-| Provider | Biometric | USB | NFC | BLE | FIPS Certified | Contact |

-||:--:|::|::|::|:--:|--|

-| AuthenTrend | ![y] | ![y]| ![y]| ![y]| ![n] | https://authentrend.com/about-us/#pg-35-3 |

-| Ciright | ![n] | ![n]| ![y]| ![n]| ![n] | https://www.cyberonecard.com/ |

-| Crayonic | ![y] | ![n]| ![y]| ![y]| ![n] | https://www.crayonic.com/keyvault |

-| Ensurity | ![y] | ![y]| ![n]| ![n]| ![n] | https://www.ensurity.com/contact |

-| Excelsecu | ![y] | ![y]| ![y]| ![y]| ![n] | https://www.excelsecu.com/productdetail/esecufido2secu.html |

-| Feitian | ![y] | ![y]| ![y]| ![y]| ![y] | https://shop.ftsafe.us/pages/microsoft |

-| Fortinet | ![n] | ![y]| ![n]| ![n]| ![n] | https://www.fortinet.com/ |

-| Giesecke + Devrient (G+D) | ![y] | ![y]| ![y]| ![y]| ![n] | https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication |

-| GoTrustID Inc. | ![n] | ![y]| ![y]| ![y]| ![n] | https://www.gotrustid.com/idem-key |

-| HID | ![n] | ![y]| ![y]| ![n]| ![n] | https://www.hidglobal.com/products/crescendo-key |

-| Hypersecu | ![n] | ![y]| ![n]| ![n]| ![n] | https://www.hypersecu.com/hyperfido |

-| Hypr | ![y] | ![y]| ![n]| ![y]| ![n] | https://www.hypr.com/true-passwordless-mfa |

-| Identiv | ![n] | ![y]| ![y]| ![n]| ![n] | https://www.identiv.com/products/logical-access-control/utrust-fido2-security-keys/nfc |

-| IDmelon Technologies Inc. | ![y] | ![y]| ![y]| ![y]| ![n] | https://www.idmelon.com/#idmelon |

-| Kensington | ![y] | ![y]| ![n]| ![n]| ![n] | https://www.kensington.com/solutions/product-category/why-biometrics/ |

-| KONA I | ![y] | ![n]| ![y]| ![y]| ![n] | https://konai.com/business/security/fido |

-| Movenda | ![y] | ![n]| ![y]| ![y]| ![n] | https://www.movenda.com/en/authentication/fido2/overview |

-| NeoWave | ![n] | ![y]| ![y]| ![n]| ![n] | https://neowave.fr/en/products/fido-range/ |

-| Nymi | ![y] | ![n]| ![y]| ![n]| ![n] | https://www.nymi.com/nymi-band |

-| Octatco | ![y] | ![y]| ![n]| ![n]| ![n] | https://octatco.com/ |

-| OneSpan Inc. | ![n] | ![y]| ![n]| ![y]| ![n] | https://www.onespan.com/products/fido |

-| Swissbit | ![n] | ![y]| ![y]| ![n]| ![n] | https://www.swissbit.com/en/products/security-products/swissbit-tse/ |

-| Thales Group | ![n] | ![y]| ![y]| ![n]| ![y] | https://cpl.thalesgroup.com/access-management/authenticators/fido-devices |

-| Thetis | ![y] | ![y]| ![y]| ![y]| ![n] | https://thetis.io/collections/fido2 |

-| Token2 Switzerland | ![y] | ![y]| ![y]| ![n]| ![n] | https://www.token2.swiss/shop/product/token2-t2f2-alu-fido2-u2f-and-totp-security-key |

-| Token Ring | ![y] | ![n]| ![y]| ![n]| ![n] | https://www.tokenring.com/ |

-| TrustKey Solutions | ![y] | ![y]| ![n]| ![n]| ![n] | https://www.trustkeysolutions.com/security-keys/ |

-| VinCSS | ![n] | ![y]| ![n]| ![n]| ![n] | https://passwordless.vincss.net |

-| WiSECURE Technologies | ![n] | ![y]| ![n]| ![n]| ![n] | https://wisecure-tech.com/en-us/zero-trust/fido/authtron |

-| Yubico | ![y] | ![y]| ![y]| ![n]| ![y] | https://www.yubico.com/solutions/passwordless/ |

-| Provider | Biometric | USB | NFC | BLE | FIPS Certified | Contact |

-||:--:|::|::|::|:--:|--|

-| AuthenTrend | ![y] | ![y]| ![y]| ![y]| ![n] | https://authentrend.com/about-us/#pg-35-3 |

-| Ciright | ![n] | ![n]| ![y]| ![n]| ![n] | https://www.cyberonecard.com/ |

-| Crayonic | ![y] | ![n]| ![y]| ![y]| ![n] | https://www.crayonic.com/keyvault |

-| Ensurity | ![y] | ![y]| ![n]| ![n]| ![n] | https://www.ensurity.com/contact |

-| Excelsecu | ![y] | ![y]| ![y]| ![y]| ![n] | https://www.excelsecu.com/productdetail/esecufido2secu.html |

-| Feitian | ![y] | ![y]| ![y]| ![y]| ![y] | https://shop.ftsafe.us/pages/microsoft |

-| Fortinet | ![n] | ![y]| ![n]| ![n]| ![n] | https://www.fortinet.com/ |

-| Giesecke + Devrient (G+D) | ![y] | ![y]| ![y]| ![y]| ![n] | https://www.gi-de.com/en/identities/enterprise-security/hardware-based-authentication |

-| GoTrustID Inc. | ![n] | ![y]| ![y]| ![y]| ![n] | https://www.gotrustid.com/idem-key |

-| HID | ![n] | ![y]| ![y]| ![n]| ![n] | https://www.hidglobal.com/products/crescendo-key |

-| Hypersecu | ![n] | ![y]| ![n]| ![n]| ![n] | https://www.hypersecu.com/hyperfido |

-| Hypr | ![y] | ![y]| ![n]| ![y]| ![n] | https://www.hypr.com/true-passwordless-mfa |

-| Identiv | ![n] | ![y]| ![y]| ![n]| ![n] | https://www.identiv.com/products/logical-access-control/utrust-fido2-security-keys/nfc |

-| IDmelon Technologies Inc. | ![y] | ![y]| ![y]| ![y]| ![n] | https://www.idmelon.com/#idmelon |

-| Kensington | ![y] | ![y]| ![n]| ![n]| ![n] | https://www.kensington.com/solutions/product-category/why-biometrics/ |

-| KONA I | ![y] | ![n]| ![y]| ![y]| ![n] | https://konai.com/business/security/fido |

-| Movenda | ![y] | ![n]| ![y]| ![y]| ![n] | https://www.movenda.com/en/authentication/fido2/overview |

-| NeoWave | ![n] | ![y]| ![y]| ![n]| ![n] | https://neowave.fr/en/products/fido-range/ |

-| Nymi | ![y] | ![n]| ![y]| ![n]| ![n] | https://www.nymi.com/nymi-band |

-| Octatco | ![y] | ![y]| ![n]| ![n]| ![n] | https://octatco.com/ |

-| OneSpan Inc. | ![n] | ![y]| ![n]| ![y]| ![n] | https://www.onespan.com/products/fido |

-| Swissbit | ![n] | ![y]| ![y]| ![n]| ![n] | https://www.swissbit.com/en/products/ishield-key/ |

-| Thales Group | ![n] | ![y]| ![y]| ![n]| ![y] | https://cpl.thalesgroup.com/access-management/authenticators/fido-devices |

-| Thetis | ![y] | ![y]| ![y]| ![y]| ![n] | https://thetis.io/collections/fido2 |

-| Token2 Switzerland | ![y] | ![y]| ![y]| ![n]| ![n] | https://www.token2.swiss/shop/product/token2-t2f2-alu-fido2-u2f-and-totp-security-key |

-| Token Ring | ![y] | ![n]| ![y]| ![n]| ![n] | https://www.tokenring.com/ |

-| TrustKey Solutions | ![y] | ![y]| ![n]| ![n]| ![n] | https://www.trustkeysolutions.com/security-keys/ |

-| VinCSS | ![n] | ![y]| ![n]| ![n]| ![n] | https://passwordless.vincss.net |

-| WiSECURE Technologies | ![n] | ![y]| ![n]| ![n]| ![n] | https://wisecure-tech.com/en-us/zero-trust/fido/authtron |

-| Yubico | ![y] | ![y]| ![y]| ![n]| ![y] | https://www.yubico.com/solutions/passwordless/ |

->This is an important security enhancement for users authenticating via telecom transports. This feature is currently in the state ΓÇÿMicrosoft managedΓÇÖ. Until June 9th, leaving the feature set to ΓÇÿMicrosoft managedΓÇÖ will have no impact on your users and the feature will remain turned off unless you explicitly change the state to enabled. The Microsoft managed value of this feature will be changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ on June 9th. We have made some changes to the feature configuration, so if you made an update before GA (5/17), please validate that the feature is in the correct state for your tenant prior to June 9th. If you do not wish for this feature to be enabled on June 9th, move the state to ΓÇÿdisabledΓÇÖ or set users to include and exclude groups.

-By default, Authenticator Lite is [Microsoft managed](concept-authentication-default-enablement.md#microsoft-managed-settings). Until June 9th, leaving the feature set to ΓÇÿMicrosoft managedΓÇÖ will have no impact on your users and the feature will remain turned off unless you explicitly change the state to enabled. The Microsoft managed value of this feature will be changed from ΓÇÿdisabledΓÇÖ to ΓÇÿenabledΓÇÖ on June 9th. We have made some changes to the feature configuration, so if you made an update before GA (5/17), please validate that the feature is in the correct state for your tenant prior to June 9th. If you do not wish for this feature to be enabled on June 9th, move the state to ΓÇÿdisabledΓÇÖ or set users to include and exclude groups.

-description: Learn how to configure and enable users to register Passwordless authentication methods by using a Temporary Access Pass

-# Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods

-Passwordless authentication methods, such as FIDO2 and Passwordless Phone Sign-in through the Microsoft Authenticator app, enable users to sign in securely without a password.

-A Temporary Access Pass is a time-limited passcode that can be configured for multi or single use to allow users to onboard other authentication methods including passwordless methods such as Microsoft Authenticator, FIDO2 or Windows Hello for Business.

-Although you can create a Temporary Access Pass for any user, only those included in the policy can sign-in with it.

- 

-1. Set the **Enable** to **Yes** to enable the policy. Then select the **Target** users.

- 

-1. (Optional) Select **Configure** and modify the default Temporary Access Pass settings, such as setting maximum lifetime, or length.

-

-1. Select **Save** to apply the policy.

- | Default lifetime | 1 hour | 10 ΓÇô 43,200 Minutes (30 days) | Default values can be overridden by the individual passes, within the minimum and maximum lifetime configured by the policy. |

- | One-time use | False | True / False | When the policy is set to false, passes in the tenant can be used either once or more than once during its validity (maximum lifetime). By enforcing one-time use in the Temporary Access Pass policy, all passes created in the tenant will be created as one-time use. |

-1. Sign in to the Azure portal as either a Global administrator, Privileged Authentication administrator, or Authentication administrator.

-1. If the user is included in the Temporary Access Pass policy, they'll see a screen to enter their Temporary Access Pass.

- 

->For federated domains, a Temporary Access Pass is preferred over federation. A user with a Temporary Access Pass will complete the authentication in Azure AD and will not get redirected to the federated Identity Provider (IdP).

-Users managing their security information at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) will see an entry for the Temporary Access Pass. If a user does not have any other registered methods, they'll be presented a banner at the top of the screen requesting them to add a new sign-in method. Users can additionally view the TAP expiration time, and delete the TAP if no longer needed.

-For Azure AD Joined devices:

-For Hybrid Azure AD Joined devices:

-The token lifetime (session token, refresh token, access token, etc.) obtained via a Temporary Access Pass login will be limited to the Temporary Access Pass lifetime. As a result, a Temporary Access Pass expiring will lead to the expiration of the associated token.

- - If the existing Temporary Access Pass is valid, the admin can create a new Temporary Access Pass which will override the existing valid Temporary Access Pass.

-Users in scope for these policies will get redirected to the [Interrupt mode of the combined registration](concept-registration-mfa-sspr-combined.md#combined-registration-modes). This experience doesn't currently support FIDO2 and Phone Sign-in registration.

- - The user is in scope for the Temporary Access Pass authentication method policy.

- - The user has a valid Temporary Access Pass, and if it's one-time use, it wasnΓÇÖt used yet.

- - The user has a multi-use Temporary Access Pass while the authentication method policy requires a one-time Temporary Access Pass.

- - A one-time Temporary Access Pass was already used.

-| All Permissions for Identity | Detailed | CSV | This report lists all the assigned permissions for the selected identities. | Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) | N/A |

-| Group Entitlements and Usage | Summary | CSV | This report tracks all group level entitlements and the permission assignment, PCI. The number of members is also listed as part of this report. | AWS, Azure, or GCP | Yes |

-| Identity Permissions | Summary | CSV | This report tracks any, or specific, task usage per **User**, **Group**, **Role**, or **App**. | AWS, Azure, or GCP | No |

-| NIST 800-53 | Detailed </p>Summary </p>Dashboard | CSV </p>PDF | **Dashboard**: This report helps track the overall progress of the NIST 800-53 benchmark. It lists the percentage passing, overall pass or fail of test control along with the breakup of L1/L2 per Auth system. </p>**Summary**: For each authorized system, this report lists the test control pass or fail per authorized system and the number of resources evaluated for each test control. </p>**Detailed**: This report helps auditors and administrators to track the resource level pass or fail per test control. | AWS, Azure, or GCP | Yes |

-| PCI DSS | Detailed </p>Summary </p>Dashboard | CSV | **Dashboard**: This report helps track the overall progress of the PCI-DSS benchmark. It lists the percentage passing, overall pass or fail of test control along with the breakup of L1/L2 per Auth system. </p>**Summary**: For each authorized system, this report lists the test control pass or fail per authorized system and the number of resources evaluated for each test control. </p>**Detailed**: This report helps auditors and administrators to track the resource level pass or fail per test control. | AWS, Azure, or GCP | Yes |

-| PCI History | Summary | CSV | This report helps track **Monthly PCI History** for each authorized system. It can be used to plot the trend of the PCI. | AWS, Azure, or GCP | Yes |

-| Permissions Analytics Report (PAR) | Summary | PDF | This report helps monitor the **Identity Privilege** related activity across the authorized systems. It captures any Identity permission change. </p>This report has the following main sections: **User Summary**, **Group Summary**, **Role Summary & Delete Task Summary**. </p>The **User Summary** lists the current granted permissions along with high-risk permissions and resources accessed in 1-day, 7-day, or 30-days durations. There are subsections for newly added or deleted users, users with PCI change, high-risk active/inactive users. </p>The **Group Summary** lists the administrator level groups with the current granted permissions along with high-risk permissions and resources accessed in 1-day, 7-day, or 30-day durations. There are subsections for newly added or deleted groups, groups with PCI change, High-risk active/inactive groups. </p>The **Role Summary** and the **Group Summary** list similar details. </p>The **Delete Task** summary section lists the number of times the **Delete Task** has been executed in the given period. | AWS, Azure, or GCP | No |

-| Permissions Analytics Report (PAR) | Detailed | CSV | This report lists the different key findings in the selected authorized systems. The key findings include **Super identities**, **Inactive identities**, **Over-provisioned active identities**, **Storage bucket hygiene**, **Access key age (AWS)**, and so on. </p>This report helps administrators to visualize the findings across the organization and make decisions. | AWS, Azure, or GCP | Yes |

-| Role/Policy Details | Summary | CSV | This report captures **Assigned/Unassigned** and **Custom/system policy with used/unused condition** for specific or all AWS accounts. </p>Similar data can be captured for Azure and GCP for assigned and unassigned roles. | AWS, Azure, or GCP | No |

-| User Entitlements and Usage | Detailed <p>Summary | CSV | This report provides a summary and details of **User entitlements and usage**. </p>**Data displayed on Usage Analytics** screen is downloaded as part of the **Summary** report. </p>**Detailed permissions usage per User** is listed in the Detailed report. | AWS, Azure, or GCP | Yes |

-Customers can access the Permissions Management interface with a link from the Azure AD extension in the Azure portal.

-You can read our blog and visit our web page. You can also get in touch with your Microsoft point of contact to schedule a demo.

-To find out how many resources you have across your multicloud infrastructure, view the Billable Resources tab in Permissions Management.

- **Option 2**: **Enter authorization systems** - you have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 10 per collector).

- - This example would create a policy that only allows access to Microsoft Azure Management from devices that are either hybrid Azure AD joined or devices marked as compliant.

-The first time the user must share their location from the Microsoft Authenticator app, the user receives a notification in the app. The user needs to open the app and grant location permissions. Every hour the user is accessing resources covered by the policy they need to approve a push notification from the app.

-Every time the user shares their GPS location, the app does jailbreak detection (Using the same logic as the Intune MAM SDK). If the device is jailbroken, the location isn't considered valid, and the user isn't granted access.

-> Do not set `acceptMappedClaims` property to `true` for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app. Instead [configure a custom signing key](active-directory-claims-mapping.md#configure-a-custom-signing-key).

-You must be assigned one of the following roles to view or manage device settings in the Azure portal:

-1. On the **Manage claim** page, select **Add new claim**.

-1. On the **Manage claim** page, select **Add new claim**.

-Ensure that **"allowPublicClient": true** is set in the application manifest.

-1. In the left menu, under **Manage**, select **Manifest** to open application manifest.

-1. Find the **acceptMappedClaims** key and ensure its value is set to **true**.

- - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oidc/www.facebook.com`

- - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oidc/www.facebook.com`

- - `https://<tenant-ID>.ciamlogin.com/<tenant-ID>/federation/oauth2`

- - `https://<tenant-ID>.ciamlogin.com/<tenant-name>.onmicrosoft.com/federation/oauth2`

-1. For the **Client ID**, enter the Client ID of the Facebook application that you created earlier.

-1. For the **Client secret**, enter the Client Secret that you recorded.

-1. Select **Create**. The new user flow appears in the user flows list. (You might need to refresh the page.)

-* **Users**: Represents the human and non-human identities and attributes that access resources from devices.

-During the transition and while operating in this state, organizations grow the skills and expertise for using Azure AD for IAM solutions. Because user accounts and device attachments are relatively easy and a common part of day-to-day IT operations, this is the approach that most organizations have used.

-* All apps that previously used an AD DS-integrated federated identity provider, such as AD FS, are updated to use Azure AD for authentication. If you were using password-based authentication through that identity provider for Azure AD, it's migrated to password hash synchronization.

-In the 100%-cloud state, Azure AD and other Azure tools provide all IAM capability. This is the long-term aspiration for many organizations.

-1. **Move existing items to the new location**: You move items from the old location to the new location. You assess the business value of the items to determine if you'll move them as is, upgrade them, replace them, or deprecate them. For more information, see [Transition to the cloud](road-to-the-cloud-migrate.md).

-Identity Protection has added a new detection, using the Microsoft Threat Intelligence database, to detect sign-in's performed from IP addresses of known nation state and cyber-crime actors and allow customers to block these sign-ins's by using risk-based conditional access policies. For more information, see: [Sign-in risk](../identity-protection/concept-identity-protection-risks.md#sign-in-risk).

-Starting in June 2023, the secrets stored on a single group can't exceed 48 individual secrets, or have a total size greater than 10KB across all secrets on a single group. Groups with more than 10KB of secrets will immediately stop working in June 2023. In June, groups exceeding 48 secrets are unable to increase the number of secrets they have, though they may still update or delete those secrets. We highly recommend reducing to fewer than 48 secrets by January 2024.

-Authenticator Lite is an additional surface for Azure Active Directory users to complete multifactor authentication using push notifications on their Android or iOS device. With Authenticator Lite, users can satisfy a multifactor authentication requirement from the convenience of a familiar app. Authenticator Lite is currently enabled in the Outlook mobile app. Users may receive a notification in their Outlook mobile app to approve or deny, or use the Outlook app to generate an OATH verification code that can be entered during sign-in. The *'Microsoft managed'* setting for this feature will be set to enabled on May 26th, 2023. This enables the feature for all users in tenants where the feature is set to Microsoft managed. If you wish to change the state of this feature, please do so before May 26, 2023. For more information, see: [How to enable Microsoft Authenticator Lite for Outlook mobile (preview)](../authentication/how-to-mfa-authenticator-lite.md).

-If you utilize Conditional Access or Identity Protection, and have IPv6 enabled on any of your devices, you likely must take action to avoid impacting your users. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to deprioritize IPv4 in any Azure AD features or services. We'll continue to share additional guidance on IPv6 enablement in Azure AD at this link: [IPv6 support in Azure Active Directory](/troubleshoot/azure/active-directory/azure-ad-ipv6-support).

-No functionalities will be removed. The new PDF viewer adds functionality and the limited visual changes in the end-user experiences will be communicated in a future update. If your organization has allow-listed only certain domains, you must ensure your allowlist includes the domains ΓÇÿmyaccount.microsoft.comΓÇÖ and ΓÇÿ*.myaccount.microsoft.comΓÇÖ for Terms of Use to continue working as expected.

-Privileged Identity Management (PIM) role activation has been expanded to the Billing and AD extensions in the Azure portal. Shortcuts have been added to Subscriptions (billing) and Access Control (AD) to allow users to activate PIM roles directly from these blades. From the Subscriptions blade, select **View eligible subscriptions** in the horizontal command menu to check your eligible, active, and expired assignments. From there, you can activate an eligible assignment in the same pane. In Access control (IAM) for a resource, you can now select **View my access** to see your currently active and eligible role assignments and activate directly. By integrating PIM capabilities into different Azure portal blades, this new feature allows users to gain temporary access to view or edit subscriptions and resources more easily.

-## December 2022

-### Public Preview - Windows 10+ Troubleshooter for Diagnostic Logs

-**Type:** New feature

-**Service category:** Audit

-**Product capability:** Monitoring & Reporting

-This feature analyzes uploaded client-side logs, also known as diagnostic logs, from a Windows 10+ device that is having an issue(s) and suggests remediation steps to resolve the issue(s). Admins can work with end user to collect client-side logs, and then upload them to this troubleshooter in the Entra Portal. For more information, see: [Troubleshooting Windows devices in Azure AD](../devices/troubleshoot-device-windows-joined.md).

-### General Availability - Multiple Password-less Phone Sign-ins for iOS Devices

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-End users can now enable password-less phone sign-in for multiple accounts in the Authenticator App on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use password-less phone sign-in for all of them from the same iOS device. The Azure AD accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-ins from one device.

-End users aren't required to enable the optional telemetry setting in the Authenticator App. For more information, see: [Enable passwordless sign-in with Microsoft Authenticator](../authentication/howto-authentication-passwordless-phone.md).

-### Public Preview(refresh) - Updates to Conditional Access templates

-**Type:** Changed feature

-**Service category:** Conditional Access

-**Product capability:** Identity Security & Protection

-Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. In total, there are 14 Conditional Access policy templates, filtered by five different scenarios; secure foundation, zero trust, remote work, protect administrators, and emerging threats.

-

-In this Public Preview refresh, we've enhanced the user experience with an updated design and added four new improvements:

-

-For more information, see: [Conditional Access templates (Preview)](../conditional-access/concept-conditional-access-policy-common.md).

-### Public Preview - Admins can restrict their users from creating tenants

-**Type:** New feature

-**Service category:** User Access Management

-**Product capability:** User Management

-The ability for users to create tenants from the Manage Tenant overview has been present in Azure AD since almost the beginning of the Azure portal. This new capability in the User Settings option allows admins to restrict their users from being able to create new tenants. There's also a new [Tenant Creator](../roles/permissions-reference.md#tenant-creator) role to allow specific users to create tenants. For more information, see [Default user permissions](../fundamentals/users-default-permissions.md#restrict-member-users-default-permissions).

-### General availability - Consolidated App launcher (My Apps) settings and new preview settings

-**Type:** New feature

-**Service category:** My Apps

-**Product capability:** End User Experiences

-We have consolidated relevant app launcher settings in a new App launchers section in the Azure and Entra portals. The entry point can be found under Enterprise applications, where Collections used to be. You can find the Collections option by selecting App launchers. In addition, we've added a new App launchers Settings option. This option has some settings you may already be familiar with like the Microsoft 365 settings. The new Settings options also have controls for previews. As an admin, you can choose to try out new app launcher features while they are in preview. Enabling a preview feature means that the feature turns on for your organization. This enabled feature reflects in the My Apps portal, and other app launchers for all of your users. To learn more about the preview settings, see: [End-user experiences for applications](../manage-apps/end-user-experiences.md).

-### Public preview - Converged Authentication Methods Policy

-**Type:** New feature

-**Service category:** MFA

-**Product capability:** User Authentication

-The Converged Authentication Methods Policy enables you to manage all authentication methods used for MFA and SSPR in one policy. You can migrate off the legacy MFA and SSPR policies, and target authentication methods to groups of users instead of enabling them for all users in the tenant. For more information, see: [Manage authentication methods for Azure AD](../authentication/concept-authentication-methods-manage.md).

-### General Availability - Administrative unit support for devices

-**Type:** New feature

-**Service category:** Directory Management

-**Product capability:** AuthZ/Access Delegation

-You can now use administrative units to delegate management of specified devices in your tenant by adding devices to an administrative unit. You're also able to assign built-in, and custom device management roles, scoped to that administrative unit. For more information, see: [Device management](../roles/administrative-units.md#device-management).

-### Public Preview - Frontline workers using shared devices can now use Microsoft Edge and Yammer apps on Android

-**Type:** New feature

-**Service category:** N/A

-**Product capability:** SSO

-Companies often provide mobile devices to frontline workers that need are shared between shifts. MicrosoftΓÇÖs shared device mode allows frontline workers to easily authenticate by automatically signing users in and out of all the apps that have enabled this feature. In addition to Microsoft Teams and Managed Home Screen being generally available, we're excited to announce that Microsoft Edge and Yammer apps on Android are now in Public Preview.

-For more information on deploying frontline solutions, see: [frontline deployment documentation](https://aka.ms/frontlinewhitepaper).

-For more information on shared-device mode, see: [Azure Active Directory Shared Device Mode documentation](../develop/msal-android-shared-devices.md#microsoft-applications-that-support-shared-device-mode).

-For steps to set up shared device mode with Intune, see: [Intune setup blog](https://techcommunity.microsoft.com/t5/intune-customer-success/enroll-android-enterprise-dedicated-devices-into-azure-ad-shared/ba-p/1820093).

-### Public preview - New provisioning connectors in the Azure AD Application Gallery - December 2022

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

-### General Availability - On-premises application provisioning

-**Type:** Changed feature

-**Service category:** Provisioning

-**Product capability:** Outbound to On-premises Applications

-Azure AD supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](../app-provisioning/on-premises-scim-provisioning.md) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](../app-provisioning/on-premises-ldap-connector-configure.md) user store, or a [SQL](../app-provisioning/tutorial-ecma-sql-connector.md) database, Azure AD can support those as well.

-### General Availability - New Federated Apps available in Azure AD Application gallery - December 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In December 2022 we've added the following 44 new applications in our App gallery with Federation support:

-[Bionexo IDM](https://login.bionexo.com/), [SMART Meeting Pro](https://www.smarttech.com/en/business/software/meeting-pro), [Venafi Control Plane ΓÇô Datacenter](../saas-apps/venafi-control-plane-tutorial.md), [HighQ](../saas-apps/highq-tutorial.md), [Drawboard PDF](https://pdf.drawboard.com/), [ETU Skillsims](../saas-apps/etu-skillsims-tutorial.md), [TencentCloud IDaaS](../saas-apps/tencent-cloud-idaas-tutorial.md), [TeamHeadquarters Email Agent OAuth](https://thq.entry.com/), [Verizon MDM](https://verizonmdm.vzw.com/), [QRadar SOAR](../saas-apps/qradar-soar-tutorial.md), [Tripwire Enterprise](../saas-apps/tripwire-enterprise-tutorial.md), [Cisco Unified Communications Manager](../saas-apps/cisco-unified-communications-manager-tutorial.md), [Howspace](https://login.in.howspace.com/), [Flipsnack SAML](../saas-apps/flipsnack-saml-tutorial.md), [Albert](http://www.albertinvent.com/), [Altinget.no](https://www.altinget.no/), [Coveo Hosted Services](../saas-apps/coveo-hosted-services-tutorial.md), [Cybozu(cybozu.com)](../saas-apps/cybozu-tutorial.md), [BombBomb](https://app.bombbomb.com/app), [VMware Identity Service](../saas-apps/vmware-identity-service-tutorial.md), [HexaSync](https://app-az.hexasync.com/login), [Trifecta Teams](https://app.trifectateams.net/), [VerosoftDesign](https://verosoft-design.vercel.app/), [Mazepay](https://app.mazepay.com/), [Wistia](../saas-apps/wistia-tutorial.md), [Begin.AI](https://app.begin.ai/), [WebCE](../saas-apps/webce-tutorial.md), [Dream Broker Studio](https://dreambroker.com/studio/login/), [PKSHA Chatbot](../saas-apps/pksha-chatbot-tutorial.md), [PGM-BCP](https://ups-pgm-bcp.4gfactor.com/azure/), [ChartDesk SSO](../saas-apps/chartdesk-sso-tutorial.md), [Elsevier SP](../saas-apps/elsevier-sp-tutorial.md), [GreenCommerce IdentityServer](https://identity.jem-id.nl/Account/Login), [Fullview](https://app.fullview.io/sign-in), [Aqua Platform](../saas-apps/aqua-platform-tutorial.md), [SpedTrack](../saas-apps/spedtrack-tutorial.md), [Pinpoint](https://pinpoint.ddiworld.com/psg2?sso=true), [Darzin Outlook Add-in](https://outlook.darzin.com/graph-login.html), [Simply Stakeholders Outlook Add-in](https://outlook.simplystakeholders.com/graph-login.html), [tesma](../saas-apps/tesma-tutorial.md), [Parkable](../saas-apps/parkable-tutorial.md), [Unite Us](../saas-apps/unite-us-tutorial.md)

-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial,

-For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

-### ADAL End of Support Announcement

-**Type:** N/A

-**Service category:** Other

-**Product capability:** Developer Experience

-As part of our ongoing initiative to improve the developer experience, service reliability, and security of customer applications, we'll end support for the Azure Active Directory Authentication Library (ADAL). The final deadline to migrate your applications to Azure Active Directory Authentication Library (MSAL) has been extended to **June 30, 2023**.

-### Why are we doing this?

-As we consolidate and evolve the Microsoft Identity platform, we're also investing in making significant improvements to the developer experience and service features that make it possible to build secure, robust and resilient applications. To make these features available to our customers, we needed to update the architecture of our software development kits. As a result of this change, weΓÇÖve decided that the path forward requires us to sunset Azure Active Directory Authentication Library. This allows us to focus on developer experience investments with Azure Active Directory Authentication Library.

-### What happens?

-We recognize that changing libraries isn't an easy task, and can't be accomplished quickly. We're committed to helping customers plan their migrations to Microsoft Authentication Library and execute them with minimal disruption.

-### How to find out which applications in my tenant are using Azure Active Directory Authentication Library?

-Refer to our post on [Microsoft Q&A](/answers/questions/360928/information-how-to-find-apps-using-adal-in-your-te.html) for details on identifying Azure Active Directory Authentication Library apps with the help of [Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md).

-### If IΓÇÖm using Azure Active Directory Authentication Library, what can I expect after the deadline?

-### What features can I only access with Microsoft Authentication Library?

-

-The number of features and capabilities that we're adding to Microsoft Authentication Library libraries are growing weekly. Some of them include:

-And more. For an up-to-date list, refer to our [migration guide](../develop/msal-migration.md#how-to-migrate-to-msal).

-### How to migrate?

-To make the migration process easier, we published a [comprehensive guide](../develop/msal-migration.md#how-to-migrate-to-msal) that documents the migration paths across different platforms and programming languages.

-In addition to the Azure Active Directory Authentication Library to Microsoft Authentication Library update, we recommend migrating from Azure AD Graph API to Microsoft Graph. This change enables you to take advantage of the latest additions and enhancements, such as CAE, across the Microsoft service offering through a single, unified endpoint. You can read more in our [Migrate your apps from Azure AD Graph to Microsoft Graph](/graph/migrate-azure-ad-graph-overview) guide. You can post any questions to [Microsoft Q&A](/answers/topics/azure-active-directory.html) or [Stack Overflow](https://stackoverflow.com/questions/tagged/msal).

-After the installation finishes, select **Configure Now**.

-A PowerShell window opens to start the agent registration process. When you're prompted, sign in by using an Azure AD account that has permissions to register the agent. By default, the Hybrid Identity Administrator account has permissions.

-After you sign in, PowerShell continues the installation. When it finishes, you can close PowerShell. Configuration is complete.

-At this point, the agent services should start to automatically allow the agent to securely upload the required data to the cloud service.

-If you haven't met all the prerequisites, warnings appear in the PowerShell window. Be sure to complete the [requirements](how-to-connect-health-agent-install.md#requirements) before you install the agent. The following screenshot shows an example of these warnings.

-| Azure AD Connect (Sync) | Azure AD Connect Health Sync Insights Service | Collect AAD Connect-specific information (connectors, synchronization rules, etc.) | - AadSyncService-SynchronizationRules <br /> - AadSyncService-Connectors <br /> - AadSyncService-GlobalConfigurations <br /> - AadSyncService-RunProfileResults <br /> - AadSyncService-ServiceConfigurations <br /> - AadSyncService-ServiceStatus |

-| | Azure AD Connect Health Sync Monitoring Service | Collect AAD Connect-specific perf counters, ETW traces, files | Performance counter |

-| AD FS | Azure AD Connect Health AD FS Diagnostics Service | Perform synthetic tests | TestResult (creates the test results) |

-| | Azure AD Connect Health AD FS Insights Service | Collect ADFS usage metrics | Adfs-UsageMetrics |

-| | Azure AD Connect Health AD FS Monitoring Service | Collect ADFS-specific perf counters, ETW traces, files | TestResult (uploads the test results) |

-* Make sure that Azure AD Connect Health Agents services are **running** on the machine. For example, Connect Health for AD FS should have three services.

-description: Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to provide a common identity for Microsoft 365, Azure, and SaaS applications integrated with Azure AD.

-keywords: introduction to Azure AD Connect, Azure AD Connect overview, what is Azure AD Connect, install active directory, Germany, Black Forest

-# Azure AD Connect in Microsoft Cloud Germany - Public Preview

-## Introduction

-Azure AD Connect provides synchronization between your on-premises Active Directory and Azure Active Directory.

-Currently, many of the scenarios in [Microsoft Cloud Germany](https://azure.microsoft.com/global-infrastructure/germany/

-) must be done by the operator.

-When using Microsoft Cloud Germany, you must be aware of the following information:

-* The following URLs must be opened on a proxy server for synchronization to occur successfully:

-

- * *.microsoftonline.de

- * *.windows.net

- * * Certificate Revocation Lists

-* When you sign in to your Azure AD directory, you must use an account in the onmicrosoft.de domain.

-

-## Download

-You can download Azure AD Connect from the Azure AD Connect blade within the portal. Use the instructions below to locate the Azure AD Connect blade.

-### The Azure AD Connect Blade

-Once you've signed in to the Azure portal:

-1. Go to Browse

-2. Select Azure Active Directory

-3. Then select Azure AD Connect

-You'll see these details:

-

-The following table describes the features shown in the blade.

-| Title | Description |

-| | |

-| SYNC STATUS |Let's you know whether synchronization is enabled or disabled. |

-| LAST SYNC |The last time a successful sync completed. |

-| FEDERATED DOMAINS |Shows the number of federated domains currently configured. |

-## Installation

-To install Azure AD Connect, you can use the documentation [here](how-to-connect-install-roadmap.md).

-## Advanced features and Additional Information

-For additional information about custom settings or advanced configurations, go to [Integrating your on-premises identities with Azure Active Directory](../whatis-hybrid-identity.md). This page provides information and links to additional guidance.

-Azure AD Connect Health ADDS and ADFS Health Agents (version 3.2.2256.26, Download Center Only)

- - the change was to have the agents use ΓÇÿCloudStorageAccount.UseV1MD5 = falseΓÇÖ so the agent only uses only FIPS compliant cryptography, otherwise azure blob client causes FIPs exceptions to be thrown.

-Azure AD Connect Health for AD FS supports AD FS 2.0 on Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019. It also supports monitoring the AD FS proxy or web application proxy servers that provide authentication support for extranet access. With an easy and quick installation of the Health Agent, Azure AD Connect Health for AD FS provides you a set of key capabilities.

-description: Learn how to manage consent requests when user consent is disabled or restricted, and how to evaluate a request for tenant-wide admin consent to an application in Azure Active Directory.

-Microsoft recommends that you [restrict user consent](../../active-directory/manage-apps/configure-user-consent.md) to allow users to consent only for apps from verified publishers, and only for permissions that you select. For apps that don't meet these criteria, the decision-making process will be centralized with your organization's security and identity administrator team.

-After you've disabled or restricted user consent, you have several important steps to take to help keep your organization secure as you continue to allow business-critical applications to be used. These steps are crucial to minimize impact on your organization's support team and IT administrators, and to help prevent the use of un-managed accounts in third-party applications.

- 1. Consider enabling the [admin consent workflow](configure-admin-consent-workflow.md) to allow users to request administrator approval directly from the consent screen.

- 1. Ensure that all administrators understand the [permissions and consent framework](../develop/consent-framework.md), how the [consent prompt](../develop/application-consent-experience.md) works, and how to [evaluate a request for tenant-wide admin consent](#evaluate-a-request-for-tenant-wide-admin-consent).

- 1. Review your organization's existing processes for users to request administrator approval for an application, and update them if necessary. If processes are changed:

- * Update the relevant documentation, monitoring, automation, and so on.

- * Communicate process changes to all affected users, developers, support teams, and IT administrators.

-1. [Audit apps and granted permissions](../../security/fundamentals/steps-secure-identity.md#audit-apps-and-consented-permissions) in your organization to ensure that no unwarranted or suspicious applications have previously been granted access to data.

-2. Review the [Detect and Remediate Illicit Consent Grants in Office 365](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants) article for more best practices and safeguards against suspicious applications that request OAuth consent.

-3. If your organization has the appropriate license, do the following:

- * Use other [OAuth application auditing features in Microsoft Defender for Cloud Apps](/cloud-app-security/investigate-risky-oauth).

- * Use [Azure Monitor Workbooks](../reports-monitoring/howto-use-azure-monitor-workbooks.md) to monitor permissions and consent-related activity. The *Consent Insights* workbook provides a view of apps by number of failed consent requests. This information can help you prioritize applications for administrators to review and decide whether to grant them admin consent.

-1. Take an inventory of the apps already added to your organization with high usage, based on sign-in logs or consent grant activity. You can use a [PowerShell script](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09) to quickly and easily discover applications with a large number of user consent grants.

-2. Evaluate the top applications to grant admin consent.

-3. For each approved application, grant tenant-wide admin consent and consider restricting user access by [requiring user assignment](assign-user-or-group-access-portal.md).

-Granting tenant-wide admin consent is a sensitive operation. Permissions will be granted on behalf of the entire organization, and they can include permissions to attempt highly privileged operations. Examples of such operations are role management, full access to all mailboxes or all sites, and full user impersonation.

-* Understand the [permissions and consent framework](../develop/consent-framework.md) in the Microsoft identity platform.

-* Understand the difference between [delegated permissions and application permissions](../develop/v2-permissions-and-consent.md#permission-types).

-* Understand the permissions that are being requested.

-* Understand which application is requesting permissions and who published the application.

-* Ensure that the requested permissions are aligned with the features you expect from the application.

-The Azure Active Directory Authentication Library (ADAL) is [currently slated for end-of-support](../fundamentals/whats-new.md#adal-end-of-support-announcement) on June 30, 2023. We recommend that customers migrate to Microsoft Authentication Libraries (MSAL), which replaces ADAL.

-Contact Notion support to configure Notion to support provisioning with Azure AD.

-In this article, we cover the steps needed to integrate Microsoft Entra Verified ID with [AU10TIX](https://www.au10tix.com/). AU10TIX is a global leader in identity verification enabling companies to scale up their business by accelerating onboarding scenarios and ongoing verification throughout the customer lifecycle. It is an automated solution for the verification of ID documents + biometrics in 8 seconds or less. AU10TIX supports the verification of documents in over 190 countries reading documents in their regional languages.

->[!NOTE]

-> You must have CLI version 2.47.0 or later to use the `--network-plugin-mode` argument. For Windows, you must have the [latest aks-preview Azure CLI extension installed](#install-the-aks-preview-azure-cli-extensionwindows-only).

-## Upgrade an existing cluster to CNI Overlay (Preview)

-> [!NOTE]

-> The upgrade capability is still in preview and requires the preview AKS Azure CLI extension.

->

-> You can update an existing Azure CNI cluster to Overlay if the cluster meets the following criteria:

->

-> - The cluster is on Kubernetes version 1.22+.

-> - Doesn't use the dynamic pod IP allocation feature.

-> - Doesn't have network policies enabled.

-> - Doesn't use any Windows node pools with docker as the container runtime.

-The upgrade process triggers each node pool to be reimaged simultaneously. Upgrading each node pool separately to Overlay isn't supported. Any disruptions to cluster networking are similar to a node image upgrade or Kubernetes version upgrade where each node in a node pool is reimaged.

-Update an existing Azure CNI cluster to use Overlay using the [`az aks update`][az-aks-update] command.

-```azurecli-interactive

-clusterName="myOverlayCluster"

-resourceGroup="myResourceGroup"

-location="westcentralus"

-az aks update --name $clusterName \

-```

-The `--pod-cidr` parameter is required when upgrading from legacy CNI because the pods need to get IPs from a new overlay space, which doesn't overlap with the existing node subnet. The pod CIDR also can't overlap with any VNet address of the node pools. For example, if your VNet address is *10.0.0.0/8*, and your nodes are in the subnet *10.240.0.0/16*, the `--pod-cidr` can't overlap with *10.0.0.0/8* or the existing service CIDR on the cluster.

-> [!WARNING]

-> Prior to Windows OS Build 20348.1668, there was a limitation around Windows Overlay pods incorrectly SNATing packets from host network pods, which had a more detrimental effect for clusters upgrading to Overlay. To avoid this issue, **use Windows OS Build 20348.1668**.

-description: Learn about storage in Azure Kubernetes Service (AKS), including volumes, persistent volumes, storage classes, and claims

-Finally, you might need to collect and store sensitive data or application configuration information into pods.

-Traditional volumes are created as Kubernetes resources backed by Azure Storage. You can manually create data volumes to be assigned to pods directly, or have Kubernetes automatically create them. Data volumes can use: [Azure Disk][disks-types], [Azure Files][storage-files-planning], [Azure NetApp Files][azure-netapp-files-service-levels], or [Azure Blobs][storage-account-overview].

-> Depending on the VM SKU that's being used, the Azure Disk CSI driver might have a per-node volume limit. For some powerful VMs (for example, 16 cores), the limit is 64 volumes per node. To identify the limit per VM SKU, review the **Max data disks** column for each VM SKU offered. For a list of VM SKUs offered and their corresponding detailed capacity limits, see [General purpose virtual machine sizes][general-purpose-machine-sizes].

- skuName: Premium_LRS

- ingress-nginx/ingress-nginx 2.12.0 0.34.1 Ingress controller for Kubernetes using NGINX a...

- CONTROLLER_REGISTRY=k8s.gcr.io

- CONTROLLER_TAG=v0.48.1

- PATCH_REGISTRY=docker.io

- PATCH_IMAGE=jettech/kube-webhook-certgen

- PATCH_TAG=v1.5.1

- DEFAULTBACKEND_REGISTRY=k8s.gcr.io

-## Add a Windows Server 2019 node pool

-> Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life (EOL) and won't be supported in future releases. For more information about this retirement, see the [AKS release notes][aks-release-notes].

-When creating a Windows node pool, on Kubernetes version 1.24 or earlier, the default operating system will be Windows Server 2019. To use Windows Server 2019 node pools when not the default option, you need to specify an OS SKU type of `Windows2019`.

-```azurecli-interactive

-az aks nodepool add \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --os-type Windows \

- --os-sku Windows2019 \

- --name npwin \

- --node-count 1

-```

-The above command creates a new Windows Server 2019 node pool named *npwin* and adds it to the *myAKSCluster*. The above command also uses the default subnet in the default vnet created when running `az aks create`.

-## Add a Windows Server 2022 node pool

-When creating a Windows node pool, for Kubernetes 1.25 and higher the default operating system will be Windows Server 2022. To use Windows Server 2022 nodes when not default, you need to specify an OS SKU type of `Windows2022`.

-> [!NOTE]

-> Windows Server 2022 requires Kubernetes version "1.23.0" or higher.

-> | 1.24.0 or greater | 1.2.4 |

-> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.4* of OSM.

-> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.4* of OSM.

-> - If your cluster is running Kubernetes version 1.24.0 or greater, the OSM add-on installs version *1.2.4* of OSM.

-All clusters in a suspended or deleted subscription will be stopped immediately and deleted after 30 days

-> [!NOTE]

-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement).

-> The AKS Managed add-on begins deprecation in Sept. 2023.

-* The maximum number of secrets that a cluster enabled with KMS supports is 2,000.

-* With KMS enabled, you can't change associated Azure Key Vault model (public, private). To [change associated key vault mode][changing-associated-key-vault-mode], you need to disable and enable KMS again.

-* If a cluster is enabled KMS with private key vault and not using the `API Server VNet integration` tunnel, then stop/start cluster is not allowed.

-On 30 September, 2025, these identity providers will stop functioning. To avoid disruption of your developer portal, you need to update your Azure AD applications and identity provider configuration in Azure API Management by that date. Your developer portal might be at a security risk after Microsoft ADAL support ends in June 1, 2023. Learn more in [the official announcement](../../active-directory/fundamentals/whats-new.md#adal-end-of-support-announcement).

-*Azure App Service* is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and [Linux](#app-service-on-linux)-based environments.

-> [!NOTE]

-> Linux and Windows App Service plans can now share resource groups. This limitation has been lifted from the platform and existing resource groups have been updated to support this.

->

- > For the application gateway v2 SKU, you can only choose **Public** frontend IP configuration. Private frontend IP configuration is currently not enabled for this v2 SKU.

- azure-cognitive-service-document:

- ports:

- azure-cognitive-service-layout:

- container_name: azure-cognitive-service-layout

- image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout-3.0

- environment:

- - EULA=accept

- - billing={FORM_RECOGNIZER_ENDPOINT_URI}

- - apiKey={FORM_RECOGNIZER_KEY}

- azure-cognitive-service-invoice:

- azure-cognitive-service-layout:

- container_name: azure-cognitive-service-layout

- image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/layout-3.0

- environment:

- - EULA=accept

- - billing={FORM_RECOGNIZER_ENDPOINT_URI}

- - apiKey={FORM_RECOGNIZER_KEY}

- azure-cognitive-service-receipt:

- container_name: azure-cognitive-service-receipt

- image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/receipt-3.0

- environment:

- - EULA=accept

- - billing={FORM_RECOGNIZER_ENDPOINT_URI}

- - apiKey={FORM_RECOGNIZER_KEY}

- - AzureCognitiveServiceReadHost=http://azure-cognitive-service-read:5000

- ports:

- - "5000:5050"

- container_name: azure-cognitive-service-read

- image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/read-3.0

- environment:

- - EULA=accept

- - billing={FORM_RECOGNIZER_ENDPOINT_URI}

- - apiKey={FORM_RECOGNIZER_KEY}

- azure-cognitive-service-receipt:

- container_name: azure-cognitive-service-id-document

- image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/id-document-3.0

- environment:

- - EULA=accept

- - billing={FORM_RECOGNIZER_ENDPOINT_URI}

- - apiKey={FORM_RECOGNIZER_KEY}

- - AzureCognitiveServiceReadHost=http://azure-cognitive-service-read:5000

- ports:

- - "5000:5050"

- azure-cognitive-service-read:

- container_name: azure-cognitive-service-read

- image: mcr.microsoft.com/azure-cognitive-services/form-recognizer/read-3.0

- environment:

- - EULA=accept

- - billing={FORM_RECOGNIZER_ENDPOINT_URI}

- - apiKey={FORM_RECOGNIZER_KEY}

-# Enable transparent data encryption on Azure Arc-enabled SQL Managed Instance

-## Turn on transparent data encryption on the managed instance

-In service-managed mode, transparent data encryption requires the managed instance to use a service-managed database master key as well as the service-managed server certificate. These credentials are automatically created when service-managed transparent data encryption is enabled.

-In customer-managed mode, transparent data encryption uses a service-managed database master key and uses keys you provide for the server certificate. To configure customer-managed mode:

-> If you need to change from one mode to the other, you must disable TDE from the current mode before you apply the new mode. For details, see [Turn off transparent data encryption on the managed instance](#turn-off-transparent-data-encryption-on-the-managed-instance).

->

-> For example, if the service is encrypted using service-managed mode, go to `Disabled` mode before you enable customer-managed mode.

->

-> ```console

-> kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": "Disabled" } } } }'

-> ```

-To proceed, select the mode you want to use.

-### [Service-managed mode](#tab/service-managed-mode)

-To enable TDE in service-managed mode, run kubectl patch to enable service-managed TDE

-### [Customer-managed mode](#tab/customer-managed-mode)

-To enable TDE in customer managed mode:

-## Turn off transparent data encryption on the managed instance

-### [Service-managed mode](#tab/service-managed-mode)

-Run kubectl patch to disable service-managed TDE.

-```console

-kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": "Disabled" } } } }'

-Example:

-```console

-kubectl patch sqlmi sqlmi-tde --namespace arc --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": "Disabled" } } } }'

-```

-### [Customer-managed mode](#tab/customer-managed-mode)

-Run kubectl patch to disable customer-managed TDE.

-When you disable TDE in customer-managed mode, you need to set `"protectorSecret" : null`.

-kubectl patch sqlmi <sqlmi-name> --namespace <namespace> --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": "Disabled" , "protectorSecret": null } } } }'

-kubectl patch sqlmi sqlmi-tde --namespace arc --type merge --patch '{ "spec": { "security": { "transparentDataEncryption": { "mode": "Disabled" , "protectorSecret": null } } } }'

-## Back up a transparent data encryption credential

-## Restore a transparent data encryption credential to a managed instance

- ### [Windows](#tab/windows)

-Static configuration is recommended for Arc resource bridge because the resource bridge needs three static IPs in the same subnet for the control plane, appliance VM, and reserved appliance VM (for upgrade). The control plane corresponds to the `controlplanenedpoint` parameter, the appliance VM IP to `k8snodeippoolstart`, and reserved appliance VM to `k8snodeippoolend` in the `createconfig` command that creates the bridge configuration files. If using DHCP, reserve those IP addresses, ensuring they are outside the DHCP range.

-The subnet of the IP addresses for Arc resource bridge must lie in the IP address prefix that is passed in the `ipaddressprefix` parameter of the `createconfig` command. The IP address prefix is the IP prefix that is exposed by the network to which Arc resource bridge is connected. It is entered as the subnet's IP address range for the virtual network and subnet mask (IP Mask) in CIDR notation, for example `192.168.7.1/24`. Consult your system or network administrator to obtain the IP address prefix in CIDR notation. An IP Subnet CIDR calculator may be used to obtain this value.

-### DNS Server

-If using a proxy, Arc resource bridge must be configured for proxy so that it can connect to the Azure services. To configure the Arc resource bridge with proxy, provide the proxy certificate file path during creation of the configuration files. Only pass the single proxy certificate. If a certificate bundle is passed then the deployment will fail. The proxy server endpoint can't be a .local domain. Proxy configuration of the management machine isn't configured by Arc resource bridge.

-There are only two certificates that should be relevant when deploying the Arc resource bridge behind an SSL proxy: the SSL certificate for your SSL proxy (so that the managment machine and on-premises appliance VM trust your proxy FQDN and can establish an SSL connection to it), and the SSL certificate of the Microsoft download servers. This certificate must be trusted by your proxy server itself, as the proxy is the one establishing the final connection and needs to trust the endpoint. Non-Windows machines may not trust this second certificate by default, so you may need to ensure that it's trusted.

-In order to deploy Arc resource bridge, images need to be downloaded to the management machine and then uploaded to the on-premises private cloud gallery. If your proxy server throttles download speed, this may impact your ability to download the required images (~3 GB) within the alotted time (90 min).

-| Token Credential | `<CONNECTION_NAME_PREFIX>__credential` | Defines how a token should be obtained for the connection. This setting is recommended only when specifying a user-assigned identity, when it should be set to "managedidentity". This value is only valid when hosted in the Azure Functions service. |

-| Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | When `credential` is set to "managedidentity", this property specifies the user-assigned identity to be used when obtaining a token. The property accepts a client ID corresponding to a user-assigned identity assigned to the application. If not specified, the system-assigned identity is used. This property is used differently in [local development scenarios](#local-development-with-identity-based-connections), when `credential` should not be set. |

-*Last updated: November 2022*

-| [Batch](../../batch/index.yml) | &#x2705; | &#x2705; |

-| [Cognitive

-| [Dedicated HSM](../../dedicated-hsm/index.yml) | &#x2705; | &#x2705; |

-| [File Sync](../../storage/file-sync/index.yml) | &#x2705; | &#x2705; |

-| [Lab Services](../../lab-services/index.yml) | &#x2705; | &#x2705; |

-| [Microsoft Defender for IoT](../../defender-for-iot/index.yml) (formerly Azure Security for IoT) | &#x2705; | &#x2705; |

-| [Microsoft Purview](../../purview/index.yml) (Includes Data Map, Governance Portal, and Data Estate Insight) | &#x2705; | &#x2705; |

-| [Microsoft Sentinel](../../sentinel/index.yml) | &#x2705; | &#x2705; |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-*Last updated: January 2023*

-| [App Configuration](../../azure-app-configuration/index.yml) | &#x2705; | &#x2705; | &#x2705; |&#x2705; | |

-| [Cloud Shell](../../cloud-shell/overview.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

-| [Microsoft Sentinel](../../sentinel/index.yml) (formerly Azure Sentinel) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

-# How to create data registry (preview)

- https://us.atlas.microsoft.com/dataRegistries/{udid}?api-version=2022-12-01-preview&subscription-key={Your-Azure-Maps-Subscription-key}

-https://us.atlas.microsoft.com/dataRegistries/operations/{udid}?api-version=2022-12-01-preview&subscription-key={Your-Azure-Maps-Primary-Subscription-key}

-https://us.atlas.microsoft.com/dataRegistries?api-version=2022-12-01-preview&subscription-key={Azure-Maps-Subscription-key}

- "downloadURL": "https://us.atlas.microsoft.com/dataRegistries/f6495f62-94f8-0ec2-c252-45626f82fcb2/content?api-version=2022-12-01-preview",

- "downloadURL": "https://us.atlas.microsoft.com/dataRegistries/8b1288fa-1958-4a2b-b68e-13a7i5af7d7c/content?api-version=2022-12-01-preview",

- "downloadURL": "https://us.atlas.microsoft.com/dataRegistries/7c1288fa-2058-4a1b-b68f-13a6h5af7d7c/content?api-version=2022-12-01-preview",

-| downloadURL | The download URL of the underlying data. Used to [Get content from a data registry](#get-content-from-a-data-registry). |

-## Get content from a data registry

-Once you've uploaded one or more files to an Azure storage account, created and Azure Maps datastore to link to those files, then registered them using the [register] API, you can access the data contained in the files.

-Use the `udid` to get the content of a file registered in an Azure Maps account:

- ```http

-https://us.atlas.microsoft.com/dataRegistries/{udid}/content?api-version=2022-12-01-preview&subscription-key={Your-Azure-Maps-Subscription-key}

-```

-The contents of the file appear in the body of the response. For example, a text based GeoJSON file appears similar to the following example:

-```json

-{

- "type": "FeatureCollection",

- "features": [

- {

- "type": "Feature",

- "geometry": {

- "type": "Point",

- "coordinates": [

- -122.126986,

- 47.639754

- ]

- },

- "properties": {

- "geometryId": "001",

- "radius": 500

- }

- }

- ]

-}

-```

-The file type is returned in the `content-type` key of the response header.

-Both text and binary files can be saved to a local hard drive or used directly in other processes like importing into the Azure Maps Creator conversion process.

-Below is the complete running code sample of the above functionality.

-<br/>

-<iframe height='500' scrolling='no' title='Add a pop up using Azure Maps' src='//codepen.io/azuremaps/embed/MPRPvz/?height=500&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/MPRPvz/'>Add a pop up using Azure Maps</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<br/>

-<br/>

-> - All scripts, forms, pointer lock and top navigation functionality is disabled. Links are allowed to open up in a new tab when clicked.

->

-> If you trust the data being loaded into the popups and potentially want these scripts loaded into popups be able to access your application, you can disable this by setting the popup templates `sandboxContent` option to false.

-The String template replaces placeholders with values of the feature properties. The properties of the feature don't have to be assigned a value of type String. For example, `value1` holds an integer. These values are then passed to the content property of the `popupTemplate`.

-<br/>

-<br/>

-Popups can be opened, closed, and dragged. The popup class provides events to help developers react to these events. The following sample highlights which events fire when the user opens, closes, or drags the popup.

-<br/>

-To load a map, create a new instance of the [Map class](/javascript/api/azure-maps-control/atlas.map). When initializing the map, pass a DIV element ID to render the map and pass a set of options to use when loading the map. If default authentication information isn't specified on the `atlas` namespace, this information will need to be specified in the map options when loading the map. The map loads several resources asynchronously for performance. As such, after creating the map instance, attach a `ready` or `load` event to the map and then add any additional code that interacts with the map to the event handler. The `ready` event fires as soon as the map has enough resources loaded to be interacted with programmatically. The `load` event fires after the initial map view has finished loading completely.

-<br/>

-> You can load multiple maps on the same page. Multiple map on the same page may use the same or different authentication and language settings.

-When the map is zoomed out on a wide screen, multiple copies of the world will appear horizontally. This option is great for some scenarios, but for other applications it's desirable to see a single copy of the world. This behavior is implemented by setting the maps `renderWorldCopies` option to `false`.

-<br/>

-When creating a map there, are several different types of options that can be passed in to customize how the map functions as listed below.

-These options can also be updated after the map has been loaded using the `setCamera`, `setServiceOptions`, `setStyle`, and `setUserInteraction` functions.

-//Set the camera options when creating the map.

-In the following code, a [Map object](/javascript/api/azure-maps-control/atlas.map) is created and the center and zoom options are set. Map properties, such as center and zoom level, are part of the [CameraOptions](/javascript/api/azure-maps-control/atlas.cameraoptions).

-<br/>

-A bounding box can be used to update the map camera. If the bounding box was calculated from point data, it is often useful to also specify a pixel padding value in the camera options to account for the icon size. This will help ensure that points don't fall off the edge of the map viewport.

-In the following code, a [Map object](/javascript/api/azure-maps-control/atlas.map) is constructed via `new atlas.Map()`. Map properties such as `CameraBoundsOptions` can be defined via [setCamera](/javascript/api/azure-maps-control/atlas.map) function of the Map class. Bounds and padding properties are set using `setCamera`.

-<br/>

-In the following code, the first code block creates a map and sets the enter and zoom map styles. In the second code block, a click event handler is created for the animate button. When this button is clicked, the `setCamera` function is called with some random values for the [CameraOptions](/javascript/api/azure-maps-control/atlas.cameraoptions) and [AnimationOptions](/javascript/api/azure-maps-control/atlas.animationoptions).

-<br/>

-Sometimes it is useful to be able to modify HTTP requests made by the map control. For example:

-The [service options](/javascript/api/azure-maps-control/atlas.serviceoptions) of the map has a `transformRequest` that can be used to modify all requests made by the map before they are made. The `transformRequest` option is a function that takes in two parameters; a string URL, and a resource type string that indicates what the request is used for. This function must return a [RequestParameters](/javascript/api/azure-maps-control/atlas.requestparameters) result.

-When using a request transform you must return a `RequestParameters` object that contains a `url` property at a minimum. The following are the properties that can be included in a `RequestParameters` object.

-The resource types most relevant to content you add to the map are listed in the table below:

-| Source | A request for source information, such as a TileJSON request. Some requests from the base map styles will also use this resource type when loading source information. |

-Here are some resource types that are passed through the request transform that are related to the base map styles: StyleDefinitions, Style, SpriteImage, SpriteJSON, Glyphs, Attribution. You will normally want to ignore these and simply return the `url` value.

-## Try out the code

-Look at the code samples. You can edit the JavaScript code inside the **JS tab** and see the map view changes on the **Result tab**. You can also click **Edit on CodePen**, in the top-right corner, and modify the code in CodePen.

-<br/>

-A choropleth map can be rendered using the polygon extrusion layer. Set the `height` and `fillColor` properties of the extrusion layer to the measurement of the statistical variable in the `Polygon` and `MultiPolygon` feature geometries. The following code sample shows an extruded choropleth map of the United States based on the measurement of the population density by state.

-<br/>

- See the Pen <a href='https://codepen.io/azuremaps/pen/eYYYNox'>Extruded choropleth map</a> by Azure Maps(<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-Azure Maps uses an extended version of the GeoJSON schema that provides a [definition for circles] (./extend-geojson.md#circle). An extruded circle can be rendered on the map by creating a `point` feature with a `subType` property of `Circle` and a numbered `Radius` property representing the radius in **meters**. For example:

-<br/>

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-The Polygon Extrusion layer has several styling options. Here is a tool to try them out.

-<br/>

-<iframe height='700' scrolling='no' title='PoogBRJ' src='//codepen.io/azuremaps/embed/PoogBRJ/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/PoogBRJ/'>PoogBRJ</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

- You can also use custom properties to extract and manipulate data from alert payloads that use the common schema. You can use those values in the action group webhook or logic app.

-|Azure Functions - dependencies | :x: | :x: | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[2](#Preview)</sup> | :x: | [ :white_check_mark: :link: ](monitor-functions.md#distributed-tracing-for-python-function-apps) |

-* [Application map](app-map.md)

-For more information, see [Monitoring Azure Functions with Azure Monitor Application Insights](./monitor-functions.md#distributed-tracing-for-java-applications-preview).

-## Distributed tracing for Java applications (preview)

-This feature is currently in public preview for Java Azure Functions for both Windows and Linux.

- cluster: <CLUSTER-NAME>

-A backup policy enables a volume to be protected on a regularly scheduled interval. It does not require snapshot policies to be configured. Backup policies continues the daily cadence based on the time of day when the backup policy is linked to the volume, using the time zone of the Azure region where the volume exists. Weekly schedules are preset to occur each Sunday after 11:59 p.m. Monthly schedules are preset to occur after 11:59 p.m. on the last day of each calendar month. If backups are needed at a specific time/day, consider using [manual backups](backup-configure-manual.md).

-A filter in the OData language is a Boolean expression. It can be one of several expression types, as shown in the following EBNF description:

-```

-/* Identifiers */

-string_identifier ::= 'connectionId' | 'userId'

-collection_identifier ::= 'groups'

-/* Rules for $filter */

-boolean_expression ::= logical_expression

- | comparison_expression

- | in_expression

- | boolean_literal

- | boolean_function_call

- | '(' boolean_expression ')'

-```

-| [Country](https://docs.vdms.com/cdn/Content/HRE/M/Country.htm) | Identifies requests that originate from the specified countries. |

-> We are retiring the standard voices from September 1, 2021 through August 31, 2024. If you used a standard voice with your Speech resource prior to September 1, 2021 then you can continue to do so until August 31, 2024. All other Speech resources can only use prebuilt neural voices. You can choose from the supported [neural voice names](language-support.md?tabs=tts). After August 31, the standard voices won't be supported with any Speech resource.

-The table in this section summarizes the locales and voices supported for Speech to text. Please see the table footnotes for more details.

-The table in this section summarizes the locales and voices supported for Text to speech. Please see the table footnotes for more details.

-> We are retiring the standard voices from September 1, 2021 through August 31, 2024. If you used a standard voice with your Speech resource prior to September 1, 2021 then you can continue to do so until August 31, 2024. All other Speech resources can only use prebuilt neural voices. You can choose from the supported [neural voice names](language-support.md?tabs=tts). After August 31, the standard voices won't be supported with any Speech resource.

-> [!NOTE]

-> When you use the Speech CLI in a container, include the `--host` option. For example, run `spx recognize --host wss://localhost:5000/ --file myaudio.wav` to recognize speech from an audio file in a [speech to text container](speech-container-stt.md).

-With HTTP on Spark, any web service can be used in your big data pipeline. In this example, we use the [World Bank API](http://api.worldbank.org/v2/country/) to get information about various countries around the world.

-# Create a dataframe with spcificies which countries we want data on

-> This article only describes the limits for pre-configured features in Azure Cognitive Service for Language:

-When using features of the Language service, keep the following in mind:

-* Pricing is not affected by data or rate limits. Pricing is based on the number of text records you send to the API, and is subject to your Language resource's [pricing details](https://aka.ms/unifiedLanguagePricing).

-| Conversation issue and resolution summarization| 40,000 characters as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements).|

-| All other pre-configured features (synchronous) | 5,120 as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements). If you need to submit larger documents, consider using the feature asynchronously (described below). |

-| All other pre-configured features ([asynchronous](use-asynchronously.md)) | 125,000 characters across all submitted documents, as measured by [StringInfo.LengthInTextElements](/dotnet/api/system.globalization.stringinfo.lengthintextelements) (maximum of 25 documents). |

-If a document exceeds the character limit, the API will behave differently depending on how you're sending requests.

-* The API won't process a document that exceeds the maximum size, and will return an invalid document error for it. If an API request has multiple documents, the API will continue processing them if they are within the character limit.

-* The API will reject the entire request and return a `400 bad request` error if any document within it exceeds the maximum size.

-| All pre-configured features | 1MB |

-Exceeding the following document limits will generate an HTTP 400 error code.

-Your rate limit will vary with your [pricing tier](https://azure.microsoft.com/pricing/details/cognitive-services/text-analytics/). These limits are the same for both versions of the API. These rate limits don't apply to the Text Analytics for health container, which does not have a set rate limit.

-| Personally Identifiable Information (PII) detection | `2020-07-01`, `2021-01-15*`, `2023-01-01-preview**` |

-* [Enrich a Cognitive Search index tutorial](../tutorials/cognitive-search.md)

-description: Improve your cognitive search indices using custom Named Entity Recognition (NER)

-# Tutorial: Enrich a Cognitive Search index with custom entities from your data

-In enterprise, having an abundance of electronic documents can mean that searching through them is a time-consuming and expensive task. [Azure Cognitive Search](../../../../search/search-create-service-portal.md) can help with searching through your files, based on their indices. Custom named entity recognition can help by extracting relevant entities from your files, and enriching the process of indexing these files.

-In this tutorial, you learn how to:

-* Create a custom named entity recognition project.

-* Publish Azure function.

-* Add an index to Azure Cognitive Search.

-## Prerequisites

-* [An Azure Language resource connected to an Azure blob storage account](../how-to/create-project.md).

- * We recommend following the instructions for creating a resource using the Azure portal, for easier setup.

-* [An Azure Cognitive Search service](../../../../search/search-create-service-portal.md) in your current subscription

- * You can use any tier, and any region for this service.

-* An [Azure function app](../../../../azure-functions/functions-create-function-app-portal.md)

-## Upload sample data to blob container

-# [Language Studio](#tab/Language-studio)

-## Create a custom named entity recognition project

-Once your resource and storage account are configured, create a new custom NER project. A project is a work area for building your custom ML models based on your data. Your project can only be accessed by you and others who have access to the Language resource being used.

-## Train your model

-Typically after you create a project, you go ahead and start [tagging the documents](../how-to/tag-data.md) you have in the container connected to your project. For this tutorial, you have imported a sample tagged dataset and initialized your project with the sample JSON tags file.

-## Deploy your model

-Generally after training a model you would review its [evaluation details](../how-to/view-model-evaluation.md) and [make improvements](../how-to/view-model-evaluation.md) if necessary. In this quickstart, you will just deploy your model, and make it available for you to try in Language Studio, or you can call the [prediction API](https://aka.ms/ct-runtime-swagger).

-# [REST APIs](#tab/REST-APIs)

-### Get your resource keys and endpoint

-## Create a custom NER project

-Once your resource and storage account are configured, create a new custom NER project. A project is a work area for building your custom ML models based on your data. Your project can only be accessed by you and others who have access to the Language resource being used.

-Use the tags file you downloaded from the [sample data](https://github.com/Azure-Samples/cognitive-services-sample-data-files) in the previous step and add it to the body of the following request.

-### Trigger import project job

-### Get import job status

- [!INCLUDE [get import project status](../includes/rest-api/get-import-status.md)]

-## Train your model

-Typically after you create a project, you go ahead and start [tagging the documents](../how-to/tag-data.md) you have in the container connected to your project. For this tutorial, you have imported a sample tagged dataset and initialized your project with the sample JSON tags file.

-### Start training job

-After your project has been imported, you can start training your model.

-### Get training job status

-Training could take sometime between 10 and 30 minutes for this sample dataset. You can use the following request to keep polling the status of the training job until it's successfully completed.

- [!INCLUDE [get training model status](../includes/rest-api/get-training-status.md)]

-## Deploy your model

-Generally after training a model you would review its [evaluation details](../how-to/view-model-evaluation.md) and [make improvements](../how-to/view-model-evaluation.md) if necessary. In this tutorial, you will just deploy your model, and make it available for you to try in Language Studio, or you can call the [prediction API](https://aka.ms/ct-runtime-swagger).

-### Start deployment job

-### Get deployment job status

-## Use CogSvc language utilities tool for Cognitive search integration

-

-### Publish your Azure Function

-1. Download and use the [provided sample function](https://aka.ms/CustomTextAzureFunction).

-2. After you download the sample function, open the *program.cs* file in Visual Studio and [publish the function to Azure](../../../../azure-functions/functions-develop-vs.md?tabs=in-process#publish-to-azure).

-### Prepare configuration file

-1. Download [sample configuration file](https://aka.ms/CognitiveSearchIntegrationToolAssets) and open it in a text editor.

-2. Get your storage account connection string by:

-

- 1. Navigating to your storage account overview page in the [Azure portal](https://portal.azure.com/#home).

- 2. In the **Access Keys** section in the menu to the left of the screen, copy your **Connection string** to the `connectionString` field in the configuration file, under `blobStorage`.

- 3. Go to the container where you have the files you want to index and copy container name to the `containerName` field in the configuration file, under `blobStorage`.

-3. Get your cognitive search endpoint and keys by:

-

- 1. Navigating to your resource overview page in the [Azure portal](https://portal.azure.com/#home).

- 2. Copy the **Url** at the top-right section of the page to the `endpointUrl` field within `cognitiveSearch`.

- 3. Go to the **Keys** section in the menu to the left of the screen. Copy your **Primary admin key** to the `apiKey` field within `cognitiveSearch`.

-4. Get Azure Function endpoint and keys

-

- 1. To get your Azure Function endpoint and keys, go to your function overview page in the [Azure portal](https://portal.azure.com/#home).

- 2. Go to **Functions** menu on the left of the screen, and select on the function you created.

- 3. From the top menu, select **Get Function Url**. The URL will be formatted like this: `YOUR-ENDPOINT-URL?code=YOUR-API-KEY`.

- 4. Copy `YOUR-ENDPOINT-URL` to the `endpointUrl` field in the configuration file, under `azureFunction`.

- 5. Copy `YOUR-API-KEY` to the `apiKey` field in the configuration file, under `azureFunction`.

-5. Get your resource keys endpoint

- [!INCLUDE [Get resource keys and endpoint](../includes/get-keys-endpoint-azure.md)]

-6. Get your custom NER project secrets

- 1. You will need your **project-name**, project names are case-sensitive. Project names can be found in **project settings** page.

- 2. You will also need the **deployment-name**. Deployment names can be found in **Deploying a model** page.

-### Run the indexer command

-After you've published your Azure function and prepared your configs file, you can run the indexer command.

-```cli

- indexer index --index-name <name-your-index-here> --configs <absolute-path-to-configs-file>

-```

-Replace `name-your-index-here` with the index name that appears in your Cognitive Search instance.

-## Next steps

-* [Search your app with with the Cognitive Search SDK](../../../../search/search-howto-dotnet-sdk.md#run-queries)

-description: Improve your cognitive search indices using custom text classification

-# Tutorial: Enrich Cognitive Search index with custom classes from your data

-With the abundance of electronic documents within the enterprise, the problem of search through them becomes a tiring and expensive task. [Azure Cognitive Search](../../../../search/search-create-service-portal.md) helps with searching through your files based on their indices. Custom text classification helps in enriching the indexing of these files by classifying them into your custom classes.

-In this tutorial, you will learn how to:

-* Create a custom text classification project.

-* Publish Azure function.

-* Add Index to your Azure Cognitive search.

-## Prerequisites

-* [An Azure Language resource connected to an Azure blob storage account](../how-to/create-project.md).

- * We recommend following the instructions for creating a resource using the Azure portal, for easier setup.

-* [An Azure Cognitive Search service](../../../../search/search-create-service-portal.md) in your current subscription

- * You can use any tier, and any region for this service.

-* An [Azure function app](../../../../azure-functions/functions-create-function-app-portal.md)

-## Upload sample data to blob container

-# [Language studio](#tab/Language-studio)

-## Create a custom text classification project

-Once your resource and storage container are configured, create a new custom text classification project. A project is a work area for building your custom ML models based on your data. Your project can only be accessed by you and others who have access to the Language resource being used.

-## Train your model

-Typically after you create a project, you go ahead and start [tagging the documents](../how-to/tag-data.md) you have in the container connected to your project. For this tutorial, you have imported a sample tagged dataset and initialized your project with the sample JSON tags file.

-## Deploy your model

-Generally after training a model you would review it's [evaluation details](../how-to/view-model-evaluation.md) and [make improvements](../how-to/view-model-evaluation.md) if necessary. In this quickstart, you will just deploy your model, and make it available for you to try in Language Studio, or you can call the [prediction API](https://aka.ms/ct-runtime-swagger).

-# [REST APIs](#tab/REST-APIs)

-### Get your resource keys and endpoint

-## Create a custom text classification project

-Once your resource and storage container are configured, create a new custom text classification project. A project is a work area for building your custom ML models based on your data. Your project can only be accessed by you and others who have access to the Language resource being used.

-### Trigger import project job

-### Get import job Status

- [!INCLUDE [get import project status](../includes/rest-api/get-import-status.md)]

-## Train your model

-Typically after you create a project, you go ahead and start [tagging the documents](../how-to/tag-data.md) you have in the container connected to your project. For this tutorial, you have imported a sample tagged dataset and initialized your project with the sample JSON tags file.

-### Start training your model

-After your project has been imported, you can start training your model.

-### Get training job status

-Training could take sometime between 10 and 30 minutes for this sample dataset. You can use the following request to keep polling the status of the training job until it is successfully completed.

- [!INCLUDE [get training model status](../includes/rest-api/get-training-status.md)]

-## Deploy your model

-Generally after training a model you would review it's [evaluation details](../how-to/view-model-evaluation.md) and [make improvements](../how-to/view-model-evaluation.md) if necessary. In this quickstart, you will just deploy your model, and make it available for you to try in Language Studio, or you can call the [prediction API](https://aka.ms/ct-runtime-swagger).

-### Submit deployment job

-### Get deployment job status

-## Use CogSvc language utilities tool for Cognitive search integration

-

-### Publish your Azure Function

-1. Download and use the [provided sample function](https://aka.ms/CustomTextAzureFunction).

-2. After you download the sample function, open the *program.cs* file in Visual Studio and [publish the function to Azure](../../../../azure-functions/functions-develop-vs.md?tabs=in-process#publish-to-azure).

-### Prepare configuration file

-1. Download [sample configuration file](https://aka.ms/CognitiveSearchIntegrationToolAssets) and open it in a text editor.

-2. Get your storage account connection string by:

-

- 1. Navigating to your storage account overview page in the [Azure portal](https://portal.azure.com/#home).

- 2. In the **Access Keys** section in the menu to the left of the screen, copy your **Connection string** to the `connectionString` field in the configuration file, under `blobStorage`.

- 3. Go to the container where you have the files you want to index and copy container name to the `containerName` field in the configuration file, under `blobStorage`.

-3. Get your cognitive search endpoint and keys by:

-

- 1. Navigating to your resource overview page in the [Azure portal](https://portal.azure.com/#home).

- 2. Copy the **Url** at the top-right section of the page to the `endpointUrl` field within `cognitiveSearch`.

- 3. Go to the **Keys** section in the menu to the left of the screen. Copy your **Primary admin key** to the `apiKey` field within `cognitiveSearch`.

-4. Get Azure Function endpoint and keys

-

- 1. To get your Azure Function endpoint and keys, go to your function overview page in the [Azure portal](https://portal.azure.com/#home).

- 2. Go to **Functions** menu on the left of the screen, and click on the function you created.

- 3. From the top menu, click **Get Function Url**. The URL will be formatted like this: `YOUR-ENDPOINT-URL?code=YOUR-API-KEY`.

- 4. Copy `YOUR-ENDPOINT-URL` to the `endpointUrl` field in the configuration file, under `azureFunction`.

- 5. Copy `YOUR-API-KEY` to the `apiKey` field in the configuration file, under `azureFunction`.

-5. Get your resource keys endpoint

- [!INCLUDE [Get keys and endpoint Azure Portal](../includes/get-keys-endpoint-azure.md)]

-6. Get your custom text classification project secrets

- 1. You will need your **project-name**, project names are case-sensitive. Project names can be found in **project settings** page.

- 2. You will also need the **deployment-name**. Deployment names can be found in **Deploying a model** page.

-### Run the indexer command

-After you've published your Azure function and prepared your configs file, you can run the indexer command.

-```cli

- indexer index --index-name <name-your-index-here> --configs <absolute-path-to-configs-file>

-```

-Replace `name-your-index-here` with the index name that appears in your Cognitive Search instance.

-## Next steps

-* [Search your app with with the Cognitive Search SDK](../../../../search/search-howto-dotnet-sdk.md#run-queries)

-zone_pivot_groups: usage-custom-language-features

-## GPT-4 models

-> [!IMPORTANT]

-> The currently listed deprecation dates in Azure OpenAI Studio and via REST API for gpt-35-turbo (0301) is a temporary placeholder. Deprecation will not happen prior to October 1st 2023.

-> [!IMPORTANT]

-> The currently listed deprecation dates in Azure OpenAI Studio and via REST API for the gpt-4 and gpt-4-32k (0314) models are temporary placeholders. Deprecation will not happen prior to October 1st 2023.

-openai.api_version = "2023-05-15"

-url = openai.api_base + "/openai/deployments?api-version=2023-05-15"

-> The following refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/faq.yml)). To enable these logs for your Communications Services, see: [Enable logging in Diagnostic Settings](../enable-logging.md)

-* **Usage logs** - provides usage data associated with each billed service offering

-* **Call Automation operational logs** - provides operational information on Call Automation API requests. These logs can be used to identify failure points, query all requests made in a call (using Correlation ID or Server Call ID) or query all requests made by a specific service application in the call (using Participant ID).

-| -- | |

-| `Timestamp` | The timestamp (UTC) of when the log was generated. |

-| `Operation Name` | The operation associated with log record. |

-| `Operation Version` | The `api-version` associated with the operation, if the operationName was performed using an API. If there's no API that corresponds to this operation, the version represents the version of that operation in case the properties associated with the operation change in the future. |

-| `Category` | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

-| `Correlation ID` | The ID for correlated events. Can be used to identify correlated events between multiple tables. |

-| `Properties` | Other data applicable to various modes of Communication Services. |

-| `Record ID` | The unique ID for a given usage record. |

-| `Usage Type` | The mode of usage. (for example, Chat, PSTN, NAT, etc.) |

-| `Unit Type` | The type of unit that usage is based off for a given mode of usage. (for example, minutes, megabytes, messages, etc.). |

-| `Quantity` | The number of units used or consumed for this record. |

-| `OperationName` | The operation associated with log record. |

-| `Category` | The log category of the event. Category is the granularity at which you can enable or disable logs on a particular resource. The properties that appear within the properties blob of an event are the same within a particular log category and resource type. |

-| `ResultSignature` | The sub status of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call. |

-| `SubOperationName` | Used to identify the sub type of media operation (play, recognize) |

-# End of call survey (preview)

-|`Country`|Represent the countries where the SMS messages were sent to or received from|

-## Customers with US Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :- | :- | :- | :- | :- | : |

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | General Availability | General Availability\* |

-| USA & Puerto Rico | Local | - | - | General Availability | General Availability\* |

-| USA | Short-Codes\** | General Availability | General Availability | - | - |

-| UK | Toll-Free | - | - | General Availability | General Availability\* |

-| UK | Local | - | - |

-| Canada | Toll-Free | General Availability | General Availability | General Availability | General Availability\* |

-| Canada | Local | - | - | General Availability | General Availability\* |

-| Denmark | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Denmark | Local | - | - | Public Preview | Public Preview\* |

-| Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID\** | Public Preview | - | - | - |

-\** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with UK Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :-- | :- | :- | :- | : | : |

-| UK | Toll-Free | - | - | General Availability | General Availability\* |

-| UK | Local | - | - | General Availability | General Availability\* |

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | General Availability | General Availability\* |

-| USA & Puerto Rico | Local | - | - | General Availability | General Availability\* |

-| Canada | Toll-Free | General Availability | General Availability | General Availability | General Availability\* |

-| Canada | Local | - | - | General Availability | General Availability\* |

-| United Kingdom, Germany, Netherlands, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-\** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Ireland Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :- | :-- | :- | :- | :- | : |

-| Ireland | Toll-Free | - | - | General Availability | General Availability\* |

-| Ireland | Local | - | - | General Availability | General Availability\* |

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | General Availability | General Availability\* |

-| USA & Puerto Rico | Local | - | - | General Availability | General Availability\* |

-| Denmark | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Denmark | Local | - | - | Public Preview | Public Preview\* |

-| Italy | Toll-Free** | - | - | General Availability | General Availability\* |

-| Italy | Local** | - | - | General Availability | General Availability\* |

-| Sweden | Toll-Free | - | - | General Availability | General Availability\* |

-| Sweden | Local | - | - | General Availability | General Availability\* |

-| Ireland, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-| Denmark, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-\** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Canada Azure billing addresses

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | General Availability | General Availability\* |

-| USA & Puerto Rico | Local | - | - | General Availability | General Availability\* |

-| Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-\** Phone numbers in Italy can only be purchased for own use. Reselling or suballocating to another party is not allowed.

-## Customers with Sweden Azure billing addresses

-| Sweden | Toll-Free | - | - | General Availability | General Availability\* |

-| Sweden | Local | - | - | General Availability | General Availability\* |

-| Canada | Toll-Free | General Availability | General Availability | General Availability | General Availability\* |

-| Canada | Local | - | - | General Availability | General Availability\* |

-| USA & Puerto Rico | Toll-Free | General Availability | General Availability | General Availability | General Availability\* |

-| USA & Puerto Rico | Local | - | - | General Availability | General Availability\* |

-| Ireland | Toll-Free | - | - | General Availability | General Availability\* |

-| Ireland | Local | - | - | General Availability | General Availability\* |

-| Denmark | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Denmark | Local | - | - | Public Preview | Public Preview\* |

-| Italy | Toll-Free** | - | - | General Availability | General Availability\* |

-| Italy | Local** | - | - | General Availability | General Availability\* |

-| Sweden, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-\* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details.

-\** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with France Azure billing addresses

-| France | Local** | - | - | Public Preview | Public Preview\* |

-| France, Germany, Netherlands, United Kingdom, Australia, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \*** | Public Preview | - | - | - |

-\* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details.

-\** Phone numbers in France can only be purchased for own use. Reselling or suballocating to another party is not allowed.

-\*** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Spain Azure billing addresses

-| Spain | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Spain | Local | - | - | Public Preview | Public Preview\* |

-| Spain, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-\** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Switzerland Azure billing addresses

-| Switzerland | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Switzerland | Local | - | - | Public Preview | Public Preview\* |

-| Switzerland, Germany, Netherlands, United Kingdom, Australia, France, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-\** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Belgium Azure billing addresses

-| Belgium | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Belgium | Local | - | - | Public Preview | Public Preview\* |

-## Customers with Luxembourg Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :- | :-- | :- | :- | :- | : |

-| Luxembourg | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Luxembourg | Local | - | - | Public Preview | Public Preview\* |

-\* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details.

-## Customers with Austria Azure billing addresses

-| Austria | Toll-Free** | - | - | Public Preview | Public Preview\* |

-| Austria | Local** | - | - | Public Preview | Public Preview\* |

-| Austria, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \*** | Public Preview | - | - | - |

-\* Please refer to [Inbound calling capabilities page](../telephony/inbound-calling-capabilities.md) for details.

-\** Phone numbers in Austria can only be purchased for own use. Reselling or suballocating to another party is not allowed.

-\** Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Norway Azure billing addresses

-| Norway | Local** | - | - | Public Preview | Public Preview\* |

-| Norway | Toll-Free | - | - | Public Preview | Public Preview\* |

-\** Phone numbers in Norway can only be purchased for own use. Reselling or suballocating to another party is not allowed.

-## Customers with Netherlands Azure billing addresses

-| Netherlands | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Netherlands | Local | - | - | Public Preview | Public Preview\* |

-| Netherlands, Germany, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-\** Alphanumeric sender ID in Netherlands can only be purchased for own use. Reselling or suballocating to another party is not allowed. Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Germany Azure billing addresses

-| Germany | Local | - | - | Public Preview | Public Preview\* |

-| Germany | Toll-Free | - | - | Public Preview | Public Preview\* |

-| Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \** | Public Preview | - | - | - |

-\** Alphanumeric sender ID in Netherlands can only be purchased for own use. Reselling or suballocating to another party is not allowed. Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Australia Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :- | :-- | :- | :- | :- | : |

-| Australia, Germany, Netherlands, United Kingdom, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \* | Public Preview | - | - | - |

-\* Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Poland Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :- | :-- | :- | :- | :- | : |

-| Poland, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Austria, Lithuania, Latvia, Estonia | Alphanumeric Sender ID \* | Public Preview | - | - | - |

-\* Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Lithuania Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :- | :-- | :- | :- | :- | : |

-| Lithuania, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Latvia, Estonia | Alphanumeric Sender ID \* | Public Preview | - | - | - |

-\* Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Latvia Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :- | :-- | :- | :- | :- | : |

-| Latvia, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Estonia | Alphanumeric Sender ID \* | Public Preview | - | - | - |

-\* Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-## Customers with Estonia Azure billing addresses

-| Number | Type | Send SMS | Receive SMS | Make Calls | Receive Calls |

-| :- | :-- | :- | :- | :- | : |

-| Estonia, Germany, Netherlands, United Kingdom, Australia, France, Switzerland, Sweden, Italy, Spain, Denmark, Ireland, Portugal, Poland, Austria, Lithuania, Latvia | Alphanumeric Sender ID \* | Public Preview | - | - | - |

-\* Please refer to [SMS Concepts page](../sms/concepts.md) for supported destinations for this service.

-Note: Pricing for all countries is subject to change as pricing is market-based and depends on third-party suppliers of telephony services. Additionally, pricing may include requisite taxes and fees.

-The table below lists the main properties of `room` objects:

-| `validFrom` | Earliest time a `room` can be used. |

-| `participants` | List of participants to a `room`. Specified as a `CommunicationIdentifier`. |

-Once you've created the room and configured it, you can learn how to [join a rooms call](join-rooms-call.md).

-dev services allow you to use OSS services without the burden of manual downloads, creation, and configuration.

-Continuous backup mode supports two ways to restore deleted containers, databases. Existing restore mechanism restores into a [new account](restore-account-continuous-backup.md) as documented here. Restore into existing account is described [here](restore-account-continuous-backup.md). The choice between two depends on the scenarios and impact. Most of the deleted containers, databases can prefer in-account (existing) account restore to prevent data transfer which is required in case you restored to a new account. For scenarios where you have modified the data accidently restore into new account is the right thing to do.

-| SLA violated | Requests contain multiple failure error codes, like `410` and `IsValid is true`. | Points to a problem with the Azure Cosmos DB service. |

-| SLA violated | Requests contain multiple failure error codes, like `410` and `IsValid is false`. | Points to a problem with the machine. |

-### Step 3: Calculate the number of RU/s to start with

-`Starting RU/s = Number of physical partitions * Initial throughput per physical partition`.

-When you create or edit a budget for a subscription or resource group scope, you can configure it to call an action group. The action group can perform various actions when your budget threshold is met.

-Action Groups are currently only supported for subscription and resource group scopes. For more information about creating action groups, see [action groups](../../azure-monitor/alerts/action-groups.md).

-## View budgets in the Azure mobile app

-Users in the following countries/locales don't see the **Settle balance** option. Instead, they use the [Pay now](../understand/pay-bill.md#pay-now-in-the-azure-portal) option to pay their bill.

-| **Unused savings plan report** | Request for an AmortizedCost report.<br><br> Once you've ingested all of the usage, filter for usage records with ChargeType = 'UnusedBenefit' and PricingModel ='SavingsPlan'. |

-| Unused benefit (provides the number of hours the savings plan wasn't used in a day and the monetary value of the waste) | Not applicable in the view. | To get the data, filter on `ChargeType` = `UnusedBenefit`.<br><br> Refer to `BenefitID` or `BenefitName` to know which savings plan was underutilized. It's how much of the savings plan was wasted for the day. |

-| Unused savings plan report | Request for an AmortizedCost report.<br><br> Once you've ingested all of the usage, filter for usage records with ChargeType = `UnusedBenefit` and `PricingModel` =`SavingsPlan`. |

-Get Amortized Cost data and filter for `ChargeType` = `UnusedBenefit` and `PricingModel` = `SavingsPlan`. You get the daily unused savings plan quantity and the cost. You can filter the data for a Savings Plan or Savings Plan order using `BenefitId` and `ProductOrderId` fields, respectively. If a Savings Plan was 100% utilized, the record has a quantity of 0.

-Keep in mind that if you have an underutilized savings plan, the `UnusedBenefit` entry for `ChargeType` becomes a factor to consider. When you have a fully utilized savings plan, you receive the maximum savings possible. Any `UnusedBenefit` quantity reduces savings.

-Group by **Charge Type** to see a breakdown of usage, purchases, and refunds; or by **Pricing Model** for a breakdown of savings plan and on-demand costs. You can also group by **Benefit** and use the **BenefitId** and **BenefitName** associated with your savings plan to identify the costs related to specific savings plan purchases. The only savings plan costs you'll see when looking at actual cost are purchases. Costs will be allocated to the individual resources that used the benefit when looking at amortized cost. You'll also see a new **UnusedBenefit** plan charge type when looking at amortized cost.

-There are a few countries that don't allow the use of debit cards, however in general, you can use them to pay your Azure bill. Virtual and prepaid debit cards can't be used to pay your Azure bill.

-1. Go to template **PII detection and masking**. Create a **New** connection to your source storage store or choose an existing connection. The source storage store is where you want to read files from.

-2. Create a **New** connection to your destination storage store or choose an existing connection.

- :::image type="content" source="media/solution-template-pii-detection-and-masking/pii-detection-and-masking-2.png" alt-text="Screenshot of template set up page to create a new connection or select an existing connection to Cognitive Services from a drop down menu.":::

-3. Select **Use this template**.

-4. You should see the following pipeline:

-5. Clicking into the dataflow activity will show the following dataflow:

-6. Turn on **Data flow debug**.

-7. Update **Parameters** in **Debug Settings** and **Save**.

-8. Preview the results in **Data Preview**.

-9. When data preview results are as expected, update the **Parameters**.

-10. Return to pipeline and select **Debug**. Review results and publish.

-To find out the countries and geographic regions where Azure Stack Edge models are available, see the product overview:

-In countries other than the USA and Canada, network cables (not provided with the equipment) shall not be installed with this equipment if their length is greater than 3 meters.

-This device may operate in all member states of the EU. Observe national/regional and local regulations where the device is used. This device is restricted to indoor use only when operating in the 5150-5350 MHz frequency range in the following countries:

-

- :::image type="content" source="./media/ddos-protection-quickstarts/ddos-protection-create-ip.png" alt-text="Screenshot of create standard IP address in Azure portal.":::

- :::image type="content" source="./media/ddos-protection-quickstarts/ddos-protection-view-status.png" alt-text="Screenshot showing view of Public IP Properties." lightbox="./media/ddos-protection-quickstarts/ddos-protection-view-status.png":::

- :::image type="content" source="./media/ddos-protection-quickstarts/ddos-protection-select-status.png" alt-text="Screenshot of selecting IP Protection in Public IP Properties.":::

- :::image type="content" source="./media/ddos-protection-quickstarts/ddos-protection-disable-status.png" alt-text="Screenshot of disabling IP Protection in Public IP Properties.":::

- :::image type="content" source="./media/ddos-protection-quickstarts/ddos-protection-protected-status.png" alt-text="Screenshot of status of IP Protection in Public IP Properties." lightbox="./media/ddos-protection-quickstarts/ddos-protection-protected-status.png":::

-Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines.

-

- > If you see a group name with the prefix "REVIEWGROUP", it contains machines with a partially consistent list of applications. Microsoft Defender for Cloud can't see a pattern but recommends reviewing this group to see whether _you_ can manually define some adaptive application controls rules as described in [Edit a group's adaptive application controls rule](#edit-a-groups-adaptive-application-controls-rule).

-1. Select a group.

-

-

- >

- 1. To apply the rule, select **Audit**.

-You might decide to edit the allowlist for a group of machines because of known changes in your organization.

-

- >

- > * Using a wildcard at the end of a path to allow all executables within this folder and sub-folders.

- > * Using a wildcard in the middle of a path to enable a known executable name with a changing folder name (for example, personal user folders containing a known executable, automatically generated folder names, etc).

-## Manage application controls via the REST API

-To manage your adaptive application controls programmatically, use our REST API.

-* **List** retrieves all your group recommendations and provides a JSON with an object for each group.

-* **Get** retrieves the JSON with the full recommendation data (that is, list of machines, publisher/path rules, and so on).

-* **Put** configures your rule (use the JSON you retrieved with **Get** as the body for this request).

-

-[Microsoft Defender for Servers](defender-for-servers-introduction.md) includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. For details of this scanner and instructions for how to deploy it, see [Defender for Cloud's integrated Qualys vulnerability assessment solution](deploy-vulnerability-assessment-vm.md).

-To ensure no alerts are generated when Defender for Cloud deploys the scanner, the adaptive application controls recommended allowlist includes the scanner for all machines.

-* [Understanding just-in-time (JIT) VM access](just-in-time-access-overview.md)

-* [Securing your Azure Kubernetes clusters](defender-for-kubernetes-introduction.md)

-1. Select the adaptive network hardening tile (1), or the insights panel item related to adaptive network hardening (2).

- > The insights panel shows the percentage of your VMs currently defended with adaptive network hardening.

- * **Unhealthy resources**: VMs that currently have recommendations and alerts that were triggered by running the adaptive network hardening algorithm.

- * **Healthy resources**: VMs without alerts and recommendations.

- * **Unscanned resources**: VMs that the adaptive network hardening algorithm cannot be run on because of one of the following reasons:

- * **VMs are Classic VMs**: Only Azure Resource Manager VMs are supported.

- * **Not enough data is available**: In order to generate accurate traffic hardening recommendations, Defender for Cloud requires at least 30 days of traffic data.

- * **VM is not protected by Microsoft Defender for Servers**: Only VMs protected with [Microsoft Defender for Servers](defender-for-servers-introduction.md) are eligible for this feature.

- - [Delete a rule](#delete-rule)

-3. Select the rules that you want to apply on the NSG, and select **Enforce**.

-3. To apply the updated rule, from the list, select the updated rule and select **Enforce**.

-3. To apply the new rule, from the list, select the new rule and select **Enforce**.

-Adaptive network hardening recommendations are only supported on the following specific ports (for both UDP and TCP):

-|Pricing:|Free<br>(Most security alerts are only available with [Defender plans](defender-for-cloud-introduction.md#protect-cloud-workloads))|

- - **Name** - A name for the rule. Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_).

-You can create, view, or delete alert suppression rules using the Defender for Cloud REST API.

- - To list all rules configured for a specified subscription. This method returns an array of the applicable rules.

- - To get the details of a specific rule on a specified subscription. This method returns one suppression rule.

- - To simulate the impact of a suppression rule still in the design phase. This call identifies which of your existing alerts would have been dismissed if the rule had been active.

-

-1. From Defender for Cloud's portal pages, open the **Recommendations** page.

-

-The Azure Monitor Agent requires Log analytics workspace solutions. These solutions are automatically installed when you auto-provision the Azure Monitor Agent with the default workspace.

- - Security posture management (CSPM) ΓÇô **SecurityCenterFree solution**

- - Defender for Servers Plan 2 ΓÇô **Security solution**

-| Supported use cases:| :::image type="icon" source="./media/icons/yes-icon.png"::: Vulnerability assessment (powered by Defender Vulnerability Management)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Software inventory (powered by Defender Vulnerability Management) |

- - `Microsoft.Compute/disks/read`

- - `Microsoft.Compute/disks/beginGetAccess/action`

- - `Microsoft.Compute/virtualMachines/instanceView/read`

- - `Microsoft.Compute/virtualMachines/read`

- - `Microsoft.Compute/virtualMachineScaleSets/instanceView/read`

- - `Microsoft.Compute/virtualMachineScaleSets/read`

- - `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read`

- - `Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read`

-

-

-

-

-The optional Defender CSPM plan, provides advanced posture management capabilities such as [Attack path analysis](how-to-manage-attack-path.md), [Cloud security explorer](how-to-manage-cloud-security-explorer.md), advanced threat hunting, [security governance capabilities](governance-rules.md), and also tools to assess your [security compliance](review-security-recommendations.md) with a wide range of benchmarks, regulatory standards, and any custom security policies required in your organization, industry, or region.

- Microsoft Defender CSPM protects across all your multicloud workloads, but billing only applies for Servers, Databases and Storage accounts at $15/billable resource/month. The underlying compute services for AKS are regarded as servers for billing purposes.

-> If you have enabled Defender for DevOps, you will only gain cloud security graph and attack path analysis to the artifacts that arrive through those connectors.

-# Quickstart: Configure email notifications for security alerts

-

- - The recommendations [System updates should be installed on your machines (powered by Update Center)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e1145ab1-eb4f-43d8-911b-36ddf771d13f) and [System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27) each has one 'sub' recommendation per outstanding system update.

- - The recommendation [Machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1195afff-c881-495e-9bc5-1486211ae03f) has a 'sub' recommendation for every vulnerability identified by the vulnerability scanner.

-## Set up a continuous export

- Here you see the export options. There's a tab for each available export target, either Event hub or Log Analytics workspace.

- You can also send the data to an [Event hubs or Log Analytics workspace in a different tenant](#export-data-to-an-azure-event-hub-or-log-analytics-workspace-in-another-tenant).

-You can also send the data to an [Event Hubs or Log Analytics workspace in a different tenant](#export-data-to-an-azure-event-hub-or-log-analytics-workspace-in-another-tenant).

-* **Greater volume** - You can create multiple export configurations on a single subscription with the API. The **Continuous Export** page in the Azure portal supports only one export configuration per subscription.

-* **Additional features** - The API offers parameters that aren't shown in the Azure portal. For example, you can add tags to your automation resource and define your export based on a wider set of alert and recommendation properties than the ones offered in the **Continuous Export** page in the Azure portal.

-* **More focused scope** - The API provides a more granular level for the scope of your export configurations. When defining an export with the API, you can do so at the resource group level. If you're using the **Continuous Export** page in the Azure portal, you have to define it at the subscription level.

-## Export data to an Azure Event hub or Log Analytics workspace in another tenant

-You can export data to an Azure Event hub or Log Analytics workspace in a different tenant, without using [Azure Lighthouse](../lighthouse/overview.md). When collecting data into a tenant, you can analyze the data from one central location.

-To export data to an Azure Event hub or Log Analytics workspace in a different tenant:

-1. In the tenant that has the Azure Event hub or Log Analytics workspace, [invite a user](../active-directory/external-identities/what-is-b2b.md#easily-invite-guest-users-from-the-azure-portal) from the tenant that hosts the continuous export configuration.

-1. Configure the continuous export configuration and select the Event hub or Analytics workspace to send the data to.

-## Continuously export to an Event Hub behind a firewall

-You can enable continuous export as a trusted service, so that you can send data to an Event Hub that has an Azure Firewall enabled.

-**To grant access to continuous export as a trusted service**:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Navigate to the selected Event Hub.

-

-1. Select **Access Control** > **Add role assignment**

-

-

-

-

-1. Select **+ Select members**.

-

-## View exported alerts and recommendations in Azure Monitor

- * For **Resource**, select the Log Analytics workspace to which you exported security alerts and recommendations.

- * For **Condition**, select **Custom log search**. In the page that appears, configure the query, lookback period, and frequency period. In the search query, you can type *SecurityAlert* or *SecurityRecommendation* to query the data types that Defender for Cloud continuously exports to as you enable the Continuous export to Log Analytics feature.

-

- * Optionally, configure the [Action Group](../azure-monitor/alerts/action-groups.md) that you'd like to trigger. Action groups can trigger email sending, ITSM tickets, WebHooks, and more.

-Workbooks provide a rich set of capabilities for visualizing your Azure data. For detailed examples of each visualization type, see the [visualizations examples and documentation](../azure-monitor/visualize/workbooks-text-visualizations.md).

-**Cloud availability**: :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds :::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)

->

-You can keep drilling down - right down to the recommendation level - to view the resources that have passed or failed each control.

-The MITRE ATT&CK tactics display by the order of the kill-chain, and the number of alerts the subscription has at each stage.

-By selecting Map View, you can also see all alerts based on their location.

-Select a location on the map to view all of the alerts for that location.

-> [!NOTE]

- - the VM instance in which your App Service is running, and its management interface

- - the requests and responses sent to and from your App Service apps

- - the underlying sandboxes and VMs

- - App Service internal logs - available thanks to the visibility that Azure has as a cloud provider

-For related material, see the following articles:

-You should also regularly monitor existing resources for configuration changes that could have created security risks, drift from recommended baselines, and security alerts.

-|Pricing:|**Microsoft Defender for container registries** is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/)|

-

- - **Kubernetes data plane recommendations** for AKS clusters are GA

- - **Kubernetes data plane recommendations** for EKS clusters are preview

- - **Microsoft Defender for Cloud's security alerts page** - Shows alerts for all resources protected by Defender for Cloud in the subscriptions you've got permissions to view.

- - The resource's **Microsoft Defender for Cloud** page - Shows alerts and recommendations for one specific resource, as shown above in [Enable enhanced security](#enable-enhanced-security).

-

-

- :::image type="content" source="media/defender-for-databases-usage/specific-alert-details.png" alt-text="Details of a specific alert." lightbox="media/defender-for-databases-usage/specific-alert-details.png":::

-Threat protection at the cluster level is provided by the analysis of the Kubernetes audit logs.

-|Pricing:|**Microsoft Defender for Kubernetes** is billed as shown on the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).|

-No. Subscriptions that have either Microsoft Defender for Kubernetes or Microsoft Defender for Containers Registries enabled doesn't need to be upgraded to the new Microsoft Defender for Containers plan. However, they won't benefit from the new and improved capabilities and theyΓÇÖll have an upgrade icon shown alongside them in the Azure portal.

-### Does the new plan reflect a price increase?

-The new comprehensive Container security plan combines Kubernetes protection and container registry image scanning, and removes the previous dependency on the (paid) Defender for Servers plan. The price for the service may change and is dependent on your container architecture and coverage. The cost may increase or decrease, depending on the number of images in your Container Registry, or the number of Kubernetes nodes among other reasons.

-> [!Note]

-> This article is about the new Defender for Storage plan that was launched on March 28, 2023.  It includes new features like Malware Scanning and Sensitive Data Threat Detection. This plan also provides a more predictable pricing structure for better control over coverage and costs. Additionally, all new Defender features will only be added to the new plan.  Migrating to the new plan is a simple process, read here about how to migrate from the classic plan.

-Microsoft Defender for Storage provides comprehensive security by analyzing the data plane and control plane telemetry generated by [Azure Blob Storage](https://azure.microsoft.com/services/storage/blobs/), [Azure Files](https://azure.microsoft.com/products/storage/files/), and [Azure Data Lake Storage](https://azure.microsoft.com/products/storage/data-lake-storage) services. It uses advanced threat detection capabilities powered by [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684), Microsoft Defender Antivirus, and [Sensitive Data Discovery](defender-for-storage-data-sensitivity.md) to help you discover and mitigate potential threats.

-With a simple agentless setup at scale, you can [enable Defender for Storage](../storage/common/azure-defender-storage-configure.md) at the subscription or resource levels through the portal or programmatically. When enabled at the subscription level, all existing and newly created storage accounts under that subscription will be automatically protected. You can also exclude specific storage accounts from protected subscriptions.

-### Activity monitoring

-Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time, leveraging Microsoft Defender Antivirus capabilities. It is designed to help fulfill security and compliance requirements to handle untrusted content. Every file type is scanned, and scan results are returned for every file. The Malware Scanning capability is an agentless SaaS solution that allows simple setup at scale, with zero maintenance, and supports automating response at scale.

-The ΓÇÿsensitive data threat detectionΓÇÖ capability enables security teams to efficiently prioritize and examine security alerts by considering the sensitivity of the data that could be at risk, leading to better detection and preventing data breaches.

-ΓÇÿSensitive data threat detectionΓÇÖ is powered by the ΓÇ£Sensitive Data DiscoveryΓÇ¥ engine, an agentless engine that uses a smart sampling method to find resources with sensitive data.

-This is a configurable feature in the new Defender for Storage plan. You can choose to enable or disable it with no additional cost.

-For more details, visit [Sensitive data threat detection](defender-for-storage-data-sensitivity.md).

-## Pricing and cost controls

-The new Microsoft Defender for Storage plan has predictable pricing based on the number of storage accounts you protect. With the option to enable at the subscription or resource level and exclude specific storage accounts from protected subscriptions, you have increased flexibility to manage your security coverage. The pricing plan simplifies the cost calculation process, allowing you to scale easily as your needs change. Additional charges may apply to storage accounts with high-volume transactions.

-### Malware Scanning - Billing per GB, monthly capping, and configuration

-Malware Scanning is charged on a per-gigabyte basis for scanned data. To ensure cost predictability, a monthly cap can be established for each storage account's scanned data volume, per-month basis. This cap can be set subscription-wide, affecting all storage accounts within the subscription, or applied to individual storage accounts. Under protected subscriptions, you can configure specific storage accounts with different limits.

-### Enablement at scale with granular controls

-If you want to switch back to the Defender for Storage (classic) plan, you need to do two things. First, disable the new Defender for Storage plan that is enabled now. Second, check if there are any policies that can re-enable the new plan and turn them off too. **The two Azure built-in policies enabling the new plan are Configure Microsoft Defender for Storage to be enabled** and **Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only).**

-| Scenario  | Description  | Requirements  |

-|: |: |: |

-| Malicious content upload  | [Malware Scanning](defender-for-storage-malware-scan.md) scans every blob uploaded to your storage accounts. It detects ransomware, viruses, spyware, and other malware uploaded to the storage account, helping you prevent it from entering the organization and spreading. The classic malware hash analysis alert operates differently from Malware Scanning. It compares the uploaded blob/file hash with a list of known malicious hash signatures rather than analyzing the file contents for malware.  | Malware Scanning needs to be enabled, free during preview.<br>Supported only on Azure Blob (Standard general-purpose v2, Azure Data Lake Storage Gen2 or premium block blobs) storage accounts. |

-| Sensitive data exposure event  | Detection of access level change allowing unauthenticated public access to blob containers with sensitive data from the internet  | [Sensitive Data Threat Detection](defender-for-storage-data-sensitivity.md) needs to be enabled, no additional charge<br>Supported only on Azure Blob Storage storage accounts.  |

-| Suspicious activities on resources with sensitive data  | Detection of suspicious activities occurring on blob containers containing sensitive data  | [Sensitive Data Threat Detection](defender-for-storage-data-sensitivity.md) needs to be enabled, no additional charge<br>Supported only on Azure Blob Storage storage accounts.  |

-| Compromised, misconfigured and unusual authentication tokens  | Detection of compromised SAS tokens used for data plane authentication and operations, and detection of unusual SAS tokens that can be generated by a malicious actor  | |

-| Data and permissions inspection  | Detection of unusual exploration of the data and inspection of access permissions  | |

-| Data exfiltration  | Detection of unusual extraction of data from storage accounts  | |

-| Data deletion  | Detection of unusual deletions in storage accounts  | |

-| Blob-hunting attempts  | Detection of collection attempts by scanning and enumerating resources for publicly exposed storage resources.<br>Read more on [how to detect, investigate and prevent blob-hunting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/protect-your-storage-resources-against-blob-hunting/ba-p/3735238).  | |

-| Unusual access patterns  | Detection of unusual access to storage accounts from unusual locations, applications, and with unusual authentication  | |

-| Suspicious access signatures  | Detection of known suspicious IP addresses by Microsoft Threat Intelligence, known Tor exit nodes, and known suspicious applications  | |

-| Phishing campaigns  | Detection of phishing content hosted on storage accounts and identified as part of a phishing attack impacting Microsoft 365 users  | |

- * **Healthy resources** ΓÇô Defender for Cloud has detected a vulnerability assessment solution running on these VMs.

- * **Unhealthy resources** ΓÇô A vulnerability scanner extension can be deployed to these VMs.

- * **Not applicable resources** ΓÇô these VMs can't have a vulnerability scanner extension deployed.

- > [!IMPORTANT]

- > Depending on your configuration, you might only see a subset of this list.

-> [!IMPORTANT]

-There are multiple Qualys platforms across various geographic locations. The SOC CIDR and URLs differ depending on the host platform of your Qualys subscription. To identify your Qualys host platform, use this page https://www.qualys.com/platform-identification/.

-## Availability

-Defender for Cloud includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. This page provides details of this scanner and instructions for how to deploy it.

-1. **Analyze** - Qualys' cloud service conducts the vulnerability assessment and sends its findings to Defender for Cloud.

- - **Unhealthy resources** ΓÇô A vulnerability scanner extension can be deployed to these machines.

- > Depending on your configuration, this list might appear differently.

- :::image type="content" source="./media/deploy-vulnerability-assessment-vm/recommendation-remediation-options-builtin.png" alt-text="The options for which type of remediation flow you want to choose when responding to the recommendation ** Machines should have a vulnerability assessment solution** recommendation page":::

-

-You can trigger an on-demand scan from the machine itself, using locally or remotely executed scripts or Group Policy Object (GPO). Alternatively, you can integrate it into your software distribution tools at the end of a patch deployment job.

-No. The built-in scanner is free to all Microsoft Defender for Servers users. The recommendation deploys the scanner with its licensing and configuration information. No additional licenses are required.

-### Can I remove the Defender for Cloud Qualys extension?

-If you want to remove the extension from a machine, you can do it manually or with any of your programmatic tools.

-* On Linux, the extension is called "LinuxAgent.AzureSecurityCenter" and the publisher name is "Qualys".

-* On Windows, the extension is called "WindowsAgent.AzureSecurityCenter" and the provider name is "Qualys".

-# Exempting resources and recommendations from your secure score

-| Aspect | Details |

-||:--|

-| Release state: | Preview<br>[!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)] |

-| Pricing: | This is a premium Azure Policy capability that's offered at no more cost for customers with Microsoft Defender for Cloud's enhanced security features enabled. For other users, charges might apply in the future. |

-| Required roles and permissions: | **Owner** or **Resource Policy Contributor** to create an exemption<br>To create a rule, you need permissions to edit policies in Azure Policy.<br>Learn more in [Azure RBAC permissions in Azure Policy](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy). |

-| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Azure China 21Vianet) |

- - If you're creating this rule to exempt one or more resources from the recommendation, choose "Selected resources"" and select the relevant ones from the list

- - **Resolved through 3rd party (mitigated)** ΓÇô if you're using a third-party service that Defender for Cloud hasn't identified.

-

-As explained earlier on this page, exemption rules are a powerful tool providing granular control over the recommendations affecting resources in your subscriptions and management groups.

- ['TenantID'] = tenantId,

- ['SubscriptionID'] = subscriptionId,

- ['AssessmentID'] = name,

- ['DisplayName'] = properties.displayName,

- ['ResourceType'] = tolower(split(properties.resourceDetails.Id,"/").[7]),

- ['ResourceName'] = tolower(split(properties.resourceDetails.Id,"/").[8]),

- ['ResourceGroup'] = resourceGroup,

- ['ContainsNestedRecom'] = tostring(properties.additionalData.subAssessmentsLink),

- ['StatusCode'] = properties.status.code,

- ['StatusDescription'] = properties.status.description,

- ['PolicyDefID'] = properties.metadata.policyDefinitionId,

- ['Description'] = properties.metadata.description,

- ['RecomType'] = properties.metadata.assessmentType,

- ['Remediation'] = properties.metadata.remediationDescription,

- ['Severity'] = properties.metadata.severity,

- ['Link'] = properties.links.azurePortal

- | where StatusDescription contains "Exempt"

-Sometimes, a security recommendation appears in more than one policy initiative. If you've got multiple instances of the same recommendation assigned to the same subscription, and you create an exemption for the recommendation, it will affect all of the initiatives that you have permission to edit.

-Before you set up the Azure services for exporting alerts, make sure you have:

- | LogRhythm | No| Instructions to set up LogRhythm to collect logs from an event hub are available [here](https://logrhythm.com/six-tips-for-securing-your-azure-cloud-environment/).

-As an alternative to Microsoft Sentinel and Azure Monitor, you can use Defender for Cloud's built-in integration with [Microsoft Graph Security API](https://www.microsoft.com/security/business/graph-security-api). No configuration is required and there are no additional costs.

-Defender for Cloud provides unified security management and threat protection across your hybrid and multicloud workloads. While the free features offer limited security for your Azure resources only, enabling enhanced security features extends these capabilities to on-premises and other clouds. Defender for Cloud helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack. You can try the enhanced security features at no cost. To learn more, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

-> * Defender for Cloud enabled on your Azure subscriptions

-> * [Enhanced security features](enhanced-security-features-overview.md) enabled on your Azure subscriptions

-> * Automatic data collection set up

-> * [Email notifications set up](configure-email-notifications.md) for security alerts

-> * Your hybrid and multicloud machines connected to Azure

-1. From the portal's menu, select **Defender for Cloud**.

- Defender for Cloud automatically, at no cost, enables any of your Azure subscriptions not previously onboarded by you or another subscription user.

-You can view and filter the list of subscriptions by selecting the **Subscriptions** menu item. Defender for Cloud will adjust the display to reflect the security posture of the selected subscriptions.

-| Prerequisite: | Requires the [Defender Cloud Security Posture Management (CSPM) plan](concept-cloud-security-posture-management.md) to be enabled.|

-> - Existing assignments remain as is and continue to work with no customization option or ability to create new ones.

-> - Existing rules will remain as is but wonΓÇÖt trigger new assignments creation.

-> - View and manage all governance rules effective in the organization using a single page.

-> - Create and apply rules on multiple scopes at once using management scopes cross cloud.

-> - Check effective rules on selected scope using the scope filter.

-Conflicting rules are applied in priority order. For example, rules on a management scope (Azure management groups, AWS accounts and GCP organizations), take effect before rules on scopes (for example, Azure subscriptions, AWS accounts, or GCP projects).

-> * Purview Catalog provides data context **only** for resources in subscriptions not onboarded to sensitive data discovery feature or resource types not supported by this feature.

-> * Data context provided by Purview Catalog is provided as is and does **not** consider the [data sensitivity settings](data-sensitivity-settings.md).

->

-Security teams regularly face the challenge of how to triage incoming issues.

-### Resource health

-When you select a single resource - whether from an alert, recommendation, or the inventory page - you reach a detailed health page showing a resource-centric view with the important security information related to that resource.

-Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, Virtual Machine Scale Sets, IaaS containers, and non-Azure computers.

-* [Log Analytics agent for Windows supported operating systems](../azure-monitor/agents/agents-overview.md#supported-operating-systems)

-* [Log Analytics agent for Linux supported operating systems](../azure-monitor/agents/agents-overview.md#supported-operating-systems)

- - When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud doesn't override existing connections to user workspaces. Defender for Cloud will store security data from the VM in the workspace already connected, if the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.

- - To see to which workspace the existing extension is sending data to, run the test to [Validate connectivity with Microsoft Defender for Cloud](/archive/blogs/yuridiogenes/validating-connectivity-with-azure-security-center). Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.

- - If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of [operating systems supported by Microsoft Defender for Cloud](security-center-os-coverage.md) to make sure your operating system is supported.

- - [**Cloud Security Posture Management (CSPM)**](overview-page.md) assesses your AWS resources according to AWS-specific security recommendations and reflects your security posture in your secure score. The [asset inventory](asset-inventory.md) gives you one place to see all of your protected AWS resources. The [regulatory compliance dashboard](regulatory-compliance-dashboard.md) shows your compliance with built-in standards specific to AWS, including AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices.

- - [**Microsoft Defender for Servers**](defender-for-servers-introduction.md) brings threat detection and advanced defenses to [supported Windows and Linux EC2 instances](supported-machines-endpoint-solutions-clouds-servers.md?tabs=tab/features-multicloud).

- - [**Microsoft Defender for Containers**](defender-for-containers-introduction.md) brings threat detection and advanced defenses to [supported Amazon EKS clusters](supported-machines-endpoint-solutions-clouds-containers.md).

- - [**Microsoft Defender for SQL**](defender-for-sql-introduction.md) brings threat detection and advanced defenses to your SQL Servers running on AWS EC2, AWS RDS Custom for SQL Server.

-You can learn more by watching this video from the Defender for Cloud in the Field video series:

- - At least one Amazon EKS cluster with permission to access to the EKS K8s API server. If you need to create a new EKS cluster, follow the instructions in [Getting started with Amazon EKS ΓÇô eksctl](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html).

- - The resource capacity to create a new SQS queue, Kinesis Fire Hose delivery stream, and S3 bucket in the cluster's region.

- - Microsoft Defender for SQL enabled on your subscription. Learn how to [enable protection on all of your databases](quickstart-enable-database-protections.md).

- - (Recommended) Use the auto provisioning process to install Azure Arc on all of your existing and future EC2 instances.

- Auto provisioning is managed by AWS Systems Manager (SSM) using the SSM agent. Some Amazon Machine Images (AMIs) already have the SSM agent pre-installed. If you already have the SSM agent pre-installed, the AMIs are listed in [AMIs with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html#ami-preinstalled-agent). If your EC2 instances don't have the SSM Agent, you'll need to install it using either of the following relevant instructions from Amazon:

- Ensure that your SSM agent has the managed policy ["AmazonSSMManagedInstanceCore"] (https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) that enables AWS Systems Manager service core functionality.

-

- - Microsoft Defender for Endpoint

- - VA solution (TVM/Qualys)

- - Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA)

- Make sure the selected LA workspace has security solution installed. The LA agent and AMA are currently configured in the subscription level. All of your AWS accounts and GCP projects under the same subscription will inherit the subscription settings for the LA agent and AMA.

-

-

- - Microsoft Defender for Servers enabled on your subscription. Learn how to enable plans in [Enable enhanced security features](enable-enhanced-security.md).

-

-

- - Azure Arc for servers installed on your EC2 instances.

- - (Recommended) Use the auto provisioning process to install Azure Arc on all of your existing and future EC2 instances.

-

- Auto provisioning is managed by AWS Systems Manager (SSM) using the SSM agent. Some Amazon Machine Images (AMIs) already have the SSM agent pre-installed. If that is the case, their AMIs are listed in [AMIs with SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-technical-details.html#ami-preinstalled-agent). If your EC2 instances don't have the SSM Agent, you'll need to install it using either of the following relevant instructions from Amazon:

- Ensure that your SSM agent has the managed policy ["AmazonSSMManagedInstanceCore"] (https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html) that enables AWS Systems Manager service core functionality.

-

-

-

- - Microsoft Defender for Endpoint

- - VA solution (TVM/Qualys)

- - Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA)

- Make sure the selected LA workspace has security solution installed. The LA agent and AMA are currently configured in the subscription level. All of your AWS accounts and GCP projects under the same subscription will inherit the subscription settings for the LA agent and AMA.

-

- - (Optional) Select **Configure**, to edit the configuration as required. We recommend you leave it set to the default configuration.

-1. Microsoft Defender for Cloud CSPM service acquires an Azure AD token with a validity life time of 1 hour that is signed by the Azure AD using the RS256 algorithm.

- 1. The Microsoft Defender for Cloud CSPM role is assumed only after the validation conditions defined at the trust relationship have been met. The conditions defined for the role level are used for validation within AWS and allows only the Microsoft Defender for Cloud CSPM application (validated audience) access to the specific role (and not any other Microsoft token).

-## CloudFormation deployment source

-As part of connecting an AWS account to Microsoft Defender for Cloud, a CloudFormation template should be deployed to the AWS account. This CloudFormation template creates all of the required resources necessary for Microsoft Defender for Cloud to connect to the AWS account.

-The CloudFormation template should be deployed using Stack (or StackSet if you have a management account).

-When deploying the CloudFormation template, the Stack creation wizard offers the following options:

-1. **Amazon S3 URL** ΓÇô upload the downloaded CloudFormation template to your own S3 bucket with your own security configurations. Enter the URL to the S3 bucket in the AWS deployment wizard.

-1. **Upload a template file** ΓÇô AWS will automatically create an S3 bucket that the CloudFormation template will be saved to. The automation for the S3 bucket will have a security misconfiguration that will cause the `S3 buckets should require requests to use Secure Socket Layer` recommendation to appear. You can remediate this recommendation by applying the following policy:

- ```

-1. Sign in to the [Azure portal](https://portal.azure.com).

-### Step 1. Set up AWS Security Hub:

- The Tags sections will list all Azure Tags that will be automatically created for each onboarded EC2 with its own relevant details to easily recognize it in Azure.

- - [**Cloud Security Posture Management (CSPM)**](overview-page.md) assesses your GCP resources according to GCP-specific security recommendations and reflects your security posture in your secure score. The resources are shown in Defender for Cloud's [asset inventory](asset-inventory.md) and are assessed for compliance with built-in standards specific to GCP.

- - [**Microsoft Defender for Servers**](defender-for-servers-introduction.md) brings threat detection and advanced defenses to [supported Windows and Linux VM instances](supported-machines-endpoint-solutions-clouds-servers.md?tabs=tab/features-multicloud). This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.

- - [**Microsoft Defender for Containers**](defender-for-containers-introduction.md) brings threat detection and advanced defenses to [supported Google GKE clusters](supported-machines-endpoint-solutions-clouds-containers.md). This plan includes Kubernetes threat protection, behavioral analytics, Kubernetes best practices, admission control recommendations, and more.

- - [**Microsoft Defender for SQL**](defender-for-sql-introduction.md) brings threat detection and advanced defenses to your SQL Servers running on GCP compute engine instances, including the advanced threat protection and vulnerability assessment scanning.

-|Required roles and permissions:| **Contributor** on the relevant Azure Subscription <br> **Owner** on the GCP organization or project|

-Follow the steps below to create your GCP cloud connector.

-1. Sign in to the [Azure portal](https://portal.azure.com).

- > [!NOTE]

- - **(Recommended) Auto-provisioning** - Auto-provisioning is enabled by default in the onboarding process and requires owner permissions on the subscription. Arc auto-provisioning process is using the OS config agent on GCP end. Learn more about the [OS config agent availability on GCP machines](https://cloud.google.com/compute/docs/images/os-details#vm-manager).

-

- > <br><br> Microsoft Defender for Servers does not install the OS config agent to a VM that does not have it installed. However, Microsoft Defender for Servers will enable communication between the OS config agent and the OS config service if the agent is already installed but not communicating with the service.

- > <br><br> This can change the OS config agent from `inactive` to `active` and will lead to additional costs.

- - Microsoft Defender for Endpoint

- - VA solution (Microsoft Defender Vulnerability Management/ Qualys)

- - Log Analytics (LA) agent on Arc machines or Azure Monitor agent (AMA). Ensure the selected workspace has security solution installed.

-

- The LA agent and AMA are currently configured in the subscription level, such that all the multicloud accounts and projects (from both AWS and GCP) under the same subscription will inherit the subscription settings regarding the LA agent and AMA.

- Learn more about [monitoring components](monitoring-components.md) for Defender for Cloud.

- > If Azure Arc is toggled **Off**, you will need to follow the manual installation process mentioned above.

-1. Select **Save**.

-1. Continue from step number 8 of the [Connect your GCP projects](#connect-your-gcp-projects) instructions.

- - **(Recommended) Auto-provisioning** - Auto-provisioning is enabled by default in the onboarding process and requires owner permissions on the subscription. Arc auto-provisioning process is using the OS config agent on GCP end. Learn more about the [OS config agent availability on GCP machines](https://cloud.google.com/compute/docs/images/os-details#vm-manager).

- > <br><br> Microsoft Defender for Servers does not install the OS config agent to a VM that does not have it installed. However, Microsoft Defender for Servers will enable communication between the OS config agent and the OS config service if the agent is already installed but not communicating with the service.

- > <br><br> This can change the OS config agent from `inactive` to `active` and will lead to additional costs.

- - SQL servers on machines. Ensure the plan is enabled on your subscription.

- - Log Analytics (LA) agent on Arc machines. Ensure the selected workspace has security solution installed.

- The LA agent and SQL servers on machines plan are currently configured in the subscription level, such that all the multicloud accounts and projects (from both AWS and GCP) under the same subscription will inherit the subscription settings and may result in extra charges.

- Learn more about [monitoring components](monitoring-components.md) for Defender for Cloud.

-1. Select **Save**.

-1. Continue from step number 8 of the [Connect your GCP projects](#connect-your-gcp-projects) instructions.

- - **(Recommended)** Enable the Defender for Container auto-provisioning at the project level as explained in the instructions below.

- - Defender for Cloud recommendations, for per cluster installation, which will appear on the Microsoft Defender for Cloud's Recommendations page. Learn how to [deploy the solution to specific clusters](defender-for-containers-enable.md?tabs=defender-for-container-gke#deploy-the-solution-to-specific-clusters).

- - Manual installation for [Arc-enabled Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md) and [extensions](../azure-arc/kubernetes/extensions.md).

-1. Continue from step number 8 of the [Connect your GCP projects](#connect-your-gcp-projects) instructions.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-Follow the steps below to create your GCP cloud connector.

-1. In the **GCP Console**, select a project from the organization in which you're creating the required service account.

- > When this service account is added at the organization level, it'll be used to access the data gathered by Security Command Center from all of the other enabled projects in the organization.

- 1. Select **Next**

-| Release state: | Preview <br> The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |

-| Required permissions: | **- Azure account:** with permissions to sign into Azure portal <br> **- Contributor:** on the Azure subscription where the connector will be created <br> **- Security Admin Role:** in Defender for Cloud <br> **- Organization Administrator:** in GitHub |

-| Clouds: | :::image type="icon" source="media/quickstart-onboard-github/check-yes.png" border="false"::: Commercial clouds <br> :::image type="icon" source="media/quickstart-onboard-github/x-no.png" border="false"::: National (Azure Government, Azure China 21Vianet) |

-|--|--| -- | -- | -- | -- | --|

-|--|--| -- | -- | -- | -- | --|

-|--|--| -- | -- | -- | -- | --|

-

-Microsoft Defender for Cloud continuously analyzes your hybrid cloud workloads using advanced analytics and threat intelligence to alert you about potentially malicious activities in your cloud resources. You can also integrate alerts from other security products and services into Defender for Cloud. Once an alert is raised, swift action is needed to investigate and remediate the potential security issue.

-> * Triage security alerts

-> * Investigate a security alert to determine the root cause

-> * Respond to a security alert and mitigate that root cause

-To step through the features covered in this tutorial, you must have Defender for Cloud's enhanced security features enabled. To learn more about Defender for Cloud's pricing, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

-The quickstart, [Get started with Defender for Cloud](get-started.md) walks you through the upgrade process.

-Defender for Cloud provides a unified view of all security alerts. Security alerts are ranked based on the severity of the detected activity.

-1. Open the **Take action** tab to see the recommended responses.

-1. Review the **Mitigate the threat** section for the manual investigation steps necessary to mitigate the issue.

-1. To harden your resources and prevent future attacks of this kind, remediate the security recommendations in the **Prevent future attacks** section.

-1. To trigger a logic app with automated response steps, use the **Trigger automated response** section.

-1. If the detected activity *isnΓÇÖt* malicious, you can suppress future alerts of this kind using the **Suppress similar alerts** section.

-1. When you've completed the investigation into the alert and responded in the appropriate way, change the status to **Dismissed**.

-1. We encourage you to provide feedback about the alert to Microsoft:

-Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue to work with subsequent quickstarts and tutorials, keep automatic provisioning and Defender for Cloud's enhanced security features enabled.

- > After you disable enhanced security features - whether you disable a single plan or all plans at once - data collection may continue for a short period of time.

-See the [full index of Azure Policy built-in policy definitions for Key Vault](https://learn.microsoft.com/azure/key-vault/policy-reference).

-> [!NOTE]

-> Your Azure subscription and the associated Log Analytics workspace both need to have Microsoft Defender for Cloud's enhanced security features enabled in order to enable the Windows Admin Center integration.

-> Enhanced security features are free for the first 30 days if you haven't previously used it on the subscription and workspace. For pricing details in your local currency or region, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

->

- * An Azure Gateway is registered.

- * The server has a workspace to report to and an associated subscription.

- * Defender for Cloud's Log Analytics solution is enabled on the workspace. This solution provides Microsoft Defender for Cloud's features for *all* servers and virtual machines reporting to this workspace.

- * Microsoft Defender for Servers is enabled on the subscription.

- * The Log Analytics agent is installed on the server and configured to report to the selected workspace. If the server already reports to another workspace, it's configured to report to the newly selected workspace as well.

-* To view security recommendations for all your Windows Admin Center servers, open [asset inventory](asset-inventory.md) and filter to the machine type that you want to investigate. select the **VMs and Computers** tab.

-* To view security alerts for all your Windows Admin Center servers, open **Security alerts**. Select **Filter** and ensure **only** "Non-Azure" is selected:

-## Create a logic app and define when it should automatically run

- 1. The consumption logic app that will run when your trigger conditions are met.

-

- > If you are using the legacy trigger "When a response to a Microsoft Defender for Cloud alert is triggered", your logic apps will not be launched by the Workflow Automation feature. Instead, use either of the triggers mentioned above.

- > 2. From the Azure Policy menu, select **Definitions** and search for them by name.

- 1. In the **Basics** tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use the workflow automation configuration.

- 1. In the Parameters tab, enter the required information.

- 1. For **Serialization type**, pick **Avro** serialization format that applies to all schemas in the schema group.

-

- > [!NOTE]

- > Currently, Schema Registry doesn't support **JSON** serialization.

- // Replace <EVENT HUB NAME> with the name of your event hug.

-<br>Defender EASM data connections offers users the ability to integrate two different kinds of attack surface data into the tool of their choice. Users can elect to migrate asset data, attack surface insights or both data types. Asset data provides granular details about your entire inventory, whereas attack surface insights provide immediately actionable insights based on Defender EASM dashboards.

-2. Select **Access control (IAM)** from the left-hand navigation pane. For more information on access control, see [identity documentation](/azure/cloud-adoption-framework/decision-guides/identity/).

- 

-3. On this page, select **+Add** to create a new role assignment.

-4. From the **Role** tab, select **Contributor**. Click **Next**.

-5. Open the **Members** tab. Click **+ Select members** to open a configuration pane. Search for **ΓÇ£EASM APIΓÇ¥** and click on the value in the members list. Once done, click **Select**, then **Review + assign.**

-6. Once the role assignment has been created, select **Agents** from the **Settings** section of the left-hand navigation menu.

- 

-7. Expand the **Log Analytics agent instructions** section to view your Workspace ID and Primary key. These values will be used to set up your data connection. Save the values in the following format: *WorkspaceId=XXX;ApiKey=YYY*

-5. Open the Data Explorer cluster that will ingest your Defender EASM data or [create a new cluster](/azure/data-explorer/create-cluster-database-portal).

-6. Select **Databases** in the Data section of the left-hand navigation menu.

-7. Select **+ Add Database** to create a database to house your Defender EASM data.

-1. Name your database, configure retention and cache periods, then select **Create**.

-1. Once your Defender EASM database has been created, click on the database name to open the details page. Select **Permissions** from the Overview section of the left-hand navigation menu.

-1. First, select **+ Add** and create a user. Search for ΓÇ£**EASM API**ΓÇ¥, select the value then click **Select**.

-1. Select **+ Add** to create an ingestor. Follow the same steps outlined above to add the **"EASM API"** as an ingestor.

-8. Your database is now ready to connect to Defender EASM. You will need the cluster name, database name and region in the following format when configuring your Data Connection: *ClusterName=XXX;Region=YYY;DatabaseName=ZZZ*

-A configuration pane will open on the right-hand side of the Data Connections screen. The following four fields are required:

- 

- Once all four fields are configured, select **Add** to create the data connection. At this point, the Data Connections page will display a banner that indicates the resource has been successfully created and data will begin populating within 30 minutes. Once connections are created, they will be listed under the applicable tool on the main Data Connections page.

-|Severity |Each signature has an associated severity level and assigned priority that indicates the probability that the signature is an actual attack.<br>- **Low (priority 1)**: An abnormal event is one that doesn't normally occur on a network or Informational events are logged. Probability of attack is low.<br>- **Medium (priority 2)**: The signature indicates an attack of a suspicious nature. The administrator should investigate further.<br>- **High (priority 3)**: The attack signatures indicate that an attack of a severe nature is being launched. There's little probability that the packets have a legitimate purpose.|

-|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |

-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |

-|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |

-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |

-|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |

-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |

-|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |

-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |

-|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |

-|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |

-|[Azure Web Application Firewall should be enabled for Azure Front Door entry-points](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |