+1. Change the value of:

+

+ 1. `PolicyId` to `B2C_1A_signup_signin_saml`

+

+ 1. `PublicPolicyUri` to `http://<tenant-name>.onmicrosoft.com/B2C_1A_signup_signin_saml`. Replace `<tenant-name>` placeholder with the subdomain of your Azure AD B2C tenant's domain name. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn [how to read your tenant details](tenant-management-read-tenant-name.md#get-your-tenant-name).

+ TenantId="<tenant-name>.onmicrosoft.com"

+Replace the entire `<TechnicalProfile>` element in the `<RelyingParty>` element with the following technical profile XML.

+| Handler | No | When the protocol name is set to `Proprietary`, specifies the name of the assembly that's used by Azure AD B2C to determine the protocol handler. If you set the protocol *Name* attribute to `None`, do not include the *Handler* attribute.|

+ ssh -l contosoadmin@AADDSCONTOSO.com rhel.aaddscontoso.com

+ pwd

+ id

+>The Microsoft managed value for Authenticator Lite will move from disabled to enabled on June 26th, 2023. All tenants left in the default state **Microsoft managed** will be enabled for the feature on June 26th.

+| [Registration campaign](how-to-mfa-registration-campaign.md) | Beginning in July, 2023, enabled for SMS and voice call users with free and trial subscriptions. |

+As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using SMS and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication.

+In addition to choosing who can be nudged, you can define how many days a user can postpone, or "snooze", the nudge. If a user taps **Not now** to postpone the app setup, they'll be nudged again on the next MFA attempt after the snooze duration has elapsed. Users with free and trial subscriptions can postpone the app setup up to three times.

+1. If a user wishes to not install the Authenticator app, they can tap **Not now** to snooze the prompt for up to 14 days, which can be set by an admin. Users with free and trial subscriptions can snooze the prompt up to three times.

+1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either enabled or disabled. For the registration campaign, the Microsoft managed value is Enabled for voice call and SMS users with free and trial subscriptions. For more information, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md).

+1. Select any users or groups to exclude from the registration campaign, and then click **Save**.

+Dsregcmd /status

+> [!NOTE]

+> Users will only be able to register Microsoft Authenticator via combined registration if the Microsoft Authenticator authentication mode is to Any or Push.

+#### Enable phone sign-in

+To simplify and secure sign-in to applications and services, Azure Active Directory (Azure AD) provides multiple authentication options. SMS-based authentication lets users sign-in without providing, or even knowing, their user name and password. After their account is created by an identity administrator, they can enter their phone number at the sign-in prompt. They receive an SMS authentication code that they can provide to complete the sign-in. This authentication method simplifies access to applications and services, especially for Frontline workers.

+* Each user that's enabled in the SMS authentication method policy must be licensed, even if they don't use it. Each enabled user must have one of the following Azure AD, EMS, Microsoft 365 licenses:

+1. From the list of available authentication methods, select **SMS**.

+ 

+1. Click **Enable** and select **Target users**. You can choose to enable SMS-based authentication for *All users* or *Select users* and groups.

+ 

+1. In the SMS authentication policy window, set **Target** to *Select users*.

+Each user that's enabled in SMS authentication method policy must be licensed, even if they don't use it. Make sure you have the appropriate licenses for the users you enable in the authentication method policy, especially when you enable the feature for large groups of users.

+1. An SMS message is sent to the phone number provided. To complete the sign-in process, enter the 6-digit code provided in the SMS message at the sign-in prompt.

+ 

+1. Confirm that the user account is enabled in the **SMS** authentication method policy.

+> [!IMPORTANT]

+> The following changes have been made to Token Protection since the initial public preview release:

+> * **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change.

+ - The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in an August release.

+> [!NOTE]

+> **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change.

+| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]'

+| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow')

+| where ConditionalAccessPolicies.enforcedSessionControls contains '["SignInTokenProtection"]'

+| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow')

+Microsoft is providing Conditional Access templates to organizations in report-only mode starting in January of 2023. We may add more policies as new threats emerge.

+The modern security perimeter extends beyond an organization's network perimeter to include user and device identity. Organizations now use identity-driven signals as part of their access control decisions.

+Azure AD Conditional Access brings signals together, to make decisions, and enforce organizational policies. Conditional Access is Microsoft's [Zero Trust policy engine](/security/zero-trust/deploy/identity) taking signals from various sources into account when enforcing policy decisions.

+Conditional Access takes signals from various sources into account when making access decisions.

+These signals include:

+ - Signals integration with [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) allows Conditional Access policies to identify and remediate risky users and sign-in behavior.

+ - Enables user application access and sessions to be monitored and controlled in real time. This integration increases visibility and control over access to and activities done within your cloud environment.

+ - Less restrictive decision, can require one or more of the following options:

+ - Require authentication strength

+ - Require app protection policy

+ - Require password change

+ - Require terms of use

+Administrators can create policies from scratch or start from a template policy in the portal or using the Microsoft Graph API.

+## Administrator experience

+Administrators with the [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) role can manage policies in Azure AD.

+Conditional Access is found in the Azure portal under **Azure Active Directory** > **Security** > **Conditional Access**.

+- The **Overview** page provides a summary of policy state, users, devices, and applications as well as general and security alerts with suggestions.

+- The **Coverage** page provides a synopsis of applications with and without Conditional Access policy coverage over the last seven days.

+- The **Monitoring** page allows administrators to see a graph of sign-ins that can be filtered to see potential gaps in policy coverage.

+When licenses required for Conditional Access expire, policies aren't automatically disabled or deleted. This grants customers the ability to migrate away from Conditional Access policies without a sudden change in their security posture. Remaining policies can be viewed and deleted, but no longer updated.

+You can specify the lifetime of an access, ID, or SAML token issued by the Microsoft identity platform. You can set token lifetimes for all apps in your organization or for a multi-tenant (multi-organization) application. We currently don't support configuring the token lifetimes for [managed identity service principals](../managed-identities-azure-resources/overview.md).

+|Single-Factor Session Token Max Age |MaxAgeSessionSingleFactor |Session tokens (persistent and non-persistent) |Until-revoked |

+|Multi-Factor Session Token Max Age |MaxAgeSessionMultiFactor |Session tokens (persistent and non-persistent) |Until-revoked |

+### Service principal policies

+You can use the following Microsoft Graph REST API commands for service principal policies.</br></br>

+| Command | Description |

+| | |

+| [Assign tokenLifetimePolicy](/graph/api/application-post-tokenlifetimepolicies) | Specify the service principal object ID to link the specified policy to a service principal. |

+| [List assigned tokenLifetimePolicy](/graph/api/application-list-tokenlifetimepolicies) | Specify the service principal object ID to get the policies that are assigned to a service principal. |

+| [Remove tokenLifetimePolicy](/graph/api/application-delete-tokenlifetimepolicies) | Specify the service principal object ID to remove a policy from the service principal. |

+You can use the following commands to manage policies.

+| Cmdlet | Description |

+| Cmdlet | Description |

+In the following steps, you'll implement a common policy scenario that imposes new rules for token lifetime. It's possible to specify the lifetime of an access, SAML, or ID token issued by the Microsoft identity platform. This can be set for all apps in your organization or for a specific app or service principal. They can also be set for multi-organizations (multi-tenant application).

+## Create a policy and assign it to an app

+In the following steps, you'll create a policy that requires users to authenticate less frequently in your web app. Assign the policy to an app, which sets the lifetime of the access/ID tokens for your web app.

+## Create a policy and assign it to a service principal

+In the following steps, you'll create a policy that requires users to authenticate less frequently in your web app. Assign the policy to service principal, which sets the lifetime of the access/ID tokens for your web app.

+Create a token lifetime policy.

+```http

+POST https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies

+Content-Type: application/json

+{

+ "definition": [

+ "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}"

+ ],

+ "displayName": "Contoso token lifetime policy",

+ "isOrganizationDefault": false

+}

+```

+Assign the policy to a service principal.

+```http

+POST https://graph.microsoft.com/v1.0/servicePrincipals/11111111-1111-1111-1111-111111111111/tokenLifetimePolicies/$ref

+Content-Type: application/json

+{

+ "@odata.id":"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/22222222-2222-2222-2222-222222222222"

+}

+```

+List the policies on the service principal.

+```http

+GET https://graph.microsoft.com/v1.0/servicePrincipals/11111111-1111-1111-1111-111111111111/tokenLifetimePolicies

+```

+Remove the policy from the service principal.

+```http

+DELETE https://graph.microsoft.com/v1.0/servicePrincipals/11111111-1111-1111-1111-111111111111/tokenLifetimePolicies/22222222-2222-2222-2222-222222222222/$ref

+```

+ Title: Azure AD B2C and MSAL.NET

+description: Considerations when using Azure AD B2C with the Microsoft Authentication Library for .NET (MSAL.NET).

+# Customer intent: As an application developer, I want to learn about specific considerations when using Azure AD B2C and MSAL.NET so I can decide if this platform meets my application development needs and requirements.

+# Use MSAL.NET to sign in users with social identities

+You can use MSAL.NET to sign in users with social identities by using [Azure Active Directory B2C (Azure AD B2C)](../../active-directory-b2c/overview.md). Azure AD B2C is built around the notion of policies. In MSAL.NET, specifying a policy translates to providing an authority.

+- When you instantiate the public client application, specify the policy as part of the authority.

+- When you want to apply a policy, call an override of `AcquireTokenInteractive` that accepts the `authority` parameter.

+This article applies to MSAL.NET 3.x. For MSAL.NET 2.x, see [Azure AD B2C specifics in MSAL 2.x](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/AAD-B2C-Specifics-MSAL-2.x) in the MSAL.NET Wiki on GitHub.

+## Authority for an Azure AD B2C tenant and policy

+The authority format for Azure AD B2C is: `https://{azureADB2CHostname}/tfp/{tenant}/{policyName}`

+- `azureADB2CHostname` - The name of the Azure AD B2C tenant plus the host. For example, _contosob2c.b2clogin.com_.

+- `tenant` - The domain name or the directory (tenant) ID of the Azure AD B2C tenant. For example, _contosob2c.onmicrosoft.com_ or a GUID, respectively.

+- `policyName` - The name of the user flow or custom policy to apply. For example, a sign-up/sign-in policy like _b2c_1_susi_.

+For more information about Azure AD B2C authorities, see [Set redirect URLs to b2clogin.com](../../active-directory-b2c/b2clogin.md).

+## Instantiating the application

+Provide the authority by calling `WithB2CAuthority()` when you create the application object:

+```csharp

+// Azure AD B2C Coordinates

+public static string Tenant = "fabrikamb2c.onmicrosoft.com";

+public static string AzureADB2CHostname = "fabrikamb2c.b2clogin.com";

+public static string ClientID = "90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6";

+public static string PolicySignUpSignIn = "b2c_1_susi";

+public static string PolicyEditProfile = "b2c_1_edit_profile";

+public static string PolicyResetPassword = "b2c_1_reset";

+public static string AuthorityBase = $"https://{AzureADB2CHostname}/tfp/{Tenant}/";

+public static string Authority = $"{AuthorityBase}{PolicySignUpSignIn}";

+public static string AuthorityEditProfile = $"{AuthorityBase}{PolicyEditProfile}";

+public static string AuthorityPasswordReset = $"{AuthorityBase}{PolicyResetPassword}";

+application = PublicClientApplicationBuilder.Create(ClientID)

+ .WithB2CAuthority(Authority)

+ .Build();

+```

+## Acquire a token to apply a policy

+Acquiring a token for an Azure AD B2C-protected API in a public client application requires you to use the overrides with an authority:

+```csharp

+AuthenticationResult authResult = null;

+IEnumerable<IAccount> accounts = await application.GetAccountsAsync(policy);

+IAccount account = accounts.FirstOrDefault();

+try

+{

+ authResult = await application.AcquireTokenSilent(scopes, account)

+ .ExecuteAsync();

+}

+catch (MsalUiRequiredException ex)

+{

+ authResult = await application.AcquireTokenInteractive(scopes)

+ .WithAccount(account)

+ .WithParentActivityOrWindow(ParentActivityOrWindow)

+ .ExecuteAsync();

+}

+```

+In the preceding code snippet:

+- `policy` is a string containing the name of your Azure AD B2C user flow or custom policy (for example, `PolicySignUpSignIn`).

+- `ParentActivityOrWindow` is required for Android (the Activity) and is optional for other platforms that support a parent UI like windows on Microsoft Windows and UIViewController in iOS. For more information on the UI dialog, see [WithParentActivityOrWindow](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Acquiring-tokens-interactively#withparentactivityorwindow) on the MSAL Wiki.

+Applying a user flow or custom policy (for example, letting the user edit their profile or reset their password) is currently done by calling `AcquireTokenInteractive`. For these two policies, you don't use the returned token/authentication result.

+## Profile edit policies

+To enable your users to sign in with a social identity and then edit their profile, apply the Azure AD B2C edit profile policy.

+Do so by calling `AcquireTokenInteractive` with the authority for that policy. Because the user is already signed in and has an active cookie session, use `Prompt.NoPrompt` to prevent the account selection dialog from being displayed.

+```csharp

+private async void EditProfileButton_Click(object sender, RoutedEventArgs e)

+{

+ IEnumerable<IAccount> accounts = await application.GetAccountsAsync(PolicyEditProfile);

+ IAccount account = accounts.FirstOrDefault();

+ try

+ {

+ var authResult = await application.AcquireTokenInteractive(scopes)

+ .WithPrompt(Prompt.NoPrompt),

+ .WithAccount(account)

+ .WithB2CAuthority(AuthorityEditProfile)

+ .ExecuteAsync();

+ }

+ catch

+ {

+ }

+}

+```

+## Resource owner password credentials (ROPC)

+For more information on the ROPC flow, see [Sign in with resource owner password credentials grant](v2-oauth-ropc.md).

+The ROPC flow is **not recommended** because asking a user for their password in your application isn't secure. For more information about this problem, see [WhatΓÇÖs the solution to the growing problem of passwords?](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/).

+By using username/password in an ROPC flow, you sacrifice several things:

+- Core tenets of modern identity: The password can be fished or replayed because the shared secret can be intercepted. By definition, ROPC is incompatible with passwordless flows.

+- Users who use multi-factor authentication (MFA) won't be able to sign in as there's no interaction.

+- Users won't be able to use single sign-on (SSO).

+### Configure the ROPC flow in Azure AD B2C

+In your Azure AD B2C tenant, create a new user flow and select **Sign in using ROPC** to enable ROPC for the user flow. For more information, see [Configure the resource owner password credentials flow](../../active-directory-b2c/add-ropc-policy.md).

+`IPublicClientApplication` contains the `AcquireTokenByUsernamePassword` method:

+```csharp

+AcquireTokenByUsernamePassword(

+ IEnumerable<string> scopes,

+ string username,

+ SecureString password)

+```

+The `AcquireTokenByUsernamePassword` method takes the following parameters:

+- The _scopes_ for which to obtain an access token.

+- A _username_.

+- A SecureString _password_ for the user.

+### Limitations of the ROPC flow

+The ROPC flow **only works for local accounts**, where your users have registered with Azure AD B2C using an email address or username. This flow doesn't work when federating to an external identity provider supported by Azure AD B2C (Facebook, Google, etc.).

+## Google auth and embedded webview

+If you're using Google as an identity provider, we recommend you use the system browser as Google doesn't allow [authentication from embedded webviews](https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html). Currently, `login.microsoftonline.com` is a trusted authority with Google and will work with embedded webview. However, `b2clogin.com` isn't a trusted authority with Google, so users won't be able to authenticate.

+## Token caching in MSAL.NET

+### Known issue with Azure AD B2C

+MSAL.NET supports a [token cache](/dotnet/api/microsoft.identity.client.tokencache). The token caching key is based on the claims returned by the identity provider (IdP).

+Currently, MSAL.NET needs two claims to build a token cache key:

+- `tid` (the tenant ID)

+- `preferred_username`

+Both of these claims may be missing in Azure AD B2C scenarios because not all social identity providers (Facebook, Google, and others) return them in the tokens they return to Azure AD B2C.

+A symptom of such a scenario is that MSAL.NET returns `Missing from the token response` when you access the `preferred_username` claim value in tokens issued by Azure AD B2C. MSAL uses the `Missing from the token response` value for `preferred_username` to maintain cache cross-compatibility between libraries.

+### Workarounds

+#### Mitigation for missing tenant ID

+The suggested workaround is to use [caching by policy](#acquire-a-token-to-apply-a-policy) described earlier.

+Alternatively, you can use the `tid` claim if you're using [custom policies](../../active-directory-b2c/user-flow-overview.md) in Azure AD B2C. Custom policies can return additional claims to your application by using [claims transformation](../../active-directory-b2c/claims-transformation-technical-profile.md).

+#### Mitigation for "Missing from the token response"

+One option is to use the `name` claim instead of `preferred_username`. To include the `name` claim in ID tokens issued by Azure AD B2C, select **Display Name** when you configure your user flow.

+For more information about specifying which claims are returned by your user flows, see [Tutorial: Create user flows in Azure AD B2C](../../active-directory-b2c/tutorial-create-user-flows.md).

+## Next steps

+More details about acquiring tokens interactively with MSAL.NET for Azure AD B2C applications are provided in the following sample.

+| Sample | Platform | Description |

+| -- | | |

+| [active-directory-b2c-xamarin-native](https://github.com/Azure-Samples/active-directory-b2c-xamarin-native) | Xamarin iOS, Xamarin Android, UWP | A Xamarin Forms app that uses MSAL.NET to authenticate users via Azure AD B2C and then access a web API with the tokens returned. |

+ Title: OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform

+description: A guide to OAuth 2.0 and OpenID Connect protocols as supported by the Microsoft identity platform.

+# OAuth 2.0 and OpenID Connect (OIDC) in the Microsoft identity platform

+Knowing about OAuth or OpenID Connect (OIDC) at the protocol level isn't required to use the Microsoft identity platform. However, you'll encounter protocol terms and concepts as you use the identity platform to add authentication to your apps. As you work with the Azure portal, our documentation, and authentication libraries, knowing some fundamentals can assist your integration and overall experience.

+## Roles in OAuth 2.0

+Four parties are generally involved in an OAuth 2.0 and OpenID Connect authentication and authorization exchange. These exchanges are often called *authentication flows* or *auth flows*.

+

+* **Authorization server** - The Microsoft identity platform is the authorization server. Also called an *identity provider* or *IdP*, it securely handles the end-user's information, their access, and the trust relationships between the parties in the auth flow. The authorization server issues the security tokens your apps and APIs use for granting, denying, or revoking access to resources (authorization) after the user has signed in (authenticated).

+* **Client** - The client in an OAuth exchange is the application requesting access to a protected resource. The client could be a web app running on a server, a single-page web app running in a user's web browser, or a web API that calls another web API. You'll often see the client referred to as *client application*, *application*, or *app*.

+* **Resource owner** - The resource owner in an auth flow is usually the application user, or *end-user* in OAuth terminology. The end-user "owns" the protected resource (their data) which your app accesses on their behalf. The resource owner can grant or deny your app (the client) access to the resources they own. For example, your app might call an external system's API to get a user's email address from their profile on that system. Their profile data is a resource the end-user owns on the external system, and the end-user can consent to or deny your app's request to access their data.

+* **Resource server** - The resource server hosts or provides access to a resource owner's data. Most often, the resource server is a web API fronting a data store. The resource server relies on the authorization server to perform authentication and uses information in bearer tokens issued by the authorization server to grant or deny access to resources.

+## Tokens

+The parties in an authentication flow use **bearer tokens** to assure, verify, and authenticate a principal (user, host, or service) and to grant or deny access to protected resources (authorization). Bearer tokens in the Microsoft identity platform are formatted as [JSON Web Tokens](https://tools.ietf.org/html/rfc7519) (JWT).

+Three types of bearer tokens are used by the identity platform as *security tokens*:

+* [Access tokens](access-tokens.md) - Access tokens are issued by the authorization server to the client application. The client passes access tokens to the resource server. Access tokens contain the permissions the client has been granted by the authorization server.

+* [ID tokens](id-tokens.md) - ID tokens are issued by the authorization server to the client application. Clients use ID tokens when signing in users and to get basic information about them.

+* [Refresh tokens](refresh-tokens.md) - The client uses a refresh token, or *RT*, to request new access and ID tokens from the authorization server. Your code should treat refresh tokens and their string content as sensitive data because they're intended for use only by authorization server.

+## App registration

+Your client app needs a way to trust the security tokens issued to it by the Microsoft identity platform. The first step in establishing trust is by [registering your app](quickstart-register-app.md). When you register your app, the identity platform automatically assigns it some values, while others you configure based on the application's type.

+Two of the most commonly referenced app registration settings are:

+* **Application (client) ID** - Also called *application ID* and *client ID*, this value is assigned to your app by the identity platform. The client ID uniquely identifies your app in the identity platform and is included in the security tokens the platform issues.

+* **Redirect URI** - The authorization server uses a redirect URI to direct the resource owner's *user-agent* (web browser, mobile app) to another destination after completing their interaction. For example, after the end-user authenticates with the authorization server. Not all client types use redirect URIs.

+Your app's registration also holds information about the authentication and authorization *endpoints* you'll use in your code to get ID and access tokens.

+## Endpoints

+The Microsoft identity platform offers authentication and authorization services using standards-compliant implementations of OAuth 2.0 and OpenID Connect (OIDC) 1.0. Standards-compliant authorization servers like the identity platform provide a set of HTTP endpoints for use by the parties in an auth flow to execute the flow.

+The endpoint URIs for your app are generated automatically when you register or configure your app. The endpoints you use in your app's code depend on the application's type and the identities (account types) it should support.

+Two commonly used endpoints are the [authorization endpoint](v2-oauth2-auth-code-flow.md#request-an-authorization-code) and [token endpoint](v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token). Here are examples of the `authorize` and `token` endpoints:

+```

+# Authorization endpoint - used by client to obtain authorization from the resource owner.

+https://login.microsoftonline.com/<issuer>/oauth2/v2.0/authorize

+# Token endpoint - used by client to exchange an authorization grant or refresh token for an access token.

+https://login.microsoftonline.com/<issuer>/oauth2/v2.0/token

+# NOTE: These are examples. Endpoint URI format may vary based on application type,

+# sign-in audience, and Azure cloud instance (global or national cloud).

+# The {issuer} value in the path of the request can be used to control who can sign into the application.

+# The allowed values are **common** for both Microsoft accounts and work or school accounts,

+# **organizations** for work or school accounts only, **consumers** for Microsoft accounts only,

+# and **tenant identifiers** such as the tenant ID or domain name.

+```

+To find the endpoints for an application you've registered, in the [Azure portal](https://portal.azure.com) navigate to:

+**Azure Active Directory** > **App registrations** > \<YOUR-APPLICATION\> > **Endpoints**

+## Next steps

+Next, learn about the OAuth 2.0 authentication flows used by each application type and the libraries you can use in your apps to perform them:

+* [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)

+* [Microsoft Authentication Library (MSAL)](msal-overview.md)

+**We strongly advise against crafting your own library or raw HTTP calls to execute authentication flows.** A [Microsoft Authentication Library](reference-v2-libraries.md) is safer and easier. However, if your scenario prevents you from using our libraries or you'd just like to learn more about the Microsoft identity platform's implementation, we have protocol reference:

+* [Authorization code grant flow](v2-oauth2-auth-code-flow.md) - Single-page apps (SPA), mobile apps, native (desktop) applications

+* [Client credentials flow](v2-oauth2-client-creds-grant-flow.md) - Server-side processes, scripts, daemons

+* [On-behalf-of (OBO) flow](v2-oauth2-on-behalf-of-flow.md) - Web APIs that call another web API on a user's behalf

+* [OpenID Connect](v2-protocols-oidc.md) - User sign-in, sign out, and single sign-on (SSO)

+>This information last updated on June 22nd, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Exchange Online (Plan 2) for Faculty | EXCHANGEENTERPRISE_FACULTY | 0b7b15a8-7fd2-4964-bb96-5a566d4e3c15 | EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>INTUNE_O365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>BPOS_S_TODO_1 (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>RMS_S_BASIC (31cf2cfc-6b0d-4adc-a336-88b724ed8122) | Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0)<br/>Mobile Device Management for Office 365 (882e1d05-acd1-4ccb-8708-6ee03664b117)<br/>To-Do (Plan 1) (5e62787c-c316-451f-b873-1d05acd4d12c)<br/>Microsoft Azure Rights Management Service (31cf2cfc-6b0d-4adc-a336-88b724ed8122) |

+| Microsoft 365 A3 Suite features for faculty | Microsoft_365_A3_Suite_features_for_faculty | 32a0e471-8a27-4167-b24f-941559912425 | MDE_LITE (292cc034-7b7c-4950-aaf5-943befd3f1d4)<br/>INTUNE_EDU (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>REMOTE_HELP (a4c6cf29-1168-4076-ba5c-e8fe0e62b17e) | Microsoft Defender for Endpoint Plan 1 (292cc034-7b7c-4950-aaf5-943befd3f1d4)<br/>Microsoft Intune Plan 1 for Education (da24caf9-af8e-485c-b7c8-e73336da2693)<br/>Remote help (a4c6cf29-1168-4076-ba5c-e8fe0e62b17e) |

+| Microsoft 365 A5 Suite features for faculty | M365_A5_SUITE_COMPONENTS_FACULTY | 9b8fe788-6174-4c4e-983b-3330c93ec278 | Content_Explorer (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>INSIDER_RISK (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>ML_CLASSIFICATION (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>SAFEDOCS (bf6f5520-59e3-4f82-974b-7dbbc4fd27c7)<br/>MICROSOFTENDPOINTDLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>INTUNE_EDU (da24caf9-af8e-485c-b7c8-e73336da2693) | Information Protection and Governance Analytics - Premium (d9fa6af4-e046-4c89-9226-729a0786685d)<br/>Microsoft Insider Risk Management (d587c7a3-bda9-4f99-8776-9bcf59c84f75)<br/>Microsoft ML-Based Classification (d2d51368-76c9-4317-ada2-a12c004c432f)<br/>Office 365 SafeDocs (bf6f5520-59e3-4f82-974b-7dbbc4fd27c7)<br/>Microsoft Endpoint DLP (64bfac92-2b17-4482-b5e5-a0304429de3e)<br/>Microsoft Intune Plan 1 for Education (da24caf9-af8e-485c-b7c8-e73336da2693) |

+| Windows 10/11 Enterprise A5 for faculty | WIN10_ENT_A5_FAC | 7b1a89a9-5eb9-4cf8-9467-20c943f1122c | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>WINDEFATP (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>UNIVERSAL_PRINT_01 (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Virtualization Rights for Windows 10 (E3/E5+VDA) (e7c91390-7625-45be-94e0-e16907e03118)<br/>WINDOWSUPDATEFORBUSINESS_DEPLOYMENTSERVICE (7bf960f6-2cd9-443a-8046-5dbff9558365) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Defender for Endpoint (871d91ec-ec1a-452b-a83f-bd76c7d770ef)<br/>Universal Print (795f6fe0-cc4d-4773-b050-5dde4dc704c9)<br/>Windows 10/11 Enterprise (e7c91390-7625-45be-94e0-e16907e03118)<br/>Windows Update for Business Deployment Service (7bf960f6-2cd9-443a-8046-5dbff9558365) |

+ 

+1. Select **Customer**, and then **Continue**.

+> In the customer tenant, we have two options to add custom text to the sign-up and sign-in experience. The function is available under each user flow during language customization and under [Company Branding](/azure/active-directory/external-identities/customers/how-to-customize-branding-customers). Although we have to ways to customize strings (via Company branding and via User flows), both ways modify the same JSON file. The most recent change made either via User flows or via Company branding will always override the previous one.

+1. Select **Create App**. Select **Set up Facebook Login**, and then select **Next**.

+1. For **Select an app type**, select **Consumer**, then select **Next**.

+1. Add an app name and a valid app contact mail.

+1. Select **Create app**. This step may require you to accept Facebook platform policies and complete an online security check.

+ 1. Copy the value of **App ID**. Then select **Show** and copy the value of **App Secret**. You use both of these values to configure Facebook as an identity provider in your tenant. **App Secret** is an important security credential.

+ 1. Choose a **Category**, for example `Business and pages`. Facebook requires this value, but it's not used by Azure AD.

+1. At the bottom of the page, select **Add platform**, select **Website**, and then select **Next**.

+1. Select **Save changes**.

+1. From the menu, select **Products**. Next to **Facebook Login**, select **Configure** > **Settings**.

+1. In **Valid OAuth Redirect URIs**, enter the following URIs, replacing `<tenant-ID>` with your customer tenant ID and `<tenant-name>` with your customer tenant name:

+1. Select **Save changes** at the bottom of the page.

+1. At this point, only Facebook application owners can sign in. Because you registered the app, you can sign in with your Facebook account. To make your Facebook application available to your users, from the menu, select **Go live**. Follow all of the steps listed to complete all requirements. You'll likely need to complete the business verification to verify your identity as a business entity or organization. For more information, see [Meta App Development](https://developers.facebook.com/docs/development/release).

+- [An API registration](how-to-register-ciam-app.md?tabs=webapi&preserve-view=true) that exposes at least one scope (delegated permissions) and one app role (application permission) such as *ToDoList.Read*. If you haven't already, register an API in the Microsoft Entra admin center by following the registration steps.

+1. [Register your web API](how-to-register-ciam-app.md?tabs=webapi&preserve-view=true) in the Microsoft Entra admin center.

+ "AzureAd": {

+ "Instance": "https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/",

+ "TenantId": "Enter_the_Tenant_Id_Here",

+ "ClientId": "Enter_the_Application_Id_Here",

+builder.Services.AddDbContext<ToDoContext>(opt =>

+using ToDoListAPI.Context;

+ Title: Quickstart - Set up a tenant

+description: In this quickstart, you learn how to create a tenant with customer configurations.

+#Customer intent: As a dev, devops, or IT admin, I want to create a tenant with customer configurations.

+# Quickstart: Create a tenant (preview)

+Azure Active Directory (Azure AD) offers a customer identity access management (CIAM) solution that lets you create secure, customized sign-in experiences for your customer-facing apps and services. You'll need to create a tenant with customer configurations in the Microsoft Entra admin center to get started. Once the tenant with customer configurations is created, you can access it in both the Microsoft Entra admin center and the Azure portal.

+In this quickstart, you'll learn how to create a tenant with customer configurations if you already have an Azure subscription. If you don't have an Azure subscription, you can create a customer tenant free trial. For more information about the free trial, see [Set up a free trial](quickstart-trial-setup.md).

+## Prerequisites

+- An Azure subscription.

+- An Azure account that's been assigned at least the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) role scoped to the subscription or to a resource group within the subscription.

+## Create a new tenant with customer configurations

+1. Sign in to your organization's [Microsoft Entra admin center](https://entra.microsoft.com/).

+1. From the left menu, select **Azure Active Directory** > **Overview**.

+1. Select **Manage tenants** at the top of the page.

+1. Select **Create**.

+ :::image type="content" source="media/how-to-create-customer-tenant-portal/create-tenant.png" alt-text="Screenshot of the create tenant option.":::

+1. Select **Customer**, and then select **Continue**.

+ :::image type="content" source="media/how-to-create-customer-tenant-portal/select-tenant-type.png" alt-text="Screenshot of the select tenant type screen.":::

+1. Select **Use an Azure Subscription**. If you're creating a tenant with customer configurations for the first time, you have the option to create a trial tenant that doesn't require an Azure subscription. For more information about the free trial, see [Set up a free trial](quickstart-trial-setup.md).

+

+ :::image type="content" source="media/how-to-create-customer-tenant-portal/create-first-customer-tenant.png" alt-text="Screenshot of the two tenants with customer configurations options available during the initial tenant creation.":::

+1. On the **Basics** tab, in the **Create a tenant for customers** page, enter the following information:

+ :::image type="content" source="media/how-to-create-customer-tenant-portal/add-basics-to-customer-tenant.png" alt-text="Screenshot of the Basics tab.":::

+ - Type your desired **Tenant Name** (for example *Contoso Customers*).

+ - Type your desired **Domain Name** (for example *Contosocustomers*).

+ - Select your desired **Location**. This selection can't be changed later.

+1. Select **Next: Add a subscription**.

+1. On the **Add a subscription** tab, enter the following information:

+ - Next to **Subscription**, select your subscription from the menu.

+ - Next to **Resource group**, select a resource group from the menu. If there are no available resource groups, select **Create new**, add a name, and then select **OK**.

+ - If **Resource group location** appears, select the geographic location of the resource group from the menu.

+ :::image type="content" source="media/how-to-create-customer-tenant-portal/add-subscription.png" alt-text="Screenshot that shows the subscription settings.":::

+1. Select **Next: Review + Create**. If the information that you entered is correct, select **Create**. The tenant creation process can take up to 30 minutes. You can monitor the progress of the tenant creation process in the **Notifications** pane. Once the tenant is created, you can access it in both the Microsoft Entra admin center and the Azure portal.

+ :::image type="content" source="media/how-to-create-customer-tenant-portal/tenant-successfully-created.png" alt-text="Screenshot that shows the link to the new tenant.":::

+## Clean up resources

+If you're not going to continue to use this tenant, you can delete it using the following steps:

+1. Ensure that you're signed in to the directory that you want to delete through the **Directory + subscription** filter in the Azure portal. Switch to the target directory if needed.

+1. From the left menu, select **Azure Active Directory** > **Overview**.

+1. Select **Manage tenants** at the top of the page.

+1. Select the tenant you want to delete, and then select **Delete**.

+ :::image type="content" source="media/how-to-create-customer-tenant-portal/delete-tenant.png" alt-text="Screenshot that shows how to delete the tenant.":::

+1. You might need to complete required actions before you can delete the tenant. For example, you might need to delete all user flows in the tenant. If you're ready to delete the tenant, select **Delete**.

+The tenant and its associated information are deleted.

+## Next steps

+- [Customize the sign-in experience](how-to-customize-branding-customers.md)

+- [Register an app](how-to-register-ciam-app.md)

+- [Create user flows](how-to-user-flow-sign-up-sign-in-customers.md)

+Get started with Azure AD for customers (Preview) that lets you create secure, customized sign-in experiences for your customer-facing apps and services. With these built-in customer configuration features, Azure AD for customers can serve as the identity provider and access management service for your customers.

+In this quickstart, you'll learn how to set up a customer tenant free trial. If you already have an Azure subscription, you can create a tenant with customer configurations in the Microsoft Entra admin center. For more information about how to create a tenant see [Set up a tenant](quickstart-tenant-setup.md).

+Your free trial of a tenant with customer configurations provides you with the opportunity to try new features and build applications and processes during the free trial period. Organization (tenant) admins can invite other users. Each user account can only have one active free trial tenant at a time. The free trial isn't designed for scale testing. Trial tenant will support up to 10K resources, learn more about Azure AD service limits [here](/azure/active-directory/enterprise-users/directory-service-limits-restrictions). During your free trial, you'll have the option to unlock the full set of features by upgrading to [Azure free account](https://azure.microsoft.com/free/).

+If you prefer, you can add your company logo, change the background color or adjust the sign-in layout. These optional changes will apply to the look and feel of all your apps in this tenant with customer configurations. After you have the created tenant, additional branding options are available. You can [customize the default branding](how-to-customize-branding-customers.md) and [add languages](how-to-customize-languages-customers.md). Once you're finished with the customization, select **Continue**.

+1. Select the **Run it now** button. A new browser tab will open with the sign-in page for your tenant that can be used to create and sign in users.

+1. Select **No account? Create one** to create a new user in the tenant.

+In some situations, after acquisition the organization may converge on a single HR platform, but still run existing identity management systems. In this scenario, MIM could provision users into multiple Active Directory systems, depending on which part of the organization the user is affiliated with. They could continue to use B2B so that users authenticate their existing directory, and have a unified GAL.

+# Check the status of a workflow

+1. On the left menu, select **Lifecycle Workflows**.

+1. On the Lifecycle Workflows overview page, select **Workflows**.

+1. In the left menu, select **Lifecycle Workflows**.

+1. select **Workflows**.

+1. On the workflow overview screen, select **Workflow history**.

+# Check execution user scope of a workflow

+1. In the left menu, select **Lifecycle workflows**.

+1. On the workflow overview page, select **Execution conditions**.

+# Configure a Logic App for Lifecycle Workflow use

+Before you can use an existing Azure Logic App with the custom task extension feature of Lifecycle Workflows, it must first be made compatible. This reference guide provides a list of steps that must be taken to make the Azure Logic App compatible. For a guide on creating a new compatible Logic App via the Lifecycle Workflows portal, see [Trigger Logic Apps based on custom task extensions](trigger-custom-task.md).

+To determine the security token type of your custom task extension, you'd check the **Custom extensions** page:

+ Policy type: AADPOP

+- [Lifecycle workflow extensibility](lifecycle-workflow-extensibility.md)

+ Title: Create a lifecycle workflow - Azure AD

+# Create a lifecycle workflow

+Lifecycle workflows allow for tasks associated with the lifecycle process to be run automatically for users as they move through their lifecycle in your organization. Workflows consist of:

+1. On the left menu, select **Lifecycle Workflows**.

+1. Select **Workflows**.

+# Customize emails sent from workflow tasks

+Lifecycle workflows provide several tasks that send email notifications. You can customize email notifications to suit the needs of a specific workflow. For a list of these tasks, see [Lifecycle workflow built-in tasks](lifecycle-workflow-tasks.md).

+1. On the left menu, select **Lifecycle workflows**.

+1. On the left menu, select **Workflows**.

+1. Select **Tasks**.

+- Custom branding set within Azure AD if you want to use your custom branding in emails. To set organizational branding within your Azure tenant, see [Configure your company branding](../fundamentals/how-to-customize-branding.md).

+1. On the page for lifecycle workflows, select **Workflow settings**.

+1. On the **Workflow settings** pane, for **Email domain**, select your domain from the drop-down list of verified domains.

+# Customize the schedule of workflows

+Workflows that you create within lifecycle workflows follow the same schedule that you define on the **Workflow settings** pane. To adjust the schedule, follow these steps:

+1. On the left menu, select **Lifecycle workflows**.

+1. On the **Lifecycle workflows** overview page, select **Workflow settings**.

+1. On the **Workflow settings** pane, set the schedule of workflows as an interval of 1 to 24.

+# Delete a lifecycle workflow

+1. On the left menu, select **Lifecycle Workflows**.

+1. Select **Workflows**.

+1. On the left pane, select **Deleted workflows**.

+- [Check the status of a workflow](check-status-workflow.md)

+- [Trigger Logic Apps based on custom task extensions](trigger-custom-task.md)

+- [Configure a Logic App for Lifecycle Workflow use](configure-logic-app-lifecycle-workflows.md)

+# Lifecycle Workflows history

+Summaries allow you to quickly gain details about how a workflow ran for itself, or users, without going into further details in logs. For a step by step guide on getting this information, see [Check the status of a workflow](check-status-workflow.md).

+Separating processing of the workflow from the tasks is important because, in a workflow, processing a user certain tasks could be successful, while others could fail. Whether or not a task runs after a failed task in a workflow depends on parameters such as enabling continue On Error, and their placement within the workflow. For more information, see [Common task parameters](lifecycle-workflow-tasks.md#common-task-parameters).

+# Lifecycle Workflow built-in tasks

+# Lifecycle Workflows templates

+- [Manage workflow Properties](manage-workflow-properties.md)

+- [Manage workflow versions](manage-workflow-tasks.md)

+- For more information on custom extensions, see [Lifecycle Workflow extensibility](lifecycle-workflow-extensibility.md)

+# Manage workflow properties

+1. On the left menu, select **Lifecycle workflows**.

+1. On the left menu, select **Workflows**.

+6. To change the display name or description, select **Properties**.

+# Manage workflow versions

+1. In the left menu, select **Lifecycle workflows**.

+1. In the left menu, select **workflows**.

+1. On the left side of the screen, select **Tasks**.

+1. On the left menu of Lifecycle Workflows, select **Workflows**.

+1. On the left side of the screen, select **Execution conditions**.

+1. On the left menu of Lifecycle Workflows, select **Workflows**.

+1. On the left side of the screen, select **Versions**.

+# Run a workflow on-demand

+1. On the left menu, select **Lifecycle workflows**.

+1. select **Workflows**

+# Trigger Logic Apps based on custom task extensions

+1. In the left menu, select **Lifecycle Workflows**.

+1. In the left menu, select **Lifecycle workflows**.

+1. In the left menu, select **Workflows**.

+- [Lifecycle workflow extensibility](lifecycle-workflow-extensibility.md)

+ Title: Execute employee termination tasks by using lifecycle workflows

+description: Learn how to remove users from an organization in real time on their last day of work by using lifecycle workflows in the Azure portal.

+# Execute employee termination tasks by using lifecycle workflows

+This tutorial provides a step-by-step guide on how to execute a real-time employee termination by using lifecycle workflows in the Azure portal.

+4. Select **Lifecycle workflows**.

+At any time, you can monitor the status of workflows and tasks. Three data pivots, users runs, and tasks are currently available. You can learn more in the how-to guide [Check the status of a workflow](check-status-workflow.md). In this tutorial, you check the status by using the user-focused reports.

+1. On the **Overview** page for the workflow, select **Workflow history**.

+- [Prepare user accounts for lifecycle workflows](tutorial-prepare-azure-ad-user-accounts.md)

+ Title: 'Automate employee onboarding tasks before their first day of work with Azure portal'

+description: Tutorial for onboarding users to an organization using Lifecycle workflows with Azure portal.

+# Automate employee onboarding tasks before their first day of work with Azure portal

+ 4. Select **Lifecycle workflows**.

+ 5. On the **Overview** page, select **New workflow**.

+At any time, you may monitor the status of the workflows and the tasks. As a reminder, there are three different data pivots, users runs, and tasks that are currently available. You may learn more in the how-to guide [Check the status of a workflow](check-status-workflow.md). In the course of this tutorial, we look at the status using the user focused reports.

+ 1. To begin, select the **Workflow history** tab to view the user summary and associated workflow tasks and statuses.

+1. Once the **Workflow history** tab has been selected, you land on the workflow history page as shown.

+After running your workflow on-demand and checking that everything is working fine, you may want to enable the workflow schedule. To enable the workflow schedule, you may select the **Enable Schedule** checkbox on the Properties page.

+- [Tutorial: Preparing user accounts for Lifecycle workflows](tutorial-prepare-azure-ad-user-accounts.md)

+ Title: 'Tutorial: Preparing user accounts for Lifecycle workflows'

+description: Tutorial for preparing user accounts for Lifecycle workflows.

+# Preparing user accounts for Lifecycle workflows tutorials

+There are some additional steps that you should be aware of when testing either the [On-boarding users to your organization using Lifecycle workflows with Azure portal](tutorial-onboard-custom-workflow-portal.md) tutorial or the [On-boarding users to your organization using Lifecycle workflows with Microsoft Graph](tutorial-onboard-custom-workflow-graph.md) tutorial.

+There are some additional steps that you should be aware of when testing either the Off-boarding users from your organization using Lifecycle workflows with Azure portal tutorial or the Off-boarding users from your organization using Lifecycle workflows with Microsoft Graph tutorial.

+- [On-boarding users to your organization using Lifecycle workflows with Azure portal](tutorial-onboard-custom-workflow-portal.md)

+- [On-boarding users to your organization using Lifecycle workflows with Microsoft Graph](tutorial-onboard-custom-workflow-graph.md)

+- [Tutorial: Off-boarding users from your organization using Lifecycle workflows with Azure portal](tutorial-offboard-custom-workflow-portal.md)

+- [Tutorial: Off-boarding users from your organization using Lifecycle workflows with Microsoft Graph](tutorial-offboard-custom-workflow-graph.md)

+ Title: Automate employee offboarding tasks after their last day of work with Azure portal

+description: Tutorial for post off-boarding users from an organization using Lifecycle workflows with Azure portal.

+# Automate employee offboarding tasks after their last day of work with Azure portal

+ 4. Select **Lifecycle workflows**.

+ 5. On the **Overview** page, select **New workflow**.

+At any time, you may monitor the status of the workflows and the tasks. As a reminder, there are three different data pivots, users runs, and tasks that are currently available. You may learn more in the how-to guide [Check the status of a workflow](check-status-workflow.md). In the course of this tutorial, we'll look at the status using the user focused reports.

+ 1. To begin, select the **Workflow history** tab on the left to view the user summary and associated workflow tasks and statuses.

+1. Once the **Workflow history** tab has been selected, you'll land on the workflow history page as shown.

+After running your workflow on-demand and checking that everything is working fine, you may want to enable the workflow schedule. To enable the workflow schedule, you may select the **Enable Schedule** checkbox on the Properties page.

+- [Preparing user accounts for Lifecycle workflows](tutorial-prepare-azure-ad-user-accounts.md)

+# What are lifecycle workflows?

+Lifecycle workflows are a new identity governance feature that enables organizations to manage Azure Active Directory (Azure AD) users by automating these three basic lifecycle processes:

+ Title: 'Lifecycle workflows FAQs'

+description: Frequently asked questions about Lifecycle workflows.

+# Lifecycle workflows - FAQs

+We currently donΓÇÖt support the ability to create new tasks outside of the set of tasks supported in the task templates. As an alternative, you may accomplish this by setting up a logic app and then creating a logic apps task in Lifecycle Workflows with the URL. For more information, see [Trigger Logic Apps based on custom task extensions](trigger-custom-task.md)

+- [What are Lifecycle workflows?](what-are-lifecycle-workflows.md)

+> Action required: Synchronization will stop working on October 1, 2023, for any customers still running Azure AD Connect Sync V1. Customers using cloud sync or Azure AD Connect V2 will remain fully operational with no action required. For more information and next step guidance, see [Decommission Azure AD Connect V1](https://aka.ms/DecommissionAADConnectV1) if an upgrade is required.

+6/19/2023: Released for download and autoupgrade.

+ - We have added Microsoft Azure AD Connect Agent Updater service to the install. This new service will be used for future auto upgrades.

+ GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and consentType eq 'Principal'

+Restricted management administrative units allow you to protect specific objects in your tenant from modification by anyone other than a specific set of administrators that you designate. This allows you to meet security or compliance requirements without having to remove tenant-level role assignments from your administrators.

+ Title: Azure Active Directory SSO integration with AlertEnterprise-Guardian

+description: Learn how to configure single sign-on between Azure Active Directory and AlertEnterprise-Guardian.

+# Azure Active Directory SSO integration with AlertEnterprise-Guardian

+In this article, you'll learn how to integrate AlertEnterprise-Guardian with Azure Active Directory (Azure AD). Application automates the identity management lifecycle. Built-in Regulatory Compliance ensures controls are in place before granting access to identities. When you integrate AlertEnterprise-Guardian with Azure AD, you can:

+* Control in Azure AD who has access to AlertEnterprise-Guardian.

+* Enable your users to be automatically signed-in to AlertEnterprise-Guardian with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for AlertEnterprise-Guardian in a test environment. AlertEnterprise-Guardian supports **IDP** initiated single sign-on.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with AlertEnterprise-Guardian, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* AlertEnterprise-Guardian single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the AlertEnterprise-Guardian application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add AlertEnterprise-Guardian from the Azure AD gallery

+Add AlertEnterprise-Guardian from the Azure AD application gallery to configure single sign-on with AlertEnterprise-Guardian. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **AlertEnterprise-Guardian** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the value:

+ `urn:mace:saml:pac4j.org`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<SUBDOMAIN>.alerthsc.com/api/auth/sso/callback?client_name=<Client_Name>`

+ > [!Note]

+ > The Reply URL is not real. Update this value with the actual Reply URL. Contact [AlertEnterprise-Guardian support team](mailto:info@alertenterprise.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. AlertEnterprise-Guardian application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, AlertEnterprise-Guardian application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | tenant | <Share_By_ALERT_Team> |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+## Configure AlertEnterprise-Guardian SSO

+To configure single sign-on on **AlertEnterprise-Guardian** side, you need to send the **App Federation Metadata Url** to [AlertEnterprise-Guardian support team](mailto:info@alertenterprise.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create AlertEnterprise-Guardian test user

+In this section, you create a user called Britta Simon at AlertEnterprise-Guardian. Work with [AlertEnterprise-Guardian support team](mailto:info@alertenterprise.com) to add the users in the AlertEnterprise-Guardian platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the AlertEnterprise-Guardian for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the AlertEnterprise-Guardian tile in the My Apps, you should be automatically signed in to the AlertEnterprise-Guardian for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure AlertEnterprise-Guardian you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with ISG GovernX Federation

+description: Learn how to configure single sign-on between Azure Active Directory and ISG GovernX Federation.

+# Azure Active Directory SSO integration with ISG GovernX Federation

+In this article, you'll learn how to integrate ISG GovernX Federation with Azure Active Directory (Azure AD). Template for Federation between ISG and Clients IDP. When you integrate ISG GovernX Federation with Azure AD, you can:

+* Control in Azure AD who has access to ISG GovernX Federation.

+* Enable your users to be automatically signed-in to ISG GovernX Federation with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for ISG GovernX Federation in a test environment. ISG GovernX Federation supports both **SP** and **IDP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with ISG GovernX Federation, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* ISG GovernX Federation single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the ISG GovernX Federation application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add ISG GovernX Federation from the Azure AD gallery

+Add ISG GovernX Federation from the Azure AD application gallery to configure single sign-on with ISG GovernX Federation. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **ISG GovernX Federation** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://www.okta.com/saml2/service-provider/<GovernX_UniqueID>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://isg-one.okta.com/sso/saml2/<ID>`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://isg-one.okta.com/sso/saml2/<ID>`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [ISG GovernX Federation support team](mailto:infrastructureteam@isg-one.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up ISG GovernX Federation** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure ISG GovernX Federation SSO

+To configure single sign-on on **ISG GovernX Federation** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ISG GovernX Federation support team](mailto:infrastructureteam@isg-one.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create ISG GovernX Federation test user

+In this section, a user called B.Simon is created in ISG GovernX Federation. ISG GovernX Federation supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in ISG GovernX Federation, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to ISG GovernX Federation Sign-on URL where you can initiate the login flow.

+* Go to ISG GovernX Federation Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ISG GovernX Federation for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the ISG GovernX Federation tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ISG GovernX Federation for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure ISG GovernX Federation you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+To configure single sign-on on **IT-Conductor** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [IT-Conductor support team](mailto:support@itconductor.com). They set this setting to have the SAML SSO connection set properly on both sides. For more information, please refer [this](https://docs.itconductor.com/start-here/sso-setup) link.

+Once you configure IT-Conductor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with ThreatQ Platform

+description: Learn how to configure single sign-on between Azure Active Directory and ThreatQ Platform.

+# Azure Active Directory SSO integration with ThreatQ Platform

+In this article, you'll learn how to integrate ThreatQ Platform with Azure Active Directory (Azure AD). ThreatQ improves the efficiency and effectiveness of security operations by fusing disparate data sources, tools and teams to accelerate and automate threat detection, investigation and response. When you integrate ThreatQ Platform with Azure AD, you can:

+* Control in Azure AD who has access to ThreatQ Platform.

+* Enable your users to be automatically signed-in to ThreatQ Platform with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for ThreatQ Platform in a test environment. ThreatQ Platform supports **SP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with ThreatQ Platform, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* ThreatQ Platform single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the ThreatQ Platform application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add ThreatQ Platform from the Azure AD gallery

+Add ThreatQ Platform from the Azure AD application gallery to configure single sign-on with ThreatQ Platform. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **ThreatQ Platform** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<Customer_Environment>.threatq.online/api/saml/metadata`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<Customer_Environment>.threatq.online/api/saml/acs`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<Customer_Environment>.threatq.online/`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [ThreatQ Platform support team](mailto:support@threatq.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Your ThreatQ Platform application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but ThreatQ Platform expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.

+ 

+1. In addition to above, ThreatQ Platform application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | uid | user.mail |

+ | Groups | user.groups |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up ThreatQ Platform** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure ThreatQ Platform SSO

+To configure single sign-on on **ThreatQ Platform** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [ThreatQ Platform support team](mailto:support@threatq.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create ThreatQ Platform test user

+In this section, a user called B.Simon is created in ThreatQ Platform. ThreatQ Platform supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in ThreatQ Platform, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to ThreatQ Platform Sign-on URL where you can initiate the login flow.

+* Go to ThreatQ Platform Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the ThreatQ Platform tile in the My Apps, this will redirect to ThreatQ Platform Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure ThreatQ Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+* These instructions assume you are using the new [Single Sign On/Just-in-Time Provisioning feature from Veracode](https://docs.veracode.com/r/about_saml). To activate this feature if it is not already active, please contact Veracode Support.

+Once you configure Veracode you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+To configure single sign-on on **LINE WORKS** side, please read the [LINE WORKS SSO documents](https://jp1-developers.worksmobile.com/jp/docs/?lang=en) and configure a LINE WORKS setting.

+Learn more about [Kubernetes service - UseEphemeralOSdisk (Use Ephemeral OS disk)](../aks/concepts-storage.md#ephemeral-os-disk).

+|**Cluster architecture:** Consider using [ephemeral OS disks](concepts-storage.md#ephemeral-os-disk).|Ephemeral OS disks provide lower read/write latency, along with faster node scaling and cluster upgrades. Containers aren't designed to have local state persisted to the managed OS disk, and this behavior offers limited value to AKS. AKS defaults to an ephemeral OS disk if you chose the right VM series and the OS disk can fit in the VM cache or temporary storage SSD.|

+|**Cluster and workload architectures:** Cost management using monitoring and observability tools. | OpenCost on AKS introduces a new community-driven [specification](https://github.com/opencost/opencost/blob/develop/spec/opencost-specv01.md) and implementation to bring greater visibility into current and historic Kubernetes spend and resource allocation. OpenCost, born out of [Kubecost](https://www.kubecost.com/), is an open-source, vendor-neutral [CNCF sandbox project](https://www.cncf.io/sandbox-projects/) that recently became a [FinOps Certified Solution](https://www.finops.org/partner-certifications/#finops-certified-solution). Customer specific prices are now included using the [Azure Consumption Price Sheet API](/rest/api/consumption/price-sheet), ensuring accurate cost reporting that accounts for consumption and savings plan discounts. For out-of-cluster analysis or to ingest allocation data into an existing BI pipeline, you can export a CSV with daily infrastructure cost breakdown by Kubernetes constructs (namespace, controller, service, pod, job and more) to your Azure Storage Account or local storage with minimal configuration. CSV also includes resource utilization metrics for CPU, GPU, memory, load balancers, and persistent volumes. For in-cluster visualization, OpenCost UI enables real-time cost drill down by Kubernetes constructs. Alternatively, directly query the OpenCost API to access cost allocation data. For more information on Azure specific integration, see [OpenCost docs](https://www.opencost.io/docs).|

+## Use Ephemeral OS on new clusters

+Configure the cluster to use ephemeral OS disks when the cluster is created. Use the `--node-osdisk-type` argument to set Ephemeral OS as the OS disk type for the new cluster.

+If you want to create a regular cluster using network-attached OS disks, you can do so by specifying the `--node-osdisk-type=Managed` argument. You can also choose to add other ephemeral OS node pools as described below.

+## Use Ephemeral OS on existing clusters

+Configure a new node pool to use Ephemeral OS disks. Use the `--node-osdisk-type` argument to set as the OS disk type as the OS disk type for that node pool.

+## Ephemeral OS disk

+By default, Azure automatically replicates the operating system disk for a virtual machine to Azure storage to avoid data loss when the VM is relocated to another host. However, since containers aren't designed to have local state persisted, this behavior offers limited value while providing some drawbacks. These drawbacks include, but aren't limited to, slower node provisioning and higher read/write latency.

+By contrast, ephemeral OS disks are stored only on the host machine, just like a temporary disk. With this configuration, you get lower read/write latency, together with faster node scaling and cluster upgrades.

+> [!NOTE]

+> When you don't explicitly request [Azure managed disks][azure-managed-disks] for the OS, AKS defaults to ephemeral OS if possible for a given node pool configuration.

+Size requirements and recommendations for ephemeral OS disks are available in the [Azure VM documentation][azure-vm-ephemeral-os-disks]. The following are some general sizing considerations:

+* If you chose to use the AKS default VM size [Standard_DS2_v2](../virtual-machines/dv2-dsv2-series.md#dsv2-series) SKU with the default OS disk size of 100 GB, the default VM size supports ephemeral OS, but only has 86 GiB of cache size. This configuration would default to managed disks if you don't explicitly specify it. If you do request an ephemeral OS, you receive a validation error.

+* If you request the same [Standard_DS2_v2](../virtual-machines/dv2-dsv2-series.md#dsv2-series) SKU with a 60 GiB OS disk, this configuration would default to ephemeral OS. The requested size of 60 GiB is smaller than the maximum cache size of 86 GiB.

+* If you select the [Standard_D8s_v3](../virtual-machines/dv3-dsv3-series.md#dsv3-series) SKU with 100 GB OS disk, this VM size supports ephemeral OS and has 200 GiB of cache space. If you don't specify the OS disk type, the node pool would receive ephemeral OS by default.

+The latest generation of VM series doesn't have a dedicated cache, but only temporary storage. For example, if you selected the [Standard_E2bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) VM size with the default OS disk size of 100 GiB, it supports ephemeral OS disks, but only has 75 GB of temporary storage. This configuration would default to managed OS disks if you don't explicitly specify it. If you do request an ephemeral OS disk, you receive a validation error.

+* If you request the same [Standard_E2bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) VM size with a 60 GiB OS disk, this configuration defaults to ephemeral OS disks. The requested size of 60 GiB is smaller than the maximum temporary storage of 75 GiB.

+* If you select [Standard_E4bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) SKU with 100 GiB OS disk, this VM size supports ephemeral OS

+and has 150 GiB of temporary storage. If you don't specify the OS disk type, by default Azure provisions an ephemeral OS disk to the node pool.

+### Customer Managed key

+You can manage encryption for your ephemeral OS disk with your own keys on an AKS cluster. For more information, see [Azure ephemeral OS disks Customer Managed key][azure-disk-customer-managed-key].

+> Depending on the VM SKU you're using, the Azure Disk CSI driver might have a per-node volume limit. For some high perfomance VMs (for example, 16 cores), the limit is 64 volumes per node. To identify the limit per VM SKU, review the **Max data disks** column for each VM SKU offered. For a list of VM SKUs offered and their corresponding detailed capacity limits, see [General purpose virtual machine sizes][general-purpose-machine-sizes].

+[azure-managed-disks]: ../virtual-machines/managed-disks-overview.md

+[azure-vm-ephemeral-os-disks]: ../virtual-machines/ephemeral-os-disks.md

+[azure-files-azure-netapp-comparison]: ../storage/files/storage-files-netapp-comparison.md

+[azure-disk-customer-managed-key]: ../virtual-machines/ephemeral-os-disks.md#customer-managed-key

+The sustainable software engineering principles are a set of competencies to help you define, build, and run sustainable applications. The overall goal is to reduce the carbon footprint in every aspect of your application. The Azure Well-Architected Framework guidance for sustainability aligns with the [The Principles of Sustainable Software Engineering](https://principles.green/) from the [Green Software Foundation](https://greensoftware.foundation/) and provides an overview of the principles of sustainable software engineering.

+Sustainable software engineering is a shift in priorities and focus. In many cases, the way most software is designed and run highlights fast performance and low latency. Sustainable software engineering focuses on reducing as much carbon emission as possible.

+* Applying sustainable software engineering principles can give you faster performance or lower latency, such as lowering total network traversal.

+The following guidance focuses on services you're building or operating on Azure with Azure Kubernetes Service (AKS). This article includes design and configuration checklists, recommended design practices, and configuration options. Before applying sustainable software engineering principles to your application, review the priorities, needs, and trade-offs of your application.

+* It's crucial you have clearly defined business requirements when building applications, as they might have a direct impact on both cluster and workload architectures and configurations. When building or updating existing applications, review the Well-Architected Framework sustainability design areas, alongside your application's holistic lifecycle.

+Sustainability is a shared responsibility between the cloud provider and the customer or partner designing and deploying AKS clusters on the platform. Deploying AKS doesn't automatically make it sustainable, even if the [data centers are optimized for sustainability](https://infrastructuremap.microsoft.com/fact-sheets). Applications that aren't properly optimized may still emit more carbon than necessary.

+* **[Carbon Efficiency](https://learn.greensoftware.foundation/practitioner/carbon-efficiency)**: Emit the least amount of carbon possible.

+ A carbon efficient cloud application is one that's optimized, and the starting point is the cost optimization.

+* **[Energy Efficiency](https://learn.greensoftware.foundation/practitioner/energy-efficiency/)**: Use the least amount of energy possible.

+ One way to increase energy efficiency is to run the application on as few servers as possible with the servers running at the highest utilization rate, also increasing hardware efficiency.

+* **[Hardware Efficiency](https://learn.greensoftware.foundation/practitioner/hardware-efficiency)**: Use the least amount of embodied carbon possible.

+ There are two main approaches to hardware efficiency:

+ - For end-user devices, it's extending hardware lifespan.

+ - For cloud computing, it's increasing resource utilization.

+* **[Carbon Awareness](https://learn.greensoftware.foundation/practitioner/carbon-awareness)**: Do more when the electricity is cleaner and do less when the electricity is dirtier.

+ Being carbon aware means responding to shifts in carbon intensity by increasing or decreasing your demand.

+Before reviewing the detailed recommendations in each of the design areas, we recommend you carefully consider the following design patterns for building sustainable workloads on AKS:

+| [Enable cluster and node autoupdates](#enable-cluster-and-node-autoupdates) | | ✔️ |

+| [Match the scalability needs and utilize autoscaling and bursting capabilities](#match-the-scalability-needs-and-utilize-autoscaling-and-bursting-capabilities) | | ✔️ |

+A microservice architecture may reduce the compute resources required, as it allows for independent scaling of its logical components and ensures they're scaled according to demand.

+* Consider using the [Dapr Framework](https://dapr.io/) or [other CNCF projects](/azure/architecture/example-scenario/apps/build-cncf-incubated-graduated-projects-aks) to help you separate your application functionality into different microservices and to allow independent scaling of its logical components.

+When you scale your workload based on relevant business metrics, such as HTTP requests, queue length, and cloud events, you can help reduce resource utilization and carbon emissions.

+* Use [Keda](https://keda.sh/) when building event-driven applications to allow scaling down to zero when there's no demand.

+### Enable cluster and node autoupdates

+* Enable [cluster autoupgrade](./auto-upgrade-cluster.md) and [apply security updates to nodes automatically using GitHub Actions](./node-upgrade-github-actions.md) to ensure your cluster has the latest improvements.

+Add-ons and extensions covered by the [AKS support policy](./support-policies.md) provide further supported functionalities to your cluster while allowing you to benefit from the latest performance improvements and energy optimizations throughout your cluster lifecycle.

+* Install [KEDA](./integrations.md#available-add-ons) as an add-on.

+* Install [GitOps & Dapr](./cluster-extensions.md?tabs=azure-cli#currently-available-extensions) as extensions.

+### Match the scalability needs and utilize autoscaling and bursting capabilities

+An oversized cluster doesn't maximize utilization of compute resources and can lead to a waste of energy. Separate your applications into different node pools to allow for cluster right-sizing and independent scaling according to the application requirements. As you run out of capacity in your AKS cluster, grow from AKS to ACI to scale out extra pods to serverless nodes and ensure your workload uses all the allocated resources efficiently.

+* Size your cluster to match the scalability needs of your application. Use the [cluster autoscaler](./cluster-autoscaler.md) with [virtual nodes](./virtual-nodes.md) to rapidly scale and maximize compute resource utilization.

+* You can also [enforce resource quotas](./operator-best-practices-scheduler.md#enforce-resource-quotas) at the namespace level and [scale user node pools to zero](./scale-cluster.md?tabs=azure-cli#scale-user-node-pools-to-0) when there's no demand.

+Workloads may not need to run continuously and could be turned off to reduce energy waste and carbon emissions. You can completely turn off (stop) your node pools in your AKS cluster, allowing you to also save on compute costs.

+* Use the [node pool stop/start](./start-stop-nodepools.md) to turn off your node pools outside of business hours.

+* Use the [KEDA CRON scaler](https://keda.sh/docs/2.7/scalers/cron/) to scale down your workloads (pods) based on time.

+You should identify and delete any unused resources, such as unreferenced images and storage resources, as they have a direct impact on hardware and energy efficiency. To ensure continuous energy optimization, you must treat identifying and deleting unused resources as a process rather than a point-in-time activity.

+* Use [Azure Advisor](../advisor/advisor-cost-recommendations.md) to identify unused resources.

+* Use [ImageCleaner](./image-cleaner.md?tabs=azure-cli) to clean up stale images and remove an area of risk in your cluster.

+* Understand the needs of your application to [choose the appropriate storage](./operator-best-practices-storage.md#choose-the-appropriate-storage-type) and define it using [storage classes](./operator-best-practices-storage.md#create-and-use-storage-classes-to-define-application-needs) to avoid storage underutilization.

+* Consider [provisioning volumes dynamically](./operator-best-practices-storage.md#dynamically-provision-volumes) to automatically scale the number of storage resources.

+The distance from a data center to users has a significant impact on energy consumption and carbon emissions. Shortening the distance a network packet travels improves both your energy and carbon efficiency.

+* Review your application requirements and [Azure geographies](https://azure.microsoft.com/explore/global-infrastructure/geographies/#overview) to choose a region closest to where most network packets are going.

+Placing nodes in a single region or a single availability zone reduces the physical distance between the instances. However, for business critical workloads, you need to ensure your cluster is spread across multiple availability zones, which may result in more network traversal and increase in your carbon footprint.

+* Consider deploying your nodes within a [proximity placement group](../virtual-machines/co-location.md) to reduce the network traversal by ensuring your compute resources are physically located close to each other.

+* For critical workloads, configure [proximity placement groups with availability zones](./reduce-latency-ppg.md#configure-proximity-placement-groups-with-availability-zones).

+A service mesh deploys extra containers for communication, typically in a [sidecar pattern](/azure/architecture/patterns/sidecar), to provide more operational capabilities, which leads to an increase in CPU usage and network traffic. Nevertheless, it allows you to decouple your application from these capabilities as it moves them out from the application layer and down to the infrastructure layer.

+Sending and storing all logs from all possible sources (workloads, services, diagnostics, and platform activity) can increase storage and network traffic, which impacts costs and carbon emissions.

+* Make sure you're collecting and retaining only the necessary log data to support your requirements. [Configure data collection rules for your AKS workloads](../azure-monitor/containers/container-insights-agent-config.md#data-collection-settings) and implement design considerations for [optimizing your Log Analytics costs](/azure/architecture/framework/services/monitoring/log-analytics/cost-optimization).

+* Ensure you [follow best practices](/azure/architecture/best-practices/cdn) for CDN.

+* Consider using [Azure CDN](../cdn/cdn-how-caching-works.md?toc=%2fazure%2ffrontdoor%2fTOC.json) to lower the consumed bandwidth and keep costs down.

+* Review the information on TLS termination when using [Application Gateway](../application-gateway/ssl-overview.md) or [Azure Front Door](../application-gateway/ssl-overview.md). Determine whether you can terminate TLS at your border gateway, and continue with non-TLS to your workload load balancer and workload.

+Azure Front Door and Application Gateway help manage traffic from web applications, while Azure Web Application Firewall provides protection against OWASP top 10 attacks and load shedding bad bots at the network edge. These capabilities help remove unnecessary data transmission and reduce the burden on the cloud infrastructure with lower bandwidth and fewer infrastructure requirements.

+* Follow recommendations from [Microsoft Defender for Cloud](/security/benchmark/azure/security-control-vulnerability-management).

+* Run automated vulnerability scanning tools, such as [Defender for Containers](../defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md), to avoid unnecessary resource usage. These tools help identify vulnerabilities in your images and minimize the window of opportunity for attackers.

+description: How to install and use Draft on your Azure Kubernetes Service (AKS) cluster using the Draft extension.

+- `draft create`: Creates the Dockerfile and the proper manifest files.

+- `draft setup-gh`: Sets up your GitHub OIDC.

+- `draft generate-workflow`: Generates the GitHub Action workflow file for deployment onto your cluster.

+- `draft up`: Sets up your GitHub OIDC and generates a GitHub Action workflow file, combining the previous two commands.

+1. Install the `aks-preview` extension using the [`az extension add`][az-extension-add] command.

+ ```azurecli-interactive

+ az extension add --name aks-preview

+ ```

+2. Update the extension to make sure you have the latest version using the [`az extension update`][az-extension-update] command.

+ ```azurecli-interactive

+ az extension update --name aks-preview

+ ```

+You can use `draft create` to create Dockerfiles, Helm charts, Kubernetes manifests, or Kustomize files needed to deploy your application onto an AKS cluster.

+- Create an artifact using the [`az aks draft create`][az-aks-draft-create] command.

+ ```azure-cli-interactive

+ az aks draft create

+ ```

+ - You can also run the command on a specific directory using the `--destination` flag, as shown in the following example:

+ ```azure-cli-interactive

+ az aks draft create --destination /Workspaces/ContosoAir

+ ```

+- Register your application with GitHub using the [`az aks draft setup-gh`][az-aks-draft-setup-gh] command.

+ ```azure-cli-interactive

+ az aks draft setup-gh

+ ```

+After you create your artifacts and set up GitHub OIDC, you can use `draft generate-workflow` to generate a GitHub Action workflow file, creating an action that deploys your application onto your AKS cluster. Once your workflow file is generated, you must commit it into your repository in order to initiate the GitHub Action.

+- Generate a GitHub Action workflow file using the [`az aks draft generate-workflow`][az-aks-draft-generate-workflow] command.

+ ```azure-cli-interactive

+ az aks draft generate-workflow

+ ```

+ - You can also run the command on a specific directory using the `--destination` flag, as shown in the following example:

+ ```azure-cli-interactive

+ az aks draft generate-workflow --destination /Workspaces/ContosoAir

+ ```

+- Set up GitHub OIDC and generate a GitHub Action workflow file using the [`az aks draft up`][az-aks-draft-up] command.

+ ```azure-cli-interactive

+ az aks draft up

+ ```

+ - You can also run the command on a specific directory using the `--destination` flag, as shown in the following example:

+ ```azure-cli-interactive

+ az aks draft up --destination /Workspaces/ContosoAir

+ ```

+[Web Application Routing][web-app-routing] is the easiest way to get your web application up and running in Kubernetes securely. Web Application Routing removes the complexity of ingress controllers and certificate and DNS management, and it offers configuration for enterprises looking to bring their own. Web Application Routing offers a managed ingress controller based on nginx that you can use without restrictions and integrates out of the box with Open Service Mesh to secure intra-cluster communications.

+- Set up Draft with Web Application Routing using the [`az aks draft update`][az-aks-draft-update] and pass in the DNS name and Azure Key Vault-stored certificate when prompted.

+ ```azure-cli-interactive

+ az aks draft update

+ ```

+ - You can also run the command on a specific directory using the `--destination` flag, as shown in the following example:

+ ```azure-cli-interactive

+ az aks draft update --destination /Workspaces/ContosoAir

+ ```

+[az-aks-draft-update]: /cli/azure/aks/draft#az-aks-draft-update

+[az-aks-draft-up]: /cli/azure/aks/draft#az-aks-draft-up

+[az-aks-draft-create]: /cli/azure/aks/draft#az-aks-draft-create

+[az-aks-draft-setup-gh]: /cli/azure/aks/draft#az-aks-draft-setup-gh

+[az-aks-draft-generate-workflow]: /cli/azure/aks/draft#az-aks-draft-generate-workflow

+> [!NOTE]

+> This guidance can also be executed from a local developer command line with Azure CLI installed. To learn how to install the Azure CLI, see [How to install the Azure CLI](/cli/azure/install-azure-cli).

+ Title: "Deploy WebLogic Server on Azure Kubernetes Service using the Azure portal"

+description: Shows how to quickly stand up WebLogic Server on Azure Kubernetes Service.

+# Deploy a Java application with WebLogic Server on an Azure Kubernetes Service (AKS) cluster

+This article shows you how to quickly deploy WebLogic Application Server (WLS) on Azure Kubernetes Service (AKS) with the simplest possible set of configuration choices using the Azure portal. For a more full featured tutorial, including the use of Azure Application Gateway to make WLS on AKS securely visible on the public Internet, see [Tutorial: Migrate a WebLogic Server cluster to Azure with Azure Application Gateway as a load balancer](/azure/developer/java/migration/migrate-weblogic-with-app-gateway).

+For step-by-step guidance in setting up WebLogic Server on Azure Kubernetes Service, see the official documentation from Oracle at [Azure Kubernetes Service](https://oracle.github.io/weblogic-kubernetes-operator/samples/azure-kubernetes-service/).

+## Prerequisites

+- [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]

+- Ensure the Azure identity you use to sign in and complete this article has either the [Owner](/azure/role-based-access-control/built-in-roles#owner) role in the current subscription or the [Contributor](/azure/role-based-access-control/built-in-roles#contributor) and [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) roles in the current subscription. For an overview of Azure roles, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview) For details on the specific roles required by WLS on AKS, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles).

+- Have the credentials for an Oracle single sign-on (SSO) account. To create one, see [Create Your Oracle Account](https://aka.ms/wls-aks-create-sso-account).

+- Accept the license terms for WLS.

+ - Visit the [Oracle Container Registry](https://container-registry.oracle.com/) and sign in.

+ - If you have a support entitlement, select **Middleware**, then search for and select **weblogic_cpu**.

+ - If you don't have a support entitlement from Oracle, select **Middleware**, then search for and select **weblogic**.

+ > [!NOTE]

+ > Get a support entitlement from Oracle before going to production. Failure to do so results in running insecure images that are not patched for critical security flaws. For more information on Oracle's critical patch updates, see [Critical Patch Updates, Security Alerts and Bulletins](https://www.oracle.com/security-alerts/) from Oracle.

+ - Accept the license agreement.

+## Create a storage account and storage container to hold the sample application

+Use the following steps to create a storage account and container. Some of these steps direct you to other guides. After completing the steps, you can upload a sample application to run on WLS on AKS.

+1. Download a sample application as a *.war* or *.ear* file. The sample app should be self-contained and not have any database, messaging, or other external connection requirements. The sample app from the WLS Kubernetes Operator documentation is a good choice. You can download [testwebapp.war](https://aka.ms/wls-aks-testwebapp) from Oracle. Save the file to your local filesystem.

+1. Sign in to the [Azure portal](https://aka.ms/publicportal).

+1. Create a storage account by following the steps in [Create a storage account](/azure/storage/common/storage-account-create). You don't need to perform all the steps in the article. Just fill out the fields as shown on the **Basics** pane, then select **Review + create** to accept the default options. Proceed to validate and create the account, then return to this article.

+1. Create a storage container within the account. Then, upload the sample application you downloaded in step 1 by following the steps in [Quickstart: Upload, download, and list blobs with the Azure portal](/azure/storage/blobs/storage-quickstart-blobs-portal). Upload the sample application as the blob, then return to this article.

+## Deploy WLS on AKS

+The steps in this section direct you to deploy WLS on AKS in the simplest possible way. WLS on AKS offers a broad and deep selection of Azure integrations. For more information, see [What are solutions for running Oracle WebLogic Server on the Azure Kubernetes Service?](/azure/virtual-machines/workloads/oracle/weblogic-aks)

+The following steps show you how to find the WLS on AKS offer and fill out the **Basics** pane.

+1. In the search bar at the top of the Azure portal, enter *weblogic*. In the auto-suggested search results, in the **Marketplace** section, select **Oracle WebLogic Server on Azure Kubernetes Service**.

+ :::image type="content" source="media/howto-deploy-java-wls-app/marketplace-search-results.png" alt-text="Screenshot of Azure portal showing WLS in search results." lightbox="media/howto-deploy-java-wls-app/marketplace-search-results.png":::

+ You can also go directly to the [Oracle WebLogic Server on Azure Kubernetes Service](https://aka.ms/wlsaks) offer.

+1. On the offer page, select **Create**.

+1. On the **Basics** pane, ensure the value shown in the **Subscription** field is the same one that has the roles listed in the prerequisites section.

+1. You must deploy the offer in an empty resource group. In the **Resource group** field, select **Create new** and fill in a value for the resource group. Because resource groups must be unique within a subscription, pick a unique name. An easy way to have unique names is to use a combination of your initials, today's date, and some identifier. For example, `ejb0723wls`.

+1. Under **Instance details**, select the region for the deployment. For a list of Azure regions where AKS is available, see [AKS region availability](https://azure.microsoft.com/global-infrastructure/services/?products=kubernetes-service).

+1. Under **Credentials for WebLogic**, leave the default value for **Username for WebLogic Administrator**.

+1. Fill in `wlsAksCluster2022` for the **Password for WebLogic Administrator**. Use the same value for the confirmation and **Password for WebLogic Model encryption** fields.

+1. Scroll to the bottom of the **Basics** pane and notice the helpful links for documentation, community support, and how to report problems.

+1. Select **Next: Configure AKS cluster**.

+The following steps show you how to start the deployment process.

+1. Scroll to the section labeled **Provide an Oracle Single Sign-On (SSO) account**. Fill in your Oracle SSO credentials from the preconditions.

+1. Accurately answer the question **Is the specified SSO account associated with an active Oracle support contract?** by selecting **Yes** or **No** accordingly. If you answer this question incorrectly, the steps in this quickstart won't work. If in doubt, select **No**.

+1. In the section **Java EE Application**, next to **Deploy your application package**, select **Yes**.

+1. Next to **Application package (.war,.ear,.jar)**, select **Browse**.

+1. Start typing the name of the storage account from the preceding section. When the desired storage account appears, select it.

+1. Select the storage container from the preceding section.

+1. Select the checkbox next to the sample app uploaded from the preceding section. Select **Select**.

+The following steps make it so the WLS admin console and the sample app are exposed to the public Internet with a built-in Kubernetes `LoadBalancer` service. For a more secure and scalable way to expose functionality to the public Internet, see [Tutorial: Migrate a WebLogic Server cluster to Azure with Azure Application Gateway as a load balancer](/azure/developer/java/migration/migrate-weblogic-with-app-gateway).

+1. Select the **Networking** pane.

+1. Next to the question **Create Standard Load Balancer services for Oracle WebLogic Server?**, select **Yes**.

+1. In the table that appears, under **Service name prefix**, fill in the values as shown in the following table. The port values of *7001* for the admin server and *8001* for the cluster must be filled in exactly as shown.

+ | Service name prefix | Target | Port |

+ ||--||

+ | console | admin-server | 7001 |

+ | app | cluster-1 | 8001 |

+ :::image type="content" source="media/howto-deploy-java-wls-app/load-balancer-minimal-config.png" alt-text="Screenshot of Azure portal showing the simplest possible load balancer configuration on the Create Oracle WebLogic Server on Azure Kubernetes Service page." lightbox="media/howto-deploy-java-wls-app/load-balancer-minimal-config.png":::

+1. Select **Review + create**. Ensure the green **Validation Passed** message appears at the top. If it doesn't, fix any validation problems, then select **Review + create** again.

+1. Select **Create**.

+1. Track the progress of the deployment on the **Deployment is in progress** page.

+Depending on network conditions and other activity in your selected region, the deployment may take up to 30 minutes to complete.

+## Examine the deployment output

+The steps in this section show you how to verify that the deployment has successfully completed.

+If you navigated away from the **Deployment is in progress** page, the following steps will show you how to get back to that page. If you're still on the page that shows **Your deployment is complete**, you can skip to the steps after the image below.

+1. In the upper left of any portal page, select the hamburger menu and select **Resource groups**.

+1. In the box with the text **Filter for any field**, enter the first few characters of the resource group you created previously. If you followed the recommended convention, enter your initials, then select the appropriate resource group.

+1. In the left navigation pane, in the **Settings** section, select **Deployments**. You'll see an ordered list of the deployments to this resource group, with the most recent one first.

+1. Scroll to the oldest entry in this list. This entry corresponds to the deployment you started in the preceding section. Select the oldest deployment, as shown in the following screenshot.

+ :::image type="content" source="media/howto-deploy-java-wls-app/resource-group-deployments.png" alt-text="Screenshot of Azure portal showing the resource group deployments list." lightbox="media/howto-deploy-java-wls-app/resource-group-deployments.png":::

+1. In the left panel, select **Outputs**. This list shows the output values from the deployment. Useful information is included in the outputs.

+1. The **adminConsoleExternalUrl** value is the fully qualified, public Internet visible link to the WLS admin console for this AKS cluster. Select the copy icon next to the field value to copy the link to your clipboard. Save this value aside for later.

+1. The **clusterExternalUrl** value is the fully qualified, public Internet visible link to the sample app deployed in WLS on this AKS cluster. Select the copy icon next to the field value to copy the link to your clipboard. Save this value aside for later.

+The other values in the outputs are beyond the scope of this article, but are explained in detail in the [WebLogic on AKS user guide](https://aka.ms/wls-aks-docs).

+## Verify the functionality of the deployment

+The following steps show you how to verify the functionality of the deployment by viewing the WLS admin console and the sample app.

+1. Paste the value for **adminConsoleExternalUrl** in an Internet-connected web browser. You should see the familiar WLS admin console login screen as shown in the following screenshot.

+ :::image type="content" source="media/howto-deploy-java-wls-app/wls-admin-login.png" alt-text="Screenshot of WLS admin login screen." border="false":::

+ > [!NOTE]

+ > This article shows the WLS admin console merely by way of demonstration. Don't use the WLS admin console for any durable configuration changes when running WLS on AKS. The cloud-native design of WLS on AKS requires that any durable configuration must be represented in the initial docker images or applied to the running AKS cluster using CI/CD techniques such as updating the model, as described in the [Oracle documentation](https://aka.ms/wls-aks-docs-update-model).

+1. Understand the `context-path` of the sample app you deployed. If you deployed the recommended sample app, the `context-path` is `testwebapp`.

+1. Construct a fully qualified URL for the sample app by appending the `context-path` to the value of **clusterExternalUrl**. If you deployed the recommended sample app, the fully qualified URL will be something like `http://123.456.789.012:8001/testwebapp/`.

+1. Paste the fully qualified URL in an Internet-connected web browser. If you deployed the recommended sample app, you should see results similar to the following screenshot.

+ :::image type="content" source="media/howto-deploy-java-wls-app/test-web-app.png" alt-text="Screenshot of test web app." border="false":::

+## Clean up resources

+To avoid Azure charges, you should clean up unnecessary resources. When you no longer need the cluster, use the [az group delete](/cli/azure/group#az-group-delete) command. The following command will remove the resource group, container service, container registry, and all related resources.

+```azurecli

+az group delete --name <resource-group-name> --yes --no-wait

+```

+## Next steps

+Learn more about running WLS on AKS or virtual machines by following these links:

+> [!div class="nextstepaction"]

+> [WLS on AKS](/azure/virtual-machines/workloads/oracle/weblogic-aks)

+> [!div class="nextstepaction"]

+> [WLS on virtual machines](/azure/virtual-machines/workloads/oracle/oracle-weblogic)

+ Title: Add-ons, extensions, and other integrations with Azure Kubernetes Service (AKS)

+description: Learn about the add-ons, extensions, and open-source integrations you can use with Azure Kubernetes Service (AKS).

+# Add-ons, extensions, and other integrations with Azure Kubernetes Service (AKS)

+Azure Kubernetes Service (AKS) provides extra functionality for your clusters using add-ons and extensions. Open-source projects and third parties provide by more integrations that are commonly used with AKS. The [AKS support policy][aks-support-policy] doesn't support the open-source and third-party integrations.

+Add-ons are a fully supported way to provide extra capabilities for your AKS cluster. The installation, configuration, and lifecycle of add-ons is managed by AKS. You can use the [`az aks enable-addons`][az-aks-enable-addons] command to install an add-on or manage the add-ons for your cluster.

+AKS uses the following rules for applying updates to installed add-ons:

+- Only an add-on's patch version can be upgraded within a Kubernetes minor version. The add-on's major/minor version isn't upgraded within the same Kubernetes minor version.

+- The major/minor version of the add-on is only upgraded when moving to a later Kubernetes minor version.

+- Any breaking or behavior changes to the add-on are announced well before, usually 60 days, for a GA minor version of Kubernetes on AKS.

+- You can patch add-ons weekly with every new release of AKS, which is announced in the release notes. You can control AKS releases using the [maintenance windows][maintenance-windows] and [release tracker][release-tracker].

+- Add-ons are upgraded to a new major/minor version (or breaking change) within a Kubernetes minor version if either the cluster's Kubernetes version or the add-on version are in preview.

+- There may be unavoidable circumstances, such as CVE security patches or critical bug fixes, when you need to update an add-on within a GA minor version.

+| web_application_routing | Use a managed NGINX ingress controller with your AKS cluster.| [Web Application Routing Overview][web-app-routing] |

+| keda | Use event-driven autoscaling for the applications on your AKS cluster. | [Simplified application autoscaling with Kubernetes Event-driven Autoscaling (KEDA) add-on][keda]|

+Cluster extensions build on top of certain Helm charts and provide an Azure Resource Manager-driven experience for installation and lifecycle management of different Azure capabilities on top of your Kubernetes cluster.

+- For more information on the specific cluster extensions for AKS, see [Deploy and manage cluster extensions for Azure Kubernetes Service (AKS)][cluster-extensions].

+- For more information on available cluster extensions, see [Currently available extensions][cluster-extensions-current].

+### Difference between extensions and add-ons

+Extensions and add-ons are both supported ways to add functionality to your AKS cluster. When you install an add-on, the functionality is added as part of the AKS resource provider in the Azure API. When you install an extension, the functionality is added as part of a separate resource provider in the Azure API.

+GitHub Actions helps you automate your software development workflows from within GitHub.

+- For more information on using GitHub Actions with Azure, see [GitHub Actions for Azure][github-actions].

+- For an example of using GitHub Actions with an AKS cluster, see [Build, test, and deploy containers to Azure Kubernetes Service using GitHub Actions][github-actions-aks].

+## Open-source and third-party integrations

+There are many open-source and third-party integrations you can install on your AKS cluster. The [AKS support policy][aks-support-policy] doesn't support the following open-source and third-party integrations.

+| [Prometheus][prometheus] | An open-source monitoring and alerting toolkit. | [Container insights with metrics in Prometheus format][prometheus-az-monitor], [Prometheus Helm chart][prometheus-helm-chart] |

+| [Apache Spark][apache-spark] | An open-source, fast engine for large-scale data processing. | Running Apache Spark jobs requires a minimum node size of *Standard_D3_v2*. See [running Spark on Kubernetes][spark-kubernetes] for more details on running Spark jobs on Kubernetes. |

+| [Consul][consul] | An open-source, identity-based networking solution. | [Getting Started with Consul Service Mesh for Kubernetes][consul-install] |

+<!-- LINKS -->

+[az-aks-enable-addons]: /cli/azure/aks#az-aks-enable-addons

+az aks get-credentials --name myAKSCluster --resource-group myResourceGroup

+ --enable-azure-monitor-metrics \

+az aks get-credentials --name myAKSCluster --resource-group myResourceGroup

+ Title: Best practices for network resources in Azure Kubernetes Service (AKS)

+description: Learn the cluster operator best practices for virtual network resources and connectivity in Azure Kubernetes Service (AKS).

+As you create and manage clusters in Azure Kubernetes Service (AKS), you provide network connectivity for your nodes and applications. These network resources include IP address ranges, load balancers, and ingress controllers.

+>

+> **Best practice guidance**

+>

+* **Azure CNI networking**: Deploys into a virtual network and uses the [Azure CNI][cni-networking] Kubernetes plugin. Pods receive individual IPs that can route to other network services or on-premises resources.

+* **Kubenet networking**: Azure manages the virtual network resources as the cluster is deployed and uses the [kubenet][kubenet] Kubernetes plugin.

+Azure CNI and kubenet are both valid options for production deployments.

+Azure CNI is a vendor-neutral protocol that lets the container runtime make requests to a network provider. It assigns IP addresses to pods and nodes, and provides IP address management (IPAM) features as you connect to existing Azure virtual networks. Each node and pod resource receives an IP address in the Azure virtual network. There's no need for extra routing to communicate with other resources or services.

+When you use Azure CNI networking, the virtual network resource is in a separate resource group to the AKS cluster. Delegate permissions for the AKS cluster identity to access and manage these resources. The cluster identity used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network.

+* `Microsoft.Network/virtualNetworks/subnets/join/action`

+* `Microsoft.Network/virtualNetworks/subnets/read`

+By default, AKS uses a managed identity for its cluster identity. However, you can use a service principal instead.

+* For more information about AKS service principal delegation, see [Delegate access to other Azure resources][sp-delegation].

+* For more information about managed identities, see [Use managed identities](use-managed-identity.md).

+As each node and pod receives its own IP address, plan out the address ranges for the AKS subnets. Keep the following criteria in mind:

+* The subnet must be large enough to provide IP addresses for every node, pod, and network resource you deploy.

+ * With both kubenet and Azure CNI networking, each running node has default limits to the number of pods.

+* Avoid using IP address ranges that overlap with existing network resources.

+ * It's necessary to allow connectivity to on-premises or peered networks in Azure.

+* To handle scale out events or cluster upgrades, you need extra IP addresses available in the assigned subnet.

+ * This extra address space is especially important if you use Windows Server containers, as those node pools require an upgrade to apply the latest security patches. For more information on Windows Server nodes, see [Upgrade a node pool in AKS][nodepool-upgrade].

+When creating a cluster with Azure CNI networking, you specify other address ranges for the cluster, such as the Docker bridge address, DNS service IP, and service address range. In general, make sure these address ranges don't overlap each other or any networks associated with the cluster, including any virtual networks, subnets, on-premises and peered networks.

+Although kubenet doesn't require you to set up the virtual networks before deploying the cluster, there are disadvantages to waiting, such as:

+Since you don't create the virtual network and subnets separately from the AKS cluster, Kubenet is ideal for the following scenarios:

+* Small development or test workloads.

+You can also [configure your own IP address ranges and virtual networks using kubenet][aks-configure-kubenet-networking]. Like Azure CNI networking, these address ranges shouldn't overlap each other or any networks associated with the cluster (virtual networks, subnets, on-premises and peered networks).

+> **Best practice guidance**

+>

+While an Azure load balancer can distribute customer traffic to applications in your AKS cluster, it's limited in understanding that traffic. A load balancer resource works at *layer 4* and distributes traffic based on protocol or ports.

+Most web applications using HTTP or HTTPS should use Kubernetes ingress resources and controllers, which work at *layer 7*. Ingress can distribute traffic based on the URL of the application and handle TLS/SSL termination. Ingress also reduces the number of IP addresses you expose and map.

+There are two components for ingress:

+1. An ingress *resource*

+2. An ingress *controller*

+The *ingress resource* is a YAML manifest of `kind: Ingress`. It defines the host, certificates, and rules to route traffic to services running in your AKS cluster.

+The following example YAML manifest distributes traffic for *myapp.com* to one of two services, *blogservice* or *storeservice*, and directs the customer to one service or the other based on the URL they access.

+Typically, an ingress controller is a Kubernetes resource in your AKS cluster that distributes traffic to services and applications. The controller runs as a daemon on an AKS node, and consumes some of the node's resources, like CPU, memory, and network bandwidth. In larger environments, you may want to consider the following:

+For that extra layer of security, a web application firewall (WAF) filters the incoming traffic. With a set of rules, the Open Web Application Security Project (OWASP) watches for attacks like cross-site scripting or cookie poisoning. [Azure Application Gateway][app-gateway] (currently in preview in AKS) is a WAF that integrates with AKS clusters, locking in these security features before the traffic reaches your AKS cluster and applications.

+> **Best practice guidance**

+To use network policy, enable the feature when you create a new AKS cluster. You can't enable network policy on an existing AKS cluster. Plan ahead to enable network policy on the necessary clusters.

+> Network policy should only be used for Linux-based nodes and pods in AKS.

+You create a network policy as a Kubernetes resource using a YAML manifest. Policies are applied to defined pods, with ingress or egress rules defining traffic flow.

+The following example applies a network policy to pods with the *app: backend* label applied to them. The ingress rule only allows traffic from pods with the *app: frontend* label.

+> **Best practice guidance**

+You should also secure the management network for the bastion host. Use an [Azure ExpressRoute][expressroute] or [VPN gateway][vpn-gateway] to connect to an on-premises network and control access using network security groups.

+Be sure to upgrade Azure CLI to the latest version using [`az upgrade`](/cli/azure/update-azure-cli#manual-update).

+ Title: Subscribe to Azure Kubernetes Service events with Azure Event Grid

+description: Use Azure Event Grid to subscribe to Azure Kubernetes Service events

+In this quickstart, you create an AKS cluster and subscribe to AKS events.

+> [!NOTE]

+> In case there are issues specifically with EventGrid notifications, as can be seen here [Service Outages](https://azure.status.microsoft/status), please note that AKS operations wont be impacted and they are independent of Event Grid outages.

+Create an AKS cluster using the [`az aks create`][az-aks-create] command. The following example creates a resource group *MyResourceGroup* and a cluster named *MyAKS* with one node in the *MyResourceGroup* resource group:

+```azurecli-interactive

+az group create --name MyResourceGroup --location eastus

+az aks create -g MyResourceGroup -n MyAKS --location eastus --node-count 1 --generate-ssh-keys

+```

+Create an AKS cluster using the [`New-AzAksCluster`][new-azakscluster] command. The following example creates a resource group *MyResourceGroup* and a cluster named *MyAKS* with one node in the *MyResourceGroup* resource group:

+```azurepowershell-interactive

+New-AzResourceGroup -Name MyResourceGroup -Location eastus

+New-AzAksCluster -ResourceGroupName MyResourceGroup -Name MyAKS -Location eastus -NodeCount 1 -GenerateSshKey

+```

+Create a namespace and event hub using [`az eventhubs namespace create`][az-eventhubs-namespace-create] and [`az eventhubs eventhub create`][az-eventhubs-eventhub-create]. The following example creates a namespace *MyNamespace* and an event hub *MyEventGridHub* in *MyNamespace*, both in the *MyResourceGroup* resource group.

+```azurecli-interactive

+az eventhubs namespace create --location eastus --name MyNamespace -g MyResourceGroup

+az eventhubs eventhub create --name MyEventGridHub --namespace-name MyNamespace -g MyResourceGroup

+```

+> [!NOTE]

+> The *name* of your namespace must be unique.

+Subscribe to the AKS events using [`az eventgrid event-subscription create`][az-eventgrid-event-subscription-create]:

+```azurecli-interactive

+SOURCE_RESOURCE_ID=$(az aks show -g MyResourceGroup -n MyAKS --query id --output tsv)

+ENDPOINT=$(az eventhubs eventhub show -g MyResourceGroup -n MyEventGridHub --namespace-name MyNamespace --query id --output tsv)

+az eventgrid event-subscription create --name MyEventGridSubscription \

+--source-resource-id $SOURCE_RESOURCE_ID \

+--endpoint-type eventhub \

+--endpoint $ENDPOINT

+```

+Verify your subscription to AKS events using `az eventgrid event-subscription list`:

+```azurecli-interactive

+az eventgrid event-subscription list --source-resource-id $SOURCE_RESOURCE_ID

+```

+The following example output shows you're subscribed to events from the *MyAKS* cluster and those events are delivered to the *MyEventGridHub* event hub:

+```output

+[

+ {

+ "deadLetterDestination": null,

+ "deadLetterWithResourceIdentity": null,

+ "deliveryWithResourceIdentity": null,

+ "destination": {

+ "deliveryAttributeMappings": null,

+ "endpointType": "EventHub",

+ "resourceId": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.EventHub/namespaces/MyNamespace/eventhubs/MyEventGridHub"

+ },

+ "eventDeliverySchema": "EventGridSchema",

+ "expirationTimeUtc": null,

+ "filter": {

+ "advancedFilters": null,

+ "enableAdvancedFilteringOnArrays": null,

+ "includedEventTypes": [

+ "Microsoft.ContainerService.NewKubernetesVersionAvailable","Microsoft.ContainerService.ClusterSupportEnded","Microsoft.ContainerService.ClusterSupportEnding","Microsoft.ContainerService.NodePoolRollingFailed","Microsoft.ContainerService.NodePoolRollingStarted","Microsoft.ContainerService.NodePoolRollingSucceeded"

+ ],

+ "isSubjectCaseSensitive": null,

+ "subjectBeginsWith": "",

+ "subjectEndsWith": ""

+ },

+ "id": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerService/managedClusters/MyAKS/providers/Microsoft.EventGrid/eventSubscriptions/MyEventGridSubscription",

+ "labels": null,

+ "name": "MyEventGridSubscription",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "MyResourceGroup",

+ "retryPolicy": {

+ "eventTimeToLiveInMinutes": 1440,

+ "maxDeliveryAttempts": 30

+ },

+ "systemData": null,

+ "topic": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/microsoft.containerservice/managedclusters/MyAKS",

+ "type": "Microsoft.EventGrid/eventSubscriptions"

+ }

+]

+```

+Create a namespace and event hub using [New-AzEventHubNamespace][new-azeventhubnamespace] and [New-AzEventHub][new-azeventhub]. The following example creates a namespace *MyNamespace* and an event hub *MyEventGridHub* in *MyNamespace*, both in the *MyResourceGroup* resource group.

+```azurepowershell-interactive

+New-AzEventHubNamespace -Location eastus -Name MyNamespace -ResourceGroupName MyResourceGroup

+New-AzEventHub -Name MyEventGridHub -Namespace MyNamespace -ResourceGroupName MyResourceGroup

+```

+> [!NOTE]

+> The *name* of your namespace must be unique.

+Subscribe to the AKS events using [New-AzEventGridSubscription][new-azeventgridsubscription]:

+```azurepowershell-interactive

+$SOURCE_RESOURCE_ID = (Get-AzAksCluster -ResourceGroupName MyResourceGroup -Name MyAKS).Id

+$ENDPOINT = (Get-AzEventHub -ResourceGroupName MyResourceGroup -EventHubName MyEventGridHub -Namespace MyNamespace).Id

+$params = @{

+ EventSubscriptionName = 'MyEventGridSubscription'

+ ResourceId = $SOURCE_RESOURCE_ID

+ EndpointType = 'eventhub'

+ Endpoint = $ENDPOINT

+}

+New-AzEventGridSubscription @params

+```

+Verify your subscription to AKS events using `Get-AzEventGridSubscription`:

+```azurepowershell-interactive

+Get-AzEventGridSubscription -ResourceId $SOURCE_RESOURCE_ID | Select-Object -ExpandProperty PSEventSubscriptionsList

+```

+The following example output shows you're subscribed to events from the *MyAKS* cluster and those events are delivered to the *MyEventGridHub* event hub:

+```Output

+EventSubscriptionName : MyEventGridSubscription

+Id : /subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerService/managedClusters/MyAKS/providers/Microsoft.EventGrid/eventSubscriptions/MyEventGridSubscription

+Type : Microsoft.EventGrid/eventSubscriptions

+Topic : /subscriptions/SUBSCRIPTION_ID/resourceGroups/myresourcegroup/providers/microsoft.containerservice/managedclusters/myaks

+Filter : Microsoft.Azure.Management.EventGrid.Models.EventSubscriptionFilter

+Destination : Microsoft.Azure.Management.EventGrid.Models.EventHubEventSubscriptionDestination

+ProvisioningState : Succeeded

+Labels :

+EventTtl : 1440

+MaxDeliveryAttempt : 30

+EventDeliverySchema : EventGridSchema

+ExpirationDate :

+DeadLetterEndpoint :

+Endpoint : /subscriptions/SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.EventHub/namespaces/MyNamespace/eventhubs/MyEventGridHub

+```

+When AKS events occur, you see those events appear in your event hub. For example, when the list of available Kubernetes versions for your clusters changes, you see a `Microsoft.ContainerService.NewKubernetesVersionAvailable` event. There are also new events available now for upgrades and cluster within support. For more information on the events AKS emits, see [Azure Kubernetes Service (AKS) as an Event Grid source][aks-events].

+Use the [az group delete][az-group-delete] command to remove the resource group, the AKS cluster, namespace, and event hub, and all related resources.

+```azurecli-interactive

+az group delete --name MyResourceGroup --yes --no-wait

+```

+Use the [`Remove-AzResourceGroup`][remove-azresourcegroup] cmdlet to remove the resource group, the AKS cluster, namespace, and event hub, and all related resources.

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name MyResourceGroup

+```

+> [!NOTE]

+> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion][sp-delete].

+>

+> If you used a managed identity, the identity is managed by the platform and does not require removal.

+To learn more about AKS, and walk through a complete code to deployment example, continue to the Kubernetes cluster tutorial.

+[ephemeral-os]: concepts-storage.md#ephemeral-os-disk

+ Title: Use Azure Policy to secure your Azure Kubernetes Service (AKS) clusters

+description: Learn how to use Azure Policy to secure your Azure Kubernetes Service (AKS) clusters.

+# Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy

+You can apply and enforce built-in security policies on your Azure Kubernetes Service (AKS) clusters using [Azure Policy][azure-policy]. Azure Policy helps enforce organizational standards and assess compliance at-scale. After you install the [Azure Policy add-on for AKS][kubernetes-policy-reference], you can apply individual policy definitions or groups of policy definitions called initiatives (sometimes called policysets) to your cluster. See [Azure Policy built-in definitions for AKS][aks-policies] for a complete list of AKS policy and initiative definitions.

+- This article assumes you have an existing AKS cluster. If you need an AKS cluster, you can create one using [Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [Azure portal][aks-quickstart-portal].

+- You need the [Azure Policy add-on for AKS installed on your AKS cluster][azure-policy-addon].

+You can apply a policy definition or initiative in the Azure portal using the following steps:

+1. Navigate to the Azure Policy service in Azure portal called **Policy**.

+1. Under **Categories**, select `Kubernetes`.

+1. Choose the policy definition or initiative you want to apply. For this example, select the **Kubernetes cluster pod security baseline standards for Linux-based workloads** initiative.

+1. Set the **Scope** to the resource group of the AKS cluster with the Azure Policy add-on enabled.

+1. Select the **Parameters** page and update the **Effect** from `audit` to `deny` to block new deployments violating the baseline initiative. You can also add extra namespaces to exclude from evaluation. For this example, keep the default values.

+1. Select **Review + create** > **Create** to submit the policy assignment.

+Custom policies allow you to define rules for using Azure. For example, you can enforce the following types of rules:

+> Azure Policy now utilizes a new property known as *templateInfo* that allows you to define the source type for the constraint template. When you define *templateInfo* in policy definitions, you donΓÇÖt have to define *constraintTemplate* or *constraint* properties. You still need to define *apiGroups* and *kinds*. For more information on this, see [Understanding Azure Policy effects][azure-policy-effects-audit].

+Once you create your custom policy definition, see [Assign a policy definition][custom-policy-tutorial-assign] for a step-by-step walkthrough of assigning the policy to your Kubernetes cluster.

+## Validate an Azure Policy is running

+- Confirm the policy assignments are applied to your cluster using the following `kubectl get` command.

+ ```azurecli-interactive

+ kubectl get constrainttemplates

+ ```

+ > [!NOTE]

+ > Policy assignments can take [up to 20 minutes to sync][azure-policy-assign-policy] into each cluster.

+ Your output should be similar to the following example output:

+ ```output

+ NAME AGE

+ k8sazureallowedcapabilities 23m

+ k8sazureallowedusersgroups 23m

+ k8sazureblockhostnamespace 23m

+ k8sazurecontainerallowedimages 23m

+ k8sazurecontainerallowedports 23m

+ k8sazurecontainerlimits 23m

+ k8sazurecontainernoprivilege 23m

+ k8sazurecontainernoprivilegeescalation 23m

+ k8sazureenforceapparmor 23m

+ k8sazurehostfilesystem 23m

+ k8sazurehostnetworkingports 23m

+ k8sazurereadonlyrootfilesystem 23m

+ k8sazureserviceallowedports 23m

+ ```

+### Validate rejection of a privileged pod

+Let's first test what happens when you schedule a pod with the security context of `privileged: true`. This security context escalates the pod's privileges. The initiative disallows privileged pods, so the request is denied, which results in the deployment being rejected.

+1. Create a file named `nginx-privileged.yaml` and paste in the following YAML manifest.

+ ```yaml

+ apiVersion: v1

+ kind: Pod

+ metadata:

+ name: nginx-privileged

+ spec:

+ containers:

+ - name: nginx-privileged

+ image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ securityContext:

+ privileged: true

+ ```

+2. Create the pod using the [`kubectl apply`][kubectl-apply] command and specify the name of your YAML manifest.

+ ```azurecli-interactive

+ kubectl apply -f nginx-privileged.yaml

+ ```

+ As expected, the pod fails to be scheduled, as shown in the following example output:

+ ```output

+ Error from server ([denied by azurepolicy-container-no-privilege-00edd87bf80f443fa51d10910255adbc4013d590bec3d290b4f48725d4dfbdf9] Privileged container is not allowed: nginx-privileged, securityContext: {"privileged": true}): error when creating "privileged.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by azurepolicy-container-no-privilege-00edd87bf80f443fa51d10910255adbc4013d590bec3d290b4f48725d4dfbdf9] Privileged container is not allowed: nginx-privileged, securityContext: {"privileged": true}

+ ```

+ The pod doesn't reach the scheduling stage, so there are no resources to delete before you move on.

+In the previous example, the container image automatically tried to use root to bind NGINX to port 80. The policy initiative denies this request, so the pod fails to start. Now, let's try running that same NGINX pod without privileged access.

+1. Create a file named `nginx-unprivileged.yaml` and paste in the following YAML manifest.

+ ```yaml

+ apiVersion: v1

+ kind: Pod

+ metadata:

+ name: nginx-unprivileged

+ spec:

+ containers:

+ - name: nginx-unprivileged

+ image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ ```

+2. Create the pod using the [`kubectl apply`][kubectl-apply] command and specify the name of your YAML manifest.

+ ```azurecli-interactive

+ kubectl apply -f nginx-unprivileged.yaml

+ ```

+3. Check the status of the pod using the [`kubectl get pods`][kubectl-get] command.

+ ```azurecli-interactive

+ kubectl get pods

+ ```

+ Your output should be similar to the following example output, which shows the pod is successfully scheduled and has a status of *Running*:

+ ```output

+ NAME READY STATUS RESTARTS AGE

+ nginx-unprivileged 1/1 Running 0 18s

+ ```

+ This example shows the baseline initiative affecting only the deployments that violate policies in the collection. Allowed deployments continue to function.

+4. Delete the NGINX unprivileged pod using the [`kubectl delete`][kubectl-delete] command and specify the name of your YAML manifest.

+ ```azurecli-interactive

+ kubectl delete -f nginx-unprivileged.yaml

+ ```

+You can remove the baseline initiative in the Azure portal using the following steps:

+1. Navigate to the **Policy** pane on the Azure portal.

+2. Select **Assignments**.

+3. Select the **...** button next to the **Kubernetes cluster pod security baseline standards for Linux-based workload** initiative.

+4. Select **Delete assignment**.

+For more information about how Azure Policy works, see the following articles:

+- [Azure Policy overview][azure-policy]

+- [Azure Policy initiatives and policies for AKS][aks-policies]

+- Remove the [Azure Policy add-on][azure-policy-addon-remove].

+ Title: Bring your own Container Network Interface (CNI) plugin with Azure Kubernetes Service (AKS)

+description: Learn how to bring your own Container Network Interface (CNI) plugin with Azure Kubernetes Service (AKS).

+Kubernetes doesn't provide a network interface system by default. Instead, [network plugins][kubernetes-cni] provide this functionality. Azure Kubernetes Service (AKS) provides several supported CNI plugins. For information on supported plugins, see the [AKS networking concepts][aks-network-concepts].

+The supported plugins meet most networking needs in Kubernetes. However, advanced AKS users might want the same CNI plugin used in on-premises Kubernetes environments or to use advanced functionalities available in other CNI plugins.

+This article shows how to deploy an AKS cluster with no CNI plugin preinstalled. From there, you can then install any third-party CNI plugin that works in Azure.

+Microsoft support can't assist with CNI-related issues in clusters deployed with Bring your own Container Network Interface (BYOCNI). For example, CNI-related issues would cover most east/west (pod to pod) traffic, along with `kubectl proxy` and similar commands. If you want CNI-related support, use a supported AKS network plugin or seek support from the BYOCNI plugin third-party vendor.

+Support is still provided for non-CNI-related issues.

+* For Azure Resource Manager (ARM) or Bicep, use at least template version 2022-01-02-preview or 2022-06-01.

+* For Azure CLI, use at least version 2.39.0.

+* The subnet assigned to the AKS node pool can't be a [delegated subnet](../virtual-network/subnet-delegation-overview.md).

+* AKS doesn't apply Network Security Groups (NSGs) to its subnet or modify any of the NSGs associated with that subnet. If you provide your own subnet and add NSGs associated with that subnet, you must ensure the security rules in the NSGs allow traffic within the node CIDR range. For more information, see [Network security groups][aks-network-nsg].

+## Create an AKS cluster with no CNI plugin preinstalled

+1. Create an Azure resource group for your AKS cluster using the [`az group create`][az-group-create] command.

+ az group create -l eastus -n myResourceGroup

+2. Create an AKS cluster using the [`az aks create`][az-aks-create] command. Pass the `--network-plugin` parameter with the parameter value of `none`.

+ az aks create -l eastus -g myResourceGroup -n myAKSCluster --network-plugin none

+> [!NOTE]

+> For information on how to deploy this template, see the [ARM template documentation][deploy-arm-template].

+> [!NOTE]

+> For information on how to deploy this template, see the [Bicep template documentation][deploy-bicep-template].

+## Deploy a CNI plugin

+Once the AKS provisioning completes, the cluster is online, but all the nodes are in a `NotReady` state, as shown in the following example:

+ ```bash

+ $ kubectl get nodes

+ NAME STATUS ROLES AGE VERSION

+ aks-nodepool1-23902496-vmss000000 NotReady agent 6m9s v1.21.9

+ $ kubectl get node -o custom-columns='NAME:.metadata.name,STATUS:.status.conditions[?(@.type=="Ready")].message'

+ NAME STATUS

+ aks-nodepool1-23902496-vmss000000 container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: cni plugin not initialized

+ ```

+[az-group-create]: /cli/azure/group#az_group_create

+[deploy-arm-template]: ../azure-resource-manager/templates/deploy-cli.md

+When you notice an app consumes more memory than expected as indicated via monitoring or service recommendations, consider the [App Service Auto-Healing feature](https://azure.microsoft.com/blog/auto-healing-windows-azure-web-sites). One of the options for the Auto-Healing feature is taking custom actions based on a memory threshold. Actions span the spectrum from email notifications to investigation via memory dump to on-the-spot mitigation by recycling the worker process. Auto-healing can be configured via web.config and via a friendly user interface as described at in this blog post for the App Service Support Site Extension.

+There are a few scenarios where you can improve your environment when running Internet of Things (IoT) devices that are connected to App Service. One very common practice with IoT devices is "certificate pinning". To avoid any unforeseen downtime due to changes in the service's managed certificates, you should never pin certificates to the default \*.azurewebsites.net certificate nor to an App Service Managed Certificate. If your system needs to rely on certificate pinning behavior, it is recommended to add a custom domain to a web app and provide a custom TLS certificate for the domain which can then be relied on for certificate pinning. You can refer to the [certificate pinning](#certificatepinning) section of this article for more information.

+To increase resiliency in your environment, you should not rely on a single endpoint for all your devices. You should at least host your web apps in two different regions to avoid a single point of failure and be ready to failover traffic. On App Service, you can add identical custom domain to different web apps as long as these web apps are hosted in different regions. This ensures that if you need to pin certificates, you can also pin on the custom TLS certificate that you provided. Another option would be to use a load balancer in front of the web apps, such as Azure Front Door or Traffic Manager, to ensure high availability for your web apps. You can refer to [Quickstart: Create a Front Door for a highly available global web application](../frontdoor/quickstart-create-front-door.md) or [Controlling Azure App Service traffic with Azure Traffic Manager](./web-sites-traffic-manager.md) for more information.

+### Migrate to the Microsoft Graph

+Some older apps may also have been set up with a dependency on the [deprecated Azure AD Graph][aad-graph], which is scheduled for full retirement. For example, your app code may have called Azure AD graph to check group membership as part of an authorization filter in a middleware pipeline. Apps should move to the [Microsoft Graph](/graph/overview) by following the [guidance provided by AAD as part of the Azure AD Graph deprecation process][aad-graph]. In following those instructions, you may need to make some changes to your configuration of App Service authentication. Once you have added Microsoft Graph permissions to your app registration, you can:

+1. Update the **Issuer URL** to include the "/v2.0" suffix if it doesn't already. See [Enable Azure Active Directory in your App Service app](#-step-2-enable-azure-active-directory-in-your-app-service-app) for general expectations around this value.

+1. Remove requests for Azure AD Graph permissions from your login configuration. The properties to change depend on [which version of the management API you're using](./configure-authentication-api-version.md):

+ - If you're using the V1 API (`/authsettings`), this would be in the `additionalLoginParams` array.

+ - If you're using the V2 API (`/authsettingsV2`), this would be in the `loginParameters` array.

+

+ You would need to remove any reference to "https://graph.windows.net", for example. This includes the `resource` parameter (which isn't supported by the "/v2.0" endpoint) or any scopes you're specifically requesting that are from the Azure AD Graph.

+ You would also need to update the configuration to request the new Microsoft Graph permissions you set up for the application registration. You can use the [.default scope](../active-directory/develop/scopes-oidc.md#the-default-scope) to simplify this setup in many cases. To do so, add a new login parameter `scope=openid profile email https://graph.microsoft.com/.default`.

+With these changes, when App Service Authentication attempts to log in, it will no longer request permissions to the Azure AD Graph, and instead it will get a token for the Microsoft Graph. Any use of that token from your application code would also need to be updated, as per the [guidance provided by AAD][aad-graph].

+[aad-graph]: /graph/migrate-azure-ad-graph-overview

+ az webapp config set --resource-group <resource-group-name> --name <app-name> --linux-fx-version "PYTHON|3.11"

+ Title: 'App Service authentication recommendations'

+description: There are several different authentication solutions available for web apps or web APIs hosted on App Service. This article provides recommendations on which auth solution(s) can be used for specific scenarios such as quickly and simply limiting access to your web app, custom authorization, and incremental consent.

+# Authentication scenarios and recommendations

+You can add authentication to your web app or API running in Azure App Service to limit the users who can access it. There are several different authentication solutions available. This article describes which authentication solution to use for specific scenarios.

+## Authentication solutions

+- **Azure App Service built-in authentication** - Allows you to sign users in and access data by writing minimal or no code in your web app, RESTful API, or mobile back end. ItΓÇÖs built directly into the platform and doesnΓÇÖt require any particular language, library, security expertise, or even any code to use.

+- **Microsoft Authentication Library (MSAL)** - Enables developers to acquire security tokens from the Microsoft identity platform to authenticate users and access secured web APIs. Available for multiple supported platforms and frameworks, these are general purpose libraries that can be used in various hosted environments. Developers can also integrate with multiple sign-in providers, like Azure AD, Facebook, Google, Twitter.

+- **Microsoft.Identity.Web** - A higher-level library wrapping MSAL.NET, it provides a set of ASP.NET Core abstractions that simplify adding authentication support to web apps and web APIs integrating with the Microsoft identity platform. It provides a single-surface API convenience layer that ties together ASP.NET Core, its authentication middleware, and MSAL.NET. This library can be used in apps in various hosted environments. You can integrate with multiple sign-in providers, like Azure AD, Facebook, Google, Twitter.

+## Scenario recommendations

+The following table lists each authentication solution and some important factors for when you would use it.

+|Authentication method|When to use|

+|--|--|

+|Built-in App Service authentication |* You want less code to own and manage.<br>* Your app's language and SDKs don't provide user sign-in or authorization.<br>* You don't have the ability to modify your app code (for example, when migrating legacy apps).<br>* You need to handle authentication through configuration and not code.<br>* You need to sign in external or social users.|

+|Microsoft Authentication Library (MSAL)|* You need a code solution in one of several different languages<br>* You need to add custom authorization logic.<br>* You need to support incremental consent.<br>* You need information about the signed-in user in your code.<br>* You need to sign in external or social users.<br>* Your app needs to handle the access token expiring without making the user sign in again.|

+|Microsoft.Identity.Web |* You have an ASP.NET Core app. <br>* You need single sign-on support in your IDE during local development.<br>* You need to add custom authorization logic.<br>* You need to support incremental consent.<br>* You need conditional access in your web app.<br>* You need information about the signed-in user in your code.<br>* You need to sign in external or social users.<br>* Your app needs to handle the access token expiring without making the user sign in again.|

+The following table lists authentication scenarios and the authentication solution(s) you would use.

+|Scenario |App Service built-in auth| Microsoft Authentication Library | Microsoft.Identity.Web |

+|:--|:--:|:--:|:--:|

+| Need a fast and simple way to limit access to users in your organization? | ✅ | ❌ | ❌ |

+| Unable to modify the application code (app migration scenario)? | ✅ | ❌ | ❌ |

+| Your app's language and libraries support user sign-in/authorization? | ❌ | ✅ | ✅ |

+| Even if you can use a code solution, would you rather *not* use libraries? Don't want the maintenance burden? | ✅ | ❌ | ❌ |

+| Does your web app need to provide incremental consent? | ❌ | ✅ | ✅ |

+| Do you need conditional access in your web app? | ❌ | ❌ | ✅ |

+| Your app need to handle the access token expiring without making the user sign in again (use a refresh token)? | ❌ | ✅ | ✅ |

+| Need custom authorization logic or info about the signed-in user? | ❌ | ✅ | ✅ |

+| Need to sign in users from external or social identity providers? | ✅ | ✅ | ✅ |

+| You have an ASP.NET Core app? | ✅ | ❌ | ✅ |

+| You have a single page app or static web app? | ✅ | ✅ | ✅ |

+| Want Visual Studio integration? | ❌ | ❌ | ✅ |

+| Need single sign-on support in your IDE during local development? | ❌ | ❌ | ✅ |

+## Next steps

+To get started with built-in App Service authentication, read:

+- [Enable App Service built-in authentication](scenario-secure-app-authentication-app-service.md)

+To get started with [Microsoft Authentication Library (MSAL)](/entra/msal/), read:

+- [Add sign-in with Microsoft to a web app](/azure/active-directory/develop/web-app-quickstart)

+- [Only allow authenticated user to access a web API](/azure/active-directory/develop/scenario-protected-web-api-overview)

+- [Sign in users to a single-page application (SPA)](/azure/active-directory/develop/scenario-spa-overview)

+To get started with [Microsoft.Identity.Web](/entra/msal/dotnet/microsoft-identity-web/), read:

+- [Sign in users to a web app](/azure/active-directory/develop/web-app-quickstart?pivots=devlang-aspnet-core)

+- [Protect a web API](/azure/active-directory/develop/web-api-quickstart?pivots=devlang-aspnet-core)

+- [Sign in users to a Blazor Server app](/azure/active-directory/develop/tutorial-blazor-server)

+Learn more about [App Service built-in authentication and authorization](overview-authentication-authorization.md)

+Your app might need to support more complex scenarios such as Visual Studio integration or incremental consent. There are several different authentication solutions available to support these scenarios. To learn more, read [Identity scenarios](identity-scenarios.md).

+* **Security and compliance** - App Service is [ISO, SOC, and PCI compliant](https://www.microsoft.com/trustcenter). Create [IP address restrictions](app-service-ip-restrictions.md) and [managed service identities](overview-managed-identity.md). [Prevent subdomain takeovers](reference-dangling-subdomain-prevention.md).

+* **Authentication** - [Authenticate users](overview-authentication-authorization.md) using the built-in authentication component. Authenticate users with [Azure Active Directory](configure-authentication-provider-aad.md), [Google](configure-authentication-provider-google.md), [Facebook](configure-authentication-provider-facebook.md), [Twitter](configure-authentication-provider-twitter.md), or [Microsoft account](configure-authentication-provider-microsoft.md).

+1. Install <a href="https://www.python.org/downloads/" target="_blank">Python</a>.

+In this quickstart, you'll deploy a Python web app (Django or Flask) to [Azure App Service](./overview.md#app-service-on-linux). Azure App Service is a fully managed web hosting service that supports Python apps hosted in a Linux server environment.

+ $azureaduser=(az ad user list --filter "userPrincipalName eq '<user-principal-name>'" --query '[].id' --output tsv)

+> $groupid=(az ad group create --display-name myAzureSQLDBAccessGroup --mail-nickname myAzureSQLDBAccessGroup --query objectId --output tsv)

+> $msiobjectid=(az webapp identity show --resource-group myResourceGroup --name <app-name> --query principalId --output tsv)

+In this tutorial, you'll deploy a data-driven Python web app (**[Django](https://www.djangoproject.com/)** or **[Flask](https://flask.palletsprojects.com/)**) to **[Azure App Service](./overview.md#app-service-on-linux)** with the **[Azure Database for PostgreSQL](../postgresql/index.yml)** relational database service. Azure App Service supports [Python](https://www.python.org/downloads/) in a Linux server environment.

+> If the virtual network Application Gateway is deployed into doesn't reside in the same resource group as the AKS nodes, please ensure the identity used by AGIC has the **Microsoft.Network/virtualNetworks/subnets/join/action** permission delegated to the subnet Application Gateway is deployed into. If a custom role is not defined with this permission, you may use the built-in _Network Contributor_ role, which contains the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission.

+If the virtual network Application Gateway is deployed into doesn't reside in the same resource group as the AKS nodes, please ensure the identity used by AGIC has the **Microsoft.Network/virtualNetworks/subnets/join/action** permission delegated to the subnet Application Gateway is deployed into. If a custom role is not defined with this permission, you may use the built-in _Network Contributor_ role, which contains the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission.

+The state should be `Ready`. If the value isn't `Ready`, you need to wait. If state is error, get the message field, collect logs, and contact support. See [Collect the logs](#collect-the-logs).

+If you didn't find primary, kill the pod that doesn't have any `role.ag.mssql.microsoft.com` label. If this doesn't resolve the issue, collect logs and contact support. See [Collect the logs](#collect-the-logs).

+If you find it isn't synchronized or not connected unexpectedly, try to kill the pod which has the problem. If problem persists, collect logs and contact support. See [Collect the logs](#collect-the-logs).

+You should get `ServerName` from `Listener` of each replica. If you can't get `ServerName`, kill the pods which have the problem. If the problem persists after recovery, collect logs and contact support. See [Collect the logs](#collect-the-logs).

+## Connection between failover groups is lost

+If the failover groups between primary and geo-secondary Arc SQL Managed instances is configured to be in `sync` mode and the connection is lost for whatever reason for an extended period of time, then the logs on the primary Arc SQL managed instance cannot be truncated until the transactions are sent to the geo-secondary. This could lead to the logs filling up and potentially running out of space on the primary site. To break out of this situation, remove the failover groups and re-configure when the connection between the sites is re-established.

+## Collect the logs

+If the previous steps all succeeded without any problem and you still can't log in, collect the logs and contact support

+Arc resource bridge communicates outbound securely to Azure Arc over TCP port 443. If the appliance needs to connect through a firewall or proxy server to communicate over the internet, it communicates outbound using the HTTPS protocol. You may need to allow specific URLs to [ensure outbound connectivity is not blocked](troubleshoot-resource-bridge.md#not-able-to-connect-to-url) by your firewall or proxy server. For more information, see [Azure Arc resource bridge (preview) network requirements](network-requirements.md).

+> To use Azure Kubernetes Service (AKS) on Azure Stack HCI with Arc resource bridge, AKS must be deployed prior to deploying Arc resource bridge. If Arc resource bridge has already been deployed, AKS can't be installed unless you delete Arc resource bridge first. Once AKS is deployed to Azure Stack HCI, you can deploy Arc resource bridge again.

+## IP address prefix (subnet) requirements

+The IP address prefix (subnet) where Arc resource bridge will be deployed requires a minimum prefix of /29. The IP address prefix must have enough available IP addresses for the gateway IP, control plane IP, appliance VM IP, and reserved appliance VM IP.

+The IP address prefix is the subnet's IP address range for the virtual network and subnet mask (IP Mask) in CIDR notation, for example `192.168.7.1/24`. You provide the IP address prefix (in CIDR notation) during the creation of the configuration files for Arc resource bridge.

+Consult your system or network administrator to obtain the IP address prefix in CIDR notation. An IP Subnet CIDR calculator may be used to obtain this value.

+## Static configuration

+Static IP configuration is recommended for Arc resource bridge, because the resource bridge needs three static IPs in the same subnet for the control plane, appliance VM, and reserved appliance VM.

+If using DHCP, reserve those IP addresses, ensuring the IPs are outside of the assignable DHCP range of IPs (i.e. the control plane IP should be treated as a reserved/static IP that no other machine on the network will use or receive from DHCP). DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

+## Management machine requirements

+The machine used to run the commands to deploy and maintain Arc resource bridge is called the *management machine*.

+Management machine requirements:

+- Open communication to Appliance VM IP.

+- Open communication to the reserved Appliance VM IP.

+- Internet access

+

+## Appliance VM IP address requirements

+Arc resource bridge consists of an appliance VM that is deployed on-premises. The appliance VM has visibility into the on-premises infrastructure and can tag on-premises resources (guest management) for projection into Azure Resource Manager (ARM).

+The appliance VM is assigned an IP address from the `k8snodeippoolstart` parameter in the `createconfig` command; it may be referred to in partner products as Start Range IP, RB IP Start or VM IP 1.

+The appliance VM IP is the starting IP address for the appliance VM IP pool range. The VM IP pool range requires a minimum of 2 IP addresses.

+Appliance VM IP address requirements:

+- Open communication with the management machine and management endpoint (such as vCenter for VMware or MOC cloud agent service endpoint for Azure Stack HCI).

+- Internet connectivity to [required URLs](network-requirements.md#outbound-connectivity) enabled in proxy/firewall.

+- Static IP assigned (strongly recommended)

+ - If using DHCP, then the address must be reserved and outside of the assignable DHCP range of IPs. No other machine on the network will use or receive this IP from DHCP. DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

+- Must be from within the IP address prefix.

+- Internal and external DNS resolution.

+- If using a proxy, the proxy server has to be reachable from this IP and all IPs within the VM IP pool.

+Arc resource bridge reserves an additional IP address to be used for the appliance VM upgrade.

+The reserved appliance VM IP is assigned an IP address via the `k8snodeippoolend` parameter in the `az arcappliance createconfig` command. This IP address may be referred to as End Range IP, RB IP End, or VM IP 2.

+The reserved appliance VM IP is the ending IP address for the appliance VM IP pool range. If specifying an IP pool range larger than two IP addresses, the additional IPs are reserved.

+Reserved appliance VM IP requirements:

+- Open communication with the management machine and management endpoint (such as vCenter for VMware or MOC cloud agent service endpoint for Azure Stack HCI).

+- Internet connectivity to [required URLs](network-requirements.md#outbound-connectivity) enabled in proxy/firewall.

+- Static IP assigned (strongly recommended)

+ - If using DHCP, then the address must be reserved and outside of the assignable DHCP range of IPs. No other machine on the network will use or receive this IP from DHCP. DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

+ - Must be from within the IP address prefix.

+ - Internal and external DNS resolution.

+ - If using a proxy, the proxy server has to be reachable from this IP and all IPs within the VM IP pool.

+The appliance VM hosts a management Kubernetes cluster with a control plane that requires a single, static IP address. This IP is assigned from the `controlplaneendpoint` parameter in the `createconfig` command or equivalent configuration files creation command.

+Control plane IP requirements:

+ - Open communication with the management machine.

+ - Static IP address assigned; the IP address should be outside the DHCP range but still available on the network segment. This IP address can't be assigned to any other machine on the network.

+ - If using DHCP, the control plane IP should be a single reserved IP that is outside of the assignable DHCP range of IPs. No other machine on the network will use or receive this IP from DHCP. DHCP is generally not recommended because a change in IP address (ex: due to an outage) impacts the resource bridge availability.

+ - If using Azure Kubernetes Service on Azure Stack HCI (AKS hybrid) and installing Arc resource bridge, then the control plane IP for the resource bridge can't be used by the AKS hybrid cluster. For specific instructions on deploying Arc resource bridge with AKS on Azure Stack HCI, see [AKS on HCI (AKS hybrid) - Arc resource bridge deployment](/azure/aks/hybrid/deploy-arc-resource-bridge-windows-server).

+ - If using a proxy, the proxy server has to be reachable from IPs within the IP address prefix, including the reserved appliance VM IP.

+## DNS server

+

+DNS server(s) must have internal and external endpoint resolution. The appliance VM and control plane need to resolve the management machine and vice versa. All three IPs must be able to reach the required URLs for deployment.

+## Gateway

+

+The gateway IP should be an IP from within the subnet designated in the IP address prefix.

+## Example minimum configuration for static IP deployment

+

+The following example shows valid configuration values that can be passed during configuration file creation for Arc resource bridge. It is strongly recommended to use static IP addresses when deploying Arc resource bridge.

+Notice that the IP addresses for the gateway, control plane, appliance VM and DNS server (for internal resolution) are within the IP address prefix. This key detail helps ensure successful deployment of the appliance VM.

+ IP Address Prefix (CIDR format): 192.168.0.0/29

+ Gateway (IP format): 192.168.0.1

+ VM IP Pool Start (IP format): 192.168.0.2

+ VM IP Pool End (IP format): 192.168.0.3

+ Control Plane IP (IP format): 192.168.0.4

+ DNS servers (IP list format): 192.168.0.1, 10.0.0.5, 10.0.0.6

+Arc resource bridge may require a separate user account with the necessary roles to view and manage resources in the on-premises infrastructure (such as Arc-enabled VMware vSphere). If so, during creation of the configuration files, the `username` and `password` parameters will be required. The account credentials are then stored in a configuration file locally within the appliance VM.

+Three configuration files are created when the `createconfig` command completes (or the equivalent commands used by Azure Stack HCI and AKS hybrid): `<appliance-name>-resource.yaml`, `<appliance-name>-appliance.yaml` and `<appliance-name>-infra.yaml`.

+By default, these files are generated in the current CLI directory when `createconfig` completes. These files should be saved in a secure location on the management machine, because they're required for maintaining the appliance VM. Because the configuration files reference each other, all three files must be stored in the same location. If the files are moved from their original location at deployment, open the files to check that the reference paths to the configuration files are accurate.

+## AKS on Azure Stack HCI with Arc resource bridge

+

+To use AKS and Arc resource bridge together on Azure Stack HCI, AKS must be deployed prior to deploying Arc resource bridge. If Arc resource bridge has already been deployed, AKS can't be deployed unless you delete Arc resource bridge first. Once AKS is deployed to Azure Stack HCI, you can deploy Arc resource bridge.

+When you deploy Arc resource bridge with AKS on Azure Stack HCI (AKS Hybrid), the following configurations must be applied:

+- Arc resource bridge and AKS-HCI should share the same `vswitchname` and be in the same subnet, sharing the same value for the parameter, `ipaddressprefix` .

+- The IP address prefix (subnet) must contain enough IP addresses for both the Arc resource bridge and AKS-HCI.

+- Arc resource bridge should be given a unique `vnetname` that is different from the one used for AKS Hybrid.

+- The Arc resource bridge requires different IP addresses for `vippoolstart/end` and `k8snodeippoolstart/end`. These IPs can't be shared between the two.

+- Arc resource bridge and AKS-HCI must each have a unique control plane IP.

+For instructions to deploy Arc resource bridge on AKS Hybrid, see [How to install Azure Arc Resource Bridge on Windows Server - AKS hybrid](/azure/aks/hybrid/deploy-arc-resource-bridge-windows-server).

+- Review the [Azure Arc resource bridge (preview) overview](overview.md) to understand more about features and benefits.

+- Learn about [security configuration and considerations for Azure Arc resource bridge (preview)](security-overview.md).

+Arc resource bridge consists of an appliance VM that is deployed to the on-premises infrastructure. The appliance VM maintains a connection to the management endpoint of the on-premises infrastructure using locally stored credentials. If these credentials are not updated, the resource bridge is no longer able to communicate with the management endpoint. This may cause problems when trying to upgrade the resource bridge or manage VMs through Azure.

+## Networking issues

+When trying to deploy Arc resource bridge, you may see an error that contains `back-off pulling image \\\"url"\\\: FailFastPodCondition`. This error is caused when the appliance VM can't reach the URL specified in the error. To resolve this issue, make sure the appliance VM meets system requirements, including internet access connectivity to [required allowlist URLs](network-requirements.md).

+### Not able to connect to URL

+If you receive an error that contains `Not able to connect to https://example.url.com`, check with your network administrator to ensure your network allows all of the required firewall and proxy URLs to deploy Arc resource bridge. For more information, see [Azure Arc resource bridge (preview) network requirements](network-requirements.md).

+### .local not supported

+When trying to set the configuration for Arc resource bridge, you may receive an error message similar to:

+`"message": "Post \"https://esx.lab.local/52b-bcbc707ce02c/disk-0.vmdk\": dial tcp: lookup esx.lab.local: no such host"`

+This occurs when a `.local` path is provided for a configuration setting, such as proxy, dns, datastore or management endpoint (such as vCenter). Arc resource bridge appliance VM uses Azure Linux OS, which doesn't support `.local` by default. A workaround could be to provide the IP address where applicable.

+1. Appliance VM IP and Control Plane IP need internet access to [these required URLs](#not-able-to-connect-to-url). Azure Stack HCI requires [additional URLs](/azure-stack/hci/manage/azure-arc-vm-management-prerequisites). Work with your network administrator to ensure that the IPs can access the required URLs.

+1. In a non-proxy environment, the management machine must have external and internal DNS resolution. The management machine must be able to reach a DNS server that can resolve internal names such as vCenter endpoint for vSphere or cloud agent endpoint for Azure Stack HCI. The DNS server also needs to be able to [resolve external addresses](#not-able-to-connect-to-url), such as Azure URLs and OS image download URLs. Work with your system administrator to ensure that the management machine has internal and external DNS resolution. In a proxy environment, the DNS resolution on the proxy server should resolve internal endpoints and [required external addresses](#not-able-to-connect-to-url).

+## Move Arc resource bridge location

+Resource move of Arc resource bridge isn't currently supported. You'll need to delete the Arc resource bridge, then re-deploy it to the desired location.

+ az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview --body '{"properties": {"type": "default"}}'

+1. Configure your client application to acquire an Azure AD token for scope `acca5fbb-b7e4-4009-81f1-37e38fd66d78/.default` using the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview).

+| StackExchange.Redis | C#/.NET | [.NET code sample](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) |

+| Node-redis | Node.js | [noredis code sample](https://aka.ms/redis/aad/sample-code/js-noderedis) |

+You might also see `CROSSSLOT` errors with Enterprise clustering policy. Only the following multi-key commands are allowed across slots with Enterprise clustering: `DEL`, `MSET`, `MGET`, `EXISTS`, `UNLINK`, and `TOUCH`.

+In Active-Active databases, multi-key write commands (`DEL`, `MSET`, `UNLINK`) can only be run on keys that are in the same slot. However, the following multi-key commands are allowed across slots in Active-Active databases: `MGET`, `EXISTS`, and `TOUCH`. For more information, see [Database clustering](https://docs.redis.com/latest/rs/databases/durability-ha/clustering/#multikey-operations).

+| E10 | 1,000,000 | 1,900,000 | 2,500,000 |

+* [Does scaling out using clustering help to increase the number of supported client connections?](#does-scaling-out-using-clustering-help-to-increase-the-number-of-supported-client-connections)

+- On the _Premium_ tier, AOF persistence isn't supported with [multiple replicas](cache-how-to-multi-replicas.md).

+On the **Enterprise** and **Enterprise Flash** tiers, data is persisted to a managed disk attached directly to the cache instance. The location isn't configurable nor accessible to the user. Using a managed disk increases the performance of persistence. The disk is encrypted using Microsoft managed keys (MMK) by default, but customer managed keys (CMK) can also be used. For more information, see [managing data encryption](#managing-data-encryption).

+ | **DNS name** | Enter a globally unique name. | The cache name must be a string between 1 and 63 characters that contain only numbers, letters, or hyphens. The name must start and end with a number or letter, and can't contain consecutive hyphens. The _host name_ for your cache instance's is `\<DNS name>.redis.cache.windows.net`. |

+ | **Authentication Method** | Drop-down and select an authentication method. Choices are **Managed Identity** or **Storage Key**| Choose your preferred authentication method. Using [managed identity](cache-managed-identity.md) allows you to use a storage account in a different subscription than the one in which your cache is located. |

+ | **Subscription** | Drop-down and select a subscription. | You can choose a storage account in a different subscription if you're using managed identity as the authentication method. |

+ > When RDB files are backed up to storage, they are stored in the form of page blobs. If you're using a storage account with HNS enabled, persistence will tend to fail because page blobs aren't supported in storage accounts with HNS enabled (ADLS Gen2).

+ | **Authentication Method** | Drop-down and select an authentication method. Choices are **Managed Identity** or **Storage Key**| Choose your preferred authentication method. Using [managed identity](cache-managed-identity.md) allows you to use a storage account in a different subscription than the one in which your cache is located. |

+ | **Subscription** | Drop-down and select a subscription. | You can choose a storage account in a different subscription if you're using managed identity as the authentication method. |

+1. Finish creating the cache by following the rest of the instructions in the [Enterprise tier quickstart guide](quickstart-create-redis-enterprise.md).

+Because Redis persistence creates data at rest, encrypting this data is an important concern for many users. Encryption options vary based on the tier of Azure Cache for Redis being used.

+With the **Premium** tier, data is streamed directly from the cache instance to Azure Storage when persistence is initiated. Various encryption methods can be used with Azure Storage, including Microsoft-managed keys, customer-managed keys, and customer-provided keys. For information on encryption methods, see [Azure Storage encryption for data at rest](../storage/common/storage-service-encryption.md).

+As long as CPU and Server Load are both less than 90%, there's a penalty on throughput, but the cache operates normally, otherwise. Above 90% CPU and Server Load, the throughput penalty can get much higher, and the latency of all commands processed by the cache increases. Latency increases because AOF persistence runs on both the primary and replica process, increasing the load on the node in use, and putting persistence on the critical path of data.

+Yes, you can use the same storage account for persistence across two different caches. The [limitations on subscriptions and regions](#prerequisites-and-limitations) still apply.

+We recommend that you avoid enabling soft delete on storage accounts when used with Azure Cache for Redis data persistence with the Premium tier. RDB and AOF persistence can write to your blobs as frequently as every hour, every few minutes, or every second. Also, enabling soft delete on a storage account means Azure Cache for Redis can't minimize storage costs by deleting the old backup data.

+Yes, you can change the backup frequency for RDB persistence using the Azure portal, CLI, or PowerShell.

+When you use the Premium tier, data stored in AOF files is divided into multiple page blobs per shard. By default, half of the blobs are saved in the primary storage account and half are saved in the secondary storage account. Splitting the data across multiple page blobs and two different storage accounts increases the performance.

+If the peak rate of writes to the cache isn't very high, then this extra performance might not be needed. In that case, the secondary storage account configuration can be removed. All of the AOF files are instead stored in just the single primary storage account. The following table displays how many total page blobs are used for each pricing tier:

+|::|:|

+| P1 | 8 per shard |

+| P2 | 16 per shard |

+| P3 | 32 per shard |

+| P4 | 40 per shard |

+When clustering is enabled, each shard in the cache has its own set of page blobs, as indicated in the previous table. For example, a P2 cache with three shards distributes its AOF file across 48 page blobs: sixteen blobs per shard, with three shards.

+Using managed identity adds the cache instance to the [trusted services list](../storage/common/storage-network-security.md?tabs=azure-portal), making firewall exceptions easier to carry out. If you aren't using managed identity and instead authorizing to a storage account using a key, then having firewall exceptions on the storage account tends to break the persistence process. This only applies to persistence in the Premium tier.

+Select the storage account that your cache is using for persistence. Select **Data Protection** from the Resource menu. In the working pane, check the state of _Enable soft delete for blobs_. For more information on soft delete in Azure storage accounts, see [Enable soft delete for blobs](/azure/storage/blobs/soft-delete-blob-enable?tabs=azure-portal).

+- By using [Azure Private Link](../private-link/private-link-overview.md), you can connect to an Azure Cache instance from your virtual network via a private endpoint. The endpoint is assigned a private IP address in a subnet within the virtual network. With this private link, cache instances are available from both within the VNet and publicly.

+ > [!IMPORTANT]

+ > Enterprise/Enterprise Flash caches with private link cannot be accessed publicly.

+- Once a private endpoint is created on Basic/Standard/Premium tier caches, access to the public network can be restricted through the `publicNetworkAccess` flag. This flag is set to `Disabled` by default, which will only allow private link access. You can set the value to `Enabled` or `Disabled` with a PATCH request. For more information, see [Azure Cache for Redis with Azure Private Link](cache-private-link.md).

+ > [!IMPORTANT]

+ > Enterprise/Enterprise Flash tier does not support `publicNetworkAccess` flag.

+- You can't inject an Azure Cache for Redis instance into a Virtual Network. You can only select this option when you _create_ the cache.

+You may wish to restrict the maximum number of instances an app used to scale out. This is most common for cases where a downstream component like a database has limited throughput. By default, Consumption plan functions scale out to as many as 200 instances, and Premium plan functions will scale out to as many as 100 instances. You can specify a lower maximum for a specific app by modifying the `functionAppScaleLimit` value. The `functionAppScaleLimit` can be set to `0` or `null` for unrestricted, or a valid value between `1` and the app maximum.

+# [Azure CLI](#tab/azure-cli)

+# [Azure PowerShell](#tab/azure-powershell)

+More samples for the Azure SQL input binding are available in the [GitHub repository](https://github.com/Azure/azure-functions-sql-extension/tree/main/samples/samples-csx).

+More samples for the Azure SQL output binding are available in the [GitHub repository](https://github.com/Azure/azure-functions-sql-extension/tree/main/samples/samples-csx).

+Target-based scaling replaces the previous Azure Functions incremental scaling model as the default for these extension types. Incremental scaling added or removed a maximum of one worker at [each new instance rate](event-driven-scaling.md#understanding-scaling-behaviors), with complex decisions for when to scale. In contrast, target-based scaling allows scale up of four instances at a time, and the scaling decision is based on a simple target-based equation:

+## Considerations

+The following considerations apply when using target-based scaling:

+Target-based scaling is enabled by default for function apps hosted on a Consumption plan or on a Premium plans. To disable target-based scaling and fall back to incremental scaling, add the following app setting to your function app:

+1. In the designer pane, select **Function-Try** to configure the target settings and then select the **</> Code view** button in the top menu to edit the code for the **Function-Try** element. In the request body, if you want to manage VMs across all resource groups in the subscription, modify the request body as shown in the following example.

+| Hong Kong Special Administrative Region | Γ£ô |

+| Macao Special Administrative Region | Γ£ô |

+* [`BooleanTypeStyleRule`](#booleantypestylerule)

+* [`NumericTypeStyleRule`](#numerictypestylerule)

+* [`StringTypeStyleRule`](#stringtypestylerule)

+The following code creates an instance of the drawing manager and sets the drawing **mode** option.

+The following image is an example of drawing mode of the `DrawingManager`. Select any place on the map to start drawing a polygon.

+<!--

+ (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+-->

+<!

+ (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+The previous examples demonstrated how to customize drawing options while instantiating the Drawing Manager. You can also set the Drawing Manager options by using the `drawingManager.setOptions()` function.

+The [Drawing manager options] can be used to test out customization of all options for the drawing manager using the `setOptions` function.

+<!

+<iframe height="685" title="Customize drawing manager" src="//codepen.io/azuremaps/embed/LYPyrxR/?height=600&theme-id=0&default-tab=result" frameborder="no" allowtransparency="true" allowfullscreen="true">See the Pen <a href='https://codepen.io/azuremaps/pen/LYPyrxR/'>Get shape data</a> by Azure Maps

+ (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+[Drawing manager options]: https://samples.azuremaps.com/drawing-tools-module/drawing-manager-options

+ Title: Add an Open Geospatial Consortium (OGC) map layer

+- GetFeatureInfo requires the service to support `EPSG:4326` or handle reprojections.

+The [OGC map layer] sample shows how to overlay an OGC map layer on the map.

+<!-

+<iframe height='700' scrolling='no' title='OGC Map layer example' src='//codepen.io/azuremaps/embed/xxGLZWB/?height=700&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/xxGLZWB/'>OGC Map layer example</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+->

+The [OGC map layer options] sample demonstrates the different OGC map layer options.

+<!-

+<iframe height='700' scrolling='no' title='OGC map layer options' src='//codepen.io/azuremaps/embed/abOyEVQ/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/abOyEVQ/'>OGC map layer options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+->

+The [OGC Web Map Service explorer] sample overlays imagery from the Web Map Services (WMS) and Web Map Tile Services (WMTS) as layers. You may select which layers in the service are rendered on the map. You may also view the associated legends for these layers.

+<!-

+<iframe height='750' scrolling='no' title='OGC Web Map Service explorer' src='//codepen.io/azuremaps/embed/YzXxYdX/?height=750&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/YzXxYdX/'>OGC Web Map Service explorer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+->

+> [Supported data format details](spatial-io-supported-data-format-details.md)

+[OGC map layer]: https://samples.azuremaps.com/spatial-io-module/ogc-map-layer-example

+[OGC map layer options]: https://samples.azuremaps.com/spatial-io-module/ogc-map-layer-options

+[OGC Web Map Service explorer]: https://samples.azuremaps.com/spatial-io-module/ogc-web-map-service-explorer

+ Title: Add a simple data layer

+The following code snippet demonstrates using a simple data layer, referencing the data from an online source.

+```javascript

+function InitMap()

+{

+ var map = new atlas.Map('myMap', {

+ center: [-73.967605, 40.780452],

+ zoom: 12,

+ view: "Auto",

+ //Add authentication details for connecting to Azure Maps.

+ authOptions: {

+ // Get an Azure Maps key at https://azuremaps.com/.

+ authType: 'subscriptionKey',

+ subscriptionKey: '{Your-Azure-Maps-Subscription-key}'

+ },

+ });

+ //Wait until the map resources are ready.

+ map.events.add('ready', function () {

+ //Create a data source and add it to the map.

+ var datasource = new atlas.source.DataSource();

+ map.sources.add(datasource);

+ //Add a simple data layer for rendering data.

+ var layer = new atlas.layer.SimpleDataLayer(datasource);

+ map.layers.add(layer);

+ //Load an initial data set.

+ loadDataSet('https://s3-us-west-2.amazonaws.com/s.cdpn.io/1717245/use-simple-data-layer.json');

+ function loadDataSet(url) {

+ //Read the spatial data and add it to the map.

+ atlas.io.read(url).then(r => {

+ if (r) {

+ //Update the features in the data source.

+ datasource.setShapes(r);

+ //If bounding box information is known for data, set the map view to it.

+ if (r.bbox) {

+ map.setCamera({

+ bounds: r.bbox,

+ padding: 50

+ });

+ }

+ }

+ });

+ }

+ });

+}

+```

+The url passed to the `loadDataSet` function points to the following json:

+Once you add features to the data source, the simple data layer figures out how best to render them. Styles for individual features can be set as properties on the feature.

+The above sample code shows a GeoJSON point feature with a `color` property set to `red`.

+This sample code renders the point feature using the simple data layer, and appears as follows:

+> [!NOTE]

+> Notice that the coordinates set when the map was initialized:

+>

+> &emsp; center: [-73.967605, 40.780452]

+>

+> Are overwritten by the value from the datasource:

+>

+> &emsp; "coordinates": [0, 0]

+<!

+<iframe height="500" scrolling="no" title="Use the Simple data layer" src="//codepen.io/azuremaps/embed/zYGzpQV/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true"> See the Pen <a href='https://codepen.io/azuremaps/pen/zYGzpQV/'>Use the simple data layer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+For example when parsing XML data feeds, you may not know the exact styles and geometry types of the features. The [Simple data layer options] sample shows the power of the simple data layer by rendering the features of a KML file. It also demonstrates various options that the simple data layer class provides.

+<!

+<iframe height="700" scrolling="no" title="Simple data layer options" src="//codepen.io/azuremaps/embed/gOpRXgy/?height=700&theme-id=0&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true"> See the Pen <a href='https://codepen.io/azuremaps/pen/gOpRXgy/'>Simple data layer options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+> - All scripts, forms, pointer lock and top navigation functionality is disabled. Links are allowed to open up in a new tab when clicked.

+>

+> If you trust the data being loaded into the popups and potentially want these scripts loaded into popups be able to access your application, you can disable this by setting the popup templates `sandboxContent` option to false.

+[Simple data layer options]: https://samples.azuremaps.com/spatial-io-module/simple-data-layer-options

+ Title: Read and write spatial data

+| Property name | Type | Description |

+The [Load spatial data] sample shows how to read a spatial data set, and render it on the map using the `SimpleDataLayer` class. The code uses a GPX file pointed to by a URL. For the source code of this sample, see [Load spatial data source].

+<!--

+<iframe height='500' scrolling='no' title='Load Spatial Data Simple' src='//codepen.io/azuremaps/embed/yLNXrZx/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/yLNXrZx/'>Load Spatial Data Simple</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+The [Load KML onto map] sample shows how to load KML or KMZ files onto the map. For the source code of this sample, see [Load KML onto map source].

+<!--

+<iframe height='500' scrolling='no' title='Load KML Onto Map' src='//codepen.io/azuremaps/embed/XWbgwxX/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/XWbgwxX/'>Load KML Onto Map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+The following code snippet shows how to read a delimited file and render it on the map. In this case, the code uses a CSV file that has spatial data columns. Note that you must add a reference to the Azure Maps Spatial IO module.

+```javascript

+<!-- Add reference to the Azure Maps Spatial IO module. -->

+<script src="https://atlas.microsoft.com/sdk/javascript/spatial/0/atlas-spatial.min.js"></script>

+<script type="text/javascript">

+var map, datasource, layer;

+//a URL pointing to the CSV file

+var delimitedFileUrl = "https://s3-us-west-2.amazonaws.com/s.cdpn.io/1717245/earthquakes_gt7_alltime.csv";

+function InitMap()

+{

+ map = new atlas.Map('myMap', {

+ center: [-73.985708, 40.75773],

+ zoom: 12,

+ view: "Auto",

+ //Add authentication details for connecting to Azure Maps.

+ authOptions: {

+ // Get an Azure Maps key at https://azuremaps.com/.

+ authType: 'subscriptionKey',

+ subscriptionKey: '{Your-Azure-Maps-Subscription-key}'

+ },

+ });

+ //Wait until the map resources are ready.

+ map.events.add('ready', function () {

+ //Create a data source and add it to the map.

+ datasource = new atlas.source.DataSource();

+ map.sources.add(datasource);

+ //Add a simple data layer for rendering the data.

+ layer = new atlas.layer.SimpleDataLayer(datasource);

+ map.layers.add(layer);

+ //Read a CSV file from a URL or pass in a raw string.

+ atlas.io.read(delimitedFileUrl).then(r => {

+ if (r) {

+ //Add the feature data to the data source.

+ datasource.add(r);

+ //If bounding box information is known for data, set the map view to it.

+ if (r.bbox) {

+ map.setCamera({

+ bounds: r.bbox,

+ padding: 50

+ });

+ }

+ }

+ });

+ });

+}

+</script>

+```

+<!--

+<iframe height='500' scrolling='no' title='Add a Delimited File' src='//codepen.io/azuremaps/embed/ExjXBEb/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ExjXBEb/'>Add a Delimited File</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+The [Spatial data write options] sample is a tool that demonstrates the majority of the write options that can be used with the `atlas.io.write` function. For the source code of this sample, see [Spatial data write options source].

+<!--

+<iframe height='700' scrolling='no' title='Spatial data write options' src='//codepen.io/azuremaps/embed/YzXxXPG/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/YzXxXPG/'>Spatial data write options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+The [Drag and drop spatial files onto map] sample allows you to drag and drop one or more KML, KMZ, GeoRSS, GPX, GML, GeoJSON or CSV files onto the map. For the source code of this sample, see [Drag and drop spatial files onto map source].

+<!--

+<iframe height='700' scrolling='no' title='Drag and drop spatial files onto map' src='//codepen.io/azuremaps/embed/zYGdGoO/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/zYGdGoO/'>Drag and drop spatial files onto map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+>

+The [Read Well Known Text] sample shows how to read the well-known text string `POINT(-122.34009 47.60995)` and render it on the map using a bubble layer. For the source code of this sample, see [Read Well Known Text source].

+<!--

+<iframe height='500' scrolling='no' title='Read Well-Known Text' src='//codepen.io/azuremaps/embed/XWbabLd/?height=500&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/XWbabLd/'>Read Well-Known Text</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+-->

+The [Read and write Well Known Text] sample demonstrates how to read and write Well Known Text (WKT) strings as GeoJSON. For the source code of this sample, see [Read and write Well Known Text source].

+<!--

+<iframe height='700' scrolling='no' title='Read and write Well-Known Text' src='//codepen.io/azuremaps/embed/JjdyYav/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/JjdyYav/'>Read and write Well-Known Text</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+-->

+[Load spatial data]: https://samples.azuremaps.com/spatial-io-module/load-spatial-data-(simple)

+[Load spatial data source]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/Load%20spatial%20data%20(simple)/Load%20spatial%20data%20(simple).html

+[Load KML onto map]: https://samples.azuremaps.com/spatial-io-module/load-kml-onto-map

+[Load KML onto map source]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/Load%20KML%20onto%20map/Load%20KML%20onto%20map.html

+[Spatial data write options]: https://samples.azuremaps.com/spatial-io-module/spatial-data-write-options

+[Spatial data write options source]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/Spatial%20data%20write%20options/Spatial%20data%20write%20options.html

+[Drag and drop spatial files onto map]: https://samples.azuremaps.com/spatial-io-module/drag-and-drop-spatial-files-onto-map

+[Drag and drop spatial files onto map source]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/Drag%20and%20drop%20spatial%20files%20onto%20map/Drag%20and%20drop%20spatial%20files%20onto%20map.html

+[Read Well Known Text]: https://samples.azuremaps.com/spatial-io-module/read-well-known-text

+[Read Well Known Text source]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/Read%20Well%20Known%20Text/Read%20Well%20Known%20Text.html

+[Read and write Well Known Text]: https://samples.azuremaps.com/spatial-io-module/read-and-write-well-known-text

+[Read and write Well Known Text source]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/Read%20and%20write%20Well%20Known%20Text/Read%20and%20write%20Well%20Known%20Text.html

+| 852 | Hong Kong Special Administrative Region|

+The preceding steps are enough to help you start collecting server-side telemetry. If your application has client-side components, follow the next steps to start collecting [usage telemetry](./usage-overview.md) using JavaScript (Web) SDK Loader Script injection by configuration.

+You can customize additional sampling settings using the [SamplingPercentageEstimatorSettings](https://github.com/microsoft/ApplicationInsights-dotnet/blob/main/BASE/src/ServerTelemetryChannel/Implementation/SamplingPercentageEstimatorSettings.cs) class:

+```csharp

+using Microsoft.ApplicationInsights.WindowsServer.Channel.Implementation;

+telemetryProcessorChainBuilder.UseAdaptiveSampling(new SamplingPercentageEstimatorSettings

+{

+ MinSamplingPercentage = 0.01,

+ MaxSamplingPercentage = 100,

+ MaxTelemetryItemsPerSecond = 5

+ }, null, excludedTypes: "Dependency");

+```

+1. Set the connection string in the `appsettings.json` file:

+ "ConnectionString" : "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://{region}.in.applicationinsights.azure.com/;LiveEndpoint=https://{region}.livediagnostics.monitor.azure.com/"

+2. Retrieve the connection string in `Program.cs` when registering the `ApplicationInsightsTelemetry` service:

+ var options = new ApplicationInsightsServiceOptions { ConnectionString = app.Configuration["ApplicationInsights:ConnectionString"] };

+> When deploying applications to Azure in production scenarios, consider placing connection strings or other configuration secrets in secure locations such as App Service configuration settings or Azure Key Vault. Avoid including secrets in your application code or checking them into source control where they might be exposed or misused. The preceding code example will also work if the connection string is stored in App Service configuration settings. Learn more about [configuring App Service settings](/azure/app-service/configure-common).

+Explicitly set the connection string in code:

+ ConnectionString = "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://{region}.in.applicationinsights.azure.com/;LiveEndpoint=https://{region}.livediagnostics.monitor.azure.com/"

+Set the connection string using a configuration file:

+ <ConnectionString>InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://{region}.in.applicationinsights.azure.com/;LiveEndpoint=https://{region}.livediagnostics.monitor.azure.com/</ConnectionString>

+ "connectionString": "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://{region}.in.applicationinsights.azure.com/;LiveEndpoint=https://{region}.livediagnostics.monitor.azure.com/"

+appInsights.setup("InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://{region}.in.applicationinsights.azure.com/;LiveEndpoint=https://{region}.livediagnostics.monitor.azure.com/");

+tracer = Tracer(exporter=AzureExporter(connection_string='InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://{region}.in.applicationinsights.azure.com/;LiveEndpoint=https://{region}.livediagnostics.monitor.azure.com/'), sampler=ProbabilitySampler(1.0))

+> [!NOTE]

+> Although the logs may refer to "scale up" and "scale down" actions, the actual action taken is scale in or scale out.

+This article shows you how to set up notifications so that you can call specific web URLs or send emails based on autoscale actions in Azure.

+Webhooks allow you to send HTTP requests to a specific URL endpoint (callback URL) when a certain event or trigger occurs. Using webhooks, you can automate and streamline processes by enabling the automatic exchange of information between different systems or applications. Use webhooks to trigger custom code, notifications, or other actions to run when an autoscale event occurs.

+You can send email to any valid email address when an autoscale event occurs. Administrators and co-administrators of the subscription where the rule is running are also notified.

+## Configure Notifications

+Use the Azure portal, CLI, PowerShell, or Resource Manager templates to configure notifications.

+### [Portal](#tab/portal)

+### Set up notifications using the Azure portal.

+Select the **Notify** tab on the autoscale settings page to configure notifications.

+Select the check boxes to send an email to the subscription administrator or co-administrators. You can also enter a list of email addresses to send notifications to.

+

+Enter a webhook URI to send a notification to a web service. You can also add custom headers to the webhook request. For example, you can add an authentication token in the header, query parameters, or add a custom header to identify the source of the request.

+### [CLI](#tab/cli)

+### Use CLI to configure notifications.

+Use the `az monitor autoscale update` or the `az monitor autoscale create` command to configure notifications using Azure CLI.

+The following parameters are used to configure notifications:

+For example, the following command adds an email notification and a webhook notification to and existing autoscale setting. The command also sends email to the subscription administrator.

+```azurecli

+ az monitor autoscale update \

+--resource-group <resource group name> \

+--name <autoscale setting name> \

+--email-administrator true \

+--add-action email pdavis@contoso.com \

+--add-action webhook http://myservice.com/webhook-listerner-123

+> [!NOTE]

+> You can add mote than one email or webhook notification by using the `--add-action` parameter multiple times. While multiple webhook notifications are supported and can be seen in the JSON, the portal only shows the first webhook.

+For more information, see [az monitor autoscale](https://learn.microsoft.com/cli/azure/monitor/autoscale?view=azure-cli-latest).

+### [PowerShell](#tab/powershell)

+### Use PowerShell to configure notifications.

+The following example shows how to configure a webhook and email notification.

+1. Create the webhook object.

+1. Create the notification object.

+1. Add the notification object to the autoscale setting using `New-AzAutoscaleSetting` or `Update-AzAutoscaleSetting` cmdlets.

+```powershell

+# Assumining you have already created a profile object and have a vmssName, resourceGroup, and subscriptionId

+ $webhook=New-AzAutoscaleWebhookNotificationObject `

+-Property @{"method"='GET'; "headers"= '"Authorization", "tokenvalue-12345678abcdef"'} `

+-ServiceUri "http://myservice.com/webhook-listerner-123"

+$notification=New-AzAutoscaleNotificationObject `

+-EmailCustomEmail "pdavis@contoso.com" `

+-EmailSendToSubscriptionAdministrator $true ` -EmailSendToSubscriptionCoAdministrator $true `

+-Webhook $webhook

+New-AzAutoscaleSetting -Name autoscalesetting2 `

+-ResourceGroupName $resourceGroup `

+-Location eastus `

+-Profile $profile `

+-Enabled -Notification $notification `

+-PropertiesName "autoscalesetting" `

+-TargetResourceUri "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachineScaleSets/$vmssName"

+```

+### [Resource Manager](#tab/resourcemanager)

+### Use Resource Manager templates to configure notifications.

+When you use the Resource Manager templates or REST API, include the `notifications` element in your [autoscale settings](https://learn.microsoft.com/azure/templates/microsoft.insights/autoscalesettings?pivots=deployment-language-arm-template#resource-format-1), for example:

+```JSON

+ "serviceUri": "https://my.webhook.example.com?token=abcd1234",

+The webhook can authenticate by using token-based authentication, where you save the webhook URI with a token ID as a query parameter. For example, `https://mysamplealert/webcallback?tokenid=123-abc456-7890&myparameter2=value123`.

+```JSON

+ "version": "1.0",

+ "status": "Activated",

+ "operation": "Scale Out",

+ "context": {

+ "timestamp": "2023-06-22T07:01:47.8926726Z",

+ "id": "/subscriptions/123456ab-9876-a1b2-a2b1-123a567b9f8767/resourceGroups/rg-001/providers/microsoft.insights/autoscalesettings/AutoscaleSettings-002",

+ "name": "AutoscaleSettings-002",

+ "details": "Autoscale successfully started scale operation for resource 'ScaleableAppServicePlan' from capacity '1' to capacity '2'",

+ "subscriptionId": "123456ab-9876-a1b2-a2b1-123a567b9f8767",

+ "resourceGroupName": "rg-001",

+ "resourceName": "ScaleableAppServicePlan",

+ "resourceType": "microsoft.web/serverfarms",

+ "resourceId": "/subscriptions/123456ab-9876-a1b2-a2b1-123a567b9f8767/resourceGroups/rg-001/providers/Microsoft.Web/serverfarms/ScaleableAppServicePlan",

+ "portalLink": "https://portal.azure.com/#resource/subscriptions/123456ab-9876-a1b2-a2b1-123a567b9f8767/resourceGroups/rg-001/providers/Microsoft.Web/serverfarms/ScaleableAppServicePlan",

+ "resourceRegion": "West Central US",

+ "oldCapacity": "1",

+ "newCapacity": "2"

+ },

+ "properties": {

+ "key1": "value1",

+ "key2": "value2"

+ }

+## Container logs

+Container logs for AKS are stored in [the ContainerLogV2 table](./container-insights-logging-v2.md). You can run the following sample queries to look for the stderr/stdout log output from target pods, deployments, or namespaces.

+### Container logs for a specific pod, namespace, and container

+```kusto

+ContainerLogV2

+| where _ResourceId =~ "clusterResourceID" //update with resource ID

+| where PodNamespace == "podNameSpace" //update with target namespace

+| where PodName == "podName" //update with target pod

+| where ContainerName == "containerName" //update with target container

+| project TimeGenerated, Computer, ContainerId, LogMessage, LogSource

+```

+### Container logs for a specific deployment

+``` kusto

+let KubePodInv = KubePodInventory

+| where _ResourceId =~ "clusterResourceID" //update with resource ID

+| where Namespace == "deploymentNamespace" //update with target namespace

+| where ControllerKind == "ReplicaSet"

+| extend deployment = reverse(substring(reverse(ControllerName), indexof(reverse(ControllerName), "-") + 1))

+| where deployment == "deploymentName" //update with target deployment

+| extend ContainerId = ContainerID

+| summarize arg_max(TimeGenerated, *) by deployment, ContainerId, PodStatus, ContainerStatus

+| project deployment, ContainerId, PodStatus, ContainerStatus;

+KubePodInv

+| join

+(

+ ContainerLogV2

+ | where TimeGenerated >= startTime and TimeGenerated < endTime

+ | where PodNamespace == "deploymentNamespace" //update with target namespace

+ | where PodName startswith "deploymentName" //update with target deployment

+) on ContainerId

+| project TimeGenerated, deployment, PodName, PodStatus, ContainerName, ContainerId, ContainerStatus, LogMessage, LogSource

+```

+### Container logs for any failed pod in a specific namespace

+``` kusto

+ let KubePodInv = KubePodInventory

+ | where TimeGenerated >= startTime and TimeGenerated < endTime

+ | where _ResourceId =~ "clustereResourceID" //update with resource ID

+ | where Namespace == "podNamespace" //update with target namespace

+ | where PodStatus == "Failed"

+ | extend ContainerId = ContainerID

+ | summarize arg_max(TimeGenerated, *) by ContainerId, PodStatus, ContainerStatus

+ | project ContainerId, PodStatus, ContainerStatus;

+ KubePodInv

+ | join

+ (

+ ContainerLogV2

+ | where TimeGenerated >= startTime and TimeGenerated < endTime

+ | where PodNamespace == "podNamespace" //update with target namespace

+ ) on ContainerId

+ | project TimeGenerated, PodName, PodStatus, ContainerName, ContainerId, ContainerStatus, LogMessage, LogSource

+```

+## Container insights default visualization queries

+These queries are generated from the [out of the box visualizations](./container-insights-analyze.md) from container insights. You can choose to use these if you have enabled custom [cost optimization settings](./container-insights-cost-config.md), in lieu of the default charts.

+### Node CPU and memory utilization

+The required tables for this chart include Perf and KubeNodeInventory.

+```kusto

+ let trendBinSize = 5m;

+ let MaxListSize = 1000;

+ let clusterId = 'clusterResourceID'; //update with resource ID

+ let clusterIdToken = strcat(clusterId, "/");

+

+ let materializedPerfData = materialize(Perf

+| where InstanceName startswith clusterIdToken

+| where ObjectName == 'K8SNode'

+| summarize arg_max(TimeGenerated, *) by CounterName, Computer, bin(TimeGenerated, trendBinSize)

+| where CounterName == 'cpuCapacityNanoCores' or CounterName == 'memoryCapacityBytes' or CounterName == 'cpuUsageNanoCores' or CounterName == 'memoryRssBytes'

+| project TimeGenerated, Computer, CounterName, CounterValue

+| summarize StoredValue = max(CounterValue) by Computer, CounterName, bin(TimeGenerated, trendBinSize));

+ let rawData = KubeNodeInventory

+| where ClusterId =~ clusterId

+| summarize arg_max(TimeGenerated, *) by Computer, bin(TimeGenerated, trendBinSize)

+| join( materializedPerfData

+| where CounterName == 'cpuCapacityNanoCores' or CounterName == 'memoryCapacityBytes'

+| project Computer, CounterName = iif(CounterName == 'cpuCapacityNanoCores', 'cpu', 'memory'), CapacityValue = StoredValue, TimeGenerated ) on Computer, TimeGenerated

+| join kind=inner( materializedPerfData

+| where CounterName == 'cpuUsageNanoCores' or CounterName == 'memoryRssBytes'

+| project Computer, CounterName = iif(CounterName == 'cpuUsageNanoCores', 'cpu', 'memory'), UsageValue = StoredValue, TimeGenerated ) on Computer, CounterName, TimeGenerated

+| project Computer, CounterName, TimeGenerated, UsagePercent = UsageValue * 100.0 / CapacityValue;

+ rawData

+| summarize Min = min(UsagePercent), Avg = avg(UsagePercent), Max = max(UsagePercent), percentiles(UsagePercent, 50, 90, 95) by bin(TimeGenerated, trendBinSize), CounterName

+| sort by TimeGenerated asc

+| project CounterName, TimeGenerated, Min, Avg, Max, P50 = percentile_UsagePercent_50, P90 = percentile_UsagePercent_90, P95 = percentile_UsagePercent_95

+| summarize makelist(TimeGenerated, MaxListSize), makelist(Min, MaxListSize), makelist(Avg, MaxListSize), makelist(Max, MaxListSize), makelist(P50, MaxListSize), makelist(P90, MaxListSize), makelist(P95, MaxListSize) by CounterName

+| join ( rawData

+| summarize Min = min(UsagePercent), Avg = avg(UsagePercent), Max = max(UsagePercent), percentiles(UsagePercent, 50, 90, 95) by CounterName ) on CounterName

+| project ClusterId = clusterId, CounterName, Min, Avg, Max, P50 = percentile_UsagePercent_50, P90 = percentile_UsagePercent_90, P95 = percentile_UsagePercent_95, list_TimeGenerated, list_Min, list_Avg, list_Max, list_P50, list_P90, list_P95

+```

+### Node count by status

+The required tables for this chart include KubeNodeInventory.

+```kusto

+ let trendBinSize = 5m;

+ let maxListSize = 1000;

+ let clusterId = 'clusterResourceID'; //update with resource ID

+

+ let rawData = KubeNodeInventory

+| where ClusterId =~ clusterId

+| distinct ClusterId, TimeGenerated

+| summarize ClusterSnapshotCount = count() by Timestamp = bin(TimeGenerated, trendBinSize), ClusterId

+| join hint.strategy=broadcast ( KubeNodeInventory

+| where ClusterId =~ clusterId

+| summarize TotalCount = count(), ReadyCount = sumif(1, Status contains ('Ready')) by ClusterId, Timestamp = bin(TimeGenerated, trendBinSize)

+| extend NotReadyCount = TotalCount - ReadyCount ) on ClusterId, Timestamp

+| project ClusterId, Timestamp, TotalCount = todouble(TotalCount) / ClusterSnapshotCount, ReadyCount = todouble(ReadyCount) / ClusterSnapshotCount, NotReadyCount = todouble(NotReadyCount) / ClusterSnapshotCount;

+ rawData

+| order by Timestamp asc

+| summarize makelist(Timestamp, maxListSize), makelist(TotalCount, maxListSize), makelist(ReadyCount, maxListSize), makelist(NotReadyCount, maxListSize) by ClusterId

+| join ( rawData

+| summarize Avg_TotalCount = avg(TotalCount), Avg_ReadyCount = avg(ReadyCount), Avg_NotReadyCount = avg(NotReadyCount) by ClusterId ) on ClusterId

+| project ClusterId, Avg_TotalCount, Avg_ReadyCount, Avg_NotReadyCount, list_Timestamp, list_TotalCount, list_ReadyCount, list_NotReadyCount

+```

+### Pod count by status

+The required tables for this chart include KubePodInventory.

+```kusto

+ let trendBinSize = 5m;

+ let maxListSize = 1000;

+ let clusterId = 'clusterResourceID'; //update with resource ID

+

+ let rawData = KubePodInventory

+| where ClusterId =~ clusterId

+| distinct ClusterId, TimeGenerated

+| summarize ClusterSnapshotCount = count() by bin(TimeGenerated, trendBinSize), ClusterId

+| join hint.strategy=broadcast ( KubePodInventory

+| where ClusterId =~ clusterId

+| summarize PodStatus=any(PodStatus) by TimeGenerated, PodUid, ClusterId

+| summarize TotalCount = count(), PendingCount = sumif(1, PodStatus =~ 'Pending'), RunningCount = sumif(1, PodStatus =~ 'Running'), SucceededCount = sumif(1, PodStatus =~ 'Succeeded'), FailedCount = sumif(1, PodStatus =~ 'Failed'), TerminatingCount = sumif(1, PodStatus =~ 'Terminating') by ClusterId, bin(TimeGenerated, trendBinSize) ) on ClusterId, TimeGenerated

+| extend UnknownCount = TotalCount - PendingCount - RunningCount - SucceededCount - FailedCount - TerminatingCount

+| project ClusterId, Timestamp = TimeGenerated, TotalCount = todouble(TotalCount) / ClusterSnapshotCount, PendingCount = todouble(PendingCount) / ClusterSnapshotCount, RunningCount = todouble(RunningCount) / ClusterSnapshotCount, SucceededCount = todouble(SucceededCount) / ClusterSnapshotCount, FailedCount = todouble(FailedCount) / ClusterSnapshotCount, TerminatingCount = todouble(TerminatingCount) / ClusterSnapshotCount, UnknownCount = todouble(UnknownCount) / ClusterSnapshotCount;

+ let rawDataCached = rawData;

+

+ rawDataCached

+| order by Timestamp asc

+| summarize makelist(Timestamp, maxListSize), makelist(TotalCount, maxListSize), makelist(PendingCount, maxListSize), makelist(RunningCount, maxListSize), makelist(SucceededCount, maxListSize), makelist(FailedCount, maxListSize), makelist(TerminatingCount, maxListSize), makelist(UnknownCount, maxListSize) by ClusterId

+| join ( rawDataCached

+| summarize Avg_TotalCount = avg(TotalCount), Avg_PendingCount = avg(PendingCount), Avg_RunningCount = avg(RunningCount), Avg_SucceededCount = avg(SucceededCount), Avg_FailedCount = avg(FailedCount), Avg_TerminatingCount = avg(TerminatingCount), Avg_UnknownCount = avg(UnknownCount) by ClusterId ) on ClusterId

+| project ClusterId, Avg_TotalCount, Avg_PendingCount, Avg_RunningCount, Avg_SucceededCount, Avg_FailedCount, Avg_TerminatingCount, Avg_UnknownCount, list_Timestamp, list_TotalCount, list_PendingCount, list_RunningCount, list_SucceededCount, list_FailedCount, list_TerminatingCount, list_UnknownCount

+```

+### List of containers by status

+The required tables for this chart include KubePodInventory and Perf.

+```kusto

+ let startDateTime = datetime('start time');

+ let endDateTime = datetime('end time');

+ let trendBinSize = 15m;

+ let maxResultCount = 10000;

+ let metricUsageCounterName = 'cpuUsageNanoCores';

+ let metricLimitCounterName = 'cpuLimitNanoCores';

+

+ let KubePodInventoryTable = KubePodInventory

+| where TimeGenerated >= startDateTime

+| where TimeGenerated < endDateTime

+| where isnotempty(ClusterName)

+| where isnotempty(Namespace)

+| where isnotempty(Computer)

+| project TimeGenerated, ClusterId, ClusterName, Namespace, ServiceName, ControllerName, Node = Computer, Pod = Name, ContainerInstance = ContainerName, ContainerID, ReadySinceNow = format_timespan(endDateTime - ContainerCreationTimeStamp , 'ddd.hh:mm:ss.fff'), Restarts = ContainerRestartCount, Status = ContainerStatus, ContainerStatusReason = columnifexists('ContainerStatusReason', ''), ControllerKind = ControllerKind, PodStatus;

+ let startRestart = KubePodInventoryTable

+| summarize arg_min(TimeGenerated, *) by Node, ContainerInstance

+| where ClusterId =~ 'clusterResourceID' //update with resource ID

+| project Node, ContainerInstance, InstanceName = strcat(ClusterId, '/', ContainerInstance), StartRestart = Restarts;

+ let IdentityTable = KubePodInventoryTable

+| summarize arg_max(TimeGenerated, *) by Node, ContainerInstance

+| where ClusterId =~ 'clusterResourceID' //update with resource ID

+| project ClusterName, Namespace, ServiceName, ControllerName, Node, Pod, ContainerInstance, InstanceName = strcat(ClusterId, '/', ContainerInstance), ContainerID, ReadySinceNow, Restarts, Status = iff(Status =~ 'running', 0, iff(Status=~'waiting', 1, iff(Status =~'terminated', 2, 3))), ContainerStatusReason, ControllerKind, Containers = 1, ContainerName = tostring(split(ContainerInstance, '/')[1]), PodStatus, LastPodInventoryTimeGenerated = TimeGenerated, ClusterId;

+ let CachedIdentityTable = IdentityTable;

+

+ let FilteredPerfTable = Perf

+| where TimeGenerated >= startDateTime

+| where TimeGenerated < endDateTime

+| where ObjectName == 'K8SContainer'

+| where InstanceName startswith 'clusterResourceID'

+| project Node = Computer, TimeGenerated, CounterName, CounterValue, InstanceName ;

+ let CachedFilteredPerfTable = FilteredPerfTable;

+

+ let LimitsTable = CachedFilteredPerfTable

+| where CounterName =~ metricLimitCounterName

+| summarize arg_max(TimeGenerated, *) by Node, InstanceName

+| project Node, InstanceName, LimitsValue = iff(CounterName =~ 'cpuLimitNanoCores', CounterValue/1000000, CounterValue), TimeGenerated;

+ let MetaDataTable = CachedIdentityTable

+| join kind=leftouter ( LimitsTable ) on Node, InstanceName

+| join kind= leftouter ( startRestart ) on Node, InstanceName

+| project ClusterName, Namespace, ServiceName, ControllerName, Node, Pod, InstanceName, ContainerID, ReadySinceNow, Restarts, LimitsValue, Status, ContainerStatusReason = columnifexists('ContainerStatusReason', ''), ControllerKind, Containers, ContainerName, ContainerInstance, StartRestart, PodStatus, LastPodInventoryTimeGenerated, ClusterId;

+ let UsagePerfTable = CachedFilteredPerfTable

+| where CounterName =~ metricUsageCounterName

+| project TimeGenerated, Node, InstanceName, CounterValue = iff(CounterName =~ 'cpuUsageNanoCores', CounterValue/1000000, CounterValue);

+ let LastRestartPerfTable = CachedFilteredPerfTable

+| where CounterName =~ 'restartTimeEpoch'

+| summarize arg_max(TimeGenerated, *) by Node, InstanceName

+| project Node, InstanceName, UpTime = CounterValue, LastReported = TimeGenerated;

+ let AggregationTable = UsagePerfTable

+| summarize Aggregation = max(CounterValue) by Node, InstanceName

+| project Node, InstanceName, Aggregation;

+ let TrendTable = UsagePerfTable

+| summarize TrendAggregation = max(CounterValue) by bin(TimeGenerated, trendBinSize), Node, InstanceName

+| project TrendTimeGenerated = TimeGenerated, Node, InstanceName , TrendAggregation

+| summarize TrendList = makelist(pack("timestamp", TrendTimeGenerated, "value", TrendAggregation)) by Node, InstanceName;

+ let containerFinalTable = MetaDataTable

+| join kind= leftouter( AggregationTable ) on Node, InstanceName

+| join kind = leftouter (LastRestartPerfTable) on Node, InstanceName

+| order by Aggregation desc, ContainerName

+| join kind = leftouter ( TrendTable) on Node, InstanceName

+| extend ContainerIdentity = strcat(ContainerName, ' ', Pod)

+| project ContainerIdentity, Status, ContainerStatusReason = columnifexists('ContainerStatusReason', ''), Aggregation, Node, Restarts, ReadySinceNow, TrendList = iif(isempty(TrendList), parse_json('[]'), TrendList), LimitsValue, ControllerName, ControllerKind, ContainerID, Containers, UpTimeNow = datetime_diff('Millisecond', endDateTime, datetime_add('second', toint(UpTime), make_datetime(1970,1,1))), ContainerInstance, StartRestart, LastReportedDelta = datetime_diff('Millisecond', endDateTime, LastReported), PodStatus, InstanceName, Namespace, LastPodInventoryTimeGenerated, ClusterId;

+containerFinalTable

+| limit 200

+```

+### List of Controllers by status

+The required tables for this chart include KubePodInventory and Perf.

+```kusto

+ let endDateTime = datetime('start time');

+ let startDateTime = datetime('end time');

+ let trendBinSize = 15m;

+ let metricLimitCounterName = 'cpuLimitNanoCores';

+ let metricUsageCounterName = 'cpuUsageNanoCores';

+

+ let primaryInventory = KubePodInventory

+| where TimeGenerated >= startDateTime

+| where TimeGenerated < endDateTime

+| where isnotempty(ClusterName)

+| where isnotempty(Namespace)

+| extend Node = Computer

+| where ClusterId =~ 'clusterResourceID' //update with resource ID

+| project TimeGenerated, ClusterId, ClusterName, Namespace, ServiceName, Node = Computer, ControllerName, Pod = Name, ContainerInstance = ContainerName, ContainerID, InstanceName, PerfJoinKey = strcat(ClusterId, '/', ContainerName), ReadySinceNow = format_timespan(endDateTime - ContainerCreationTimeStamp, 'ddd.hh:mm:ss.fff'), Restarts = ContainerRestartCount, Status = ContainerStatus, ContainerStatusReason = columnifexists('ContainerStatusReason', ''), ControllerKind = ControllerKind, PodStatus, ControllerId = strcat(ClusterId, '/', Namespace, '/', ControllerName);

+let podStatusRollup = primaryInventory

+| summarize arg_max(TimeGenerated, *) by Pod

+| project ControllerId, PodStatus, TimeGenerated

+| summarize count() by ControllerId, PodStatus = iif(TimeGenerated < ago(30m), 'Unknown', PodStatus)

+| summarize PodStatusList = makelist(pack('Status', PodStatus, 'Count', count_)) by ControllerId;

+let latestContainersByController = primaryInventory

+| where isnotempty(Node)

+| summarize arg_max(TimeGenerated, *) by PerfJoinKey

+| project ControllerId, PerfJoinKey;

+let filteredPerformance = Perf

+| where TimeGenerated >= startDateTime

+| where TimeGenerated < endDateTime

+| where ObjectName == 'K8SContainer'

+| where InstanceName startswith 'clusterResourceID' //update with resource ID

+| project TimeGenerated, CounterName, CounterValue, InstanceName, Node = Computer ;

+let metricByController = filteredPerformance

+| where CounterName =~ metricUsageCounterName

+| extend PerfJoinKey = InstanceName

+| summarize Value = percentile(CounterValue, 95) by PerfJoinKey, CounterName

+| join (latestContainersByController) on PerfJoinKey

+| summarize Value = sum(Value) by ControllerId, CounterName

+| project ControllerId, CounterName, AggregationValue = iff(CounterName =~ 'cpuUsageNanoCores', Value/1000000, Value);

+let containerCountByController = latestContainersByController

+| summarize ContainerCount = count() by ControllerId;

+let restartCountsByController = primaryInventory

+| summarize Restarts = max(Restarts) by ControllerId;

+let oldestRestart = primaryInventory

+| summarize ReadySinceNow = min(ReadySinceNow) by ControllerId;

+let trendLineByController = filteredPerformance

+| where CounterName =~ metricUsageCounterName

+| extend PerfJoinKey = InstanceName

+| summarize Value = percentile(CounterValue, 95) by bin(TimeGenerated, trendBinSize), PerfJoinKey, CounterName

+| order by TimeGenerated asc

+| join kind=leftouter (latestContainersByController) on PerfJoinKey

+| summarize Value=sum(Value) by ControllerId, TimeGenerated, CounterName

+| project TimeGenerated, Value = iff(CounterName =~ 'cpuUsageNanoCores', Value/1000000, Value), ControllerId

+| summarize TrendList = makelist(pack("timestamp", TimeGenerated, "value", Value)) by ControllerId;

+let latestLimit = filteredPerformance

+| where CounterName =~ metricLimitCounterName

+| extend PerfJoinKey = InstanceName

+| summarize arg_max(TimeGenerated, *) by PerfJoinKey

+| join kind=leftouter (latestContainersByController) on PerfJoinKey

+| summarize Value = sum(CounterValue) by ControllerId, CounterName

+| project ControllerId, LimitValue = iff(CounterName =~ 'cpuLimitNanoCores', Value/1000000, Value);

+let latestTimeGeneratedByController = primaryInventory

+| summarize arg_max(TimeGenerated, *) by ControllerId

+| project ControllerId, LastTimeGenerated = TimeGenerated;

+primaryInventory

+| distinct ControllerId, ControllerName, ControllerKind, Namespace

+| join kind=leftouter (podStatusRollup) on ControllerId

+| join kind=leftouter (metricByController) on ControllerId

+| join kind=leftouter (containerCountByController) on ControllerId

+| join kind=leftouter (restartCountsByController) on ControllerId

+| join kind=leftouter (oldestRestart) on ControllerId

+| join kind=leftouter (trendLineByController) on ControllerId

+| join kind=leftouter (latestLimit) on ControllerId

+| join kind=leftouter (latestTimeGeneratedByController) on ControllerId

+| project ControllerId, ControllerName, ControllerKind, PodStatusList, AggregationValue, ContainerCount = iif(isempty(ContainerCount), 0, ContainerCount), Restarts, ReadySinceNow, Node = '-', TrendList, LimitValue, LastTimeGenerated, Namespace

+| limit 250;

+```

+### List of Nodes by status

+The required tables for this chart include KubeNodeInventory, KubePodInventory, and Perf.

+```kusto

+ let endDateTime = datetime('start time');

+ let startDateTime = datetime('end time');

+ let binSize = 15m;

+ let limitMetricName = 'cpuCapacityNanoCores';

+ let usedMetricName = 'cpuUsageNanoCores';

+

+ let materializedNodeInventory = KubeNodeInventory

+| where TimeGenerated < endDateTime

+| where TimeGenerated >= startDateTime

+| project ClusterName, ClusterId, Node = Computer, TimeGenerated, Status, NodeName = Computer, NodeId = strcat(ClusterId, '/', Computer), Labels

+| where ClusterId =~ 'clusterResourceID'; //update with resource ID

+ let materializedPerf = Perf

+| where TimeGenerated < endDateTime

+| where TimeGenerated >= startDateTime

+| where ObjectName == 'K8SNode'

+| extend NodeId = InstanceName;

+ let materializedPodInventory = KubePodInventory

+| where TimeGenerated < endDateTime

+| where TimeGenerated >= startDateTime

+| where isnotempty(ClusterName)

+| where isnotempty(Namespace)

+| where ClusterId =~ 'clusterResourceID'; //update with resource ID

+ let inventoryOfCluster = materializedNodeInventory

+| summarize arg_max(TimeGenerated, Status) by ClusterName, ClusterId, NodeName, NodeId;

+ let labelsByNode = materializedNodeInventory

+| summarize arg_max(TimeGenerated, Labels) by ClusterName, ClusterId, NodeName, NodeId;

+ let countainerCountByNode = materializedPodInventory

+| project ContainerName, NodeId = strcat(ClusterId, '/', Computer)

+| distinct NodeId, ContainerName

+| summarize ContainerCount = count() by NodeId;

+ let latestUptime = materializedPerf

+| where CounterName == 'restartTimeEpoch'

+| summarize arg_max(TimeGenerated, CounterValue) by NodeId

+| extend UpTimeMs = datetime_diff('Millisecond', endDateTime, datetime_add('second', toint(CounterValue), make_datetime(1970,1,1)))

+| project NodeId, UpTimeMs;

+ let latestLimitOfNodes = materializedPerf

+| where CounterName == limitMetricName

+| summarize CounterValue = max(CounterValue) by NodeId

+| project NodeId, LimitValue = CounterValue;

+ let actualUsageAggregated = materializedPerf

+| where CounterName == usedMetricName

+| summarize Aggregation = percentile(CounterValue, 95) by NodeId //This line updates to the desired aggregation

+| project NodeId, Aggregation;

+ let aggregateTrendsOverTime = materializedPerf

+| where CounterName == usedMetricName

+| summarize TrendAggregation = percentile(CounterValue, 95) by NodeId, bin(TimeGenerated, binSize) //This line updates to the desired aggregation

+| project NodeId, TrendAggregation, TrendDateTime = TimeGenerated;

+ let unscheduledPods = materializedPodInventory

+| where isempty(Computer)

+| extend Node = Computer

+| where isempty(ContainerStatus)

+| where PodStatus == 'Pending'

+| order by TimeGenerated desc

+| take 1

+| project ClusterName, NodeName = 'unscheduled', LastReceivedDateTime = TimeGenerated, Status = 'unscheduled', ContainerCount = 0, UpTimeMs = '0', Aggregation = '0', LimitValue = '0', ClusterId;

+ let scheduledPods = inventoryOfCluster

+| join kind=leftouter (aggregateTrendsOverTime) on NodeId

+| extend TrendPoint = pack("TrendTime", TrendDateTime, "TrendAggregation", TrendAggregation)

+| summarize make_list(TrendPoint) by NodeId, NodeName, Status

+| join kind=leftouter (labelsByNode) on NodeId

+| join kind=leftouter (countainerCountByNode) on NodeId

+| join kind=leftouter (latestUptime) on NodeId

+| join kind=leftouter (latestLimitOfNodes) on NodeId

+| join kind=leftouter (actualUsageAggregated) on NodeId

+| project ClusterName, NodeName, ClusterId, list_TrendPoint, LastReceivedDateTime = TimeGenerated, Status, ContainerCount, UpTimeMs, Aggregation, LimitValue, Labels

+| limit 250;

+ union (scheduledPods), (unscheduledPods)

+| project ClusterName, NodeName, LastReceivedDateTime, Status, ContainerCount, UpTimeMs = UpTimeMs_long, Aggregation = Aggregation_real, LimitValue = LimitValue_real, list_TrendPoint, Labels, ClusterId

+```

+## Multi-line logging in Container Insights (preview)

+Customers must enable *ContainerLogV2* for multi-line logging to work. Go here to [enable ContainerLogV2](./container-insights-logging-v2.md#enable-the-containerlogv2-schema) in Container Insights.

+* Learn how [query data](./container-insights-log-query.md#container-logs) from ContainerLogV2

+### Delete the extension instance

+To delete the extension instance, use the following CLI command:

+```azurecli

+az k8s-extension delete --name azuremonitor-metrics -g <cluster_resource_group> -c<cluster_name> -t connectedClusters

+```

+The command only deletes the extension instance. The Azure Monitor workspace and its data are not deleted.

+ | Key Vault | [AZKVAuditLogs](/azure/azure-monitor/reference/tables/AZKVAuditLogs)<br>[AZKVPolicyEvaluationDetailsLogs](/azure/azure-monitor/reference/tables/AZKVPolicyEvaluationDetailsLogs) |

+Data export is optimized to move large data volume to your destinations. The export operation might fail if the destination doesn't have sufficient capacity or is unavailable. In the event of failure, the retry process continues for up to 12 hours. For more information about destination limits and recommended alerts, see [Create or update a data export rule](#create-or-update-a-data-export-rule). If the destinations are still unavailable after the retry period, the data is discarded. In certain cases, retry can cause duplication of a fraction of the exported records.

+Data export charges are based on the number of bytes exported to destinations in JSON formatted data, and measured in GB (10^9 bytes). Size calculation in workspace query can't correspond with export charges since doesn't include the JSON formatted data. You can use PowerShell to [calculate the total billing size of a blob container](../../storage/scripts/storage-blobs-container-calculate-billing-size-powershell.md).

+ Title: Set up resources required to send data to Azure Monitor Logs using the Logs Ingestion API

+description: Run a PowerShell script to set up all resources required to send data to Azure Monitor using the Logs Ingestion API.

+# Set up resources required to send data to Azure Monitor Logs using the Logs Ingestion API

+This article provides a PowerShell script that sets up all of the resources you need before you can send data to Azure Monitor Logs using the [Logs ingestion API](logs-ingestion-api-overview.md).

+> [!NOTE]

+> As a Microsoft MVP, [Morten Waltorp Knudsen](https://mortenknudsen.net/) contributed to and provided material feedback for this article. For an example of how you can automate the setup and ongoing use of the Log Ingestion API, see Morten's [AzLogDcrIngestPS PowerShell module](https://github.com/KnudsenMorten/AzLogDcrIngestPS).

+## Create resources and permissions

+The script creates these resources, if they don't already exist:

+- A Log Analytics workspace and a resource group for the Log Analytics workspace.

+

+ You probably already have a Log Analytics workspace, in which case, provide the workspace details so the script sets up the other resources in the same region as the workspace.

+- An Azure AD application to authenticate against the API and:

+ - A service principal on the Azure AD application

+ - A secret for the Azure AD application

+- A data collection endpoint (DCE) and a resource group for the data collection endpoint, in same region as Log Analytics workspace, to receive data.

+- A resource group for data collection rules (DCR) in the same region as the Log Analytics workspace.

+The script also grants the app `Contributor` permissions to:

+- The Log Analytics workspace

+- The resource group for data collection rules

+- The resource group for data collection endpoints

+## PowerShell script

+```powershell

+#

+# Prerequisite functions

+#

+Write-Output "Checking needed functions ... Please Wait !"

+$ModuleCheck = Get-Module -Name Az.Resources -ListAvailable -ErrorAction SilentlyContinue

+If (!($ModuleCheck))

+ {

+ Write-Output "Installing Az-module in CurrentUser scope ... Please Wait !"

+ Install-module -Name Az -Force -Scope CurrentUser

+ }

+$ModuleCheck = Get-Module -Name Microsoft.Graph -ListAvailable -ErrorAction SilentlyContinue

+If (!($ModuleCheck))

+ {

+ Write-Output "Installing Microsoft.Graph in CurrentUser scope ... Please Wait !"

+ Install-module -Name Microsoft.Graph -Force -Scope CurrentUser

+ }

+<#

+ Install-module Az -Scope CurrentUser

+ Install-module Microsoft.Graph -Scope CurrentUser

+ install-module Az.portal -Scope CurrentUser

+ Import-module Az -Scope CurrentUser

+ Import-module Az.Accounts -Scope CurrentUser

+ Import-module Az.Resources -Scope CurrentUser

+ Import-module Microsoft.Graph.Applications -Scope CurrentUser

+ Import-Module Microsoft.Graph.DeviceManagement.Enrolment -Scope CurrentUser

+#>

+#-

+# (1) Variables (Prerequisites, environment setup)

+#-

+$TenantId = "<your tenant ID>"

+# Azure app registration

+$AzureAppName = "Log-Ingestion-App"

+$AzAppSecretName = "Log-Ingestion-App secret"

+# Log Analytics workspace

+$LogAnalyticsSubscription = "<Log Analytics workspace ID>"

+$LogAnalyticsResourceGroup = "<Log Analytics workspace resource group>"

+$LoganalyticsWorkspaceName = "<Log Analytics workspace name>"

+$LoganalyticsLocation = "<Log Analytics workspace location>"

+# Data collection endpoint

+$AzDceName = "dce-log-ingestion-demo"

+$AzDceResourceGroup = "rg-dce-log-ingestion-demo"

+# Data collection rule

+$AzDcrResourceGroup = "rg-dcr-log-ingestion-demo"

+$AzDcrPrefix = "demo"

+$VerbosePreference = "SilentlyContinue" # "Continue"

+#-

+# (2) Connectivity

+#-

+ # Connect to Azure

+ Connect-AzAccount -Tenant $TenantId -WarningAction SilentlyContinue

+ # Get access token

+ $AccessToken = Get-AzAccessToken -ResourceUrl https://management.azure.com/

+ $AccessToken = $AccessToken.Token

+ # Build headers for Azure REST API with access token

+ $Headers = @{

+ "Authorization"="Bearer $($AccessToken)"

+ "Content-Type"="application/json"

+ }

+ # Connect to Microsoft Graph

+ $MgScope = @(

+ "Application.ReadWrite.All",`

+ "Directory.Read.All",`

+ "Directory.AccessAsUser.All",

+ "RoleManagement.ReadWrite.Directory"

+ )

+ Connect-MgGraph -TenantId $TenantId -ForceRefresh -Scopes $MgScope

+#-

+# (3) Prerequisites - deployment of environment (if missing)

+#-

+ <#

+ This section deploys all resources needed for ingesting logs using the Log Ingestion API.

+ The deployment includes the following steps:

+ (1) Create a resource group for the Log Analytics workspace

+ (2) Create the Log Analytics workspace

+ (3) Create an Azure App registration to send data to Azure Monitor Logs

+ (4) Create a service principal on the app

+ (5) Create a secret for the app

+ (6) Create a resource group for the data collection endpoint (DCE) in the same region as the Log Analytics workspace

+ (7) Create a resource group for data collection rules (DCR) in the same region as the Log Analytics workspace

+ (8) Create data collection endpoint (DCE) in same region as Log Analytics workspace

+ (9) Grant the Azure app permissions to the Log Analytics workspace

+ (10) Grant the Azure app permissions to the resource group for data collection rules (DCR)

+ (11) Grant the Azure app permissions to the resource group for data collection endpoints (DCE)

+ #>

+ #-

+ # Azure context

+ #-

+ Write-Output ""

+ Write-Output "Validating Azure context is subscription [ $($LogAnalyticsSubscription) ]"

+ $AzContext = Get-AzContext

+ If ($AzContext.Subscription -ne $LogAnalyticsSubscription )

+ {

+ Write-Output ""

+ Write-Output "Switching Azure context to subscription [ $($LogAnalyticsSubscription) ]"

+ $AzContext = Set-AzContext -Subscription $LogAnalyticsSubscription -Tenant $TenantId

+ }

+ #-

+ # Create the resource group for Log Analytics workspace

+ #-

+ Write-Output ""

+ Write-Output "Validating Azure resource group exist [ $($LogAnalyticsResourceGroup) ]"

+ try {

+ Get-AzResourceGroup -Name $LogAnalyticsResourceGroup -ErrorAction Stop

+ } catch {

+ Write-Output ""

+ Write-Output "Creating Azure resource group [ $($LogAnalyticsResourceGroup) ]"

+ New-AzResourceGroup -Name $LogAnalyticsResourceGroup -Location $LoganalyticsLocation

+ }

+ #-

+ # Create the workspace

+ #-

+ Write-Output ""

+ Write-Output "Validating Log Analytics workspace exist [ $($LoganalyticsWorkspaceName) ]"

+ try {

+ $LogWorkspaceInfo = Get-AzOperationalInsightsWorkspace -Name $LoganalyticsWorkspaceName -ResourceGroupName $LogAnalyticsResourceGroup -ErrorAction Stop

+ } catch {

+ Write-Output ""

+ Write-Output "Creating Log Analytics workspace [ $($LoganalyticsWorkspaceName) ] in $LogAnalyticsResourceGroup"

+ New-AzOperationalInsightsWorkspace -Location $LoganalyticsLocation -Name $LoganalyticsWorkspaceName -Sku PerGB2018 -ResourceGroupName $LogAnalyticsResourceGroup

+ }

+ #-

+ # Get workspace details

+ #-

+ $LogWorkspaceInfo = Get-AzOperationalInsightsWorkspace -Name $LoganalyticsWorkspaceName -ResourceGroupName $LogAnalyticsResourceGroup

+ $LogAnalyticsWorkspaceResourceId = $LogWorkspaceInfo.ResourceId

+ #-

+ # Create Azure app registration

+ #-

+ Write-Output ""

+ Write-Output "Validating Azure App [ $($AzureAppName) ]"

+ $AppCheck = Get-MgApplication -Filter "DisplayName eq '$AzureAppName'" -ErrorAction Stop

+ If ($AppCheck -eq $null)

+ {

+ Write-Output ""

+ Write-host "Creating Azure App [ $($AzureAppName) ]"

+ $AzureApp = New-MgApplication -DisplayName $AzureAppName

+ }

+ #-

+ # Create service principal on Azure app

+ #-

+ Write-Output ""

+ Write-Output "Validating Azure Service Principal on App [ $($AzureAppName) ]"

+ $AppInfo = Get-MgApplication -Filter "DisplayName eq '$AzureAppName'"

+ $AppId = $AppInfo.AppId

+ $ObjectId = $AppInfo.Id

+ $ServicePrincipalCheck = Get-MgServicePrincipal -Filter "AppId eq '$AppId'"

+ If ($ServicePrincipalCheck -eq $null)

+ {

+ Write-Output ""

+ Write-host "Creating Azure Service Principal on App [ $($AzureAppName) ]"

+ $ServicePrincipal = New-MgServicePrincipal -AppId $AppId

+ }

+ #-

+ # Create secret on Azure app

+ #-

+ Write-Output ""

+ Write-Output "Validating Azure Secret on App [ $($AzureAppName) ]"

+ $AppInfo = Get-MgApplication -Filter "AppId eq '$AppId'"

+ $AppId = $AppInfo.AppId

+ $ObjectId = $AppInfo.Id

+ If ($AzAppSecretName -notin $AppInfo.PasswordCredentials.DisplayName)

+ {

+ Write-Output ""

+ Write-host "Creating Azure Secret on App [ $($AzureAppName) ]"

+ $passwordCred = @{

+ displayName = $AzAppSecretName

+ endDateTime = (Get-Date).AddYears(1)

+ }

+ $AzAppSecret = (Add-MgApplicationPassword -applicationId $ObjectId -PasswordCredential $passwordCred).SecretText

+ Write-Output ""

+ Write-Output "Secret with name [ $($AzAppSecretName) ] created on app [ $($AzureAppName) ]"

+ Write-Output $AzAppSecret

+ Write-Output ""

+ Write-Output "AppId for app [ $($AzureAppName) ] is"

+ Write-Output $AppId

+ }

+ #-

+ # Create a resource group for data collection endpoints (DCE) in the same region as the Log Analytics workspace

+ #-

+ Write-Output ""

+ Write-Output "Validating Azure resource group exist [ $($AzDceResourceGroup) ]"

+ try {

+ Get-AzResourceGroup -Name $AzDceResourceGroup -ErrorAction Stop

+ } catch {

+ Write-Output ""

+ Write-Output "Creating Azure resource group [ $($AzDceResourceGroup) ]"

+ New-AzResourceGroup -Name $AzDceResourceGroup -Location $LoganalyticsLocation

+ }

+ #-

+ # Create a resource group for data collection rules (DCR) in the same region as the Log Analytics workspace

+ #-

+ Write-Output ""

+ Write-Output "Validating Azure resource group exist [ $($AzDcrResourceGroup) ]"

+ try {

+ Get-AzResourceGroup -Name $AzDcrResourceGroup -ErrorAction Stop

+ } catch {

+ Write-Output ""

+ Write-Output "Creating Azure resource group [ $($AzDcrResourceGroup) ]"

+ New-AzResourceGroup -Name $AzDcrResourceGroup -Location $LoganalyticsLocation

+ }

+ #-

+ # Create data collection endpoint

+ #-

+ Write-Output ""

+ Write-Output "Validating data collection endpoint exist [ $($AzDceName) ]"

+

+ $DceUri = "https://management.azure.com" + "/subscriptions/" + $LogAnalyticsSubscription + "/resourceGroups/" + $AzDceResourceGroup + "/providers/Microsoft.Insights/dataCollectionEndpoints/" + $AzDceName + "?api-version=2022-06-01"

+ Try

+ {

+ Invoke-RestMethod -Uri $DceUri -Method GET -Headers $Headers

+ }

+ Catch

+ {

+ Write-Output ""

+ Write-Output "Creating/updating DCE [ $($AzDceName) ]"

+ $DceObject = [pscustomobject][ordered]@{

+ properties = @{

+ description = "DCE for LogIngest to LogAnalytics $LoganalyticsWorkspaceName"

+ networkAcls = @{

+ publicNetworkAccess = "Enabled"

+ }

+ }

+ location = $LogAnalyticsLocation

+ name = $AzDceName

+ type = "Microsoft.Insights/dataCollectionEndpoints"

+ }

+ $DcePayload = $DceObject | ConvertTo-Json -Depth 20

+ $DceUri = "https://management.azure.com" + "/subscriptions/" + $LogAnalyticsSubscription + "/resourceGroups/" + $AzDceResourceGroup + "/providers/Microsoft.Insights/dataCollectionEndpoints/" + $AzDceName + "?api-version=2022-06-01"

+ Try

+ {

+ Invoke-WebRequest -Uri $DceUri -Method PUT -Body $DcePayload -Headers $Headers

+ }

+ Catch

+ {

+ }

+ }

+

+ #-

+ # Sleeping 1 min to let Azure AD replicate before delegation

+ #-

+ # Write-Output "Sleeping 1 min to let Azure AD replicate before doing delegation"

+ # Start-Sleep -s 60

+ #-

+ # Grant the Azure app permissions to the Log Analytics workspace

+ # Needed for table management - not needed for log ingestion - for simplicity, it's set up when there's one app

+ #-

+ Write-Output ""

+ Write-Output "Setting Contributor permissions for app [ $($AzureAppName) ] on the Log Analytics workspace [ $($LoganalyticsWorkspaceName) ]"

+ $LogWorkspaceInfo = Get-AzOperationalInsightsWorkspace -Name $LoganalyticsWorkspaceName -ResourceGroupName $LogAnalyticsResourceGroup

+ $LogAnalyticsWorkspaceResourceId = $LogWorkspaceInfo.ResourceId

+ $ServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "AppId eq '$AppId'").Id

+ $DcrRgResourceId = (Get-AzResourceGroup -Name $AzDcrResourceGroup).ResourceId

+ # Contributor on Log Analytics workspace

+ $guid = (new-guid).guid

+ $ContributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c" # Contributor

+ $roleDefinitionId = "/subscriptions/$($LogAnalyticsSubscription)/providers/Microsoft.Authorization/roleDefinitions/$($ContributorRoleId)"

+ $roleUrl = "https://management.azure.com" + $LogAnalyticsWorkspaceResourceId + "/providers/Microsoft.Authorization/roleAssignments/$($Guid)?api-version=2018-07-01"

+ $roleBody = @{

+ properties = @{

+ roleDefinitionId = $roleDefinitionId

+ principalId = $ServicePrincipalObjectId

+ scope = $LogAnalyticsWorkspaceResourceId

+ }

+ }

+ $jsonRoleBody = $roleBody | ConvertTo-Json -Depth 6

+ $result = try

+ {

+ Invoke-RestMethod -Uri $roleUrl -Method PUT -Body $jsonRoleBody -headers $Headers -ErrorAction SilentlyContinue

+ }

+ catch

+ {

+ }

+ #-

+ # Grant the Azure app permissions to the DCR resource group

+ #-

+ Write-Output ""

+ Write-Output "Setting Contributor permissions for app [ $($AzureAppName) ] on resource group [ $($AzDcrResourceGroup) ]"

+ $ServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "AppId eq '$AppId'").Id

+ $AzDcrRgResourceId = (Get-AzResourceGroup -Name $AzDcrResourceGroup).ResourceId

+ # Contributor

+ $guid = (new-guid).guid

+ $ContributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c" # Contributor

+ $roleDefinitionId = "/subscriptions/$($LogAnalyticsSubscription)/providers/Microsoft.Authorization/roleDefinitions/$($ContributorRoleId)"

+ $roleUrl = "https://management.azure.com" + $AzDcrRgResourceId + "/providers/Microsoft.Authorization/roleAssignments/$($Guid)?api-version=2018-07-01"

+ $roleBody = @{

+ properties = @{

+ roleDefinitionId = $roleDefinitionId

+ principalId = $ServicePrincipalObjectId

+ scope = $AzDcrRgResourceId

+ }

+ }

+ $jsonRoleBody = $roleBody | ConvertTo-Json -Depth 6

+ $result = try

+ {

+ Invoke-RestMethod -Uri $roleUrl -Method PUT -Body $jsonRoleBody -headers $Headers -ErrorAction SilentlyContinue

+ }

+ catch

+ {

+ }

+ Write-Output ""

+ Write-Output "Setting Monitoring Metrics Publisher permissions for app [ $($AzureAppName) ] on RG [ $($AzDcrResourceGroup) ]"

+ # Monitoring Metrics Publisher

+ $guid = (new-guid).guid

+ $monitorMetricsPublisherRoleId = "3913510d-42f4-4e42-8a64-420c390055eb"

+ $roleDefinitionId = "/subscriptions/$($LogAnalyticsSubscription)/providers/Microsoft.Authorization/roleDefinitions/$($monitorMetricsPublisherRoleId)"

+ $roleUrl = "https://management.azure.com" + $AzDcrRgResourceId + "/providers/Microsoft.Authorization/roleAssignments/$($Guid)?api-version=2018-07-01"

+ $roleBody = @{

+ properties = @{

+ roleDefinitionId = $roleDefinitionId

+ principalId = $ServicePrincipalObjectId

+ scope = $AzDcrRgResourceId

+ }

+ }

+ $jsonRoleBody = $roleBody | ConvertTo-Json -Depth 6

+ $result = try

+ {

+ Invoke-RestMethod -Uri $roleUrl -Method PUT -Body $jsonRoleBody -headers $Headers -ErrorAction SilentlyContinue

+ }

+ catch

+ {

+ }

+ #-

+ # Grant the Azure app permissions to the DCE resource group

+ #-

+ Write-Output ""

+ Write-Output "Setting Contributor permissions for app [ $($AzDceName) ] on RG [ $($AzDceResourceGroup) ]"

+ $ServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "AppId eq '$AppId'").Id

+ $AzDceRgResourceId = (Get-AzResourceGroup -Name $AzDceResourceGroup).ResourceId

+ # Contributor

+ $guid = (new-guid).guid

+ $ContributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c" # Contributor

+ $roleDefinitionId = "/subscriptions/$($LogAnalyticsSubscription)/providers/Microsoft.Authorization/roleDefinitions/$($ContributorRoleId)"

+ $roleUrl = "https://management.azure.com" + $AzDceRgResourceId + "/providers/Microsoft.Authorization/roleAssignments/$($Guid)?api-version=2018-07-01"

+ $roleBody = @{

+ properties = @{

+ roleDefinitionId = $roleDefinitionId

+ principalId = $ServicePrincipalObjectId

+ scope = $AzDceRgResourceId

+ }

+ }

+ $jsonRoleBody = $roleBody | ConvertTo-Json -Depth 6

+ $result = try

+ {

+ Invoke-RestMethod -Uri $roleUrl -Method PUT -Body $jsonRoleBody -headers $Headers -ErrorAction SilentlyContinue

+ }

+ catch

+ {

+ }

+ #--

+ # Summarize environment details

+ #--

+ # Azure App

+ Write-Output ""

+ Write-Output "Tenant Id:"

+ Write-Output $TenantId

+ # Azure App

+ $AppInfo = Get-MgApplication -Filter "DisplayName eq '$AzureAppName'"

+ $AppId = $AppInfo.AppId

+ $ObjectId = $AppInfo.Id

+ Write-Output ""

+ Write-Output "Log Ingestion Azure App name:"

+ Write-Output $AzureAppName

+ Write-Output ""

+ Write-Output "Log Ingestion Azure App ID:"

+ Write-Output $AppId

+ Write-Output ""

+ If ($AzAppSecret)

+ {

+ Write-Output "LogIngestion Azure App secret:"

+ Write-Output $AzAppSecret

+ }

+ Else

+ {

+ Write-Output "Log Ingestion Azure App secret:"

+ Write-Output "N/A (new secret must be made)"

+ }

+ # Azure Service Principal for App

+ $ServicePrincipalObjectId = (Get-MgServicePrincipal -Filter "AppId eq '$AppId'").Id

+ Write-Output ""

+ Write-Output "Log Ingestion service principal Object ID for app:"

+ Write-Output $ServicePrincipalObjectId

+ # Azure Loganalytics

+ Write-Output ""

+ $LogWorkspaceInfo = Get-AzOperationalInsightsWorkspace -Name $LoganalyticsWorkspaceName -ResourceGroupName $LogAnalyticsResourceGroup

+ $LogAnalyticsWorkspaceResourceId = $LogWorkspaceInfo.ResourceId

+ Write-Output ""

+ Write-Output "Log Analytics workspace resource ID:"

+ Write-Output $LogAnalyticsWorkspaceResourceId

+ # DCE

+ $DceUri = "https://management.azure.com" + "/subscriptions/" + $LogAnalyticsSubscription + "/resourceGroups/" + $AzDceResourceGroup + "/providers/Microsoft.Insights/dataCollectionEndpoints/" + $AzDceName + "?api-version=2022-06-01"

+ $DceObj = Invoke-RestMethod -Uri $DceUri -Method GET -Headers $Headers

+ $AzDceLogIngestionUri = $DceObj.properties.logsIngestion[0].endpoint

+ Write-Output ""

+ Write-Output "Data collection endpoint name:"

+ Write-Output $AzDceName

+ Write-Output ""

+ Write-Output "Data collection endpoint Log Ingestion URI:"

+ Write-Output $AzDceLogIngestionUri

+ Write-Output ""

+ Write-Output "-"

+```

+

+## Next steps

+- [Learn more about data collection rules](../essentials/data-collection-rule-overview.md)

+- [Learn more about writing transformation queries](../essentials//data-collection-transformations.md)

+| Prometheus Metrics | The service is currently free to use, with billing set to begin on 8/1/2023. Pricing for Azure Monitor managed service for Prometheus consists of data ingestion priced at $0.16/10 million samples ingested and metric queries priced at $0.001/10 million samples processed. Data is retained for 18 months at no extra charge. |

+ * **Encryption key source**

+ You can select `Microsoft Managed Key` or `Customer Managed Key`. See [Configure customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md) and [Azure NetApp Files double encryption at rest](double-encryption-at-rest.md) about using this field.

+ * **Encryption key source**

+ You can select `Microsoft Managed Key` or `Customer Managed Key`. See [Configure customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md) and [Azure NetApp Files double encryption at rest](double-encryption-at-rest.md) about using this field.

+

+ * **Encryption type** <a name="encryption_type"></a>

+ Specify whether you want the volumes in this capacity pool to use **single** or **double** encryption. See [Azure NetApp Files double encryption at rest](double-encryption-at-rest.md) for details.

+ > [!IMPORTANT]

+ > Azure NetApp Files double encryption at rest supports [Standard network features](azure-netapp-files-network-topologies.md#configurable-network-features), but not Basic network features. See [considerations](double-encryption-at-rest.md#considerations) for using Azure NetApp Files double encryption at rest.

+ >

+ > After the capacity pool is created, you canΓÇÖt modify the setting (switching between `single` or `double`) for the encryption type.

+ Azure NetApp Files double encryption at rest is currently in preview. If you are using this feature for the first time, you need to register the feature first.

+ 1. Register the feature:

+ ```azurepowershell-interactive

+ Register-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFDoubleEncryption

+ ```

+ 2. Check the status of the feature registration. `RegistrationState` may be in the `Registering` state for up to 60 minutes before changing to`Registered`. Wait until the status is `Registered` before continuing.

+ ```azurepowershell-interactive

+ Get-AzProviderFeature -ProviderNamespace Microsoft.NetApp -FeatureName ANFDoubleEncryption

+ ```

+ You can also use [Azure CLI commands](/cli/azure/feature) `az feature register` and `az feature show` to register the feature and display the registration status.

+ :::image type="content" source="../media/azure-netapp-files/azure-netapp-files-new-capacity-pool.png" alt-text="Screenshot showing the New Capacity Pool window.":::

+ The **Capacity pools** page shows the configurations for the capacity pool.

+

+- [Azure NetApp Files double encryption at rest](double-encryption-at-rest.md)

+* Dual-protocol volumes do not support the use of LDAP over TLS with Azure Active Directory Domain Services ([Azure AD DS](../active-directory-domain-services/overview.md)). LDAP over TLS is supported with Active Directory Domain Services (AD DS). See [LDAP over TLS considerations](configure-ldap-over-tls.md#considerations).

+ * **Encryption key source**

+ You can select `Microsoft Managed Key` or `Customer Managed Key`. See [Configure customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md) and [Azure NetApp Files double encryption at rest](double-encryption-at-rest.md) about using this field.

+ Title: Azure NetApp Files double encryption at rest | Microsoft Docs

+description: Explains Azure NetApp Files double encryption at rest to help you use this feature.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+# Azure NetApp Files double encryption at rest

+By default, Azure NetApp Files capacity pools use single encryption at rest. When you [create a capacity pool](azure-netapp-files-set-up-capacity-pool.md#encryption_type), you have the option to use double encryption at rest for the volumes in the capacity pool. You can do so by selecting `double` as the **encryption type** for the capacity pool that you are creating.

+Critical data is often found in places such as financial institutions, military users, business customer data, government records, health care medical records, and so on. While single encryption at rest may be considered sufficient for some data, you should use double encryption at rest for data where a breach of confidentiality would be catastrophic. Leaks of information such as customer sensitive data, names, addresses, and government identification can result in extremely high liability, and it can be mitigated by having data confidentiality protected by double encryption at rest.

+When data is transported over networks, additional encryption such as Transport Layer Security (TLS) can help to protect the transit of data. But once the data has arrived, protection of that data at rest helps to address the vulnerability. Using Azure NetApp Files double encryption at rest complements the security thatΓÇÖs inherent with the physically secure cloud storage in Azure data centers.

+Azure NetApp Files double encryption at rest provides two levels of encryption protection: both a hardware-based encryption layer (encrypted SSD drives) and a software-encryption layer. The hardware-based encryption layer resides at the physical storage level, using FIPS 140-2 certified drives. The software-based encryption layer is at the volume level completing the second level of encryption protection.

+If you are using this feature for the first time, you need to [register for the feature](azure-netapp-files-set-up-capacity-pool.md#encryption_type) and then create a double-encryption capacity pool. For details, see [Create a capacity pool for Azure NetApp Files](azure-netapp-files-set-up-capacity-pool.md).

+When you create a volume in a double-encryption capacity pool, the default key management (the **Encryption key source** field) is `Microsoft Managed Key`, and the other choice is `Customer Managed Key`. Using customer-managed keys requires additional preparation of an Azure Key Vault and other details. For more information about using volume encryption with customer managed keys, see [Configure customer-managed keys for Azure NetApp Files volume encryption](configure-customer-managed-keys.md).

+## Supported regions

+Azure NetApp Files double encryption at rest is supported for the following regions:

+* West Europe

+* East US 2

+* East Asia

+## Considerations

+* Azure NetApp Files double encryption at rest supports [Standard network features](azure-netapp-files-network-topologies.md#configurable-network-features), but not Basic network features.

+* For the cost of using Azure NetApp Files double encryption at rest, see the [Azure NetApp Files pricing](https://azure.microsoft.com/pricing/details/netapp/) page.

+* You can't convert volumes in a single-encryption capacity pool to use double encryption at rest. However, you can copy data in a single-encryption volume to a volume created in a capacity pool that is configured with double encryption.

+* For capacity pools created with double encryption at rest, volume names in the capacity pool are visible only to volume owners for maximum security.

+## Next steps

+* [Create a capacity pool for Azure NetApp Files](azure-netapp-files-set-up-capacity-pool.md)

+## Issues for double-encryption capacity pools

+| Error condition | Resolution |

+|-|-|

+| Out of storage capacity when creating or resizing volumes under double-encryption capacity pools: `There are currently insufficient resources available to create [or extend] a volume in this region. Please retry the operation. If the problem persists, contact Support.` | The error indicates insufficient resources in the region to support hardware-level data encryption. Retry the operation after some time. Resources may have been freed in the cluster, region, or zone in the interim. |

+* [Azure NetApp Files double encryption at rest](double-encryption-at-rest.md) (Preview)

+ We are excited to announce the addition of double encryption at rest for Azure NetApp Files volumes. This new feature provides an extra layer of protection for your critical data, ensuring maximum confidentiality and mitigating potential liabilities. Double encryption at rest is ideal for industries such as finance, military, healthcare, and government, where breaches of confidentiality can have catastrophic consequences. By combining hardware-based encryption with encrypted SSD drives and software-based encryption at the volume level, your data remains secure throughout its lifecycle. You can select **double** as the encryption type during capacity pool creation to easily enable this advanced security layer.

+1. From your Azure DevOps organization, select **Pipelines** and **Create pipeline**.

+ :::image type="content" source="./media/add-template-to-azure-pipelines/new-pipeline.png" alt-text="Screenshot of creating new pipeline.":::

+1. Specify where your code is stored. This quickstart uses Azure Repos Git.

+ :::image type="content" source="./media/add-template-to-azure-pipelines/select-source.png" alt-text="Screenshot of selecting code source.":::

+ :::image type="content" source="./media/add-template-to-azure-pipelines/select-repo.png" alt-text="Screenshot of selecting repository.":::

+ :::image type="content" source="./media/add-template-to-azure-pipelines/select-pipeline.png" alt-text="Screenshot of selecting pipeline.":::

+1. Replace your starter pipeline with the following YAML. It creates a resource group and deploys a Bicep file by using an [Azure Resource Manager Template Deployment task](/azure/devops/pipelines/tasks/reference/azure-resource-manager-template-deployment-v3).

+ ```yml

+ trigger:

+ - main

+ name: Deploy Bicep files

+ variables:

+ vmImageName: 'ubuntu-latest'

+ azureServiceConnection: '<your-connection-name>'

+ resourceGroupName: 'exampleRG'

+ location: '<your-resource-group-location>'

+ templateFile: './main.bicep'

+ pool:

+ vmImage: $(vmImageName)

+ steps:

+ - task: AzureResourceManagerTemplateDeployment@3

+ inputs:

+ deploymentScope: 'Resource Group'

+ azureResourceManagerConnection: '$(azureServiceConnection)'

+ action: 'Create Or Update Resource Group'

+ resourceGroupName: '$(resourceGroupName)'

+ location: '$(location)'

+ templateLocation: 'Linked artifact'

+ csmFile: '$(templateFile)'

+ overrideParameters: '-storageAccountType Standard_LRS'

+ deploymentMode: 'Incremental'

+ deploymentName: 'DeployPipelineTemplate'

+ ```

+1. Update the values of `azureServiceConnection` and `location`.

+1. Verify you have a `main.bicep` in your repo, and the content of the Bicep file.

+1. Select **Save**. The build pipeline automatically runs. Go back to the summary for your build pipeline, and watch the status.

+### Use Azure CLI task

+1. Replace your starter pipeline with the following YAML. It creates a resource group and deploys a Bicep file by using an [Azure CLI task](/azure/devops/pipelines/tasks/reference/azure-cli-v2):

+ ```yml

+ trigger:

+ - main

+ name: Deploy Bicep files

+ variables:

+ vmImageName: 'ubuntu-latest'

+ azureServiceConnection: '<your-connection-name>'

+ resourceGroupName: 'exampleRG'

+ location: '<your-resource-group-location>'

+ templateFile: 'main.bicep'

+ pool:

+ vmImage: $(vmImageName)

+ steps:

+ - task: AzureCLI@2

+ inputs:

+ azureSubscription: $(azureServiceConnection)

+ scriptType: bash

+ scriptLocation: inlineScript

+ useGlobalConfig: false

+ inlineScript: |

+ az --version

+ az group create --name $(resourceGroupName) --location $(location)

+ az deployment group create --resource-group $(resourceGroupName) --template-file $(templateFile)

+ ```

+ To override the parameters, update the last line of `inlineScript` to:

+ ```bicep

+ az deployment group create --resource-group $(resourceGroupName) --template-file $(templateFile) --parameters storageAccountType='Standard_GRS' location='eastus'

+ ```

+ For the descriptions of the task inputs, see [Azure CLI task](/azure/devops/pipelines/tasks/reference/azure-cli-v2). When using the task on air-gapped cloud, you must set the `useGlobalConfig` property of the task to `true`. The default value is `false`.

+1. Update the values of `azureServiceConnection` and `location`.

+1. Verify you have a `main.bicep` in your repo, and the content of the Bicep file.

+1. Select **Save**. The build pipeline automatically runs. Go back to the summary for your build pipeline, and watch the status.

+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {

+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {

+resource sqlServer 'Microsoft.Sql/servers@2022-08-01-preview' = {

+resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {

+resource dScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = {

+| Microsoft.DocumentDB/databaseAccounts | [listConnectionStrings](/rest/api/cosmos-db-resource-provider/2022-11-15/database-accounts/list-connection-strings) |

+| Microsoft.DocumentDB/databaseAccounts | [listKeys](/rest/api/cosmos-db-resource-provider/2022-11-15/database-accounts/list-keys) |

+| Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces | [listConnectionInfo](/rest/api/cosmos-db-resource-provider/2022-11-15/notebook-workspaces/list-connection-info) |

+| Microsoft.MachineLearningServices/workspaces/computes | [listKeys](/rest/api/azureml/2023-04-01/compute/list-keys) |

+| Microsoft.MachineLearningServices/workspaces/computes | [listNodes](/rest/api/azureml/2023-04-01/compute/list-nodes) |

+| Microsoft.MachineLearningServices/workspaces | [listKeys](/rest/api/azureml/2023-04-01/workspaces/list-keys) |

+The Bicep files provide access to the reference function, although it is typically unnecessary. Instead, it is recommended to use the symbolic name of the resource. The reference function can only be used within the `properties` object of a resource and cannot be employed for top-level properties like `name` or `location`. The same generally applies to references using the symbolic name. However, for properties such as `name`, it is possible to generate a template without utilizing the reference function. Sufficient information about the resource name is known to directly emit the name. It is referred to as compile-time properties. Bicep validation can identify any incorrect usage of the symbolic name.

+The following example deploys a storage account. The first two outputs give you the same results.

+param storageAccountName string = uniqueString(resourceGroup().id)

+param location string = resourceGroup().location

+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {

+ location: location

+output storageObjectSymbolic object = storageAccount.properties

+output storageObjectReference object = reference('storageAccount')

+output storageName string = storageAccount.name

+output storageLocation string = storageAccount.location

+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {

+param location string = resourceGroup().location

+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {

+ location: location

+resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {

+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {

+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {

+resource location_lock 'Microsoft.Authorization/policyAssignments@2021-06-01' = {

+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {

+ --parameters storage.bicepparam

+You can use inline parameters and a local parameters file in the same deployment operation. For example, you can specify some values in the local parameters file and add other values inline during deployment. If you provide values for a parameter in both the local parameters file and inline, the inline value takes precedence. This feature hasn't been implemented for Bicep parameters file.

+content_well_notification:

+ - AI-contribution

+<!--[!INCLUDE [AI attribution](../../../includes/ai-generated-attribution.md)]-->

+> [!IMPORTANT]

+> The move feature is under development for Cloud Services (extended support) and not available for Production use yet. The guidance will be updated once the feature is deployed for all customers and regions.

+ "resources": [

+ {

+ {

+ ],

+ "resources": [

+ {

+ ]

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+ "resources": [],

+This approach is applicable to continuous integration type of scenarios, where the diagnostics extension can be enabled as part of deploying the cloud service. When creating a new Cloud Service deployment, you can enable the diagnostics extension by passing in the *ExtensionConfiguration* parameter to the [New-AzureDeployment](/powershell/module/servicemanagement/azure/new-azuredeployment) cmdlet. The *ExtensionConfiguration* parameter takes an array of diagnostics configurations that can be created using the [New-AzureServiceDiagnosticsExtensionConfig](/powershell/module/servicemanagement/azure/new-azureservicediagnosticsextensionconfig) cmdlet.

+You can use the [Set-AzureServiceDiagnosticsExtension](/powershell/module/servicemanagement/azure/set-azureservicediagnosticsextension) cmdlet to enable or update diagnostics configuration on a Cloud Service that is already running.

+Use the [Get-AzureServiceDiagnosticsExtension](/powershell/module/servicemanagement/azure/get-azureservicediagnosticsextension) cmdlet to get the current diagnostics configuration for a cloud service.

+To turn off diagnostics on a cloud service, you can use the [Remove-AzureServiceDiagnosticsExtension](/powershell/module/servicemanagement/azure/remove-azureservicediagnosticsextension) cmdlet.

+* To learn how to enable the diagnostics extension for Virtual Machines, see [Create a Windows Virtual machine with monitoring and diagnostics using Azure Resource Manager Template](../virtual-machines/extensions/diagnostics-template.md)

+- All instances of your roles must be running before you can perform the swap. You can check the status of your instances on the **Overview** blade of the Azure portal. Alternatively, you can use the [Get-AzureRole](/powershell/module/servicemanagement/azure/get-azurerole) command in Windows PowerShell.

+* Configure [TLS/SSL certificates](cloud-services-configure-ssl-certificate-portal.md).

+3. Use the [Add-AzureAccount](/powershell/module/servicemanagement/azure/add-azureaccount) to sign in.

+* To manage the cloud service deployment, refer to the [Get-AzureService](/powershell/module/servicemanagement/azure/Get-AzureService), [Remove-AzureService](/powershell/module/servicemanagement/azure/Remove-AzureService), and [Set-AzureService](/powershell/module/servicemanagement/azure/set-azureservice) commands. You may also refer to [How to configure cloud services](cloud-services-how-to-configure-portal.md) for further information.

+The [Set-AzureServiceRemoteDesktopExtension](/powershell/module/servicemanagement/azure/set-azureserviceremotedesktopextension) cmdlet allows you to enable Remote Desktop on specified roles or all roles of your cloud service deployment. The cmdlet lets you specify the Username and Password for the remote desktop user through the *Credential* parameter that accepts a PSCredential object.

+The [Set-AzureServiceRemoteDesktopExtension](/powershell/module/servicemanagement/azure/set-azureserviceremotedesktopextension) cmdlet also accepts an *Expiration* parameter, which specifies a **DateTime** at which the user account expires. For example, you could set the account to expire a few days from the current date and time.

+The [Get-AzureRemoteDesktopFile](/powershell/module/servicemanagement/azure/get-azureremotedesktopfile) cmdlet is used to remote desktop into a specific role instance of your cloud service. You can use the *LocalPath* parameter to download the RDP file locally. Or you can use the *Launch* parameter to directly launch the Remote Desktop Connection dialog to access the cloud service role instance.

+The [Get-AzureServiceRemoteDesktopExtension](/powershell/module/servicemanagement/azure/get-azureremotedesktopfile) cmdlet displays that remote desktop is enabled or disabled on a service deployment. The cmdlet returns the username for the remote desktop user and the roles that the remote desktop extension is enabled for. By default, this happens on the deployment slot and you can choose to use the staging slot instead.

+To remove the remote desktop extension from the deployment, you can use the [Remove-AzureServiceRemoteDesktopExtension](/powershell/module/servicemanagement/azure/remove-azureserviceremotedesktopextension) cmdlet. You can also optionally specify the deployment slot and role from which you want to remove the remote desktop extension.

+[How to Configure Cloud Services](cloud-services-how-to-configure-portal.md)

+* D-series VMs are designed to run applications that demand higher compute power and temporary disk performance. D-series VMs provide faster processors, a higher memory-to-core ratio, and a solid-state drive (SSD) for the temporary disk. For details, see the announcement on the Azure blog, [New D-Series Virtual Machine Sizes](https://azure.microsoft.com/updates/d-series-virtual-machine-sizes).

+* [Summarization overview](overview.md)

+It's rare, but not impossible, to encounter a network issue that hits an entire region. If your service needs to always be available, then you should design it to either fail-over into another region or split the workload between two or more regions. Both approaches require at least two Azure OpenAI resources in different regions. This article provides general recommendations for how to implement Business Continuity and Disaster Recovery (BCDR) for your Azure OpenAI applications.

+1. Use the [models page](../concepts/models.md) to identify the list of available regions for Azure OpenAI.

+3. Create Azure OpenAI resources for each region selected.

+| Default DALL-E quota limits | 2 concurrent requests |

+# Azure Communication Services Call Automation logs

+Azure Communication Services offers logging capabilities that you can use to monitor and debug your Communication Services solution. You configure these capabilities through the Azure portal.

+Azure Communication Services provides monitoring and analytics features via [Azure Monitor Logs](../../../../azure-monitor/logs/data-platform-logs.md) and [Azure Monitor Metrics](../../../../azure-monitor/essentials/data-platform-metrics.md). Each Azure resource requires its own diagnostic setting, which defines the following criteria:

+* Categories of log and metric data sent to the destinations that the setting defines. The available categories vary by resource type.

+* One or more destinations to send the logs. Current destinations include Log Analytics workspace, Azure Event Hubs, and Azure Storage.

+ A single diagnostic setting can define no more than one of each destination type. If you want to send data to more than one destination type (for example, two Log Analytics workspaces), create multiple settings. Each resource can have up to five diagnostic settings.

+> You must enable a diagnostic setting in Azure Monitor to send the log data of your surveys to a Log Analytics workspace, an event hub, or an Azure storage account to receive and analyze your survey data. If you don't send Call Automation data to one of these options, your survey data won't be stored and will be lost.

+The following instructions configure your Azure Monitor resource to start creating logs and metrics for your Communication Services instance. For detailed documentation about using diagnostic settings across all Azure resources, see [Enable logging in diagnostic settings](../enable-logging.md).

+Under the diagnostic setting name, select **Operation Call Automation Logs** and **Call Automation Events Summary Logs** to enable the logs for Call Automation.

+* **Usage logs**: Provide usage data associated with each billed service offering.

+* **Call automation operational logs**: Provide operational information on Call Automation API requests. You can use these logs to identify failure points and query all requests made in a call (by using the correlation ID or server call ID).

+* **Call Automation media summary logs**: Provide information about the outcome of media operations. These logs come to you asynchronously when you're making media requests by using Call Automation APIs. You can use these logs to help identify failure points and possible patterns on how users interact with your application.

+## Usage log schema

+| `Timestamp` | The time stamp (UTC) of when the log was generated. |

+| `OperationVersion` | The `api-version` value associated with the operation, if the `OperationName` operation was performed through an API. If no API corresponds to this operation, the version represents the version of the operation, in case the properties associated with the operation change in the future. |

+| `Category` | The log category of the event. The category is the granularity at which you can enable or disable logs on a resource. The properties that appear within the `properties` blob of an event are the same within a log category and resource type. |

+| `CorrelationID` | The ID for correlated events. You can use it to identify correlated events between multiple tables. |

+| `Properties` | Other data that's applicable to various modes of Communication Services. |

+| `RecordID` | The unique ID for a usage record. |

+| `UsageType` | The mode of usage (for example, Chat, PSTN, or NAT). |

+| `UnitType` | The type of unit that usage is based on for a mode of usage (for example, minutes, megabytes, or messages). |

+| `TimeGenerated` | The time stamp (UTC) of when the log was generated. |

+| `OperationVersion` | The `api-version` version associated with the operation, if the `operationName` operation was performed through an API. If no API corresponds to this operation, the version represents the version of the operation, in case the properties associated with the operation change in the future. |

+| `Category` | The log category of the event. The category is the granularity at which you can enable or disable logs on a resource. The properties that appear within the `properties` blob of an event are the same within a log category and resource type. |

+| `ResultSignature` | The substatus of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call. |

+| `CallerIpAddress` | The caller IP address, if the operation corresponds to an API call that comes from an entity with a publicly available IP address. |

+| `CallConnectionId` | The ID that represents the call connection, if available. This ID is different for each participant and is used to identify their connection to the call. |

+| `SDKVersion` | The SDK version used for the request. |

+| `ParticipantId` | The ID to identify the call participant that made the request. |

+| `SubOperationName` | The name that's used to identify the subtype of media operation (play or recognize). |

+|`operationID`| The ID that's used to correlate asynchronous events.|

+Here's an example of a Call Automation operational log:

+| `TimeGenerated` | The time stamp (UTC) of the event.|

+| `level`| The severity level of the event. It must be one of `Informational`, `Warning`, `Error`, or `Critical`.ΓÇ» |

+| `resourceId` | The ID of the resource that emitted the event. |

+| `durationMs` | The duration of the operation in milliseconds. |

+| `callerIpAddress` | |

+| `correlationId` | The Skype chain ID.ΓÇ» |

+| `operationName` | The name of the operation that this event represents.|

+| `operationVersion` | |

+| `resultType` | The status of the event. Typical values include `Completed`, `Canceled`, and `Failed`.|

+| `resultSignature` | The substatus of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call.|

+| `operationId` | The operation ID that's used to correlate asynchronous events.|

+| `recognizePromptSubOperationName` | A subtype of the operation. Potential values include `File`, `TextToSpeech`, and `SSML`.|

+| `playInLoop` | `True` if looping was requested for the play operation. `False` if otherwise.|

+| `playToParticipant` | `True` if the play operation had a target. `False` if it was a play-to-all operation.|

+| `interrupted` | `True` if the prompt is interrupted. `False` if otherwise.|

+| `resultCode` | The result code of the operation. |

+| `resultSubcode` | The result subcode of the operation. |

+| `resultMessage` | The result message of the operation. |

+Here's an example of a Call Automation media summary log:

+## Next steps

+- Learn about the [insights dashboard to monitor Call Automation logs and metrics](/azure/communication-services/concepts/analytics/insights/call-automation-insights).

+# Azure Communication Services Call Recording logs

+Azure Communication Services offers logging capabilities that you can use to monitor and debug your Communication Services solution. You configure these capabilities through the Azure portal.

+The content in this article refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/faq.yml)). To enable these logs for Communication Services, see [Enable logging in diagnostic settings](../enable-logging.md).

+* **Usage logs**: Provide usage data associated with each billed service offering.

+* **Call Recording summary logs**: Provide summary information for call recordings, like:

+ * Call duration.

+ * Media content (for example, audio/video, unmixed, or transcription).

+ * Format types used for the recording (for example, WAV or MP4).

+ * The reason why the recording ended.

+* **Recording incoming operations logs**: Provide information about incoming requests for Call Recording operations. Every entry corresponds to the result of a call to the Call Recording APIs, such as StartRecording, StopRecording, PauseRecording, and ResumeRecording.

+A recording file is generated at the end of a call or meeting. Either a user or an app (bot) can start and stop the recording. The recording can also end because of a system failure.

+### Usage log schema

+| `operationName` | The operation associated with the log record. |

+| `operationVersion` | The `api-version` value associated with the operation, if the `operationName` operation was performed through an API. If no API corresponds to this operation, the version represents the version of the operation, in case the properties associated with the operation change in the future. |

+| `category` | The log category of the event. The category is the granularity at which you can enable or disable logs on a resource. The properties that appear within the `properties` blob of an event are the same within a log category and resource type. |

+| `correlationID` | The ID for correlated events. You can use it to identify correlated events between multiple tables. |

+| `Properties` | Other data that's applicable to various modes of Communication Services. |

+| `recordID` | The unique ID for a usage record. |

+| `usageType` | The mode of usage (for example, Chat, PSTN, or NAT). |

+| `unitType` | The type of unit that usage is based on for a mode of usage (for example, minutes, megabytes, or messages). |

+### Call Recording summary log schema

+| `timeGenerated` | DateTime | The time stamp (UTC) of when the log was generated. |

+| `operationName` | String | The operation associated with a log record. |

+| `correlationId` | String | The ID that's used to correlate events between tables. |

+| `recordingID` | String | The ID for the recording that this log refers to. |

+| `category` | String | The log category of the event. Logs with the same log category and resource type have the same property fields. |

+| `resultType` | String | The status of the operation. |

+| `level` |String| The severity level of the operation. |

+| `chunkCount` | Integer | The total number of chunks created for the recording. |

+| `channelType` | String | The channel type of the recording, such as mixed or unmixed. |

+| `recordingStartTime` | DateTime| The time that the recording started.|

+| `contentType` | String | The content of the recording, such as audio only, audio/video, or transcription. |

+| `formatType` | String | The file format of the recording. |

+| `recordingLength` | Double | The duration of the recording in seconds.|

+| `audioChannelsCount` | Integer | The total number of audio channels in the recording. |

+| `recordingEndReason` | String | The reason why the recording ended. |

+A call can have one recording or many recordings, depending on how many times a recording event is triggered.

+For example, if an agent starts an outbound call on a recorded line and the call drops because of a poor network signal, `callID` will have one `recordingID` value. If the agent calls back the customer, the system generates a new `callID` instance and a new `recordingID` value.

+If the agent starts a recording and then stops and restarts the recording multiple times while the call is still on, `callID` will have many `recordingID` values. The number of values depends on how many times the recording events were triggered.

+```json

+Here are the properties:

+| `timeGenerated` | The time stamp (UTC) of when the log was generated. |

+| `callConnectionId` | The ID of the call connection or leg, if available. |

+| `callerIpAddress` | The caller IP address, if the operation corresponds to an API call that comes from an entity with a publicly available IP address. |

+| `correlationId` | The ID for correlated events. You can use it to identify correlated events between multiple tables. |

+| `durationMs` | The duration of the operation in milliseconds. |

+| `level` | The severity level of the operation. |

+| `operationName` | The operation associated with log records. |

+| `operationVersion` | The API version associated with the operation or version of the operation (if there is no API version). |

+| `resourceId` | A unique identifier for the resource that the record is associated with. |

+| `resultSignature` | The substatus of the operation. If this operation corresponds to a REST API call, this field is the HTTP status code of the corresponding REST call. |

+| `resultType` | The status of the operation. |

+| `sdkType` | The SDK type used in the request. |

+| `sdkVersion` | The SDK version. |

+| `serverCallId` | The server call ID. |

+| `URI` | The URI of the request. |

+Here's an example:

+- Get [Call Recording insights](../insights/call-recording-insights.md).

+- Learn more about [Call Recording](../../voice-video-calling/call-recording.md).

+ Title: Azure Communication Services Voice Calling and Video Calling logs

+description: Learn about logging for Azure Communication Services Voice Calling and Video Calling.

+# Azure Communication Services Voice Calling and Video Calling logs

+Azure Communication Services offers logging capabilities that you can use to monitor and debug your Communication Services solution. You configure these capabilities through the Azure portal.

+The content in this article refers to logs enabled through [Azure Monitor](../../../../azure-monitor/overview.md) (see also [FAQ](../../../../azure-monitor/faq.yml)). To enable these logs for Communication Services, see [Enable logging in diagnostic settings](../enable-logging.md).

+## Data concepts

+The following high-level descriptions of data concepts are specific to Voice Calling and Video Calling. These concepts are important to review so that you can understand the meaning of the data captured in the logs.

+Become familiar with the following terms:

+- **Call**: As represented in the data, a call is an abstraction that's depicted by `correlationId`. Values for `correlationId` are unique for each call, and they're time-bound by `callStartTime` and `callDuration`.

+- **Participant**: This entity represents the connection between an endpoint and the server. A participant (`participantId`) is present only when the call is a group call.

+- **Endpoint**: This is the most unique entity, represented by `endpointId`. Every call is an event that contains data from two or more endpoints. Endpoints represent the participants in the call.

+ `EndpointType` tells you whether the endpoint is a human user (PSTN or VoIP), a bot, or the server that's managing multiple participants within a call. When an `endpointType` value is `"Server"`, the endpoint is not assigned a unique ID. You can analyze `endpointType` and the number of `endpointId` values to determine how many users and other nonhuman participants (bots and servers) join a call.

+ Native SDKs for Android and iOS reuse the same `endpointId` value for a user across multiple calls, so you can get an understanding of experiences across sessions. This process differs from web-based endpoints, which always generate a new `endpointId` value for each new call.

+- **Stream**: This is the most granular entity. There's one stream for each direction (inbound or outbound) and `mediaType` value (for example, `Audio` or `Video`).

+## Data definitions

+### Usage log schema

+| `Timestamp` | The time stamp (UTC) of when the log was generated. |

+| `Operation Name` | The operation associated with the log record. |

+| `Operation Version` | The `api-version` value associated with the operation, if the `Operation Name` operation was performed through an API. If no API corresponds to this operation, the version represents the version of the operation, in case the properties associated with the operation change in the future. |

+| `Category` | The log category of the event. The category is the granularity at which you can enable or disable logs on a resource. The properties that appear within the `properties` blob of an event are the same within a log category and resource type. |

+| `Correlation ID` | The ID for correlated events. You can use it to identify correlated events between multiple tables. |

+| `Properties` | Other data that's applicable to various modes of Communication Services. |

+| `Record ID` | The unique ID for a usage record. |

+| `Usage Type` | The mode of usage (for example, Chat, PSTN, or NAT). |

+| `Unit Type` | The type of unit that usage is based on for a mode of usage (for example, minutes, megabytes, or messages). |

+### Call summary log schema

+The call summary log contains data to help you identify key properties of all calls. A different call summary log is created for each `participantId` (`endpointId` in the case of peer-to-peer [P2P] calls) value in the call.

+> Participant information in the call summary log varies based on the participant tenant. The SDK version and OS version are redacted if the participant is not within the same tenant (also called *cross-tenant*) as the Communication Services resource. Cross-tenant participants are classified as external users invited by a resource tenant to join and collaborate during a call.

+| `time` | The time stamp (UTC) of when the log was generated. |

+| `operationName` | The operation associated with the log record. |

+| `operationVersion` | The `api-version` value associated with the operation, if the `operationName` operation was performed through an API. If no API corresponds to this operation, the version represents the version of the operation, in case the properties associated with the operation change in the future. |

+| `category` | The log category of the event. This property is the granularity at which you can enable or disable logs on a resource. The properties that appear within the `properties` blob of an event are the same within a log category and resource type. |

+| `correlationId` | The unique ID for a call. It identifies correlated events from all of the participants and endpoints that connect during a single call, and you can use it to join data from different logs. If you ever need to open a support case with Microsoft, you can use the `correlationId` value to easily identify the call that you're troubleshooting. |

+| `identifier` | The unique ID for the user. The identity can be an Azure Communication Services user, an Azure Active Directory (Azure AD) user ID, a Teams anonymous user ID, or a Teams bot ID. You can use this ID to correlate user events across logs. |

+| `callStartTime` | A time stamp for the start of the call, based on the first attempted connection from any endpoint. |

+| `callDuration` | The duration of the call, expressed in seconds. It's based on the first attempted connection and the end of the last connection between two endpoints. |

+| `callType` | The type of the call. It contains either `"P2P"` or `"Group"`. A `"P2P"` call is a direct 1:1 connection between only two, non-server endpoints. A `"Group"` call is a call that has more than two endpoints or is created as `"Group"` call before the connection. |

+| `teamsThreadId` | The Teams thread ID. This ID is relevant only when the call is organized as a Teams meeting. It then represents the use case of interoperability between Microsoft Teams and Azure Communication Services. <br><br>This ID is exposed in operational logs. You can also get this ID through the Chat APIs. |

+| `participantId` | The ID that's generated to represent the two-way connection between a `"Participant"` endpoint (`endpointType` = `"Server"`) and the server. When `callType` = `"P2P"`, there's a direct connection between two endpoints, and no `participantId` value is generated. |

+| `participantStartTime` | The time stamp for the beginning of the participant's first connection attempt. |

+| `participantDuration` | The duration of each participant connection in seconds, from `participantStartTime` to the time stamp when the connection ended. |

+| `participantEndReason` | The reason for the end of a participant connection. It contains Calling SDK error codes that the SDK emits (when relevant) for each `participantId` value. |

+| `endpointId` | The unique ID that represents each endpoint connected to the call, where `endpointType` defines the endpoint type. When the value is `null`, the connected entity is the Communication Services server (`endpointType` = `"Server"`). <br><br>The `endpointId` value can sometimes persist for the same user across multiple calls (`correlationId`) for native clients. The number of `endpointId` values determines the number of call summary logs. A distinct summary log is created for each `endpointId` value. |

+| `endpointType` | This value describes the properties of each endpoint that's connected to the call. It can contain `"Server"`, `"VOIP"`, `"PSTN"`, `"BOT"`, or `"Unknown"`. |

+| `sdkVersion` | The version string for the Communication Services Calling SDK version that each relevant endpoint uses (for example, `"1.1.00.20212500"`). |

+| `osVersion` | A string that represents the operating system and version of each endpoint device. |

+### Call diagnostic log schema

+Call diagnostic logs provide important information about the endpoints and the media transfers for each participant. They also provide measurements that help you understand quality problems.

+For each endpoint within a call, a distinct call diagnostic log is created for outbound media streams (audio or video, for example) between endpoints. In a P2P call, each log contains data that relates to each of the outbound streams associated with each endpoint. In group calls, `participantId` serves as a key identifier to join the related outbound logs into a distinct participant connection. Call diagnostic logs remain intact and are the same regardless of the participant tenant.

+> In this article, P2P and group calls are within the same tenant, by default, for all call scenarios that are cross-tenant. They're specified accordingly throughout the article.

+| `operationName` | The operation associated with the log record. |

+| `operationVersion` | The `api-version` value associated with the operation, if the `operationName` operation was performed through an API. If no API corresponds to this operation, the version represents the version of the operation, in case the properties associated with the operation change in the future. |

+| `category` | The log category of the event. This property is the granularity at which you can enable or disable logs on a resource. The properties that appear within the `properties` blob of an event are the same within a log category and resource type. |

+| `correlationId` | The unique ID for a call. It identifies correlated events from all of the participants and endpoints that connect during a single call. If you ever need to open a support case with Microsoft, you can use the `correlationId` value to easily identify the call that you're troubleshooting. |

+| `participantId` | The ID that's generated to represent the two-way connection between a `"Participant"` endpoint (`endpointType` = `"Server"`) and the server. When `callType` = `"P2P"`, there's a direct connection between two endpoints, and no `participantId` value is generated. |

+| `identifier` | The unique ID for the user. The identity can be an Azure Communication Services user, an Azure AD user ID, a Teams object ID, or a Teams bot ID. You can use this ID to correlate user events across logs. |

+| `endpointId` | The unique ID that represents each endpoint that's connected to the call, where `endpointType` defines the endpoint type. When the value is `null`, the connected entity is the Communication Services server. `EndpointId` can persist for the same user across multiple calls (`correlationId`) for native clients but is unique for every call when the client is a web browser. |

+| `endpointType` | The value that describes the properties of each `endpointId` instance. It can contain `"Server"`, `"VOIP"`, `"PSTN"`, `"BOT"`, `"Voicemail"`, `"Anonymous"`, or `"Unknown"`. |

+| `mediaType` | The string value that describes the type of media that's being transmitted between endpoints within each stream. Possible values include `"Audio"`, `"Video"`, `"VBSS"` (video-based screen sharing), and `"AppSharing"`. |

+| `streamId` | A non-unique integer that, together with `mediaType`, you can use to uniquely identify streams of the same `participantId` value.|

+| `transportType` | The string value that describes the network transport protocol for each `participantId` value. It can contain `"UDP"`, `"TCP"`, or `"Unrecognized"`. `"Unrecognized"` indicates that the system could not determine if the transport type was TCP or UDP. |

+| `roundTripTimeAvg` | The average time that it takes to get an IP packet from one endpoint to another within a `participantDuration` period. This network propagation delay is related to the physical distance between the two points, the speed of light, and any overhead that the various routers take in between. <br><br>The latency is measured as one-way time or round-trip time (RTT). Its value expressed in milliseconds. An RTT greater than 500 ms is negatively affecting the call quality. |

+| `roundTripTimeMax` | The maximum RTT (in milliseconds) measured fo reach media stream during a `participantDuration` period in a group call or during a `callDuration` period in a P2P call. |

+| `jitterAvg` | The average change in delay between successive packets. Azure Communication Services can adapt to some levels of jitter through buffering. When the jitter exceeds the buffering, which is approximately at a `jitterAvg` time greater than 30 ms, a negative quality impact is likely occurring. The packets arriving at different speeds cause a speaker's voice to sound robotic. <br><br>This metric is measured for each media stream over the `participantDuration` period in a group call or over the `callDuration` period in a P2P call. |

+| `jitterMax` | The maximum jitter value measured between packets for each media stream. Bursts in network conditions can cause problems in the audio/video traffic flow. |

+| `packetLossRateAvg` | The average percentage of packets that are lost. Packet loss directly affects audio quality. Small, individual lost packets have almost no impact, whereas back-to-back burst losses cause audio to cut out completely. The packets being dropped and not arriving at their intended destination cause gaps in the media. This situation results in missed syllables and words, along with choppy video and sharing. <br><br>A packet loss rate of greater than 10% (0.1) is likely having a negative quality impact. This metric is measured for each media stream over the `participantDuration` period in a group call or over the `callDuration` period in a P2P call. |

+| `packetLossRateMax` | This value represents the maximum packet loss rate (percentage) for each media stream over the `participantDuration` period in a group call or over the `callDuration` period in a P2P call. Bursts in network conditions can cause problems in the audio/video traffic flow.

+### P2P vs. group calls

+There are two types of calls, as represented by `callType`:

+- **P2P call**: A connection between only two endpoints, with no server endpoint. P2P calls are initiated as a call between those endpoints and are not created as a group call event before the connection.

+ :::image type="content" source="../media/call-logs-azure-monitor/p2p-diagram.png" alt-text="Diagram that shows a P2P call across two endpoints.":::

+- **Group call**: Any call that has more than two endpoints connected. Group calls include a server endpoint and the connection between each endpoint and the server. P2P calls that add another endpoint during the call cease to be P2P, and they become a group call. You can determine the timeline of when each endpoint joined the call by using the `participantStartTime` and `participantDuration` metrics.

+ :::image type="content" source="../media/call-logs-azure-monitor/group-call-version-a.png" alt-text="Diagram that shows a group call across multiple endpoints.":::

+## Log structure

+Azure Communication Services creates two types of logs:

+- **Call summary logs**: Contain basic information about the call, including all the relevant IDs, time stamps, endpoints, and SDK information. For each participant within a call, Communication Services creates a distinct call summary log.

+ If someone rejoins a call, that participant has the same `EndpointId` value but a different `ParticipantId` value. That endpoint can then have two call summary logs.

+- **Call diagnostic logs**: Contain information about the stream, along with a set of metrics that indicate quality of experience measurements. For each endpoint within a call (including the server), Communication Services creates a distinct call diagnostic log for each media stream (audio or video, for example) between endpoints.

+In a P2P call, each log contains data that relates to each of the outbound streams associated with each endpoint. In a group call, each stream associated with `endpointType` = `"Server"` creates a log that contains data for the inbound streams. All other streams create logs that contain data for the outbound streams for all non-server endpoints. In group calls, use the `participantId` value as the key to join the related inbound and outbound logs into a distinct participant connection.

+### Example: P2P call

+The following diagram represents two endpoints connected directly in a P2P call. In this example, Communication Services creates two call summary logs (one for each `participantID` value) and four call diagnostic logs (one for each media stream). Each log contains data that relates to the outbound stream of `participantID`.

+### Example: Group call

+The following diagram represents a group call example with three `participantID` values (which means three participants) and a server endpoint. Values for `endpointId` can potentially appear in multiple participants--for example, when they rejoin a call from the same device. Communication Services creates one call summary log for each `participantID` value. It creates four call diagnostic logs: one for each media stream per `participantID`.

+### Example: Cross-tenant P2P call

+The following diagram represents two participants across multiple tenants that are connected directly in a P2P call. In this example, Communication Services creates one call summary log (one for each participant) with redacted OS and SDK versions. Communication Services also creates four call diagnostic logs (one for each media stream). Each log contains data that relates to the outbound stream of `participantID`.

+### Example: Cross-tenant group call

+The following diagram represents a group call example with three `participantId` values across multiple tenants. Communication Services creates one call summary log for each participant with redacted OS and SDK versions. Communication Services also creates four call diagnostic logs that relate to each `participantId` value (one for each media stream).

+> This release supports only outbound diagnostic logs.

+> OS and SDK versions associated with the bot and the participant can be redacted because Communication Services treats identities of participants and bots the same way.

+## Sample data

+### P2P call

+Here are shared fields for all logs in a P2P call:

+#### Call summary logs

+Call summary logs have shared operation and category information:

+Here's a call summary for VoIP user 1:

+Here's a call summary for VoIP user 2:

+Here's a cross-tenant call summary log for VoIP user 1:

+Here's a call summary for a PSTN call: