+| IsMfaRegistered | Yes |boolean | Indicates whether the user already enrolled a method for multi-factor authentication. If the value is set to `false`, the Conditional Access policy evaluation returns a `block` challenge if action is required. |

+ Title: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel

+description: Use Microsoft Sentinel to perform security analytics for Azure Active Directory B2C data.

+#Customer intent: As an IT professional, I want to gather logs and audit data using Microsoft Sentinel and Azure Monitor to secure applications that use Azure Active Directory B2C.

+# Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel

+Increase the security of your Azure Active Directory B2C (Azure AD B2C) environment by routing logs and audit information to Microsoft Sentinel. The scalable Microsoft Sentinel is a cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Use the solution for alert detection, threat visibility, proactive hunting, and threat response for Azure AD B2C.

+Learn more:

+* [What is Microsoft Sentinel?](../sentinel/overview.md)

+* [What is SOAR?](https://www.microsoft.com/security/business/security-101/what-is-soar)

+More uses for Microsoft Sentinel, with Azure AD B2C, are:

+* Detect previously undetected threats and minimize false positives with analytics and threat intelligence features

+* Investigate threats with artificial intelligence (AI)

+ * Hunt for suspicious activities at scale, and benefit from the experience of years of cybersecurity work at Microsoft

+* Respond to incidents rapidly with common task orchestration and automation

+* Meet your organization's security and compliance requirements

+In this tutorial, learn how to:

+* Transfer Azure AD B2C logs to a Log Analytics workspace

+* Enable Microsoft Sentinel in a Log Analytics workspace

+* Create a sample rule in Microsoft Sentinel to trigger an incident

+* Configure an automated response

+## Configure Azure AD B2C with Azure Monitor Log Analytics

+To define where logs and metrics for a resource are sent,

+1. Enable **Diagnostic settings** in Azure AD, in your Azure AD B2C tenant.

+2. Configure Azure AD B2C to send logs to Azure Monitor.

+Learn more, [Monitor Azure AD B2C with Azure Monitor](./azure-monitor.md).

+## Deploy a Microsoft Sentinel instance

+After you configure your Azure AD B2C instance to send logs to Azure Monitor, enable an instance of Microsoft Sentinel.

+ >[!IMPORTANT]

+ >To enable Microsoft Sentinel, obtain Contributor permissions to the subscription in which the Microsoft Sentinel workspace resides. To use Microsoft Sentinel, use Contributor or Reader permissions on the resource group to which the workspace belongs.

+1. Go to the [Azure portal](https://portal.azure.com).

+2. Select the subscription where the Log Analytics workspace is created.

+3. Search for and select **Microsoft Sentinel**.

+ 

+3. Select **Add**.

+4. In the **search workspaces** field, select the new workspace.

+ 

+5. Select **Add Microsoft Sentinel**.

+ >[!NOTE]

+ >It's possible to run Microsoft Sentinel on more than one workspace, however data is isolated in a single workspace.</br> See, [Quickstart: Onboard Microsoft Sentinel](../sentinel/quickstart-onboard.md)

+## Create a Microsoft Sentinel rule

+After you enable Microsoft Sentinel, get notified when something suspicious occurs in your Azure AD B2C tenant.

+You can create custom analytics rules to discover threats and anomalous behaviors in your environment. These rules search for specific events, or event sets, and alert you when event thresholds or conditions are met. Then incidents are generated for investigation.

+See, [Create custom analytics rules to detect threats](../sentinel/detect-threats-custom.md)

+ >[!NOTE]

+ >Microsoft Sentinel has templates to create threat detection rules that search your data for suspicious activity. For this tutorial, you create a rule.

+### Notification rule for unsuccessful forced access

+Use the following steps to receive notification about two or more unsuccessful, forced access attempts into your environment. An example is brute-force attack.

+1. In Microsoft Sentinel, from the left menu, select **Analytics**.

+2. On the top bar, select **+ Create** > **Scheduled query rule**.

+ 

+3. In the Analytics Rule wizard, go to **General**.

+4. For **Name**, enter a name for unsuccessful logins.

+5. For **Description**, indicate the rule notifies for two or more unsuccessful sign-ins, within 60 seconds.

+6. For **Tactics**, select a category. For example, select **PreAttack**.

+7. For **Severity**, select a severity level.

+8. **Status** is **Enabled** by default. To change a rule, go to the **Active rules** tab.

+ 

+9. Select the **Set rule logic** tab.

+10. Enter a query in the **Rule query** field. The query example organizes the sign-ins by `UserPrincipalName`.

+ 

+11. Go to **Query scheduling**.

+12. For **Run query every**, enter **5** and **Minutes**.

+13. For **Lookup data from the last**, enter **5** and **Minutes**.

+14. For **Generate alert when number of query results**, select **Is greater than**, and **0**.

+15. For **Event grouping**, select **Group all events into a single alert**.

+16. For **Stop running query after alert is generated**, select **Off**.

+17. Select **Next: Incident settings (Preview)**.

+ 

+18. Go to the **Review and create** tab to review rule settings.

+19. When the **Validation passed** banner appears, select **Create**.

+ 

+#### View a rule and related incidents

+View the rule and the incidents it generates. Find your newly created custom rule of type **Scheduled** in the table under the **Active rules** tab on the main

+1. Go to the **Analytics** screen.

+2. Select the **Active rules** tab.

+3. In the table, under **Scheduled**, find the rule.

+You can edit, enable, disable, or delete the rule.

+ 

+#### Triage, investigate, and remediate incidents

+An incident can include multiple alerts, and is an aggregation of relevant evidence for an investigation. At the incident level, you can set properties such as Severity and Status.

+Learn more: [Investigate incidents with Microsoft Sentinel](../sentinel/investigate-cases.md).

+

+1. Go to the **Incidents** page.

+2. Select an incident.

+3. On the right, detailed incident information appears, including severity, entities, events, and the incident ID.

+ 

+4. On the **Incidents** pane, elect **View full details**.

+5. Review tabs that summarize the incident.

+ 

+6. Select **Evidence** > **Events** > **Link to Log Analytics**.

+7. In the results, see the identity `UserPrincipalName` value attempting sign-in.

+ 

+## Automated response

+Microsoft Sentinel has security orchestration, automation, and response (SOAR) functions. Attach automated actions, or a playbook, to analytics rules.

+See, [What is SOAR?](https://www.microsoft.com/security/business/security-101/what-is-soar)

+### Email notification for an incident

+For this task, use a playbook from the Microsoft Sentinel GitHub repository.

+1. Go to a configured playbook.

+2. Edit the rule.

+3. On the **Automated response** tab, select the playbook.

+Learn more: [Incident-Email-Notification](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Incident-Email-Notification)

+ 

+## Resources

+For more information about Microsoft Sentinel and Azure AD B2C, see:

+* [Azure AD B2C Reports & Alerts, Workbooks](https://github.com/azure-ad-b2c/siem#workbooks)

+* [Microsoft Sentinel documentation](../sentinel/index.yml)

+## Next step

+[Handle false positives in Microsoft Sentinel](../sentinel/false-positives.md)

+You can use Azure Front Door advanced configuration, such as [Azure Web Application Firewall (WAF)](partner-web-application-firewall.md). Azure WAF provides centralized protection of your web applications from common exploits and vulnerabilities.

+ Title: Microsoft Azure Active Directory B2C external identity video series

+description: Learn about external identities in Azure AD B2C in the Microsoft identity platform

+# Microsoft Azure Active Directory B2C external identity video series

+Learn the basics of External Identities - Azure Active Directory B2C (Azure AD B2C) and Azure Active Directory B2B (Azure AD B2B) in the Microsoft identity platform.

+## Azure Active Directory B2C architecture deep dive series

+Get a deeper view into the features and technical aspects of the Azure AD B2C service.

+| Video title | Video | Video title | Video |

+|:|:|:|:|

+|[Azure AD B2C sign-up sign-in](https://www.youtube.com/watch?v=c8rN1ZaR7wk&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=7&t=2s) 10:25|[:::image type="icon" source="./media/external-identities-videos/customer-sign-up-sign-in.png" border="false":::](https://www.youtube.com/watch?v=c8rN1ZaR7wk&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=6)|[Azure AD B2C single sign on and self service password reset](https://www.youtube.com/watch?v=kRV-7PSLK38&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=7) 8:40 |[:::image type="icon" source="./media/external-identities-videos/single-sign-on.png" border="false":::](https://www.youtube.com/watch?v=kRV-7PSLK38&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=7)|

+|[Application and identity migration to Azure AD B2C](https://www.youtube.com/watch?v=Xw_YwSJmhIQ&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=9) 10:34|[:::image type="icon" source="./media/external-identities-videos/identity-migration.png" border="false":::](https://www.youtube.com/watch?v=Xw_YwSJmhIQ&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=9)| [Build resilient and scalable flows using Azure AD B2C](https://www.youtube.com/watch?v=8f_Ozpw9yTs&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=12) 16:47|[:::image type="icon" source="./media/external-identities-videos/b2c-scalable-flows.png" border="false":::](https://www.youtube.com/watch?v=8f_Ozpw9yTs&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=12)|

+|[Building a custom CIAM solution with Azure AD B2C and ISV alliances](https://www.youtube.com/watch?v=UZjiGDD0wa8&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=8) 10:01|[:::image type="icon" source="./media/external-identities-videos/build-custom-b2c-solution.png" border="false":::](https://www.youtube.com/watch?v=UZjiGDD0wa8&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=8)|[Protecting Web APIs with Azure AD B2C](https://www.youtube.com/watch?v=wuUu71RcsIo&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=10) 19:03| [:::image type="icon" source="./media/external-identities-videos/protecting-web-apis.png" border="false":::](https://www.youtube.com/watch?v=wuUu71RcsIo&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=10)|

+|[Integration of SAML with Azure AD B2C](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=11) 9:09 | [:::image type="icon" source="./media/external-identities-videos/saml-integration.png" border="false":::](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=11) |[Azure AD B2C Identity Protection and Conditional Access](https://www.youtube.com/watch?v=frn5jVqbmUo&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=15) 14:44 | [:::image type="icon" source="./media/external-identities-videos/identity-protection-and-conditional-access.png" border="false":::](https://www.youtube.com/watch?v=frn5jVqbmUo&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=15)|

+## Azure Active Directory B2C how to series

+Learn how to perform various use cases in Azure AD B2C.

+| Video title | Video |Video title|Video|

+|:|:|:|:|

+|[Azure AD: Monitoring and reporting Azure AD B2C using Azure Monitor](https://www.youtube.com/watch?v=Mu9GQy-CbXI&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=1) 6:57|[:::image type="icon" source="./media/external-identities-videos/monitoring-reporting.png" border="false":::](https://www.youtube.com/watch?v=Mu9GQy-CbXI&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=2)|[Azure AD B2C user migration using Microsoft Graph API](https://www.youtube.com/watch?v=9BRXBtkBzL4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=5) 7:09| [:::image type="icon" source="./media/external-identities-videos/user-migration-msgraph-api.png" border="false":::](https://www.youtube.com/watch?v=9BRXBtkBzL4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=6)|

+| [Azure AD B2C user migration strategies](https://www.youtube.com/watch?v=lCWR6PGUgz0&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=2) 8:22| [:::image type="icon" source="./media/external-identities-videos/user-migration-stratagies.png" border="false":::](https://www.youtube.com/watch?v=lCWR6PGUgz0&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=3)| [How to localize or customize language using Azure AD B2C](https://www.youtube.com/watch?v=yqrX5_tA7Ms&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=13) 20:41| [:::image type="icon" source="./media/external-identities-videos/language-localization.png" border="false":::](https://www.youtube.com/watch?v=yqrX5_tA7Ms&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=14) |

+|[Configure monitoring: Azure AD B2C using Azure Monitor](https://www.youtube.com/watch?v=tF2JS6TGc3g&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=14) 17:23 | [:::image type="icon" source="./media/external-identities-videos/configure-monitoring.png" border="false":::](https://www.youtube.com/watch?v=tF2JS6TGc3g&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=15) | [Configuring custom domains in Azure AD B2C using Azure Front Door](https://www.youtube.com/watch?v=mVNB59VK-DQ&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=13) 19:45| [:::image type="icon" source="./media/external-identities-videos/configure-custom-domains.png" border="false":::](https://www.youtube.com/watch?v=mVNB59VK-DQ&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=14) |

+|  provides centralized protection of your web applications from common exploits and vulnerabilities. |

+ Title: Tutorial to configure Azure Active Directory B2C with Azure Web Application Firewall

+description: Learn to configure Azure AD B2C with Azure Web Application Firewall to protect applications from malicious attacks

+# Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall

+Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant, with a custom domain. WAF protects web applications from common exploits and vulnerabilities.

+>[!NOTE]

+>This feature is in public preview.

+See, [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)

+## Prerequisites

+To get started, you need:

+* An Azure subscription

+* If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)

+* **An Azure AD B2C tenant** ΓÇô authorization server that verifies user credentials using custom policies defined in the tenant

+ * Also known as the identity provider (IdP)

+ * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)

+* **Azure Front Door (AFD)** ΓÇô enables custom domains for the Azure AD B2C tenant

+ * See, [Azure Front Door and CDN documentation](../frontdoor/index.yml)

+* **WAF** ΓÇô manages traffic sent to the authorization server

+ * [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/#overview)

+## Custom domains in Azure AD B2C

+To use custom domains in Azure AD B2C, use the custom domain features in AFD. See, [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).

+ > [!IMPORTANT]

+ > After you configure the custom domain, see [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain).

+## Enable WAF

+To enable WAF, configure a WAF policy and associate it with the AFD for protection.

+### Create a WAF policy

+Create a WAF policy with Azure-managed default rule set (DRS). See, [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md).

+1. Go to the [Azure portal](https://portal.azure.com).

+2. Select **Create a resource**.

+3. Search for Azure WAF.

+4. Select **Azure Web Application Firewall (WAF)**.

+5. Select **Create**.

+6. Go to the **Create a WAF policy** page.

+7. Select the **Basics** tab.

+8. For **Policy for**, select **Global WAF (Front Door)**.

+9. For **Front Door SKU**, select between **Basic**, **Standard**, or **Premium** SKU.

+10. For **Subscription**, select your Front Door subscription name.

+11. For **Resource group**, select your Front Door resource group name.

+12. For **Policy name**, enter a unique name for your WAF policy.

+13. For **Policy state**, select **Enabled**.

+14. For **Policy mode**, select **Detection**.

+15. Select **Review + create**.

+16. Go to the **Association** tab of the Create a WAF policy page.

+17. Select **+ Associate a Front Door profile**.

+18. For **Front Door**, select your Front Door name associated with Azure AD B2C custom domain.

+19. For **Domains**, select the Azure AD B2C custom domains to associate the WAF policy to.

+20. Select **Add**.

+21. Select **Review + create**.

+22. Select **Create**.

+### Detection and Prevention modes

+When you create WAF policy, the policy is in Detection mode. We recommend you don't disable Detection mode. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged in the WAF logs.

+Learn more: [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)

+The following query shows the requests blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.

+

+ 

+ 

+Review the WAF logs to determine if policy rules cause false positives. Then, exclude the WAF rules based on the WAF logs.

+Learn more: [Define exclusion rules based on Web Application Firewall logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs)

+#### Switching modes

+To see WAF operating, select **Switch to prevention mode**, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs.

+ 

+To revert to Detection mode, select **Switch to detection mode**.

+ 

+## Next steps

+* [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)

+* [Web Application Firewall (WAF) with Front Door exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)

+|Azure AD B2C authentication endpoints|`/authorize`, `/token`, `/.well-known/openid-configuration`, `/discovery/v2.0/keys`|Prevent resource exhaustion|[Web Application Firewall (WAF)](./partner-web-application-firewall.md) and [Azure Front Door (AFD)](https://azure.microsoft.com/products/frontdoor/?ef_id=_k_53b0ace78faa14e3c3b1c8b385bf944d_k_&OCID=AIDcmm5edswduu_SEM__k_53b0ace78faa14e3c3b1c8b385bf944d_k_&msclkid=53b0ace78faa14e3c3b1c8b385bf944d)|

+|External REST APIs|Your REST API endpoints|Malicious usage of user flows or custom policies can lead to resource exhaustion at your API endpoints.|[WAF](./partner-web-application-firewall.md) and [AFD](https://azure.microsoft.com/products/frontdoor/?ef_id=_k_921daffd3bd81af80dd9cba9348858c4_k_&OCID=AIDcmm5edswduu_SEM__k_921daffd3bd81af80dd9cba9348858c4_k_&msclkid=921daffd3bd81af80dd9cba9348858c4)|

+|Security Information and Event management (SIEM)/ Security Orchestration, Automation and Response (SOAR) |You need a reliable monitoring and alerting system for analyzing usage patterns such as sign-ins and sign-ups, and detect any anomalous behavior that may be indicative of a cyberattack. It's an important step that adds an extra layer of security. It also you to understand patterns and trends that can only be captured and built upon over time. Alerting assists in determining factors such as the rate of change in overall sign-ins, an increase in failed sign-ins, and failed sign-up journeys, phone-based frauds such as IRSF attacks, and so on. All of these can be indicators of an ongoing cyberattack that requires immediate attention. Azure AD B2C supports both high level and fine grain logging, as well as the generation of reports and alerts. It's advised that you implement monitoring and alerting in all production tenants. | <ul><li>[Monitor using Azure Monitor](./azure-monitor.md)</li><li>[Use reports & alerts](https://github.com/azure-ad-b2c/siem)</li><li> [Monitor for fraudulent MFA usage](./phone-based-mfa.md)</li><li>[Collect Azure AD B2C logs with Application Insights](troubleshoot-with-application-insights.md?pivots=b2c-user-flow)</li><li>[Configure security analytics for Azure AD B2C data with Microsoft Sentinel](./configure-security-analytics-sentinel.md)</li></ul>|

+- [Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall](partner-web-application-firewall.md)

+- [Tutorial: Configure security analytics for Azure Active Directory B2C data with Microsoft Sentinel](configure-security-analytics-sentinel.md)

+1. Create a Windows PowerShell Credentials object `$cred` that contains an administrative username and password for your directory. Run the following command, replacing *\<username\>* , *\<password\>* and *\<tenantid\>*:

+ $TenantId = '<tenantid>'

+ .\RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft AAD App Proxy Connector\Modules\" -moduleName "AppProxyPSModule" -Authenticationmode Credentials -Usercredentials $cred -Feature ApplicationProxy -TenantId $TenantId

+* SMS-based authentication isn't supported for B2B accounts.

+ Title: Claims mapping policy type

+description: Learn about the claims mapping policy type, which is used to modify the claims emitted in tokens in the Microsoft identity platform.

+A policy object represents a set of rules enforced on individual applications or on all applications in an organization. Each type of policy has a unique structure, with a set of properties that are then applied to objects to which they're assigned.

+A claims mapping policy is a type of policy object that modifies the claims included in tokens. For more information, see [Customize claims issued in the SAML token for enterprise applications](saml-claims-customization.md).

+The following table lists the sets of claims that define how and when they're used in tokens.

+|--|-|

+| Core claim set | Present in every token regardless of the policy. These claims are also considered restricted, and can't be modified. |

+| Basic claim set | Includes the claims that are included by default for tokens in addition to the core claim set. You can omit or modify basic claims by using the claims mapping policies. |

+| Restricted claim set | Can't be modified using a policy. The data source can't be changed, and no transformation is applied when generating these claims. |

+### JSON Web Token (JWT) restricted claim set

+The following claims are in the restricted claim set for a JWT.

+- `.`

+- `_claim_names`

+- `_claim_sources`

+- `aai`

+- `access_token`

+- `account_type`

+- `acct`

+- `acr`

+- `acrs`

+- `actor`

+- `ageGroup`

+- `aio`

+- `altsecid`

+- `amr`

+- `app_chain`

+- `app_displayname`

+- `app_res`

+- `appctx`

+- `appctxsender`

+- `appid`

+- `appidacr`

+- `at_hash`

+- `auth_time`

+- `azp`

+- `azpacr`

+- `c_hash`

+- `ca_enf`

+- `ca_policy_result`

+- `capolids_latebind`

+- `capolids`

+- `cc`

+- `cnf`

+- `code`

+- `controls_auds`

+- `controls`

+- `credential_keys`

+- `ctry`

+- `deviceid`

+- `domain_dns_name`

+- `domain_netbios_name`

+- `e_exp`

+- `email`

+- `endpoint`

+- `enfpolids`

+- `expires_on`

+- `fido_auth_data`

+- `fwd_appidacr`

+- `fwd`

+- `graph`

+- `group_sids`

+- `groups`

+- `hasgroups`

+- `haswids`

+- `home_oid`

+- `home_puid`

+- `home_tid`

+- `identityprovider`

+- `idp`

+- `idtyp`

+- `in_corp`

+- `instance`

+- `inviteTicket`

+- `ipaddr`

+- `isbrowserhostedapp`

+- `isViral`

+- `login_hint`

+- `mam_compliance_url`

+- `mam_enrollment_url`

+- `mam_terms_of_use_url`

+- `mdm_compliance_url`

+- `mdm_enrollment_url`

+- `mdm_terms_of_use_url`

+- `msproxy`

+- `nameid`

+- `nickname`

+- `nonce`

+- `oid`

+- `on_prem_id`

+- `onprem_sam_account_name`

+- `onprem_sid`

+- `openid2_id`

+- `origin_header`

+- `platf`

+- `polids`

+- `pop_jwk`

+- `preferred_username`

+- `primary_sid`

+- `prov_data`

+- `puid`

+- `pwd_exp`

+- `pwd_url`

+- `rdp_bt`

+- `refresh_token_issued_on`

+- `refreshtoken`

+- `rh`

+- `roles`

+- `rt_type`

+- `scp`

+- `secaud`

+- `sid`

+- `sid`

+- `signin_state`

+- `source_anchor`

+- `src1`

+- `src2`

+- `sub`

+- `target_deviceid`

+- `tbid`

+- `tbidv2`

+- `tenant_ctry`

+- `tenant_display_name`

+- `tenant_region_scope`

+- `tenant_region_sub_scope`

+- `thumbnail_photo`

+- `tid`

+- `tokenAutologonEnabled`

+- `trustedfordelegation`

+- `ttr`

+- `unique_name`

+- `upn`

+- `user_setting_sync_url`

+- `uti`

+- `ver`

+- `verified_primary_email`

+- `verified_secondary_email`

+- `vnet`

+- `wamcompat_client_info`

+- `wamcompat_id_token`

+- `wamcompat_scopes`

+- `wids`

+- `xcb2b_rclient`

+- `xcb2b_rcloud`

+- `xcb2b_rtenant`

+- `ztdid`

+> Any claim starting with `xms_` is restricted.

+### SAML restricted claim set

+The following table lists the SAML claims that are in the restricted claim set.

+These claims are restricted by default, but aren't restricted if you [set the AcceptMappedClaims property](saml-claims-customization.md) to `true` in your app manifest *or* have a [custom signing key](saml-claims-customization.md):

+These claims are restricted by default, but aren't restricted if you have a [custom signing key](saml-claims-customization.md):

+To control the claims that are included and where the data comes from, use the properties of a claims mapping policy. Without a policy, the system issues tokens with the following claims:

+- The core claim set.

+- The basic claim set.

+- Any [optional claims](active-directory-optional-claims.md) that the application has chosen to receive.

+| String | Data type | Summary |

+| | | - |

+| **IncludeBasicClaimSet** | Boolean (True or False) | Determines whether the basic claim set is included in tokens affected by this policy. If set to True, all claims in the basic claim set are emitted in tokens affected by the policy. If set to False, claims in the basic claim set aren't in the tokens, unless they're individually added in the claims schema property of the same policy. |

+| **ClaimsSchema** | JSON blob with one or more claim schema entries | Defines which claims are present in the tokens affected by the policy, in addition to the basic claim set and the core claim set. For each claim schema entry defined in this property, certain information is required. Specify where the data is coming from (**Value**, **Source/ID pair**, or **Source/ExtensionID pair**), and **Claim Type**, which is emitted as (**JWTClaimType** or **SamlClaimType**).

+- **Value** - Defines a static value as the data to be emitted in the claim.

+- **SAMLNameForm** - Defines the value for the NameFormat attribute for this claim. If present, the allowed values are:

+ - `urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified`

+ - `urn:oasis:names:tc:SAML:2.0:attrname-format:uri`

+ - `urn:oasis:names:tc:SAML:2.0:attrname-format:basic`

+- **Source/ID pair** - Defines where the data in the claim is sourced from.

+- **Source/ExtensionID pair** - Defines the directory extension attribute where the data in the claim is sourced from. For more information, see [Using directory extension attributes in claims](schema-extensions.md).

+- **Claim Type** - The **JwtClaimType** and **SamlClaimType** elements define which claim this claim schema entry refers to.

+ - The **JwtClaimType** must contain the name of the claim to be emitted in JWTs.

+ - The **SamlClaimType** must contain the URI of the claim to be emitted in SAML tokens.

+Set the **Source** element to one of the values in the following table.

+| Source value | Data in claim |

+| | - |

+| `user` | Property on the User object. |

+| `application` | Property on the application (client) service principal. |

+| `resource` | Property on the resource service principal. |

+| `audience` | Property on the service principal that is the audience of the token (either the client or resource service principal). |

+| `company` | Property on the resource tenant's Company object. |

+| `transformation` | Claims transformation. When you use this claim, the **TransformationID** element must be included in the claim definition. The **TransformationID** element must match the ID element of the transformation entry in the **ClaimsTransformation** property that defines how the data for the claim is generated. |

+The ID element identifies the property on the source that provides the value for the claim. The following table lists the values of the ID element for each value of Source.

+|--|-|-|

+| `user` | `surname` | The family name of the user. |

+| `user` | `givenname` | The given name of the user. |

+| `user` | `displayname` | The display name of the user. |

+| `user` | `objectid` | The object ID of the user. |

+| `user` | `mail` | The email address of the user. |

+| `user` | `userprincipalname` | The user principal name of the user. |

+| `user` | `department` | The department of the user. |

+| `user` | `onpremisessamaccountname` | The on-premises SAM account name of the user. |

+| `user` | `netbiosname` | The NetBios name of the user. |

+| `user` | `dnsdomainname` | The DNS domain name of the user. |

+| `user` | `onpremisesecurityidentifier` | The on-premises security identifier of the user. |

+| `user` | `companyname` | The organization name of the user. |

+| `user` | `streetaddress` | The street address of the user. |

+| `user` | `postalcode` | The postal code of the user.|

+| `user` | `preferredlanguage` | The preferred language of the user. |

+| `user` | `onpremisesuserprincipalname` | The on-premises UPN of the user. When you use an alternate ID, the on-premises attribute `userPrincipalName` is synchronized with the `onPremisesUserPrincipalName` attribute. This attribute is only available when Alternate ID is configured.|

+| `user` | `mailnickname` | The mail nickname of the user. |

+| `user` | `extensionattribute1` | Extension attribute 1. |

+| `user` | `extensionattribute2` | Extension attribute 2. |

+| `user` | `extensionattribute3` | Extension attribute 3. |

+| `user` | `extensionattribute4` | Extension attribute 4. |

+| `user` | `extensionattribute5` | Extension attribute 5. |

+| `user` | `extensionattribute6` | Extension attribute 6. |

+| `user` | `extensionattribute7` | Extension attribute 7. |

+| `user` | `extensionattribute8` | Extension attribute 8. |

+| `user` | `extensionattribute9` | Extension attribute 9. |

+| `user` | `extensionattribute10` | Extension attribute 10. |

+| `user` | `extensionattribute11` | Extension attribute 11. |

+| `user` | `extensionattribute12` | Extension attribute 12. |

+| `user` | `extensionattribute13` | Extension attribute 13. |

+| `user` | `extensionattribute14` | Extension attribute 14. |

+| `user` | `extensionattribute15` | Extension attribute 15. |

+| `user` | `othermail` | The other mail of the user.|

+| `user` | `country` | The country/region of the user. |

+| `user` | `city` | The city of the user. |

+| `user` | `state` | The state of the user. |

+| `user` | `jobtitle` | The job title of the user. |

+| `user` | `employeeid` | The employee ID of the user. |

+| `user` | `facsimiletelephonenumber` | The facsimile telephone number of the user. |

+| `user` | `assignedroles` | The list of app roles assigned to the user. |

+| `user` | `accountEnabled` | Indicates whether the user account is enabled. |

+| `user` | `consentprovidedforminor` | Indicates whether consent was provided for a minor. |

+| `user` | `createddatetime` | The date and time that the user account was created. |

+| `user` | `creationtype` | Indicates how the user account was creation. |

+| `user` | `lastpasswordchangedatetime` | The last date and time that the password was changed. |

+| `user` | `mobilephone` | The mobile phone of the user. |

+| `user` | `officelocation` | The office location of the user. |

+| `user` | `onpremisesdomainname` | The on-premises domain name of the user. |

+| `user` | `onpremisesimmutableid` | The on-premises immutable ID of the user. |

+| `user` | `onpremisessyncenabled` | Indicates whether on-premises sync is enabled. |

+| `user` | `preferreddatalocation` | Defines the preferred data location of the user. |

+| `user` | `proxyaddresses` | The proxy addresses of the user. |

+| `user` | `usertype` | The type of user account. |

+| `user` | `telephonenumber` | The business or office phones of the user. |

+| `application`, `resource`, `audience` | `displayname` | The display name of the object. |

+| `application`, `resource`, `audience` | `objectid` | The ID of the object. |

+| `application`, `resource`, `audience` | `tags` | The service principal tag of the object. |

+| `company` | `tenantcountry` | The country/region of the tenant. |

+The only available multi-valued claim sources on a user object are multi-valued extension attributes that have been synced from Active Directory Connect. Other properties, such as `othermails` and `tags`, are multi-valued but only one value is emitted when selected as a source.

+Names and URIs of claims in the restricted claim set can't be used for the claim type elements.

+- **String** - GroupFilter

+- **Data type:** - JSON blob

+- **Summary** - Use this property to apply a filter on the userΓÇÖs groups to be included in the group claim. This property can be a useful means of reducing the token size.

+- **MatchOn:** - Identifies the group attribute on which to apply the filter. Set the **MatchOn** property to one of the following values:

+ - `displayname` - The group display name.

+ - `samaccountname` - The on-premises SAM account name.

+- **Type** - Defines the type of filter applied to the attribute selected by the **MatchOn** property. Set the **Type** property to one of the following values:

+ - `prefix` - Include groups where the **MatchOn** property starts with the provided **Value** property.

+ - `suffix` Include groups where the **MatchOn** property ends with the provided **Value** property.

+ - `contains` - Include groups where the **MatchOn** property contains with the provided **Value** property.

+- **String** - ClaimsTransformation

+- **Data type** - JSON blob, with one or more transformation entries

+- **Summary** - Use this property to apply common transformations to source data to generate the output data for claims specified in the Claims Schema.

+- **ID** - References the transformation entry in the TransformationID Claims Schema entry. This value must be unique for each transformation entry within this policy.

+- **TransformationMethod** - Identifies the operation that's performed to generate the data for the claim.

+| TransformationMethod | Expected input | Expected output | Description |

+|-|-|--|-|

+| **Join** | string1, string2, separator | output claim | Joins input strings by using a separator in between. For example, string1:`foo@bar.com` , string2:`sandbox` , separator:`.` results in output claim:`foo@bar.com.sandbox`. |

+| **ExtractMailPrefix** | Email or UPN | extracted string | Extension attributes 1-15 or any other directory extensions, which store a UPN or email address value for the user. For example, `johndoe@contoso.com`. Extracts the local part of an email address. For example, mail:`foo@bar.com` results in output claim:`foo`. If no \@ sign is present, then the original input string is returned. |

+- **InputClaims** - Used to pass the data from a claim schema entry to a transformation. It has three attributes: **ClaimTypeReferenceId**, **TransformationClaimType** and **TreatAsMultiValue**.

+ - **ClaimTypeReferenceId** - Joined with the ID element of the claim schema entry to find the appropriate input claim.

+ - **TransformationClaimType** Gives a unique name to this input. This name must match one of the expected inputs for the transformation method.

+ - **TreatAsMultiValue** is a Boolean flag that indicates whether the transform should be applied to all values or just the first. By default, transformations are only applied to the first element in a multi-value claim. Setting this value to true ensures it's applied to all. ProxyAddresses and groups are two examples for input claims that you would likely want to treat as a multi-value claim.

+- **InputParameters** - Passes a constant value to a transformation. It has two attributes: **Value** and **ID**.

+ - **Value** is the actual constant value to be passed.

+ - **ID** is used to give a unique name to the input. The name must match one of the expected inputs for the transformation method.

+- **OutputClaims** - Holds the data generated by a transformation, and ties it to a claim schema entry. It has two attributes: **ClaimTypeReferenceId** and **TransformationClaimType**.

+ - **ClaimTypeReferenceId** is joined with the ID of the claim schema entry to find the appropriate output claim.

+ - **TransformationClaimType** is used to give a unique name to the output. The name must match one of the expected outputs for the transformation method.

+**SAML NameID and UPN** - The attributes from which you source the NameID and UPN values, and the claims transformations that are permitted, are limited.

+| Source | ID | Description |

+|--|-|-|

+| `user` | `mail` | The email address of the user. |

+| `user` | `userprincipalname` | The user principal name of the user. |

+| `user` | `onpremisessamaccountname` | On-premises Sam Account Name|

+| `user` | `employeeid` | The employee ID of the user. |

+| `user` | `telephonenumber` | The business or office phones of the user. |

+| `user` | `extensionattribute1` | Extension attribute 1. |

+| `user` | `extensionattribute2` | Extension attribute 2. |

+| `user` | `extensionattribute3` | Extension attribute 3. |

+| `user` | `extensionattribute4` | Extension attribute 4. |

+| `user` | `extensionattribute5` | Extension attribute 5. |

+| `user` | `extensionattribute6` | Extension attribute 6. |

+| `user` | `extensionattribute7` | Extension attribute 7. |

+| `user` | `extensionattribute8` | Extension attribute 8. |

+| `user` | `extensionattribute9` | Extension Attribute 9. |

+| `user` | `extensionattribute10` | Extension attribute 10. |

+| `user` | `extensionattribute11` | Extension attribute 11. |

+| `user` | `extensionattribute12` | Extension attribute 12. |

+| `user` | `extensionattribute13` | Extension attribute 13. |

+| `user` | `extensionattribute14` | Extension attribute 14. |

+| `User` | `extensionattribute15` | Extension attribute 15. |

+The transformation methods listed in the following table are allowed for SAML NameID.

+| -- | |

+- **String** - issuerWithApplicationId

+- **Data type** - Boolean (True or False)

+ - If set to `True`, the application ID is added to the issuer claim in tokens affected by the policy.

+ - If set to `False`, the application ID isn't added to the issuer claim in tokens affected by the policy. (default)

+- **Summary** - Enables the application ID to be included in the issuer claim. Ensures that multiple instances of the same application have a unique claim value for each instance. This setting is ignored if a custom signing key isn't configured for the application.

+- **String** - audienceOverride

+- **Data type** - String

+- **Summary** - Enables you to override the audience claim sent to the application. The value provided must be a valid absolute URI. This setting is ignored if no custom signing key is configured for the application.

+- To learn more about extension attributes, see [Directory extension attributes in claims](schema-extensions.md).

+# Customize SAML token claims

+The Microsoft identity platform supports [single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md) with most preintegrated applications in the application gallery and custom applications. When a user authenticates to an application through the Microsoft identity platform using the SAML 2.0 protocol, a token is sent to the application. The application validates and uses the token to sign the user in instead of prompting for a username and password.

+These SAML tokens contain pieces of information about the user known as *claims*. A claim is information that an identity provider states about a user inside the token they issue for that user. In a SAML token, claims data is typically contained in the SAML Attribute Statement. The user's unique ID is typically represented in the SAML subject, which is also referred to as the name identifier (`nameID`).

+By default, the Microsoft identity platform issues a SAML token to an application that contains a claim with a value of the user's username (also known as the user principal name), which can uniquely identify the user. The SAML token also contains other claims that include the user's email address, first name, and last name.

+* The application requires the `NameIdentifier` or `nameID` claim to be something other than the username (or user principal name).

+To edit the name identifier value claim:

+|--|-|

+Any constant (static) value can be assigned to any claim. Use the following steps to assign a constant value:

+You can also configure directory schema extension attributes as non-conditional/conditional attributes. Use the following steps to configure the single or multi-valued directory schema extension attribute as a claim:

+1. Click **Save** to commit the changes.

+| **ExtractMailPrefix()** | Removes the domain suffix from either the email address or the user principal name. This function extracts only the first part of the user name being passed through. For example, `joe_smith` instead of `joe_smith@contoso.com`. |

+| **Join()** | Creates a new value by joining two attributes. Optionally, you can use a separator between the two attributes. For the `nameID` claim transformation, the **Join()** function has specific behavior when the transformation input has a domain part. It removes the domain part from input before joining it with the separator and the selected parameter. For example, if the input of the transformation is `joe_smith@contoso.com` and the separator is `@` and the parameter is `fabrikam.com`, this input combination results in `joe_smith@fabrikam.com`. |

+| **Contains()** | Outputs an attribute or constant if the input matches the specified value. Otherwise, you can specify another output if there's no match. For example, if you want to emit a claim where the value is the user's email address if it contains the domain `@contoso.com`, otherwise you want to output the user principal name. To perform this function, configure the following values: `Parameter 1(input): user.email`, `Value: "@contoso.com"`, `Parameter 2 (output): user.email`, and `Parameter 3 (output if there's no match): user.userprincipalname`. |

+| **EndWith()** | Outputs an attribute or constant if the input ends with the specified value. Otherwise, you can specify another output if there's no match.<br/>For example, if you want to emit a claim where the value is the user's employee ID if the employee ID ends with `000`, otherwise you want to output an extension attribute. To perform this function, configure the following values: `Parameter 1(input): user.employeeid`, `Value: "000"`, `Parameter 2 (output): user.employeeid`, and `Parameter 3 (output if there's no match): user.extensionattribute1`. |

+| **StartWith()** | Outputs an attribute or constant if the input starts with the specified value. Otherwise, you can specify another output if there's no match. For example, if you want to emit a claim where the value is the user's employee ID if the country/region starts with `US`, otherwise you want to output an extension attribute. To perform this function, configure the following values: `Parameter 1(input): user.country`, `Value: "US"`, `Parameter 2 (output): user.employeeid`, and `Parameter 3 (output if there's no match): user.extensionattribute1` |

+| **Extract() - After matching** | Returns the substring after it matches the specified value. For example, if the input's value is `Finance_BSimon`, the matching value is `Finance_`, then the claim's output is `BSimon`. |

+| **Extract() - Before matching** | Returns the substring until it matches the specified value. For example, if the input's value is `BSimon_US`, the matching value is `_US`, then the claim's output is `BSimon`. |

+| **Extract() - Between matching** | Returns the substring until it matches the specified value. For example, if the input's value is `Finance_BSimon_US`, the first matching value is `Finance_`, the second matching value is `_US`, then the claim's output is `BSimon`. |

+| **ExtractAlpha() - Prefix** | Returns the prefix alphabetical part of the string. For example, if the input's value is `BSimon_123`, then it returns `BSimon`. |

+| **ExtractAlpha() - Suffix** | Returns the suffix alphabetical part of the string. For example, if the input's value is `123_Simon`, then it returns `Simon`. |

+| **ExtractNumeric() - Prefix** | Returns the prefix numerical part of the string. For example, if the input's value is `123_BSimon`, then it returns `123`. |

+| **ExtractNumeric() - Suffix** | Returns the suffix numerical part of the string. For example, if the input's value is `BSimon_123`, then it returns `123`. |

+| **IfEmpty()** | Outputs an attribute or constant if the input is null or empty. For example, if you want to output an attribute stored in an extension attribute if the employee ID for a user is empty. To perform this function, configure the following values: `Parameter 1(input): user.employeeid`, `Parameter 2 (output): user.extensionattribute1`, and `Parameter 3 (output if there's no match): user.employeeid`. |

+| **IfNotEmpty()** | Outputs an attribute or constant if the input isn't null or empty. For example, if you want to output an attribute stored in an extension attribute if the employee ID for a user isn't empty. To perform this function, configure the following values: `Parameter 1(input): user.employeeid` and `Parameter 2 (output): user.extensionattribute1`. |

+| **Substring() - Fixed Length** (Preview)| Extracts parts of a string claim type, beginning at the character at the specified position, and returns the specified number of characters. The `sourceClaim` is the claim source of the transform that should be executed. The `StartIndex` is the zero-based starting character position of a substring in this instance. The `Length` is the length in characters of the substring. For example, `sourceClaim - PleaseExtractThisNow`, `StartIndex - 6`, and `Length - 11` produces an output of `ExtractThis`. |

+| **Substring() - EndOfString** (Preview) | Extracts parts of a string claim type, beginning at the character at the specified position, and returns the rest of the claim from the specified start index. The `sourceClaim` is the claim source of the transform that should be executed. The `StartIndex` is the zero-based starting character position of a substring in this instance. For example, `sourceClaim - PleaseExtractThisNow` and `StartIndex - 6` produces an output of `ExtractThisNow`. |

+| **RegexReplace()** (Preview) | For more information about regex-based claims transformation, see the next section. |

+The actions listed in the following table provide information about the first level of transformations and correspond to the labels in the previous image. Select **Edit** to open the claims transformation blade.

+| `1` | `Transformation` | Select the **RegexReplace()** option from the **Transformation** options to use the regex-based claims transformation method for claims transformation. |

+| `2` | `Parameter 1` | The input for the regular expression transformation. For example, user.mail that has a user email address such as `admin@fabrikam.com`. |

+| `3` | `Treat source as multivalued` | Some input user attributes can be multi-value user attributes. If the selected user attribute supports multiple values and the user wants to use multiple values for the transformation, they need to select **Treat source as multivalued**. If selected, all values are used for the regex match, otherwise only the first value is used. |

+| `4` | `Regex pattern` | A regular expression that is evaluated against the value of user attribute selected as *Parameter 1*. For example, a regular expression to extract the user alias from the user's email address would be represented as `(?'domain'^.*?)(?i)(\@fabrikam\.com)$`. |

+| `5` | `Add additional parameter` | More than one user attribute can be used for the transformation. The values of the attributes would then be merged with regex transformation output. Up to five more parameters are supported. |

+| `6` | `Replacement pattern` | The replacement pattern is the text template, which contains placeholders for regex outcome. All group names must be wrapped inside the curly braces such as `{group-name}`. Let's say the administration wants to use user alias with some other domain name, for example `xyz.com` and merge country name with it. In this case, the replacement pattern would be `{country}.{domain}@xyz.com`, where `{country}` is the value of input parameter and `{domain}` is the group output from the regular expression evaluation. In such a case, the expected outcome is `US.swmal@xyz.com`. |

+| `1` | `Transformation` | Regex-based claims transformations aren't limited to the first transformation and can be used as the second level transformation as well. Any other transformation method can be used as the first transformation. |

+| `2` | `Parameter 1` | If **RegexReplace()** is selected as a second level transformation, output of first level transformation is used as an input for the second level transformation. To apply the transformation, the second level regex expression should match the output of the first transformation. |

+| `3` | `Regex pattern` | **Regex pattern** is the regular expression for the second level transformation. |

+| `4` | `Parameter input` | User attribute inputs for the second level transformations. |

+| `5` | `Parameter input` | Administrators can delete the selected input parameter if they don't need it anymore. |

+| `6` | `Replacement pattern` | The replacement pattern is the text template, which contains placeholders for regex outcome group name, input parameter group name, and static text value. All group names must be wrapped inside the curly braces such as `{group-name}`. Let's say the administration wants to use user alias with some other domain name, for example `xyz.com` and merge country name with it. In this case, the replacement pattern would be `{country}.{domain}@xyz.com`, where `{country}` is the value of input parameter and {domain} is the group output from the regular expression evaluation. In such a case, the expected outcome is `US.swmal@xyz.com`. |

+| `7` | `Test transformation` | The RegexReplace() transformation is evaluated only if the value of the selected user attribute for *Parameter 1* matches with the regular expression provided in the **Regex pattern** textbox. If they don't match, the default claim value is added to the token. To validate regular expression against the input parameter value, a test experience is available within the transform blade. This test experience operates on dummy values only. When more input parameters are used, the name of the parameter is added to the test result instead of the actual value. To access the test section, select **Test transformation**. |

+| `1` | `Test transformation` | Select the close or (X) button to hide the test section and re-render the **Test transformation** button again on the blade. |

+| `2` | `Test regex input` | Accepts input that is used for the regular expression test evaluation. In case regex-based claims transformation is configured as a second level transformation, provide a value that is the expected output of the first transformation. |

+| `3` | `Run test` | After the test regex input is provided and the **Regex pattern**, **Replacement pattern** and **Input parameters** are configured, the expression can be evaluated by selecting **Run test**. |

+| `4` | `Test transformation result` | If evaluation succeeds, an output of test transformation is rendered against the **Test transformation result** label. |

+| `5` | `Remove transformation` | The second level transformation can be removed by selecting **Remove transformation**. |

+| `6` | `Specify output if no match` | When a regex input value is configured against the *Parameter 1* that doesn't match the **Regular expression**, the transformation is skipped. In such cases, the alternate user attribute can be configured, which is added to the token for the claim by checking **Specify output if no match**. |

+| `7` | `Parameter 3` | If an alternate user attribute needs to be returned when there's no match and **Specify output if no match** is checked, an alternate user attribute can be selected using the dropdown. This dropdown is available against **Parameter 3 (output if no match)**. |

+| `8` | `Summary` | At the bottom of the blade, a full summary of the format is displayed that explains the meaning of the transformation in simple text. |

+| `9` | `Add` | After the configuration settings for the transformation are verified, it can be saved to a claims policy by selecting **Add**. Select **Save** on the **Manage Claim** blade to save the changes. |

+The `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` claim is part of the [SAML restricted claim set](reference-claims-mapping-policy-type.md), so you can't add it in the **Attributes & Claims** section. As a workaround, you can add it as an [optional claim](active-directory-optional-claims.md) through **App registrations** in the Azure portal.

+As another example, consider when Britta Simon tries to sign in and the following configuration is used. All conditions are first evaluated with the source of `Attribute`. Because Britta's user type is **AAD guests**, `user.mail` is assigned as the source for the claim. Next, the transformations are evaluated. Because Britta is a guest, `user.extensionattribute1` is now the new source for the claim. Because Britta is in **AAD guests**, `user.othermail` is now the source for this claim. Finally, the claim is emitted with a value of `user.othermail` for Britta.

+- [.NET 7.0 SDK](https://dotnet.microsoft.com/download/dotnet/7.0)

+- [Visual Studio 2022](https://aka.ms/vsdownloads) with the MAUI workload installed:

+- [.NET 7.0 SDK](https://dotnet.microsoft.com/download/dotnet/7.0)

+- [Visual Studio 2022](https://aka.ms/vsdownloads) with the MAUI workload installed:

+Several user attributes have been added to the list of attributes available to map to claims to bring attributes available in claims more in line with what is available on the user object in Microsoft Graph. New attributes include mobilePhone and ProxyAddresses. [Learn more](../develop/reference-claims-mapping-policy-type.md).

+ Title: 'Plan application migration to Azure Active Directory'

+description: This article discusses the advantages of Azure Active Directory and provides a four-phase guide for planning and executing a migration strategy with detailed planning and exit criteria.

+# Plan application migration to Azure Active Directory

+In this article, you'll learn about the benefits of Azure Active Directory (Azure AD) and how to plan for migrating your application authentication. This article gives an overview of the planning and exit criteria to help you plan your migration strategy and understand how Azure AD authentication can support your organizational goals.

+The process is broken into four phases, each with detailed planning and exit criteria, and designed to help you plan your migration strategy and understand how Azure AD authentication supports your organizational goals.

+> [!VIDEO https://www.youtube.com/embed/8WmquuuuaLk]

+## Introduction

+Today, your organization requires numerous applications for users to get work done. You likely continue to add, develop, or retire apps every day. Users access these applications from a vast range of corporate and personal devices, and locations. They open apps in many ways, including:

+- Through a company homepage or portal

+- By bookmarking or adding favorites on their browsers

+- Through a vendorΓÇÖs URL for software as a service (SaaS) apps

+- Links pushed directly to userΓÇÖs desktops or mobile devices via a mobile device/application management (MDM/ MAM) solution

+Your applications are likely using the following types of authentication:

+- Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) via an on-premises or cloud-hosted Identity and Access Management (IAM) solutions federation solution (such as Active Directory Federation Services (ADFS), Okta, or Ping)

+- Kerberos or NTLM via Active Directory

+- Header-based authentication via Ping Access

+To ensure that the users can easily and securely access applications, your goal is to have a single set of access controls and policies across your on-premises and cloud environments.

+[Azure AD](../fundamentals/active-directory-whatis.md) offers a universal identity platform that provides your employees, partners, and customers a single identity to access the applications they want and collaborate from any platform and device.

+Azure AD has a [full suite of identity management capabilities](../fundamentals/active-directory-whatis.md#which-features-work-in-azure-ad). Standardizing your app authentication and authorization to Azure AD gets you the benefits that these capabilities provide.

+You can find more migration resources at [https://aka.ms/migrateapps](./migration-resources.md)

+## Plan your migration phases and project strategy

+When technology projects fail, it's often due to mismatched expectations, the right stakeholders not being involved, or a lack of communication. Ensure your success by planning the project itself.

+### The phases of migration

+Before we get into the tools, you should understand how to think through the migration process. Through several direct-to-customer workshops, we recommend the following four phases:

+### Assemble the project team

+Application migration is a team effort, and you need to ensure that you've all the vital positions filled. Support from senior business leaders is important. Ensure that you involve the right set of executive sponsors, business decision-makers, and subject matter experts (SMEs.)

+During the migration project, one person may fulfill multiple roles, or multiple people fulfill each role, depending on your organizationΓÇÖs size and structure. You may also have a dependency on other teams that play a key role in your security landscape.

+The following table includes the key roles and their contributions:

+| Role | Contributions |

+| - | - |

+| **Project Manager** | Project coach accountable for guiding the project, including:<br /> - gain executive support<br /> - bring in stakeholders<br /> - manage schedules, documentation, and communications |

+| **Identity Architect / Azure AD App Administrator** | Responsible for the following:<br /> - design the solution in cooperation with stakeholders<br /> - document the solution design and operational procedures for handoff to the operations team<br /> - manage the preproduction and production environments |

+| **On premises AD operations team** | The organization that manages the different on-premises identity sources such as AD forests, LDAP directories, HR systems etc.<br /> - perform any remediation tasks needed before synchronizing<br /> - Provide the service accounts required for synchronization<br /> - provide access to configure federation to Azure AD |

+| **IT Support Manager** | A representative from the IT support organization who can provide input on the supportability of this change from a helpdesk perspective. |

+| **Security Owner** | A representative from the security team that can ensure that the plan meets the security requirements of your organization. |

+| **Application technical owners** | Includes technical owners of the apps and services that integrate with Azure AD. They provide the applicationsΓÇÖ identity attributes that should include in the synchronization process. They usually have a relationship with CSV representatives. |

+| **Application business Owners** | Representative colleagues who can provide input on the user experience and usefulness of this change from a userΓÇÖs perspective and owns the overall business aspect of the application, which may include managing access. |

+| **Pilot group of users** | Users who test as a part of their daily work, the pilot experience, and provide feedback to guide the rest of the deployments. |

+### Plan communications

+Effective business engagement and communication are the keys to success. It's important to give stakeholders and end-users an avenue to get information and keep informed of schedule updates. Educate everyone about the value of the migration, what the expected timelines are, and how to plan for any temporary business disruption. Use multiple avenues such as briefing sessions, emails, one-to-one meetings, banners, and town halls.

+Based on the communication strategy that you've chosen for the app you may want to remind users of the pending downtime. You should also verify that there are no recent changes or business impacts that would require to postpone the deployment.

+In the following table, you find the minimum suggested communication to keep your stakeholders informed:

+## Plan phases and project strategy

+| Communication | Audience |

+| | - |

+| Awareness and business / technical value of project | All except end users |

+| Solicitation for pilot apps | - App business owners<br />- App technical owners<br />- Architects and Identity team |

+**Phase 1- Discover and Scope**:

+| Communication | Audience |

+| | - |

+| - Solicitation for application information<br />- Outcome of scoping exercise | - App technical owners<br />- App business owners |

+**Phase 2- Classify apps and plan pilot**:

+| Communication | Audience |

+| | - |

+| - Outcome of classifications and what that means for migration schedule<br />- Preliminary migration schedule | - App technical owners<br /> - App business owners |

+**Phase 3 ΓÇô Plan migration and testing**:

+| Communication | Audience |

+| | - |

+| - Outcome of application migration testing | - App technical owners<br />- App business owners |

+| - Notification that migration is coming and explanation of resultant <br/>end-user experiences.<br />- Downtimes coming and complete communications, including what<br/> they should now do, feedback, and how to get help | - End users (and all others) |

+**Phase 4 ΓÇô Manage and gain insights**:

+| Communication | Audience |

+| | - |

+| Available analytics and how to access | - App technical owners<br />- App business owners |

+## Migration states communication dashboard

+Communicating the overall state of the migration project is crucial, as it shows progress, and helps app owners whose apps are coming up for migration to prepare for the move. You can put together a simple dashboard using Power BI or other reporting tools to provide visibility into the status of applications during the migration.

+The migration states you might consider using are as follows:

+| Migration states | Action plan |

+| - | |

+| **Initial Request** | Find the app and contact the owner for more information |

+| **Assessment Complete** | App owner evaluates the app requirements and returns the app questionnaire</td>

+| **Configuration in Progress** | Develop the changes necessary to manage authentication against Azure AD |

+| **Test Configuration Successful** | Evaluate the changes and authenticate the app against the test Azure AD tenant in the test environment |

+| **Production Configuration Successful** | Change the configurations to work against the production AD tenant and assess the app authentication in the test environment |

+| **Complete / Sign Off** | Deploy the changes for the app to the production environment and execute against the production Azure AD tenant |

+This ensures app owners know what the app migration and testing schedule are when their apps are up for migration, and what the results are from other apps that have already been migrated. You might also consider providing links to your bug tracker database for owners to be able to file and view issues for apps that are being migrated.

+## Best practices

+The following articles are about our customer and partnerΓÇÖs success stories, and suggested best practices:

+- [Five tips to improve the migration process to Azure Active Directory](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Five-tips-to-improve-the-migration-process-to-Azure-Active/ba-p/445364) by Patriot Consulting, a member of our partner network that focuses on helping customers deploy Microsoft cloud solutions securely.

+- [Develop a risk management strategy for your Azure AD application migration](https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Develop-a-risk-management-strategy-for-your-Azure-AD-application/ba-p/566488) by Edgile, a partner that focuses on IAM and risk management solutions.

+## Next steps

+- [Phase 1 - Discover and Scope](migrate-adfs-discover-scope-apps.md).

+ Title: 'Understand the stages of migrating application authentication from AD FS to Azure AD'

+description: This article provides the stages of the migration process and what types of applications to migrate.

+# Understand the stages of migrating application authentication from AD FS to Azure AD

+Azure Active Directory (Azure AD) offers a universal identity platform that provides your people, partners, and customers a single identity to access applications and collaborate from any platform and device. Azure AD has a full suite of identity management capabilities. Standardizing your application authentication and authorization to Azure AD provides these benefits.

+## Types of apps to migrate

+Your applications may use modern or legacy protocols for authentication. When you plan your migration to Azure AD, consider migrating the apps that use modern authentication protocols (such as SAML and Open ID Connect) first.

+These apps can be reconfigured to authenticate with Azure AD either via a built-in connector from the Azure App Gallery, or by registering the custom application in Azure AD.

+Apps that use older protocols can be integrated using [Application Proxy](../app-proxy/what-is-application-proxy.md) or any of our [Secure Hybrid Access (SHA) partners](secure-hybrid-access-integrations.md).

+For more information, see:

+* [Using Azure AD Application Proxy to publish on-premises apps for remote users](../app-proxy/what-is-application-proxy.md).

+* [What is application management?](what-is-application-management.md)

+* [AD FS application activity report to migrate applications to Azure AD](migrate-adfs-application-activity.md).

+* [Monitor AD FS using Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md).

+## The migration process

+During the process of moving your app authentication to Azure AD, test your apps and configuration. We recommend that you continue to use existing test environments for migration testing before you move to the production environment. If a test environment isn't currently available, you can set one up using [Azure App Service](https://azure.microsoft.com/services/app-service/) or [Azure Virtual Machines](https://azure.microsoft.com/free/virtual-machines/search/?OCID=AID2000128_SEM_lHAVAxZC&MarinID=lHAVAxZC_79233574796345_azure%20virtual%20machines_be_c__1267736956991399_kwd-79233582895903%3Aloc-190&lnkd=Bing_Azure_Brand&msclkid=df6ac75ba7b612854c4299397f6ab5b0&ef_id=XmAptQAAAJXRb3S4%3A20200306231230%3As&dclid=CjkKEQiAhojzBRDg5ZfomsvdiaABEiQABCU7XjfdCUtsl-Abe1RAtAT35kOyI5YKzpxRD6eJS2NM97zw_wcB), depending on the architecture of the application.

+You may choose to set up a separate test Azure AD tenant on which to develop your app configurations.

+Your migration process may look like this:

+### Stage 1 ΓÇô Current state: The production app authenticates with AD FS

+### Stage 2 ΓÇô (Optional) Point a test instance of the app to the test Azure AD tenant

+Update the configuration to point your test instance of the app to a test Azure AD tenant, and make any required changes. The app can be tested with users in the test Azure AD tenant. During the development process, you can use tools such as [Fiddler](https://www.telerik.com/fiddler) to compare and verify requests and responses.

+If it isn't feasible to set up a separate test tenant, skip this stage and point a test instance of the app to your production Azure AD tenant as described in Stage 3 below.

+### Stage 3 ΓÇô Point a test instance of the app to the production Azure AD tenant

+Update the configuration to point your test instance of the app to your production Azure AD tenant. You can now test with users in your production tenant. If necessary, review the section of this article on transitioning users.

+### Stage 4 ΓÇô Point the production app to the production Azure AD tenant

+Update the configuration of your production app to point to your production Azure AD tenant.

+ Apps that authenticate with AD FS can use Active Directory groups for permissions. Use [Azure AD Connect sync](../hybrid/how-to-connect-sync-whatis.md) to sync identity data between your on-premises environment and Azure AD before you begin migration. Verify those groups and membership before migration so that you can grant access to the same users when the application is migrated.

+## Line of business apps

+Your line-of-business apps are those that your organization developed or those that are a standard packaged product.

+Line-of-business apps that use OAuth 2.0, OpenID Connect, or WS-Federation can be integrated with Azure AD as [app registrations](../develop/quickstart-register-app.md). Integrate custom apps that use SAML 2.0 or WS-Federation as [non-gallery applications](add-application-portal.md) on the enterprise applications page in the [Entra portal](https://entra.microsoft.com/#home).

+## Next steps

+- [Configure SAML-based single sign-on](migrate-adfs-saml-based-sso.md).

+> [!IMPORTANT]

+> Restricted management administrative units are currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+- Privileged Role Administrator role

+- Microsoft.Graph module when using [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation)

+- AzureADPreview module when using PowerShell and restricted management administrative units

+1. If you don't want tenant-level administrators to be able to access this administrative unit, set the **Restricted management administrative unit** toggle to **Yes**. For more information, see [Restricted management administrative units](admin-units-restricted-management.md).

+# [Microsoft Graph PowerShell](#tab/ms-powershell)

+Use the [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands?branch=main#using-connect-mggraph) command to sign in to your tenant and consent to the required permissions.

+Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All"

+Use the [New-MgDirectoryAdministrativeUnit](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdirectoryadministrativeunit?branch=main) command to create a new administrative unit.

+```powershell

+$params = @{

+ DisplayName = "Seattle District Technical Schools"

+ Description = "Seattle district technical schools administration"

+ Visibility = "HiddenMembership"

+}

+$adminUnitObj = New-MgDirectoryAdministrativeUnit -BodyParameter $params

+```

+Use the [New-MgDirectoryAdministrativeUnit (beta)](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdirectoryadministrativeunit?view=graph-powershell-beta&preserve-view=true&branch=main) command to create a new restricted management administrative unit. Set the `IsMemberManagementRestricted` property to `$true`.

+Select-MgProfile -Name beta

+ DisplayName = "Contoso Executive Division"

+ Description = "Contoso Executive Division administration"

+ Visibility = "HiddenMembership"

+ IsMemberManagementRestricted = $true

+$restrictedAU = New-MgDirectoryAdministrativeUnit -BodyParameter $params

+# [Azure AD PowerShell](#tab/aad-powershell)

+Use the [New-AzureADMSAdministrativeUnit](/powershell/module/azuread/new-azureadmsadministrativeunit?branch=main) command to create a new administrative unit.

+```powershell

+$adminUnitObj = New-AzureADMSAdministrativeUnit -Description "West Coast region" -DisplayName "West Coast"

+```

+Use the [New-AzureADMSAdministrativeUnit (preview)](/powershell/module/azuread/new-azureadmsadministrativeunit?view=azureadps-2.0-preview&preserve-view=true&branch=main) command to create a new restricted management administrative unit. Set the `IsMemberManagementRestricted` parameter to `$true`.

+```powershell

+$restrictedAU = New-AzureADMSAdministrativeUnit -DisplayName "Contoso Executive Division" -IsMemberManagementRestricted $true

+```

+Use the [Create administrativeUnit](/graph/api/administrativeunit-post-administrativeunits?branch=main) API to create a new administrative unit.

+Use the [Create administrativeUnit (beta)](/graph/api/directory-post-administrativeunits?view=graph-rest-beta&preserve-view=true&branch=main) API to create a new restricted management administrative unit. Set the `isMemberManagementRestricted` property to `true`.

+Request

+```http

+POST https://graph.microsoft.com/beta/administrativeUnits

+```

+Body

+```http

+{

+ "displayName": "Contoso Executive Division",

+ "description": "This administrative unit contains executive accounts of Contoso Corp.",

+ "isMemberManagementRestricted": true

+}

+```

+# [Microsoft Graph PowerShell](#tab/ms-powershell)

+Use the [Remove-MgDirectoryAdministrativeUnit](/powershell/module/microsoft.graph.identity.directorymanagement/remove-mgdirectoryadministrativeunit?branch=main) command to delete an administrative unit.

+```powershell

+$adminUnitObj = Get-MgDirectoryAdministrativeUnit -Filter "DisplayName eq 'Seattle District Technical Schools'"

+Remove-MgDirectoryAdministrativeUnit -AdministrativeUnitId $adminUnitObj.Id

+```

+# [Azure AD PowerShell](#tab/aad-powershell)

+Use the [Remove-AzureADMSAdministrativeUnit](/powershell/module/azuread/remove-azureadmsadministrativeunit?branch=main) command to delete an administrative unit.

+$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "DisplayName eq 'Seattle District Technical Schools'"

+- [Azure AD administrative units: Troubleshooting and FAQ](admin-units-faq-troubleshoot.yml)

+In Azure Active Directory (Azure AD), you can add users, groups, or devices to an administrative unit to limit the scope of role permissions. Adding a group to an administrative unit brings the group itself into the management scope of the administrative unit, but **not** the members of the group. For additional details on what scoped administrators can do, see [Administrative units in Azure Active Directory](administrative-units.md).

+### List the restricted management administrative units for a single user or group

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select **Azure Active Directory**.

+1. Select **Users** or **Groups** and then select the user or group you want to list their restricted management administrative units.

+1. Select **Administrative units** to list all the administrative units where the user or group is a member.

+1. In the **Restricted management** column, look for administrative units that are set to **Yes**.

+ 

+Use the user [List memberOf](/graph/api/user-list-memberof) API to list the administrative units a user is a direct member of.

+Use the group [List memberOf](/graph/api/group-list-memberof) API to list the administrative units a group is a direct member of.

+Use the [List device memberships](/graph/api/device-list-memberof) API to list the administrative units a device is a direct member of.

+GET https://graph.microsoft.com/v1.0/devices/{device-id}/memberOf/$/Microsoft.Graph.AdministrativeUnit

+### List the users, groups, or devices for an administrative unit

+Use the [List members](/graph/api/administrativeunit-list-members) API to list the users, groups, or devices for an administrative unit. For member type, specify `microsoft.graph.user`, `microsoft.graph.group`, or `microsoft.graph.device`.

+### List whether a single user is in a restricted management administrative unit

+Use the [Get a user (beta)](/graph/api/user-get?view=graph-rest-beta&preserve-view=true) API to determine whether a user is in a restricted management administrative unit. Look at the value of the `isManagementRestricted` property. If the property is `true`, it is in a restricted management administrative unit. If the property is `false`, empty, or null, it is not in a restricted management administrative unit.

+GET https://graph.microsoft.com/beta/users/{user-id}

+Response

+```

+{

+ "displayName": "John",

+ "isManagementRestricted": true,

+ "userPrincipalName": "john@contoso.com",

+}

+```

+Use the [Remove a member](/graph/api/administrativeunit-delete-members) API to remove users, groups, or devices from an administrative unit. For `{member-id}`, specify the user, group, or device ID.

+### Remove users, groups, or devices from an administrative unit

+DELETE https://graph.microsoft.com/v1.0/directory/administrativeUnits/{admin-unit-id}/members/{member-id}/$ref

+ Title: Restricted management administrative units in Azure Active Directory (Preview)

+description: Use restricted management administrative units for more sensitive resources in Azure Active Directory.

+documentationcenter: ''

+# Restricted management administrative units in Azure Active Directory (Preview)

+> [!IMPORTANT]

+> Restricted management administrative units are currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Restricted management administrative units allow you to protect specific objects in your tenant from access by anyone other than a specific set of administrators that you designate. This allows you to meet security or compliance requirements without having to remove tenant-level role assignments from your administrators.

+## Why use restricted management administrative units?

+Here are some reasons why you might use restricted management administrative units to help manage access in your tenant.

+- You want to protect your C-level executive accounts and their devices from Helpdesk Administrators who would otherwise be able to reset their passwords or access BitLocker recovery keys. You can add your C-level user accounts in a restricted management administrative unit and enable a specific trusted set of administrators who can reset their passwords and access BitLocker recovery keys when needed.

+- You're implementing a compliance control to ensure that certain resources can only be managed by administrators in a specific country. You can add those resources in a restricted management administrative unit and assign local administrators to manage those objects. Even Global Administrators won't be allowed to modify the objects unless they assign themselves explicitly to a role scoped to the restricted management administrative unit (which is an auditable event).

+- You're using security groups to control access to sensitive applications in your organization, and you donΓÇÖt want to allow your tenant-scoped administrators who can modify groups to be able to control who can access the applications. You can add those security groups to a restricted management administrative unit and then be sure that only the specific administrators you assign can manage them.

+> [!NOTE]

+> Placing objects in restricted management administrative units severely restricts who can make changes to the objects. This restriction can cause existing workflows to break.

+## What objects can be members?

+Here are the objects that can be members of restricted management administrative units.

+| Azure AD object type | Administrative unit | Administrative unit with restricted management setting enabled |

+| | :: | :: |

+| Users | Yes | Yes |

+| Devices | Yes | Yes |

+| Groups (Security) | Yes | Yes |

+| Groups (Microsoft 365) | Yes | No |

+| Groups (Mail enabled security) | Yes | No |

+| Groups (Distribution) | Yes | No |

+## What types of operations are blocked?

+For administrators not explicitly assigned at the restricted management administrative unit scope, operations that directly modify the Azure AD properties of objects in restricted management administrative units are blocked, whereas operations on related objects in Microsoft 365 services aren't affected.

+| Operation type | Blocked | Allowed |

+| | :: | :: |

+| Read standard properties like user principal name, user photo | | :heavy_check_mark: |

+| Modify any Azure AD properties of the user, group, or device | :x: | |

+| Delete the user, group, or device | :x: | |

+| Update password for a user | :x: | |

+| Modify owners or members of the group in the restricted management administrative unit | :x: | |

+| Add users, groups, or devices in a restricted management administrative unit to groups in Azure AD | | :heavy_check_mark: |

+| Modify email & mailbox settings in Exchange for the user in the restricted management administrative unit | | :heavy_check_mark: |

+| Apply policies to a device in a restricted management administrative unit using Intune | | :heavy_check_mark: |

+| Add or remove a group as a site owner in SharePoint | | :heavy_check_mark: |

+## Who can modify objects?

+Only administrators with an explicit assignment at the scope of a restricted management administrative unit can change the Azure AD properties of objects in the restricted management administrative unit.

+| User role | Blocked | Allowed |

+| | :: | :: |

+| Global Administrator | :x: | |

+| Tenant-scoped administrators (including Global Administrator) | :x: | |

+| Administrators assigned at the scope of restricted management administrative unit | | :heavy_check_mark: |

+| Administrators assigned at the scope of another restricted management administrative unit of which the object is a member | | :heavy_check_mark: |

+| Administrators assigned at the scope of another regular administrative unit of which the object is a member | :x: | |

+| Groups Administrator, User Administrator, and other role assigned at the scope of a resource | :x: | |

+| Owners of groups or devices added to restricted management administrative units | :x: | |

+## Limitations

+Here are some of the limits and constraints for restricted management administrative units.

+- The restricted management setting must be applied during administrative unit creation and can't be changed once the administrative unit is created.

+- Groups in a restricted management administrative unit can't be managed with [Azure AD Privileged Identity Management](../privileged-identity-management/groups-discover-groups.md).

+- Role-assignable groups, when added to a restricted management administrative unit, can't have their membership modified. Group owners aren't allowed to manage groups in restricted management administrative units and only Global Administrators and Privileged Role Administrators (neither of which can be assigned at administrative unit scope) can modify membership.

+- Certain actions may not be possible when an object is in a restricted management administrative unit, if the required role isn't one of the roles that can be assigned at administrative unit scope. For example, a Global Administrator in a restricted management administrative unit can't have their password reset by any other administrator in the system, because there's no admin role that can be assigned at the administrative unit scope that can reset the password of a Global Administrator. In such scenarios, the Global Administrator would need to be removed from the restricted management administrative unit first, and then have their password reset by another Global Administrator or Privileged Role Administrator.

+- When deleting a restricted management administrative unit, it can take up to 30 minutes to remove all protections from the former members.

+## Programmability

+Applications can't modify objects in restricted management administrative units by default. To grant an application access to manage objects in a restricted management administrative unit, you must assign the *Directory.Write.Restricted* [permission in Microsoft Graph](/graph/permissions-reference?branch=main#directory-permissions).

+## License requirements

+Restricted management administrative units require an Azure AD Premium P1 license for each administrative unit administrator, and Azure AD Free licenses for administrative unit members. To find the right license for your requirements, see [Comparing generally available features of the Free and Premium editions](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

+## Next steps

+- [Create, update, or delete administrative units](admin-units-manage.md)

+- [Add users or groups to an administrative unit](admin-units-members-add.md)

+- [Assign Azure AD roles with administrative unit scope](admin-units-assign-roles.md)

+- [Restricted management administrative units](admin-units-restricted-management.md)

+ Title: User management permissions for Azure AD custom roles

+# User management permissions for Azure AD custom roles

+- Read identity of users

+> | microsoft.directory/users/standard/read | Read basic properties on users |

+> | microsoft.directory/users/basic/update | Update basic properties on users |

+## Read identity of users

+The following permissions are available to read identity of users.

+> | microsoft.directory/users/identities/read | Read identities of users |

+> | microsoft.directory/users/manager/read | Read manager of users |

+> | microsoft.directory/users/manager/update | Update manager for users |

+> | microsoft.directory/users/jobInfo/update | Update job information of users |

+> | microsoft.directory/users/contactInfo/update | Update contact properties on users |

+> | microsoft.directory/users/parentalControls/update | Update parental controls of users |

+> | microsoft.directory/users/usageLocation/update | Update usage location of users |

+> | microsoft.directory/users/directReports/read | Read the direct reports for users |

+> | microsoft.directory/users/extensionProperties/update | Update extension properties of users |

+> | microsoft.directory/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users |

+> | microsoft.directory/users/licenseDetails/read | Read license details of users |

+> | microsoft.directory/users/assignLicense | Manage user licenses |

+> | microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for users |

+> | microsoft.directory/users/passwordPolicies/update | Update password policies properties of users |

+> | microsoft.directory/users/appRoleAssignments/read | Read application role assignments for users |

+> | microsoft.directory/users/assignLicense | Manage user licenses |

+> | microsoft.directory/users/basic/update | Update basic properties on users |

+> | microsoft.directory/users/contactInfo/update | Update contact properties on users |

+> | microsoft.directory/users/deviceForResourceAccount/read | Read deviceForResourceAccount of users |

+> | microsoft.directory/users/directReports/read | Read the direct reports for users |

+> | microsoft.directory/users/extensionProperties/update | Update extension properties of users |

+> | microsoft.directory/users/identities/read | Read identities of users |

+> | microsoft.directory/users/jobInfo/update | Update job information of users |

+> | microsoft.directory/users/licenseDetails/read | Read license details of users |

+> | microsoft.directory/users/manager/read | Read manager of users |

+> | microsoft.directory/users/manager/update | Update manager for users |

+> | microsoft.directory/users/memberOf/read | Read the group memberships of users |

+> | microsoft.directory/users/ownedDevices/read | Read owned devices of users |

+> | microsoft.directory/users/parentalControls/update | Update parental controls of users |

+> | microsoft.directory/users/passwordPolicies/update | Update password policies properties of users |

+> | microsoft.directory/users/registeredDevices/read | Read registered devices of users |

+> | microsoft.directory/users/reprocessLicenseAssignment | Reprocess license assignments for users |

+> | microsoft.directory/users/scopedRoleMemberOf/read | Read user's membership of an Azure AD role, that is scoped to an administrative unit |

+> | microsoft.directory/users/standard/read | Read basic properties on users |

+> | microsoft.directory/users/usageLocation/update | Update usage location of users |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/pendingExternalUserProfiles/create | Create external user profiles in the extended directory for Teams |

+> | microsoft.directory/pendingExternalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/pendingExternalUserProfiles/basic/update | Update basic properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/pendingExternalUserProfiles/delete | Delete external user profiles in the extended directory for Teams |

+> | microsoft.directory/externalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/externalUserProfiles/basic/update | Update basic properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/externalUserProfiles/delete | Delete external user profiles in the extended directory for Teams |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/externalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/pendingExternalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/organization/strongAuthentication/read | Read strong authentication properties of an organization |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs |

+> | microsoft.directory/pendingExternalUserProfiles/create | Create external user profiles in the extended directory for Teams |

+> | microsoft.directory/pendingExternalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/pendingExternalUserProfiles/basic/update | Update basic properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/pendingExternalUserProfiles/delete | Delete external user profiles in the extended directory for Teams |

+> | microsoft.directory/externalUserProfiles/standard/read | Read standard properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/externalUserProfiles/basic/update | Update basic properties of external user profiles in the extended directory for Teams |

+> | microsoft.directory/externalUserProfiles/delete | Delete external user profiles in the extended directory for Teams |

+User with a role scoped to a [restricted management administrative unit](./admin-units-restricted-management.md) | &nbsp; | &nbsp; | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+User with a role scoped to a [restricted management administrative unit](./admin-units-restricted-management.md) | &nbsp; | &nbsp; | :heavy_check_mark: | :heavy_check_mark:

+description: Learn how to automatically provision and deprovision user accounts from Azure AD to Oracle Cloud Infrastructure Console.

+This tutorial describes the steps you need to perform in both Oracle Cloud Infrastructure Console and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and deprovisions users and groups to [Oracle Cloud Infrastructure Console](https://www.oracle.com/cloud/free/?source=:ow:o:p:nav:0916BCButton&intcmp=:ow:o:p:nav:0916BCButton) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+1. Log on to the Oracle Cloud Infrastructure Console admin portal. On the top left corner of the screen navigate to **Identity > Federation**.

+3. Click on **Add Identity Provider** to create a new identity provider. Save the IdP ID to be used as a part of tenant URL. Select the plus icon beside the **Applications** tab to create an OAuth Client and Grant IDCS Identity Domain Administrator AppRole.

+4. Follow the screenshots below to configure your application. When the configuration is done, select **Save**.

+> The extension attributes "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:bypassNotification" and "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:isFederatedUser" are the only custom extension attributes supported.

+ Title: Configure Azure Active Directory for HIPAA compliance

+description: Introduction for guidance on how to configure Azure Active Directory for HIPAA compliance level.

+# Configuring Azure Active Directory for HIPAA compliance

+Microsoft services such as Azure Active Directory (Azure AD) can help you meet identity-related requirements for the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

+The HIPAA Security Rule (HSR) establishes standards to protect individualsΓÇÖ electronic personal health information that is created, received, used, or maintained by a covered entity. The HSR is managed by the U.S. Department of Health and Human Services (HHS) and requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

+Technical safeguards requirements and objectives are defined in Title 45 of the Code of Federal Regulations (CFRs). Part 160 of Title 45 provides the general administrative requirements, and Part 164ΓÇÖs subparts A and C describe the security and privacy requirements.

+Subpart § 164.304 defines technical safeguards as the technology and the policies and procedures for its use that protect electronic protected health information and control access to it. The HHS also outlines key areas for healthcare organizations to consider when implementing HIPAA technical safeguards. From [§ 164.312 Technical safeguards](https://www.ecfr.gov/current/title-45/section-164.312):

+* **Access controls** - Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in [§ 164.308(a)(4)](https://www.ecfr.gov/current/title-45/section-164.308).

+* **Audit controls** - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

+* **Integrity controls** - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

+* **Person or entity authentication** - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

+* **Transmission security** - Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

+The HSR defines subparts as standard, along with required and addressable implementation specifications. All must be implemented. The "addressable" designation denotes a specification is reasonable and appropriate. Addressable doesn't mean that an implementation specification is optional. Therefore, subparts that are defined as addressable are also required.

+The remaining articles in this series provide guidance and links to resources, organized by key areas and technical safeguards. For each key area, there's a table with the relevant safeguards listed, and links to Azure Active Directory (Azure AD) guidance to accomplish the safeguard.

+## Learn more

+* [HHS Zero Trust in Healthcare pdf](https://www.hhs.gov/sites/default/files/zero-trust.pdf)

+* [Combined regulation text](https://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/https://docsupdatetracker.net/index.html?language=es) of all HIPAA Administrative Simplification Regulations found at 45 CFR 160, 162, and 164

+* [Code of Federal Regulations (CFR) Title 45](https://www.ecfr.gov/current/title-45) describing the public welfare portion of the regulation

+* [Part 160](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160?toc=1) describing the general administrative requirements of Title 45

+* [Part 164](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164) Subparts A and C describing the security and privacy requirements of Title 45

+* [HIPAA Security Risk Safeguard Tool](https://www.healthit.gov/providers-professionals/security-risk-assessment-tool)

+* [NIST HSR Toolkit](http://scap.nist.gov/hipaa/)

+## Next steps

+* [Access Controls Safeguard guidance](hipaa-access-controls.md)

+* [Audit Controls Safeguard guidance](hipaa-audit-controls.md)

+* [Other Safeguard guidance](hipaa-other-controls.md)

+ Title: Azure Active Directory PCI-DSS guidance

+description: Guidance on meeting payment card industry (PCI) compliance with Azure AD

+# Azure Active Directory PCI-DSS guidance

+The Payment Card Industry Security Standards Council (PCI SSC) is responsible for developing and promoting data security standards and resources, including the Payment Card Industry Data Security Standard (PCI-DSS), to ensure the security of payment transactions. To achieve PCI compliance, organizations using Azure Active Directory (Azure AD) can refer to guidance in this document. However, it is the responsibility of the organizations to ensure their PCI compliance. Their IT teams, SecOps teams, and Solutions Architects are responsible for creating and maintaining secure systems, products, and networks that handle, process, and store payment card information.

+While Azure AD helps meet some PCI-DSS control requirements, and provides modern identity and access protocols for cardholder data environment (CDE) resources, it should not be the sole mechanism for protecting cardholder data. Therefore, review this document set and all PCI-DSS requirements to establish a comprehensive security program that preserves customer trust. For a complete list of requirements, please visit the official PCI Security Standards Council website at pcisecuritystandards.org: [Official PCI Security Standards Council Site](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf)

+## PCI requirements for controls

+The global PCI-DSS v4.0 establishes a baseline of technical and operational standards for protecting account data. It ΓÇ£was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures, globally. It provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI-DSS can also be used to protect against threats and secure other elements in the payment ecosystem.ΓÇ¥

+## Azure AD configuration and PCI-DSS

+This document serves as a comprehensive guide for technical and business leaders who are responsible for managing identity and access management (IAM) with Azure Active Directory (Azure AD) in compliance with the Payment Card Industry Data Security Standard (PCI DSS). By following the key requirements, best practices, and approaches outlined in this document, organizations can reduce the scope, complexity, and risk of PCI noncompliance, while promoting security best practices and standards compliance. The guidance provided in this document aims to help organizations configure Azure AD in a way that meets the necessary PCI DSS requirements and promotes effective IAM practices.

+Technical and business leaders can use the following guidance to fulfill responsibilities for identity and access management (IAM) with Azure AD. For more information on PCI-DSS in other Microsoft workloads, see [Overview of the Microsoft cloud security benchmark (v1)](/security/benchmark/azure/overview).

+PCI-DSS requirements and testing procedures consist of 12 principal requirements that ensure the secure handling of payment card information. Together, these requirements are a comprehensive framework that helps organizations secure payment card transactions and protect sensitive cardholder data.

+Azure AD is an enterprise identity service that secures applications, systems, and resources to support PCI-DSS compliance. The following table has the PCI principal requirements and links to Azure AD recommended controls for PCI-DSS compliance.

+## Principal PCI-DSS requirements

+PCI-DSS requirements **3**, **4**, **9**, and **12** aren't addressed or met by Azure AD, therefore there are no corresponding articles. To see all requirements, go to pcisecuritystandards.org: [Official PCI Security Standards Council Site](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf).

+|PCI Data Security Standard - High Level Overview|Azure AD recommended PCI-DSS controls|

+|-|-|

+|Build and Maintain Secure Network and Systems|[1. Install and Maintain Network Security Controls]() </br> [2. Apply Secure Configurations to All System Components]()|

+|Protect Account Data|3. Protect Stored Account Data </br> 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Public Networks|

+|Maintain a Vulnerability Management Program|[5. Protect All Systems and Networks from Malicious Software]() </br> [6. Develop and Maintain Secure Systems and Software]()|

+|Implement Strong Access Control Measures|[7. Restrict Access to System Components and Cardholder Data by Business Need to Know]() </br> [8. Identify and Authenticate Access to System Components]() </br> 9. Restrict Physical Access to System Components and Cardholder Data|

+|Regularly Monitor and Test Networks|[10. Log and Monitor All Access to System Components and Cardholder Data]() </br> [11. Test Security of Systems and Networks Regularly]()|

+|Maintain an Information Security Policy|12. Support Information Security with Organizational Policies and Programs|

+## PCI-DSS applicability

+PCI-DSS applies to organizations that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). These data elements, considered together, are known as account data. PCI-DSS provides security guidelines and requirements for organizations that affect the cardholder data environment (CDE). Entities safeguarding CDE ensures the confidentiality and security of customer payment information.

+CHD consists of:

+* **Primary account number (PAN)** - a unique payment card number (credit, debit, or prepaid cards, etc.) that identifies the issuer and the cardholder account

+* **Cardholder name** ΓÇô the card owner

+* **Card expiration date** ΓÇô the day and month the card expires

+* **Service code** - a three- or four-digit value in the magnetic stripe that follows the expiration date of the payment card on the track data. It defines service attributes, differentiating between international and national/regional interchange, or identifying usage restrictions.

+SAD consists of security-related information used to authenticate cardholders and/or authorize payment card transactions. SAD includes, but isn't limited to:

+* **Full track data** - magnetic stripe or chip equivalent

+* **Card verification codes/values** - also referred to as the card validation code (CVC), or value (CVV). ItΓÇÖs the three- or four-digit value on the front or back of the payment card. ItΓÇÖs also referred to as CAV2, CVC2, CVN2, CVV2 or CID, determined by the participating payment brands (PPB).

+* **PIN** - personal identification number

+ * **PIN blocks** - an encrypted representation of the PIN used in a debit or credit card transaction. It ensures the secure transmission of sensitive information during a transaction

+Protecting the CDE is essential to the security and confidentiality of customer payment information and helps:

+* **Preserve customer trust** - customers expect their payment information to be handled securely and kept confidential. If a company experiences a data breach that results in the theft of customer payment data, it can degrade customer trust in the company and cause reputational damage.

+* **Comply with regulations** - companies processing credit card transactions are required to comply with the PCI-DSS. Failure to comply results in fines, legal liabilities, and resultant reputational damage.

+* **Financial risk mitigation** -data breaches have significant financial effects, including, costs for forensic investigations, legal fees, and compensation for affected customers.

+* **Business continuity** - data breaches disrupt business operations and might affect credit card transaction processes. This scenario might lead to lost revenue, operational disruptions, and reputational damage.

+## PCI audit scope

+PCI audit scope relates to the systems, networks, and processes in the storage, processing, or transmission of CHD and/or SAD. If Account Data is stored, processed, or transmitted in a cloud environment, PCI-DSS applies to that environment and compliance typically involves validation of the cloud environment and the usage of it. There are five fundamental elements in scope for a PCI audit:

+* **Cardholder data environment (CDE)** - the area where CHD, and/or SAD, is stored, processed, or transmitted. It includes an organizationΓÇÖs components that touch CHD, such as networks, and network components, databases, servers, applications, and payment terminals.

+* **People** - with access to the CDE, such as employees, contractors, and third-party service providers, are in the scope of a PCI audit.

+* **Processes** - that involve CHD, such as authorization, authentication, encryption and storage of account data in any format, are within the scope of a PCI audit.

+* **Technology** - that processes, stores, or transmits CHD, including hardware such as printers, and multi-function devices that scan, print and fax, end-user devices such as computers, laptops workstations, administrative workstations, tablets and mobile devices, software, and other IT systems, are in the scope of a PCI audit.

+* **System components** ΓÇô that might not store, process, or transmit CHD/SAD but have unrestricted connectivity to system components that store, process, or transmit CHD/SAD, or that could effect the security of the CDE.

+If PCI scope is minimized, organizations can effectively reduce the effects of security incidents and lower the risk of data breaches. Segmentation can be a valuable strategy for reducing the size of the PCI CDE, resulting in reduced compliance costs and overall benefits for the organization including but not limited to:

+* **Cost savings** - by limiting audit scope, organizations reduce time, resources, and expenses to undergo an audit, which leads to cost savings.

+* **Reduced risk exposure** - a smaller PCI audit scope reduces potential risks associated with processing, storing, and transmitting cardholder data. If the number of systems, networks, and applications subject to an audit are limited, organizations focus on securing their critical assets and reducing their risk exposure.

+* **Streamlined compliance** - narrowing audit scope makes PCI-DSS compliance more manageable and streamlined. Results are more efficient audits, fewer compliance issues, and a reduced risk of incurring noncompliance penalties.

+* **Improved security posture** - with a smaller subset of systems and processes, organizations allocate security resources and efforts efficiently. Outcomes are a stronger security posture, as security teams concentrate on securing critical assets and identifying vulnerabilities in a targeted and effective manner.

+## Strategies to reduce PCI audit scope

+An organizationΓÇÖs definition of its CDE determines PCI audit scope. Organizations document and communicate this definition to the PCI-DSS Qualified Security Assessor (QSA) performing the audit. The QSA assesses controls for the CDE to determine compliance.

+Adherence to PCI standards and use of effective risk mitigation helps businesses protect customer personal and financial data, which maintains trust in their operations. The following section outlines strategies to reduce risk in PCI audit scope.

+### Tokenization

+Tokenization is a data security technique. Use tokenization to replace sensitive information, such as credit card numbers, with a unique token stored and used for transactions, without exposing sensitive data. Tokens reduce the scope of a PCI audit for the following requirements:

+* **Requirement 3** - Protect Stored Account Data

+* **Requirement 4** - Protect Cardholder Data with strong Cryptography During Transmission Over Open Public Networks

+* **Requirement 9** - Restrict Physical Access to Cardholder Data

+* **Requirement 10** - Log and Monitor All Access to Systems Components and Cardholder Data.

+When using cloud-based processing methodologies, consider the relevant risks to sensitive data and transactions. To mitigate these risks, it's recommended you implement relevant security measures and contingency plans to protect data and prevent transaction interruptions. As a best practice, use payment tokenization as a methodology to declassify data, and potentially reduce the footprint of the CDE. With payment tokenization, sensitive data is replaced with a unique identifier that reduces the risk of data theft and limits the exposure of sensitive information in the CDE.

+### Secure CDE

+PCI-DSS requires organizations to maintain a secure CDE. With effectively configured CDE, businesses can mitigate their risk exposure and reduce the associated costs for both on-premises and cloud environments. This approach helps minimize the scope of a PCI audit, making it easier and more cost-effective to demonstrate compliance with the standard.

+To configure Azure AD to secure the CDE:

+* Use passwordless credentials for users: Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator app

+* Use strong credentials for workload identities: certificates and managed identities for Azure resources.

+ * Integrate access technologies such as VPN, remote desktop, and network access points with Azure AD for authentication, if applicable

+* Enable privileged identity management and access reviews for Azure AD roles, privileged access groups and Azure resources

+* Use Conditional Access policies to enforce PCI-requirement controls: credential strength, device state, and enforce them based on location, group membership, applications, and risk

+* Use modern authentication for DCE workloads

+* Archive Azure AD logs in security information and event management (SIEM) systems

+Where applications and resources use Azure AD for identity and access management (IAM), the Azure AD tenant(s) are in scope of PCI audit, and the guidance herein is applicable. Organizations must evaluate identity and resource isolation requirements, between non-PCI and PCI workloads, to determine their best architecture.

+Learn more

+* [Introduction to delegated administration and isolated environments](../fundamentals/secure-introduction.md)

+* [How to use the Microsoft Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc)

+* [What are managed identities for Azure resources?](../managed-identities-azure-resources/overview.md)

+* [What are access reviews?](../governance/access-reviews-overview.md)

+* [What is Conditional Access?](../conditional-access/overview.md)

+* [Audit logs in Azure AD](../reports-monitoring/concept-audit-logs.md)

+### Establish a responsibility matrix

+PCI compliance is the responsibility of entities that process payment card transactions including but not limited to:

+* Merchants

+* Card service providers

+* Merchant service providers

+* Acquiring banks

+* Payment processors

+* Payment card issuers

+* Hardware vendors

+These entities ensure payment card transactions are processed securely and are PCI-DSS compliant. All entities involved in payment card transactions have a role to help ensure PCI compliance.

+Azure PCI DSS compliance status doesn't automatically translate to PCI-DSS validation for the services you build or host on Azure. You ensure that you achieve compliance with PCI-DSS requirements.

+### Establish continuous processes to maintain compliance

+Continuous processes entail ongoing monitoring and improvement of compliance posture. Benefits of continuous processes to maintain PCI compliance:

+* Reduced risk of security incidents and noncompliance

+* Improved data security

+* Better alignment with regulatory requirements

+* Increased customer and stakeholder confidence

+With ongoing processes, organizations respond effectively to changes in the regulatory environment and ever-evolving security threats.

+* **Risk assessment** ΓÇô conduct this process to identify credit-card data vulnerabilities and security risks. Identify potential threats, assess the likelihood threats occurring, and evaluate the potential effects on the business.

+* **Security awareness training** - employees who handle credit card data receive regular security awareness training to clarify the importance of protecting cardholder data and the measures to do so.

+* **Vulnerability management** -conduct regular vulnerability scans and penetration testing to identify network or system weaknesses exploitable by attackers.

+* **Monitor and maintain access control policies** - access to credit card data is restricted to authorized individuals. Monitor access logs to identify unauthorized access attempts.

+* **Incident response** ΓÇô an incident response plan helps security teams take action during security incidents involving credit card data. Identify incident cause, contain the damage, and restore normal operations in a timely manner.

+* **Compliance monitoring** - and auditing is conducted to ensure ongoing compliance with PCI-DSS requirements. Review security logs, conduct regular policy reviews, and ensure system components are accurately configured and maintained.

+### Implement strong security for shared infrastructure

+Typically, web services such as Azure, have a shared infrastructure wherein customer data might be stored on the same physical server or data storage device. This scenario creates the risk of unauthorized customers accessing data they donΓÇÖt own, and the risk of malicious actors targeting the shared infrastructure. Azure AD security features help mitigate risks associated with shared infrastructure:

+* User authentication to network access technologies that support modern authentication protocols: virtual private network (VPN), remote desktop, and network access points.

+* Access control policies that enforce strong authentication methods and device compliance based on signals such as user context, device, location, and risk.

+* Conditional Access provides an identity-driven control plane and brings signals together, to make decisions, and enforce organizational policies.

+* Privileged role governance - access reviews, just-in-time (JIT) activation, etc.

+Learn more: [What is Conditional Access?](../conditional-access/overview.md)

+### Data residency

+PCI-DSS cites no specific geographic location for credit card data storage. However, it requires cardholder data is stored securely, which might include geographic restrictions, depending on the organization's security and regulatory requirements. Different countries and regions have data protection and privacy laws. Consult with a legal or compliance advisor to determine applicable data residency requirements.

+Learn more: [Azure AD and data residency](../fundamentals/data-residency.md)

+### Third-party security risks

+A non-PCI compliant third-party provider poses a risk to PCI compliance. Regularly assess and monitor third-party vendors and service providers to ensure they maintain required controls to protect cardholder data.

+Azure AD features and functions in **Data residency** help mitigate risks associated with third-party security.

+### Logging and monitoring

+Implement accurate logging and monitoring to detect, and respond to, security incidents in a timely manner. Azure AD helps manage PCI compliance with audit and activity logs, and reports that can be integrated with a SIEM system. Azure AD has role -based access control (RBAC) and MFA to secure access to sensitive resources, encryption, and threat protection features to protect organizations from unauthorized access and data theft.

+Learn more:

+ΓÇó [What are Azure AD reports?](../reports-monitoring/overview-reports.md)

+ΓÇó [Azure AD built-in roles](../roles/permissions-reference.md)

+### Multi-application environments: host outside the CDE

+PCI-DSS ensures that companies that accept, process, store, or transmit credit card information maintain a secure environment. Hosting outside the CDE introduces risks such as:

+* Poor access control and identity management might result in unauthorized access to sensitive data and systems

+* Insufficient logging and monitoring of security events impedes detection and response to security incidents

+* Insufficient encryption and threat protection increases the risk of data theft and unauthorized access

+* Poor, or no security awareness and training for users might result in avoidable social engineering attacks, such as phishing

+## Next steps

+PCI-DSS requirements **3**, **4**, **9**, and **12** aren't applicable to Azure AD, therefore there are no corresponding articles. To see all requirements, go to pcisecuritystandards.org: [Official PCI Security Standards Council Site](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf).

+To configure Azure AD to comply with PCI-DSS, see the following articles.

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md) (You're here)

+* [Requirement 1: Install and Maintain Network Security Controls](pci-requirement-1.md)

+* [Requirement 2: Apply Secure Configurations to All System Components](pci-requirement-2.md)

+* [Requirement 5: Protect All Systems and Networks from Malicious Software](pci-requirement-5.md)

+* [Requirement 6: Develop and Maintain Secure Systems and Software](pci-requirement-6.md)

+* [Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know](pci-requirement-7.md)

+* [Requirement 8: Identify Users and Authenticate Access to System Components](pci-requirement-8.md)

+* [Requirement 10: Log and Monitor All Access to System Components and Cardholder Data](pci-requirement-10.md)

+* [Requirement 11: Test Security of Systems and Networks Regularly](pci-requirement-11.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+ Title: Azure Active Directory PCI-DSS Multi-Factor Authentication guidance

+description: Learn the authentication methods supported by Azure AD to meet PCI MFA requirements

+# Azure Active Directory PCI-DSS Multi-Factor Authentication guidance

+**Information Supplement: Multi-Factor Authentication v 1.0**

+Use the following table of authentication methods supported by Azure Active Directory (Azure AD) to meet requirements in the PCI Security Standards Council [Information Supplement, Multi-Factor Authentication v 1.0](https://listings.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf).

+|Method|To meet requirements|Protection|MFA element|

+|-|-|-|-|

+|[Passwordless phone sign in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md)|Something you have (device with a key), something you know or are (PIN or biometric) </br> In iOS, Authenticator Secure Element (SE) stores the key in Keychain. [Apple Platform Security, Keychain data protection](https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web) </br> In Android, Authenticator uses Trusted Execution Engine (TEE) by storing the key in Keystore. [Developers, Android Keystore system](https://developer.android.com/training/articles/keystore) </br> When users authenticate using Microsoft Authenticator, Azure AD generates a random number the user enters in the app. This action fulfills the out-of-band authentication requirement. |Customers configure device protection policies to mitigate device compromise risk. For instance, Microsoft Intune compliance policies. |Users unlock the key with the gesture, then Azure AD validates the authentication method. |

+|[Windows Hello for Business Deployment Prerequisite Overview](/windows/security/identity-protection/hello-for-business/hello-identity-verification) |Something you have (Windows device with a key), and something you know or are (PIN or biometric). </br> Keys are stored with device Trusted Platform Module (TPM). Customers use devices with hardware TPM 2.0 or later to meet the authentication method independence and out-of-band requirements. </br> [Certified Authenticator Levels](https://fidoalliance.org/certification/authenticator-certification-levels/)|Configure device protection policies to mitigate device compromise risk. For instance, Microsoft Intune compliance policies. |Users unlock the key with the gesture for Windows device sign in.|

+|[Enable passwordless security key sign-in, Enable FIDO2 security key method](../authentication/howto-authentication-passwordless-security-key.md)|Something that you have (FIDO2 security key) and something you know or are (PIN or biometric). </br> Keys are stored with hardware cryptographic features. Customers use FIDO2 keys, at least Authentication Certification Level 2 (L2) to meet the authentication method independence and out-of-band requirement.|Procure hardware with protection against tampering and compromise.|Users unlock the key with the gesture, then Azure AD validates the credential. |

+|[Overview of Azure AD certificate-based authentication](../authentication/concept-certificate-based-authentication.md)|Something you have (smart card) and something you know (PIN). </br> Physical smart cards or virtual smartcards stored in TPM 2.0 or later, are a Secure Element (SE). This action meets the authentication method independence and out-of-band requirement.|Procure smart cards with protection against tampering and compromise.|Users unlock the certificate private key with the gesture, or PIN, then Azure AD validates the credential. |

+## Next steps

+PCI-DSS requirements **3**, **4**, **9**, and **12** aren't applicable to Azure AD, therefore there are no corresponding articles. To see all requirements, go to pcisecuritystandards.org: [Official PCI Security Standards Council Site](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf).

+To configure Azure AD to comply with PCI-DSS, see the following articles.

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Requirement 1: Install and Maintain Network Security Controls](pci-requirement-1.md)

+* [Requirement 2: Apply Secure Configurations to All System Components](pci-requirement-2.md)

+* [Requirement 5: Protect All Systems and Networks from Malicious Software](pci-requirement-5.md)

+* [Requirement 6: Develop and Maintain Secure Systems and Software](pci-requirement-6.md)

+* [Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know](pci-requirement-7.md)

+* [Requirement 8: Identify Users and Authenticate Access to System Components](pci-requirement-8.md)

+* [Requirement 10: Log and Monitor All Access to System Components and Cardholder Data](pci-requirement-10.md)

+* [Requirement 11: Test Security of Systems and Networks Regularly](pci-requirement-11.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md) (You're here)

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+For more information about Azure AD authentication methods that meet PCI requirements, see: [Information Supplement: Multi-Factor Authentication](pci-dss-mfa.md).

+* [Azure AD PCI-DSS guidance](pci-dss-guidance.md)

+* [Azure AD PCI-DSS Multi-Factor Authentication guidance](pci-dss-mfa.md)

+> If you are upgrading an existing AKS cluster, then it must be created with Azure CNI powered by Cilium. For more information, see [Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS)](azure-cni-powered-by-cilium.md).

+- An existing Azure Kubernetes Service (AKS) cluster running Azure CNI powered by Cilium. If you don't have an existing AKS cluster, you can create one from the Azure portal. For more information, see [Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS)](azure-cni-powered-by-cilium.md).

+- [Configure Azure CNI Powered by Cilium in Azure Kubernetes Service (AKS)](azure-cni-powered-by-cilium.md)

+- [What is Azure Kubernetes Service?](intro-kubernetes.md)

+* No extra cost incurred as the result of not having to create additional Azure objects, such as disk, snapshots, etc.

+Migration from in-tree to CSI is supported by creating a static volume:

+* No need to clean up original configuration using in-tree storage class.

+* Low risk as you're only performing a logical deletion of Kubernetes PV/PVC, the actual physical data isn't deleted.

+* No extra cost incurred as the result of not having to create additional Azure objects, such as file shares, etc.

+## Limit the extension to certain nodes

+## Install Dapr in multiple availability zones while in HA mode

+By default, the placement service uses a storage class of type `standard_LRS`. It is recommended to create a `zone redundant storage class` while installing Dapr in HA mode across multiple availability zones. For example, to create a `zrs` type storage class:

+```yaml

+kind: StorageClass

+apiVersion: storage.k8s.io/v1

+metadata:

+ name: custom-zone-redundant-storage

+provisioner: disk.csi.azure.com

+reclaimPolicy: Delete

+allowVolumeExpansion: true

+volumeBindingMode: WaitForFirstConsumer

+parameters:

+ storageaccounttype: Premium_ZRS

+```

+When installing Dapr, use the above storage class:

+```azurecli

+az k8s-extension create --cluster-type managedClusters

+--cluster-name XXX

+--resource-group XXX

+--name XXX

+--extension-type Microsoft.Dapr

+--auto-upgrade-minor-version XXX

+--version XXX

+--configuration-settings "dapr_placement.volumeclaims.storageClassName=custom-zone-redundant-storage"

+```

+$storageContext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageKey

+[azure-storage-ip-firewall]: ../storage/common/storage-network-security.md#grant-access-from-an-internet-ip-range

+In this article, you learn how to use a single API Management instance for internal and external consumers and make it act as a single front end for both on-premises and cloud APIs. You create an API Management instance of the newer single-tenant version 2 (stv2) type. You also understand how to expose only a subset of your APIs for external consumption by using routing functionality available in Application Gateway. In the example, the APIs are highlighted in green.

+* **Custom domain certificates**: To access API Management from the internet, create DNS records to map its host names to the Application Gateway front-end IP address. This mapping ensures that the Host header and certificate sent to API Management are valid. In this example, we use three certificates. They're for API Management's gateway (the back end), the developer portal, and the management endpoint.

+ $trustedRootCert = New-AzApplicationGatewayTrustedRootCertificate -Name "allowlistcert1" -CertificateFile $trustedRootCertCerPath

+* API Management [authorizations](../authorizations-overview.md) can also be used to simplify the process of managing authorization tokens to OAuth 2.0 backend services.

+**Visual Studio** ΓÇô In Azure Government, you can enable monitoring on your ASP.NET, ASP.NET Core, Java, and Node.js based applications running on Azure App Service. For more information, see [Application monitoring for Azure App Service overview](../azure-monitor/app/azure-web-apps.md). In Visual Studio, go to Tools|Options|Accounts|Registered Azure Clouds|Add New Azure Cloud and select Azure US Government as the Discovery endpoint. After that, adding an account in File|Account Settings will prompt you for which cloud you want to add from.

+**SDK endpoint modifications** ΓÇô In order to send data from Application Insights to an Azure Government region, you'll need to modify the default endpoint addresses that are used by the Application Insights SDKs. Each SDK requires slightly different modifications, as described in [Application Insights overriding default endpoints](/previous-versions/azure/azure-monitor/app/create-new-resource#override-default-endpoints).

+**Firewall exceptions** ΓÇô Application Insights uses several IP addresses. You might need to know these addresses if the app that you're monitoring is hosted behind a firewall. For more information, see [IP addresses used by Azure Monitor](../azure-monitor/app/ip-addresses.md) from where you can download Azure Government IP addresses.

+### [Azure Front Door](../frontdoor/index.yml)

+Azure Front Door Standard and Premium tiers are available in public preview in Azure Government regions US Gov Arizona and US Gov Texas. During public preview, the following Azure Front Door **features aren't supported** in Azure Government:

+- Managed certificate for enabling HTTPS; instead, you need to use your own certificate.

+- [Migration](../frontdoor/tier-migration.md) from classic to Standard/Premium tier.

+- [Managed identity integration](../frontdoor/managed-identity.md) for Azure Front Door Standard/Premium access to Azure Key Vault for your own certificate.

+- [Tier upgrade](../frontdoor/tier-upgrade.md) from Standard to Premium.

+- Web Application Firewall (WAF) policies creation via WAF portal extension; instead, WAF policies can be created via Azure Front Door Standard/Premium portal extension. Updates and deletions to WAF policies and rules are supported on WAF portal extension.

+Both Azure and Azure Government can help you meet your EAR compliance requirements. Except for the Azure region in Hong Kong SAR, Azure and Azure Government datacenters aren't located in proscribed countries/regions or in the Russian Federation.

+There's no ITAR compliance certification; however, both Azure and Azure Government can help you meet your ITAR compliance obligations. Except for the Azure region in Hong Kong SAR, Azure and Azure Government datacenters aren't located in proscribed countries/regions or in the Russian Federation. Azure services rely on [FIPS 140](/azure/compliance/offerings/offering-fips-140-2) validated cryptographic modules in the underlying operating system, and provide you with [many options for encrypting data](../security/fundamentals/encryption-overview.md) in transit and at rest, including encryption key management using [Azure Key Vault](../key-vault/general/overview.md). The Key Vault service can store encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control, also known as [customer-managed keys (CMK)](../security/fundamentals/encryption-models.md). Keys generated inside the Azure Key Vault HSMs aren't exportable ΓÇô there can be no clear-text version of the key outside the HSMs. This binding is enforced by the underlying HSM. **Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents don't see or extract your cryptographic keys.** For extra assurances, see [How does Azure Key Vault protect your keys?](../key-vault/managed-hsm/mhsm-control-data.md#how-does-azure-key-vault-managed-hsm-protect-your-keys)

+The [Office of Foreign Assets Control](https://home.treasury.gov/policy-issues/office-of-foreign-assets-control-sanctions-programs-and-information) (OFAC) is responsible for administering and enforcing economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries/regions, terrorists, international narcotics traffickers, and those entities engaged in activities related to the proliferation of weapons of mass destruction.

+As stated in the Microsoft Online Services Terms [Data Protection Addendum](https://aka.ms/dpa) (DPA), &#8220;Microsoft doesn't control or limit the regions from which customer or customerΓÇÖs end users may access or move customer data.&#8221; For Microsoft online services, Microsoft conducts due diligence to prevent transactions with entities from OFAC embargoed countries/regions. For example, a sanctions target isn't allowed to provision Azure services. OFAC hasn't issued guidance, like the guidance provided by BIS for the EAR that draws a distinction between cloud service providers and customers when it comes to deemed export. Therefore, it would be **your responsibility to exclude sanctions targets from online transactions** involving your applications, including web sites, deployed on Azure. Microsoft doesn't block network traffic to your web sites deployed on Azure. Even though OFAC mentions that customers can restrict access based in IP table ranges, they also acknowledge that this approach doesn't fully address an internetΓÇÖs firm compliance risks. Therefore, OFAC recommends that e-commerce firms should know their customers directly. Microsoft isn't responsible for and doesn't have the means to know directly the end users that interact with your applications deployed on Azure.

+- The CLOUD Act isn't a mechanism for greater government surveillance; it's a mechanism toward ensuring that your data is ultimately protected by the laws of your home country/region while continuing to facilitate lawful access to evidence for legitimate criminal investigations. Law enforcement in the US still needs to obtain a warrant demonstrating probable cause of a crime from an independent court before seeking the contents of communications. The CLOUD Act requires similar protections for other countries/regions seeking bilateral agreements.

+Similar data classification schemes exist in many countries/regions.

+The [Use a snapping grid] sample snaps an HTML marker to a grid when it's dragged. Drawing tools are used to snap drawn shapes to the grid when the `drawingcomplete` event fires.

+<!--

+>

+The [Snap grid options] sample shows the different customization options available for the snap grid manager. The grid line styles can be customized by retrieving the underlying line layer using the snap grid managers `getGridLayer` function.

+<!--

+>

+> [Interaction types and keyboard shortcuts](drawing-tools-interactions-keyboard-shortcuts.md)

+[Use a snapping grid]: https://samples.azuremaps.com/?search=Use%20a%20snapping%20grid&sample=use-a-snapping-grid

+[Snap grid options]: https://samples.azuremaps.com/?search=grid&sample=snap-grid-options

+ Title: Add a tile layer to a map

+A Tile layer loads in tiles from a server. These images can either be prerendered or dynamically rendered. Prerendered images are stored like any other image on a server using a naming convention that the tile layer understands. Dynamically rendered images use a service to load the images close to real time. There are three different tile service naming conventions supported by Azure Maps [TileLayer](/javascript/api/azure-maps-control/atlas.layer.tilelayer) class:

+* `{subdomain}` - A placeholder for the subdomain values, if specified the `subdomain` is added.

+ This sample shows how to create a tile layer that points to a set of tiles. This sample uses the x, y, zoom tiling system. The source of this tile layer is the [OpenSeaMap project], which contains crowd sourced nautical charts. Ideally users would clearly see the labels of cities as they navigate the map when viewing radar data. This behavior can be implemented by inserting the tile layer below the `labels` layer.

+For a fully functional sample that shows how to create a tile layer that points to a set of tiles using the x, y, zoom tiling system, see the [Tile Layer using X, Y, and Z] sample in the [Azure Maps Samples]. The source of the tile layer in this sample is a nautical chart from the [OpenSeaMap project], an OpenStreetMaps project licensed under ODbL.

+<!--

+->

+A web-mapping service (WMTS) is an Open Geospatial Consortium (OGC) standard for serving images of map data. There are many open data sets available in this format that you can use with Azure Maps. This type of service can be used with a tile layer if the service supports the `EPSG:3857` coordinate reference system (CRS). When using a WMS service, set the width and height parameters to the value supported by the service, be sure to set this value in the `tileSize` option. In the formatted URL, set the `BBOX` parameter of the service with the `{bbox-epsg-3857}` placeholder.

+For a fully functional sample that shows how to create a tile layer that points to a Web Mapping Service (WMS), see the [WMS Tile Layer] sample in the [Azure Maps Samples].

+The following screenshot shows the [WMS Tile Layer] sample that overlays a web-mapping service of geological data from the [U.S. Geological Survey (USGS)] on top of the map and below the labels.

+<!--

+-->

+A web-mapping tile service (WMTS) is an Open Geospatial Consortium (OGC) standard for serving tiled based overlays for maps. There are many open data sets available in this format that you can use with Azure Maps. This type of service can be used with a tile layer if the service supports the `EPSG:3857` or `GoogleMapsCompatible` coordinate reference system (CRS). When using a WMTS service, set the width and height parameters to the same value supported by the service, be sure to also set this value in the `tileSize` option. In the formatted URL, replace the following placeholders accordingly:

+For a fully functional sample that shows how to create a tile layer that points to a Web Mapping Tile Service (WMTS), see the [WMTS Tile Layer] sample in the [Azure Maps Samples].

+The following screenshot shows the [WMTS Tile Layer] sample overlaying a web-mapping tile service of imagery from the [U.S. Geological Survey (USGS) National Map] on top of a map, below roads and labels.

+<!--

+-->

+The tile layer class has many styling options. The [Tile Layer Options] sample is a tool to try them out.

+<!--

+-->

+[Azure Maps Samples]: https://samples.azuremaps.com

+[Tile Layer using X, Y, and Z]: https://samples.azuremaps.com/?search=tile%20layer&sample=tile-layer-using-x%2C-y%2C-and-z

+[OpenSeaMap project]: https://openseamap.org/index.php

+[WMS Tile Layer]: https://samples.azuremaps.com/?search=tile%20layer&sample=wms-tile-layer

+[U.S. Geological Survey (USGS)]: https://mrdata.usgs.gov/

+[WMTS Tile Layer]: https://samples.azuremaps.com/?search=tile%20layer&sample=wmts-tile-layer

+[U.S. Geological Survey (USGS) National Map]:https://viewer.nationalmap.gov/services

+[Tile Layer Options]: https://samples.azuremaps.com/?search=tile%20layer&sample=tile-layer-options

+If your audience is spread across multiple countries/regions or speak different languages, localization is important.

+In Bing Maps, administrative boundaries for countries/regions, states, counties, cities, and postal codes are made available via the Geodata API. This API takes in either a coordinate or query to geocode. If a query is passed in, it's geocoded and the coordinates from the first result is used. This API takes the coordinates and retrieves the boundary of the specified entity type that intersects the coordinate. This API didn't necessarily return the boundary for the query that was passed in. If a query for `"Seattle, WA"` is passed in, but the entity type value is set to country/region, the boundary for the USA would be returned.

+Azure Maps also provides access to administrative boundaries (countries/regions, states, counties, cities, and postal codes). To retrieve a boundary, you must query one of the search APIs for the boundary you want (such as `Seattle, WA`). If the search result has an associated boundary, a geometry ID is provided in the result response. The search polygon API can then be used to retrieve the exact boundaries for one or more geometry IDs. This is a bit different than Bing Maps as Azure Maps returns the boundary for what was searched for, whereas Bing Maps returns a boundary for a specified entity type at a specified coordinate. Additionally, the boundary data returned by Azure Maps is in GeoJSON format.

+- Comparing customer satisfaction rates or shop performance among countries/regions.

+| 2 | The double arrow drills to the next level of the hierarchy for all locations at once. For example, if you're currently looking at countries/regions and then use this option to move to the next level, states, Power BI displays state data for all countries/regions. For geocoding, Power BI sends Azure Maps state data (no country/region data) for all locations. This option is useful if each level of your hierarchy is unrelated to the level above it. |

+| 3 | Similar to the drill-down option, except that you don't need to click on the map. It expands down to the next level of the hierarchy remembering the current level's context. For example, if you're currently looking at countries/regions and select this icon, you move down in the hierarchy to the next level--states. For geocoding, Power BI sends data for each state and its corresponding country/region to help Azure Maps geocode more accurately. In most maps, you'll either use this option or the drill-down option on the far right. This will send Azure as much information as possible and result in more accurate location information. |

+### [3.0.0-preview.8] (June 2, 2023)

+#### Bug fixes (3.0.0-preview.8)

+- Fixed an exception that occurred while updating the property of a layout that no longer exists.

+- Fixed an issue where BubbleLayer's accessible indicators didn't update when the data source was modified.

+- Fixed an error in subsequent `map.setStyle()` calls if the raw Maplibre style is retrieved in the `stylechanged` event callback on style serialization.

+#### Other changes (3.0.0-preview.8)

+- Updated attribution logo and link.

+#### Installation (3.0.0-preview.8)

+The preview is available on [npm][3.0.0-preview.8] and CDN.

+- **NPM:** Refer to the instructions at [azure-maps-control@3.0.0-preview.8][3.0.0-preview.8]

+- **CDN:** Reference the following CSS and JavaScript in the `<head>` element of an HTML file:

+ ```html

+ <link href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3.0.0-preview.8/atlas.min.css" rel="stylesheet" />

+ <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3.0.0-preview.8/atlas.min.js"></script>

+ ```

+### [3.0.0-preview.7] (May 2, 2023)

+- Fixed token expired exception on relaunches when using Azure AD / shared token / anonymous authentication by making sure authentication is resolved prior to any style definition request

+### [2.3.0] (June 2, 2023)

+#### New features (2.3.0)

+- **\[BREAKING\]** Refactored the internal StyleManager to replace `_stylePatch` with `transformStyle`. This change will allow road shield icons to update and render properly after a style switch.

+#### Bug fixes (2.3.0)

+- Fixed an exception that occurred while updating the property of a layout that that no longer exists.

+- Fixed an issue where BubbleLayer's accessible indicators didn't update when the data source was modified.

+#### Other changes (2.3.0)

+- Updated attribution logo and link.

+### [2.2.7] (May 2, 2023)

+- Fixed token expired exception on relaunches when using Azure AD / shared token / anonymous authentication by making sure authentication is resolved prior to any style definition request

+[3.0.0-preview.8]: https://www.npmjs.com/package/azure-maps-control/v/3.0.0-preview.8

+[2.3.0]: https://www.npmjs.com/package/azure-maps-control/v/2.3.0

+description: Render coverage tables list the countries/regions that support Azure Maps road tiles.

+The render coverage tables below list the countries/regions that support Azure Maps road tiles. Both raster and vector tiles are supported. At the lowest resolution, the entire world fits in a single tile. At the highest resolution, a single tile represents 38 square meters. You'll see more details about continents, regions, cities, and individual streets as you zoom in the map. For more information about tiles, see [Zoom levels and tile grid](zoom-levels-and-tile-grid.md).

+> After August 1, 2019, the **View** parameter will define the returned map content for the new countries/regions listed above. Azure Maps **View** parameter (also referred to as "user region parameter") is a two letter ISO-3166 Country Code that will show the correct maps for that country/region specifying which set of geopolitically disputed content is returned via Azure Maps services, including borders and labels displayed on the map.

+### Countries/Regions with SMS notification support

+### Countries/Regions with Voice notification support

+> [!NOTE]

+> For more information, see the [getting-started tutorial for OpenTelemetry .NET](https://github.com/open-telemetry/opentelemetry-dotnet/tree/main#getting-started)

+## Migrate management pack logic for VM workloads

+ Title: Best practices for monitoring virtual machines in Azure Monitor

+description: Best practices organized by the pillars of the Well-Architected Framework (WAF) for monitoring virtual machines in Azure Monitor.

+# Best practices for monitoring virtual machines in Azure Monitor

+This article provides architectural best practices for monitoring virtual machines and their client workloads using Azure Monitor. The guidance is based on the five pillars of architecture excellence described in [Azure Well-Architected Framework](/azure/architecture/framework/).

+## Reliability

+In the cloud, we acknowledge that failures happen. Instead of trying to prevent failures altogether, the goal is to minimize the effects of a single failing component. Use the following information to monitor your virtual machines and their client workloads for failure.

+## Security

+Security is one of the most important aspects of any architecture. Azure Monitor provides features to employ both the principle of least privilege and defense-in-depth. Use the following information to monitor the security of your virtual machines.

+## Cost optimization

+Cost optimization refers to ways to reduce unnecessary expenses and improve operational efficiencies. You can significantly reduce your cost for Azure Monitor by understanding your different configuration options and opportunities to reduce the amount of data that it collects. See [Azure Monitor cost and usage](usage-estimated-costs.md) to understand the different ways that Azure Monitor charges and how to view your monthly bill.

+> [!NOTE]

+> See [Optimize costs in Azure Monitor](best-practices-cost.md) for cost optimization recommendations across all features of Azure Monitor.

+## Operational excellence

+Operational excellence refers to operations processes required keep a service running reliably in production. Use the following information to minimize the operational requirements for monitoring of your virtual machines.

+## Performance efficiency

+Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. Use the following information to monitor the performance of your virtual machines.

+## Next step

+- [Get complete guidance on configuring monitoring for virtual machines](vm/monitor-virtual-machine.md).

+A typical virtual machine generates between 1 GB and 3 GB of data per month. This data size depends on the configuration of the machine, the workloads running on it, and the configuration of your DCRs. Before you configure data collection across your entire virtual machine environment, begin collection on some representative machines to better predict your expected costs when deployed across your environment. Use [Log Analytics workspace insights](../logs/log-analytics-workspace-insights-overview.md) or log queries in [Data volume by computer](../logs/analyze-usage.md#data-volume-by-computer) to determine the amount of billable data collected for each machine and adjust accordingly.

+Evaluate collected data and filter out any that meets the following criteria to reduce your costs. Each data source that you collect may have a different method for filtering out unwanted data. See the sections below for the details each of the common data sources.

+- Not used for alerting.

+- No known forensic or diagnostic value.

+- Not required by regulators.

+- Not used in any dashboards or workbooks.

+You can also use [transformations](../essentials/data-collection-transformations.md) to implement more granular filtering and also to filter data from columns that provide little value. For example, you might have a Windows event that's valuable for alerting, but it includes columns with redundant or excessive data. You can create a transformation that allows the event to be collected but removes this excessive data.

+Filter data as much as possible before it's sent to Azure Monitor to avoid a [potential charge for filtering too much data using transformations](../essentials/data-collection-transformations.md#cost-for-transformations). Use [transformations](../essentials/data-collection-transformations.md) for record filtering using complex logic and for filtering columns with data that you don't require.

+> This guide describes how to implement complete monitoring of your enterprise Azure and hybrid virtual machine environment. To get started monitoring your first Azure virtual machine, see [Monitor Azure virtual machines](../../virtual-machines/monitor-vm.md).

+Azure Monitor focuses on operational data, while security monitoring in Azure is performed by other services such as [Microsoft Defender for Cloud](../../defender-for-cloud/index.yml) and [Microsoft Sentinel](../../sentinel/index.yml). Configuration of these services is not included in this guide.

+| Integration point | Azure Monitor | Microsoft<br>Defender for Cloud | Microsoft<br>Sentinel | Microsoft<br>Defender for Endpoint |

+ Title: Create availability alert rule for multiple Azure virtual machines (preview)

+description: Create a single alert rule in Azure Monitor to proactively notify you if any virtual machine in a subscription or resource group is unavailable.

+# Tutorial: Create availability alert rule for multiple Azure virtual machines (preview)

+One of the most common monitoring requirements for a virtual machine is to create an alert if it stops running. The best method for this is to create a metric alert rule in Azure Monitor using the [VM availability](../../virtual-machines/monitor-vm-reference.md#vm-availability-metric-preview) metric which is currently in public preview.

+You can create an availability alert rule for a single VM using the VM Availability metric with [recommended alerts](tutorial-monitor-vm-alert-recommended.md). This tutorial shows how to create a single rule that will apply to all virtual machines in a subscription or resource group in a particular region.

+> [!TIP]

+> While this article uses the metric value *VM availability metric,* you can use the same process to alert on any metric value.

+> * View the VM availability metric in metrics explorer.

+> * Create an alert rule targeting a subscription or resources group.

+- At least one Azure virtual machine to monitor.

+## View VM availability metric in metrics explorer

+There are multiple methods to create an alert rule in Azure Monitor. In this tutorial, we'll create it from [metrics explorer](../essentials/metrics-getting-started.md), which will prefill required values such as the scope and metric we want to monitor. You'll just need to provide the detailed logic for the alert rule.

+1. Select **Metrics** from the **Monitor** menu in the Azure portal.

+2. In **Select a scope**, select either a subscription or a resource group with VMs to monitor.

+3. Under **Refine scope**, for **Resource type**, select *Virtual machines*, and select the **Location** with VMs to monitor.

+5. Click **Apply** to set the scope for metrics explorer.

+ :::image type="content" source="media/tutorial-monitor-vm/metric-explorer-scope.png" alt-text="Screenshot of metrics explorer scope selection." lightbox="media/tutorial-monitor-vm/metric-explorer-scope.png":::

+6. Select *VM Availability metric (preview)* for **Metric**. The value is displayed for each VM in the selected scope.

+ :::image type="content" source="media/tutorial-monitor-vm/vm-availability-metric-explorer.png" alt-text="Screenshot of VM Availability metric in metrics explorer." lightbox="media/tutorial-monitor-vm/vm-availability-metric-explorer.png":::

+7. Click **New Alert Rule** to create an alert rule and open its configuration.

+8. Set the following values for the **Alert logic**. This specifies that the alert will fire whenever the average value of the availability metric falls below 1, which indicates that one of the VMs in the selected scope isn't running.

+ | Setting | Value |

+ |:|:|

+ | Threshold | Static |

+ | Aggregation Type | Average |

+ | Operator | Less than |

+ | Unit | Count |

+ | Threshold value | 1 |

+9. Set the following values for **When to evaluate**. This specifies that the rule will run every minute, using the collected values from the previous minute.

+ | Setting | Value |

+ |:|:|

+ | Check every | 1 minute |

+ | Loopback period | 1 minute |

+ :::image type="content" source="media/tutorial-monitor-vm/vm-availability-metric-alert-logic.png" alt-text="Screenshot of alert rule details for VM Availability metric." lightbox="media/tutorial-monitor-vm/vm-availability-metric-alert-logic.png":::

+1. Click **Create action group** to create a new one.

+ :::image type="content" source="media/tutorial-monitor-vm/vm-availability-metric-create-action-group.png" alt-text="Screenshot of option to create new action group." lightbox="media/tutorial-monitor-vm/vm-availability-metric-create-action-group.png":::

+2. Select a **Subscription** and **Resource group** for the action group and give it an **Action group name** that will appear in the portal and a **Display name** that will appear in email and SMS notifications.

+ :::image type="content" source="media/tutorial-monitor-vm/vm-availability-metric-action-group-basics.png" lightbox="./media/tutorial-monitor-vm/vm-availability-metric-action-group-basics.png" alt-text="Screenshot of action group basics.":::

+3. Select **Notifications** and add one or more methods to notify appropriate people when the alert is fired.

+ :::image type="content" source="media/tutorial-monitor-vm/action-group-notifications.png" lightbox="./media/tutorial-monitor-vm/action-group-notifications.png" alt-text="Screenshot showing action group notifications.":::

+1. Configure different settings for the alert rule on the **Details** page.

+ | Setting | Description |

+ |:|:|

+ | Subscription | Subscription where the alert rule will be stored. |

+ | Resource group | Resource group where the alert rule will be stored. This doesn't need to be in the same resource group as the resource that you're monitoring. |

+ | Severity | The severity allows you to group alerts with a similar relative importance. A severity of **Error** is appropriate for an unresponsive virtual machine. |

+ | Alert rule name | Name of the alert that's displayed when it fires. |

+ | Alert rule description | Optional description of the alert rule. |

+

+ :::image type="content" source="media/tutorial-monitor-vm/alert-rule-details.png" lightbox="media/tutorial-monitor-vm/alert-rule-details.png" alt-text="Screenshot showing alert rule details.":::

+2. Click **Review + create** to create the alert rule.

+To test the alert rule, stop one or more virtual machines in the scope you specified. If you configured a notification in your action group, then you should receive that notification within a few seconds. You'll also see an alert for each VM on the **Alerts** page.

+Now that you have alerting in place when the VM goes down, enable VM insights to install the Azure Monitor agent which collects additional data from the client and provides additional analysis tools.

+VM insights provides a quick and easy method for getting started monitoring the client workloads on your virtual machines and virtual machine scale sets. It displays an inventory of your existing VMs and provides a guided experience to enable base monitoring for them. It also monitors the performance and health of your virtual machines and virtual machine scale sets by collecting data on their running processes and dependencies on other resources.

+VM insights provides a set of predefined workbooks that allow you to view trending of collected performance data over time. You can view this data in a single VM from the virtual machine directly, or you can use Azure Monitor to deliver an aggregated view of multiple VMs.

+- VM insights collects a predefined set of metrics from the VM client and doesn't collect any event data. You can use the Azure portal to [create data collection rules](../agents/data-collection-rule-azure-monitor-agent.md) to collect events and additional performance counters using the same Azure Monitor agent used by VM insights.

+* [SAP HANA on Azure NetApp Files - Data protection with BlueXP backup and recovery](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-hana-on-azure-netapp-files-data-protection-with-bluexp/ba-p/3840116)

+## Dev tunnels limits

+ Title: Deploy vSAN stretched clusters

+# Deploy vSAN stretched clusters

+In this article, learn how to implement a vSAN stretched cluster for an Azure VMware Solution private cloud.

+## Stretched clusters region availability

+Azure VMware Solution stretched clusters are available in the following regions:

+- UK South (on AV36)

+- West Europe (on AV36)

+- Germany West Central (on AV36)

+- Australia East (on AV36P)

+Follow the [Request Host Quota](/azure/azure-vmware/request-host-quota-azure-vmware-solution) process to get the quota reserved for the required number of nodes. Provide the following details to facilitate the process:

+- Point of contact: email

+- Subscription ID: a new, separate subscription is required

+- Type of private cloud: "Stretched Cluster"

+- Region requested: UK South, West Europe, Germany West Central, or Australia East

+- Number of nodes in first stretched cluster: minimum 6, maximum 16 - in multiples of two

+- Estimated expansion plan

+## Deploy a stretched cluster private cloud

+## Storage policies supported

+The following SPBM policies are supported with a PFTT of "Dual Site Mirroring" and SFTT of "RAID 1 (Mirroring)" enabled as the default policies for the cluster:

+- Site disaster tolerance settings (PFTT):

+ - Dual site mirroring

+ - None - keep data on preferred

+ - None - keep data on non-preferred

+- Local failures to tolerate (SFTT):

+ - 1 failure ΓÇô RAID 1 (Mirroring)

+ - 1 failure ΓÇô RAID 5 (Erasure coding), requires a minimum of 4 hosts in each AZ

+ - 2 failures ΓÇô RAID 1 (Mirroring)

+ - 2 failures ΓÇô RAID 6 (Erasure coding), requires a minimum of 6 hosts in each AZ

+ - 3 failures ΓÇô RAID 1 (Mirroring)

+Currently, there are [four regions supported](#stretched-clusters-region-availability) for stretched clusters.

+### What kind of SLA does Azure VMware Solution provide with the stretched clusters?

+- Currently not supported in a stretched cluster environment:

+ - Recently released features like Public IP down to NSX Edge and external storage, like ANF datastores.

+ - Disaster recovery addons like VMware SRM, Zerto, and JetStream.

+- Open a [support ticket](https://rc.portal.azure.com/#create/Microsoft.Support) from the Azure portal for the following scenarios (be sure to select **Stretched Clusters** as a **Problem Type**):

+ - Connect a private cloud to a stretched cluster private cloud.

+ - Connect two stretched cluster private clouds in a single region.

+No. Customers won't see a charge for the witness node and the inter-AZ traffic. The witness node is entirely service managed, and Azure VMware Solution provides the required lifecycle management of the witness node. As the entire solution is service managed, the customer only needs to identify the appropriate SPBM policy to set for the workload virtual machines. The rest is managed by Microsoft.

+ Title: 'Upgrade or view a SKU: portal'

+description: Learn how to view a SKU and change tiers from the Basic to the Standard SKU.

+# View or upgrade a SKU

+This article helps you view and upgrade Azure Bastion from the Basic SKU tier to the Standard SKU tier. Once you upgrade, you can't revert back to the Basic SKU without deleting and reconfiguring Bastion. For more information about features and SKUs, see [Configuration settings](configuration-settings.md).

+## View a SKU

+To view the SKU for your bastion host, use the following steps.

+1. In the Azure portal, go to your bastion host.

+1. In the left pane, select **Configuration** to open the Configuration page. In the following example, Bastion is configured to use the **Basic** SKU tier.

+ Notice that when you use the Basic SKU, the features you can configure are limited. You can upgrade to a higher SKU using the steps in the next section.

+ :::image type="content" source="./media/upgrade-sku/view-sku.png" alt-text="Screenshot of the configuration page with the Basic SKU." lightbox="./media/upgrade-sku/view-sku.png":::

+## Upgrade a SKU

+Use the following steps to upgrade to the Standard SKU.

+ :::image type="content" source="./media/upgrade-sku/upgrade-sku.png" alt-text="Screenshot of tier select dropdown with Standard selected." lightbox="./media/upgrade-sku/upgrade-sku.png":::

+ "publisher": "almalinux",

+ "offer": "almalinux",

+ "sku": "9-gen1",

+ "nodeAgentSkuId": "batch.node.el 9",

+|`destinationContainerUrl`|The result can be stored in an Azure container. If you don't specify a container, the Speech service stores the results in a container managed by Microsoft. When the transcription job is deleted, the transcription result data is also deleted. For more information such as the supported security scenarios, see [Destination container URL](#destination-container-url).|

+> [!NOTE]

+> When you use the Speech CLI in a container, include the `--host` option. For example, run `spx recognize --host wss://localhost:5000/ --file myaudio.wav` to recognize speech from an audio file in a [speech to text container](speech-container-stt.md).

+> [!NOTE]

+> You can't use your computer's microphone when you run the Speech CLI within a Docker container. However, you can read from and save audio files in your local mounted directory.

+The following sections provide information about the content filtering categories, the filtering severity levels and their configurability, and API scenarios to be considered in application design and implementation.

+The content filtering system integrated in the Azure OpenAI Service contains neural multi-class classification models aimed at detecting and filtering harmful content; the models cover four categories (hate, sexual, violence, and self-harm) across four severity levels (safe, low, medium, and high). Content detected at the 'safe' severity level is labeled in annotations but is not subject to filtering and is not configurable.

+## Configurability (preview)

+The default content filtering configuration is set to filter at the medium severity threshold for all four content harm categories for both prompts and completions. That means that content that is detected at severity level medium or high is filtered, while content detected at severity level low is not filtered by the content filters. The configurability feature is available in preview and allows customers to adjust the settings, separately for prompts and completions, to filter content for each content category at different severity levels as described in the table below:

+| Severity filtered | Configurable for prompts | Configurable for completions | Descriptions |

+|-|--||--|

+| Low, medium, high | Yes | Yes | Strictest filtering configuration. Content detected at severity levels low, medium and high is filtered.|

+| Medium, high | Yes | Yes | Default setting. Content detected at severity level low is not filtered, content at medium and high is filtered.|

+| High | If approved^\*| If approved^\* | Content detected at severity levels low and medium is not filtered. Only content at severity level high is filtered. Requires approval^\*.|

+| No filters | If approved^\*| If approved^\*| No content is filtered regardless of severity level detected. Requires approval^\*.|

+^\* Only customers who have been approved for modified content filtering have full content filtering control, including configuring content filters at severity level high only or turning content filters off. Apply for modified content filters via this form: [Azure OpenAI Limited Access Review: Modified Content Filters and Abuse Monitoring (microsoft.com)](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xURE01NDY1OUhBRzQ3MkQxMUhZSE1ZUlJKTiQlQCN0PWcu)

+Content filtering configurations are created within a Resource in Azure AI Studio, and can be associated with Deployments. [Learn more about configurability here](../how-to/content-filters.md).

+ :::image type="content" source="../media/content-filters/configuration.png" alt-text="Screenshot of the content filter configuration UI" lightbox="../media/content-filters/configuration.png":::

+ response = openai.Completion.create(

+ prompt="<PROMPT>",

+ print(response)

+ Title: 'How to use content filters (preview) with Azure OpenAI Service'

+description: Learn how to use content filters (preview) with Azure OpenAI Service

+recommendations: false

+keywords:

+# How to configure content filters with Azure OpenAI Service

+> [!NOTE]

+> All customers have the ability to modify the content filters to be stricter (for example, to filter content at lower severity levels than the default). Approval is required for full content filtering control, including (i) configuring content filters at severity level high only (ii) or turning the content filters off. Managed customers only may apply for full content filtering control via this form: [Azure OpenAI Limited Access Review: Modified Content Filters and Abuse Monitoring (microsoft.com)](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xURE01NDY1OUhBRzQ3MkQxMUhZSE1ZUlJKTiQlQCN0PWcu).

+The content filtering system integrated into Azure OpenAI Service runs alongside the core models and uses an ensemble of multi-class classification models to detect four categories of harmful content (violence, hate, sexual, and self-harm) at four severity levels respectively (safe, low, medium, and high). The default content filtering configuration is set to filter at the medium severity threshold for all four content harms categories for both prompts and completions. That means that content that is detected at severity level medium or high is filtered, while content detected at severity level low or safe is not filtered by the content filters. Learn more about content categories, severity levels, and the behavior of the content filtering system [here](../concepts/content-filter.md).

+Content filters can be configured at resource level. Once a new configuration is created, it can be associated with one or more deployments. For more information about model deployment, see the [resource deployment guide](create-resource.md).

+The configurability feature is available in preview and allows customers to adjust the settings, separately for prompts and completions, to filter content for each content category at different severity levels as described in the table below. Content detected at the 'safe' severity level is labeled in annotations but is not subject to filtering and is not configurable.

+| Severity filtered | Configurable for prompts | Configurable for completions | Descriptions |

+|-|--||--|

+| Low, medium, high | Yes | Yes | Strictest filtering configuration. Content detected at severity levels low, medium and high is filtered.|

+| Medium, high | Yes | Yes | Default setting. Content detected at severity level low is not filtered, content at medium and high is filtered.|

+| High | If approved^\*| If approved^\* | Content detected at severity levels low and medium is not filtered. Only content at severity level high is filtered. Requires approval^\*.|

+| No filters | If approved^\*| If approved^\*| No content is filtered regardless of severity level detected. Requires approval^\*.|

+^\* Only approved customers have full content filtering control, including configuring content filters at severity level high only or turning the content filters off. Managed customers only can apply for full content filtering control via this form: [Azure OpenAI Limited Access Review: Modified Content Filters and Abuse Monitoring (microsoft.com)](https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR7en2Ais5pxKtso_Pz4b1_xURE01NDY1OUhBRzQ3MkQxMUhZSE1ZUlJKTiQlQCN0PWcu)

+## Configuring content filters via Azure AI Studio (preview)

+The following steps show how to set up a customized content filtering configuration for your resource.

+1. Go to Azure AI Studio and navigate to the Content Filters tab (in the bottom left navigation, as designated by the red box below).

+ :::image type="content" source="../media/content-filters/studio.png" alt-text="Screenshot of the AI Studio UI with Content Filters highlighted" lightbox="../media/content-filters/studio.png":::

+2. Create a new customized content filtering configuration.

+ :::image type="content" source="../media/content-filters/create-filter.png" alt-text="Screenshot of the content filtering configuration UI with create selected" lightbox="../media/content-filters/create-filter.png":::

+ This leads to the following configuration view, where you can choose a name for the custom content filtering configuration.

+ :::image type="content" source="../media/content-filters/filter-view.png" alt-text="Screenshot of the content filtering configuration UI" lightbox="../media/content-filters/filter-view.png":::

+3. This is the view of the default content filtering configuration, where content is filtered at medium and high severity levels for all categories. You can modify the content filtering severity level for both prompts and completions separately (configuration for prompts is in the left column and configuration for completions is in the right column, as designated with the blue boxes below) for each of the four content categories (content categories are listed on the left side of the screen, as designated with the green box below). There are three severity levels for each category that are partially or fully configurable: Low, medium, and high (labeled at the top of each column, as designated with the red box below).

+ :::image type="content" source="../media/content-filters/severity-level.png" alt-text="Screenshot of the content filtering configuration UI with user prompts and model completions highlighted" lightbox="../media/content-filters/severity-level.png":::

+4. If you determine that your application or usage scenario requires stricter filtering for some or all content categories, you can configure the settings, separately for prompts and completions, to filter at more severity levels than the default setting. An example is shown in the image below, where the filtering level for user prompts is set to the strictest configuration for hate and sexual, with low severity content filtered along with content classified as medium and high severity (outlined in the red box below). In the example, the filtering levels for model completions are set at the strictest configuration for all content categories (blue box below). With this modified filtering configuration in place, low, medium, and high severity content will be filtered for the hate and sexual categories in user prompts; medium and high severity content will be filtered for the self-harm and violence categories in user prompts; and low, medium, and high severity content will be filtered for all content categories in model completions.

+ :::image type="content" source="../media/content-filters/settings.png" alt-text="Screenshot of the content filtering configuration with low, medium, high, highlighted." lightbox="../media/content-filters/settings.png":::

+5. If your use case was approved for modified content filters as outlined above, you will receive full control over content filtering configurations. With full control, you can choose to turn filtering off, or filter only at severity level high, while accepting low and medium severity content. In the image below, filtering for the categories of self-harm and violence is turned off for user prompts (red box below), while default configurations are retained for other categories for user prompts. For model completions, only high severity content is filtered for the category self-harm (blue box below), and filtering is turned off for violence (green box below), while default configurations are retained for other categories.

+ :::image type="content" source="../media/content-filters/off.png" alt-text="Screenshot of the content filtering configuration with self harm and violence set to off." lightbox="../media/content-filters/off.png":::

+ You can create multiple content filtering configurations as per your requirements.

+ :::image type="content" source="../media/content-filters/multiple.png" alt-text="Screenshot of the content filtering configuration with multiple content filters configured." lightbox="../media/content-filters/multiple.png":::

+6. Next, to make a custom content filtering configuration operational, assign a configuration to one or more deployments in your resource. To do this, go to the **Deployments** tab and select **Edit deployment** (outlined near the top of the screen in a red box below).

+ :::image type="content" source="../media/content-filters/edit-deployment.png" alt-text="Screenshot of the content filtering configuration with edit deployment highlighted." lightbox="../media/content-filters/edit-deployment.png":::

+7. Go to advanced options (outlined in the blue box below) select the content filter configuration suitable for that deployment from the **Content Filter** dropdown (outlined near the bottom of the dialog box in the red box below).

+ :::image type="content" source="../media/content-filters/advanced.png" alt-text="Screenshot of edit deployment configuration with advanced options selected." lightbox="../media/content-filters/select-filter.png":::

+8. Select **Save and close** to apply the selected configuration to the deployment.

+ :::image type="content" source="../media/content-filters/select-filter.png" alt-text="Screenshot of edit deployment configuration with content filter selected." lightbox="../media/content-filters/select-filter.png":::

+9. You can also edit and delete a content filter configuration if required. To do this, navigate to the content filters tab and select the desired action (options outlined near the top of the screen in the red box below). You can edit/delete only one filtering configuration at a time.

+ :::image type="content" source="../media/content-filters/delete.png" alt-text="Screenshot of content filter configuration with edit and delete highlighted." lightbox="../media/content-filters/delete.png":::

+ > [!NOTE]

+ > Before deleting a content filtering configuration, you will need to unassign it from any deployment in the Deployments tab.

+## Best practices

+We recommend informing your content filtering configuration decisions through an iterative identification (for example, red team testing, stress-testing, and analysis) and measurement process to address the potential harms that are relevant for a specific model, application, and deployment scenario. After implementing mitigations such as content filtering, repeat measurement to test effectiveness. Recommendations and best practices for Responsible AI for Azure OpenAI, grounded in the [Microsoft Responsible AI Standard](https://aka.ms/RAI) can be found in the [Responsible AI Overview for Azure OpenAI](/legal/cognitive-services/openai/overview?context=%2Fazure%2Fcognitive-services%2Fopenai%2Fcontext%2Fcontext).

+## Next steps

+- Learn more about Responsible AI practices for Azure OpenAI: [Overview of Responsible AI practices for Azure OpenAI models](/legal/cognitive-services/openai/overview?context=%2Fazure%2Fcognitive-services%2Fopenai%2Fcontext%2Fcontext).

+- Read more about [content filtering categories and severity levels](../concepts/content-filter.md) with Azure OpenAI Service.

+- Learn more about red teaming from our: [Introduction to red teaming large language models (LLMs) article](../concepts/red-teaming.md).

+ Title: Manage Azure OpenAI Service quota

+description: Learn how to use Azure OpenAI to control your deployments rate limits.

+# Manage Azure OpenAI Service quota

+Quota provides the flexibility to actively manage the allocation of rate limits across the deployments within your subscription. This article walks through the process of managing your Azure OpenAI quota.

+## Introduction to quota

+Azure OpenAI's quota feature enables assignment of rate limits to your deployments, up-to a global limit called your ΓÇ£quota.ΓÇ¥ Quota is assigned to your subscription on a per-region, per-model basis in units of **Tokens-per-Minute (TPM)**. When you onboard a subscription to Azure OpenAI, you'll receive default quota for most available models. Then, you'll assign TPM to each deployment as it is created, and the available quota for that model will be reduced by that amount. You can continue to create deployments and assign them TPM until you reach your quota limit. Once that happens, you can only create new deployments of that model by reducing the TPM assigned to other deployments of the same model (thus freeing TPM for use), or by requesting and being approved for a model quota increase in the desired region.

+> [!NOTE]

+> With a quota of 240,000 TPM for GPT-35-Turbo in East US, a customer can create a single deployment of 240K TPM, 2 deployments of 120K TPM each, or any number of deployments in one or multiple Azure OpenAI resources as long as their TPM adds up to less than 240K total in that region.

+When a deployment is created, the assigned TPM will directly map to the tokens-per-minute rate limit enforced on its inferencing requests. A **Requests-Per-Minute (RPM)** rate limit will also be enforced whose value is set proportionally to the TPM assignment using the following ratio:

+6 RPM per 1000 TPM.

+The flexibility to distribute TPM globally within a subscription and region has allowed Azure OpenAI Service to loosen other restrictions:

+- The maximum resources per region are increased to 30.

+- The limit on creating no more than one deployments of the same model in a resource has been removed.

+## Assign quota

+When you create a model deployment, you have the option to assign Tokens-Per-Minute (TPM) to that deployment. TPM can be modified in increments of 1,000, and will map to the TPM and RPM rate limits enforced on your deployment, as discussed above.

+To create a new deployment from within the Azure AI Studio under **Management** select **Deployments** > **Create new deployment**.

+The option to set the TPM is under the **Advanced options** drop-down:

+Post deployment you can adjust your TPM allocation by selecting **Edit deployment** under **Management** > **Deployments** in Azure AI Studio. You can also modify this selection within the new quota management experience under **Management** > **Quotas**.

+> [!IMPORTANT]

+> Quotas and limits are subject to change, for the most up-date-information consult our [quotas and limits article](../quotas-limits.md).

+## Model specific settings

+Different model deployments, also called model classes have unique max TPM values that you're now able to control. **This represents the maximum amount of TPM that can be allocated to that type of model deployment in a given region.** While each model type represents its own unique model class, the max TPM value is currently only different for certain model classes:

+- GPT-4

+- GPT-4-32K

+- GPT-35-Turbo

+- Text-Davinci-003

+All other model classes have a common max TPM value.

+> [!NOTE]

+> Quota Tokens-Per-Minute (TPM) allocation is not related to the max input token limit of a model. Model input token limits are defined in the [models table](../concepts/models.md) and are not impacted by changes made to TPM.

+## View and request quota

+For an all up view of your quota allocations across deployments in a given region, select **Management** > **Quota** in Azure AI Studio:

+- **Quota Name**: There's one quota value per region for each model type. The quota covers all versions of that model. The quota name can be expanded in the UI to show the deployments that are using the quota.

+- **Deployment**: Model deployments divided by model class.

+- **Usage/Limit**: For the quota name, this shows how much quota is used by deployments and the total quota approved for this subscription and region. This amount of quota used is also represented in the bar graph.

+- **Request Quota**: The icon in this field navigates to a form where requests to increase quota can be submitted.

+## Migrating existing deployments

+As part of the transition to the new quota system and TPM based allocation, all existing Azure OpenAI model deployments have been automatically migrated to use quota. In cases where the existing TPM/RPM allocation exceeds the default values due to previous custom rate-limit increases, equivalent TPM were assigned to the impacted deployments.

+## Understanding rate limits

+Assigning TPM to a deployment sets the Tokens-Per-Minute (TPM) and Requests-Per-Minute (RPM) rate limits for the deployment, as described above. TPM rate limits are based on the maximum number of tokens that are estimated to be processed by a request at the time the request is received. It isn't the same as the token count used for billing, which is computed after all processing is completed.

+As each request is received, Azure OpenAI computes an estimated max processed-token count that includes the following:

+- Prompt text and count

+- The max_tokens parameter setting

+- The best_of parameter setting

+As requests come into the deployment endpoint, the estimated max-processed-token count is added to a running token count of all requests that is reset each minute. If at any time during that minute, the TPM rate limit value is reached, then further requests will receive a 429 response code until the counter resets.

+RPM rate limits are based on the number of requests received over time. The rate limit expects that requests be evenly distributed over a one-minute period. If this average flow isn't maintained, then requests may receive a 429 response even though the limit isn't met when measured over the course of a minute. To implement this behavior, Azure OpenAI Service evaluates the rate of incoming requests over a small period of time, typically 1 or 10 seconds. If the number of requests received during that time exceeds what would be expected at the set RPM limit, then new requests will receive a 429 response code until the next evaluation period. For example, if Azure OpenAI is monitoring request rate on 1-second intervals, then rate limiting will occur for a 600-RPM deployment if more than 10 requests are received during each 1-second period (600 requests per minute = 10 requests per second).

+### Rate limit best practices

+To minimize issues related to rate limits, it's a good idea to use the following techniques:

+- Set max_tokens and best_of to the minimum values that serve the needs of your scenario. For example, donΓÇÖt set a large max-tokens value if you expect your responses to be small.

+- Use quota management to increase TPM on deployments with high traffic, and to reduce TPM on deployments with limited needs.

+- Implement retry logic in your application.

+- Avoid sharp changes in the workload. Increase the workload gradually.

+- Test different load increase patterns.

+## Next steps

+- To review quota defaults for Azure OpenAI, consult the [quotas & limits article](../quotas-limits.md)

+The following sections provide you with a quick guide to the default quotas and limits that apply to Azure OpenAI:

+| OpenAI resources per region per Azure subscription | 30 |

+| Default quota per model and region (in tokens-per-minute)¹ |Text-Davinci-003: 120 K <br> GPT-4: 20 K <br> GPT-4-32K: 60 K <br> All others: 240 K |

+| Maximum prompt tokens per request | Varies per model. For more information, see [Azure OpenAI Service models](./concepts/models.md)|

+| Max fine-tuned model deployments | 2 |

+| Max Files per resource | 30 |

+¹ Default quota limits are subject to change.

+### General best practices to remain within rate limits

+To minimize issues related to rate limits, it's a good idea to use the following techniques:

+- Increase the quota assigned to your deployment. Move quota from another deployment, if necessary.

+Quota increase requests can be submitted from the [Quotas](./how-to/quota.md) page of Azure AI Studio. Please note that due to overwhelming demand, we are not currently approving new quota increase requests. Your request will be queued until it can be filled at a later time.

+For other rate limits, please [submit a service request](/azure/cognitive-services/cognitive-services-support-options?context=%2Fazure%2Fcognitive-services%2Fopenai%2Fcontext%2Fcontext).

+Explore how to [manage quota](./how-to/quota.md) for your Azure OpenAI deployments.

+### Screen sharing in macOS Ventura Safari (v16.3 and below)

+Screen sharing does not work in macOS Ventura Safari(v16.3 and below). Known issue from Safari and will be fixed in v16.4+

+### Excessive use of certain APIs like mute/unmute will result in throttling on ACS infrastructure

+As a result of the mute/unmute API call, ACS infrastructure informs other participants in the call about the state of audio of a local participant who invoked mute/unmute, so that participants in the call know who is muted/unmuted.

+Excessive use of mute/unmute will be blocked in ACS infrastructure. That will happen if the participant (or application on behalf of participant) will attempt to mute/unmute continuously, every second, more than 15 times in a 30-second rolling window.

+| Phone number type | Example | Country/Region availability | Phone Number Capability |Common use case |

+The capabilities that are available to you depend on the country/region that you're operating within, your use case, and the phone number type that you've selected. These capabilities vary by country/region due to regulatory requirements. Azure Communication Services offers the following phone number capabilities:

+For cloud calling, outbound calls are billed at per-minute rates depending on the target country/region. See the [current rate list for PSTN calls](https://github.com/Azure/Communication/blob/master/pricing/communication-services-pstn-rates.csv).

+> SMS capabilities depend on the phone number you use and the country/region that you're operating within as determined by your Azure billing address. For more information, visit the [Subscription eligibility](../../concepts/numbers/sub-eligibility-number-capability.md) documentation.

+

+## Spot container deployment

+ACI Spot containers allow customers to run interruptible, containerized workloads on unused Azure capacity at significantly discounted prices of up to 70% compared to regular-priority ACI containers. ACI spot containers may be preempted when Azure encounters a shortage of surplus capacity, and they're suitable for workloads without strict availability requirements. Customers are billed for per-second memory and core usage. To utilize ACI Spot containers, you can deploy your workload with a specific property flag indicating that you want to use Spot container groups and take advantage of the discounted pricing model.

+For more information, see [spot container groups](container-instances-spot-containers-overview.md).

+| Region | Max CPU | Max memory (GB) | VNET max CPU | VNET max memory (GB) | Storage (GB) | GPU SKUs (preview) | Availability Zone support | Confidential SKU (preview) | Spot containers (preview) |

+| Australia East | 4 | 16 | 4 | 16 | 50 | N/A | Y | N | N |

+| Australia Southeast | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Brazil South | 4 | 16 | 4 | 16 | 50 | N/A | Y | N | N |

+| Canada Central | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Canada East | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Central India | 4 | 16 | 4 | 16 | 50 | V100 | N | N | N |

+| Central US | 4 | 16 | 4 | 16 | 50 | N/A | Y | N | N |

+| East Asia | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| East US | 4 | 16 | 4 | 16 | 50 | K80, P100, V100 | Y | Y | N |

+| East US 2 | 4 | 16 | 4 | 16 | 50 | N/A | Y | N | Y |

+| France Central | 4 | 16 | 4 | 16 | 50 | N/A | Y| N | N |

+| Germany West Central | 4 | 16 | 4 | 16 | 50 | N/A | Y | N | N |

+| Japan East | 4 | 16 | 4 | 16 | 50 | N/A | Y | N | N |

+| Japan West | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Jio India West | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Korea Central | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| North Central US | 4 | 16 | 4 | 16 | 50 | K80, P100, V100 | N | N | N |

+| North Europe | 4 | 16 | 4 | 16 | 50 | K80 | Y | Y | N |

+| Norway East | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Norway West | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| South Africa North | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| South Central US | 4 | 16 | 4 | 16 | 50 | V100 | Y | N | N |

+| South India | 4 | 16 | 4 | 16 | 50 | K80 | N | N | N |

+| Southeast Asia | 4 | 16 | 4 | 16 | 50 | P100, V100 | Y | N | N |

+| Sweden Central | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Sweden South | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Switzerland North | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| Switzerland West | 4 | 16 | N/A | N/A | 50 | N/A | N | N | N |

+| UAE North | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| UK South | 4 | 16 | 4 | 16 | 50 | N/A | Y | N | N |

+| UK West | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| West Central US| 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+| West Europe | 4 | 16 | 4 | 16 | 50 | K80, P100, V100 | Y | Y | Y |

+| West India | 4 | 16 | N/A | N/A | 50 | N/A | N | N | N |

+| West US | 4 | 16 | 4 | 16 | 50 | N/A | N | Y | Y |

+| West US 2 | 4 | 16 | 4 | 16 | 50 | K80, P100, V100 | Y | N | N |

+| West US 3 | 4 | 16 | 4 | 16 | 50 | N/A | N | N | N |

+ Title: Azure Container Instances Spot containers

+description: Learn more about Spot container groups

+# Azure Container Instances Spot containers (preview)

+This article introduces the concept of Azure Container Instances (ACI) Spot containers, which allows you to run interruptible workloads in containerized form on unused Azure capacity. By utilizing Spot containers, you can enjoy up to a 70% discount compared to regular-priority ACI containers.

+Spot containers offer the best of both worlds by combining the simplicity of ACI with the cost-effectiveness of Spot VMs. This enables customers to easily and affordably scale their containerized interruptible workloads. It's important to note that Spot containers may be preempted at any time, particularly when Azure has limited surplus capacity. Customers are billed based on per-second memory and core usage.

+This feature is designed for customers who need to run interruptible workloads with no strict availability requirements. Azure Container Instances Spot Containers support both Linux and Windows containers, providing flexibility for different operating system environments.

+This article provides background about the feature, limitations, and resources. To see the availability of Spot containers in Azure regions, see [Resource and region availability](container-instances-region-availability.md).

+> [!NOTE]

+> Spot containers with Azure Container Instances is in preview and is not recommended for production scenarios.

+## Azure Container Instances Spot containers overview

+### Lift and shift applications

+ACI Spot containers are a cost-effective option for running containerized applications or parallelizable offline workloads including image rendering, Genomic processing, Monte Carlo simulations, etc. Customers can lift and shift their containerized Linux or Windows applications without needing to adopt specialized programming models to achieve the benefits of standard ACI containers along with low cost.

+## Eviction policies

+For Spot containers, customers can't choose eviction types or policies like Spot VMs. If an eviction occurs, the container groups hosting the customer workloads are automatically restarted without requiring any action from the customer.

+## Unsupported features

+ACI Spot containers preview release includes these limitations such as

+* **Public IP Endpoint**: ACI Spot container groups won't be assigned a public IP endpoint. This means that the container groups can't be accessed directly from the internet.

+* **Deployment Behind Virtual Network**: Spot container groups can't be deployed behind a virtual network.

+* **Confidential SKU Support**: ACI Spot containers don't support the Confidential SKU, which means that you can't use the Confidential Computing capabilities provided by Azure.

+* **Availability Zone Pinning**: ACI Spot containers don't support the ability to pin Availability Zones per container group deployment.

+## Next steps

+* For a deployment example with the Azure portal, see [Deploy a Spot container with Azure Container Instances using the Azure portal](container-instances-tutorial-deploy-spot-containers-portal.md)

+* For a deployment example with the Azure CLI, see [Deploy a Spot container with Azure Container Instances using the Azure CLI](container-instances-tutorial-deploy-spot-containers-cli.md)

+ Title: Tutorial - Deploy a Spot container group on Azure Container Instances

+description: In this quickstart, you use the Azure CLI to quickly deploy a Spot container on Azure Container Instances

+# Tutorial: Deploy a Spot container with Azure Container Instances using the Azure CLI (Preview)

+Spot Containers combine the simplicity of ACI with the low cost of Spot VMs making it easy and affordable for customers to run containerized interruptible workloads at scale. Use Azure Container Instances to run serverless Spot containers. Deploy an application to a Spot container on-demand when you want to run interruptible, containerized workloads on unused Azure capacity at low cost and you don't need a full container orchestration platform like Azure Kubernetes Service.

+In this quickstart, you use the Azure CLI to deploy a helloworld container using Spot containers. A few seconds after you execute a single deployment command, you can browse to the container logs:

+- This quickstart requires version 2xxx later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+## Create a resource group

+Azure container instances, like all Azure resources, must be deployed into a resource group. Resource groups allow you to organize and manage related Azure resources.

+First, create a resource group named *myResourceGroup* in the *westus* location with the following [az group create][az-group-create] command:

+```azurecli-interactive

+az group create --name myResourceGroup --location westus

+```

+## Create a container

+Now that you have a resource group, you can run a Spot container in Azure. To create a Spot container group with the Azure CLI, provide a resource group name, container instance name, container image and new property called 'priority' with value of 'Spot' to the [az container create][az-container-create] command. In this quickstart, you use the public `mcr.microsoft.com/azuredocs/aci-helloworld` image. This image packages a small web app written in Node.js that serves a static HTML page.

+You can't expose your spot containers to the internet by specifying one or more ports to open, a DNS name label, or both. In this quickstart, you deploy a container using helloworld image without a DNS name label. It won't be publicly reachable. You can query the container logs to verify container is listening on default port 80.

+Execute a command similar to the following to start a container instance.

+```azurecli-interactive

+az container create --resource-group acispotdemo --name acispotclitest --image mcr.microsoft.com/azuredocs/aci-helloworld --priority spot

+```

+Within a few seconds, you should get a response from the Azure CLI indicating that the deployment has completed. Check its status with the [az container show][az-container-show] command:

+```azurecli-interactive

+az container show --resource-group acispotdemo --name acispotclitest --query "{ProvisioningState:provisioningState}" --out table

+```

+When you run the command, the container's fully qualified domain name (FQDN) and its provisioning state are displayed.

+```output

+ContainerGroupName ProvisioningState

+ -

+acispotclitest Succeeded

+```

+If the container's `ProvisioningState` is **Succeeded**, congratulations! You've successfully deployed an application running in a Docker container to Azure.

+## Pull the container logs

+When you need to troubleshoot a container or the application it runs (or just see its output), start by viewing the container instance's logs.

+Pull the container instance logs with the [az container logs][az-container-logs] command:

+```azurecli-interactive

+az container logs --resource-group acispotdemo --name acispotclitest

+```

+The output displays the logs for the container, and should show the below output

+```output

+listening on port 80

+```

+## Attach output streams

+In addition to viewing the logs, you can attach your local standard out and standard error streams to that of the container.

+First, execute the [az container attach][az-container-attach] command to attach your local console to the container's output streams:

+```azurecli-interactive

+az container attach --resource-group acispotdemo --name acispotclitest

+```

+Once attached, refresh your browser a few times to generate some more output. When you're done, detach your console with `Control+C`. You should see output similar to the following:

+```output

+Container 'acispotclitest' is in state 'Running'...

+Start streaming logs:

+listening on port 80

+```

+## Clean up resources

+When you're done with the container, remove it using the [az container delete][az-container-delete] command:

+```azurecli-interactive

+az container delete --resource-group acispotdemo --name acispotclitest

+```

+To verify that the container has been deleted, execute the [az container list](/cli/azure/container#az-container-list) command:

+```azurecli-interactive

+az container list --resource-group acispotdemo --output table

+```

+The **acispotclitest** container shouldn't appear in the command's output. If you have no other containers in the resource group, no output is displayed.

+If you're done with the *acispotdemo* resource group and all the resources it contains, delete it with the [az group delete][az-group-delete] command:

+```azurecli-interactive

+az group delete --name acispotdemo

+```

+## Next steps

+In this tutorial, you created a Spot container on Azure Container Instances with a default quota and eviction policy using the Azure CLI.

+* [Check out the overview for ACI Spot containers](container-instances-spot-containers-overview.md)

+* [Try out Spot containers with Azure Container Instances using the Azure portal](container-instances-tutorial-deploy-spot-containers-portal.md)

+<!-- LINKS - External -->

+[app-github-repo]: https://github.com/Azure-Samples/aci-helloworld.git

+[azure-account]: https://azure.microsoft.com/free/

+[node-js]: https://nodejs.org

+<!-- LINKS - Internal -->

+[az-container-attach]: /cli/azure/container#az_container_attach

+[az-container-create]: /cli/azure/container#az_container_create

+[az-container-delete]: /cli/azure/container#az_container_delete

+[az-container-list]: /cli/azure/container#az_container_list

+[az-container-logs]: /cli/azure/container#az_container_logs

+[az-container-show]: /cli/azure/container#az_container_show

+[az-group-create]: /cli/azure/group#az_group_create

+[az-group-delete]: /cli/azure/group#az_group_delete

+[azure-cli-install]: /cli/azure/install-azure-cli

+[container-service]: ../aks/intro-kubernetes.md

+ Title: Tutorial - Deploy a Spot container to Azure Container Instances via Azure portal

+description: In this tutorial, you will deploy a spot container to Azure Container Instances via Azure portal.

+# Tutorial: Deploy a Spot container with Azure Container Instances using the Azure portal (Preview)

+In this tutorial, you will use Azure portal to deploy a spot container to Azure Container Instances with a default quota. After deploying the container, you can browse to the running application.

+## Sign in to Azure

+Sign in to the Azure portal at https://portal.azure.com

+If you don't have an Azure subscription, create a [free account][azure-free-account] before you begin.

+## Create a Spot container on Azure Container Instances

+1. On the Azure portal homepage, select **Create a resource**.

+ 

+1. Select **Containers** > **Container Instances**.

+1. On the **Basics** page, choose a subscription and enter the following values for **Resource group**, **Container name**, **Image source**, and **Container image**. Then to deploy ACI Spot container, opt for Spot discount by selecting **Run with Spot discount** field. This will enforce limitations for this feature in preview release automatically and allow you to deploy only in supported regions.

+ * Resource group: **Create new** > `acispotdemo`

+ * Container name: `acispotportaldemo`

+ * Region: One of `West Europe`/`East US2`/`West US`

+ * SKU: `Standard`

+ * Image source: **Quickstart images**

+ * Container image: `mcr.microsoft.com/azuredocs/aci-helloworld:v1` (Linux)

+ 

+ When deploying Spot container on Azure Container Instances you need to select only regions supported in public preview. You can change the restart policy, region, type of container images and compute resources. If you want more than default quota offered, please file a support request.

+

+1. Leave all other settings as their defaults, then select **Review + create**.

+1. When the validation completes, you're shown a summary of the container's settings. Select **Create** to submit your container deployment request. When the deployment starts, a notification appears that indicates the deployment is in progress. Another notification is displayed when the container group has been deployed.

+1. Open the overview for the container group by navigating to **Resource Groups** > **acispotdemo** > **acispotportaldemo**. Make a note of the **priority** property of the container instance and its **Status**.

+1. On the **Overview** page, note the **Status** of the instance.

+1. Once its status is *Running*, navigate to the AZ CLI and run the below command to check you are able to listen to container on default port 80.

+ 

+Congratulations! You have deployed a spot container on Azure Container Instances which is running sample hello world container application.

+## Clean up resources

+When you're done with the container, select **Overview** for the *helloworld* container instance, then select **Delete**.

+## Next steps

+In this tutorial, you created a Spot container on Azure Container Instances with a default quota and eviction policy using the Azure portal.

+* [ACI Spot containers overview](container-instances-spot-containers-overview.md)

+* [Try out Spot containers with Azure Container Instances using the Azure CLI](container-instances-tutorial-deploy-spot-containers-cli.md)

+<!-- LINKS - External -->

+[azure-free-account]: https://azure.microsoft.com/free/

+

+ # Variable for Subscription

+ subscriptionId="<subscription-id>"

+ accountId="/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/$accountName"

+ --uri "https://management.azure.com/$accountId?api-version=2022-11-15-preview" \

+ --uri "https://management.azure.com$accountId/services/materializedViewsBuilder?api-version=2022-11-15-preview" \

+ --uri "https://management.azure.com$accountId/services/materializedViewsBuilder?api-version=2022-11-15-preview"

+ "definition": "SELECT s.accountId, s.emailAddress FROM s"

+ 1. Create a variable for the name of the materialized view and source database name.

+

+ # Variable for database name used in later section

+ databaseName="<database-that-contains-source-collection>"

+ --uri "https://management.azure.com$accountId/sqlDatabases/";\

+ --uri "https://management.azure.com$accountId/sqlDatabases/";\

+- This feature can't be enabled along with Partition Merge feature or Analytical Store

+| Ability to geo-fence data to adhere to data governance restrictions | You need to check the restrictions of each country/region and implement it yourself. | Guarantees data governance for sovereign regions (Germany, China, US Gov, etc.). |

+* General availability: Customer defined database name is now available in [all regions](./resources-regions.md) at [cluster provisioning](./quickstart-create-portal.md) time.

+ * If the database name is not specified, the default `citus` name is used.

+* [Data encryption at rest using customer managed keys](./concepts-customer-managed-keys.md).

+Let us know about your experience using preview features or if you have other product feedback, by emailing [Ask

+ The **psql** string is of the form `psql "host=c-<cluster>.<uniqueID>.postgres.cosmos.azure.com port=5432 dbname=citus user=citus password={your_password} sslmode=require"`. Notice that the host name starts with a `c.`, for example `c-mycluster.12345678901234.postgres.cosmos.azure.com`. This prefix indicates the coordinator node of the cluster. The default `dbname` is `citus` and can be changed only at cluster provisioning time. The `user` can be any valid [Postgres role](./howto-create-users.md) on your cluster.

+ When psql successfully connects to the database, you see a new `citus=>` (or the custom name of your database) prompt:

+connect beyond these limits fails with an error.

+cluster. Creating another database is currently not allowed, and the CREATE DATABASE command fails

+By default this database is called `citus`. Azure Cosmos DB for PostgreSQL supports custom database names at cluster provisioning time only.

+What happens if things keep getting better? Suppose users from another country/region or continent notice your platform and start using it. What a great surprise!

+### Why do I see "There are no offers available in your country/region at this time"?

+Your billing address must be in the country/region that you select in the **About you** section. Verify that you have selected the correct country/region.

+ Title: Release notes for Microsoft Azure Data Manager for Agriculture Preview

+description: This article provides release notes for Azure Data Manager for Agriculture Preview releases, improvements, bug fixes, and known issues.

+ We provide information on latest releases, bug fixes, & deprecated functionality for Azure Data Manager for Agriculture Preview monthly.

+## April 2023

+## May 2023

+### Understanding throttling

+Azure Data Manager for Agriculture implements API throttling to ensure consistent performance by limiting the number of requests within a specified time frame. Throttling prevents resource overuse and maintains optimal performance and reliability for all customers. Details are available [here](concepts-understanding-throttling.md).

+Government Customer agrees to comply with and be responsible for all applicable import, export and general trade laws and regulations should Customer decide to transport the Azure Stack Edge Device beyond the country/region border in which Customer receives the Azure Stack Edge Device. For clarity, but not limited to, if a government Customer is in possession of an Azure Stack Edge Device, only the government Customer may, at government CustomerΓÇÖs sole risk and expense, transport the Azure Stack Edge Device to its different locations in accordance with this section and the requirements of the Additional Terms. Customer is responsible for obtaining at CustomerΓÇÖs own risk and expense any export license, import license and other official authorization for the exportation and importation of the Azure Stack Edge Device and CustomerΓÇÖs data to any different Customer location. Customer shall also be responsible for customs clearance to any different Customer location, and will bear all duties, taxes, and other official charges payable upon importation as well as all costs and risks of carrying out customs formalities in a timely manner.

+If Customer transports the Azure Stack Edge Device to a different location, Customer agrees to return the Azure Stack Edge Device to the country/region location where Customer received it initially, prior to shipping the Azure Stack Edge Device back to Microsoft. Customer acknowledges that there are inherent risks in shipping data on and in connection with the Azure Stack Edge Device, and that Microsoft will have no liability to Customer for any damage, theft, or loss occurring to an Azure Stack Edge Device or any data stored on one, including during transit. It is CustomerΓÇÖs responsibility to obtain the appropriate support agreement from Microsoft to meet CustomerΓÇÖs operating objectives for the Azure Stack Edge Device; however, depending on the location to which Customer intends to move the Azure Stack Edge Device, MicrosoftΓÇÖs ability to provide hardware servicing and support may be delayed, or may not be available.

+1. Select the subscription for the Azure Stack Edge Pro FPGA device and the country/region to ship the device to in **Ship to**.

+ 

+Azure Stack Edge services uses [Azure Regional Pairs](../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) when storing and processing customer data in all the geos where the service is available. For the Southeast Asia (Singapore) region, the service is currently paired with Hong Kong. The Azure region pairing implies that any data stored in Singapore is replicated in Hong Kong. Singapore has laws in place that require that the customer data not leave the country/region boundaries.

+An additional [Type 2590 battery](https://www.bren-tronics.com/bt-70791ck.html) can be used along with the onboard battery to extend the use of the device between the charges. This battery should be compliant with all the safety, transportation, and environmental regulations applicable in the country/region of use.

+If Customer wishes to move a Data Box Device to another country/region, then Customer must be the exporter of record from the country/region of export and importer of record into the country/region where the Data Box Device is being imported. Customer is responsible for obtaining, at its own risk and expense, any export license, import license and other official authorization for the exportation and importation of the Data Box Device and CustomerΓÇÖs data to any such different Customer location. Customer shall also be responsible for customs clearance at any such different Customer location, and will bear all duties, taxes, fines, penalties (if applicable) and all charges payable for exporting and importing the Data Box Device, as well as any and all costs and risks of carrying out customs formalities in a timely manner. Customer agrees to comply with and be responsible for all applicable import, export and general trade laws and regulations should Customer decide to transport the Data Box Device beyond the country/region border in which Customer receives the Data Box Device. Additionally, if Customer transports the Data Box Device to a different country/region, prior to shipping the Data Box Device back to the original point of origin, whether a specified Microsoft entity or a Designated Azure Data Center, Customer agrees to return the Data Box Device to the country/region location where Customer initially received the Data Box Device. If requested, Microsoft may provide MicrosoftΓÇÖs estimated value of the Data Box Device as supplied by Microsoft to Customer and share available product certifications for the Data Box Device.

+Data Box can transfer data based on the region in which service is deployed, the country/region you ship the device to, and the target storage account where you transfer the data.

+Azure Security Center monitors all connected resources and generates security recommendations. Use these recommendations to strengthen your hybrid cloud posture and track compliance with the policies and standards relevant to your organization, industry, and country/region.

+* The **consent management** backend is part of customer management and keeps track of user authorization for data collection according to geographical country/region legislation.

+* Share data securely and addressing country/region-specific requirements for user consent with the broader **smart Mobility ecosystems**.

+- **SNAT** - More ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. Azure Firewall uses the primary public IP address first before it uses the other associated public IP addresses for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall. Consider using a [public IP address prefix](../virtual-network/ip-services/public-ip-address-prefix.md) to simplify this configuration.

+* Filter requests based on a specific IP address, port, or country/region.

+* Filter requests based on a specific IP address, or country/region.

+This error occurs when _aad-pod-identity_ is installed on the cluster and the _kube-system_ pods

+## authorizationresources

+- microsoft.authorization/roleassignments

+- microsoft.authorization/roledefinitions

+- microsoft.authorization/classicadministrators

+## Errors and solution

+Unmark the src folder as **Sources** if you get build failed errors as below:

+Unmark the src folder as **Sources** to solution this issue:

+1. Navigate to **File** and select the **Project Structure**.

+2. Select the **Modules** under the Project Settings.

+3. Select the **src** file and unmark as **Sources**.

+4. Click on Apply button and then click on OK button to close the dialog.

+ :::image type="content" source="./media/apache-spark-intellij-tool-plugin/unmark-src-as-sources.png" alt-text="Screenshot showing the unmark the src as sources." border="true":::

+- **Scalability**: DICOM service is designed out-of-the-box to support different workload levels at a hospital, country/region, and global scale without sacrificing any performance spec by using autoscaling features.

+- **Closing the feedback loop with teleradiologists**: Ideally a radiologist has access to a hospitalΓÇÖs clinical data to close the feedback loop after making a recommendation. However for teleradiologists, this is often not the case. Instead, they're often unable to close the feedback loop after performing a diagnosis, since they don't have access to patient data after the initial read. With no (or limited) access to clinical results or outcomes, they canΓÇÖt get the feedback necessary to improve their skills. As one teleradiologist put it: ΓÇ£Take parathyroid for example. We do more than any other clinic in the country/region, and yet I have to beg and plead for surgeons to tell me what they actually found. Out of the more than 500 studies I do each month, I get direct feedback on only three or four.ΓÇ¥ Through integration with FHIR&trade;, an organization can easily create a tool that will provide direct feedback to teleradiologists, helping them to hone their skills and make better recommendations in the future.

+- Country/region

+|Selecting regions|By default, labs were created in the same geography as the lab account. A geography typically aligns with a country/region and contains one or more Azure regions. Lab owners weren't able to manage exactly which Azure region the labs resided in.|In the lab plan, administrators now can manage the exact Azure regions allowed for lab creation. By default, labs will be created in the same Azure region as the lab plan. </br> Note, when a lab plan has advanced networking enabled, labs are created in the same Azure region as virtual network.|

+ Title: 'Workspace soft deletion'

+description: Soft delete allows you to recover workspace data after accidental deletion

+monikerRange: 'azureml-api-2'

+# Recover workspace data while soft deleted

+The soft delete feature for Azure Machine Learning workspace provides a data protection capability that enables you to attempt recovery of workspace data after accidental deletion. Soft delete introduces a two-step approach in deleting a workspace. When a workspace is deleted, it's first soft deleted. While in soft-deleted state, you can choose to recover or permanently delete a workspace and its data during a data retention period.

+When a workspace is soft deleted, data and metadata stored service-side get soft deleted, but some configurations get hard deleted. Below table provides an overview of which configurations and objects get soft deleted, and which are hard deleted.

+Data / configuration | Soft deleted | Hard deleted

+After soft deletion, the service keeps necessary data and metadata during the recovery [retention period](#soft-delete-retention-period). When the retention period expires, or in case you permanently delete a workspace, data and metadata will be actively deleted.

+## Soft delete retention period

+A default retention period of 14 days holds for deleted workspaces. The retention period indicates how long workspace data remains available after it's deleted. The clock starts on the retention period as soon as a workspace is soft deleted.

+During the retention period, soft deleted workspaces can be recovered or permanently deleted. Any other operations on the workspace, like submitting a training job, will fail.

+> [!IMPORTANT]

+> You can't reuse the name of a workspace that has been soft deleted until the retention period has passed or the workspace is permanently deleted. Once the retention period elapses, a soft deleted workspace automatically gets permanently deleted.

+The default deletion behavior when deleting a workspace is soft delete. Optionally, you may override the soft delete behavior by permanently deleting your workspace. Permanently deleting a workspace ensures workspace data is immediately deleted. Use this option to meet related compliance requirements, or whenever you require a workspace name to be reused immediately after deletion. This may be useful in dev/test scenarios where you want to create and later delete a workspace.

+When deleting a workspace from the Azure Portal, check __Delete the workspace permanently__. You can permanently delete only one workspace at a time, and not using a batch operation.

+If you are using the [Azure Machine Learning SDK or CLI](https://learn.microsoft.com/python/api/azure-ai-ml/azure.ai.ml.operations.workspaceoperations#azure-ai-ml-operations-workspaceoperations-begin-delete), you can set the `permanently_delete` flag.

+```python

+from azure.ai.ml import MLClient

+from azure.identity import DefaultAzureCredential

+ml_client = MLClient(

+ DefaultAzureCredential(),

+ subscription_id="<SUBSCRIPTION_ID>",

+ resource_group_name="<RESOURCE_GROUP>"

+)

+result = ml_client.workspaces.begin_delete(

+ name="myworkspace",

+ permanently_delete=True,

+ delete_dependent_resources=False

+).result()

+print(result)

+```

+Once permanently deleted, workspace data can no longer be recovered. Permanent deletion of workspace data is also triggered when the soft delete retention period expires.

+## Manage soft deleted workspaces

+Soft deleted workspaces can be managed under the Azure Machine Learning resource provider in the Azure portal. To list soft deleted workspaces, use the following steps:

+1. From the [Azure portal](https://portal.azure.com), select __More services__. From the __AI + machine learning__ category, select __Azure Machine Learning__.

+1. From the top of the page, select __Recently deleted__ to view workspaces that were soft-deleted and are still within the retention period.

+ :::image type="content" source="./media/concept-soft-delete/soft-delete-manage-recently-deleted.png" alt-text="Screenshot highlighting the recently deleted link.":::

+1. From the recently deleted workspaces view, you can recover or permanently delete a workspace.

+ :::image type="content" source="./media/concept-soft-delete/soft-delete-manage-recently-deleted-panel.png" alt-text="Screenshot of the recently deleted workspaces view.":::

+## Recover a soft deleted workspace

+When you select *Recover* on a soft deleted workspace, it initiates an operation to restore the workspace state. The service attempts recreation or reattachment of a subset of resources, including Azure RBAC role assignments. Hard-deleted resources including compute clusters should be recreated by you.

+Azure Machine Learning recovers Azure RBAC role assignments for the workspace identity, but doesn't recover role assignments you have added on the workspace. It may take up to 15 minutes for role assignments to propagate after workspace recovery.

+Recovery of a workspace may not always be possible. Azure Machine Learning stores workspace metadata on [other Azure resources associated with the workspace](concept-workspace.md#associated-resources). In the event these dependent Azure resources were deleted, it may prevent the workspace from being recovered or correctly restored. Dependencies of the Azure Machine Learning workspace must be recovered first, before recovering a deleted workspace. The following table outlines recovery options for each dependency of the Azure Machine Learning workspace.

+|Dependency|Recovery approach|

+|||

+|Azure Key Vault| [Recover a deleted Azure Key Vault instance](../key-vault/general/soft-delete-overview.md) |

+|Azure Storage|[Recover a deleted Azure storage account](../storage/common/storage-account-recover.md).|

+|Azure Container Registry|Azure Container Registry is not a hard requirement for workspace recovery. Azure Machine Learning can regenerate images for custom environments.|

+|Azure Application Insights| First, [recover your log analytics workspace](../azure-monitor/logs/delete-workspace.md). Then recreate an application insights with the original name.|

+In general, when a workspace is in soft deleted state, there are only two operations possible: 'permanently delete' and 'recover'. All other operations will fail. Therefore, even though the workspace exists, no compute operations can be performed and hence no usage will occur. When a workspace is soft deleted, any cost-incurring resources including compute clusters are hard deleted.

+> Workspaces that use [customer-managed keys for encryption](concept-data-encryption.md) store additional service data in your subscription in a managed resource group. When a workspace is soft deleted, the managed resource group and resources in it will not be deleted and will incur cost until the workspace is hard-deleted.

+After soft deletion, the service keeps necessary data and metadata during the recovery [retention period](#soft-delete-retention-period). From a GDPR and privacy perspective, a request to delete personal data should be interpreted as a request for *permanent* deletion of a workspace and not soft delete.

+fs = AzureMachineLearningFileSystem('azureml://subscriptions/<subid>/resourcegroups/<rgname>/workspaces/<workspace_name>/datastores/<datastorename>/paths/')

+ 1. Select the **Notebooks** tab.

+ 1. If the compute instance is stopped, select **Start compute** and wait until it is running.

+ :::image type="content" source="media/tutorial-azure-ml-in-a-day/start-compute.png" alt-text="Screenshot shows how to start compute if it is stopped." lightbox="media/tutorial-azure-ml-in-a-day/start-compute.png":::

+ 1. If the compute instance you wish to use is stopped, select it and then select **Start**.

+ 1. Once the compute instance is running, in the *Applications* column, select **VS Code (Web)**.

+ 1. If the compute instance is stopped, select **Start compute** and wait until it is running.

+ :::image type="content" source="media/tutorial-azure-ml-in-a-day/start-compute.png" alt-text="Screenshot shows how to start compute if it is stopped." lightbox="media/tutorial-azure-ml-in-a-day/start-compute.png":::

+ 1. Select the **Compute** tab.

+ 1. If the compute instance you wish to use is stopped, select it and then select **Start**.

+ 1. Once the compute instance is running, in the *Applications* column, select **VS Code (Desktop)**.

+4. The **Transfer type** is an import to Azure. Specify the country/region in which the data resides, and the Azure region to which you want to transfer the data.

+ Title: "Tutorial: Manage MySQL credentials in Azure Key Vault"

+description: "This tutorial shows how to store and get an Azure Database for MySQL Flexible Server connection string in Azure Key Vault"

+# Tutorial: Manage MySQL credentials in Azure Key Vault

+You can store the MySQL connection string in Azure Key Vault to ensure that sensitive information is securely managed and accessed only by authorized users or applications. Additionally, any changes to the connection string can be easily updated in the Key Vault without modifying the application code.

+## Prerequisites

+- You need an Azure subscription. If you don't already have a subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- All access to secrets takes place through Azure Key Vault. For this quickstart, create a key vault using [Azure portal](../../key-vault/general/quick-create-portal.md), [Azure CLI](../../key-vault/general/quick-create-cli.md), or [Azure PowerShell](../../key-vault/general/quick-create-powershell.md). Make sure you have the necessary permissions to manage and access the Key Vault.

+- Install .NET or Java or PHP or Python based on the framework you are using for your application.

+## Add a secret to Key Vault

+To add a secret to the vault, follow the steps:

+1. Navigate to your new key vault in the Azure portal

+1. On the Key Vault settings pages, select **Secrets**.

+1. Select on **Generate/Import**.

+1. On the **Create a secret** page, provide the following information:

+ - **Upload options**: Manual.

+ - **Name**: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be a 1-127 character string, starting with a letter and containing only 0-9, a-z, A-Z, and -. For more information on naming, see [Key Vault objects, identifiers, and versioning](../../key-vault/general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning)

+ - **Value**: Type a value for the secret. Key Vault APIs accept and return secret values as strings.

+ - Leave the other values to their defaults. Select **Create**.

+Once that you receive the message that the secret has been successfully created, you may select on it on the list.

+For more information, see [About Azure Key Vault secrets](../../key-vault/secrets/secrets-best-practices.md)

+## Configure access policies

+In the Key Vault settings, configure the appropriate access policies to grant access to the users or applications that need to retrieve the MySQL connection string from the Key Vault. Ensure that the necessary permissions are granted for "Get" operations on secrets.

+1. In the [Azure portal](https://portal.azure.com), navigate to the Key Vault resource.

+1. Select **Access policies**, then select **Create**.

+1. Select the permissions you want under **Key permissions**, **Secret permissions**, and **Certificate permissions**.

+1. Under the **Principal** selection pane, enter the name of the user, app or service principal in the search field and select the appropriate result. If you're using a managed identity for the app, search for and select the name of the app itself.

+1. Review the access policy changes and select **Create** to save the access policy.

+1. Back on the **Access policies** page, verify that your access policy is listed.

+

+## Retrieve the MySQL connection string

+In your application or script, use the Azure Key Vault SDK or client libraries to authenticate and retrieve the MySQL connection string from the Key Vault. You need to provide the appropriate authentication credentials and access permissions to access the Key Vault. Once you have retrieved the MySQL connection string from Azure Key Vault, you can use it in your application to establish a connection to the MySQL database. Pass the retrieved connection string as a parameter to your database connection code.

+### Code samples to retrieve connection string

+Here are few code samples to retrieve the connection string from the key vault secret.

+### [.NET](#tab/dotnet)

+In this code, we are using [Azure SDK for .NET](https://github.com/Azure/azure-sdk-for-net). We define the URI of our Key Vault and the name of the secret (connection string) we want to retrieve. We then create a new DefaultAzureCredential object, which represents the authentication information for our application to access the Key Vault.

+```net

+using System;

+using System.Threading.Tasks;

+using Azure.Identity;

+using Azure.Security.KeyVault.Secrets;

+namespace KeyVaultDemo

+{

+ class Program

+ {

+ static async Task Main(string[] args)

+ {

+ var kvUri = "https://my-key-vault.vault.azure.net/";

+ var secretName = "my-db-conn-string";

+

+ var credential = new DefaultAzureCredential();

+ var client = new SecretClient(new Uri(kvUri), credential);

+ var secret = await client.GetSecretAsync(secretName);

+ var connString = secret.Value;

+ Console.WriteLine($"Connection string retrieved: {connString}");

+ }

+ }

+}

+```

+### [Java](#tab/java)

+In this Java code, we use the [Azure SDK for Java](https://github.com/Azure/azure-sdk-for-java) to interact with Azure Key Vault. We first define the Key Vault URL and the name of the secret (connection string) we want to retrieve. Then, we create a SecretClient object using the SecretClientBuilder class. We set the Key Vault URL and provide the DefaultAzureCredential to authenticate with Azure AD. The DefaultAzureCredential automatically authenticates using the available credentials, such as environment variables, managed identities, or Visual Studio Code authentication.

+Next, we use the _getSecret_ method on the **SecretClient** to retrieve the secret. The method returns a **KeyVaultSecret** object, from which we can obtain the secret value using the _getValue_ method. Finally, we print the retrieved connection string to the console. Make sure to replace the _keyVaultUrl_ and _secretName_ variables with your own Key Vault URL and secret name. Next, we create a new **SecretClient** object and pass in the Key Vault URI and the credential object. We can then call the GetSecretAsync method on the client object, passing in the name of the secret we want to retrieve.

+```java

+import com.azure.identity.DefaultAzureCredentialBuilder;

+import com.azure.security.keyvault.secrets.SecretClient;

+import com.azure.security.keyvault.secrets.SecretClientBuilder;

+import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

+public class KeyVaultDemo {

+ public static void main(String[] args) {

+ String keyVaultUrl = "https://my-key-vault.vault.azure.net/";

+ String secretName = "my-db-conn-string";

+ SecretClient secretClient = new SecretClientBuilder()

+ .vaultUrl(keyVaultUrl)

+ .credential(new DefaultAzureCredentialBuilder().build())

+ .buildClient();

+ KeyVaultSecret secret = secretClient.getSecret(secretName);

+ String connString = secret.getValue();

+ System.out.println("Connection string retrieved: " + connString);

+ }

+}

+```

+### [PHP](#tab/php)

+In this PHP code, we first require the necessary autoload file and import the required classes from the [Azure SDK for PHP](https://github.com/Azure/azure-sdk-for-php). We define the _$keyVaultUrl_ variable with the URL of your Azure Key Vault and _$secretName_ variable with the name of the secret (connection string) you want to retrieve. Next, we create a **DefaultAzureCredential** object to authenticate with Azure AD, which automatically picks up the available credentials from your environment.

+We then create a **SecretClient** object, passing the Key Vault URL and the credential object to authenticate with the Key Vault. The _getSecret_ method on the **SecretClient** can retrieve the secret by passing the _$secretName_. The method returns a KeyVaultSecret object, from which we can obtain the secret value using the getValue method. Finally, we print the retrieved connection string to the console. Make sure to have the necessary Azure SDK packages installed and the autoload file included properly in your PHP project.

+```php

+require_once 'vendor/autoload.php';

+use Azure\Identity\DefaultAzureCredential;

+use Azure\Security\KeyVault\Secrets\SecretClient;

+$keyVaultUrl = 'https://my-key-vault.vault.azure.net/';

+$secretName = 'my-db-conn-string';

+$credential = new DefaultAzureCredential();

+$client = new SecretClient($keyVaultUrl, $credential);

+$secret = $client->getSecret($secretName);

+$connString = $secret->getValue();

+echo 'Connection string retrieved: ' . $connString;

+```

+### [Python](#tab/python)

+In this Python code, we first import the necessary modules from the [Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python). We define the _key_vault_url_ variable with the URL of your Azure Key Vault and _secret_name_ variable with the name of the secret (connection string) you want to retrieve. Next, we create a **DefaultAzureCredential** object to authenticate with Azure AD. The **DefaultAzureCredential** automatically authenticates using the available credentials, such as environment variables, managed identities, or Visual Studio Code authentication.

+Then, we create a **SecretClient** object, passing the Key Vault URL and the credential object to authenticate with the Key Vault. The _get_secret_ method on the **SecretClient** can retrieve the secret by passing the secret_name. The method returns a **KeyVaultSecret** object, from which we can obtain the secret value using the value property. Finally, we print the retrieved connection string to the console. Make sure to replace the _key_vault_url_ and _secret_name_ variables with your own Key Vault URL and secret name.

+```python

+from azure.identity import DefaultAzureCredential

+from azure.keyvault.secrets import SecretClient

+key_vault_url = "https://my-key-vault.vault.azure.net/"

+secret_name = "my-db-conn-string"

+credential = DefaultAzureCredential()

+secret_client = SecretClient(vault_url=key_vault_url, credential=credential)

+secret = secret_client.get_secret(secret_name)

+conn_string = secret.value

+print("Connection string retrieved:", conn_string)

+```

+--

+## Next steps

+[Azure Key Vault client libraries](../../key-vault/general/client-libraries.md)

+| Australia East | 40.79.161.1, 13.70.112.32 | 13.75.149.87 | |

+| Australia South East | 13.77.49.32, 13.77.48.10, 13.77.49.33 | 13.73.109.251 | |

+| Canada East | 40.69.105.32, 40.69.105.32 | 52.242.30.154, 40.86.226.166 | |

+| West Central US | 13.71.193.34 | 13.78.145.25, 52.161.100.158 | |

+|[Public Holidays](https://azure.microsoft.com/services/open-datasets/catalog/public-holidays/) | [Azure Notebooks](https://azure.microsoft.com/services/open-datasets/catalog/public-holidays/?tab=data-access#AzureNotebooks) <br> [Azure Databricks](https://azure.microsoft.com/services/open-datasets/catalog/public-holidays/?tab=data-access#AzureDatabricks) | Worldwide public holiday data, covering 41 countries or regions from 1970 to 2099. Includes country/region and whether most people have paid time off. |

+The intelligent tuning feature of Azure Database for PostgreSQL - Flexible Server is designed to enhance overall

+performance automatically and help prevent possible issues. It continuously monitors the database instance's overall

+status and performance and automatically optimizes the workload's performance.

+The Azure Database for PostgreSQL - Flexible Server is equipped with an inherent intelligence mechanism that can

+dynamically adapt the database to your workload, thereby automatically enhancing performance. This feature comprises two

+automatic tuning functionalities:

+* **Autovacuum tuning**: This function diligently tracks the bloat ratio and adjusts autovacuum settings accordingly. It

+ factors in both current and predicted resource usage to ensure your workload isn't disrupted.

+* **Writes tuning**: This feature persistently monitors the volume and patterns of write operations, modifying

+ parameters that affect write performance. These parameters

+ include `bgwriter_delay`, `checkpoint_completion_target`, `max_wal_size`, and `min_wal_size`. The primary aim of these

+ adjustments is to enhance both system performance and reliability, thereby proactively averting potential

+ complications.

+Learn how to enable intelligent tuning using [Azure portal](how-to-enable-intelligent-performance-portal.md) or [CLI](how-to-enable-intelligent-performance-cli.md).

+## Why intelligent tuning?

+The autovacuum process is a critical part of maintaining the health and performance of a PostgreSQL database. It helps

+to reclaim storage occupied by "dead" rows, freeing up space and ensuring the database continues to run smoothly.

+Equally important is the tuning of write operations within the database, a task that typically falls to database

+administrators (DBAs).

+However, constantly monitoring a database and fine-tuning write operations can be challenging and time-consuming. This

+becomes increasingly complex when dealing with multiple databases, and might even become an impossible task when

+managing a large number of them.

+This is where intelligent tuning steps in. Rather than manually overseeing and tuning your database, the intelligent

+tuning feature can effectively shoulder some of the load. It helps in the automatic monitoring and tuning of the

+database, allowing you to focus on other important tasks.

+Intelligent tuning provides an autovacuum tuning feature that vigilantly monitors the bloat ratio, adjusting settings as needed to ensure optimal resource utilization. It proactively manages the "cleaning" process of the database, mitigating performance issues caused by outdated data.

+In addition, the Writes Tuning aspect of intelligent tuning observes the quantity and transactional patterns of write operations. It intelligently adjusts parameters such as `bgwriter_delay`, `checkpoint_completion_target`, `max_wal_size`, and `min_wal_size`. By doing so, it effectively enhances system performance and reliability, ensuring smooth and efficient operation even under high write loads.

+In summary, intelligent tuning provides an efficient solution for database monitoring and tuning, taking the hard and

+tedious tasks off your plate. By using this automatic tuning feature, you can rely on the Azure Database for

+PostgreSQL - Flexible Server to maintain the optimal performance of your databases, saving you valuable time and

+resources.

+### How does intelligent tuning work?

+Intelligent Tuning is an ongoing monitoring and analysis process that not only learns about the characteristics of your

+workload but also tracks your current load and resource usage such as CPU or IOPS. By doing so, it makes sure not to

+disturb the normal operations of your application workload.

+The process allows the database to dynamically adjust to your workload by discerning the current bloat ratio, write

+performance, and checkpoint efficiency on your instance. Armed with these insights, intelligent tuning deploys tuning

+actions designed to not only enhance your workload's performance but also to circumvent potential pitfalls.

+## Autovacuum tuning

+Intelligent tuning adjusts five significant parameters related to

+autovacuum: `autovacuum_vacuum_scale_factor`, `autovacuum_cost_limit`, `autovacuum_naptime`, `autovacuum_vacuum_threshold`,

+and `autovacuum_vacuum_cost_delay`. These parameters regulate components such as the fraction of the table that sets off

+a VACUUM process, the cost-based vacuum delay limit, the pause interval between autovacuum runs, the minimum count of

+updated or dead tuples needed to start a VACUUM, and the pause duration between cleanup rounds.

+> [!IMPORTANT]

+> Autovacuum tuning is currently supported for the General Purpose and Memory Optimized server compute tiers that have

+> four or more vCores, Burstable server compute tier is not supported.

+> [!IMPORTANT]

+> It's important to keep in mind that intelligent tuning modifies autovacuum-related parameters at the server level, not

+> at individual table levels. Also, if autovacuum is turned off, intelligent tuning cannot operate correctly. For

+> intelligent tuning to optimize the process, the autovacuum feature must be enabled.

+While the autovacuum daemon triggers two operations - VACUUM and ANALYZE, intelligent tuning only fine-tunes the VACUUM

+process. The ANALYZE process, which gathers statistics on table contents to help the PostgreSQL query planner choose the

+most suitable query execution plan, is currently not adjusted by this feature.

+One key feature of intelligent tuning is that it includes safeguards to measure resource utilization like CPU and IOPS.

+This means that it will not ramp up autovacuum activity when your instance is under heavy load. This way, intelligent

+tuning ensures a balance between effective cleanup operations and the overall performance of your system.

+When optimizing autovacuum, intelligent tuning considers the server's average bloat, using statistics about live and

+dead tuples. To lessen bloat, intelligent tuning might reduce parameters like the scale factor or naptime, triggering

+the VACUUM process sooner and, if necessary, decreasing the delay between rounds.

+On the other hand, if the bloat is minimal and the autovacuum process is too aggressive, then parameters such as delay,

+scale factor, and naptime may be increased. This balance ensures minimal bloat and the efficient use of the resources by

+the autovacuum process.

+## Writes tuning

+Intelligent tuning adjusts four parameters related to writes

+tuning:`bgwriter_delay`, `checkpoint_completion_target`, `max_wal_size`, and `min_wal_size`. The behavior and benefits of adjusting some of these are described below.

+The `bgwriter_delay` parameter determines the frequency at which the background writer process is awakened to clean "dirty" buffers (those buffers that are new or modified). The background writer process is one of three processes in PostgreSQL

+that handle write operations, the other two being the checkpointer process and backends (standard client processes, such

+as application connections). The background writer process's primary role is to alleviate the load from the main

+checkpointer process and decrease the strain of backend writes. By adjusting the `bgwriter_delay` parameter, which governs the frequency of background writer rounds, we can also optimize the performance of DML queries.

+The `checkpoint_completion_target` parameter is part of the second write mechanism supported by PostgreSQL, specifically

+the checkpointer process. Checkpoints occur at constant intervals defined by `checkpoint_timeout` (unless forced by

+exceeding the configured space). To avoid overloading the I/O system with a surge of page writes, writing dirty buffers

+during a checkpoint is spread out over a period of time. This duration is controlled by

+the `checkpoint_completion_target`, specified as a fraction of the checkpoint interval, which is set

+using `checkpoint_timeout`.

+While the default value of `checkpoint_completion_target` is 0.9 (since PostgreSQL 14), which generally works best as it

+spreads the I/O load over the maximum time period, there might be rare instances where, due to unexpected fluctuations

+in the number of WAL segments needed, checkpoints may not complete in time. Hence, due to its potential impact on

+performance, `checkpoint_completion_target` has been chosen as a target metric for intelligent tuning.

+* ANALYZE settings are not adjusted by intelligent tuning.

+## Next steps

+* [Configure intelligent performance for Azure Database for PostgreSQL - Flexible Server using Azure portal](how-to-enable-intelligent-performance-portal.md)

+* [Configure intelligent performance for Azure Database for PostgreSQL - Flexible Server using Azure CLI](how-to-enable-intelligent-performance-cli.md)

+* [Troubleshooting guides for Azure Database for PostgreSQL - Flexible Server](concepts-troubleshooting-guides.md)

+* [Autovacuum Tuning in Azure Database for PostgreSQL - Flexible Server](how-to-autovacuum-tuning.md)

+* [Troubleshoot high IOPS utilization for Azure Database for PostgreSQL - Flexible Server](how-to-high-io-utilization.md)

+* [Best practices for uploading data in bulk in Azure Database for PostgreSQL - Flexible Server](how-to-bulk-load-data.md)

+* [Troubleshoot high CPU utilization in Azure Database for PostgreSQL - Flexible Server](how-to-high-cpu-utilization.md)

+* [Query Performance Insight for Azure Database for PostgreSQL - Flexible Server](concepts-query-performance-insight.md)

+ Title: Configure intelligent performance - Azure Database for PostgreSQL - Flexible Server

+description: This article describes how to configure intelligent performance in Azure Database for PostgreSQL - Flexible Server using the Azure CLI.

+ms.devlang: azurecli

+# Configure intelligent performance for Azure Database for PostgreSQL - Flexible Server using Azure CLI

+You can verify and update intelligent performance configuration for an Azure PostgreSQL server using the Command Line Interface (Azure CLI).

+To learn more about intelligent tuning, see the [overview](concepts-intelligent-tuning.md).

+## Prerequisites

+- If you don't have an Azure subscription, create a [free](https://azure.microsoft.com/free/) account before you begin.

+- Install or upgrade Azure CLI to the latest version. See [Install Azure CLI](/cli/azure/install-azure-cli).

+- Log in to Azure account using [az login](/cli/azure/reference-index#az-login) command. Note the **id** property, which refers to **Subscription ID** for your Azure account.

+ ```azurecli

+ az login

+ ````

+- If you have multiple subscriptions, choose the appropriate subscription in which you want to create the server using the ```az account set``` command.

+ ```azurecli-interactive

+ az account set --subscription <subscription id>

+ ```

+- Create a PostgreQL Flexible Server if you haven't already created one using the ```az postgres flexible-server create``` command.

+ ```azurecli-interactive

+ az postgres flexible-server create --resource-group myresourcegroup --name myservername

+ ```

+## Verify current settings

+Use the [az postgres flexible-server parameter show](/cli/azure/postgres/flexible-server/parameter#az-postgres-flexible-server-parameter-show) to confirm the current settings of the intelligent performance feature.

+You can verify if this feature is activated for the server **mydemoserver.postgres.database.azure.com** under the resource group **myresourcegroup** by using the command below.

+```azurecli-interactive

+az postgres flexible-server parameter show --resource-group myresourcegroup --server-name mydemoserver --name intelligent_tuning --query value

+```

+Also, you can inspect the current setting of the **intelligent_tuning.metric_targets** server parameter using:

+```azurecli-interactive

+az postgres flexible-server parameter show --resource-group myresourcegroup --server-name mydemoserver --name intelligent_tuning.metric_targets --query value

+```

+## Enable intelligent tuning

+For enabling or disabling the intelligent tuning, and choosing among the following tuning targets: `none`, `Storage-checkpoint_completion_target`, `Storage-min_wal_size`,`Storage-max_wal_size`, `Storage-bgwriter_delay`, `tuning-autovacuum`, `all`, you should use the [az postgres flexible-server parameter set](/cli/azure/postgres/flexible-server/parameter#az-postgres-flexible-server-parameter-set) command.

+> [!IMPORTANT]

+> Autovacuum tuning is currently supported for the General Purpose and Memory Optimized server compute tiers that have four or more vCores, Burstable server compute tier is not supported.

+To begin with, activate the intelligent tuning feature with the following command.

+```azurecli-interactive

+az postgres flexible-server parameter set --resource-group myresourcegroup --server-name mydemoserver --name intelligent_tuning --value ON

+```

+Next, select the tuning targets you wish to activate.

+For activating all tuning targets, use:

+```azurecli-interactive

+az postgres flexible-server parameter set --resource-group myresourcegroup --server-name mydemoserver --name intelligent_tuning.metric_targets --value all

+```

+For enabling autovacuum tuning only:

+```azurecli-interactive

+az postgres flexible-server parameter set --resource-group myresourcegroup --server-name mydemoserver --name intelligent_tuning.metric_targets --value tuning-autovacuum

+```

+For activating two tuning targets:

+```azurecli-interactive

+az postgres flexible-server parameter set --resource-group myresourcegroup --server-name mydemoserver --name intelligent_tuning.metric_targets --value tuning-autovacuum,Storage-bgwriter_delay

+```

+In case you wish to reset a parameter's value to default, simply exclude the optional `--value` parameter. The service then applies the default value. In the above example, it would look like the following and would set `intelligent_tuning.metric_targets` to `none`:

+```azurecli-interactive

+az postgres flexible-server parameter set --resource-group myresourcegroup --server-name mydemoserver --name intelligent_tuning.metric_targets

+```

+> [!NOTE]

+> Both `intelligent_tuning` and `intelligent_tuning.metric_targets` server parameters are dynamic, meaning no server restart is required when their values are changed.

+### Considerations for selecting `intelligent_tuning.metric_targets` values

+When choosing values from the `intelligent_tuning.metric_targets` server parameter take the following considerations into account:

+* The `NONE` value takes precedence over all other values. If `NONE` is chosen alongside any combination of other values, the parameter will be perceived as set to `NONE`. This is equivalent to `intelligent_tuning = OFF`, implying that no tuning will occur.

+* The `ALL` value takes precedence over all other values, with the exception of `NONE` as detailed above. If `ALL` is chosen with any combination, barring `NONE`, all the listed parameters will undergo tuning.

+> [!NOTE]

+> The `ALL` value encompasses all existing metric targets. Moreover, this value will also automatically apply to any new metric targets that might be added in the future. This allows for comprehensive and future-proof tuning of your PostgreSQL server.

+* If you wish to include an additional tuning target, you will need to specify both the existing and new tuning targets. For example, if `bgwriter_delay` is already enabled, and you want to add autovacuum tuning, your command would look like this:

+```azurecli-interactive

+az postgres flexible-server parameter set --resource-group myresourcegroup --server-name mydemoserver --name intelligent_tuning.metric_targets --value tuning-autovacuum,Storage-bgwriter_delay

+```

+Please note that specifying only a new value would overwrite the current settings. So, when adding a new tuning target, always ensure that you include the existing tuning targets in your command.

+## Next steps

+- [Perform intelligent tuning in Azure Database for PostgreSQL - Flexible Server

+](concepts-intelligent-tuning.md)

+ Title: Configure intelligent performance - Azure Database for PostgreSQL - Flexible Server - Portal

+description: This article describes how to configure intelligent performance in Azure Database for PostgreSQL Flexible Server through the Azure portal.

+# Configure intelligent performance for Azure Database for PostgreSQL - Flexible Server using Azure portal

+This article provides a step-by-step procedure to configure intelligent performance in Azure Database for PostgreSQL - Flexible Server using Azure portal.

+To learn more about intelligent tuning, see the [overview](concepts-intelligent-tuning.md).

+> [!IMPORTANT]

+> Autovacuum tuning is currently supported for the General Purpose and Memory Optimized server compute tiers that have four or more vCores, Burstable server compute tier is not supported.

+## Steps to enable intelligent tuning on your Flexible Server

+1. Visit the [Azure portal](https://portal.azure.com/) and select the flexible server on which you want to enable intelligent tuning.

+2. In the left pane, select **Server Parameters** and then search for **intelligent tuning**.

+

+ :::image type="content" source="media/how-to-intelligent-tuning-portal/enable-intelligent-tuning.png" alt-text="Screenshot of Server Parameter blade with search for intelligent tuning.":::

+3. You'll notice two parameters: `intelligent_tuning` and `intelligent_tuning.metric_targets`. To activate intelligent tuning, change `intelligent_tuning` to `ON`. You have the option to select one, multiple, or all available tuning targets in the `intelligent_tuning.metric_targets`. Click the `Save` button to apply these changes.

+> [!NOTE]

+> Both `intelligent_tuning` and `intelligent_tuning.metric_targets` server parameters are dynamic, meaning no server restart is required when their values are changed.

+### Considerations for selecting `intelligent_tuning.metric_targets` values

+When choosing values from the `intelligent_tuning.metric_targets` server parameter take the following considerations into account:

+* The `NONE` value takes precedence over all other values. If `NONE` is chosen alongside any combination of other values, the parameter will be perceived as set to `NONE`. This is equivalent to `intelligent_tuning = OFF`, implying that no tuning will occur.

+* The `ALL` value takes precedence over all other values, with the exception of `NONE` as detailed above. If `ALL` is chosen with any combination, barring `NONE`, all the listed parameters will undergo tuning.

+> [!NOTE]

+> The `ALL` value encompasses all existing metric targets. Moreover, this value will also automatically apply to any new metric targets that might be added in the future. This allows for comprehensive and future-proof tuning of your PostgreSQL server.

+## Next steps

+- [Perform intelligent tuning in Azure Database for PostgreSQL - Flexible Server

+](concepts-intelligent-tuning.md)

+When building custom application or some frameworks they maybe using `INT` instead of `BIGINT` for primary keys. When you use ```INT```, you run the risk of where the value in your database can exceed storage capacity of ```INT``` data type. Making this change to an existing production application can be time consuming with cost more development time. Another option is to use [UUID](https://www.postgresql.org/docs/current/datatype-uuid.html) for primary keys.This identifier uses an auto-generated 128-bit string, for example ```a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11```. Learn more about [PostgreSQL data types](https://www.postgresql.org/docs/current/datatype.html).

+There are many types of [indexes](https://www.postgresql.org/docs/current/indexes.html) in Postgres which can be used in different ways. Using an index helps the server find and retrieve specific rows much faster than it could do without an index. But indexes also add overhead to the database server, hence avoid having too many indexes.

+The [Query Store](./concepts-query-store.md) feature in Azure Database for PostgreSQL provides a method to track query statistics. We recommend this feature as an alternative to using pg_stats_statements.

+ |The Integrated Circuit Card Identification Number (ICCID). The ICCID identifies a specific physical SIM or eSIM, and includes information on the SIM's country/region and issuer. It's a unique numerical value between 19 and 20 digits in length, beginning with 89. |**ICCID**|`integratedCircuitCardIdentifier`|

+- The RAN units have completed the process of homologation and received regulatory approval for their use on a certain frequency band in a country/region.

+| The Integrated Circuit Card Identification Number (ICCID). The ICCID identifies a specific physical SIM or eSIM, and includes information on the SIM's country/region and issuer. The ICCID is a unique numerical value between 19 and 20 digits in length, beginning with 89. | **ICCID** | `integratedCircuitCardIdentifier` |

+| [Yes](#register) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan)| [Yes](#scan)| [Source dependent](create-sensitivity-label.md) | [Yes](#access-policy) | [Source Dependent](catalog-lineage-user-guide.md)| No |

+Person's address classification is used to detect full address stored in a single column containing the following elements: House number, Street Name, City, State, Country/Region, Zip Code. Person's Address classifier uses machine learning model that is trained on the global addresses data set in English language.

+(\*) Certain regions are access restricted to support specific customer scenarios, such as in-country/region disaster recovery. These regions are available only upon request by [creating a new support request](/troubleshoot/azure/general/region-access-request-process#reserved-access-regions).

+ Title: Configure and view Backup status for your SAP system on Virtual Instance for SAP solutions (preview)

+description: Learn how to configure and view Backup status for your SAP system through the Virtual Instance for SAP solutions (VIS) resource in Azure Center for SAP solutions.

+#Customer intent: As an SAP Basis Admin, I want to understand how to configure backup for my SAP system and monitor it to ensure backups are running as expected.

+# Configure and monitor Azure Backup status for your SAP system through Virtual Instance for SAP solutions (Preview)

+> [!NOTE]

+> Configuration of Backup from Virtual Instance for SAP solutions feature is currently in Preview.

+In this how-to guide, you'll learn to configure and monitor Azure Backup for your SAP system through the Virtual Instance for SAP solutions (VIS) resource in Azure Center for SAP solutions.

+When you configure Azure Backup from the VIS resource, you get to enable Backup for all your **Central service and Application server virtual machines** and **HANA Database** in one go. For HANA Database, Azure Center for SAP solutions automates the step of running the [Pre-Registration script](/azure/backup/tutorial-backup-sap-hana-db#what-the-pre-registration-script-does).

+Once backup is configured, you can monitor the status of your Backup Jobs for both virtual machines and HANA DB from the VIS.

+If you have already configured Backup from Azure Backup Center for your SAP VMs and HANA DB, then VIS resource automatically detects this and enables you to monitor the status of Backup jobs.

+Before you can go ahead and use this feature in preview, register for it from the Backup (preview) tab on the Virtual Instance for SAP solutions resource on the Azure portal.

+## Prerequisites

+- A Virtual Instance for SAP solutions resource representing your SAP system on Azure Center for SAP solutions.

+- An Azure account with **Contributor** role access on the Subscription in which your SAP system exists.

+- Register **Microsoft.Features** Resource Provider on your subscription.

+- Register your subscription for this preview feature in Azure Center for SAP solutions.

+- After you have successfully registered for the Preview feature, re-register Microsoft.Workloads resource provider on the Subscription.

+- To be able to configure Backup from the VIS resource, assign **Backup Contributor** role access to **Azure Workloads Connector Service** first-party app. This step is not required if you have already configured Backup for your VMs and HANA DB using Azure Backup Center. You will be able to monitor Backup of your SAP system from the VIS.

+- For HANA database backup, ensure the [prerequisites](/azure/backup/tutorial-backup-sap-hana-db#prerequisites) required by Azure Backup are in place.

+- For HANA database backup, create a HDB Userstore key that will be used for preparing HANA DB for configuring Backup.

+> [!NOTE]

+> If you are configuring backup for HANA database from the Virtual Instance for SAP solutions resource, you can skip running the [Backup pre-registration script](/azure/backup/tutorial-backup-sap-hana-db#what-the-pre-registration-script-does). Azure Center for SAP solutions runs this script before configuring HANA backup.

+## Register for Backup integration preview feature

+Before you can start configuring Backup from the VIS resource or viewing Backup status on VIS resource in case Backup is already configured, you need to register for the Backup integration feature in Azure Center for SAP solutions. Follow these steps to register for the feature:

+1. Sign into the [Azure portal](https://portal.azure.com) as a user with **Contributor** role access.

+2. Search for **ACSS** and select **Azure Center for SAP solutions** from search results.

+3. On the left navigation, select **Virtual Instance for SAP solutions**.

+4. Select the **Backup (preview)** tab on the left navigation.

+5. Select the **Register for Preview** button.

+6. Registration for features can take upto 30 minutes and once it is complete, you can configure backup or view status of already configured backup.

+## Configure Backup for your SAP system

+You can configure Backup for your Central service and Application server virtual machines and HANA database from the Virtual Instance for SAP solutions resource following these steps:

+1. Sign into the [Azure portal](https://portal.azure.com).

+2. Search for **ACSS** and select **Azure Center for SAP solutions** from search results.

+3. On the left navigation, select **Virtual Instance for SAP solutions**.

+4. Select the **Backup (preview)** tab on the left navigation.

+5. If you have not registered for the preview feature, complete the registration process by selecting the **Register** button. This step is needed only once per Subscription.

+6. Select **Configure** button on the Backup (preview) page.

+7. Select the checkboxes **Central service + App server VMs Backup** and **Database Backup**.

+8. For Central service + App server VMs Backup, select an existing Recovery Services vault or Create new.

+ - Select a Backup policy that is to be used for backing up Central service and App server VMs.

+9. For Database Backup, select an existing Recovery Services vault or Create new.

+ - Select a Backup policy that is to be used for backing up HANA database.

+10. Provide a **HANA DB User Store** key name.

+11. If SSL enforce is enabled for the HANA database, provide the key store, trust store path and SSL hostname and crypto provider details.

+> [!NOTE]

+> If you are configuring backup for an HSR enabled HANA database from the Virtual Instance for SAP solutions resource, then the [Backup pre-registration script](/azure/backup/tutorial-backup-sap-hana-db#what-the-pre-registration-script-does) is run and backup configured only for the Primary HANA database node. In case of a failover, you will need to configure Backup on the new primary node.

+## Monitor Backup status of your SAP system

+After you configure Backup for the Virtual Machines and HANA Database of your SAP system either from the Virtual Instance for SAP solutions resource or from the Backup Center, you can monitor the status of Backup from the Virtual Instance for SAP solutions resource.

+To monitor Backup status:

+1. Sign into the [Azure portal](https://portal.azure.com).

+2. Search for **ACSS** and select **Azure Center for SAP solutions** from search results.

+3. On the left navigation, select **Virtual Instance for SAP solutions**.

+4. Select the **Backup (preview)** tab on the left navigation.

+5. If you have not registered for the preview feature, complete the registration process by selecting the **Register** button. This step is needed only once per Subscription.

+6. For Central service + App server VMs and HANA Database, view protection status of **Backup instances** and status of **Backup jobs** in the last 24 hours.

+> [!NOTE]

+> For a highly available HANA database, if you have configured Backup using the HSR Backup feature from Backup Center, that would not be detected and displayed under Database Backup section.

+## Next steps

+- [Monitor SAP system from the Azure portal](monitor-portal.md)

+- [Get quality checks and insights for a VIS resource](get-quality-checks-insights.md)

+- [Start and Stop SAP systems](start-stop-sap-systems.md)

+- [View Cost Analysis of SAP system](view-cost-analysis.md)

+| `Microsoft.Advisor/configurations/read` |

+| `Microsoft.Advisor/recommendations/read` |

+| **Azure Center for SAP solutions reader** |

+|- [Protection for on-premises Exchange and SharePoint content via the Rights Management connector](/azure/information-protection/deploy-rms-connector) | GA ^{[5](#aipnote5)} | GA ^{[6](#aipnote6)} | GA ^{[6](#aipnote6)} |

+|- [Control oversharing of information when using Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations) | GA | GA ^{[7](#aipnote7)} | GA ^{[7](#aipnote7)} |

+|**Classification and labeling** ^{[2](#aipnote2) / [8](#aipnote8)} | | | |

+^{<a name="aipnote6"></a>6} Only on-premises Exchange is supported. Outlook Protection Rules are not supported. On-premises SharePoint is not supported.

+^{<a name="aipnote7"></a>7} Sharing of protected documents and emails from government clouds to users in the commercial cloud is not currently available. Includes Microsoft 365 Apps users in the commercial cloud, non-Microsoft 365 Apps users in the commercial cloud, and users with an RMS for Individuals license.

+^{<a name="aipnote8"></a>8} The number of [Sensitive Information Types](/microsoft-365/compliance/sensitive-information-type-entity-definitions) in your Microsoft Purview compliance portal may vary based on region.

+We design and manage the Azure infrastructure to meet a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2. We also meet country-/region-specific standards, including Australia IRAP, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits, such as those done by the British Standards Institute, verify adherence to the strict security controls these standards mandate.

+- In-country/region storage for compliance or latency considerations.

+- Out-of-country/region storage for security or disaster recovery purposes.

+**Description:** A match indicates that a user logged in remotely from a country/region that is different from the country/region of the user's last remote login. This rule might also indicate an account compromise, particularly if the rule matches occurred closely in time. This includes the scenario of impossible travel.

+| **MaliciousIPCountry** | The [MaliciousIP](#MaliciousIP) country/region, according to the geographic information at the time of the record ingestion. |

+ > - An **alert** is a collection of events that, taken together, are significant from a security standpoint. An alert could contain a single event if the event had significant security implications - an administrative login from a foreign country/region outside of office hours, for example.

+For example ΓÇô if we want to find all the cases of a user that failed to sign in to an Azure resource, where it was the user's first attempt to connect from a given country/region, and connections from that country/region are uncommon even for the user's peers, we can use the following query:

+| **TargetGeoRegion** | Optional | Region | The region associated with the target IP address.<br><br>Example: `Vermont` |

+| **SrcGeoRegion** | Optional | Region | The region associated with the source IP address.<br><br>Example: `Vermont` |

+| **DstGeoRegion** | Optional | Region | The region, or state, associated with the destination IP address. For more information, see [Logical types](normalization-about-schemas.md#logical-types).<br><br>Example: `Vermont` |

+| **DnsResponseIpRegion** | Optional | Region | The region, or state, associated with one of the IP addresses in the DNS response. For more information, see [Logical types](normalization-about-schemas.md#logical-types).<br><br>Example: `Vermont` |

+| **SrcGeoRegion** | Optional | Region | The region associated with the source IP address.<br><br>Example: `Vermont` |

+| **DstGeoRegion** | Optional | Region | The region, or state, associated with the destination IP address. For more information, see [Logical types](normalization-about-schemas.md#logical-types).<br><br>Example: `Vermont` |

+| **SrcGeoRegion** | Optional | Region | The region associated with the source IP address.<br><br>Example: `Vermont` |

+| **SrcGeoRegion** | Optional | Region | The region associated with the source IP address.<br><br>Example: `Vermont` |

+| **DstGeoRegion** | Region (String) | Vermont | The region associated with the destination IP address | Destination,<br>Geo |

+- **Install and manage out-of-the-box content**

+ Find packaged solutions for end-to-end products or standalone content from the content hub in Microsoft Sentinel. To install and manage content from the content hub, assign the [**Template Spec Contributor**](../role-based-access-control/built-in-roles.md#template-spec-contributor) role at the resource group level.

+

+- **Automate responses to threats with playbooks**

+ Microsoft Sentinel uses playbooks for automated threat response. Playbooks are built on Azure Logic Apps, and are a separate Azure resource. For specific members of your security operations team, you might want to assign the ability to use Logic Apps for Security Orchestration, Automation, and Response (SOAR) operations. You can use the [**Microsoft Sentinel Playbook Operator**](../role-based-access-control/built-in-roles.md#microsoft-sentinel-playbook-operator) role to assign explicit, limited permission for running playbooks, and the [**Logic App Contributor**](../role-based-access-control/built-in-roles.md#logic-app-contributor) role to create and edit playbooks.

+- **Give Microsoft Sentinel permissions to run playbooks**

+- **Connect data sources to Microsoft Sentinel**

+ For a user to add data connectors, you must assign the user **Write** permissions on the Microsoft Sentinel workspace. Notice the required extra permissions for each connector, as listed on the relevant connector page.

+- **Allow guest users to assign incidents**

+ If a guest user needs to be able to assign incidents, you need to assign the [**Directory Reader**](../active-directory/roles/permissions-reference.md#directory-readers) to the user, in addition to the **Microsoft Sentinel Responder** role. Note that the Directory Reader role is *not* an Azure role but an Azure Active Directory role, and that regular (non-guest) users have this role assigned by default.

+- **Create and delete workbooks**

+ To create and delete a Microsoft Sentinel workbook, the user needs either the **Microsoft Sentinel Contributor** role or a lesser Microsoft Sentinel role, together with the [**Workbook Contributor**](../role-based-access-control/built-in-roles.md#workbook-contributor) Azure Monitor role. This role isn't necessary for *using* workbooks, only for creating and deleting.

+| Role | View and run playbooks | Create and edit playbooks | Create and edit analytics rules, workbooks, and other Microsoft Sentinel resources | Manage incidents (dismiss, assign, etc.) | View data, incidents, workbooks, and other Microsoft Sentinel resources | Install and manage content from the content hub|

+|||||||--|

+| Microsoft Sentinel Reader | -- | -- | --[*](#workbooks) | -- | &#10003; | --|

+| Microsoft Sentinel Responder | -- | -- | --[*](#workbooks) | &#10003; | &#10003; | --|

+| Microsoft Sentinel Contributor | -- | -- | &#10003; | &#10003; | &#10003; | --|

+| Microsoft Sentinel Playbook Operator | &#10003; | -- | -- | -- | -- | --|

+| Logic App Contributor | &#10003; | &#10003; | -- | -- | -- |-- |

+| Template Spec Contributor | -- | -- | -- | -- | -- |&#10003; |

+||[Template Spec Contributor](../role-based-access-control/built-in-roles.md#template-spec-contributor)|Microsoft Sentinel's resource group |Install and manage content from the content hub.|

+> [!TIP]

+> Get notified when this page is updated by copying and pasting the following URL into your feed reader:

+>

+> `https://aka.ms/sentinel/rss`

+You can submit messages to a queue or a topic for delayed processing, setting a time when the message becomes available for consumption. Scheduled messages can also be canceled. For more information, see [Scheduled messages](message-sequencing.md#scheduled-messages).

+The **Support ordering** feature allows you to specify whether messages that are sent to a topic are forwarded to the subscription in the same order in which they were sent. This feature doesn't support partitioned topics. For more information, see [TopicProperties.SupportOrdering](/dotnet/api/azure.messaging.servicebus.administration.topicproperties.supportordering) in .NET or [TopicProperties.setOrderingSupported](/java/api/com.azure.messaging.servicebus.administration.models.topicproperties.setorderingsupported) in Java.

+Enabling duplicate detection helps keep track of the application-controlled `MessageId` of all messages sent into a queue or topic during a specified time window. If any new message is sent with `MessageId` that was logged during the time window, the message is reported as accepted (the send operation succeeds), but the newly sent message is instantly ignored and dropped. No other parts of the message other than the `MessageId` are considered.

+Application control of the identifier is essential, because only that allows the application to tie the `MessageId` to a business process context from which it can be predictably reconstructed when a failure occurs.

+For a business process in which multiple messages are sent in the course of handling some application context, the `MessageId` may be a composite of the application-level context identifier, such as a purchase order number, and the subject of the message, for example, **12345.2017/payment**.

+The `MessageId` can always be some GUID, but anchoring the identifier to the business process yields predictable repeatability, which is desired for using the duplicate detection feature effectively.

+>- For information about `SessionId`, `PartitionKey`, and `MessageId`, see [Use of partition keys](service-bus-partitioning.md#use-of-partition-keys).

+Apart from just enabling duplicate detection, you can also configure the size of the duplicate detection history time window during which message-ids are retained. This value defaults to 10 minutes for queues and topics, with a minimum value of 20 seconds to maximum value of 7 days.

+Enabling duplicate detection and the size of the window directly impact the queue (and topic) throughput, since all recorded message IDs must be matched against the newly submitted message identifier.

+Keeping the window small means that fewer message IDs must be retained and matched, and throughput is impacted less. For high throughput entities that require duplicate detection, you should keep the window as small as possible.

+See samples for the older .NET and Java client libraries here:

+You can also pass a SequenceNumber to a peek operation. It's used to determine where to start peeking from. You can make subsequent calls to the peek operation without specifying the parameter to enumerate further.

+See samples for the older .NET and Java client libraries here:

+For example, consider a web site that needs to reliably execute jobs on a scale-constrained backend, and which occasionally experiences traffic spikes or wants to be insulated against availability episodes of that backend. In the regular case, the server-side handler for the submitted user data pushes the information into a queue and subsequently receives a reply confirming successful handling of the transaction into a reply queue. If there's a traffic spike and the backend handler can't process its backlog items in time, the expired jobs are returned on the dead-letter queue. The interactive user can be notified that the requested operation will take a little longer than usual, and the request can then be put on a different queue for a processing path where the eventual processing result is sent to the user by email.

+- [Prefetch messages](service-bus-prefetch.md)

+## Sequence number

+## Timestamp

+- Use the schedule message API, pass both the normal message and the scheduled time. The API returns the scheduled message's **SequenceNumber**, which you can later use to cancel the scheduled message if needed.

+The IP firewall rules are applied at the Service Bus namespace level. Therefore, the rules apply to all connections from clients using any supported protocol. Any connection attempt from an IP address that doesn't match an allowed IP rule on the Service Bus namespace is rejected as unauthorized. The response doesn't mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

+The virtual network rule is an association of the Service Bus namespace with a virtual network subnet. While the rule exists, all workloads bound to the subnet are granted access to the Service Bus namespace. Service Bus itself never establishes outbound connections, doesn't need to gain access, and is therefore never granted access to your subnet by enabling this rule.

+Unlike earlier expired draft versions from the AMQP working group that are still in use by a few message brokers, the working group's final, and standardized AMQP 1.0 protocol doesn't prescribe the presence of a message broker or any particular topology for entities inside a message broker.

+Service Bus doesn't support link recovery; if the client loses the connection to Service Bus with an unsettled message transfer pending, that message transfer is lost, and the client must reconnect, reestablish the link, and retry the transfer.

+The client and service communicate over a `control link` , which is established by the client. The `declare` and `discharge` messages are sent by the controller over the control link to allocate and complete transactions respectively (they don't represent the demarcation of transactional work). The actual send/receive isn't performed on this link. Each transactional operation requested is explicitly identified with the desired `txn-id` and therefore may occur on any link on the Connection. If the control link is closed while there exist non-discharged transactions it created, then all such transactions are immediately rolled back, and attempts to perform further transactional work on them will lead to failure. Messages on control link must not be pre settled.

+All transactional work is done with the transactional delivery state `transactional-state` that carries the txn-id. When sending messages, the transactional-state is carried by the message's transfer frame.

+The message exchanges used for the management protocol and for all other protocols that use the same pattern happen at the application level; they don't define new AMQP protocol-level gestures. That's intentional, so that applications can take immediate advantage of these extensions with compliant AMQP 1.0 stacks.

+Service Bus doesn't currently implement any of the core features of the management specification, but the request/response pattern defined by the management specification is foundational for the claims-based-security feature and for nearly all of the advanced capabilities discussed in the following sections:

+Azure Service Bus handles messages. Messages carry a payload and metadata. The metadata is in the form of key-value pairs, and describes the payload, and gives handling instructions to Service Bus and applications. Occasionally, that metadata alone is sufficient to carry the information that the sender wants to communicate to receivers, and the payload remains empty.

+A Service Bus message consists of a binary payload section that Service Bus never handles in any form on the service-side, and two sets of properties. The **broker properties** are predefined by the system. These predefined properties either control message-level functionality inside the broker, or they map to common and standardized metadata items. The **user properties** are a collection of key-value pairs that can be defined and set by the application.

+While the following names use pascal casing, note that JavaScript and Python clients would use camel and snake casing respectively.

+| `LockedΓÇïUntilΓÇïUtc` | For messages retrieved under a lock (peek-lock receive mode, not presettled) this property reflects the UTC instant until which the message is held locked in the queue/subscription. When the lock expires, the [DeliveryCount](/dotnet/api/microsoft.servicebus.messaging.brokeredmessage.deliverycount) is incremented and the message is again available for retrieval. This property is read-only. |

+- **Simple request/reply**: A publisher sends a message into a queue and expects a reply from the message consumer. To receive the reply, the publisher owns a queue into which it expects replies to be delivered. The address of the queue is expressed in the **ReplyTo** property of the outbound message. When the consumer responds, it copies the **MessageId** of the handled message into the **CorrelationId** property of the reply message and delivers the message to the destination indicated by the **ReplyTo** property. One message can yield multiple replies, depending on the application context.

+While this hidden serialization magic is convenient, applications should take explicit control of object serialization and turn their object graphs into streams before including them into a message, and do the reverse on the receiver side. This yields interoperable results. While AMQP has a powerful binary encoding model, it's tied to the AMQP messaging ecosystem, and HTTP clients will have trouble decoding such payloads.

+If the payload of a message can't be deserialized, then it's recommended to [dead-letter the message](./service-bus-dead-letter-queues.md?source=recommendations#application-level-dead-lettering).

+Restricted Regions reserved for in-country/region disaster recovery |Switzerland West reserved for Switzerland North, France South reserved for France Central, Norway West for Norway East customers, JIO India Central for JIO India West customers, Brazil Southeast for Brazil South customers, South Africa West for South Africa North customers, Germany North for Germany West Central customers, UAE Central for UAE North customers.<br/><br/> To use restricted regions as your primary or recovery region, get yourselves allowlisted by raising a request [here](/troubleshoot/azure/general/region-access-request-process) for both source and target subscriptions.

+The Azure Spring Apps Enterprise plan uses buildpack bindings to integrate [Azure Application Insights](../azure-monitor/app/app-insights-overview.md) with the type `ApplicationInsights`. For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md).

+VMware Tanzu Buildpacks provide framework and runtime support for applications. Buildpacks typically examine your applications to determine what dependencies to download and how to configure applications to communicate with bound services.

+The [language family buildpacks](https://docs.vmware.com/en/VMware-Tanzu-Buildpacks/services/tanzu-buildpacks/GUID-https://docsupdatetracker.net/index.html) are [composite buildpacks](https://paketo.io/docs/concepts/buildpacks/#composite-buildpacks) that provide easy out-of-the-box support for the most popular language runtimes and app configurations. These buildpacks combine multiple component buildpacks into ordered groupings. The groupings satisfy each buildpack's requirements.

+The following table shows the sizes available for build agent pool scale sets:

+| Scale set | CPU/Gi |

+Tanzu Build Service allows at most one pool-sized build task to build and twice the pool-sized build tasks to queue. If the quota of the agent pool is insufficient for the build task, the request for this build gets the following error: `The usage of build results in Building or Queuing status are (cpu: xxx, memory: xxxMi) and the remained quota is insufficient for this build. please retry with smaller size of build resourceRequests, retry after the previous build process completed or increased your build agent pool size`.

+When you create a new Azure Spring Apps Enterprise service instance using the Azure portal, you can use the **VMware Tanzu settings** tab to configure the number of resources given to the build agent pool.

+The following image shows the resources given to the Tanzu Build Service Agent Pool after you've successfully provisioned the service instance. You can also update the configured agent pool size here after you've created the service instance.

+## Build service on demand

+You can enable or disable the build service when you create an Azure Spring Apps Enterprise plan instance.

+### Build and deployment characteristics

+By default, Tanzu Build Service is enabled so that you can use a container registry. If you disable the build service, you can deploy an application only with a custom container image. You have the following options:

+- Enable the build service and use the Azure Spring Apps managed container registry.

+ Azure Spring Apps provides a managed Azure Container Registry to store built images for your applications. You can execute build and deployment together only as one command, but not separately. You can use the built container images to deploy applications in the same service instance only. The images aren't accessible by other Azure Spring Apps Enterprise service instances.

+- Enable the build service and use your own container registry.

+ This scenario separates build from deployment. You can execute builds from an application's source code or artifacts to a container image separately from the application deployment. You can deploy the container images stored in your own container registry to multiple Azure Spring Apps Enterprise service instances.

+- Disable the build service.

+ When you disable the build service, you can deploy applications only with container images, which you can build from any Azure Spring Apps Enterprise service instance.

+### Configure build service settings

+You can configure Tanzu Build Service and container registry settings using the Azure portal or the Azure CLI.

+#### [Azure portal](#tab/azure-portal)

+Use the following steps to enable Tanzu Build Service when provisioning an Azure Spring Apps service instance:

+1. Open the [Azure portal](https://portal.azure.com).

+1. On the **Basics** tab, select **Enterprise tier** in the **Pricing** section, and then specify the required information.

+1. Select **Next: VMware Tanzu settings**.

+1. On the **VMware Tanzu settings** tab, select **Enable Build Service**. For **Container registry**, the default setting is **Use a managed Azure Container Registry to store built images**.

+ :::image type="content" source="media/how-to-enterprise-build-service/enable-build-service-with-default-acr.png" alt-text="Screenshot of the Azure portal showing V M ware Tanzu Settings for the Azure Spring Apps Create page with default Build Service settings highlighted." lightbox="media/how-to-enterprise-build-service/enable-build-service-with-default-acr.png":::

+1. If you select **Use your own container registry to store built images (preview)** for **Container registry**, provide your container registry's server, username, and password.

+ :::image type="content" source="media/how-to-enterprise-build-service/enable-build-service-with-user-acr.png" alt-text="Screenshot of the Azure portal showing V M ware Tanzu Settings for the Azure Spring Apps Create page with use your own container registry highlighted." lightbox="media/how-to-enterprise-build-service/enable-build-service-with-user-acr.png":::

+1. If you disable **Enable Build Service**, the container registry options aren't provided but you can deploy applications with container images.

+ :::image type="content" source="media/how-to-enterprise-build-service/disable-build-service.png" alt-text="Screenshot of the Azure portal showing V M ware Tanzu Settings for the Azure Spring Apps Create page with the Enable Build Service not selected." lightbox="media/how-to-enterprise-build-service/disable-build-service.png":::

+1. Select **Review and create**.

+#### [Azure CLI](#tab/azure-cli)

+Use the following steps to enable Tanzu Build Service when provisioning an Azure Spring Apps service instance:

+1. Use the following commands to sign in to the Azure CLI, list available subscriptions, and set your active subscription:

+ ```azurecli

+ az login

+ az account list --output table

+ az account set --subscription <subscription-id>

+ ```

+1. Use the following command to register the `Microsoft.Saas` namespace.

+ ```azurecli

+ az provider register --namespace Microsoft.SaaS

+ ```

+1. Use the following command to accept the legal terms and privacy statements for the Azure Spring Apps Enterprise plan. This step is necessary only if your subscription has never been used to create an Enterprise plan instance.

+ ```azurecli

+ az term accept \

+ --plan asa-ent-hr-mtr \

+ --product azure-spring-cloud-vmware-tanzu-2 \

+ --publisher vmware-inc

+ ```

+1. Select a location. The location must support the Azure Spring Apps Enterprise plan. For more information, see [Azure Spring Apps FAQ](faq.md).

+1. Use the following command to create a resource group:

+ ```azurecli

+ az group create \

+ --name <resource-group-name> \

+ --location <location>

+ ```

+ For more information about resource groups, see [What is Azure Resource Manager?](../azure-resource-manager/management/overview.md)

+1. Prepare a name for your Azure Spring Apps service instance. The name must be between 4 and 32 characters long and can contain only lowercase letters, numbers, and hyphens. The first character of the service name must be a letter and the last character must be either a letter or a number.

+1. Use one of the following commands to create an Azure Spring Apps service instance:

+ - Use the following command to create an Azure Spring Apps service instance with the build service enabled and using a managed Azure Container Registry. The build service is enabled by default.

+ ```azurecli

+ az spring create \

+ --resource-group <resource-group-name> \

+ --name <Azure-Spring-Apps-service-instance-name> \

+ --sku enterprise

+ ```

+ - Use the following command to create an Azure Spring Apps service instance with the build service enabled and using your own container registry. The build service is enabled by default.

+ ```azurecli

+ az spring create \

+ --resource-group <resource-group-name> \

+ --name <Azure-Spring-Apps-service-instance-name> \

+ --sku enterprise \

+ --registry-server <your-container-registry-login-server> \

+ --registry-username <your-container-registry-username> \

+ --registry-password <your-container-registry-password>

+ ```

+ - Use the following command to create an Azure Spring Apps service instance with the build service disabled.

+ ```azurecli

+ az spring create \

+ --resource-group <resource-group-name> \

+ --name <Azure-Spring-Apps-service-instance-name> \

+ --sku enterprise \

+ --disable-build-service

+ ```

+## Deploy polyglot applications

+You can deploy polyglot applications in an Azure Spring Apps Enterprise service instance with Tanzu Build Service either enabled or disabled. For more information, see [How to deploy polyglot apps in Azure Spring Apps Enterprise](how-to-enterprise-deploy-polyglot-apps.md).

+## Configure APM integration and CA certificates

+By using Tanzu Partner Buildpacks and CA Certificates Buildpack, the Azure Spring Apps Enterprise plan provides a simplified configuration experience to support application performance monitor (APM) integration. This integration includes certificate authority (CA) certificates integration scenarios for polyglot applications. For more information, see [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md).

+A build task is triggered when an application is deployed from an Azure CLI command. Build logs are streamed in real time as part of the CLI command output. For information about using build logs to diagnose problems, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md).

+- [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md)

+ Title: How to configure APM integration and CA certificates

+description: Shows you how to configure APM integration and CA certificates in the Azure Spring Apps Enterprise plan.

+# How to configure APM integration and CA certificates

+> [!NOTE]

+> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams.

+**This article applies to:** ❌ Basic/Standard ✔️ Enterprise

+This article shows you how to configure application performance monitor (APM) integration and certificate authority (CA) certificates in the Azure Spring Apps Enterprise plan.

+You can enable or disable Tanzu Build Service on an Azure Springs Apps Enterprise plan instance. For more information, see the [Build service on demand](how-to-enterprise-build-service.md#build-service-on-demand) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md).

+## Prerequisites

+- An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).

+- [Azure CLI](/cli/azure/install-azure-cli) version 2.45.0 or higher. Use the following command to install the Azure Spring Apps extension: `az extension add --name spring`

+## Supported scenarios - APM and CA certificates integration

+Tanzu Build Service is enabled by default in Azure Spring Apps Enterprise. If you choose to disable the build service, you can deploy applications but only by using a custom container image. This section provides guidance for both enabled and disabled scenarios.

+### [Build service enabled](#tab/enable-build-service)

+Tanzu Build Service uses buildpack binding to integrate with [Tanzu Partner Buildpacks](https://docs.pivotal.io/tanzu-buildpacks/partner-integrations/partner-integration-buildpacks.html) and other cloud native buildpacks such as the [ca-certificates](https://github.com/paketo-buildpacks/ca-certificates) buildpack on GitHub.

+Currently, Azure Spring Apps supports the following APM types and CA certificates:

+- ApplicationInsights

+- Dynatrace

+- AppDynamics

+- New Relic

+- ElasticAPM

+Azure Spring Apps supports CA certificates for all language family buildpacks, but not all supported APMs. The following table shows the binding types supported by Tanzu language family buildpacks.

+| Buildpack | ApplicationInsights | New Relic | AppDynamics | Dynatrace | ElasticAPM |

+|||--|-|--||

+| Java | Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Dotnet | | | | Γ£ö | |

+| Go | | | | Γ£ö | |

+| Python | | | | | |

+| NodeJS | | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+| Web servers | | | | Γ£ö | |

+For information about using Web servers, see [Deploy web static files](how-to-enterprise-deploy-static-file.md).

+When you enable the build service, the APM and CA Certificate are integrated with a builder, as described in the [Manage APM integration and CA certificates in Azure Spring Apps](#manage-apm-integration-and-ca-certificates-in-azure-spring-apps) section.

+When the build service uses the Azure Spring Apps managed container registry, you can build an application to an image and then deploy it, but only within the current Azure Spring Apps service instance.

+Use the following command to integrate APM and CA certificates into your deployments:

+```azurecli

+az spring app deploy \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name <app-name> \

+ --builder <builder-name> \

+ --artifact-path <path-to-your-JAR-file>

+```

+If you provide your own container registry to use with the build service, you can build an application into a container image and deploy the image to the current or other Azure Spring Apps Enterprise service instances.

+Providing your own container registry separates building from deployment. You can use the build command to create or update a build with a builder, then use the deploy command to deploy the container image to the service. In this scenario, you need to specify the APM-required environment variables on deployment.

+Use the following command to build an image:

+```azurecli

+az spring build-service build <create|update> \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name <app-name> \

+ --builder <builder-name> \

+ --artifact-path <path-to-your-JAR-file>

+```

+Use the following command to deploy with a container image, using the `--env` parameter to configure runtime environment:

+```azurecli

+az spring app deploy \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name <app-name> \

+ --container-image <your-container-image> \

+ --container-registry <your-container-registry> \

+ --registry-password <your-password> \

+ --registry-username <your-username> \

+ --env NEW_RELIC_APP_NAME=<app-name> \

+ NEW_RELIC_LICENSE_KEY=<your-license-key>

+```

+#### Supported APM resources with the build service enabled

+This section lists the supported languages and required environment variables for the APMs that you can use for your integrations.

+- **Application Insights**

+ Supported languages:

+ - Java

+ Environment variables required for buildpack binding:

+ - `connection-string`

+ Environment variables required for deploying an app with a custom image:

+ - `APPLICATIONINSIGHTS_CONNECTION_STRING`

+ > [!NOTE]

+ > Upper-case keys are allowed, and you can replace underscores (`_`) with hyphens (`-`).

+ For other supported environment variables, see [Application Insights Overview](../azure-monitor/app/app-insights-overview.md?tabs=java).

+- **DynaTrace**

+ Supported languages:

+ - Java

+ - .NET

+ - Go

+ - Node.js

+ - WebServers

+ Environment variables required for buildpack binding:

+ - `api-url` or `environment-id` (used in build step)

+ - `api-token` (used in build step)

+ - `TENANT`

+ - `TENANTTOKEN`

+ - `CONNECTION_POINT`

+ Environment variables required for deploying an app with a custom image:

+ - `DT_TENANT`

+ - `DT_TENANTTOKEN`

+ - `DT_CONNECTION_POINT`

+ For other supported environment variables, see [Dynatrace](https://www.dynatrace.com/support/help/shortlink/azure-spring#envvar)

+- **New Relic**

+ Supported languages:

+ - Java

+ - Node.js

+ Environment variables required for buildpack binding:

+ - `license_key`

+ - `app_name`

+ Environment variables required for deploying an app with a custom image:

+ - `NEW_RELIC_LICENSE_KEY`

+ - `NEW_RELIC_APP_NAME`

+ For other supported environment variables, see [New Relic](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables)

+- **Elastic**

+ Supported languages:

+ - Java

+ - Node.js

+ Environment variables required for buildpack binding:

+ - `service_name`

+ - `application_packages`

+ - `server_url`

+ Environment variables required for deploying an app with a custom image:

+ - `ELASTIC_APM_SERVICE_NAME`

+ - `ELASTIC_APM_APPLICATION_PACKAGES`

+ - `ELASTIC_APM_SERVER_URL`

+ For other supported environment variables, see [Elastic](https://www.elastic.co/guide/en/apm/agent/java/master/configuration.html)

+- **AppDynamics**

+ Supported languages:

+ - Java

+ - Node.js

+ Environment variables required for buildpack binding:

+ - `agent_application_name`

+ - `agent_tier_name`

+ - `agent_node_name`

+ - `agent_account_name`

+ - `agent_account_access_key`

+ - `controller_host_name`

+ - `controller_ssl_enabled`

+ - `controller_port`

+ Environment variables required for deploying an app with a custom image:

+ - `APPDYNAMICS_AGENT_APPLICATION_NAME`

+ - `APPDYNAMICS_AGENT_TIER_NAME`

+ - `APPDYNAMICS_AGENT_NODE_NAME`

+ - `APPDYNAMICS_AGENT_ACCOUNT_NAME`

+ - `APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY`

+ - `APPDYNAMICS_CONTROLLER_HOST_NAME`

+ - `APPDYNAMICS_CONTROLLER_SSL_ENABLED`

+ - `APPDYNAMICS_CONTROLLER_PORT`

+ For other supported environment variables, see [AppDynamics](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent#MonitorAzureSpringCloudwithJavaAgent-ConfigureUsingtheEnvironmentVariablesorSystemProperties)

+## Use CA certificates

+CA certificates use the [ca-certificates](https://github.com/paketo-buildpacks/ca-certificates) buildpack to support providing CA certificates to the system trust store at build and runtime.

+In the Azure Spring Apps Enterprise plan, the CA certificates use the **Public Key Certificates** tab on the **TLS/SSL settings** page in the Azure portal, as shown in the following screenshot:

+You can configure the CA certificates on the **Edit binding** page. The `succeeded` certificates are shown in the **CA Certificates** list.

+### [Build service disabled](#tab/disable-build-service)

+If you disable the build service, you can only deploy an application with a container image. For more information, see [Deploy an application with a custom container image](how-to-deploy-with-custom-container-image.md).

+You can use multiple instances of Azure Spring Apps Enterprise, where some instances build and deploy images and others only deploy images. Consider the following scenario:

+- For one instance, you enable the build service with a user container registry. Then you build from an artifact-file or source-code with APM or CA certificate into a container image and deploy to the current Azure Spring Apps instance or other service instances. For more information, see, the [Build and deploy polyglot applications](how-to-enterprise-deploy-polyglot-apps.md#build-and-deploy-polyglot-applications), section of [How to deploy polyglot apps in Azure Spring Apps Enterprise](How-to-enterprise-deploy-polyglot-apps.md).

+- In another instance with the build service disabled, you deploy an application with the container image in your registry and also make use of APM and CA certificates.

+Due to the deployment supporting only a custom container image, you must use the `--env` parameter to configure the runtime environment for deployment. The following command provides an example:

+```azurecli

+az spring app deploy \

+ --resource-group <resource-group-name> \

+ --service <Azure-Spring-Apps-instance-name> \

+ --name <app-name> \

+ --container-image <your-container-image> \

+ --container-registry <your-container-registry> \

+ --registry-password <your-password> \

+ --registry-username <your-username> \

+ --env NEW_RELIC_APP_NAME=<app-name> NEW_RELIC_LICENSE_KEY=<your-license-key>

+```

+### Supported APM resources with the build service disabled

+This section lists the supported languages and required environment variables for the APMs that you can use for your integrations.

+- **Application Insights**

+ Supported languages:

+ - Java

+ Required runtime environment variables:

+ - `APPLICATIONINSIGHTS_CONNECTION_STRING`

+ For other supported environment variables, see [Application Insights Overview](../azure-monitor/app/app-insights-overview.md?tabs=java)

+- **Dynatrace**

+ Supported languages:

+ - Java

+ - .NET

+ - Go

+ - Node.js

+ - WebServers

+ Required runtime environment variables:

+ - `DT_TENANT`

+ - `DT_TENANTTOKEN`

+ - `DT_CONNECTION_POINT`

+ For other supported environment variables, see [Dynatrace](https://www.dynatrace.com/support/help/shortlink/azure-spring#envvar)

+- **New Relic**

+ Supported languages:

+ - Java

+ - Node.js

+ Required runtime environment variables:

+ - `NEW_RELIC_LICENSE_KEY`

+ - `NEW_RELIC_APP_NAME`

+ For other supported environment variables, see [New Relic](https://docs.newrelic.com/docs/apm/agents/java-agent/configuration/java-agent-configuration-config-file/#Environment_Variables)

+- **ElasticAPM**

+ Supported languages:

+ - Java

+ - Node.js

+ Required runtime environment variables:

+ - `ELASTIC_APM_SERVICE_NAME`

+ - `ELASTIC_APM_APPLICATION_PACKAGES`

+ - `ELASTIC_APM_SERVER_URL`

+ For other supported environment variables, see [Elastic](https://www.elastic.co/guide/en/apm/agent/java/master/configuration.html)

+- **AppDynamics**

+ Supported languages:

+ - Java

+ - Node.js

+ Required runtime environment variables:

+ - `APPDYNAMICS_AGENT_APPLICATION_NAME`

+ - `APPDYNAMICS_AGENT_TIER_NAME`

+ - `APPDYNAMICS_AGENT_NODE_NAME`

+ - `APPDYNAMICS_AGENT_ACCOUNT_NAME`

+ - `APPDYNAMICS_AGENT_ACCOUNT_ACCESS_KEY`

+ - `APPDYNAMICS_CONTROLLER_HOST_NAME`

+ - `APPDYNAMICS_CONTROLLER_SSL_ENABLED`

+ - `APPDYNAMICS_CONTROLLER_PORT`

+ For other supported environment variables, see [AppDynamics](https://docs.appdynamics.com/21.11/en/application-monitoring/install-app-server-agents/java-agent/monitor-azure-spring-cloud-with-java-agent#MonitorAzureSpringCloudwithJavaAgent-ConfigureUsingtheEnvironmentVariablesorSystemProperties)

+## Manage APM integration and CA certificates in Azure Spring Apps

+This section applies only to an Azure Spring Apps Enterprise service instance with the build service enabled. With the build service enabled, one buildpack binding means either credential configuration against one APM type, or CA certificates configuration against the CA certificates type. For APM integration, follow the earlier instructions to configure the necessary environment variables or secrets for your APM.

+> [!NOTE]

+> When configuring environment variables for APM bindings, use key names without a prefix. For example, do not use a `DT_` prefix for a Dynatrace binding or `APPLICATIONINSIGHTS_` for Application Insights. Tanzu APM buildpacks will transform the key name to the original environment variable name with a prefix.

+You can manage buildpack bindings with the Azure portal or the Azure CLI.

+### [Azure portal](#tab/azure-portal)

+Use the following steps to view the buildpack bindings:

+1. In the Azure portal, go to your Azure Spring Apps Enterprise service instance.

+1. In the navigation pane, select **Build Service**.

+1. Select **Edit** under the **Bindings** column to view the bindings configured for a builder.

+ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/edit-binding.png" alt-text="Screenshot of Azure portal showing the Build Service page with the Bindings Edit link highlighted for a selected builder." lightbox="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/edit-binding.png":::

+1. Review the bindings on the **Edit binding for default builder** page.

+ :::image type="content" source="media/how-to-enterprise-configure-apm-integration-and-ca-certificates/show-service-binding.png" alt-text="Screenshot of Azure portal showing the Edit bindings for default builder page with the binding types and their status listed.":::

+### Create a buildpack binding

+To create a buildpack binding, select **Unbound** on the **Edit Bindings** page, specify the binding properties, and then select **Save**.

+### Unbind a buildpack binding

+You can unbind a buildpack binding by using the **Unbind binding** command, or by editing the binding properties.

+To use the **Unbind binding** command, select the **Bound** hyperlink, and then select **Unbind binding**.

+To unbind a buildpack binding by editing binding properties, select **Edit Binding**, and then select **Unbind**.

+When you unbind a binding, the bind status changes from **Bound** to **Unbound**.

+### [Azure CLI](#tab/azure-cli)

+### View buildpack bindings using the Azure CLI

+View the current buildpack bindings by using the following command:

+```azurecli

+az spring build-service builder buildpack-binding list \

+ --resource-group <your-resource-group-name> \

+ --service <your-service-instance-name> \

+ --builder-name <your-builder-name>

+```

+### Create a binding

+Use this command to change the binding from *Unbound* to *Bound* status:

+```azurecli

+az spring build-service builder buildpack-binding create \

+ --resource-group <your-resource-group-name> \

+ --service <your-service-instance-name> \

+ --name <your-buildpack-binding-name> \

+ --builder-name <your-builder-name> \

+ --type <your-binding-type> \

+ --properties a=b c=d \

+ --secrets e=f g=h

+```

+For information on the `properties` and `secrets` parameters for your buildpack, see the [Supported Scenarios - APM and CA Certificates Integration](#supported-scenariosapm-and-ca-certificates-integration) section.

+### Show the details for a specific binding

+You can view the details of a specific binding by using the following command:

+```azurecli

+az spring build-service builder buildpack-binding show \

+ --resource-group <your-resource-group-name> \

+ --service <your-service-instance-name> \

+ --name <your-buildpack-binding-name> \

+ --builder-name <your-builder-name>

+```

+### Edit the properties of a binding

+You can change a binding's properties by using the following command:

+```azurecli

+az spring build-service builder buildpack-binding set \

+ --resource-group <your-resource-group-name> \

+ --service <your-service-instance-name> \

+ --name <your-buildpack-binding-name> \

+ --builder-name <your-builder-name> \

+ --type <your-binding-type> \

+ --properties a=b c=d \

+ --secrets e=f2 g=h

+```

+For more information on the `properties` and `secrets` parameters for your buildpack, see the [Supported Scenarios - APM and CA Certificates Integration](#supported-scenariosapm-and-ca-certificates-integration) section.

+### Delete a binding

+Use the following command to change the binding status from *Bound* to *Unbound*.

+```azurecli

+az spring build-service builder buildpack-binding delete \

+ --resource-group <your-resource-group-name> \

+ --service <your-service-instance-name> \

+ --name <your-buildpack-binding-name> \

+ --builder-name <your-builder-name>

+```

+## Next steps

+- [How to deploy polyglot apps in Azure Spring Apps Enterprise](how-to-enterprise-deploy-polyglot-apps.md)