search bar is located at the top of the portal window.

+ :::image type="content" source="./media/how-to-create-and-manage-collections/purview-search-bar.png" alt-text="Screenshot showing the location of the Microsoft Purview governance portal search bar." border="true":::

+1. Enter in keywords that help identify your asset such as its name, data type, classifications, and glossary terms. As you enter in keywords relating to your desired asset, the Microsoft Purview governance portal displays suggestions on what to search and potential asset matches. To complete your search, select **View search results** or press **Enter**.

+1. The search results page shows a list of assets that match the keywords provided in order of relevance. There are various factors that can affect the relevance score of an asset. You can filter down the list more by selecting specific collections, data stores, classifications, contacts, labels, and glossary terms that apply to the asset you're looking for.

+ Title: Introduction to Microsoft Purview (formerly Azure Purview)

+description: This article provides an overview of Microsoft Purview (formerly Azure Purview), including its features and the problems it addresses. Microsoft Purview enables any user to register, discover, understand, and consume data sources.

+# What is Microsoft Purview (formerly Azure Purview)?

+description: Learn how to set up a search indexer to index data stored in Azure Database for MySQL for full text search in Azure Cognitive Search.

+This article supplements [Creating indexers in Azure Cognitive Search](search-howto-create-indexers.md) with information that's specific to indexing files in Azure DB for MySQL. It uses the REST APIs to demonstrate a three-part workflow common to all indexers:

+- Create a data source

+- Create an index

+- Create an indexer

+When configured to include a high water mark and soft deletion, the indexer takes all changes, uploads, and deletes for your MySQL database. It reflects these changes in your search index. Data extraction occurs when you submit the Create Indexer request.

+- [Register for the preview](https://aka.ms/azure-cognitive-search/indexer-preview) to provide feedback and get help with any issues you encounter.

+- [Azure Database for MySQL single server](../mysql/single-server-overview.md).

+- A table or view that provides the content. A primary key is required. If you're using a view, it must have a [high water mark column](#DataChangeDetectionPolicy).

+- Read permissions. A *full access* connection string includes a key that grants access to the content, but if you're using Azure roles, make sure the [search service managed identity](search-howto-managed-identities-data-sources.md) has **Reader** permissions on MySQL.

+- A REST client, such as [Postman](search-get-started-rest.md) or [Visual Studio Code with the extension for Azure Cognitive Search](search-get-started-vs-code.md) to send REST calls that create the data source, index, and indexer.

+ You can also use the [Azure SDK for .NET](/dotnet/api/azure.search.documents.indexes.models.searchindexerdatasourcetype.mysql). You can't use the portal for indexer creation, but you can manage indexers and data sources once they're created.

+For more information, see [Azure Database for MySQL](../mysql/overview.md).

+Currently, change tracking and deletion detection aren't working if the date or timestamp is uniform for all rows. This limitation is a known issue to be addressed in an update to the preview. Until this issue is addressed, donΓÇÖt add a skillset to the MySQL indexer.

+1. Set `type` to `"mysql"` (required).

+1. Set `credentials` to an ADO.NET connection string. You can find connection strings in Azure portal, on the **Connection strings** page for MySQL.

+1. Set `container` to the name of the table.

+1. Set [`dataChangeDetectionPolicy`](#DataChangeDetectionPolicy) if data is volatile and you want the indexer to pick up just the new and updated items on subsequent runs.

+1. Set [`dataDeletionDetectionPolicy`](#DataDeletionDetectionPolicy) if you want to remove search documents from a search index when the source item is deleted.

+If the primary key in the source table matches the document key (in this case, "ID"), the indexer imports the primary key as the document key.

+The following table maps the MySQL database to Cognitive Search equivalents. For more information, see [Supported data types (Azure Cognitive Search)](/rest/api/searchservice/supported-data-types).

+An indexer runs automatically when it's created. You can prevent it from running by setting `disabled` to `true`. To control indexer execution, [run an indexer on demand](search-howto-run-reset-indexers.md) or [put it on a schedule](search-howto-schedule-indexers.md).

+To enable incremental indexing, set the `dataChangeDetectionPolicy` property in your data source definition. This property tells the indexer which change tracking mechanism is used on your data.

+An indexer's change detection policy relies on having a *high water mark* column that captures the row version, or the date and time when a row was last updated. It's often a `DATE`, `DATETIME`, or `TIMESTAMP` column at a granularity sufficient for meeting the requirements of a high water mark column.

+- All data inserts must specify a value for the column.

+- All updates to an item also change the value of the column.

+- The value of this column increases with each insert or update.

+- Queries with the following `WHERE` and `ORDER BY` clauses can be executed efficiently: `WHERE [High Water Mark Column] > [Current High Water Mark Value] ORDER BY [High Water Mark Column]`

+> If the source table does not have an index on the high water mark column, queries used by the MySQL indexer might time out. In particular, the `ORDER BY [High Water Mark Column]` clause requires an index to run efficiently when the table contains many rows.

+When rows are deleted from the table or view, you normally want to delete those rows from the search index as well. However, if the rows are physically removed from the table, an indexer has no way to infer the presence of records that no longer exist. The solution is to use a *soft-delete* technique to logically delete rows without removing them from the table. Add a column to your table or view and mark rows as deleted using that column.

+Given a column that provides deletion state, an indexer can be configured to remove any search documents for which deletion state is set to `true`. The configuration property that supports this behavior is a data deletion detection policy, which is specified in the [data source definition](#define-the-data-source) as follows:

+The `softDeleteMarkerValue` must be a string. For example, if you have an integer column where deleted rows are marked with the value 1, use `"1"`. If you have a `BIT` column where deleted rows are marked with the Boolean true value, use the string literal `True` or `true` (the case doesn't matter).

+- [Index large data sets](search-howto-large-index.md)

+- [Indexer access to content protected by Azure network security features](search-indexer-securing-resources.md)

+Occasionally, questions are asked about tasks *not* on the above list.

+You cannot change a server name, region, or tier programmatically or in the portal. Dedicated resources are allocated when a service is created. As such, changing the underlying hardware (location or node type) requires a new service.

+You cannot use tools or APIs to transfer content, such as an index, from one service to another. Within a service, programmatic creation of content is through [Search Service REST API](/rest/api/searchservice/) or an SDK such as [Azure SDK for .NET](/dotnet/api/overview/azure/search.documents-readme). While there are no dedicated commands for content migration, you can write script that calls REST API or a client library to create and load indexes on a new service.

+Preview administration features are typically not available in the **az search** module. If you want to use a preview feature, [use the Management REST API](search-manage-rest.md) and a preview API version.

+For more information on creating private endpoints in Azure CLI, see this [Private Link Quickstart](../private-link/create-private-endpoint-cli.md)

+Occasionally, questions are asked about tasks *not* on the above list.

+You cannot change a server name, region, or tier programmatically or in the portal. Dedicated resources are allocated when a service is created. As such, changing the underlying hardware (location or node type) requires a new service.

+You cannot use tools or APIs to transfer content, such as an index, from one service to another. Within a service, programmatic creation of content is through [Search Service REST API](/rest/api/searchservice/) or an SDK such as [Azure SDK for .NET](/dotnet/api/overview/azure/search.documents-readme). While there are no dedicated commands for content migration, you can write script that calls REST API or a client library to create and load indexes on a new service.

+Preview administration features are typically not available in the **Az.Search** module. If you want to use a preview feature, [use the Management REST API](search-manage-rest.md) and a preview API version.

+To create an [S3HD](./search-sku-tier.md#tier-descriptions) service, a combination of `-Sku` and `-HostingMode` is used. Set `-Sku` to `Standard3` and `-HostingMode` to `HighDensity`.

+In this article, learn how to create and configure an Azure Cognitive Search service using the [Management REST APIs](/rest/api/searchmanagement/). Only the Management REST APIs are guaranteed to provide early access to [preview features](/rest/api/searchmanagement/management-api-versions#2021-04-01-preview). Set a preview API version to access preview features.

+> * [Create or update a service](#create-or-update-a-service)

+## Create or update a service

+## Create an S3HD service

+To create an [S3HD](search-sku-tier.md#tier-descriptions) service, use a combination of `-Sku` and `-HostingMode` properties. Set "sku" to `Standard3` and "hostingMode" to `HighDensity`.

+```rest

+PUT https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resource-group}}/providers/Microsoft.Search/searchServices/{{search-service-name}}?api-version=2021-04-01-preview

+{

+ "location": "{{region}}",

+ "sku": {

+ "name": "Standard3"

+ },

+ "properties": {

+ "replicaCount": 1,

+ "partitionCount": 1,

+ "hostingMode": "HighDensity"

+ }

+}

+```

+The most commonly used billable tiers include the following:

+Some tiers are designed for certain types of work:

+Rules based on the update trigger have their own separate order queue. If such rules are triggered to run on a just-created incident (by a change made by another automation rule), they will run only after all the applicable rules based on the create trigger have run.

+Automation rules are run sequentially, according to the [order](#order) you [determine](create-manage-use-automation-rules.md#finish-creating-your-rule). Each automation rule is executed after the previous one has finished its run. Within an automation rule, all actions are run sequentially in the order in which they are defined.

+| **Kusto function URL:** | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Barracuda%20CloudGen%20Firewall/Parsers/CGFWFirewallActivity |

+| **Supported by** | [Illusive Networks](https://illusive.com/support/) |

+| **Kusto function URL** | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Parsers/Morphisec/Morphisec |

+| **Vendor documentation/<br>installation instructions** | <li>[Netskope Cloud Security Platform](https://www.netskope.com/platform)<li>[Netskope API Documentation](https://docs.netskope.com/en/rest-api-v1-overview.html)<li>[Obtain an API Token](https://docs.netskope.com/en/rest-api-v2-overview.html) |

+| **Kusto function URL** | https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Onapsis%20Platform/Parsers/OnapsisLookup.txt |

+To export your QRadar data, you use the QRadar REST API to run Ariel Query Language (AQL) queries on data stored in an Ariel database. Because the export process is resource intensive, we recommend that you use small time ranges in your queries, and only migrate the data you need.

+## Create AQL query

+1. In the QRadar Console, select the **Log Activity** tab.

+1. Create a new AQL search query or select a saved search query to export the data. Ensure that the query includes the `START` and `STOP` functions to set the date and time range.

+ Learn how to use [AQL](https://www.ibm.com/docs/en/qsip/7.5?topic=aql-ariel-query-language) and how to [save search criteria](https://www.ibm.com/docs/en/qsip/7.5?topic=searches-saving-search-criteria) in AQL.

+1. Copy the AQL query for later use.

+1. Encode the AQL query to the URL encoded format. Paste the query you copied in step 3 [into the decoder](https://www.url-encode-decode.com/). Copy the encoded format output.

+## Execute search query

+You can execute the search query using one of these methods.

+- **QRadar Console user ID**. To use this method, ensure that the console user ID being used for data migration is assigned to a [security profile](https://www.ibm.com/docs/en/qradar-on-cloud?topic=management-security-profiles) that can access the data you need for the export.

+- **API token**. To use this method, [generate an API token in QRadar](https://www.ibm.com/docs/en/qradar-common?topic=app-creating-authorized-service-token-qradar-operations).

+To execute the search query:

+1. Log in to the system from which you'll download the historical data. Ensure that this system has access to the QRadar Console and QRadar API on TCP/443 via HTTPS.

+1. To execute the search query that retrieves the historical data, open a command prompt and run one of these commands:

+

+ - For the QRadar Console user ID method, run:

+ ```

+ curl -s -X POST -u <enter_qradar_console_user_id> -H 'Version: 12.0' -H 'Accept: application/json' 'https://<enter_qradar_console_ip_or_hostname>/api/ariel/searches?query_expression=<enter_encoded_AQL_from_previous_step>'

+ ```

+ - For the API token method, run:

+

+ ```

+ curl -s -X POST -H 'SEC: <enter_api_token>' -H 'Version: 12.0' -H 'Accept: application/json' 'https://<enter_qradar_console_ip_or_hostname>/api/ariel/searches?query_expression=<enter_encoded_AQL_from_previous_step>

+ ```

+

+ The search job execution time may vary, depending on the AQL time range and amount of queried data. We recommended that you run the query in small time ranges, and to query only the data you need for the export.

+ The output should return a status, such as `COMPLETED`, `EXECUTE`, `WAIT`, a `progress` value, and a `search_id` value. For example:

+ :::image type="content" source="media/migration-qradar-historical-data/export-output.png" alt-text="Screenshot of the output of the search query command." border="false":::

+1. Copy the value in the `search_id` field. You'll use this ID to check the progress and status of the search query execution, and to download the results after the search execution is complete.

+1. To check the status and the progress of the search, run one of these commands:

+ - For the QRadar Console user ID method, run:

+ ```

+ curl -s -X POST -u <enter_qradar_console_user_id> -H 'Version: 12.0' -H 'Accept: application/json' 'https:// <enter_qradar_console_ip_or_hostname>/api/ariel/searches/<enter_search_id_from_previous_step>'

+ ```

+

+ - For the API token method, run:

+

+ ```

+ curl -s -X POST -H 'SEC: <enter_api_token>' -H 'Version: 12.0' -H 'Accept: application/json' 'https:// <enter_qradar_console_ip_or_hostname>/api/ariel/searches/<enter_search_id_from_previous_step>'

+ ```

+1. Review the output. If the value in the `status` field is `COMPLETED`, continue to the next step. If the status isn't `COMPLETED`, check the value in the `progress` field, and after 5-10 minutes, run the command you ran in step 4.

+1. Review the output and ensure that the status is `COMPELETED`.

+1. Run one of these commands to download the results or returned data from the JSON file to a folder on the current system:

+ - For the QRadar Console user ID method, run:

+

+ ```

+ curl -s -X GET -u <enter_qradar_console_user_id> -H 'Version: 12.0' -H 'Accept: application/json' 'https:// <enter_qradar_console_ip_or_hostname>/api/ariel/searches/<enter_search_id_from_previous_step>/results' > <enter_path_to_file>.json

+ ```

+ - For the API token method, run:

+

+ ```

+ curl -s -X GET -H 'SEC: <enter_api_token>' -H 'Version: 12.0' -H 'Accept: application/json' 'https:// <enter_qradar_console_ip_or_hostname>/api/ariel/searches/<enter_search_id_from_previous_step>/results' > <enter_path_to_file>.json

+ ```

+1. To retrieve the data that you need to export, [create the AQL query](#create-aql-query) (steps 1-4) and [execute the query](#execute-search-query) (steps 1-7) again. Adjust the time range and search queries to get the data you need.

+## Deploy the workbook content and view the workbook

+|**Apache Log4j Vulnerability Detection** | Analytics rules, hunting queries, workbooks, playbooks | Application, Security - Threat Protection, Security - Vulnerability Management | Microsoft|

+## Zscaler

+|**Zscaler Private Access**|Data connector, workbook, analytics rules, hunting queries, parser | Security - Network | Microsoft|

+ Title: Grant access to Azure resources on a Service Fabric cluster

+description: Learn how to grant a managed-identity-enabled Service Fabric application access to other Azure resources that support Azure Active Directory authentication.

+# Grant a Service Fabric application access to Azure resources on a Service Fabric cluster

+Before an application can use its managed identity to access other resources, grant permissions to that identity on the protected Azure resource being accessed. Granting permissions is typically a management action on the *control plane* of the Azure service that owns the protected resource routed by Azure Resource Manager. That service enforces any applicable role-based access checking.

+The exact sequence of steps depends on the type of Azure resource being accessed and the language and client used to grant permissions. This article assumes a user-assigned identity assigned to the application and includes several examples. Consult the documentation of the respective Azure services for up-to-date instructions on granting permissions.

+## Grant access to Azure Storage

+You can use the Service Fabric application's managed identity, which is user-assigned in this case, to get the data from an Azure storage blob. Grant the identity the required permissions in the [Azure portal](https://portal.azure.com/) by using the following steps:

+1. Navigate to the storage account.

+1. Select the Access Control (IAM) link in the left panel.

+1. (Optional) Check existing access: select **System-assigned** or **User-assigned** managed identity in the **Find** control. Select the appropriate identity from the ensuing result list.

+1. Select **Add** > **Add role assignment** on top of the page to add a new role assignment for the application's identity.

+1. Under **Role**, from the dropdown list, select **Storage Blob Data Reader**.

+1. In the next dropdown list, under **Assign access to**, choose **User assigned managed identity**.

+1. Next, ensure the proper subscription is listed in **Subscription** dropdown list and then set **Resource Group** to **All resource groups**.

+1. Under **Select**, choose the UAI corresponding to the Service Fabric application and then select **Save**.

+Support for system-assigned Service Fabric managed identities doesn't include integration in the Azure portal. If your application uses a system-assigned identity, find the client ID of the application's identity, and then repeat the steps above but selecting the **Azure AD user, group, or service principal** option in the **Find** control.

+## Grant access to Azure Key Vault

+Similarly to accessing storage, you can use the managed identity of a Service Fabric application to access an Azure Key Vault. The steps for granting access in the Azure portal are similar to the steps listed above. Refer to the image below for differences.

+

+The following example illustrates granting access to a vault by using a template deployment. Add the snippets below as another entry under the `resources` element of the template. The sample demonstrates access granting for both user-assigned and system-assigned identity types, respectively. Choose the applicable one.

+For system-assigned managed identities:

+For more information, see [Vaults - Update Access Policy](/rest/api/keyvault/keyvault/vaults/update-access-policy).

+By default, Windows Defender antivirus is installed on Windows Server 2016. For details, see [Windows Defender Antivirus on Windows Server 2016](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The user interface is installed by default on some SKUs, but is not required. To reduce any performance impact and resource consumption overhead incurred by Windows Defender, and if your security policies allow you to exclude processes and paths for open-source software, declare the following Virtual Machine Scale Set Extension Resource Manager template properties to exclude your Service Fabric cluster from scans:

+ Title: Upgrade Linux OS for Azure Service Fabric

+description: Learn about options for migrating your Azure Service Fabric cluster to another Linux operating system.

+# Upgrade Linux OS for Azure Service Fabric

+This document describes how to migrate your Azure Service Fabric for Linux cluster from Ubuntu version 16.04 LTS to 18.04 LTS. Each operating system (OS) version requires a different Service Fabric runtime package. This article describes the steps required to facilitate a smooth migration to the newer version.

+## Approach to migration

+The general approach to the migration follows these steps:

+1. Switch the Service Fabric cluster Azure Resource Manager resource `vmImage` to `Ubuntu18_04`. This setting pulls future code upgrades for this OS version. This temporary OS mismatch against existing node types blocks automatic code upgrade rollouts to ensure safe rollover.

+ > [!TIP]

+ > Avoid issuing manual Service Fabric cluster code upgrades during the OS migration. Doing so may cause the old node type nodes to enter a state that requires human intervention.

+1. For each node type in the cluster, create another node type that targets the Ubuntu 18.04 OS image for the underlying Virtual Machine Scale Set. Each new node type assumes the role of its old counterpart.

+ * A new primary node type has to be created to replace the old node type marked as `isPrimary: true`.

+ * For each non-primary node type, these nodes types are marked `isPrimary: false`.

+ * Ensure after the new target OS node type is created that existing workloads continue to function correctly. If issues are observed, address the changes required in the app or pre-installed machine packages before proceeding with removing the old node type.

+1. Mark the old primary node type `isPrimary: false`. This setting results in a long-running set of upgrades to transition all seed nodes.

+1. (For Bronze durability node types ONLY): Connect to the cluster by using [sfctl](service-fabric-sfctl.md), [PowerShell](/powershell/module/ServiceFabric), or [FabricClient](/dotnet/api/system.fabric.fabricclient). Disable all nodes in the old node type.

+1. Remove the old node types.

+[Az PowerShell](/powershell/azure/) generates a new DNS name for the added node type. Redirect external traffic to this endpoint.

+This procedure demonstrates how to quickly prototype the node type migration by using Az PowerShell cmdlets in a TEST-only cluster. For production clusters facing real business traffic, we expect that the same steps are done by issuing Resource Manager upgrades, to preserve repeatability and a consistent declarative source of truth.

+1. Update the `vmImage` setting on the Service Fabric cluster resource using [Update-AzServiceFabricVmImage](/powershell/module/az.servicefabric/update-azservicefabricvmimage):

+3. Update the old primary node type to non-primary in order to roll over seed nodes and system services to the new node type:

+ Your output should look like this example:

+ ```output

+4. To remove Bronze durability node types, disable the nodes before proceeding to remove the old node type. Connect to a cluster node by using *ssh*. Run the following commands:

+5. Remove the previous node type by removing the Service Fabric cluster resource node type attribute and decommissioning the associated virtual machine scale set and networking resources:

+ > In some cases this command might hit the following error:

+ >

+ > ```powershell

+ > Remove-AzServiceFabricNodeType : Code: ClusterUpgradeFailed, Message: Long running operation failed with status 'Failed'

+ > ```

+ >

+ > You might find by using Service Fabric Explorer (SFX) the InfrastructureService that the removed node type is in an error state. Retry the removal.

+Confirm that workloads have been successfully migrated to the new node types and old node types have been purged. Then the cluster can proceed with Service Fabric runtime code version and configuration upgrades.

+You can also run a provisioning automation pipeline using Terraform, Bicep, or Azure Resource Manager template (ARM template). This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy.

+### Automate provisioning using Bicep

+To configure the environment variables in a Bicep file, add the following code to the file, replacing the *\<...>* placeholders with your own values. For more information, see [Microsoft.AppPlatform Spring/apps/deployments](/azure/templates/microsoft.appplatform/spring/apps/deployments?tabs=bicep).

+```bicep

+deploymentSettings: {

+ environmentVariables: {

+ APPDYNAMICS_AGENT_APPLICATION_NAME : '<your-app-name>'

+ APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY : '<your-agent-access-key>'

+ APPDYNAMICS_AGENT_ACCOUNT_NAME : '<your-agent-account-name>'

+ APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME : 'true'

+ APPDYNAMICS_JAVA_AGENT_REUSE_NODE_NAME_PREFIX : '<your-agent-node-name>'

+ APPDYNAMICS_AGENT_TIER_NAME : '<your-agent-tier-name>'

+ APPDYNAMICS_CONTROLLER_HOST_NAME : '<your-AppDynamics-controller-host-name>'

+ APPDYNAMICS_CONTROLLER_SSL_ENABLED : 'true'

+ APPDYNAMICS_CONTROLLER_PORT : '443'

+ }

+ jvmOptions: '-javaagent:/opt/agents/appdynamics/java/javaagent.jar'

+}

+```

+```JSON

+The following screenshot shows the **Slow Transactions** page:

+> [!NOTE]

+The following sections describe how to automate your deployment using Bicep, Azure Resource Manager templates (ARM templates) or Terraform.

+### Bicep

+To deploy using a Bicep file, copy the following content into a *main.bicep* file. For more information, see [Microsoft.AppPlatform Spring/monitoringSettings](/azure/templates/microsoft.appplatform/spring/monitoringsettings).

+```bicep

+param location string = resourceGroup().location

+resource customize_this 'Microsoft.AppPlatform/Spring@2020-07-01' = {

+ name: 'customize this'

+ location: location

+ properties: {}

+}

+resource customize_this_default 'Microsoft.AppPlatform/Spring/monitoringSettings@2020-11-01-preview' = {

+ parent: customize_this

+ name: 'default'

+ properties: {

+ appInsightsInstrumentationKey: '00000000-0000-0000-0000-000000000000'

+ appInsightsSamplingRate: 88

+ }

+}

+```

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]"

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.AppPlatform/Spring",

+ "apiVersion": "2020-07-01",

+ "name": "customize this",

+ "location": "[parameters('location')]",

+ "properties": {}

+ },

+ {

+ "type": "Microsoft.AppPlatform/Spring/monitoringSettings",

+ "apiVersion": "2020-11-01-preview",

+ "name": "[format('{0}/{1}', 'customize this', 'default')]",

+ "properties": {

+ "appInsightsInstrumentationKey": "00000000-0000-0000-0000-000000000000",

+ "appInsightsSamplingRate": 88

+ },

+ "dependsOn": [

+ "[resourceId('Microsoft.AppPlatform/Spring', 'customize this')]"

+ ]

+ }

+ ]

+> [!NOTE]

+> [!NOTE]

+ --is-public true

+Using Terraform, Bicep, or Azure Resource Manager template (ARM template), you can also run a provisioning automation pipeline. This pipeline can provide a complete hands-off experience to instrument and monitor any new applications that you create and deploy.