+- [Require multifactor authentication (Azure AD Multi-Factor Authentication)](../authentication/concept-mfa-howitworks.md)

+### Require multifactor authentication

+Selecting this checkbox will require users to perform Azure AD Multifactor Authentication. More information about deploying Azure AD Multifactor Authentication can be found in the article [Planning a cloud-based Azure AD Multifactor Authentication deployment](../authentication/howto-mfa-getstarted.md).

+[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) satisfies the requirement for multifactor authentication in Conditional Access policies.

+### User sign-in frequency and multifactor authentication

+Sign-in frequency previously applied to only to the first factor authentication on devices that were Azure AD joined, Hybrid Azure AD joined, and Azure AD registered. There was no easy way for our customers to re-enforce multifactor authentication (MFA) on those devices. Based on customer feedback, sign-in frequency will apply for MFA as well.

+- Require user reauthentication for risky sign-ins with the [require multifactor authentication](concept-conditional-access-grant.md#require-multifactor-authentication) grant control.

+> Before enabling Sign-in Frequency, make sure other reauthentication settings are disabled in your tenant. If "Remember MFA on trusted devices" is enabled, be sure to disable it before using Sign-in frequency, as using these two settings together may lead to prompting users unexpectedly. To learn more about reauthentication prompts and session lifetime, see the article, [Optimize reauthentication prompts and understand session lifetime for Azure AD Multifactor Authentication](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).

+> - [Flask](http://flask.pocoo.org/), [Flask-Session](https://pypi.org/project/Flask-Session/), [requests](https://github.com/psf/requests/graphs/contributors)

+| [Identity governance for applications](../governance/identity-governance-applications-prepare.md) | As part of your organization's controls to meet your compliance and risk management objectives for managing access for critical applications, you can use Azure AD features to set up and enforce appropriate access.|

+### Assign roles at attribute set scope

+#### Azure portal

+#### PowerShell

+Use [New-AzureADMSRoleAssignment](/powershell/module/azuread/new-azureadmsroleassignment) to assign the role. The following example assigns the Attribute Assignment Administrator role to a principal with an attribute set scope named Engineering.

+```powershell

+$roleDefinitionId = "58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d"

+$directoryScope = "/attributeSets/Engineering"

+$principalId = "f8ca5a85-489a-49a0-b555-0a6d81e56f0d"

+$roleAssignment = New-AzureADMSRoleAssignment -DirectoryScopeId $directoryScope -RoleDefinitionId $roleDefinitionId -PrincipalId $principalId

+```

+#### Microsoft Graph API

+Use the [Create unified Role Assignment](/graph/api/rbacapplication-post-roleassignments?view=graph-rest-beta&preserve-view=true) API to assign the role. The following example assigns the Attribute Assignment Administrator role to a principal with an attribute set scope named Engineering.

+```http

+POST https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments

+Content-type: application/json

+{

+ "@odata.type": "#microsoft.graph.unifiedRoleAssignment",

+ "roleDefinitionId": "58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d",

+ "principalId": "f8ca5a85-489a-49a0-b555-0a6d81e56f0d",

+ "directoryScopeId": "/attributeSets/Engineering"

+}

+```

+### Assign roles at tenant scope

+#### Azure portal

+#### PowerShell

+Use [New-AzureADMSRoleAssignment](/powershell/module/azuread/new-azureadmsroleassignment) to assign the role. For more information, see [Assign Azure AD roles at different scopes](../roles/assign-roles-different-scopes.md).

+#### Microsoft Graph API

+Use the [Create unified Role Assignment](/graph/api/rbacapplication-post-roleassignments?view=graph-rest-beta&preserve-view=true) API to assign the role. For more information, see [Assign Azure AD roles at different scopes](../roles/assign-roles-different-scopes.md).

+Organizations with compliance requirements or risk management plans will have sensitive or business-critical applications. The application sensitivity may be based on its purpose or the data it contains, such as financial information or personal information of the organization's customers. For those applications, only a subset of all the users in the organization will typically be authorized to have access, and access should only be permitted based on documented business requirements. Azure AD can be integrated with many popular SaaS applications, on-premises applications, and applications that your organization has developed, using [standard protocol](../fundamentals/auth-sync-overview.md) and API interfaces. Through these interfaces, Azure AD can be the authoritative source to control who has access to those applications. As you integrate your applications with Azure AD, you can then use Azure AD access reviews to recertify the users who have access to those applications, and remove access of those users who no longer need access. You can also use other features, including terms of use, conditional access and entitlement management, for governing access to applications, as described in [how to govern access to applications in your environment](identity-governance-applications-prepare.md).

+* The application relies upon user or group lists that are provided to the application by Azure AD. This fulfillment could be done through a provisioning protocol such as System for Cross-Domain Identity Management (SCIM) or by the application querying Azure AD via Microsoft Graph. Those users that are denied by a review lose their application role assignment or group membership, and when those changes are made available to the application, then the denied users will no longer have access.

+|C| If the application doesn't rely solely on Azure AD for federated SSO, but does support provisioning via SCIM, or via updates to a SQL table of users or an LDAP directory. | In this pattern, you'll configure Azure AD to provision the users with application role assignments to the application's database or directory, update the application role assignments in Azure AD with a list of the users who currently have access, and then create a single access review of the application role assignments. For more information, see [Governing an application's existing users](identity-governance-applications-existing-users.md) to update the application role assignments in Azure AD.|

+1. If your application is integrated with pattern C, then you'll need to confirm that the users in this list are the same as those in the applications' internal data store, prior to starting the review. Azure AD does not automatically import the users or their access rights from an application, but you can [assign users to an application role via PowerShell](../manage-apps/assign-user-or-group-access-portal.md). See [Governing an application's existing users](identity-governance-applications-existing-users.md) for how to bring in users from different application data stores into Azure AD.

+* [Create an access review of a group or application](create-access-review.md)

+* [Govern access to applications](identity-governance-applications-prepare.md)

+- **Business critical data access:** for certain resources, such as [business critical applications](identity-governance-applications-prepare.md), it might be required as part of compliance processes to ask people to regularly reconfirm and give a justification on why they need continued access.

+Depending on what you want to review, you will create your access review in Azure AD access reviews, Azure AD enterprise apps (in preview), Azure AD PIM, or Azure AD entitlement management.

+| Access package assignments | Specified reviewers</br>Group members</br>Self-review | Azure AD entitlement management | Access panel |

+- [Prepare for an access review of users' access to an application](access-reviews-application-preparation.md)

+## Change approval settings of an existing access package assignment policy

+Follow these steps to specify the approval settings for requests for the access package through a policy:

+#Customer intent: As an administrator, I want detailed information about how I can edit an access package to include requestor information to screen requestors and get requestors the resources they need to perform their job.

+This article describes how to change the lifecycle settings for an existing access package assignment policy.

+As an access package manager, you can change the users who can request an access package at any time by editing a policy for access package assignment requests, or adding a new policy to the access package. This article describes how to change the request settings for an existing access package assignment policy.

+When you create an access package, you can specify the request, approval and lifecycle settings, which are stored on the first policy of the access package. Most access packages will have a single policy for users to request access, but a single access package can have multiple policies. You would create multiple policies for an access package if you want to allow different sets of users to be granted assignments with different request and approval settings.

+| I want to allow users in my directory and also users outside my directory to request an access package | Two |

+| I want to specify different approval settings for some users | One for each group of users |

+| I want some users access package assignments to expire while other users can extend their access | One for each group of users |

+| I want users to request access and other users to be assigned access by an administrator | Two |

+## Open an existing access package and add a new policy with different request settings

+## Open and edit an existing policy's request settings

+To change the request and approval settings for an access package, you need to open the corresponding policy with those settings. Follow these steps to open and edit the request settings for an access package assignment policy:

+To reduce the risk of stale access, you should enable periodic reviews of users who have active assignments to an access package in Azure AD entitlement management. You can enable reviews when you create a new access package or edit an existing access package assignment policy. This article describes how to enable access reviews of access packages.

+You can enable access reviews when [creating a new access package](entitlement-management-access-package-create.md) or [editing an existing access package assignment policy](entitlement-management-access-package-lifecycle-policy.md) policy. If you have multiple policies, for different communities of users to request access, you can have independent access review schedules for each policy. Follow these steps to enable access reviews of an access package's assignments:

+1. Open the **Lifecycle** tab for an access package assignment policy to specify when a user's assignment to the access package expires. You can also specify whether users can extend their assignments.

+ > For more information about how to create an access package see [Create a new access package in entitlement management](entitlement-management-access-package-create.md). For more information about how to edit an existing access package, see [Change request settings for an access package in Azure AD entitlement management](entitlement-management-access-package-request-policy.md#open-and-edit-an-existing-policys-request-settings).

+- Control who can get access to applications, groups, Teams and SharePoint sites, with multi-stage approval, and ensure users do not retain access indefinitely through time-limited assignments and recurring access reviews.

+1. [Open an existing policy's request settings](entitlement-management-access-package-request-policy.md#open-an-existing-access-package-and-add-a-new-policy-with-different-request-settings)

+1. [Update the approval settings](entitlement-management-access-package-approval-policy.md#change-approval-settings-of-an-existing-access-package-assignment-policy)

+1. [Open an existing policy's request settings](entitlement-management-access-package-request-policy.md#open-an-existing-access-package-and-add-a-new-policy-with-different-request-settings)

+1. [If users need different lifecycle settings, add a new policy to the access package](entitlement-management-access-package-request-policy.md#open-an-existing-access-package-and-add-a-new-policy-with-different-request-settings)

+ Title: Define organizational policies for governing access to applications in your environment| - Azure AD

+description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. You can define policies for how users should obtain access to your business critical applications integrated with Azure AD.

+documentationcenter: ''

+editor: markwahl-msft

+ na

+# Define organizational policies for governing access to applications in your environment

+Once you've identified one or more applications that you want to use Azure AD to [govern access](identity-governance-applications-prepare.md), write down the organization's policies for determining which users should have access, and any other constraints that the system should provide.

+## Identifies applications and their roles in scope

+Organizations with compliance requirements or risk management plans will have sensitive or business-critical applications. If this application is an existing application in your environment, you may already have documented the access policies for who 'should have access' to this application. If not, you may need to consult with various stakeholders, such as compliance and risk management teams, to ensure that the policies being used to automate access decisions are appropriate for your scenario.

+1. **Collect the roles and permissions that each application provides.** Some applications may have only a single role, for example, an application that only has the role "User". More complex applications may surface multiple roles to be managed through Azure AD. These application roles typically make broad constraints on the access a user with that role would have within the app. For example, an application that has an administrator persona might have two roles, "User" and "Administrator". Other applications may also rely upon group memberships or claims for finer-grained role checks, which can be provided to the application from Azure AD in provisioning or claims issued using federation SSO protocols. Finally, there may be roles that don't surface in Azure AD - perhaps the application doesn't permit defining the administrators in Azure AD, instead relying upon its own authorization rules to identify administrators.

+ > [!Note]

+ > If you're using an application from the Azure AD application gallery that supports provisioning, then Azure AD may import defined roles in the application and automatically update the application manifest with the application's roles automatically, once provisioning is configured.

+1. **Select which roles and groups have membership that are to be governed in Azure AD.** Based on compliance and risk management requirements, organizations often prioritize those roles or groups that give privileged access or access to sensitive information.

+## Define the organization's policy with prerequisites and other constraints for access to the application

+In this section, you'll write down the organizational policies you plan to use to determine access to the application. You can record this as a table in a spreadsheet, for example

+|Role|Prerequisite for access|Approvers|Default duration of access|Separation of duties constraints|Conditional access policies|

+|:--|-|-|-|-|-|

+|*Western Sales*|Member of sales team|user's manager|Yearly review|Cannot have *Eastern Sales* access|Multifactor authentication (MFA) and registered device required for access|

+|*Western Sales*|Any employee outside of sales|head of Sales department|90 days|N/A|MFA and registered device required for access|

+|*Western Sales*|Non-employee sales rep|head of Sales department|30 days|N/A|MFA required for access|

+|*Eastern Sales*|Member of sales team|user's manager|Yearly review|Cannot have *Western Sales* access|MFA and registered device required for access|

+|*Eastern Sales*|Any employee outside of sales|head of Sales department|90 days|N/A|MFA and registered device required for access|

+|*Eastern Sales*|Non-employee sales rep|head of Sales department|30 days|N/A|MFA required for access|

+1. **Identify if there are prerequisite requirements, standards that a user must meet before to they're given access to an application.** For example, under normal circumstances, only full time employees, or those in a particular department or cost center, should be allowed to have access to a particular department's application. Also, you may require the entitlement management policy for a user from some other department requesting access to have one or more additional approvers. While having multiple stages of approval may slow the overall process of a user gaining access, these extra stages ensure access requests are appropriate and decisions are accountable. For example, requests for access by an employee could have two stages of approval, first by the requesting user's manager, and second by one of the resource owners responsible for data held in the application.

+1. **Determine how long a user who has been approved for access, should have access, and when that access should go away.** For many applications, a user might retain access indefinitely, until they're no longer affiliated with the organization. In some situations, access may be tied to particular projects or milestones, so that when the project ends, access is removed automatically. Or, if only a few users are using an application through a policy, you may configure quarterly or yearly reviews of everyone's access through that policy, so that there's regular oversight. These processes can ensure users lose access eventually when access is no longer needed, even if there isn't a pre-determined project end date.

+1. **Inquire if there are separation of duties constraints.** For example, you may have an application with two roles, *Western Sales* and *Eastern Sales*, and you want to ensure that a user can only have one sales territory at a time. Include a list of any pairs of roles that are incompatible for your application, so that if a user has one role, they aren't allowed to request the second role.

+1. **Select the appropriate conditional access policy for access to the application.** We recommend that you analyze your applications and group them into applications that have the same resource requirements for the same users. If this is the first federated SSO application you're integrating with Azure AD for identity governance, you may need to create a new conditional access policy to express constraints, such as requirements for Multifactor authentication (MFA) or location-based access. You can configure users to be required to agree to [a terms of use](../conditional-access/require-tou.md). See [plan a conditional access deployment](../conditional-access/plan-conditional-access.md) for more considerations on how to define a conditional access policy.

+1. **Determine how exceptions to your criteria should be handled.** For example, an application may typically only be available for designated employees, but an auditor or vendor may need temporary access for a specific project. Or, an employee who is traveling may require access from a location that is normally blocked as your organization has no presence in that location. In these situations, you may choose to also have an entitlement management policy for approval that may have different stages, or a different time limit, or a different approver. A vendor who is signed in as a guest user in your Azure AD tenant may not have a manager, so instead their access requests could be approved by a sponsor for their organization, or by a resource owner, or a security officer.

+As the organizational policy for who should have access is being reviewed by the stakeholders, then you can begin [integrating the application](identity-governance-applications-integrate.md) with Azure AD. That way at a later step you'll be ready to [deploy the organization-approved policies](identity-governance-applications-deploy.md) for access in Azure AD identity governance.

+## Next steps

+- [Integrate an application with Azure AD](identity-governance-applications-integrate.md)

+- [Deploy governance policies](identity-governance-applications-deploy.md)

+ Title: Deploying policies for governing access to applications integrated with Azure AD| Microsoft Docs

+description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. You can use entitlement management and other identity governance features to enforce the policies for access.

+documentationcenter: ''

+editor: markwahl-msft

+ na

+# Deploying organizational policies for governing access to applications integrated with Azure AD

+In previous sections, you [defined your governance policies for an application](identity-governance-applications-define.md) and [integrated that application with Azure AD](identity-governance-applications-integrate.md). In this section, you'll configure the Azure AD conditional access and entitlement management features to control ongoing access to your applications. You'll establish

+* Conditional access policies, for how a user authenticates to Azure AD for an application integrated with Azure AD for single sign-on

+* Entitlement management policies, for how a user obtains and keeps assignments to application roles and membership in groups

+* Access review policies, for how often group memberships are reviewed

+Once these policies are deployed, you can then monitor the ongoing behavior of Azure AD as users request and are assigned access to the application.

+## Deploy conditional access policies for SSO enforcement

+In this section, you'll establish the Conditional Access policies that are in scope for determining whether an authorized user is able to sign into the app, based on factors like the user's authentication strength or device status.

+Conditional access is only possible for applications that rely upon Azure AD for single sign-on (SSO). If the application isn't able to be integrated for SSO, then continue in the next section.

+1. **Upload the terms of use (TOU) document, if needed.** If you require users to accept a terms of use (TOU) prior to accessing the application, then create and [upload the TOU document](../conditional-access/terms-of-use.md) so that it can be included in a conditional access policy.

+1. **Verify users are ready for Azure Active Directory Multi-Factor Authentication.** We recommend requiring Azure AD Multi-Factor Authentication for business critical applications integrated via federation. For these applications, there should be a policy that requires the user to have met a multi-factor authentication requirement prior to Azure AD permitting them to sign into the application. Some organizations may also block access by locations, or [require the user to access from a registered device](../conditional-access/howto-conditional-access-policy-compliant-device.md). If there's no suitable policy already that includes the necessary conditions for authentication, location, device and TOU, then [add a policy to your conditional access deployment](../conditional-access/plan-conditional-access.md).

+1. **Bring the application into scope of the appropriate conditional access policy**. If you have an existing conditional access policy that was created for another application subject to the same governance requirements, you could update that policy to have it apply to this application as well, to avoid having a large number of policies. Once you have made the updates, check to ensure that the expected policies are being applied. You can see what policies would apply to a user with the [Conditional Access what if tool](../conditional-access/troubleshoot-conditional-access-what-if.md).

+1. **Create a recurring access review if any users will need temporary policy exclusions**. In some cases, it may not be possible to immediately enforce conditional access policies for every authorized user. For example, some users may not have an appropriate registered device. If it's necessary to exclude one or more users from the CA policy and allow them access, then configure an access review for the group of [users who are excluded from Conditional Access policies](../governance/conditional-access-exclusion.md).

+1. **Document the token lifetime and applications' session settings.** How long a user who has been denied continued access can continue to use a federated application will depend upon the application's own session lifetime, and on the access token lifetime. The session lifetime for an application depends upon the application itself. To learn more about controlling the lifetime of access tokens, see [configurable token lifetimes](../develop/active-directory-configurable-token-lifetimes.md).

+## Deploy entitlement management policies for automating access assignment

+In this section, you'll configure Azure AD entitlement management so users can request access to your application's roles or to groups used by the application. In order to perform these tasks, you'll need to be in the *Global Administrator*, *Identity Governance Administrator* role, or be [delegated as a catalog creator](entitlement-management-delegate-catalog.md) and the owner of the application.

+1. **Access packages for governed applications should be in a designated catalog.** If you don't already have a catalog for your application governance scenario, [create a catalog](../governance/entitlement-management-catalog-create.md) in Azure AD entitlement management.

+1. **Populate the catalog with necessary resources.** Add the application, as well as any Azure AD groups that the application relies upon, [as resources in that catalog](../governance/entitlement-management-catalog-create.md).

+1. **Create an access package for each role or group which users can request.** For each of the applications' roles or groups, [create an access package](../governance/entitlement-management-access-package-create.md) that includes that role or group as its resource. At this stage of configuring that access package, configure the access package assignment policy for direct assignment, so that only administrators can create assignments. In that policy, set the access review requirements for existing users, if any, so that they don't keep access indefinitely.

+1. **Configure access packages to enforce separation of duties requirements.** If you have [separation of duties](entitlement-management-access-package-incompatible.md) requirements, then configure the incompatible access packages or existing groups for your access package. If your scenario requires the ability to override a separation of duties check, then you can also [set up additional access packages for those override scenarios](entitlement-management-access-package-incompatible.md#configuring-multiple-access-packages-for-override-scenarios).

+1. **Add assignments of existing users, who already have access to the application, to the access packages.** For each access package, assign existing users of the application in that role, or members of that group, to the access package. You can [directly assign a user](entitlement-management-access-package-assignments.md) to an access package using the Azure portal, or in bulk via Graph or PowerShell.

+1. **Create policies for users to request access.** In each access package, [create additional access package assignment policies](../governance/entitlement-management-access-package-request-policy.md#open-an-existing-access-package-and-add-a-new-policy-with-different-request-settings) for users to request access. Configure the approval and recurring access review requirements in that policy.

+1. **Create recurring access reviews for other groups used by the application.** If there are groups that are used by the application but aren't resource roles for an access package, then [create access reviews](create-access-review.md) for the membership of those groups.

+## View reports on access

+Azure AD, in conjunction with Azure Monitor, provides several reports to help you understand who has access to an application and if they're using that access.

+* An administrator, or a catalog owner, can [retrieve the list of users who have access package assignments](entitlement-management-access-package-assignments.md), via the Azure portal, Graph or PowerShell.

+* You can also send the audit logs to Azure Monitor and view a history of [changes to the access package](entitlement-management-logs-and-reporting.md#view-events-for-an-access-package), in the Azure portal, or via PowerShell.

+* You can view the last 30 days of sign ins to an application in the [sign ins report](../reports-monitoring/howto-find-activity-reports.md#sign-ins-report) in the Azure portal, or via [Graph](/graph/api/signin-list?view=graph-rest-1.0&tabs=http).

+* You can also send the [sign in logs to Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md) to archive sign in activity for up to two years.

+## Monitor to adjust entitlement management policies and access as needed

+At regular intervals, such as weekly, monthly or quarterly, based on the volume of application access assignment changes for your application, use the Azure portal to ensure that access is being granted in accordance with the policies. You can also ensure that the identified users for approval and review are still the correct individuals for these tasks.

+* **Watch for application role assignments and group membership changes.** If you have Azure AD configured to send its audit log to Azure Monitor, use the `Application role assignment activity` in Azure Monitor to [monitor and report on any application role assignments that weren't made through entitlement management](../governance/entitlement-management-access-package-incompatible.md#monitor-and-report-on-access-assignments). If there are role assignments that were created by an application owner directly, you should contact that application owner to determine if that assignment was authorized. In addition, if the application relies upon Azure AD security groups, also monitor for changes to those groups as well.

+* **Also watch for users granted access directly within the application.** If the following conditions are met, then it's possible for a user to obtain access to an application without being part of Azure AD, or without being added to the applications' user account store by Azure AD:

+ * The application has a local user account store within the app

+ * The user account store is in a database or in an LDAP directory

+ * The application doesn't rely solely upon Azure AD for single sign-on.

+ For an application with the properties in the previous list, you should regularly check that users were only added to the application's local user store through Azure AD provisioning. If users that were created directly in the application, contact the application owner to determine if that assignment was authorized.

+* **Ensure approvers and reviewers are kept up to date.** For each access package that you configured in the previous section, ensure the access package assignment policies continue to have the correct approvers and reviewers. Update those policies if the approvers and reviewers that were previously configured are no longer present in the organization, or are in a different role.

+* **Validate that reviewers are making decisions during a review.** Monitor that [recurring access reviews for those access packages](entitlement-management-access-package-lifecycle-policy.md) are completing successfully, to ensure reviewers are participating and making decisions to approve or deny user's continued need for access.

+* **Check that provisioning and deprovisioning are working as expected.** If you had previously configured provisioning of users to the application, then when the results of a review are applied, or a user's assignment to an access package expires, Azure AD will begin deprovisioning denied users from the application. You can [monitor the process of deprovisioning users](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md). If provisioning indicates an error with the application, you can [download the provisioning log](../reports-monitoring/concept-provisioning-logs.md) to investigate if there was a problem with the application.

+* **Update the Azure AD configuration with any role or group changes in the application.** If the application adds new roles, updates existing roles, or relies upon additional groups, then you'll need to update the access packages and access reviews to account for those new roles or groups.

+## Next steps

+- [Access reviews deployment plan](deploy-access-reviews.md)

+ Title: Governing an application's existing users in Azure AD with Microsoft PowerShell

+description: Planning for a successful access reviews campaign for a particular application includes identifying if there are any users in that application whose access doesn't derive from Azure AD.

+documentationCenter: ''

+editor:

+ na

+#Customer intent: As an IT admin, I want to ensure access to specific applications is governed, by setting up access reviews for those applications. For this, I need to have in Azure AD the existing users of that application assigned to the application.

+# Governing an application's existing users - Microsoft PowerShell

+There are two common scenarios in which it's necessary to populate Azure Active Directory (Azure AD) with existing users of an application, prior to using the application with an Azure AD identity governance feature such as [access reviews](access-reviews-application-preparation.md).

+### Application migrated to Azure AD after using its own identity provider

+The first scenario is one in which the application already exists in the environment, and previously used its own identity provider or data store to track which users had access. When you change the application to rely upon Azure AD, then only users who are in Azure AD and permitted access to that application can access it. As part of that configuration change, you can choose to bring in the existing users from that application's data store into Azure AD, so that those users continue to have access, through Azure AD. Having the users associated with the application represented in Azure AD will enable Azure AD to track users with access to the application, even though the user's relationship with the application originated elsewhere, such as in an applications' database or directory. Once Azure AD is aware of a user's assignment, Azure AD will be able send updates to the application's data store when that user's attributes change, or when the user goes out of scope of the application.

+### Application that doesn't use Azure AD as its only identity provider

+The second scenario is one in which an application doesn't solely rely upon Azure AD as its identity provider. In some cases, an application might support multiple identity providers, or have its own built-in credential storage. This scenario is described as Pattern C in [preparing for an access review of user's access to an application](access-reviews-application-preparation.md). If it isn't feasible to remove other identity providers or local credential authentication from the application, then in order to be able to use Azure AD to review who has access to that application, or remove someone's access from that application, you'll need to create assignments in Azure AD that represent the access by users of the application, those users who don't rely upon Azure AD for authentication. Having these assignments is necessary if you plan to review all users with access to the application, as part of an access review.

+For example, there's a user who's in the application's data store and Azure AD is configured to require role assignments to the application, however, the user doesn't have an application role assignment in Azure AD. If the user is updated in Azure AD, then no changes will be sent to the application. And if the application's role assignments are reviewed, the user won't be included in the review. To have all the users included in the review, then it's necessary to have application role assignments for all users of the application.

+## Terminology

+This article illustrates the process for managing application role assignments using the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) and so uses Microsoft Graph terminology.

+

+In Azure AD, a `ServicePrincipal` represents an application in a particular organization's directory. The `ServicePrincipal` has a property `AppRoles` that lists the roles an application supports, such as `Marketing specialist`. An `AppRoleAssignment` links a `User` to a Service principal and specifies which role that user has in that application.

+You may also be using [Azure AD entitlement management](entitlement-management-overview.md) access packages to give users time-limited access to the application. In entitlement management, an `AccessPackage` contains one or more resource roles, potentially from multiple service principals, and has `Assignment` for users to the access package. When you create an assignment for a user to an access package, then Azure AD entitlement management automatically creates the necessary `AppRoleAssignment` for the user to each application. For more information, see the [Manage access to resources in Azure AD entitlement management](/powershell/microsoftgraph/tutorial-entitlement-management) tutorial on how to create access packages through PowerShell.

+## Before you begin

+- You must have one of the following licenses in your tenant:

+ - Azure AD Premium P2

+ - Enterprise Mobility + Security (EMS) E5 license

+- You'll need to have an appropriate administrative role. If this is the first time you're performing these steps, you'll need the `Global administrator` role to authorize the use of Microsoft Graph PowerShell in your tenant.

+- There needs to be a service principal for your application in your tenant.

+ - If the application uses an LDAP directory, follow the guide for [configuring Azure AD to provision users into LDAP directories](/azure/active-directory/app-provisioning/on-premises-ldap-connector-configure) through the section to Download, install, and configure the Azure AD Connect Provisioning Agent Package.

+ - If the application uses a SQL database, follow the guide for [configuring Azure AD to provision users into SQL based applications](/azure/active-directory/app-provisioning/on-premises-sql-connector-configure) through the section to Download, install and configure the Azure AD Connect Provisioning Agent Package.

+## Collect existing users from an application

+The first step to ensuring all users are recorded in Azure AD, is to collect the list of existing users who have access to the application. Some applications may have a built-in command to export a list of current users from its data store. In other cases, the application may rely upon an external directory or database. In some environments, the application may be located on a network segment or system that isn't appropriate for use for managing access to Azure AD, so you might need to extract the list of users from that directory or database, and then transfer it as a file to another system that can be used for Azure AD interactions. This section explains three approaches for how to get a list of users, held in a comma separated text file (CSV),

+* From an LDAP directory

+* From a SQL Server database

+* From another SQL-based database

+### Collect existing users from an application that uses an LDAP directory

+This section applies to applications that use an LDAP directory as its underlying data store for users who don't authenticate to Azure AD.

+Many LDAP directories, such as Active Directory, include a command that outputs a list of users.

+1. Identify which of the users in that directory are in scope of being users of the application. This choice will be dependent upon your application's configuration. For some applications, any user who exists in an LDAP directory is a valid user. Other applications may require the user to have a particular attribute or be a member of a group in that directory.

+1. Run the command that retrieves that subset of users from your directory. Ensure that the output includes the attributes of users that will be used for matching with Azure AD - such as an employee ID, account name or email address. For example, this command would produce a CSV file in the current directory with the `userPrincipalName` attribute of every person in the directory.

+ ```powershell

+ $out_filename = ".\users.csv"

+ csvde -f $out_filename -l userPrincipalName,cn -r "(objectclass=person)"

+ ```

+1. If needed, transfer the CSV file containing the list of users to a system with the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) installed.

+1. Continue reading at the section below, **Confirm Azure AD has users for each user from the application**.

+### Collect existing users from an application's database table using a SQL Server wizard

+This section applies to applications that use SQL Server as its underlying data store.

+First, get a list of the users from the tables. Most databases provide a way to export the contents of tables to a standard file format, such as to a CSV file. If the application uses a SQL Server database, you can use the **SQL Server Import and Export Wizard** to export portions of a database. If you don't have a utility for your database, you can use the ODBC driver with PowerShell, described in the next section.

+1. Log in to the system where SQL Server is installed.

+1. Launch **SQL Server 2019 Import and Export (64 bit)** or the equivalent for your database.

+1. Select the existing database as the source.

+1. Select **Flat File Destination** as the destination. Provide a file name, and change the **Code page** to **65001 (UTF-8)**.

+1. Complete the wizard, and select to run immediately.

+1. Wait for the execution to complete.

+1. If needed, transfer the CSV file containing the list of users to a system with the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) installed.

+1. Continue reading at the section below, **Confirm Azure AD has users for each user from the application**.

+### Collect existing users from an application's database table using PowerShell

+This section applies to applications that use another SQL database as its underlying data store, where you're using the [ECMA Connector Host](/azure/active-directory/app-provisioning/on-premises-sql-connector-configure) to provision users into that application. If you've not yet configured the provisioning agent, use that guide to create the DSN connection file you'll use in this section.

+1. Log in to the system where the provisioning agent is or will be installed.

+1. Launch PowerShell.

+1. Construct a connection string for connecting to your database system. The components of a connection string will depend upon the requirements of your database. If you are using SQL Server, then see the [list of DSN and Connection String Keywords and Attributes](/sql/connect/odbc/dsn-connection-string-attribute). If you are using a different database, then you'll need to include the mandatory keywords for connecting to that database. For example, if your database uses the fully-qualified pathname of the DSN file, a userID and password, then construct the connection string using the following commands.

+ ```powershell

+ $filedsn = "c:\users\administrator\documents\db.dsn"

+ $db_cs = "filedsn=" + $filedsn + ";uid=p;pwd=secret"

+ ```

+1. Open a connection to your database, providing that connection string, using the following commands.

+ ```powershell

+ $db_conn = New-Object data.odbc.OdbcConnection

+ $db_conn.ConnectionString = $db_cs

+ $db_conn.Open()

+ ```

+1. Construct a SQL query to retrieve the users from the database table. Be sure to include the columns that will be used to match users in the application's database with those users in Azure AD, such as an employee ID, account name or email address. For example, if your users are held in a database table named `USERS` and have columns `name` and `email`, then type the following command.

+ ```powershell

+ $db_query = "SELECT name,email from USERS"

+ ```

+1. Send the query to the database via the connection, and retrieve the results.

+ ```powershell

+ $result = (new-object data.odbc.OdbcCommand($db_query,$db_conn)).ExecuteReader()

+ $table = new-object System.Data.DataTable

+ $table.Load($result)

+ ```

+1. Write the result, the list of rows representing users that were retrieved from the query, to a CSV file.

+ ```powershell

+ $out_filename = ".\users.csv"

+ $table.Rows | Export-Csv -Path $out_filename -NoTypeInformation -Encoding UTF8

+ ```

+1. If this system doesn't have the Microsoft Graph PowerShell cmdlets installed, or doesn't have connectivity to Azure AD, then transfer the CSV file that was generated in the previous step, containing the list of users, to a system that has the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) installed.

+## Confirm Azure AD has users for each user from the application

+Now that you have a list of all the users obtained from the application, you'll next match those users from the application's data store with users in Azure AD. Before proceeding, review the section on [matching users in the source and target systems](/azure/active-directory/app-provisioning/customize-application-attributes#matching-users-in-the-source-and-target--systems), as you'll configure Azure AD provisioning with equivalent mappings afterwards. That step will allow Azure AD provisioning to query the application's data store with the same matching rules.

+### Retrieve the IDs of the users in Azure AD

+This section shows how to interact with Azure AD using [Microsoft Graph PowerShell](https://www.powershellgallery.com/packages/Microsoft.Graph) cmdlets. The first time your organization use these cmdlets for this scenario, you'll need to be in a Global Administrator role to consent Microsoft Graph PowerShell to be used for these scenarios in your tenant. Subsequent interactions can use a lower privileged role, such as User Administrator role if you anticipate creating new users, or the Application Administrator or [Identity Governance Administrator](/azure/active-directory/roles/permissions-reference#identity-governance-administrator) role, if you're just managing application role assignments.

+1. Launch PowerShell.

+1. If you don't have the [Microsoft Graph PowerShell modules](https://www.powershellgallery.com/packages/Microsoft.Graph) already installed, install the `Microsoft.Graph.Users` module and others using

+ ```powershell

+ Install-Module Microsoft.Graph

+ ```

+1. If you already have the modules installed, ensure you are using a recent version.

+ ```powershell

+ Update-Module microsoft.graph.users,microsoft.graph.identity.governance,microsoft.graph.applications

+ ```

+1. Connect to Azure AD.

+ The first time you run these scripts, you'll need to be an administrator, to be able to consent Microsoft Graph PowerShell for these permissions.

+ ```powershell

+ $msg = Connect-MgGraph -ContextScope Process -Scopes "User.Read.All,Application.Read.All,AppRoleAssignment.ReadWrite.All,EntitlementManagement.ReadWrite.All"

+ ```

+1. Read the list of users obtained from the application's data store into the PowerShell session. If the list of users was in a CSV file, then you can use the PowerShell cmdlet `Import-Csv` and provide the filename of the file from the previous section as an argument. For example, if the file is named `users.csv` and located in the current directory, type the command

+ ```powershell

+ $filename = ".\users.csv"

+ $dbusers = Import-Csv -Path $filename -Encoding UTF8

+ ```

+1. Pick the column of the `users` file that will match with an attribute of a user in Azure AD.

+ For example, you might have users in the database where the value in the column named `EMail` is the same value as in the Azure AD attribute `mail`.

+ ```powershell

+ $db_match_column_name = "EMail"

+ $azuread_match_attr_name = "mail"

+ ```

+1. Retrieve the IDs of those users in Azure AD.

+ The following PowerShell script will use the `$dbusers`, `$db_match_column_name` and `$azuread_match_attr_name` specified above, and will query Azure AD to locate a user that has a matching value for each record in the source file. If there are many users in the database, this script may take several minutes to complete.

+ ```powershell

+ $dbu_not_queried_list = @()

+ $dbu_not_matched_list = @()

+ $dbu_match_ambiguous_list = @()

+ $dbu_query_failed_list = @()

+ $azuread_match_id_list = @()

+ foreach ($dbu in $dbusers) {

+ if ($null -ne $dbu.$db_match_column_name -and $dbu.$db_match_column_name.Length -gt 0) {

+ $val = $dbu.$db_match_column_name

+ $escval = $val -replace "'","''"

+ $filter = $azuread_match_attr_name + " eq '" + $escval + "'"

+ try {

+ $ul = @(Get-MgUser -Filter $filter -All -ErrorAction Stop)

+ if ($ul.length -eq 0) { $dbu_not_matched_list += $dbu; } elseif ($ul.length -gt 1) {$dbu_match_ambiguous_list += $dbu } else {

+ $id = $ul[0].id;

+ $azuread_match_id_list += $id;

+ }

+ } catch { $dbu_query_failed_list += $dbu }

+ } else { $dbu_not_queried_list += $dbu }

+ }

+ ```

+1. View the results of the previous queries to see if any of the users in the database couldn't be located in Azure AD, due to errors or missing matches.

+ The following PowerShell script will display the counts of records that weren't located.

+ ```powershell

+ $dbu_not_queried_count = $dbu_not_queried_list.Count

+ if ($dbu_not_queried_count -ne 0) {

+ Write-Error "Unable to query for $dbu_not_queried_count records as rows lacked values for $db_match_column_name."

+ }

+ $dbu_not_matched_count = $dbu_not_matched_list.Count

+ if ($dbu_not_matched_count -ne 0) {

+ Write-Error "Unable to locate $dbu_not_matched_count records in Azure AD by querying for $db_match_column_name values in $azuread_match_attr_name."

+ }

+ $dbu_match_ambiguous_count = $dbu_match_ambiguous_list.Count

+ if ($dbu_match_ambiguous_count -ne 0) {

+ Write-Error "Unable to locate $dbu_match_ambiguous_count records in Azure AD."

+ }

+ $dbu_query_failed_count = $dbu_query_failed_list.Count

+ if ($dbu_query_failed_count -ne 0) {

+ Write-Error "Unable to locate $dbu_query_failed_count records in Azure AD as queries returned errors."

+ }

+ if ($dbu_not_queried_count -ne 0 -or $dbu_not_matched_count -ne 0 -or $dbu_match_ambiguous_count -ne 0 -or $dbu_query_failed_count -ne 0) {

+ Write-Output "You will need to resolve those issues before access of all existing users can be reviewed."

+ }

+ $azuread_match_count = $azuread_match_id_list.Count

+ Write-Output "Users corresponding to $azuread_match_count records were located in Azure AD."

+ ```

+1. When the script completes, it will indicate an error if there were any records from the data source that weren't located in Azure AD. If not all the records for users from the application's data store could be located as users in Azure AD, then you'll need to investigate which records didn't match and why. For example, someone's email address may have been changed in Azure AD without their corresponding `mail` property being updated in the application's data source. Or, they may have already left the organization, but still be in the application's data source. Or there might be a vendor or super-admin account in the application's data source who does not correspond to any specific person in Azure AD.

+1. If there were users that couldn't be located in Azure AD, but you want to have their access be reviewed or their attributes updated in the database, you'll need to create Azure AD users for the users that could not be located. You can create users in bulk using either a CSV file, as described in [bulk create users in the Azure AD portal](../enterprise-users/users-bulk-add.md), or by using the [New-MgUser](/powershell/module/microsoft.graph.users/new-mguser?view=graph-powershell-1.0#examples) cmdlet. When doing so, ensure that the users are populated with the attributes required for Azure AD to later match these new users to the existing users in the application.

+1. After adding any missing users to Azure AD, then run the script from step 7 above again, and then the script from step 8, and check that no errors are reported.

+ ```powershell

+ $dbu_not_queried_list = @()

+ $dbu_not_matched_list = @()

+ $dbu_match_ambiguous_list = @()

+ $dbu_query_failed_list = @()

+ $azuread_match_id_list = @()

+ foreach ($dbu in $dbusers) {

+ if ($null -ne $dbu.$db_match_column_name -and $dbu.$db_match_column_name.Length -gt 0) {

+ $val = $dbu.$db_match_column_name

+ $escval = $val -replace "'","''"

+ $filter = $azuread_match_attr_name + " eq '" + $escval + "'"

+ try {

+ $ul = @(Get-MgUser -Filter $filter -All -ErrorAction Stop)

+ if ($ul.length -eq 0) { $dbu_not_matched_list += $dbu; } elseif ($ul.length -gt 1) {$dbu_match_ambiguous_list += $dbu } else {

+ $id = $ul[0].id;

+ $azuread_match_id_list += $id;

+ }

+ } catch { $dbu_query_failed_list += $dbu }

+ } else { $dbu_not_queried_list += $dbu }

+ }

+ $dbu_not_queried_count = $dbu_not_queried_list.Count

+ if ($dbu_not_queried_count -ne 0) {

+ Write-Error "Unable to query for $dbu_not_queried_count records as rows lacked values for $db_match_column_name."

+ }

+ $dbu_not_matched_count = $dbu_not_matched_list.Count

+ if ($dbu_not_matched_count -ne 0) {

+ Write-Error "Unable to locate $dbu_not_matched_count records in Azure AD by querying for $db_match_column_name values in $azuread_match_attr_name."

+ }

+ $dbu_match_ambiguous_count = $dbu_match_ambiguous_list.Count

+ if ($dbu_match_ambiguous_count -ne 0) {

+ Write-Error "Unable to locate $dbu_match_ambiguous_count records in Azure AD."

+ }

+ $dbu_query_failed_count = $dbu_query_failed_list.Count

+ if ($dbu_query_failed_count -ne 0) {

+ Write-Error "Unable to locate $dbu_query_failed_count records in Azure AD as queries returned errors."

+ }

+ if ($dbu_not_queried_count -ne 0 -or $dbu_not_matched_count -ne 0 -or $dbu_match_ambiguous_count -ne 0 -or $dbu_query_failed_count -ne 0) {

+ Write-Output "You will need to resolve those issues before access of all existing users can be reviewed."

+ }

+ $azuread_match_count = $azuread_match_id_list.Count

+ Write-Output "Users corresponding to $azuread_match_count records were located in Azure AD."

+ ```

+## Check for users who are not already assigned to the application

+The previous steps have confirmed that all the users in the application's data store exist as users in Azure AD. However, they may not all currently be assigned to the application's roles in Azure AD. So the next steps are to see which users don't have assignments to application roles.

+1. Retrieve the users who currently have assignments to the application in Azure AD.

+ For example, if the enterprise application is named `CORPDB1`, then type the following commands

+ ```powershell

+ $azuread_app_name = "CORPDB1"

+ $azuread_sp_filter = "displayName eq '" + ($azuread_app_name -replace "'","''") + "'"

+ $azuread_sp = Get-MgServicePrincipal -Filter $azuread_sp_filter -All

+ $azuread_existing_assignments = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $azuread_sp.Id -All)

+ ```

+1. Compare the list of user IDs from the previous section to those users currently assigned to the application.

+ ```powershell

+ $azuread_not_in_role_list = @()

+ foreach ($id in $azuread_match_id_list) {

+ $found = $false

+ foreach ($existing in $azuread_existing_assignments) {

+ if ($existing.principalId -eq $id) {

+ $found = $true; break;

+ }

+ }

+ if ($found -eq $false) { $azuread_not_in_role_list += $id }

+ }

+ $azuread_not_in_role_count = $azuread_not_in_role_list.Count

+ Write-Output "$azuread_not_in_role_count users in the application's data store are not assigned to the application roles."

+ ```

+ If 0 users aren't assigned to application roles, indicating that all users are assigned to application roles, then no further changes are needed before performing an access review.

+ However, if one or more users aren't currently assigned to the application roles, you'll need to add them to one of the application's roles, as described in the sections below.

+1. Select the role of the application to assign the remaining users to.

+ An application may have more than one role. Use this command to list the available roles.

+ ```powershell

+ $azuread_sp.AppRoles | where-object {$_.AllowedMemberTypes -contains "User"} | ft DisplayName,Id

+ ```

+ Select the appropriate role from the list, and obtain its role ID. For example, if the role name is `Admin`, then provide that value in the following PowerShell commands.

+ ```powershell

+ $azuread_app_role_name = "Admin"

+ $azuread_app_role_id = ($azuread_sp.AppRoles | where-object {$_.AllowedMemberTypes -contains "User" -and $_.DisplayName -eq $azuread_app_role_name}).Id

+ if ($null -eq $azuread_app_role_id) { write-error "role $azuread_app_role_name not located in application manifest"}

+ ```

+## Configure application provisioning

+Before creating new assignments, you'll want to configure [Azure AD provisioning](/azure/active-directory/app-provisioning/user-provisioning) of Azure AD users to the application. Configuring provisioning will enable Azure AD to match up the users in Azure AD with the application role assignments to the users already in the application's data store.

+1. Ensure that the application is configured to require users to have application role assignments, so that only selected users will be provisioned to the application.

+1. If provisioning hasn't been configured for the application, then configure, but do not start, [provisioning](/azure/active-directory/app-provisioning/user-provisioning).

+ * If the application uses an LDAP directory, follow the guide for [configuring Azure AD to provision users into LDAP directories](/azure/active-directory/app-provisioning/on-premises-ldap-connector-configure).

+ * If the application uses a SQL database, follow the guide for [configuring Azure AD to provision users into SQL based applications](/azure/active-directory/app-provisioning/on-premises-sql-connector-configure).

+1. Check the [attribute mappings](/azure/active-directory/app-provisioning/customize-application-attributes) for provisioning to that application. Make sure that *Match objects using this attribute* is set for the Azure AD attribute and column that you used in the sections above for matching. If these rules aren't using the same attributes as you used earlier, then when application role assignments are created, Azure AD may be unable to locate existing users in the applications' data store, and inadvertently create duplicate users.

+1. Check that there's an attribute mapping for **isSoftDeleted** to an attribute of the application. When a user is unassigned from the application, soft-deleted in Azure AD, or blocked from sign-in, then Azure AD provisioning will update the attribute mapped to **isSoftDeleted**. If no attribute is mapped, then users who later are unassigned from the application role will continue to exist in the application's data store.

+1. If provisioning has already been enabled for the application, check that the application provisioning is not in [quarantine](/azure/active-directory/app-provisioning/application-provisioning-quarantine-status). You'll need to resolve any issues that are causing the quarantine prior to proceeding.

+## Create app role assignments in Azure AD

+For Azure AD to match the users in the application with the users in Azure AD, you'll need to create application role assignments in Azure AD.

+When an application role assignment is created in Azure AD for a user to application, then

+ - Azure AD will query the application to determine if the user already exists.

+ - Subsequent updates to the user's attributes in Azure AD will be sent to the application.

+ - Users will remain in the application indefinitely, unless updated outside of Azure AD, or until the assignment in Azure AD is removed.

+ - On the next review of that application's role assignments, the user will be included in the review.

+ - If the user is denied in an access review, then their application role assignment will be removed, and Azure AD will notify the application that the user is blocked from sign in.

+1. Create application role assignments for users who don't currently have role assignments.

+ ```powershell

+ foreach ($u in $azuread_not_in_role_list) {

+ $res = New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $azuread_sp.Id -AppRoleId $azuread_app_role_id -PrincipalId $u -ResourceId $azuread_sp.Id

+ }

+ ```

+1. Wait 1 minute for changes to propagate within Azure AD.

+## Check that Azure AD provisioning has matched the existing users

+1. Requery Azure AD to obtain the updated list of role assignments.

+ ```powershell

+ $azuread_existing_assignments = @(Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $azuread_sp.Id -All)

+ ```

+1. Compare the list of user IDs from the previous section to those users now assigned to the application.

+ ```powershell

+ $azuread_still_not_in_role_list = @()

+ foreach ($id in $azuread_match_id_list) {

+ $found = $false

+ foreach ($existing in $azuread_existing_assignments) {

+ if ($existing.principalId -eq $id) {

+ $found = $true; break;

+ }

+ }

+ if ($found -eq $false) { $azuread_still_not_in_role_list += $id }

+ }

+ $azuread_still_not_in_role_count = $azuread_still_not_in_role_list.Count

+ if ($azuread_still_not_in_role_count -gt 0) {

+ Write-Output "$azuread_still_not_in_role_count users in the application's data store are not assigned to the application roles."

+ }

+ ```

+ If any users aren't assigned to application roles, check the Azure AD audit log for an error from a previous step.

+1. If the **Provisioning Status** of the application is **Off**, turn the **Provisioning Status** to **On**.

+1. Based on the guidance for [how long will it take to provision users](/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users), wait for Azure AD provisioning to match the existing users of the application to those users just assigned.

+1. Monitor the [provisioning status](/azure/active-directory/app-provisioning/check-status-user-account-provisioning) to ensure that all users were matched successfully. If you don't see users being provisioned, check the troubleshooting guide for [no users being provisioned](/azure/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned). If you see an error in the provisioning status and are provisioning to an on-premises application, then check the [troubleshooting guide for on-premises application provisioning](/azure/active-directory/app-provisioning/on-premises-ecma-troubleshoot).

+Once the users have been matched by the Azure AD provisioning service, based on the application role assignments you've created, then subsequent changes will be sent to the application.

+## Next steps

+ - [Prepare for an access review of users' access to an application](access-reviews-application-preparation.md)

+ Title: Integrate your applications for identity governance and establishing a baseline of reviewed access - Azure AD

+description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. You can integrate your existing business critical third party on-premises and cloud-based applications with Azure AD for identity governance scenarios.

+documentationcenter: ''

+editor: markwahl-msft

+ na

+# Integrating applications with Azure AD and establishing a baseline of reviewed access

+Once you've [established the policies](identity-governance-applications-define.md) for who should have access to an application, then you can [connect your application to Azure AD](../manage-apps/what-is-application-management.md) and then [deploy the policies](identity-governance-applications-deploy.md) for governing access to them.

+Azure AD identity governance can be integrated with many applications, using [standards](../fundamentals/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Azure AD with many popular SaaS applications and on-premises applications, including applications that your organization has developed. This deployment plan covers how to connect your application to Azure AD and enable identity governance features to be used for that application.

+In order for Azure AD identity governance to be used for an application, the application must first be integrated with Azure AD. An application being integrated with Azure AD means one of two requirements must be met:

+* The application relies upon Azure AD for federated SSO, and Azure AD controls authentication token issuance. If Azure AD is the only identity provider for the application, then only users who are assigned to one of the application's roles in Azure AD are able to sign into the application. Those users that lose their application role assignment can no longer get a new token to sign in to the application.

+* The application relies upon user or group lists that are provided to the application by Azure AD. This fulfillment could be done through a provisioning protocol such as SCIM or by the application querying Azure AD via Microsoft Graph.

+If neither of those criteria are met for an application, for example when the application doesn't rely upon Azure AD, then identity governance can still be used. However, there may be some limitations using identity governance without meeting the criteria. For instance, users that aren't in your Azure AD, or aren't assigned to the application roles in Azure AD, won't be included in access reviews of the application, until you add them to the application roles. For more information, see [Preparing for an access review of users' access to an application](access-reviews-application-preparation.md).

+## Integrate the application with Azure AD to ensure only authorized users can access the application

+Typically this process of integrating an application begins when you configure that application to rely upon Azure AD for user authentication, with a federated single sign-on (SSO) protocol connection, and then add provisioning. The most commonly used protocols for SSO are [SAML and OpenID Connect](../develop/active-directory-v2-protocols.md). You can read more about the tools and process to [discover and migrate application authentication to Azure AD](../manage-apps/migrate-application-authentication-to-azure-active-directory.md).

+Next, if the application implements a provisioning protocol, then you should configure Azure AD to provision users to the application, so that Azure AD can signal to the application when a user has been granted access or a user's access has been removed. These provisioning signals permit the application to make automatic corrections, such as to reassign content created by an employee who has left to their manager.

+1. Check if your application is on the [list of enterprise applications](../manage-apps/view-applications-portal.md) or [list of app registrations](../develop/app-objects-and-service-principals.md). If the application is already present in your tenant, then skip to step 5 in this section.

+1. If your application is a SaaS application that isn't already registered in your tenant, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO. If it's in the gallery, then use the tutorials to integrate the application with Azure AD.

+ 1. Follow the [tutorial](../saas-apps/tutorial-list.md) to configure the application for federated SSO with Azure AD.

+ 1. if the application supports provisioning, [configure the application for provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md).

+ 1. When complete, skip to the next section in this article.

+ If the SaaS application isn't in the gallery, then [ask the SaaS vendor to onboard](../manage-apps/v2-howto-app-gallery-listing.md).

+1. If this is a private or custom application, you can also select a single sign-on integration that's most appropriate, based on the location and capabilities of the application.

+ * If this application is in the public cloud, and it supports single sign-on, then configure single sign-on directly from Azure AD to the application.

+ |Application supports| Next steps|

+ |-|--|

+ | OpenID Connect | [Add an OpenID Connect OAuth application](../saas-apps/openidoauth-tutorial.md) |

+ | SAML 2.0 | Register the application and configure the application with [the SAML endpoints and certificate of Azure AD](../develop/active-directory-saml-protocol-reference.md) |

+ | SAML 1.1 | [Add a SAML-based application](../saas-apps/saml-tutorial.md) |

+ * Otherwise, if this is an on-premises or IaaS hosted application that supports single sign-on, then configure single sign-on from Azure AD to the application through the application proxy.

+ |Application supports| Next steps|

+ |-|--|

+ | SAML 2.0| Deploy the [application proxy](../app-proxy/application-proxy.md) and configure an application for [SAML SSO](../app-proxy/application-proxy-configure-single-sign-on-on-premises-apps.md) |

+ | Integrated Windows Auth (IWA) | Deploy the [application proxy](../app-proxy/application-proxy.md), configure an application for [Integrated Windows authentication SSO](../app-proxy/application-proxy-configure-single-sign-on-with-kcd.md), and set firewall rules to prevent access to the application's endpoints except via the proxy.|

+ | header-based authentication | Deploy the [application proxy](../app-proxy/application-proxy.md) and configure an application for [header-based SSO](../app-proxy/application-proxy-configure-single-sign-on-with-headers.md) |

+1. If your application has multiple roles, and relies upon Azure AD to send a user's role as part of a user signing into the application, then configure those application roles in Azure AD on your application. You can use the [app roles UI](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to add those roles.

+1. If the application supports provisioning, then [configure provisioning](../app-provisioning/configure-automatic-user-provisioning-portal.md) of assigned users and groups from Azure AD to that application. If this is a private or custom application, you can also select the integration that's most appropriate, based on the location and capabilities of the application.

+ * If this application is in the public cloud and supports SCIM, then configure provisioning of users via SCIM.

+ |Application supports| Next steps|

+ |-|--|

+ | SCIM | Configure an application with SCIM [for user provisioning](../app-provisioning/use-scim-to-provision-users-and-groups.md) |

+ * Otherwise, if this is an on-premises or IaaS hosted application, then configure provisioning to that application, either via SCIM or to the underlying database or directory of the application.

+ |Application supports| Next steps|

+ |-|--|

+ | SCIM | configure an application with the [provisioning agent for on-premises SCIM-based apps](../app-provisioning/on-premises-scim-provisioning.md)|

+ | local user accounts, stored in a SQL database | configure an application with the [provisioning agent for on-premises SQL-based applications](../app-provisioning/on-premises-sql-connector-configure.md)|

+ | local user accounts, stored in an LDAP directory | configure an application with the [provisioning agent for on-premises LDAP-based applications](../app-provisioning/on-premises-ldap-connector-configure.md) |

+1. If your application uses Microsoft Graph to query groups from Azure AD, then [consent](../develop/consent-framework.md) to the applications to have the appropriate permissions to read from your tenant.

+1. Set that access to **the application is only permitted for users assigned to the application**. This setting will prevent users from inadvertently seeing the application in MyApps, and attempting to sign into the application, prior to Conditional Access policies being enabled.

+## Perform an initial access review

+If this is a new application your organization hasn't used before, and therefore no one has pre-existing access, or if you've already been performing access reviews for this application, then skip to the [next section](identity-governance-applications-deploy.md).

+However, if the application already existed in your environment, then it's possible that users may have gotten access in the past through manual or out-of-band processes, and those users should now be reviewed to have confirmation that their access is still needed and appropriate going forward. We recommend performing an access review of the users who already have access to the application, before enabling policies for more users to be able to request access. This review will set a baseline of all users having been reviewed at least once, to ensure that those users are authorized for continued access.

+1. Follow the steps in [Preparing for an access review of users' access to an application](access-reviews-application-preparation.md).

+1. Bring in any [existing users and create application role assignments](identity-governance-applications-existing-users.md) for them.

+1. If the application wasn't integrated for provisioning, then once the review is complete, you may need to manually update the application's internal database or directory to remove those users who were denied.

+1. Once the review has been completed and the application access updated, or if no users have access, then continue on to the next steps to deploy conditional access and entitlement management policies for the application.

+Now that you have a baseline that ensures existing access has been reviewed, then you can [deploy the organization's policies](identity-governance-applications-deploy.md) for ongoing access and any new access requests.

+## Next steps

+- [Deploy governance policies](identity-governance-applications-deploy.md)

+ Title: Govern access for applications in your environment - Azure AD

+description: Azure Active Directory Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. These features can be used for your existing business critical third party on-premises and cloud-based applications.

+documentationcenter: ''

+editor: markwahl-msft

+ na

+# Govern access for applications in your environment

+Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. Its features ensure that the right people have the right access to the right resources in your organization at the right time.

+Organizations with compliance requirements or risk management plans will have sensitive or business-critical applications. The application sensitivity may be based on its purpose or the data it contains, such as financial information or personal information of the organization's customers. For those applications, only a subset of all the users in the organization will typically be authorized to have access, and access should only be permitted based on documented business requirements. As part of your organization's controls for managing access, you can use Azure AD features to

+* set up appropriate access

+* enforce access checks

+* produce reports to demonstrate how those controls are being used to meet your compliance and risk management objectives.

+In addition to the application access governance scenario, you can also use identity governance and the other Azure AD features for other scenarios, such as [reviewing and removing users from other organizations](../governance/access-reviews-external-users.md) or [managing users who are excluded from Conditional Access policies](../governance/conditional-access-exclusion.md). If your organization has multiple administrators in Azure AD or Azure, uses B2B or self-service group management, then you should [plan an access reviews deployment](deploy-access-reviews.md) for those scenarios.

+## Getting started with governing access to applications

+Azure AD identity governance can be integrated with many applications, using [standards](../fundamentals/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Azure AD with many popular SaaS applications, as well as on-premises applications, and applications that your organization has developed. Once you've prepared your Azure AD environment, as described in the section below, the three step plan covers how to connect an application to Azure AD and enable identity governance features to be used for that application.

+1. [Define your organization's policies for governing access to the application](identity-governance-applications-define.md)

+1. [Integrate the application with Azure AD](identity-governance-applications-integrate.md) to ensure only authorized users can access the application, and review user's existing access to the application to set a baseline of all users having been reviewed

+1. [Deploy those policies](identity-governance-applications-deploy.md) for controlling single sign-on (SSO) and automating access assignments for that application

+## Prerequisites before configuring Azure AD for identity governance

+Before you begin the process of governing application access from Azure AD, you should check your Azure AD environment is appropriately configured.

+* **Ensure your Azure AD and Microsoft Online Services environment is ready for the [compliance requirements](../standards/standards-overview.md) for the applications to be integrated and properly licensed**. Compliance is a shared responsibility among Microsoft, cloud service providers (CSPs), and organizations. To use Azure AD to govern access to applications, you must have one of the following licenses in your tenant:

+ * Azure AD Premium P2

+ * Enterprise Mobility + Security (EMS) E5 license

+ Your tenant will need to have at least as many licenses as the number of member (non-guest) users who have or can request access to the applications, approve, or review access to the applications. With an appropriate license for those users, you can then govern access to up to 1500 applications per user.

+* **If you will be governing guest's access to the application, link your Azure AD tenant to a subscription for MAU billing**. This step will be necessary prior to having a guest request or review their access. For more information, see [billing model for Azure AD External Identities](../external-identities/external-identities-pricing.md).

+* **Check that Azure AD is already sending its audit log, and optionally other logs, to Azure Monitor.** Azure Monitor is optional, but useful for governing access to apps, as Azure AD only stores audit events for up to 30 days in its audit log. You can keep the audit data for longer than the default retention period, outlined in [How long does Azure AD store reporting data?](../reports-monitoring/reference-reports-data-retention.md), and use Azure Monitor workbooks and custom queries and reports on historical audit data. You can check the Azure AD configuration to see if it is using Azure Monitor, in **Azure Active Directory** in the Azure portal, by clicking on **Workbooks**. If this integration isn't configured, and you have an Azure subscription and are in the `Global Administrator` or `Security Administrator` roles, you can [configure Azure AD to use Azure Monitor](../governance/entitlement-management-logs-and-reporting.md).

+* **Make sure only authorized users are in the highly privileged administrative roles in your Azure AD tenant.** Administrators in the *Global Administrator*, *Identity Governance Administrator*, *User Administrator*, *Application Administrator*, *Cloud Application Administrator* and *Privileged Role Administrator* can make changes to users and their application role assignments. If the memberships of those roles have not yet been recently reviewed, you'll need a user who is in the *Global Administrator* or *Privileged Role Administrator* to ensure that [access review of these directory roles](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md) are started. You should also ensure that users in Azure roles in subscriptions that hold the Azure Monitor, Logic Apps and other resources needed for the operation of your Azure AD configuration have been reviewed.

+* **Check your tenant has appropriate isolation.** If your organization is using Active Directory on-premises, and these AD domains are connected to Azure AD, then you'll need to ensure that highly-privileged administrative operations for cloud-hosted services are isolated from on-premises accounts. Check that you've [configured your systems to protect your Microsoft 365 cloud environment from on-premises compromise](../fundamentals/protect-m365-from-on-premises-attacks.md).

+Once you have checked your Azure AD environment is ready, then proceed to [define the governance policies](identity-governance-applications-define.md) for your applications.

+## Next steps

+- [Define governance policies](identity-governance-applications-define.md)

+- [Integrate an application with Azure AD](identity-governance-applications-integrate.md)

+- [Deploy governance policies](identity-governance-applications-deploy.md)

+When a user attempts to access applications, Azure AD enforces [Conditional Access](../conditional-access/index.yml) policies. For example, Conditional Access policies can include displaying a [terms of use](../conditional-access/terms-of-use.md) and [ensuring the user has agreed to those terms](../conditional-access/require-tou.md) prior to being able to access an application. For more information, see [govern access to applications in your environment](identity-governance-applications-prepare.md).

+|Access certification|Admins can enable recurring access recertification for: SaaS apps, on-premises apps, cloud group memberships, Azure AD or Azure Resource role assignments. Automatically remove resource access, block guest access and delete guest accounts.|[Access reviews](access-reviews-overview.md), also surfaced in [PIM](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md)|

+|Fulfillment and provisioning|Automatic provisioning and deprovisioning into Azure AD connected apps, including via SCIM, LDAP, SQL and into SharePoint Online sites. |[user provisioning](../app-provisioning/user-provisioning.md)|

+Check out the [Getting started tab](https://portal.azure.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/GettingStarted) of **Identity Governance** in the Azure portal to start using entitlement management, access reviews, Privileged Identity Management, and Terms of use, and see some common use cases.

+There are also tutorials for [managing access to resources in entitlement management](entitlement-management-access-package-first.md), [onboarding external users to Azure AD through an approval process](entitlement-management-onboard-external-user.md), [governing access to existing applications](identity-governance-applications-prepare.md). You can also automate identity governance tasks through Microsoft Graph and PowerShell.

+- [Plan an access reviews deployment to manage resource access lifecycle](deploy-access-reviews.md)

+|[Developer tutorial: AD FS to Azure AD application migration playbook for developers](https://aka.ms/adfsplaybook) | This set of ASP.NET code samples and accompanying tutorials will help you learn how to safely and securely migrate your applications integrated with Active Directory Federation Services (AD FS) to Azure Active Directory (Azure AD). This tutorial is focused towards developers who not only need to learn how to configure apps on both AD FS and Azure AD, but also become aware and confident of changes their code base will require in this process.|

+| [Deployment plan: Enabling single sign-on to a SaaS app with Azure AD](https://aka.ms/SSODPDownload) | Single sign-on (SSO) helps you access all the apps and resources you need to do business, while signing in only once, using a single user account. For example, after a user has signed in, the user can move from Microsoft Office, to SalesForce, to Box without authenticating (for example, typing a password) a second time.

+| [Deployment plans](../fundamentals/active-directory-deployment-plans.md) | Find more deployment plans for deploying features such as Azure AD multi-factor authentication, Conditional Access, user provisioning, seamless SSO, self-service password reset, and more! |

+| [Migrating apps from Symantec SiteMinder to Azure AD](https://azure.microsoft.com/mediahandler/files/resourcefiles/migrating-applications-from-symantec-siteminder-to-azure-active-directory/Migrating-applications-from-Symantec-SiteMinder-to-Azure-Active-Directory.pdf) | Get step by step guidance on application migration and integration options with an example that walks you through migrating applications from Symantec SiteMinder to Azure AD. |

+| [Identity governance for applications](../governance/identity-governance-applications-prepare.md)| This guide outlines what you need to do if you're migrating identity governance for an application from a previous identity governance technology, to connect Azure AD to that application.|

+ Title: Submit a request to publish your application

+description: Learn how to publish your application in Azure Active Directory application gallery.

+# Submit a request to publish your application in Azure Active Directory application gallery

+You can publish applications you develop in the *Azure Active Directory* (Azure AD) application gallery, which is a catalog of thousands of apps. When you publish your applications, they're made publicly available for users to add to their tenants. For more information, see [Overview of the Azure Active Directory application gallery](overview-application-gallery.md).

+To publish your application in the Azure AD gallery, you need to complete the following tasks:

+To publish your application in the gallery, you must first read and agree to specific [terms and conditions](https://azure.microsoft.com/support/legal/active-directory-app-gallery-terms/).

+- Implement support for *single sign-on* (SSO). To learn more about supported options, see [Plan a single sign-on deployment](plan-sso-deployment.md).

+ - For password SSO, make sure that your application supports form authentication so that password vaulting can be used.

+ - For federated applications (OpenID and SAML/WS-Fed), the application must support the [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/). Enterprise gallery applications must support multiple user configurations and not any specific user.

+ - For Open ID Connect, the application must be multitenanted and the [Azure AD consent framework](../develop/consent-framework.md) must be correctly implemented.

+- Provisioning is optional yet highly recommended. To learn more about Azure AD SCIM, see [build a SCIM endpoint and configure user provisioning with Azure AD](../app-provisioning/use-scim-to-provision-users-and-groups.md).

+You can sign up for a free, test Development account. It's free for 90 days and you get all of the premium Azure AD features with it. You can also extend the account if you use it for development work: [Join the Microsoft 365 Developer Program](/office/developer-program/microsoft-365-developer-program).

+### Provide app documentation for your site

+Ease of adoption is an important factor for those that make decisions about enterprise software. Documentation that is clear and easy to follow helps your users adopt technology and it reduces support costs.

+Create documentation that includes the following information at minimum:

+- An introduction to your SSO functionality

+ - Protocols

+ - List of supported identity providers with documentation links

+- If you use OIDC/OAuth, a list of permissions required for consent, with business justifications

+- Details about your SCIM endpoint, including supported resources and attributes

+### App documentation on the Microsoft site

+When your application is added to the gallery, documentation is created that explains the step-by-step process. For an example, see [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md). This documentation is created based on your submission to the gallery. You can easily update the documentation if you make changes to your application by using your GitHub account.

+After you've tested that your application works with Azure AD, submit your application request in the [Microsoft Application Network portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps). The first time you try to sign in to the portal you are presented with one of two screens.

+After your account is added, you can sign in to the Microsoft Application Network portal and submit the request by selecting the **Submit Request (ISV)** tile on the home page. If you see the "Your sign-in was blocked" error while logging in, see [Troubleshoot sign-in to the Microsoft Application Network portal](troubleshoot-app-publishing.md).

+On the application **Registration** form, select the feature that you want to enable. Select **OpenID Connect & OAuth 2.0**, **SAML 2.0/WS-Fed**, or **Password SSO(UserName & Password)** depending on the feature that your application supports.

+If you're implementing a [SCIM](../app-provisioning/use-scim-to-provision-users-and-groups.md) 2.0 endpoint for user provisioning, select **User Provisioning (SCIM 2.0)**. Download the schema to provide in the onboarding request. For more information, see [Export provisioning configuration and roll back to a known good state](../app-provisioning/export-import-provisioning-configuration.md). The schema that you configured is used when testing the non-gallery application to build the gallery application.

+If you wish to register an MDM application in the Azure AD gallery, select **Register an MDM app**.

+Listing an SAML 2.0 or WS-Fed application in the gallery takes 7 to 10 business days.

+Listing an OpenID Connect application in the gallery takes 2 to 5 business days.

+Listing an SCIM provisioning application in the gallery varies, depending on numerous factors.

+Not all applications are onboarded. Per the terms and conditions, a decision can be made not to list an application. Onboarding applications is at the sole discretion of the onboarding team.

+To escalate issues of any kind, send an email to the [Azure AD SSO Integration Team](mailto:SaaSApplicationIntegrations@service.microsoft.com). A response is typically sent as soon as possible.

+## Update or Remove the application from the Gallery

+You can submit your application update request in the [Microsoft Application Network portal](https://microsoft.sharepoint.com/teams/apponboarding/Apps). The first time you try to sign into the portal you are presented with one of two screens.

+- If you receive the message "That didn't work", then you need to contact the [Azure AD SSO Integration Team](mailto:SaaSApplicationIntegrations@service.microsoft.com). Provide the email account that you want to use for submitting the request. A business email address such as `name@yourbusiness.com` is preferred. The Azure AD team will add the account in the Microsoft Application Network portal.

+- If you see a "Request Access" page, then fill in the business justification and select **Request Access**.

+After the account is added, you can sign in to the Microsoft Application Network portal and submit the request by selecting the **Submit Request (ISV)** tile on the home page and select **Update my applicationΓÇÖs listing in the gallery** and select one of the following options as per your choice -

+* If you want to update applications SSO feature, select **Update my applicationΓÇÖs Federated SSO feature**.

+* If you want to update Password SSO feature, select **Update my applicationΓÇÖs Password SSO feature**.

+* If you want to upgrade your listing from Password SSO to Federated SSO, select **Upgrade my application from Password SSO to Federated SSO**.

+* If you want to update MDM listing, select **Update my MDM app**.

+* If you want to improve User Provisioning feature, select **Improve my applicationΓÇÖs User Provisioning feature**.

+* If you want to remove the application from Azure AD gallery, select **Remove my application listing from the gallery**.

+If you see the **Your sign-in was blocked** error while logging in, see [Troubleshoot sign-in to the Microsoft Application Network portal](troubleshoot-app-publishing.md).

+The Microsoft Partner Network provides instant access to exclusive programs, tools, connections, and resources. To join the network and create your go-to-market plan, see [Reach commercial customers](https://partner.microsoft.com/explore/commercial#gtm).

+- Learn more about managing enterprise applications with [What is application management in Azure Active Directory?](what-is-application-management.md)

+ Title: 'Tutorial: Azure AD SSO integration with Anyone Home CRM'

+# Tutorial: Azure AD SSO integration with Anyone Home CRM

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Anyone Home CRM supports **IDP** initiated SSO.

+## Add Anyone Home CRM from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for Anyone Home CRM

+To configure and test Azure AD SSO with Anyone Home CRM, perform the following steps:

+1. In the Azure portal, on the **Anyone Home CRM** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Anyone Home CRM for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Anyone Home CRM tile in the My Apps, you should be automatically signed in to the Anyone Home CRM for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Anyone Home CRM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with ChronicX®'

+# Tutorial: Azure AD SSO integration with ChronicX®

+In this tutorial, you'll learn how to integrate ChronicX® with Azure Active Directory (Azure AD). When you integrate ChronicX® with Azure AD, you can:

+* Control in Azure AD who has access to ChronicX®.

+* Enable your users to be automatically signed-in to ChronicX® with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* ChronicX® single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* ChronicX® supports **SP** initiated SSO.

+* ChronicX® supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add ChronicX® from the gallery

+To configure the integration of ChronicX® into Azure AD, you need to add ChronicX® from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **ChronicX®** in the search box.

+1. Select **ChronicX®** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for ChronicX®

+Configure and test Azure AD SSO with ChronicX® using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ChronicX®.

+To configure and test Azure AD SSO with ChronicX®, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure ChronicX SSO](#configure-chronicx-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create ChronicX test user](#create-chronicx-test-user)** - to have a counterpart of B.Simon in ChronicX® that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **ChronicX®** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type the value:

+

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<subdomain>.chronicx.com/ups/processlogonSSO.jsp`

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up ChronicX®** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ChronicX®.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **ChronicX®**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure ChronicX SSO

+To configure single sign-on on **ChronicX®** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ChronicX® support team](https://www.casebank.com/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to ChronicX® Sign-On URL where you can initiate the login flow.

+* Go to ChronicX® Sign-On URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the ChronicX® tile in the My Apps, this will redirect to ChronicX® Sign-On URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure ChronicX® you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Cincom CPQ'

+description: Learn how to configure single sign-on between Azure Active Directory and Cincom CPQ.

+# Tutorial: Azure AD SSO integration with Cincom CPQ

+In this tutorial, you'll learn how to integrate Cincom CPQ with Azure Active Directory (Azure AD). When you integrate Cincom CPQ with Azure AD, you can:

+* Control in Azure AD who has access to Cincom CPQ.

+* Enable your users to be automatically signed-in to Cincom CPQ with their Azure AD accounts.

+* Cincom CPQ single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Cincom CPQ supports **SP and IDP** initiated SSO.

+## Add Cincom CPQ from the gallery

+To configure the integration of Cincom CPQ into Azure AD, you need to add Cincom CPQ from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. In the **Add from the gallery** section, type **Cincom CPQ** in the search box.

+1. Select **Cincom CPQ** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Cincom CPQ

+Configure and test Azure AD SSO with Cincom CPQ using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cincom CPQ.

+To configure and test Azure AD SSO with Cincom CPQ, perform the following steps:

+2. **[Configure Cincom CPQ SSO](#configure-cincom-cpq-sso)** - to configure the Single Sign-On settings on application side.

+ 1. **[Create Cincom CPQ test user](#create-cincom-cpq-test-user)** - to have a counterpart of B.Simon in Cincom CPQ that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **Cincom CPQ** application integration page, find the **Manage** section and select **Single sign-on**.

+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ In the **Sign-on URL** text box, type the URL:

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Cincom CPQ Client support team](https://supportweb.cincom.com/default.aspx) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+ 

+6. On the **Set up Cincom CPQ** section, copy the appropriate URL(s) based on your requirement.

+ 

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Cincom CPQ.

+1. In the applications list, select **Cincom CPQ**.

+## Configure Cincom CPQ SSO

+To configure single sign-on on **Cincom CPQ** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Cincom CPQ support team](https://supportweb.cincom.com/default.aspx). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Cincom CPQ test user

+In this section, you create a user called B.Simon in Cincom CPQ. Work with [Cincom CPQ support team](https://supportweb.cincom.com/default.aspx) to add the users in the Cincom CPQ platform. Users must be created and activated before you use single sign-on.

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Cincom CPQ Sign-On URL where you can initiate the login flow.

+* Go to Cincom CPQ Sign-On URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Cincom CPQ for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Cincom CPQ tile in the My Apps, if configured in SP mode you would be redirected to the application Sign-On page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Cincom CPQ for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Cincom CPQ you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with FirmPlay - Employee Advocacy for Recruiting'

+# Tutorial: Azure AD SSO integration with FirmPlay - Employee Advocacy for Recruiting

+In this tutorial, you'll learn how to integrate FirmPlay - Employee Advocacy for Recruiting with Azure Active Directory (Azure AD). When you integrate FirmPlay - Employee Advocacy for Recruiting with Azure AD, you can:

+* Control in Azure AD who has access to FirmPlay - Employee Advocacy for Recruiting.

+* Enable your users to be automatically signed-in to FirmPlay - Employee Advocacy for Recruiting with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+* FirmPlay - Employee Advocacy for Recruiting supports **SP** initiated SSO.

+## Add FirmPlay - Employee Advocacy for Recruiting from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **FirmPlay - Employee Advocacy for Recruiting** in the search box.

+1. Select **FirmPlay - Employee Advocacy for Recruiting** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for FirmPlay - Employee Advocacy for Recruiting

+Configure and test Azure AD SSO with FirmPlay - Employee Advocacy for Recruiting using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FirmPlay - Employee Advocacy for Recruiting.

+To configure and test Azure AD SSO with FirmPlay - Employee Advocacy for Recruiting, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

+ 2. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

+2. **[Configure FirmPlay - Employee Advocacy for Recruiting SSO](#configure-firmplayemployee-advocacy-for-recruiting-sso)** - to configure the Single Sign-On settings on application side.

+ 1. **[Create FirmPlay - Employee Advocacy for Recruiting test user](#create-firmplayemployee-advocacy-for-recruiting-test-user)** - to have a counterpart of Britta Simon in FirmPlay - Employee Advocacy for Recruiting that is linked to the Azure AD representation of user.

+6. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **FirmPlay - Employee Advocacy for Recruiting** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FirmPlay - Employee Advocacy for Recruiting.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **FirmPlay - Employee Advocacy for Recruiting**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure FirmPlay - Employee Advocacy for Recruiting SSO

+To configure single sign-on on **FirmPlay - Employee Advocacy for Recruiting** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [FirmPlay - Employee Advocacy for Recruiting support team](mailto:engineering@firmplay.com). They set this setting to have the SAML SSO connection set properly on both sides.

+In this section, you create a user called Britta Simon in FirmPlay - Employee Advocacy for Recruiting. Work with [FirmPlay - Employee Advocacy for Recruiting support team](mailto:engineering@firmplay.com) to add the users in the FirmPlay - Employee Advocacy for Recruiting platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to FirmPlay - Employee Advocacy for Recruiting Sign-on URL where you can initiate the login flow.

+* Go to FirmPlay - Employee Advocacy for Recruiting Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the FirmPlay - Employee Advocacy for Recruiting tile in the My Apps, this will redirect to FirmPlay - Employee Advocacy for Recruiting Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure FirmPlay - Employee Advocacy for Recruiting you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with ForeSee CX Suite'

+# Tutorial: Azure AD SSO integration with ForeSee CX Suite

+In this tutorial, you'll learn how to integrate ForeSee CX Suite with Azure Active Directory (Azure AD). When you integrate ForeSee CX Suite with Azure AD, you can:

+* Control in Azure AD who has access to ForeSee CX Suite.

+* Enable your users to be automatically signed-in to ForeSee CX Suite with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+* ForeSee CX Suite supports **SP** initiated SSO.

+* ForeSee CX Suite supports **Just In Time** user provisioning.

+## Add ForeSee CX Suite from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **ForeSee CX Suite** in the search box.

+1. Select **ForeSee CX Suite** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for ForeSee CX Suite

+Configure and test Azure AD SSO with ForeSee CX Suite using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ForeSee CX Suite.

+To configure and test Azure AD SSO with ForeSee CX Suite, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 2. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+2. **[Configure ForeSee CX Suite SSO](#configure-foresee-cx-suite-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create ForeSee CX Suite test user](#create-foresee-cx-suite-test-user)** - to have a counterpart of B.Simon in ForeSee CX Suite that is linked to the Azure AD representation of user.

+3. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **ForeSee CX Suite** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+ d. In the **Sign-on URL** text box, type a URL:

+ e. In the **Identifier** textbox, type a URL using the following pattern: https:\//www.okta.com/saml2/service-provider/\<UniqueID>

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+3. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 2. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 3. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 4. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to ForeSee CX Suite.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+3. In the app's overview page, find the **Manage** section and select **Users and groups**.

+4. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+5. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+6. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+7. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure ForeSee CX Suite SSO

+To configure single sign-on on **ForeSee CX Suite** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [ForeSee CX Suite support team](mailto:support@foresee.com). They set this setting to have the SAML SSO connection set properly on both sides.

+In this section, you create a user called Britta Simon in ForeSee CX Suite. Work with [ForeSee CX Suite support team](mailto:support@foresee.com) to add the users or the domain that must be added to an allowlist for the ForeSee CX Suite platform. If the domain is added by the team, users will get automatically provisioned to the ForeSee CX Suite platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to ForeSee CX Suite Sign-on URL where you can initiate the login flow.

+* Go to ForeSee CX Suite Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the ForeSee CX Suite tile in the My Apps, this will redirect to ForeSee CX Suite Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure ForeSee CX Suite you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+9. Review the user attributes that are synchronized from Azure AD to G Suite in the **Attribute-Mapping** section. Select the **Save** button to commit any changes.

+> [!NOTE]

+> GSuite Provisioning currently only supports the use of primaryEmail as the matching attribute.

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: 'Tutorial: Azure AD SSO integration with Insignia SAML SSO | Microsoft Docs'

+# Tutorial: Azure AD SSO integration with Insignia SAML SSO

+In this tutorial, you'll learn how to integrate Insignia SAML SSO with Azure Active Directory (Azure AD). When you integrate Insignia SAML SSO with Azure AD, you can:

+* Control in Azure AD who has access to Insignia SAML SSO.

+* Enable your users to be automatically signed-in to Insignia SAML SSO with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).

+* Insignia SAML SSO single sign-on enabled subscription.

+* Insignia SAML SSO supports **SP** initiated SSO.

+## Add Insignia SAML SSO from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Insignia SAML SSO** in the search box.

+1. Select **Insignia SAML SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Insignia SAML SSO

+Configure and test Azure AD SSO with Insignia SAML SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Insignia SAML SSO.

+To configure and test Azure AD SSO with Insignia SAML SSO, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 2. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+2. **[Configure Insignia SAML SSO](#configure-insignia-saml-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Insignia SAML SSO test user](#create-insignia-saml-sso-test-user)** - to have a counterpart of B.Simon in Insignia SAML SSO that is linked to the Azure AD representation of user.

+3. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Insignia SAML SSO** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+ a. In the **Sign on URL** text box, type a URL using one of the following patterns:

+ | Sign on URL|

+ ||

+ | `https://<customername>.insigniails.com/ils` |

+ | `https://<customername>.insigniails.com/` |

+ | `https://<customername>.insigniailsusa.com/` |

+ |

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+3. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 2. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 3. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 4. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Insignia SAML SSO.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+3. In the app's overview page, find the **Manage** section and select **Users and groups**.

+4. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+5. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+6. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+7. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Insignia SAML SSO

+To configure single sign-on on **Insignia SAML SSO** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Insignia SAML SSO support team](http://www.insigniasoftware.com/insignia/Techsupport.aspx). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Insignia SAML SSO Sign-on URL where you can initiate the login flow.

+* Go to Insignia SAML SSO Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Insignia SAML SSO tile in the My Apps, this will redirect to Insignia SAML SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Insignia SAML SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with iQualify LMS'

+# Tutorial: Azure AD SSO integration with iQualify LMS

+In this tutorial, you'll learn how to integrate iQualify LMS with Azure Active Directory (Azure AD). When you integrate iQualify LMS with Azure AD, you can:

+* Control in Azure AD who has access to iQualify LMS.

+* Enable your users to be automatically signed-in to iQualify LMS with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* iQualify LMS single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* iQualify LMS supports **SP and IDP** initiated SSO.

+* iQualify LMS supports **Just In Time** user provisioning.

+## Add iQualify LMS from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **iQualify LMS** in the search box.

+1. Select **iQualify LMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for iQualify LMS

+Configure and test Azure AD SSO with iQualify LMS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iQualify LMS.

+To configure and test Azure AD SSO with iQualify LMS, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure iQualify LMS SSO](#configure-iqualify-lms-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create iQualify LMS test user](#create-iqualify-lms-test-user)** - to have a counterpart of B.Simon in iQualify LMS that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **iQualify LMS** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a URL using one the following patterns:

+ | **Identifier** |

+ ||

+ | Production Environment: `https://<yourorg>.iqualify.com/` |

+ | Test Environment: `https://<yourorg>.iqualify.io` |

+ b. In the **Reply URL** text box, type a URL using one of the following patterns:

+ | **Reply URL** |

+ |--|

+ | Production Environment: `https://<yourorg>.iqualify.com/auth/saml2/callback` |

+ | Test Environment: `https://<yourorg>.iqualify.io/auth/saml2/callback` |

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type a URL using one of the following patterns:

+ | **Sign-on URL** |

+ |-|

+ | Production Environment: `https://<yourorg>.iqualify.com/login` |

+ | Test Environment: `https://<yourorg>.iqualify.io/login` |

+1. Your iQualify LMS application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open **User Attributes** dialog.

+ 

+1. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps:

+ 

+ 

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up iQualify LMS** section, copy the appropriate URL(s) as per your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to iQualify LMS.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **iQualify LMS**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure iQualify LMS SSO

+ 

+ 

+ 

+ 

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration using the My Apps.

+When you click the iQualify LMS tile in the My Apps, you should get login page of your iQualify LMS application.

+ 

+For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure iQualify LMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Novatus'

+# Tutorial: Azure AD SSO integration with Novatus

+In this tutorial, you'll learn how to integrate Novatus with Azure Active Directory (Azure AD). When you integrate Novatus with Azure AD, you can:

+* Control in Azure AD who has access to Novatus.

+* Enable your users to be automatically signed-in to Novatus with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).

+* Novatus single sign-on enabled subscription.

+* Novatus supports **SP** initiated SSO.

+* Novatus supports **Just In Time** user provisioning.

+## Add Novatus from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Novatus** in the search box.

+1. Select **Novatus** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Novatus

+Configure and test Azure AD SSO with Novatus using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Novatus.

+To configure and test Azure AD SSO with Novatus, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 2. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+2. **[Configure Novatus SSO](#configure-novatus-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Novatus test user](#create-novatus-test-user)** - to have a counterpart of B.Simon in Novatus that is linked to the Azure AD representation of user.

+3. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Novatus** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+3. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 2. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 3. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 4. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Novatus.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+3. In the app's overview page, find the **Manage** section and select **Users and groups**.

+4. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+5. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+6. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+7. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Novatus SSO

+To configure single sign-on on **Novatus** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Novatus support team](mailto:jvinci@novatusinc.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Novatus Sign-on URL where you can initiate the login flow.

+* Go to Novatus Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Novatus tile in the My Apps, this will redirect to Novatus Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+## Next steps

+Once you configure Novatus you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with NS1 SSO for Azure'

+# Tutorial: Azure AD SSO integration with NS1 SSO for Azure

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+1. Sign in to the Azure portal by using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for NS1 SSO for Azure

+1. In the Azure portal, on the **NS1 SSO for Azure** application integration page, find the **Manage** section. Select **single sign-on**.

+ 

+1. In the **Basic SAML Configuration** section, perform the following steps:

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ 

+ 

+ 

+ 

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to NS1 SSO for Azure Sign-on URL where you can initiate the login flow.

+* Go to NS1 SSO for Azure Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the NS1 SSO for Azure for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the NS1 SSO for Azure tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the NS1 SSO for Azure for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure NS1 SSO for Azure you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with SevOne Network Monitoring System (NMS)'

+description: Learn how to configure single sign-on between Azure Active Directory and SevOne Network Monitoring System (NMS).

+# Tutorial: Azure AD SSO integration with SevOne Network Monitoring System (NMS)

+In this tutorial, you'll learn how to integrate SevOne Network Monitoring System (NMS) with Azure Active Directory (Azure AD). When you integrate SevOne Network Monitoring System (NMS) with Azure AD, you can:

+* Control in Azure AD who has access to SevOne Network Monitoring System (NMS).

+* Enable your users to be automatically signed-in to SevOne Network Monitoring System (NMS) with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* SevOne Network Monitoring System (NMS) single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* SevOne Network Monitoring System (NMS) supports **SP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add SevOne Network Monitoring System (NMS) from the gallery

+To configure the integration of SevOne Network Monitoring System (NMS) into Azure AD, you need to add SevOne Network Monitoring System (NMS) from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **SevOne Network Monitoring System (NMS)** in the search box.

+1. Select **SevOne Network Monitoring System (NMS)** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for SevOne Network Monitoring System (NMS)

+Configure and test Azure AD SSO with SevOne Network Monitoring System (NMS) using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at SevOne Network Monitoring System (NMS).

+To configure and test Azure AD SSO with SevOne Network Monitoring System (NMS), perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure SevOne Network Monitoring System (NMS) SSO](#configure-sevone-network-monitoring-system-nms-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create SevOne Network Monitoring System (NMS) test user](#create-sevone-network-monitoring-system-nms-test-user)** - to have a counterpart of B.Simon in SevOne Network Monitoring System (NMS) that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **SevOne Network Monitoring System (NMS)** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the URL:

+ `https://azwcusehnmspas01.corp.microsoft.com/sso/callback`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://azwcusehnmspas01.corp.microsoft.com/sso/callback`

+ c. In the **Sign on URL** text box, type the URL:

+ `https://azwcusehnmspas01.corp.microsoft.com/sso/callback`

+ d. In the **Relay State** text box, type the value:

+ `sevonenms`

+1. SevOne Network Monitoring System (NMS) application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, SevOne Network Monitoring System (NMS) application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | displayname | user.displayname |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up SevOne Network Monitoring System (NMS)** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SevOne Network Monitoring System (NMS).

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **SevOne Network Monitoring System (NMS)**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure SevOne Network Monitoring System (NMS) SSO

+To configure single sign-on on **SevOne Network Monitoring System (NMS)** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [SevOne Network Monitoring System (NMS) support team](mailto:support@sevone.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create SevOne Network Monitoring System (NMS) test user

+In this section, you create a user called Britta Simon at SevOne Network Monitoring System (NMS). Work with [SevOne Network Monitoring System (NMS) support team](mailto:support@sevone.com) to add the users in the SevOne Network Monitoring System (NMS) platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to SevOne Network Monitoring System (NMS) Sign-On URL where you can initiate the login flow.

+* Go to SevOne Network Monitoring System (NMS) Sign-On URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the SevOne Network Monitoring System (NMS) tile in the My Apps, this will redirect to SevOne Network Monitoring System (NMS) Sign-On URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure SevOne Network Monitoring System (NMS) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Weekdone'

+# Tutorial: Azure AD SSO integration with Weekdone

+In this tutorial, you'll learn how to integrate Weekdone with Azure Active Directory (Azure AD). When you integrate Weekdone with Azure AD, you can:

+* Control in Azure AD who has access to Weekdone.

+* Enable your users to be automatically signed-in to Weekdone with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).

+* Weekdone single sign-on enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Weekdone supports **SP** and **IDP** initiated SSO.

+* Weekdone supports **Just In Time** user provisioning.

+## Add Weekdone from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Weekdone** in the search box.

+1. Select **Weekdone** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Weekdone

+Configure and test Azure AD SSO with Weekdone using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Weekdone.

+To configure and test Azure AD SSO with Weekdone, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Weekdone SSO](#configure-weekdone-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Weekdone test user](#create-weekdone-test-user)** - to have a counterpart of B.Simon in Weekdone that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Weekdone** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+1. Click **Set additional URLs** and perform the following step, if you wish to configure the application in **SP** initiated mode:

+ 

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Weekdone.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Weekdone**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Weekdone SSO

+To configure single sign-on on **Weekdone** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Weekdone support team](mailto:hello@weekdone.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Weekdone Sign-On URL where you can initiate the login flow.

+* Go to Weekdone Sign-On URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Weekdone for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Weekdone tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Weekdone for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Weekdone you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+## Create an AKS Private cluster with API Server VNet Integration using Managed VNet

+## Create an AKS Private cluster with API Server VNet Integration using bring-your-own VNet

+If the resource needs of your applications change, you can manually scale an AKS cluster to run a different number of nodes. When you scale down, nodes are carefully [cordoned and drained][kubernetes-drain] to minimize disruption to running applications. When you scale up, AKS waits until nodes are marked **Ready** by the Kubernetes cluster before pods are scheduled on them.

+> [!NOTE]

+> Removing nodes from a node pool using the kubectl command is not supported. Doing so can create scaling issues with your AKS cluster.

+```azurepowershell-interactive

+## Windows containers have connectivity issues after a cluster upgrade operation

+For older clusters with Calico network policies applied before Windows Calico support, Windows Calico will be enabled by default after a cluster upgrade. After Windows Calico is enabled on Windows, you may have connectivity issues if the Calico network policies denied ingress/egress. You can mitigate this issue by creating a new Calico policy on the cluster that allows all ingress/egress for Windows using either PodSelector or IPBlock.

+Uptime SLA is a tier to enable a financially backed, higher SLA for an AKS cluster. Clusters with Uptime SLA, also referred to as [Paid SKU tier][paid-sku-tier] in AKS REST APIs, come with greater amount of control plane resources and automatically scale to meet the load of your cluster. Uptime SLA guarantees 99.95% availability of the Kubernetes API server endpoint for clusters that use [Availability Zones][availability-zones], and 99.9% of availability for clusters that don't use Availability Zones. AKS uses master node replicas across update and fault domains to ensure SLA requirements are met.

+AKS recommends use of Uptime SLA in production workloads to ensure availability of control plane components. By contrast, clusters on the **Free SKU tier** support fewer replicas and limited resources for the control plane and are not suitable for production workloads.

+You can still create unlimited number of free clusters with a service level objective (SLO) of 99.5% and opt for the preferred SLO.

+[Azure CLI](/cli/azure/install-azure-cli) version 2.8.0 or later and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+To create a new cluster with the Uptime SLA, you use the Azure CLI. Create a new cluster in an existing resource group or create a new one. To learn more about resource groups and working with them, see [managing resource groups using the Azure CLI][manage-resource-group-cli].

+Use the [az aks create][az-aks-create] command to create an AKS cluster. The following example creates a cluster named *myAKSCluster* with one node enables the Uptime SLA. This operation takes several minutes to complete:

+After a few minutes, the command completes and returns JSON-formatted information about the cluster. The following example output of the JSON snippet shows the paid tier for the SKU, indicating your cluster is enabled with Uptime SLA:

+You can update your existing clusters to use Uptime SLA.

+> [!NOTE]

+> Updating your cluster to enable the Uptime SLA does not disrupt its normal operation or impact its availability.

+The following command uses the [az aks update][az-aks-update] command to update the existing cluster:

+This process takes several minutes to complete. When finished, the following example JSON snippet shows the paid tier for the SKU, indicating your cluster is enabled with Uptime SLA:

+At any time you can opt out of using the Uptime SLA by updating your cluster to change it back to the free tier.

+> [!NOTE]

+> Updating your cluster to stop using the Uptime SLA does not disrupt its normal operation or impact its availability.

+The following command uses the [az aks update][az-aks-update] command to update the existing cluster:

+ az aks update --resource-group myResourceGroup --name myAKSCluster --no-uptime-sla

+This process takes several minutes to complete.

+## Next steps

+- Use [Availability Zones][availability-zones] to increase high availability with your AKS cluster workloads.

+- Configure your cluster to [limit egress traffic](limit-egress-traffic.md).

+[paid-sku-tier]: /rest/api/aks/managed-clusters/create-or-update#managedclusterskutier

+[manage-resource-group-cli]: /azure-resource-manager/management/manage-resource-groups-cli

+[install-azure-cli]: /cli/azure/install-azure-cli

+| Supported platforms | Linux | Linux, Windows Server 2019 and 2022 |

+| Supported networking options | Azure CNI | Azure CNI (Linux, Windows Server 2019 and 2022) and kubenet (Linux) |

+If you plan on adding Windows node pools to your cluster, include the `windows-admin-username` and `windows-admin-password` parameters with that meet the [Windows Server password requirements][windows-server-password].

+description: A collection of .NET migration resources available to Azure App Service.

+## Migrate from multiple servers at-scale

+> [!NOTE]

+> [Learn how to migrate .NET apps to App Service using the .NET migration tutorial.](../migrate/tutorial-migrate-webapps.md)

+>

+Once you have successfully assessed readiness, you should proceed with migration of ASP.NET web apps to Azure App Services.

+There are existing tools which enable migration of a standalone ASP.Net web app or multiple ASP.NET web apps hosted on a single IIS server as explained in [Migrate .NET apps to Azure App Service](../migrate/tutorial-migrate-webapps.md). With introduction of At-Scale or bulk migration feature integrated with Azure Migrate we are now opening up the possibilities to migrate multiple ASP.NET application hosted on multiple on-premises IIS servers.

+Azure Migrate provides at-scale, agentless discovery, and assessment of ASP.NET web apps. You can discover ASP.NET web apps running on Internet Information Services (IIS) servers in a VMware environment and assess them for migration to Azure App Service. Assessments will help you determine the web app migration readiness, migration blockers, remediation guidance, recommended SKU, and hosting costs. At-scale migration resources for are found below.

+Bulk migration provides the following key capabilities:

+- Bulk Migration of ASP.NET web apps to Azure App Services multitenant or App services environment

+- Migrate ASP.NET web apps assessed as "Ready" & "Ready with Conditions"

+- Migrate up to five App Service Plans (and associated web apps) as part of a single E2E migration flow

+- Ability to change suggested SKU for the target App Service Plan (Ex: Change suggested Pv3 SKU to Standard PV2 SKU)

+- Ability to change web apps suggested web apps packing density for target app service plan (Add or Remove web apps associated with an App Service Plan)

+- Change target name for app service plans and\or web apps

+- Bulk edit migration settings\attributes

+- Download CSV with details of target web app and app service plan name

+- Track progress of migration using ARM template deployment experience

+| [Migrate .NET apps to App Service](../migrate/tutorial-migrate-webapps.md) |

+ Title: Assess .NET apps

+description: Assess .NET web apps before migrating to Azure App Service

+ms.devlang: csharp

+# At-scale assessment of .NET web apps

+Once you've discovered ASP.NET web apps you should proceed to the next step of assessing these web apps. Assessment provides you with migration readiness and sizing recommendations based on properties defined by you. Below is the list of key assessment capabilities:

+- Modify assessment properties as per your requirements like target Azure region, application isolation requirements, and reserved instance pricing.

+- Provide App Service SKU recommendation and display monthly cost estimates

+- Provide per web app migration readiness information and provide detailed information on blockers and errors.

+You can create multiple assessments for the same web apps with different sets of assessment properties

+For more information on web apps assessment, see:

+- [At scale discovery and assessment for ASP.NET app migration with Azure Migrate](https://channel9.msdn.com/Shows/Inside-Azure-for-IT/At-scale-discovery-and-assessment-for-ASPNET-app-migration-with-Azure-Migrate)

+- [Create an Azure App Service assessment](../migrate/how-to-create-azure-app-service-assessment.md)

+- [Tutorial to assess web apps for migration to Azure App Service](../migrate/tutorial-assess-webapps.md)

+- [Azure App Service assessments in Azure Migrate Discovery and assessment tool](../migrate/concepts-azure-webapps-assessment-calculation.md)

+- [Assessment best practices in Azure Migrate Discovery and assessment tool](../migrate/best-practices-assessment.md)

+Next steps:

+[At-scale migration of .NET web apps](/learn/modules/migrate-app-service-migration-assistant/)

+ Title: Discover .NET apps to Azure App Service

+description: Discover .NET migration resources available to Azure App Service.

+ms.devlang: csharp

+# At-scale discovery of .NET web apps

+For ASP. Net web apps discovery you need to either install a new Azure Migrate appliance or upgrade an existing Azure Migrate appliance.

+Once the appliance is configured, Azure Migrate initiates the discovery of web apps deployed on IIS web servers hosted within your on-premises VMware environment. Discovery of ASP.NET web apps provide the following key capabilities:

+- Agentless discovery of up to 20,000 web apps with a single Azure Migrate appliance

+- Provide a rich & interactive dashboard with a list of IIS web servers and underlying VM infra details. Web apps discovery surfaces information such as:

+ - web app name

+ - web server type and version

+ - URLs

+ - binding port

+ - application pool

+- If web app discovery has failed then the discovery dashboard allows easy navigation to review relevant error messages, possible causes of failure and suggested remediation actions

+For more information about web apps discovery please refer to:

+- [At scale discovery and assessment for ASP.NET app migration with Azure Migrate](https://channel9.msdn.com/Shows/Inside-Azure-for-IT/At-scale-discovery-and-assessment-for-ASPNET-app-migration-with-Azure-Migrate)

+- [Discover and assess ASP.NET apps at-scale with Azure Migrate](https://azure.microsoft.com/blog/discover-and-assess-aspnet-apps-atscale-with-azure-migrate/)

+- [At scale discovery and assessment for ASP.NET app migration with Azure Migrate](https://channel9.msdn.com/Shows/Inside-Azure-for-IT/At-scale-discovery-and-assessment-for-ASPNET-app-migration-with-Azure-Migrate)

+- [Discover software inventory on on-premises servers with Azure Migrate](../migrate/how-to-discover-applications.md)

+- [Discover web apps and SQL Server instances](../migrate/how-to-discover-sql-existing-project.md)

+Next steps:

+[At-scale assessment of .NET web apps](/learn/modules/migrate-app-service-migration-assistant/)

+- Configure individual custom domain [IP SSL bindings](..\configure-ssl-bindings.md#create-binding) with your apps.

+1. On the **Virtual Network** tab, configure a virtual network and subnet where the private endpoint network interface should be provisioned to. Configure whether the private endpoint should have a dynamic or static IP address. Select **Next**.

+Custom template (formerly custom form) are easy-to-train models that accurately extract labeled key-value pairs, selection marks, tables, regions, and signatures from documents. Template models use layout cues to extract values from documents and are suitable to extract fields from highly structured documents with defined visual templates.

+> [!NOTE]

+> **Detected languages vs extracted languages**

+>

+> This section lists the languages we can detect from the documents using the Read model, if present. Please note that this list differs from list of languages we support extracting text from, which is specified in the above sections for each model.

+### [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio) June Update

+The June release is the latest update to the Form Recognizer Studio. There are considerable UX and accessbility improvements addressed in this update:

+* 🆕 **Code sample for Javascript and C#**. Studio code tab now includes sample codes written in Javascript and C# in addition to the already existing Python code.

+* 🆕 **New document upload UI**. Studio now supports uploading a document with drag & drop into the new upload UI.

+* 🆕 **New feature for custom projects**. Custom projects now support creating storage account and file directories when configuring the project. In addition, custom project now supports uploading training files directly within the Studio and copying the existing custom model.

+The **2022-06-30-preview** release is the latest update to the Form Recognizer service for v3.0 capabilities and presents extensive updates across the feature APIs:

+> The example commands below assume that you created a data controller named `arc-dc` and Kubernetes namespace named `arc`. If you used different values update the script accordingly.

+kubectl get datacontroller/arc-dc --namespace arc

+> The example commands below assume that you created a data controller named `arc-dc` and Kubernetes namespace named `arc`. If you used different values update the script accordingly.

+kubectl get datacontroller/arc-dc --namespace arc

+ Title: Create a Data Controller using Kubernetes tools

+description: Create a Data Controller using Kubernetes tools

+# Create Azure Arc data controller using Kubernetes tools

+To create the Azure Arc data controller using Kubernetes tools you will need to have the Kubernetes tools installed. The examples in this article will use `kubectl`, but similar approaches could be used with other Kubernetes tools such as the Kubernetes dashboard, `oc`, or `helm` if you are familiar with those tools and Kubernetes yaml/json.

+> Some of the steps to create the Azure Arc data controller that are indicated below require Kubernetes cluster administrator permissions. If you are not a Kubernetes cluster administrator, you will need to have the Kubernetes cluster administrator perform these steps on your behalf.

+If you installed the Azure Arc data controller in the past on the same cluster and deleted the Azure Arc data controller, there may be some cluster level objects that would still need to be deleted.

+Run the following commands to delete the Azure Arc data controller cluster level objects:

+Creating the Azure Arc data controller has the following high level steps:

+ > [!IMPORTANT]

+ > Some of the steps below require Kubernetes cluster administrator permissions.

+1. Create the custom resource definitions for the Arc data controller, Azure SQL managed instance, and PostgreSQL Hyperscale.

+1. Create a namespace in which the data controller will be created.

+1. Create the webhook deployment job, cluster role and cluster role binding.

+## Create the custom resource definitions

+Run the following command to create the custom resource definitions.

+ > [!IMPORTANT]

+ > Requires Kubernetes cluster administrator permissions.

+```console

+kubectl create -f https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/custom-resource-definitions.yaml

+```

+If other people will be using this namespace that are not cluster administrators, we recommend creating a namespace admin role and granting that role to those users through a role binding. The namespace admin should have full permissions on the namespace. More granular roles and example role bindings can be found on the [Azure Arc GitHub repository](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/deploy/yaml/rbac).

+The bootstrapper service handles incoming requests for creating, editing, and deleting custom resources such as a data controller, SQL managed instances, or PostgreSQL Hyperscale server groups.

+Run the following command to create a bootstrapper service, a service account for the bootstrapper service, and a role and role binding for the bootstrapper service account.

+kubectl create --namespace arc -f https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/bootstrapper.yaml

+Verify that the bootstrapper pod is running using the following command. You may need to run it a few times until the status changes to `Running`.

+kubectl get pod --namespace arc

+The bootstrapper.yaml template file defaults to pulling the bootstrapper container image from the Microsoft Container Registry (MCR). If your environment does not have access directly to the Microsoft Container Registry, you can do the following:

+- [Create an image pull secret](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-lin) for your private container registry.

+- Add an image pull secret to the bootstrapper container. See example below.

+- Change the image location for the bootstrapper image. See example below.

+The example below assumes that you created a image pull secret name `arc-private-registry`.

+```yaml

+#Just showing only the relevant part of the bootstrapper.yaml template file here

+ spec:

+ serviceAccountName: sa-bootstrapper

+ nodeSelector:

+ kubernetes.io/os: linux

+ imagePullSecrets:

+ - name: arc-private-registry #Create this image pull secret if you are using a private container registry

+ containers:

+ - name: bootstrapper

+ image: mcr.microsoft.com/arcdata/arc-bootstrapper:v1.1.0_2021-11-02 #Change this registry location if you are using a private container registry.

+ imagePullPolicy: Always

+```

+## Create the webhook deployment job, cluster role and cluster role binding

+First, create a copy of the [template file](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/web-hook.yaml) locally on your computer so that you can modify some of the settings.

+Edit the file and replace `{{namespace}}` in all places with the name of the namespace you created in the previous step. **Save the file.**

+Run the following command to create the cluster role and cluster role bindings.

+ > [!IMPORTANT]

+ > Requires Kubernetes cluster administrator permissions.

+```console

+kubectl create -n arc -f <path to the edited template file on your computer>

+```

+First, create a copy of the [template file](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/data-controller.yaml) locally on your computer so that you can modify some of the settings.

+- **dockerRegistry**: The image pull secret to use to pull the images from a private container registry if required.

+- [Create a PostgreSQL Hyperscale server group using Kubernetes-native tools](./create-postgresql-hyperscale-server-group-kubernetes-native-tools.md)

+Open the Azure portal by using this special URL: [https://ms.portal.azure.com/?feature.canmodifystamps=true&Microsoft_Azure_HybridData_Platform=preview#home](https://ms.portal.azure.com/?feature.canmodifystamps=true&Microsoft_Azure_HybridData_Platform=preview#home).

+[Release notes - Azure Arc-enabled data services](release-notes.md)

+ Title: Upgrade indirectly connected Azure Arc data controller using Kubernetes tools

+description: Article describes how to upgrade an indirectly connected Azure Arc data controller using Kubernetes tools

+# Upgrade an indirectly connected Azure Arc data controller using Kubernetes tools

+1. Specify a service account.

+1. Set the cluster roles.

+1. Set the cluster role bindings.

+1. Set the job.

+Prior to beginning the upgrade of the Azure Arc data controller, you'll need:

+To upgrade the Azure Arc data controller using Kubernetes tools, you need to have the Kubernetes tools installed.

+## Create or download .yaml file

+To upgrade the data controller, you'll apply a yaml file to the Kubernetes cluster. The example file for the upgrade is available in GitHub at <https://github.com/microsoft/azure_arc/blob/main/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml>.

+You can download the file - and other Azure Arc related demonstration files - by cloning the repository. For example:

+```azurecli

+git clone https://github.com/microsoft/azure-arc

+```

+For more information, see [Cloning a repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository) in the GitHub docs.

+The following steps use files from the repository.

+In the yaml file, you'll replace ```{{namespace}}``` with your namespace.

+You'll need to connect and authenticate to a Kubernetes cluster and have an existing Kubernetes context selected prior to beginning the upgrade of the Azure Arc data controller.

+### Specify the service account

+The upgrade requires an elevated service account for the upgrade job.

+To specify the service account:

+1. Describe the service account in a .yaml file. The following example sets a name for `ServiceAccount` as `sa-arc-upgrade-worker`:

+ :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="2-4":::

+1. Edit the file as needed.

+### Set the cluster roles

+A cluster role (`ClusterRole`) grants the service account permission to perform the upgrade.

+1. Describe the cluster role and rules in a .yaml file. The following example defines a cluster role for `arc:cr-upgrade-worker` and allows all API groups, resources, and verbs.

+ :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="7-9":::

+1. Edit the file as needed.

+### Set the cluster role binding

+A cluster role binding (`ClusterRoleBinding`) links the service account and the cluster role.

+1. Describe the cluster role binding in a .yaml file. The following example describes a cluster role binding for the service account.

+ :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="20-21":::

+1. Edit the file as needed.

+### Specify the job

+A job creates a pod to execute the upgrade.

+1. Describe the job in a .yaml file. The following example creates a job called `arc-bootstrapper-upgrade-job`.

+ :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="31-48":::

+1. Edit the file for your environment.

+Specify the image tag to upgrade the data controller to.

+ :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="50-56":::

+### Apply the resources

+Run the following kubectl command to apply the resources to your cluster.

+``` bash

+kubectl apply -n <namespace> -f upgrade-indirect-k8s.yaml

+```

+ kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --user=$AAD_ENTITY_OBJECT_ID

+ kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --user=$AAD_ENTITY_OBJECT_ID

+ kubectl create serviceaccount demo-user

+ kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --serviceaccount default:demo-user

+1. Create a service account token:

+ kubectl apply -f - <<EOF

+ apiVersion: v1

+ kind: Secret

+ metadata:

+ name: demo-user-secret

+ annotations:

+ kubernetes.io/service-account.name: demo-user

+ type: kubernetes.io/service-account-token

+ EOF

+ $TOKEN=(kubectl get secret demo-user-secret -o jsonpath='{$.data.token}' | base64 -d | sed $'s/$/\\\n/g')

+ kubectl create serviceaccount demo-user

+ kubectl create clusterrolebinding demo-user-binding --clusterrole cluster-admin --serviceaccount default:demo-user

+1. Create a service account token by :

+ kubectl apply -f demo-user-secret.yaml

+ ```

+

+ Contents of `demo-user-secret.yaml`:

+ ```yaml

+ apiVersion: v1

+ kind: Secret

+ metadata:

+ name: demo-user-secret

+ annotations:

+ kubernetes.io/service-account.name: demo-user

+ type: kubernetes.io/service-account-token

+ $TOKEN = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((kubectl get secret demo-user-secret -o jsonpath='{$.data.token}'))))

+Each Azure Fluid Relay resource you create is assigned a **tenant ID** and its own unique **tenant secret key**. The secret key is a **shared secret**. Your app/service knows it, and the Azure Fluid Relay service knows it. TokenProviders must know the secret key to sign requests, but the secret key cannot be included in client code.

+One option for building a secure token provider is to create HTTPS endpoint and create a TokenProvider implementation that makes authenticated HTTPS requests to that endpoint to retrieve tokens. This path enables you to store the *tenant secret key* in a secure location, such as [Azure Key Vault](../../key-vault/general/overview.md).

+The `generateToken` function, found in the `@fluidframework/azure-service-utils` package, generates a token for the given user that is signed using the tenant's secret key. This method enables the token to be returned to the client without exposing the secret. Instead, the token is generated server-side using the secret to provide scoped access to the given document. The example ITokenProvider below makes HTTP requests to this Azure Function to retrieve tokens.

+TokenProviders can be implemented in many ways, but must implement two separate API calls: `fetchOrdererToken` and `fetchStorageToken`. These APIs are responsible for fetching tokens for the Fluid orderer and storage services respectively. Both functions return `TokenResponse` objects representing the token value. The Fluid Framework runtime calls these two APIs as needed to retrieve tokens. Note that while your application code is using only one service endpoint to establish conectivity with the Azure Fluid Relay service, the azure-client internally in conjunction with the service translate that one endpoint to an orderer and storage endpoint pair. Those two endpoints are used from that point on for that session. That is why you need to implement the two separate functions for fetching tokens, one for each.

+ endpoint: "https://myServiceEndpointUrl",

+ type: "remote",

+ endpoint: "https://myServiceEndpointUrl",

+ type: "remote",

+Queries executed by the input binding are [parameterized](/dotnet/api/microsoft.data.sqlclient.sqlparameter) in Microsoft.Data.SqlClient to reduce the risk of [SQL injection](/sql/relational-databases/security/sql-injection) from the parameter values passed into the binding.

+The output bindings uses the T-SQL [MERGE](/sql/t-sql/statements/merge-transact-sql) statement which requires [SELECT](/sql/t-sql/statements/merge-transact-sql#permissions) permissions on the target database.

+recommendations: false

+This article explains how you can use security features in Azure cloud services to help achieve compliance with the Trusted Internet Connections (TIC) initiative. It applies to both Azure and Azure Government cloud service environments, and covers TIC implications for Azure infrastructure as a service (IaaS) and Azure platform as a service (PaaS) cloud service models.

+The purpose of the TIC initiative is to enhance network security across the US federal government. This objective was initially realized by consolidating external connections and routing all network traffic through approved devices at TIC access points. In the intervening years, cloud computing became well established, paving the way for modern security architectures and a shift away from the primary focus on perimeter security. Accordingly, the TIC initiative evolved to provide federal agencies with increased flexibility to use modern security capabilities.

+The TIC initiative was originally outlined in the Office of Management and Budget (OMB) [Memorandum M-08-05](https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2008/m08-05.pdf) released in November 2007, and referred to in this article as TIC 2.0 guidance. The TIC program was envisioned to improve federal network perimeter security and incident response functions. TIC was originally designed to perform network analysis of all inbound and outbound .gov traffic. The goal was to identify specific patterns in network data flows and uncover behavioral anomalies, such as botnet activity. Agencies were mandated to consolidate their external network connections and route all traffic through intrusion detection and prevention devices known as EINSTEIN. The devices are hosted at a limited number of network endpoints, which are referred to as *trusted internet connections*.

+As part of its responsibility to protect the .gov network, DHS requires the raw data feeds of agency net flow data to correlate incidents across the federal enterprise and perform analyses by using specialized tools. DHS routers enable collection of IP network traffic as it enters or exits an interface. Network administrators can analyze the net flow data to determine the source and destination of traffic, the class of service, and other parameters. Net flow data is considered to be "non-content data" similar to the header, source IP, destination IP, and so on. Non-content data allows DHS to learn about the content: who was doing what and for how long.

+The TIC 2.0 initiative also includes security policies, guidelines, and frameworks that assume an on-premises infrastructure. Government agencies move to the cloud to achieve cost savings, operational efficiency, and innovation. However, the implementation requirements of TIC 2.0 can slow down network traffic. The speed and agility with which government users can access their cloud-based data is limited as a result.

+In September 2019, OMB released [Memorandum M-19-26](https://www.whitehouse.gov/wp-content/uploads/2019/09/M-19-26.pdf) that rescinded prior TIC-related memorandums and introduced [TIC 3.0 guidance](https://www.cisa.gov/trusted-internet-connections). The previous OMB memorandums required agency traffic to flow through a physical TIC access point, which has proven to be an obstacle to the adoption of cloud-based infrastructure. For example, TIC 2.0 focused exclusively on perimeter security by channeling all incoming and outgoing agency data through a TIC access point. In contrast, TIC 3.0 recognizes the need to account for multiple and diverse security architectures rather than a single perimeter security approach. This flexibility allows agencies to choose how to implement security capabilities in a way that fits best into their overall network architecture, risk management approach, and more.

+To enable this flexibility, the Cybersecurity & Infrastructure Security Agency (CISA) works with federal agencies to conduct pilots in diverse agency environments, which result in the development of TIC 3.0 use cases. For TIC 3.0 implementations, CISA encourages agencies to use [TIC 3.0 Core Guidance Documents](https://www.cisa.gov/publication/tic-30-core-guidance-documents) with the National Institute of Standards and Technology (NIST) [Cybersecurity Framework](https://www.nist.gov/cyberframework) (CSF) and [NIST SP 800-53](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) *Security and Privacy Controls for Federal Information Systems and Organizations*. These documents can help agencies design a secure network architecture and determine appropriate requirements from cloud service providers.

+TIC 3.0 complements other federal initiatives focused on cloud adoption such as the Federal Risk and Authorization Management Program (FedRAMP), which is based on the NIST SP 800-53 standard augmented by FedRAMP controls and control enhancements. Agencies can use existing Azure and Azure Government [FedRAMP High](/azure/compliance/offerings/offering-fedramp) provisional authorizations to operate (P-ATO) issued by the FedRAMP Joint Authorization Board. They can also use Azure and Azure Government support for the [NIST CSF](/azure/compliance/offerings/offering-nist-csf). To assist agencies with TIC 3.0 implementation when selecting cloud-based security capabilities, CISA has mapped TIC capabilities to the NIST CSF and NIST SP 800-53. For example, TIC 3.0 security objectives can be mapped to the five functions of the NIST CSF, including Identify, Protect, Detect, Respond, and Recover. The TIC security capabilities are mapped to the NIST CSF in the TIC 3.0 Security Capabilities Catalog available from [TIC 3.0 Core Guidance Documents](https://www.cisa.gov/publication/tic-30-core-guidance-documents).

+TIC 3.0 is a non-prescriptive cybersecurity guidance developed to provide agencies with flexibility to implement security capabilities that match their specific risk tolerance levels. While the guidance requires agencies to comply with all applicable telemetry requirements such as the National Cybersecurity Protection System (NCPS) and Continuous Diagnosis and Mitigation (CDM), TIC 3.0 currently only requires agencies to self-attest on their adherence to the TIC guidance.

+With TIC 3.0, agencies can maintain the legacy TIC 2.0 implementation that uses TIC access points while adopting TIC 3.0 capabilities. CISA provided guidance on how to implement the traditional TIC model in TIC 3.0, known as the [Traditional TIC Use Case](https://www.cisa.gov/publication/tic-30-core-guidance-documents).

+The rest of this article provides guidance that is pertinent to Azure capabilities needed for legacy TIC 2.0 implementations; however, some of this guidance is also useful for TIC 3.0 requirements.

+- **Direct internet connection** ΓÇô Connect to Azure services directly through an open internet connection. The medium and the connection are public. Application and transport-level encryption are relied on to ensure data protection. Bandwidth is limited by a site's connectivity to the internet. Use more than one active provider to ensure resiliency.

+- **Virtual Private Network (VPN)** ΓÇô Connect to your Azure virtual network privately by using a VPN gateway. The medium is public because it traverses a site's standard internet connection, but the connection is encrypted in a tunnel to ensure data protection. Bandwidth is limited depending on the VPN devices and the configuration you choose. Azure point-to-site connections usually are limited to 100 Mbps. Site-to-site connections range from 100 Mbps to 10 Gbps.

+- **Azure ExpressRoute** ΓÇô ExpressRoute is a direct connection to Microsoft services. ExpressRoute uses a provider at a peering location to connect to Microsoft Enterprise edge routers. ExpressRoute uses different peering types for IaaS and PaaS/SaaS services, private peering and Microsoft peering. Bandwidth ranges from 50 Mbps to 10 Gbps.

+- **Azure ExpressRoute Direct** ΓÇô ExpressRoute Direct allows for direct fiber connections from your edge to the Microsoft Enterprise edge routers at the peering location. ExpressRoute Direct removes a third-party connectivity provider from the required hops. Bandwidth ranges from 10 Gbps to 100 Gbps.

+To enable the connection from the *agency* to Azure or Microsoft 365, without routing traffic through the agency TIC, the agency must use:

+- An encrypted tunnel, or

+- A dedicated connection to the cloud service provider (CSP).

+The CSP services can ensure that connectivity to the agency cloud assets isn't offered via the public Internet for direct agency personnel access.

+For Azure only, the second option (VPN) and third option (ExpressRoute) can meet these requirements when they're used with services that limit access to the Internet.

+The main requirement to help assure compliance with the TIC 2.0 reference architecture is to ensure your virtual network is a private extension of the agency network. To be a *private* extension, the policy requires that no traffic is allowed to leave your network except via the on-premises TIC network connection. This process is known as *forced tunneling*. For TIC 2.0 compliance, the process routes all traffic from any system in the CSP environment through an on-premises gateway on an organization's network out to the Internet through the TIC.

+To configure a TIC-compliant architecture with Azure, you must first prevent direct Internet access to your virtual network, and then force Internet traffic through the on-premises network.

+All traffic that leaves the virtual network needs to route through the on-premises connection, to ensure that all traffic traverses the agency TIC. You create custom routes by creating user-defined routes, or by exchanging Border Gateway Protocol (BGP) routes between your on-premises network gateway and an Azure VPN gateway.

+- For more information about user-defined routes, see [Virtual network traffic routing: User-defined routes](../../virtual-network/virtual-networks-udr-overview.md#user-defined).

+- For more information about the BGP, see [Virtual network traffic routing: Border Gateway Protocol](../../virtual-network/virtual-networks-udr-overview.md#border-gateway-protocol).

+Confirm your default route propagation by observing the *effective routes* for a particular virtual machine, a specific NIC, or a user-defined route table in the [Azure portal](../../virtual-network/diagnose-network-routing-problem.md#diagnose-using-azure-portal) or in [Azure PowerShell](../../virtual-network/diagnose-network-routing-problem.md#diagnose-using-powershell). The **Effective Routes** show the relevant user-defined routes, BGP advertised routes, and system routes that apply to the relevant entity, as shown in the following figure:

+- **Deploy a dedicated instance of a service** ΓÇô An increasing number of PaaS services are deployable as dedicated instances with virtual network-attached endpoints, sometimes called *VNet injection*. You can deploy an App Service Environment in *isolated mode* to allow the network endpoint to be constrained to a virtual network. The App Service Environment can then host many Azure PaaS services, such as Web Apps, API Management, and Functions. For more information, see [Deploy dedicated Azure services into virtual networks](../../virtual-network/virtual-network-for-azure-services.md).

+- **Use virtual network service endpoints** ΓÇô An increasing number of PaaS services allow the option to move their endpoint to a virtual network private IP instead of a public address. For more information, see [Virtual Network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md).

+- **Use Azure Private Link** ΓÇô Provide a shared service with a private endpoint in your virtual network. Traffic between your virtual network and the service travels across the Microsoft backbone network and doesn't traverse the public Internet. For more information, see [Azure Private Link](../../private-link/private-link-overview.md).

+2. Azure VPN Gateway, when used with ExpressRoute and Microsoft Peering, can overlay end-to-end IPSec encryption between the customer virtual network and the on-premises edge.

+6. The PaaS service endpoint is secured to **default deny all** and to only allow access from specified subnets within the customer virtual network. Securing service resources to a virtual network provides improved security by fully removing public Internet access to resources and allowing traffic only from your virtual network.

+An increasing number of Azure multi-tenant services offer *service endpoints*. Service endpoints are an alternate method for integrating to Azure virtual networks. Virtual network service endpoints extend your virtual network IP address space and the identity of your virtual network to the service over a direct connection. Traffic from the virtual network to the Azure service always stays within the Azure backbone network.

+You can use [Azure Private Link](../../private-link/private-link-overview.md) to access Azure PaaS services and Azure-hosted customer or partner services over a [private endpoint](../../private-link/private-endpoint-overview.md) in your virtual network, ensuring that traffic between your virtual network and the service travels across the Microsoft global backbone network. This approach eliminates the need to expose the service to the public Internet. You can also create your own [private link service](../../private-link/private-link-service-overview.md) in your own virtual network and deliver it to your customers.

+Azure private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. Private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network.

+[Azure Policy](../../governance/policy/overview.md) is an Azure service that provides your organization with better ability to audit and enforce compliance initiatives. You can plan and test your Azure Policy rules now to assure future TIC compliance.

+You can easily configure network access to help comply with TIC 2.0 guidance and use Azure support for the NIST CSF and NIST SP 800-53 to address TIC 3.0 requirements.

+## Next steps

+- [Acquiring and accessing Azure Government](https://azure.microsoft.com/offers/azure-government/)

+- [Azure Government overview](../documentation-government-welcome.md)

+- [Azure Government security](../documentation-government-plan-security.md)

+- [Azure Government compliance](../documentation-government-plan-compliance.md)

+- [FedRAMP High](/azure/compliance/offerings/offering-fedramp)

+- [DoD Impact Level 4](/azure/compliance/offerings/offering-dod-il4)

+- [DoD Impact Level 5](/azure/compliance/offerings/offering-dod-il5)

+- [Azure Government isolation guidelines for Impact Level 5 workloads](../documentation-government-impact-level-5.md)

+- [Secure Azure Computing Architecture](./secure-azure-computing-architecture.md)

+- [Azure guidance for secure isolation](../azure-secure-isolation-guidance.md)

+- [Azure Policy overview](../../governance/policy/overview.md)

+- [Azure Policy regulatory compliance built-in initiatives](../../governance/policy/samples/index.md#regulatory-compliance)

+- [Create a data collection rule](data-collection-rule-azure-monitor-agent.md) to collect data from the agent and send it to Azure Monitor.

+ You can associate virtual machines to multiple data collection rules. This allows you to define each data collection rule to address a particular requirement, and associate the data collection rules to virtual machines based on the specific data you want to collect from each machine.

+To send data to Log Analytics, create the data collection rule in the **same region** as your Log Analytics workspace. You can still associate the rule to machines in other supported regions.

+1. Create a DCR file using the JSON format shown in [Sample DCR](data-collection-rule-sample-agent.md).

+ms. reviewer: shseth

+ Title: Azure AD authentication for Application Insights

+# Azure AD authentication for Application Insights

+Application Insights now supports [Azure Active Directory (Azure AD) authentication](../../active-directory/authentication/overview-authentication.md#what-is-azure-active-directory-authentication). By using Azure AD, you can ensure that only authenticated telemetry is ingested in your Application Insights resources.

+Using various authentication systems can be cumbersome and risky because it's difficult to manage credentials at scale. You can now choose to [opt-out of local authentication](#disable-local-authentication) to ensure only telemetry exclusively authenticated using [Managed Identities](../../active-directory/managed-identities-azure-resources/overview.md) and [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) is ingested in your resource. This feature is a step to enhance the security and reliability of the telemetry used to make both critical operational ([alerting](../alerts/alerts-overview.md#what-are-azure-monitor-alerts), [autoscale](../autoscale/autoscale-overview.md#overview-of-autoscale-in-microsoft-azure), etc.) and business decisions.

+## Prerequisites

+The following are prerequisites to enable Azure AD authenticated ingestion.

+- Understand the [unsupported scenarios](#unsupported-scenarios).

+Below is an example of how to configure Java agent to use system-assigned managed identity for authentication with Azure AD.

+Below is an example of how to configure Java agent to use user-assigned managed identity for authentication with Azure AD.

+Below is an example of how to configure Java agent to use service principal for authentication with Azure AD. We recommend users to use this type of authentication only during development. The ultimate goal of adding authentication feature is to eliminate secrets.

+Below are the following types of authentication that are supported by the `Opencensus` Azure Monitor exporters. Managed identities are recommended in production environments.

+After the Azure AD authentication is enabled, you can choose to disable local authentication. This configuration will allow you to ingest telemetry authenticated exclusively by Azure AD and impacts data access (for example, through API Keys).

+ :::image type="content" source="./media/azure-ad-authentication/enabled.png" alt-text="Screenshot of Properties under the *Configure* selected and enabled (select to change) local authentication button.":::

+ :::image type="content" source="./media/azure-ad-authentication/overview.png" alt-text="Screenshot of overview tab with the disabled (select to change) highlighted.":::

+## Unsupported scenarios

+The following SDK's and features are unsupported for use with Azure AD authenticated ingestion.

+- [Application Insights Java 2.x SDK](java-2x-agent.md)<br>

+ Azure AD authentication is only available for Application Insights Java Agent >=3.2.0.

+- [ApplicationInsights JavaScript Web SDK](javascript.md).

+- [Application Insights OpenCensus Python SDK](opencensus-python.md) with Python version 3.4 and 3.5.

+- [Certificate/secret based Azure AD](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md) isn't recommended for production. Use Managed Identities instead.

+- On-by-default Codeless monitoring (for languages) for App Service, VM/Virtual machine scale sets, Azure Functions etc.

+- [Availability tests](availability-overview.md).

+- [Profiler](profiler-overview.md).

+#### HTTP/1.1 400 Authentication not supported

+This error indicates that the resource has been configured for Azure AD only. The SDK hasn't been correctly configured and is sending to the incorrect API.

+This error indicates that the SDK has been correctly configured, but was unable to acquire a valid token. This error may indicate an issue with Azure Active Directory.

+This error indicates that the SDK has been configured with credentials that haven't been given permission to the Application Insights resource or subscription.

+`Failed to get AAD Token. Error message: `

+Internal logs could be turned on using the following setup. Once enabled, error logs will be shown in the console including any error related to Azure AD integration. For example, failure to generate the token when wrong credentials are supplied or errors when ingestion endpoint fails to authenticate using the provided credentials.

+If the following exception is seen in the log file `com.azure.identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established`, it indicates the agent wasn't successful in acquiring the access token. The probable reason might be you've provided invalid `clientId` in your User Assigned Managed Identity configuration

+If the following WARN message is seen in the log file, `WARN c.m.a.TelemetryChannel - Failed to send telemetry with status code: 403, please check your credentials`, it indicates the agent wasn't successful in sending telemetry. This warning might be because of the provided credentials don't grant the access to ingest the telemetry into the component

+If the following exception is seen in the log file `com.microsoft.aad.msal4j.MsalServiceException: Specified tenant identifier <TENANT-ID> is neither a valid DNS name, nor a valid external domain.`, it indicates the agent wasn't successful in acquiring the access token. The probable reason might be you've provided invalid/wrong `tenantId` in your client secret configuration.

+If the following exception is seen in the log file `com.microsoft.aad.msal4j.MsalServiceException: Invalid client secret is provided`, it indicates the agent wasn't successful in acquiring the access token. The probable reason might be you've provided invalid `clientSecret` in your client secret configuration.

+If the following exception is seen in the log file `com.microsoft.aad.msal4j.MsalServiceException: Application with identifier <CLIENT_ID> was not found in the directory`, it indicates the agent wasn't successful in acquiring the access token. The probable reason might be you've provided invalid/wrong "clientId" in your client secret configuration

+ This scenario can occur if the application hasn't been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

+Something is incorrect about the credential you're using and the client isn't able to obtain a token for authorization. It's due to lacking the required data for the state. An example would be passing in a system ManagedIdentityCredential but the resource isn't configured to use system-managed identity.

+Geolocation data can be removed in the following ways.

+* [Remove the client IP initializer](../app/configuration-with-applicationinsights-config.md)

+* [Use a custom initializer](../app/api-filtering-sampling.md)

+> - Exception records are no longer recorded for failed dependencies, they are only recorded for failed requests.

+* Quartz

+* Log4j (including MDC/Thread Context properties)

+* Logback (including MDC properties)

+* JBoss Logging (including MDC properties)

+* [Azure Cosmos DB](/java/api/overview/azure/cosmos-readme) 4.22.0+

+[//]: # "Cosmos 4.22.0+ due to https://github.com/Azure/azure-sdk-for-java/pull/25571"

+[//]: # "the remaining above names and links scraped from https://azure.github.io/azure-sdk/releases/latest/java.html"

+See the dedicated [troubleshooting article](java-standalone-troubleshoot.md).

+InstrumentationKey=...;IngestionEndpoint=...;LiveEndpoint=...

+If you have multiple applications deployed in the same JVM and want them to send telemetry to different instrumentation

+keys, see [Instrumentation key overrides (preview)](#instrumentation-key-overrides-preview).

+If you have multiple applications deployed in the same JVM and want them to send telemetry to different cloud role

+names, see [Cloud role name overrides (preview)](#cloud-role-name-overrides-preview).

+## Instrumentation key overrides (preview)

+## Cloud role name overrides (preview)

+This feature is in preview, starting from 3.3.0.

+Cloud role name overrides allow you to override the [default cloud role name](#cloud-role-name), for example:

+* Set one cloud role name for one http path prefix `/myapp1`.

+* Set another cloud role name for another http path prefix `/myapp2/`.

+```json

+{

+ "preview": {

+ "roleNameOverrides": [

+ {

+ "httpPathPrefix": "/myapp1",

+ "roleName": "12345678-0000-0000-0000-0FEEDDADBEEF"

+ },

+ {

+ "httpPathPrefix": "/myapp2",

+ "roleName": "87654321-0000-0000-0000-0FEEDDADBEEF"

+ }

+ ]

+ }

+}

+```

+Starting from version 3.2.0, if you want to capture controller "InProc" dependencies, please use the following configuration:

+Log4j, Logback, JBoss Logging, and java.util.logging are auto-instrumented,

+and logging performed via these logging frameworks is auto-collected.

+| level | Log4j | Logback | JBoss | JUL |

+|-|--||--||

+| OFF | OFF | OFF | OFF | OFF |

+| FATAL | FATAL | ERROR | FATAL | SEVERE |

+| ERROR (or SEVERE) | ERROR | ERROR | ERROR | SEVERE |

+| WARN (or WARNING) | WARN | WARN | WARN | WARNING |

+| INFO | INFO | INFO | INFO | INFO |

+| CONFIG | DEBUG | DEBUG | DEBUG | CONFIG |

+| DEBUG (or FINE) | DEBUG | DEBUG | DEBUG | FINE |

+| FINER | DEBUG | DEBUG | DEBUG | FINER |

+| TRACE (or FINEST) | TRACE | TRACE | TRACE | FINEST |

+| ALL | ALL | ALL | ALL | ALL |

+Starting from version 3.3.0, you can capture request and response headers on your server (request) telemetry:

+ "quartz": {

+ "enabled": false

+ },

+## Recovery from ingestion failures

+When sending telemetry to the Application Insights service fails, Application Insights Java 3.x will store the telemetry

+to disk and continue retrying from disk.

+The default limit for disk persistence is 50 Mb. If you have high telemetry volume, or need to be able to recover from

+longer network or ingestion service outages, you can increase this limit starting from version 3.3.0:

+```json

+{

+ "preview": {

+ "diskPersistenceMaxSizeMb": 50

+ }

+}

+```

+This use case is supported in Application Insights Java 3.x using [Instrumentation key overrides (preview)](./java-standalone-config.md#instrumentation-key-overrides-preview).

+- [Define alerts and automated actions from Azure Monitor data](best-practices-alerts.md)

+>[!NOTE]

+> As per the Kubernetes [upstream announcement](https://kubernetes.io/blog/2020/12/16/third-party-device-metrics-reaches-ga/#nvidia-gpu-metrics-deprecated), Kubernetes is deprecating GPU metrics that are being reported by the kubelet, for Kubernetes ver. 1.20+. This means Container Insights will no longer be able to collect the following metrics out of the box:

+> * containerGpuDutyCycle

+> * containerGpumemoryTotalBytes

+> * containerGpumemoryUsedBytes

+>

+> To continue collecting GPU metrics through Container Insights, please migrate by December 31, 2022 to your GPU vendor specific metrics exporter and configure [Prometheus scraping](./container-insights-prometheus-integration.md) to scrape metrics from the deployed vendor specific exporter.

+|containerGpuDutyCycle* |container.azm.ms/clusterId, container.azm.ms/clusterName, containerName, gpuId, gpuModel, gpuVendor|Percentage of time over the past sample period (60 seconds) during which GPU was busy/actively processing for a container. Duty cycle is a number between 1 and 100. |

+|containerGpumemoryTotalBytes* |container.azm.ms/clusterId, container.azm.ms/clusterName, containerName, gpuId, gpuModel, gpuVendor |Amount of GPU Memory in bytes available to use for a specific container. |

+|containerGpumemoryUsedBytes* |container.azm.ms/clusterId, container.azm.ms/clusterName, containerName, gpuId, gpuModel, gpuVendor |Amount of GPU Memory in bytes used by a specific container. |

+\* Based on Kubernetes upstream changes, these metrics are no longer collected out of the box, as a temporary hotfix, for AKS, upgrade your GPU Node pool to the latest version or \*-2022.06.08 or higher. For Arc enabled Kubernetes, enable feature gate DisableAcceleratorUsageMetrics=false in Kubelet configuration of the node and restart the Kubelet. Once the upstream changes reach GA, this fix will not longer work, make plans to migrate to using your GPU vendor specific metrics exporter by December 31, 2022.

+>[!NOTE]

+> As per the Kubernetes [upstream announcement](https://kubernetes.io/blog/2020/12/16/third-party-device-metrics-reaches-g)

+- [Add continuous monitoring](./app/continuous-monitoring.md) to your release pipeline.

+ms.reviwer: nikeist

+ms.reviwer: nikeist

+ms.reviwer: nikeist

+ --resource-group templateSpecRG \

+ --resource-group storageRG \

+ --resource-group templateSpecRG \

+ --resource-group storageRG \

+When analyzing a remote image, you specify the image's URL by formatting the request body like this: `{"url":"http://example.com/images/test.jpg"}`.

+To analyze a local image, you'd put the binary image data in the HTTP request body.

+> [!TIP]

+> You can also analyze a local image. See the [ComputerVisionClient](/dotnet/api/microsoft.azure.cognitiveservices.vision.computervision.computervisionclient) methods, such as **AnalyzeImageInStreamAsync**. Or, see the sample code on [GitHub](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/dotnet/ComputerVision/ImageAnalysisQuickstart.cs) for scenarios involving local images.

+> [!TIP]

+> You can also analyze a local image. See the [ComputerVision](/java/api/com.microsoft.azure.cognitiveservices.vision.computervision.computervision) methods, such as **AnalyzeImage**. Or, see the sample code on [GitHub](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/java/ComputerVision/src/main/java/ImageAnalysisQuickstart.java) for scenarios involving local images.

+> [!TIP]

+> You can also analyze a local image. See the [ComputerVisionClient](/javascript/api/@azure/cognitiveservices-computervision/computervisionclient) methods, such as **describeImageInStream**. Or, see the sample code on [GitHub](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/javascript/ComputerVision/ImageAnalysisQuickstart.js) for scenarios involving local images.

+> [!TIP]

+> You can also analyze a local image. See the [ComputerVisionClientOperationsMixin](/python/api/azure-cognitiveservices-vision-computervision/azure.cognitiveservices.vision.computervision.operations.computervisionclientoperationsmixin) methods, such as **analyze_image_in_stream**. Or, see the sample code on [GitHub](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/ComputerVision/ImageAnalysisQuickstart.py) for scenarios involving local images.

+* Configure the container and deploy it on a host machine.

+ Title: Run Spatial Analysis on a local video file

+description: Use this guide to learn how to run Spatial Analysis on a recorded local video.

+# Run Spatial Analysis on a local video file

+You can use Spatial Analysis with either recorded or live video. Use this guide to learn how to run Spatial Analysis on a recorded local video.

+## Prerequisites

+* Set up a Spatial Analysis container by following the steps in [Set up the host machine and run the container](spatial-analysis-container.md).

+## Analyze a video file

+To use Spatial Analysis for recorded video, record a video file and save it as a .mp4 file. Then take the following steps:

+1. Create a blob storage account in Azure, or use an existing one. Then update the following blob storage settings in the Azure portal:

+ 1. Change **Secure transfer required** to **Disabled**

+ 1. Change **Allow Blob public access** to **Enabled**

+1. Navigate to the **Container** section, and either create a new container or use an existing one. Then upload the video file to the container. Expand the file settings for the uploaded file, and select **Generate SAS**. Be sure to set the **Expiry Date** long enough to cover the testing period. Set **Allowed Protocols** to *HTTP* (*HTTPS* is not supported).

+1. Select on **Generate SAS Token and URL** and copy the Blob SAS URL. Replace the starting `https` with `http` and test the URL in a browser that supports video playback.

+1. Replace `VIDEO_URL` in the deployment manifest for your [Azure Stack Edge device](https://go.microsoft.com/fwlink/?linkid=2142179), [desktop machine](https://go.microsoft.com/fwlink/?linkid=2152270), or [Azure VM with GPU](https://go.microsoft.com/fwlink/?linkid=2152189) with the URL you created, for all of the graphs. Set `VIDEO_IS_LIVE` to `false`, and redeploy the Spatial Analysis container with the updated manifest. See the example below.

+The Spatial Analysis module will start consuming video file and will continuously auto replay as well.

+```json

+"zonecrossing": {

+ "operationId" : "cognitiveservices.vision.spatialanalysis-personcrossingpolygon",

+ "version": 1,

+ "enabled": true,

+ "parameters": {

+ "VIDEO_URL": "Replace http url here",

+ "VIDEO_SOURCE_ID": "personcountgraph",

+ "VIDEO_IS_LIVE": false,

+ "VIDEO_DECODE_GPU_INDEX": 0,

+ "DETECTOR_NODE_CONFIG": "{ \"gpu_index\": 0, \"do_calibration\": true }",

+ "SPACEANALYTICS_CONFIG": "{\"zones\":[{\"name\":\"queue\",\"polygon\":[[0.3,0.3],[0.3,0.9],[0.6,0.9],[0.6,0.3],[0.3,0.3]], \"events\": [{\"type\": \"zonecrossing\", \"config\": {\"threshold\": 16.0, \"focus\": \"footprint\"}}]}]}"

+ }

+ },

+```

+## Next steps

+* [Deploy a People Counting web application](spatial-analysis-web-app.md)

+* [Configure Spatial Analysis operations](spatial-analysis-operations.md)

+* [Logging and troubleshooting](spatial-analysis-logging.md)

+* [Camera placement guide](spatial-analysis-camera-placement.md)

+* [Zone and line placement guide](spatial-analysis-zone-line-placement.md)

+### Responsible AI for Face

+#### Face transparency documentation

+#### Retirement of sensitive attributes

+#### Fairlearn package and Microsoft's Fairness Dashboard

+#### Limited Access policy

+### Computer Vision 3.2-preview deprecation

+The preview versions of the 3.2 API are scheduled to be retired in December of 2022. Customers are encouraged to use the generally available (GA) version of the API instead. Mind the following changes when migrating from the 3.2-preview versions:

+1. The [Analyze Image](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) and [Read](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/5d986960601faab4bf452005) API calls now take an optional _model-version_ parameter that you can use to specify which AI model to use. By default, they will use the latest model.

+1. The [Analyze Image](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) and [Read](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/5d986960601faab4bf452005) API calls also return a `model-version` field in successful API responses. This field reports which model was used.

+1. Image Analysis APIs now use a different error-reporting format. See the [API reference documentation](https://westus.dev.cognitive.microsoft.com/docs/services/computer-vision-v3-2/operations/56f91f2e778daf14a499f21b) to learn how to adjust any error-handling code.

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+```azurecli

+Each request to an Azure Cognitive Service must include an authentication header. This header passes along a subscription key or authentication token, which is used to validate your subscription for a service or group of services. In this article, you'll learn about three ways to authenticate a request and the requirements for each.

+Both single service and multi-service subscription keys can be exchanged for authentication tokens. Authentication tokens are valid for 10 minutes. They're stored in JSON Web Token (JWT) format and can be queried programmatically using the [JWT libraries](https://jwt.io/libraries).

+## Submit an asynchronous job using the REST API

+To submit an asynchronous job, review the [reference documentation](/rest/api/language/text-analysis-runtime/submit-job) for the JSON body you'll send in your request.

+1. In the `tasks` object, include the operations you want performed on your data. For example, if you wanted to perform sentiment analysis, you would include the `SentimentAnalysisLROTask` object.

+ 1. Choose a specific [version of the model](model-lifecycle.md) used on your data.

+Once you've created the JSON body for your request, add your key to the `Ocp-Apim-Subscription-Key` header. Then send your API request to job creation endpoint. For example:

+POST https://your-endpoint.cognitiveservices.azure.com/language/analyze-text/jobs?api-version=2022-05-01

+GET {Endpoint}/language/analyze-text/jobs/12345678-1234-1234-1234-12345678?api-version=2022-05-01

+To [get the status and retrieve the results](/rest/api/language/text-analysis-runtime/job-status) of the request, send a GET request to the URL you received in the `operation-location` header from the previous API response. Remember to include your key in the `Ocp-Apim-Subscription-Key`. The response will include the results of your API call.

+* There is a new endpoint URL and request format for making REST API calls to prebuilt Language service features. See the following quickstart guides and [reference documentation](/rest/api/language/) for information on structuring your API calls. All text analytics 3.2-preview.2 API users can begin migrating their workloads to this new endpoint.

+ * [Entity linking](./entity-linking/quickstart.md?pivots=rest-api)

+ * [Language detection](./language-detection/quickstart.md?pivots=rest-api)

+ * [Key phrase extraction](./key-phrase-extraction/quickstart.md?pivots=rest-api)

+ * [Named entity recognition](./named-entity-recognition/quickstart.md?pivots=rest-api)

+ * [PII detection](./personally-identifiable-information/quickstart.md?pivots=rest-api)

+ * [Sentiment analysis and opinion mining](./sentiment-opinion-mining/quickstart.md?pivots=rest-api)

+ * [Text analytics for health](./text-analytics-for-health/quickstart.md?pivots=rest-api)

+As its name suggests, Azure confidential ledger utilizes the [Azure Confidential Computing platform](../confidential-computing/index.yml) and the [Confidential Consortium Framework](https://ccf.dev) to provide a high integrity solution that is tamper-protected and evident. One ledger spans across three or more identical instances, each of which run in a dedicated, fully attested hardware-backed enclave. The ledger's integrity is maintained through a consensus-based blockchain.

+The ledger APIs support certificate-based authentication process with owner roles as well as Azure Active Directory (AAD) based authentication and also role-based access (for example, owner, reader, and contributor).

+The data to the ledger is sent through TLS 1.3 connection and the TLS 1.3 connection terminates inside the hardware backed security enclaves (Intel® SGX enclaves). This ensures that no one can intercept the connection between a customer's client and the confidential ledger server nodes.

+- Once a confidential ledger is created, you cannot change the ledger type (private or public).

+| Ledger | An immutable append-only record of transactions (also known as a Blockchain) |

+| Commit | A confirmation that a transaction has been appended to the ledger. |

+| [Container file system](#container-file-system) | Temporary storage scoped to the local container | Writing a local app cache. |

+The `acr purge` command is currently distributed in a public container image (`mcr.microsoft.com/acr/acr-cli:0.5`), built from source code in the [acr-cli](https://github.com/Azure/acr-cli) repo in GitHub. `acr purge` is currently in preview.

+* `--filter` - A repository name *regular expression* and a tag name *regular expression* to filter images in the registry. Examples: `--filter "hello-world:.*"` matches all tags in the `hello-world` repository, `--filter "hello-world:^1.*"` matches tags beginning with `1` in the `hello-world` repository, and `--filter ".*/cache:.*"` matches all tags in the repositories ending in `/cache`. You can also pass multiple `--filter` parameters.

+| `acr` | `mcr.microsoft.com/acr/acr-cli:0.5` |

+| `az` | `mcr.microsoft.com/acr/azure-cli:7ee1d7f` |

+| `bash` | `mcr.microsoft.com/acr/bash:7ee1d7f` |

+| `curl` | `mcr.microsoft.com/acr/curl:7ee1d7f` |

+ "image": "$upstream:8000/acr/connected-registry:0.7.0",

+> The current implementation of burst capacity is subject to change in the future. Usage of burst capacity is subject to system resource availability and is not guaranteed. Azure Cosmos DB may also use burst capacity for background maintenance tasks. If your workload requires consistent throughput beyond what you have provisioned, it's recommended to provision your RU/s accordingly without relying on burst capacity. Before enabling burst capacity, it is also recommended to evaluate if your partition layout can be [merged](merge.md) to permanently give more RU/s per physical partition without relying on burst capacity.

+To get started using burst capacity, enroll in the preview by submitting a request for the **Azure Cosmos DB Burst Capacity** feature via the [**Preview Features** page](../azure-resource-manager/management/preview-features.md) in your Azure Subscription overview page. You can also select the **Register for preview** button in the eligibility check page to open the **Preview Features** page.

+Before submitting your request:

+- Ensure that you have at least 1 Azure Cosmos DB account in the subscription. This may be an existing account or a new one you've created to try out the preview feature. If you have no accounts in the subscription when the Azure Cosmos DB team receives your request, it will be declined, as there are no accounts to apply the feature to.

+- Verify that your Azure Cosmos DB account(s) meet all the [preview eligibility criteria](#preview-eligibility-criteria).

+The Azure Cosmos DB team will review your request and contact you via email to confirm which account(s) in the subscription you want to enroll in the preview.

+To check whether an Azure Cosmos DB account is eligible for the preview, you can use the built-in eligibility checker in the Azure portal. From your Azure Cosmos DB account overview page in the Azure portal, navigate to **Diagnose and solve problems** -> **Throughput and Scaling** -> **Burst Capacity**. Run the **Check eligibility for burst capacity preview** diagnostic.

+ - There are no SDK or driver requirements to use the feature with Cassandra API, Gremlin API, or API for MongoDB.

+ - Azure Cosmos DB Spark connector

+ - Azure Cosmos DB data migration tool

+ - Any 3rd party library or tool that has a dependency on an Azure Cosmos DB SDK that is not .NET V3 SDK v3.27.0 or higher

+* Azure Data Factory<sup>1</sup>

+* Azure Stream Analytics<sup>1</sup>

+* Logic Apps<sup>1</sup>

+* Azure Functions<sup>1</sup>

+* Azure Search<sup>1</sup>

+* Azure Cosmos DB Spark connector<sup>1</sup>

+* Azure Cosmos DB data migration tool

+* Any 3rd party library or tool that has a dependency on an Azure Cosmos DB SDK that is not .NET V3 SDK v3.27.0 or higher

+<sup>1</sup>Support for these connectors is planned for the future.

+## <a id="disable-analytical-store"></a> Optional - Disable analytical store in a SQL API container

+Analytical store can be disabled in SQL API containers using Azure CLI or PowerShell.

+> [!NOTE]

+> Please note that currently this action can't be undone. If analytical store is disabled in a container, it can never be re-enabled.

+> [!NOTE]

+> Please note that disabling analitical store is not available for MongoDB API collections.

+### Azure CLI

+Set `--analytical-storage-ttl` parameter to 0 using the `az cosmosdb sql container update` Azure CLI command.

+### PowerShell

+Set `-AnalyticalStorageTtl` paramenter to 0 using the `Update-AzCosmosDBSqlContainer` PowerShell command.

+Merging partitions in Azure Cosmos DB (preview) allows you to reduce the number of physical partitions used for your container in place. With merge, containers that are fragmented in throughput (have low RU/s per partition) or storage (have low storage per partition) can have their physical partitions reworked. If a container's throughput has been scaled up and needs to be scaled back down, merge can help resolve throughput fragmentation issues. For the same amount of provisioned RU/s, having fewer physical partitions means each physical partition gets more of the overall RU/s. Minimizing partitions reduces the chance of rate limiting if a large quantity of data is removed from a container and RU/s per partition is low. Merge can help clear out unused or empty partitions, effectively resolving storage fragmentation problems.

+To get started using partition merge, enroll in the preview by submitting a request for the **Azure Cosmos DB Partition Merge** feature via the [**Preview Features** page](../azure-resource-manager/management/preview-features.md) in your Azure Subscription overview page. You can also select the **Register for preview** button in the eligibility check page to open the **Preview Features** page.

+Before submitting your request:

+- Ensure that you have at least 1 Azure Cosmos DB account in the subscription. This may be an existing account or a new one you've created to try out the preview feature. If you have no accounts in the subscription when the Azure Cosmos DB team receives your request, it will be declined, as there are no accounts to apply the feature to.

+- Verify that your Azure Cosmos DB account(s) meet all the [preview eligibility criteria](#preview-eligibility-criteria).

+The Azure Cosmos DB team will review your request and contact you via email to confirm which account(s) in the subscription you want to enroll in the preview.

+To check whether an Azure Cosmos DB account is eligible for the preview, you can use the built-in eligibility checker in the Azure portal. From your Azure Cosmos DB account overview page in the Azure portal, navigate to **Diagnose and solve problems** -> **Throughput and Scaling** -> **Partition Merge**. Run the **Check eligibility for partition merge preview** diagnostic.

+ * Azure Cosmos DB Spark connector

+ * Azure Cosmos DB data migration tool

+ * Any 3rd party library or tool that has a dependency on an Azure Cosmos DB SDK that is not .NET V3 SDK v3.27.0 or higher

+* Azure Data Factory<sup>1</sup>

+* Azure Stream Analytics<sup>1</sup>

+* Logic Apps<sup>1</sup>

+* Azure Functions<sup>1</sup>

+* Azure Search<sup>1</sup>

+* Azure Cosmos DB Spark connector<sup>1</sup>

+* Azure Cosmos DB data migration tool

+* Any 3rd party library or tool that has a dependency on an Azure Cosmos DB SDK that is not .NET V3 SDK v3.27.0 or higher

+<sup>1</sup>Support for these connectors is planned for the future.

+ 1. Migrate your account from periodic to continuous backup mode with ``continuous30days`` tier or ``continuous7days`` days. If a tier value isn't provided, it's assumed to be ``continuous30days``:

+1. Migrate the account to ``continuous30days`` or ``continuous7days`` tier. If tier value isn't provided, it's assumed to be ``continuous30days``:

+You can switch between ``Continuous30Days`` and ``Continous7Days`` in Azure PowerShell, Azure CLI or the Azure portal.

+The following cmdlet is an example of continuous backup account configured with the ``Continuous30days`` tier:

+The following cmdlet is an example of an account with continuous backup policy configured with the ``Continuous30days`` tier:

+ log.Fatal("Failed to create database client:", err)

+ log.Fatal("Failed to create a container client:", err)

+**Create a Cosmos DB database**

+import (

+ "context"

+ "log"

+ "github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos"

+)

+func createDatabase (client *azcosmos.Client, databaseName string) error {

+// databaseName := "adventureworks"

+ // sets the name of the database

+ databaseProperties := azcosmos.DatabaseProperties{ID: databaseName}

+ // creating the database

+ ctx := context.TODO()

+ databaseResp, err := client.CreateDatabase(ctx, databaseProperties, nil)

+ if err != nil {

+ log.Fatal(err)

+ }

+ return nil

+import (

+ "context"

+ "log"

+ "github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos"

+)

+func createContainer (client *azcosmos.Client, databaseName, containerName, partitionKey string) error {

+// databaseName = "adventureworks"

+// containerName = "customer"

+// partitionKey = "/customerId"

+

+ databaseClient, err := client.NewDatabase(databaseName) // returns a struct that represents a database

+ if err != nil {

+ log.Fatal("Failed to create a database client:", err)

+ }

+ // Setting container properties

+ containerProperties := azcosmos.ContainerProperties{

+ ID: containerName,

+ PartitionKeyDefinition: azcosmos.PartitionKeyDefinition{

+ Paths: []string{partitionKey},

+ },

+ }

+ // Setting container options

+ throughputProperties := azcosmos.NewManualThroughputProperties(400) //defaults to 400 if not set

+ options := &azcosmos.CreateContainerOptions{

+ ThroughputProperties: &throughputProperties,

+ }

+ ctx := context.TODO()

+ containerResponse, err := databaseClient.CreateContainer(ctx, containerProperties, options)

+ if err != nil {

+ log.Fatal(err)

+ }

+ log.Printf("Container [%v] created. ActivityId %s\n", containerName, containerResponse.ActivityID)

+

+ return nil

+import (

+ "context"

+ "log"

+ "github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos"

+)

+func createItem(client *azcosmos.Client, databaseName, containerName, partitionKey string, item any) error {

+// databaseName = "adventureworks"

+// containerName = "customer"

+// partitionKey = "1"

+/*

+ item = struct {

+ ID string `json:"id"`

+ CustomerId string `json:"customerId"`

+ Title string

+ FirstName string

+ LastName string

+ EmailAddress string

+ PhoneNumber string

+ CreationDate string

+ }{

+ ID: "1",

+ CustomerId: "1",

+ Title: "Mr",

+ FirstName: "Luke",

+ LastName: "Hayes",

+ EmailAddress: "luke12@adventure-works.com",

+ PhoneNumber: "879-555-0197",

+ }

+*/

+ // Create container client

+ containerClient, err := client.NewContainer(databaseName, containerName)

+ if err != nil {

+ return fmt.Errorf("failed to create a container client: %s", err)

+ }

+ // Specifies the value of the partiton key

+ pk := azcosmos.NewPartitionKeyString(partitionKey)

+ b, err := json.Marshal(item)

+ if err != nil {

+ return err

+ }

+ // setting item options upon creating ie. consistency level

+ itemOptions := azcosmos.ItemOptions{

+ ConsistencyLevel: azcosmos.ConsistencyLevelSession.ToPtr(),

+ }

+ ctx := context.TODO()

+ itemResponse, err := containerClient.CreateItem(ctx, pk, b, &itemOptions)

+ if err != nil {

+ return err

+ }

+ log.Printf("Status %d. Item %v created. ActivityId %s. Consuming %v Request Units.\n", itemResponse.RawResponse.StatusCode, pk, itemResponse.ActivityID, itemResponse.RequestCharge)

+ return nil

+import (

+ "context"

+ "log"

+ "fmt"

+ "github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos"

+)

+func readItem(client *azcosmos.Client, databaseName, containerName, partitionKey, itemId string) error {

+// databaseName = "adventureworks"

+// containerName = "customer"

+// partitionKey = "1"

+// itemId = "1"

+ // Create container client

+ containerClient, err := client.NewContainer(databaseName, containerName)

+ if err != nil {

+ return fmt.Errorf("Failed to create a container client: %s", err)

+ }

+ // Specifies the value of the partiton key

+ pk := azcosmos.NewPartitionKeyString(partitionKey)

+ // Read an item

+ ctx := context.TODO()

+ itemResponse, err := containerClient.ReadItem(ctx, pk, itemId, nil)

+ if err != nil {

+ return err

+ }

+ itemResponseBody := struct {

+ ID string `json:"id"`

+ CustomerId string `json:"customerId"`

+ Title string

+ FirstName string

+ LastName string

+ EmailAddress string

+ PhoneNumber string

+ CreationDate string

+ }{}

+ err = json.Unmarshal(itemResponse.Value, &itemResponseBody)

+ if err != nil {

+ return err

+ }

+ b, err := json.MarshalIndent(itemResponseBody, "", " ")

+ if err != nil {

+ return err

+ }

+ fmt.Printf("Read item with customerId %s\n", itemResponseBody.CustomerId)

+ fmt.Printf("%s\n", b)

+ log.Printf("Status %d. Item %v read. ActivityId %s. Consuming %v Request Units.\n", itemResponse.RawResponse.StatusCode, pk, itemResponse.ActivityID, itemResponse.RequestCharge)

+ return nil

+import (

+ "context"

+ "log"

+ "github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos"

+)

+func deleteItem(client *azcosmos.Client, databaseName, containerName, partitionKey, itemId string) error {

+// databaseName = "adventureworks"

+// containerName = "customer"

+// partitionKey = "1"

+// itemId = "1"

+ // Create container client

+ containerClient, err := client.NewContainer(databaseName, containerName)

+ if err != nil {

+ return fmt.Errorf("Failed to create a container client: %s", err)

+ }

+ // Specifies the value of the partiton key

+ pk := azcosmos.NewPartitionKeyString(partitionKey)

+ // Delete an item

+ ctx := context.TODO()

+ res, err := containerClient.DeleteItem(ctx, pk, itemId, nil)

+ if err != nil {

+ return err

+ }

+ log.Printf("Status %d. Item %v deleted. ActivityId %s. Consuming %v Request Units.\n", res.RawResponse.StatusCode, pk, res.ActivityID, res.RequestCharge)

+ return nil

+Use the values copied from the Azure portal to set the following environment variables:

+export AZURE_COSMOS_ENPOINT=<Your_AZURE_COSMOS_URI>

+export AZURE_COSMOS_KEY=<Your_COSMOS_PRIMARY_KEY>

+$env:AZURE_COSMOS_ENDPOINT=<Your_AZURE_COSMOS_URI>

+$env:AZURE_COSMOS_KEY=<Your_AZURE_COSMOS_URI>

+```go

+package main

+import (

+ "context"

+ "encoding/json"

+ "errors"

+ "fmt"

+ "log"

+ "os"

+ "github.com/Azure/azure-sdk-for-go/sdk/azcore"

+ "github.com/Azure/azure-sdk-for-go/sdk/data/azcosmos"

+)

+func main() {

+ endpoint := os.Getenv("AZURE_COSMOS_ENDPOINT")

+ if endpoint == "" {

+ log.Fatal("AZURE_COSMOS_ENDPOINT could not be found")

+ }

+ key := os.Getenv("AZURE_COSMOS_KEY")

+ if key == "" {

+ log.Fatal("AZURE_COSMOS_KEY could not be found")

+ }

+ var databaseName = "adventureworks"

+ var containerName = "customer"

+ var partitionKey = "/customerId"

+ item := struct {

+ ID string `json:"id"`

+ CustomerId string `json:"customerId"`

+ Title string

+ FirstName string

+ LastName string

+ EmailAddress string

+ PhoneNumber string

+ CreationDate string

+ }{

+ ID: "1",

+ CustomerId: "1",

+ Title: "Mr",

+ FirstName: "Luke",

+ LastName: "Hayes",

+ EmailAddress: "luke12@adventure-works.com",

+ PhoneNumber: "879-555-0197",

+ }

+ cred, err := azcosmos.NewKeyCredential(key)

+ if err != nil {

+ log.Fatal("Failed to create a credential: ", err)

+ }

+ // Create a CosmosDB client

+ client, err := azcosmos.NewClientWithKey(endpoint, cred, nil)

+ if err != nil {

+ log.Fatal("Failed to create cosmos db client: ", err)

+ }

+

+ err = createDatabase(client, databaseName)

+ if err != nil {

+ log.Printf("createDatabase failed: %s\n", err)

+ }

+ err = createContainer(client, databaseName, containerName, partitionKey)

+ if err != nil {

+ log.Printf("createContainer failed: %s\n", err)

+ }

+ err = createItem(client, databaseName, containerName, item.CustomerId, item)

+ if err != nil {

+ log.Printf("createItem failed: %s\n", err)

+ }

+ err = readItem(client, databaseName, containerName, item.CustomerId, item.ID)

+ if err != nil {

+ log.Printf("readItem failed: %s\n", err)

+ }

+

+ err = deleteItem(client, databaseName, containerName, item.CustomerId, item.ID)

+ if err != nil {

+ log.Printf("deleteItem failed: %s\n", err)

+ }

+}

+func createDatabase(client *azcosmos.Client, databaseName string) error {

+// databaseName := "adventureworks"

+ databaseProperties := azcosmos.DatabaseProperties{ID: databaseName}

+ // This is a helper function that swallows 409 errors

+ errorIs409 := func(err error) bool {

+ var responseErr *azcore.ResponseError

+ return err != nil && errors.As(err, &responseErr) && responseErr.StatusCode == 409

+ }

+ ctx := context.TODO()

+ databaseResp, err := client.CreateDatabase(ctx, databaseProperties, nil)

+ switch {

+ case errorIs409(err):

+ log.Printf("Database [%s] already exists\n", databaseName)

+ case err != nil:

+ return err

+ default:

+ log.Printf("Database [%v] created. ActivityId %s\n", databaseName, databaseResp.ActivityID)

+ }

+ return nil

+}

+func createContainer(client *azcosmos.Client, databaseName, containerName, partitionKey string) error {

+// databaseName = adventureworks

+// containerName = customer

+// partitionKey = "/customerId"

+ databaseClient, err := client.NewDatabase(databaseName)

+ if err != nil {

+ return err

+ }

+ // creating a container

+ containerProperties := azcosmos.ContainerProperties{

+ ID: containerName,

+ PartitionKeyDefinition: azcosmos.PartitionKeyDefinition{

+ Paths: []string{partitionKey},

+ },

+ }

+ // this is a helper function that swallows 409 errors

+ errorIs409 := func(err error) bool {

+ var responseErr *azcore.ResponseError

+ return err != nil && errors.As(err, &responseErr) && responseErr.StatusCode == 409

+ }

+ // setting options upon container creation

+ throughputProperties := azcosmos.NewManualThroughputProperties(400) //defaults to 400 if not set

+ options := &azcosmos.CreateContainerOptions{

+ ThroughputProperties: &throughputProperties,

+ }

+ ctx := context.TODO()

+ containerResponse, err := databaseClient.CreateContainer(ctx, containerProperties, options)

+

+ switch {

+ case errorIs409(err):

+ log.Printf("Container [%s] already exists\n", containerName)

+ case err != nil:

+ return err

+ default:

+ log.Printf("Container [%s] created. ActivityId %s\n", containerName, containerResponse.ActivityID)

+ }

+ return nil

+}

+func createItem(client *azcosmos.Client, databaseName, containerName, partitionKey string, item any) error {

+// databaseName = "adventureworks"

+// containerName = "customer"

+// partitionKey = "1"

+/* item = struct {

+ ID string `json:"id"`

+ CustomerId string `json:"customerId"`

+ Title string

+ FirstName string

+ LastName string

+ EmailAddress string

+ PhoneNumber string

+ CreationDate string

+ }{

+ ID: "1",

+ CustomerId: "1",

+ Title: "Mr",

+ FirstName: "Luke",

+ LastName: "Hayes",

+ EmailAddress: "luke12@adventure-works.com",

+ PhoneNumber: "879-555-0197",

+ CreationDate: "2014-02-25T00:00:00",

+ }

+*/

+ // create container client

+ containerClient, err := client.NewContainer(databaseName, containerName)

+ if err != nil {

+ return fmt.Errorf("failed to create a container client: %s", err)

+ }

+ // specifies the value of the partiton key

+ pk := azcosmos.NewPartitionKeyString(partitionKey)

+ b, err := json.Marshal(item)

+ if err != nil {

+ return err

+ }

+ // setting the item options upon creating ie. consistency level

+ itemOptions := azcosmos.ItemOptions{

+ ConsistencyLevel: azcosmos.ConsistencyLevelSession.ToPtr(),

+ }

+ // this is a helper function that swallows 409 errors

+ errorIs409 := func(err error) bool {

+ var responseErr *azcore.ResponseError

+ return err != nil && errors.As(err, &responseErr) && responseErr.StatusCode == 409

+ }

+ ctx := context.TODO()

+ itemResponse, err := containerClient.CreateItem(ctx, pk, b, &itemOptions)

+

+ switch {

+ case errorIs409(err):

+ log.Printf("Item with partitionkey value %s already exists\n", pk)

+ case err != nil:

+ return err

+ default:

+ log.Printf("Status %d. Item %v created. ActivityId %s. Consuming %v Request Units.\n", itemResponse.RawResponse.StatusCode, pk, itemResponse.ActivityID, itemResponse.RequestCharge)

+ }

+

+ return nil

+}

+func readItem(client *azcosmos.Client, databaseName, containerName, partitionKey, itemId string) error {

+// databaseName = "adventureworks"

+// containerName = "customer"

+// partitionKey = "1"

+// itemId = "1"

+ // Create container client

+ containerClient, err := client.NewContainer(databaseName, containerName)

+ if err != nil {

+ return fmt.Errorf("failed to create a container client: %s", err)

+ }

+ // Specifies the value of the partiton key

+ pk := azcosmos.NewPartitionKeyString(partitionKey)

+ // Read an item

+ ctx := context.TODO()

+ itemResponse, err := containerClient.ReadItem(ctx, pk, itemId, nil)

+ if err != nil {

+ return err

+ }

+ itemResponseBody := struct {

+ ID string `json:"id"`

+ CustomerId string `json:"customerId"`

+ Title string

+ FirstName string

+ LastName string

+ EmailAddress string

+ PhoneNumber string

+ CreationDate string

+ }{}

+ err = json.Unmarshal(itemResponse.Value, &itemResponseBody)

+ if err != nil {

+ return err

+ }

+ b, err := json.MarshalIndent(itemResponseBody, "", " ")

+ if err != nil {

+ return err

+ }

+ fmt.Printf("Read item with customerId %s\n", itemResponseBody.CustomerId)

+ fmt.Printf("%s\n", b)

+ log.Printf("Status %d. Item %v read. ActivityId %s. Consuming %v Request Units.\n", itemResponse.RawResponse.StatusCode, pk, itemResponse.ActivityID, itemResponse.RequestCharge)

+ return nil

+}

+func deleteItem(client *azcosmos.Client, databaseName, containerName, partitionKey, itemId string) error {

+// databaseName = "adventureworks"

+// containerName = "customer"

+// partitionKey = "1"

+// itemId = "1"

+ // Create container client

+ containerClient, err := client.NewContainer(databaseName, containerName)

+ if err != nil {

+ return fmt.Errorf("failed to create a container client:: %s", err)

+ }

+ // Specifies the value of the partiton key

+ pk := azcosmos.NewPartitionKeyString(partitionKey)

+ // Delete an item

+ ctx := context.TODO()

+ res, err := containerClient.DeleteItem(ctx, pk, itemId, nil)

+ if err != nil {

+ return err

+ }

+ log.Printf("Status %d. Item %v deleted. ActivityId %s. Consuming %v Request Units.\n", res.RawResponse.StatusCode, pk, res.ActivityID, res.RequestCharge)

+ return nil

+}

+```

+Create a new file named `main.go` and copy the code from the sample section above.

+If you aren't seeing 429 responses and your end to end latency is acceptable, then no action to reconfigure RU/s per partition is required. If you have a workload that has consistent traffic with occasional unpredictable spikes across *all your partitions*, it's recommended to use [autoscale](../provision-throughput-autoscale.md) and [burst capacity (preview)](../burst-capacity.md). Autoscale and burst capacity will ensure you can meet your throughput requirements. If you have a small amount of RU/s per partition, you can also use the [partition merge (preview)](../merge.md) to reduce the number of partitions and ensure more RU/s per partition for the same total provisioned throughput.

+To get started using distributed throughput across partitions, enroll in the preview by submitting a request for the **Azure Cosmos DB Throughput Redistribution Across Partitions** feature via the [**Preview Features** page](../../azure-resource-manager/management/preview-features.md) in your Azure Subscription overview page. You can also select the **Register for preview** button in the eligibility check page to open the **Preview Features** page.

+Before submitting your request:

+- Ensure that you have at least 1 Azure Cosmos DB account in the subscription. This may be an existing account or a new one you've created to try out the preview feature. If you have no accounts in the subscription when the Azure Cosmos DB team receives your request, it will be declined, as there are no accounts to apply the feature to.

+- Verify that your Azure Cosmos DB account(s) meet all the [preview eligibility criteria](#preview-eligibility-criteria).

+The Azure Cosmos DB team will review your request and contact you via email to confirm which account(s) in the subscription you want to enroll in the preview.

+To check whether an Azure Cosmos DB account is eligible for the preview, you can use the built-in eligibility checker in the Azure portal. From your Azure Cosmos DB account overview page in the Azure portal, navigate to **Diagnose and solve problems** -> **Throughput and Scaling** -> **Throughput redistribution across partition**. Run the **Check eligibility for throughput redistribution across partitions preview** diagnostic.

+ - Azure Cosmos DB Spark connector

+ - Azure Cosmos DB data migration tool

+ - Any 3rd party library or tool that has a dependency on an Azure Cosmos DB SDK that is not .NET V3 SDK v3.27.0 or higher

+

+* Azure Data Factory<sup>1</sup>

+* Azure Stream Analytics<sup>1</sup>

+* Logic Apps<sup>1</sup>

+* Azure Functions<sup>1</sup>

+* Azure Search<sup>1</sup>

+* Azure Cosmos DB Spark connector<sup>1</sup>

+* Azure Cosmos DB data migration tool

+* Any 3rd party library or tool that has a dependency on an Azure Cosmos DB SDK that is not .NET V3 SDK v3.27.0 or higher

+<sup>1</sup>Support for these connectors is planned for the future.

+ - Subscription and reservation transfer are supported for direct EA customers. A direct enterprise agreement is one that's signed between Microsoft and an enterprise agreement customer.

+ - Only subscription transfers are supported for indirect EA customers. Reservation transfers aren't supported. An indirect EA agreement is one where a customer signs an agreement with a Microsoft partner.

+ | If the error message contains "Execution Timeout Expired", it's usually caused by query timeout. | Configure **Query timeout** in the source and **Write batch timeout** in the sink to increase timeout. |

+- Google AdWords

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ If there's a failure, an alert is raised. The alert details the cause and the recommendation to fix the issue. The alert also links to a file that has the complete summary of the failures including the files that failed to update or delete.

+ 

+ 

+ 

+ 

+ 

+ 

+You can use the Azure Edge Hardware Center to explore and order various hardware from the Azure hybrid portfolio including Azure Stack Edge Pro 2 devices.

+| **Suspicious extraction of Azure Cosmos DB account keys** (AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal) | A suspicious source extracted Azure Cosmos DB account access keys from your subscription. If this source is not a legitimate source, this may be a high impact issue. The access key that was extracted provides full control over the associated databases and the data stored within. See the details of each specific alert to understand why the source was flagged as suspicious. | Credential Access | high |

+> For a comprehensive list of all Defender for Azure Cosmos DB alerts, see the [alerts reference page](alerts-reference.md#alerts-azurecosmos). This is useful for workload owners who want to know what threats can be detected and help SOC teams gain familiarity with detections before investigating them. Learn more about what's in a Defender for Cloud security alert, and how to manage your alerts in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.md).

+You can learn more by watching these video from the Defender for Cloud in the Field video series:

+- [Microsoft Defender for Containers in a multi-cloud environment](episode-nine.md)

+- [Protect Containers in GCP with Defender for Containers](episode-ten.md)

+You can learn more by watching this video from the Defender for Cloud in the Field video series:

+- [Microsoft Defender for Containers](episode-three.md)

+You can learn more by watching these videos from the Defender for Cloud in the Field video series:

+- [Microsoft Defender for Servers](episode-five.md)

+- [Enhanced workload protection features in Defender for Servers](episode-twelve.md)

+- [Deploy in Defender for Servers in AWS and GCP](episode-fourteen.md)

+You can learn more by watching this video from the Defender for Cloud in the Field video series:

+- [Defender for Storage in the field](episode-thirteen.md)

+You can learn more by watching this video from the Defender for Cloud in the Field video series:

+- [Microsoft Defender for Servers](episode-five.md)

+- [How can I monitor my daily usage](#how-can-i-monitor-my-daily-usage)

+### How can I monitor my daily usage

+description: Learn all about Microsoft Defender for Servers.

+You can learn more by watching this video from the Defender for Cloud in the Field video series:

+- [Integration with Azure Purview](episode-two.md)

+You can learn more by watching this video from the Defender for Cloud in the Field video series:

+- [New AWS connector](episode-one.md)

+You can learn more by watching this video from the Defender for Cloud in the Field video series:

+- [Security posture management improvements](episode-four.md)

+| Domain | Feature | Supported Resources | Linux release state <sup>[1](#footnote1)</sup> | Windows release state <sup>[1](#footnote1)</sup> | Agentless/Agent-based | Pricing Tier | Azure clouds availability |

+| Compliance | Docker CIS | VM, VMSS | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Hardening | Kubernetes data plane recommendations | AKS | GA | - | Azure Policy | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Runtime protection| Threat detection (workload) | AKS | Preview | - | Defender profile | Defender for Containers | Commercial clouds |

+| Discovery and provisioning | Auto provisioning of Defender profile | AKS | Preview | - | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Discovery and provisioning | Auto provisioning of Azure policy add-on | AKS | GA | - | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

+| Domain | Feature | Supported Resources | Linux release state <sup>[1](#footnote1)</sup> | Windows release state <sup>[1](#footnote1)</sup> | Agentless/Agent-based | Pricing tier |

+| Compliance | Docker CIS | EC2 | Preview | - | Log Analytics agent | Defender for Servers Plan 2 |

+| Hardening | Kubernetes data plane recommendations | EKS | Preview | - | Azure Policy extension | Defender for Containers |

+| Runtime protection| Threat detection (workload) | EKS | Preview | - | Defender extension | Defender for Containers |

+| Discovery and provisioning | Discovery of unprotected clusters | EKS | Preview | - | Agentless | Free |

+| Domain | Feature | Supported Resources | Linux release state <sup>[1](#footnote1)</sup> | Windows release state <sup>[1](#footnote1)</sup> | Agentless/Agent-based | Pricing tier |

+| Compliance | Docker CIS | GCP VMs | Preview | - | Log Analytics agent | Defender for Servers Plan 2 |

+| Hardening | Kubernetes data plane recommendations | GKE | Preview | - | Azure Policy extension | Defender for Containers |

+| Runtime protection| Threat detection (workload) | GKE | Preview | - | Defender extension | Defender for Containers |

+| Discovery and provisioning | Discovery of unprotected clusters | GKE | Preview | - | Agentless | Free |

+| Discovery and provisioning | Auto provisioning of Defender extension | GKE | Preview | - | Agentless | Defender for Containers |

+| Discovery and provisioning | Auto provisioning of Azure policy extension | GKE | Preview | - | Agentless | Defender for Containers |

+| Domain | Feature | Supported Resources | Linux release state <sup>[1](#footnote1)</sup> | Windows release state <sup>[1](#footnote1)</sup> | Agentless/Agent-based | Pricing tier |

+| Compliance | Docker CIS | Arc enabled VMs | Preview | - | Log Analytics agent | Defender for Servers Plan 2 |

+| Vulnerability Assessment | View vulnerabilities for running images | Arc enabled K8s clusters | Preview | - | Defender extension | Defender for Containers |

+| Hardening | Kubernetes data plane recommendations | Arc enabled K8s clusters | Preview | - | Azure Policy extension | Defender for Containers |

+| Runtime protection| Threat detection (workload) | Arc enabled K8s clusters | Preview | - | Defender extension | Defender for Containers |

+| Discovery and provisioning | Discovery of unprotected clusters | Arc enabled K8s clusters | Preview | - | Agentless | Free |

+| Discovery and provisioning | Auto provisioning of Azure policy extension | Arc enabled K8s clusters | Preview | - | Agentless | Defender for Containers |

+<sup><a name="footnote2"></a>2</sup>To get [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md) protection for you should onboard to [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and enable Defender for Containers as an Arc extension.

+ Title: Azure Digital Twins Explorer (preview)

+description: Learn about the capabilities and purpose of Azure Digital Twins Explorer (preview) and when it can be a useful tool for visualizing digital models, twins, and graphs.

+This article contains information about the Azure Digital Twins Explorer, including its use cases and an overview of its features. For detailed steps on using each feature, see [Use Azure Digital Twins Explorer (preview)](how-to-use-azure-digital-twins-explorer.md).

+ >To resolve, either run `az login` in Cloud Shell prior to running the command, or use the [local CLI](/cli/azure/install-azure-cli) instead of Cloud Shell. For more detail on this, see [Azure Digital Twins known issues](troubleshoot-known-issues.md#400-client-error-bad-request-in-cloud-shell).

+ Title: Use Azure Digital Twins Explorer (preview)

+description: Learn how to use all the features of Azure Digital Twins Explorer (preview)

+[Azure Digital Twins Explorer (preview)](concepts-azure-digital-twins-explorer.md) is a tool for visualizing and working with Azure Digital Twins. This article describes the features of Azure Digital Twins Explorer, and how to use them to manage the data in your Azure Digital Twins instance. You can interact with the Azure Digital Twins Explorer using clicks or [keyboard shortcuts](#accessibility-and-advanced-settings).

+# Azure Digital Twins known issues

+You don't need to change any DNS client settings on your virtual machines (VMs) to use the Azure DNS Private Resolver.

+This scenario is shown below. We have a virtual network named "A" containing two VMs (VNETA-VM1 and VNETA-VM2). Each VM has a private IP associated. Once you've created a private zone, for example, `contoso.com`, and link virtual network "A" as a registration virtual network, Azure DNS will automatically create two A records in the zone referencing the two VMs. DNS queries from VNETA-VM1 can now resolve `VNETA-VM2.contoso.com` and will receive a DNS response that contains the private IP address of VNETA-VM2.

+## Quotas and limits

+There's a limit on the number of IP firewall rules and private endpoint connections per topic or domain. See [Event Grid quotas and limits](quotas-limits.md).

+| **Paris2** | [Equinix](https://www.equinix.com/data-centers/europe-colocation/france-colocation/paris-data-centers/pa4) | 1 | France Central | Supported | Equinix |

+| **Tokyo** | [Equinix TY4](https://www.equinix.com/locations/asia-colocation/japan-colocation/tokyo-data-centers/ty4/) | 2 | Japan East | Supported | Aryaka Networks, AT&T NetBond, BBIX, British Telecom, CenturyLink Cloud Connect, Colt, Equinix, Intercloud, Internet Initiative Japan Inc. - IIJ, Megaport, NTT Communications, NTT EAST, Orange, Softbank, Telehouse - KDDI, Verizon </br></br> |

+| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** |Supported |Supported | Amsterdam, Amsterdam2, Atlanta, Berlin, Bogota, Canberra2, Chicago, Dallas, Dubai2, Dublin, Frankfurt, Frankfurt2, Geneva, Hong Kong SAR, London, London2, Los Angeles*, Los Angeles2, Melbourne, Miami, Milan, New York, Osaka, Paris, Paris2, Quebec City, Rio de Janeiro, Sao Paulo, Seattle, Seoul, Silicon Valley, Singapore, Singapore2, Stockholm, Sydney, Tokyo, Toronto, Washington DC, Zurich</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Please create new circuits in Los Angeles2.* |

+ Title: 'Quickstart: Secure virtual hub using Azure Firewall Manager - Bicep'

+description: In this quickstart, you learn how to secure your virtual hub using Azure Firewall Manager and Bicep.

+# Quickstart: Secure your virtual hub using Azure Firewall Manager - Bicep

+In this quickstart, you use Bicep to secure your virtual hub using Azure Firewall Manager. The deployed firewall has an application rule that allows connections to `www.microsoft.com` . Two Windows Server 2019 virtual machines are deployed to test the firewall. One jump server is used to connect to the workload server. From the workload server, you can only connect to `www.microsoft.com`.

+For more information about Azure Firewall Manager, see [What is Azure Firewall Manager?](overview.md).

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Review the Bicep file

+This Bicep file creates a secured virtual hub using Azure Firewall Manager, along with the necessary resources to support the scenario.

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/fwm-docs-qs/).

+Multiple Azure resources are defined in the Bicep file:

+- [**Microsoft.Network/virtualWans**](/azure/templates/microsoft.network/virtualWans)

+- [**Microsoft.Network/virtualHubs**](/azure/templates/microsoft.network/virtualHubs)

+- [**Microsoft.Network/firewallPolicies**](/azure/templates/microsoft.network/firewallPolicies)

+- [**Microsoft.Network/azureFirewalls**](/azure/templates/microsoft.network/azureFirewalls)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks)

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines)

+- [**Microsoft.Storage/storageAccounts**](/azure/templates/microsoft.storage/storageAccounts)

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces)

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses)

+- [**Microsoft.Network/routeTables**](/azure/templates/microsoft.network/routeTables)

+## Deploy the Bicep file

+1. Save the Bicep file as `main.bicep` to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminUsername=<admin-user>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -adminUsername "<admin-user>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<admin-user\>** with the administrator login username for the servers. You'll be prompted to enter **adminPassword**.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Validate the deployment

+Use Azure CLI or Azure PowerShell to review the deployed resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+Now, test the firewall rules to confirm that it works as expected.

+1. From the Azure portal, review the network settings for the **Workload-Srv** virtual machine and note the private IP address.

+2. Connect a remote desktop to **Jump-Srv** virtual machine, and sign in. From there, open a remote desktop connection to the **Workload-Srv** private IP address.

+3. Open Internet Explorer and browse to `www.microsoft.com`.

+4. Select **OK** > **Close** on the Internet Explorer security alerts.

+ You should see the Microsoft home page.

+5. Browse to `www.google.com`.

+ You should be blocked by the firewall.

+Now you've verified that the firewall rules are working, you can browse to the one allowed FQDN, but not to any others.

+## Clean up resources

+When you no longer need the resources that you created with the firewall, use Azure portal, Azure CLI, or Azure PowerShell to delete the resource group. This removes the firewall and all the related resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Learn about security partner providers](trusted-security-partners.md)

+| `url_path` | Identifies the specific resource in the host that the web client wants to access. This is the part of the request URI without the arguments.<br />For example, in the request `http://contoso.com:8080/article.aspx?id=123&title=fabrikam`, the `url_path` value will be `/article.aspx`.<br/> To access this server variable in a match condition, use [Request path](rules-match-conditions.md?toc=%2fazure%2ffrontdoor%2fstandard-premium%2ftoc.json#request-path).|

+az eventgrid system-topic create --name PolicyStateChanges --location global --topic-type Microsoft.PolicyInsights.PolicyStates --source "/subscriptions/<subscriptionID>" --resource-group "<resource_group_name>"

+```

+If your Event Grid system topic will be applied to the management group scope, then the Azure CLI `--source` parameter syntax is a bit different. Here's an example:

+```azurecli-interactive

+az eventgrid system-topic create --name PolicyStateChanges --location global --topic-type Microsoft.PolicyInsights.PolicyStates --source "/tenants/<tenantID>/providers/Microsoft.Management/managementGroups/<management_group_name>" --resource-group "<resource_group_name>"

+hold the Event Grid topic:

+az policy assignment create --name 'requiredtags-events' --display-name 'Require tag on RG' --scope '<ResourceGroupScope>' --policy '<policy definition ID>' --params '{ \"tagName\": { \"value\": \"EventTest\" } }'

+Read the next article in this series: [Storage best practices for on-premises to Azure HDInsight Hadoop migration](apache-hadoop-on-premises-migration-best-practices-storage.md).

+* [HDInsight with Express Route](../connect-on-premises-network.md)

+* If you need more help, you can submit a support request from the [Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade/). Select **Support** from the menu bar or open the **Help + support** hub. For more detailed information, review [How to create an Azure support request](../../azure-portal/supportability/how-to-create-azure-support-request.md). Access to Subscription Management and billing support is included with your Microsoft Azure subscription, and Technical Support is provided through one of the [Azure Support Plans](https://azure.microsoft.com/support/plans/).

+> [!NOTE]

+To ensure that your MedTech service works properly, it must have granted access permissions to the Azure Event Hubs and FHIR service. The Azure Event Hubs Data Receiver role allows the MedTech service that's being assigned this role to receive data from this event hub. For more information about application roles, see [Authentication & Authorization for Azure Health Data Services](./../healthcare-apis/authentication-authorization.md)

+- Create a new event hub or use an existing one

+- Assign roles to allow the MedTech service to access [Event Hubs](./../healthcare-apis/iot/deploy-iot-connector-in-azure.md#granting-the-medtech-service-access) and [FHIR service](./../healthcare-apis/iot/deploy-iot-connector-in-azure.md#accessing-the-medtech-service-from-the-fhir-service)

+- Send data to the event hub, which is associated with the MedTech service

+ Title: Deploy the MedTech service in the Azure portal - Azure Health Data Services

+description: In this article, you'll learn how to deploy the MedTech service in the Azure portal.

+# Deploy the MedTech service in the Azure portal

+If you already have an active Azure account, you can use this [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.healthcareapis%2Fworkspaces%2Fiotconnectors%2Fazuredeploy.json) button to deploy a MedTech service that will include the following resources and permissions:

+ * An Azure Event Hubs Namespace and device message event hub (the event hub is named: **devicedata**).

+ * An Azure event hub sender role (the sender role is named: **devicedatasender**).

+ * An Azure Health Data Services workspace.

+ * An Azure Health Data Services FHIR service.

+ * An Azure Health Data Services MedTech service including the necessary system managed identity permissions to the device message event hub and FHIR service.

+When the Azure portal launches, the following fields must be filled out:

+ * **Subscription** - Choose the Azure subscription you would like to use for the deployment.

+ * **Resource Group** - Choose an existing Resource Group or create a new Resource Group.

+ * **Region** - The Azure region of the Resource Group used for the deployment. This field will auto-fill based on the Resource Group region.

+ * **Basename** - Will be used to append the name the Azure services to be deployed.

+ * **Location** - Use the drop-down list to select a supported Azure region for the Azure Health Data Services (could be the same or different region than your Resource Group).

+Leave the **Device Mapping** and **Destination Mapping** fields with their default values.

+Select the **Review + create** button once the fields are filled out.

+After the validation has passed, select the **Create** button to begin the deployment.

+After a successful deployment, there will be remaining configurations that will need to be completed by you for a fully functional MedTech service:

+ * Provide a working device mapping file. For more information, see [How to use device mappings](how-to-use-device-mappings.md).

+ * Provide a working destination mapping file. For more information, see [How to use FHIR destination mappings](how-to-use-fhir-mappings.md).

+ * Use the Shared access policies (SAS) key (**devicedatasender**) for connecting your device or application to the MedTech service device message event hub (**devicedata**). For more information, see [Connection string for a specific event hub in a namespace](../../event-hubs/event-hubs-get-connection-string.md#connection-string-for-a-specific-event-hub-in-a-namespace).

+## Deploy the MedTech service

+## Configure the MedTech service to ingest data

+## Configure the Device mapping properties

+## Configure the FHIR destination mapping properties

+## Granting the MedTech service access

+ For more information about assigning roles to the FHIR service, see [Configure Azure Role-based Access Control (RBAC)](.././configure-azure-rbac.md).

+In this article, you've learned how to deploy a MedTech service in the Azure portal. To learn more about the device and FHIR destination mapping files for the MedTech service, see

+>[How to use Device mappings](how-to-use-device-mappings.md)

+>

+>[How to use FHIR destination mappings](how-to-use-fhir-mappings.md)

+FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+## Create the FHIR service and an event hub

+The MedTech service works with Azure Event Hubs and the FHIR service. You can create a new [FHIR service](../fhir/get-started-with-fhir.md) or use an existing one in the same or different workspace. Similarly, you can create a new [Event Hub](../../event-hubs/event-hubs-create.md) or use an existing one.

+## Assign roles to allow MedTech service to access Event Hubs

+By design, the MedTech service retrieves data from the specified event hub using the system-managed identity. For more information on how to assign the role to the MedTech service from [Event Hubs](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md#granting-the-medtech-service-access).

+You can send data to the event hub, which is associated with the MedTech service. If you don't see any data in the FHIR service, check the mappings and role assignments for the MedTech service.

+ 1. Create or open the `du-config.json` file for editing by using:

+ * [Azure Functions Core Tools - 3.x version](https://github.com/Azure/azure-functions-core-tools/releases/tag/3.0.4585) by using the Microsoft Installer (MSI) version, which is `func-cli-X.X.XXXX-x*.msi`. Don't install the 4.x version, which isn't supported and won't work.

+These sub resources are the main resources that are made in the AzureML workspace.

+* VMs: provide computing power for your AzureML workspace and are an integral part in deploying and training models.

+## Use Azure AD security groups to manage workspace access

+You can use Azure AD security groups to manage their access to workspace. This approach has following benefits:

+ * Team or project leaders can manage user access to workspace as security group owners, without needing Owner role on the workspace resource directly.

+ * You can organize, manage and revoke users' permissions on workspace and other resources as a group, without having to manage permissions on user-by-user basis.

+ * Using Azure AD groups helps you to avoid reaching the [subscription limit](https://docs.microsoft.com/azure/role-based-access-control/troubleshooting#azure-role-assignments-limit) on role assignments.

+To use Azure AD security groups:

+ 1. [Create a security group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal).

+ 2. [Add a group owner](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-accessmanagement-managing-group-owners). This user has permissions to add or remove group members. Note that the group owner is not required to be group member, or have direct RBAC role on the workspace.

+ 3. Assign the group an RBAC role on the workspace, such as AzureML Data Scientist, Reader or Contributor.

+ 4. [Add group members](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal). The members consequently gain access to the workspace.

+ # Enter details of your AzureML workspace

+ workspace = "<AZUREML_WORKSPACE_NAME>"

+Remove any existing installation of the of `ml` extension and also the CLI v1 `azure-cli-ml` extension:

+If the cluster was created with Databricks Runtime 7.3 LTS (*not* ML), run the following command in the first cell of your notebook to install the AzureML SDK.

+- If you need a **Standard Load Balancer(SLB)** deployed in your cluster instead of a Basic Load Balancer(BLB), create a cluster in the AKS portal/CLI/SDK and then **attach** it to the AzureML workspace.

+ The AzureML control plane does not talk to this Public IP. It talks to the AKS control plane for deployments.

+- If you **attach** an AKS cluster, which has an [Authorized IP range enabled to access the API server](../aks/api-server-authorized-ip-ranges.md), enable the AzureML control plane IP ranges for the AKS cluster. The AzureML control plane is deployed across paired regions and deploys inference pods on the AKS cluster. Without access to the API server, the inference pods cannot be deployed. Use the [IP ranges](https://www.microsoft.com/download/confirmation.aspx?id=56519) for both the [paired regions](../availability-zones/cross-region-replication-azure.md) when enabling the IP ranges in an AKS cluster.

+After defining the training function successfully, you can use @command_component in Azure Machine Learning SDK v2 to wrap your function as a component, which can be used in AzureML pipelines.

+> * [v2 (current version)](how-to-create-register-data-assets.md)

+- [Read data in a job](how-to-read-write-data-v2.md#read-data-in-a-job)

+adlsgen2_datastore_name = '<ADLS gen2 storage account alias>' #set ADLS Gen2 storage account alias in AzureML

+# retrieve data via AzureML datastore

+ help=f'Defines how much time the AzureML compute target '

+ help=f'Defines how much time the AzureML compute target '

+ # enter details of your AzureML workspace

+ workspace = "<AZUREML_WORKSPACE_NAME>"

+# things such as dependencies and AzureML components.

+The following example is how you download and load a model in-memory that was trained in AzureML compute with `ScriptRunConfig`. This code can run in the same notebook you used the Azure ML SDK `ScriptRunConfig`.

+ # enter details of your AzureML workspace

+ workspace = "<AZUREML_WORKSPACE_NAME>"

+**For AKS deployment**, you can enable TLS termination when you [create or attach an AKS cluster](how-to-create-attach-kubernetes.md) in AzureML workspace. At AKS model deployment time, you can disable TLS termination with deployment configuration object, otherwise all AKS model deployment by default will have TLS termination enabled at AKS cluster create or attach time.

+When you [create or attach an AKS cluster](how-to-create-attach-kubernetes.md) in AzureML workspace, you can enable TLS termination with **[AksCompute.provisioning_configuration()](/python/api/azureml-core/azureml.core.compute.akscompute#provisioning-configuration-agent-count-none--vm-size-none--ssl-cname-none--ssl-cert-pem-file-none--ssl-key-pem-file-none--location-none--vnet-resourcegroup-name-none--vnet-name-none--subnet-name-none--service-cidr-none--dns-service-ip-none--docker-bridge-cidr-none--cluster-purpose-none--load-balancer-type-none--load-balancer-subnet-none-)** and **[AksCompute.attach_configuration()](/python/api/azureml-core/azureml.core.compute.akscompute#attach-configuration-resource-group-none--cluster-name-none--resource-id-none--cluster-purpose-none-)** configuration objects. Both methods return a configuration object that has an **enable_ssl** method, and you can use **enable_ssl** method to enable TLS.

+ Title: Track, monitor, and analyze jobs in studio

+description: Learn how to start, monitor, and track your machine learning experiment jobs with the Azure Machine Learning studio.

+# Start, monitor, and track job history in studio

+You can use [Azure Machine Learning studio](https://ml.azure.com) to monitor, organize, and track your jobs for training and experimentation. Your ML job history is an important part of an explainable and repeatable ML development process.

+* Add job display name.

+* Add a job description.

+* Tag and find jobs.

+* Run search over your job history.

+* Cancel or fail jobs.

+* Monitor the job status by email notification.

+> * If you're looking for information on using the Azure Machine Learning SDK v1 or CLI v1, see [How to track, monitor, and analyze jobs (v1)](./v1/how-to-track-monitor-analyze-runs.md).

+> * If you're looking for information on monitoring training jobs from the CLI or SDK v2, see [Track experiments with MLflow and CLI v2](how-to-use-mlflow-cli-runs.md).

+## Job display name

+The job display name is an optional and customizable name that you can provide for your job. To edit the job display name:

+1. Navigate to the **Jobs** list.

+1. Select the job to edit.

+ :::image type="content" source="media/how-to-track-monitor-analyze-runs/select-job.png" alt-text="Screenshot of Jobs list.":::

+1. Select the **Edit** button to edit the job display name.

+ :::image type="content" source="media/how-to-track-monitor-analyze-runs/display-name.gif" alt-text="Screenshot of how to edit the display name.":::

+To view your jobs in the studio:

+1. Navigate to the **Jobs** tab.

+1. Select either **All experiments** to view all the jobs in an experiment or select **All jobs** to view all the jobs submitted in the Workspace.

+In the **All jobs'** page, you can filter the jobs list by tags, experiments, compute target and more to better organize and scope your work.

+1. Make customizations to the page by selecting jobs to compare, adding charts or applying filters. These changes can be saved as a **Custom View** so you can easily return to your work. Users with workspace permissions can edit, or view the custom view. Also, share the custom view with team members for enhanced collaboration by selecting **Share view**.

+1. To view the job logs, select a specific job and in the **Outputs + logs** tab, you can find diagnostic and error logs for your job.

+ :::image type="content" source="media/how-to-track-monitor-analyze-runs/custom-views-2.gif" alt-text="Screenshot of how to create a custom view.":::

+## Job description

+A job description can be added to a job to provide more context and information to the job. You can also search on these descriptions from the jobs list and add the job description as a column in the jobs list.

+Navigate to the **Job Details** page for your job and select the edit or pencil icon to add, edit, or delete descriptions for your job. To persist the changes to the jobs list, save the changes to your existing Custom View or a new Custom View. Markdown format is supported for job descriptions, which allows images to be embedded and deep linking as shown below.

+## Tag and find jobs

+In Azure Machine Learning, you can use properties and tags to help organize and query your jobs for important information.

+ You can add, edit, or delete job tags from the studio. Navigate to the **Job Details** page for your job and select the edit, or pencil icon to add, edit, or delete tags for your jobs. You can also search and filter on these tags from the jobs list page.

+ :::image type="content" source="media/how-to-track-monitor-analyze-runs/run-tags.gif" alt-text="Screenshot of how to add, edit, or delete job tags.":::

+ You can query jobs within an experiment to return a list of jobs that match specific properties and tags.

+ To search for specific jobs, navigate to the **All jobs** list. From there you have two options:

+ 1. Use the **Add filter** button and select filter on tags to filter your jobs by tag that was assigned to the job(s). <br><br>

+ 1. Use the search bar to quickly find jobs by searching on the job metadata like the job status, descriptions, experiment names, and submitter name.

+## Cancel or fail jobs

+If you notice a mistake or if your job is taking too long to finish, you can cancel the job.

+To cancel a job in the studio, using the following steps:

+1. Go to the running pipeline in either the **Jobs** or **Pipelines** section.

+1. Select the pipeline job number you want to cancel.

+## Monitor the job status by email notification

+* For more information about managing jobs with the Azure Machine Learning SDK, see the [manage jobs notebook](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/track-and-monitor-experiments/manage-runs/manage-runs.ipynb).

+* To learn how to log metrics for your experiments, see [Log metrics during training jobs](how-to-log-view-metrics.md).

+#Enter details of your AzureML workspace

+workspace = '<AZUREML_WORKSPACE_NAME>'

+ Min / Max nodes| To profile data, you must specify 1 or more nodes. Enter the maximum number of nodes for your compute. The default is 6 nodes for an AzureML Compute.

+After that, the code checks if the AzureML compute target `'cpu-cluster'` already exists. If not, we specify that we want a small CPU-based compute target. If you plan to use automated ML's deep learning features (for instance, text featurization with DNN support) you should choose a compute with strong GPU support, as described in [GPU optimized virtual machine sizes](../virtual-machines/sizes-gpu.md).

+ # enter details of your AzureML workspace

+ workspace = "<AZUREML_WORKSPACE_NAME>"

+ You can specify AzureML registered datastore or if your data is publicly available, specify the public path.

+# [Using the Azure ML SDK v2](#tab/azuremlsdk)

+#Enter details of your AzureML workspace

+workspace = '<AZUREML_WORKSPACE_NAME>'

+| AmlProjectId | The unique identifier of the AzureML project. |

+| AmlProjectName | The name of the AzureML project. |

+| AmlWorkspaceId | A GUID and unique ID of the AzureML workspace. |

+| AmlDatasetId | The ID of the AzureML Data Set. |

+| AmlDatasetName | The name of the AzureML Data Set. |

+| AmlWorkspaceId | A GUID and unique ID of the AzureML workspace. |

+| AmlDatastoreName | The name of the AzureML Data Store. |

+| AmlServiceName | The name of the AzureML Service. |

+| AmlServiceName | The name of the AzureML Service. |

+| AmlModelName | The name of the AzureML Model. |

+| AmlWorkspaceId | A GUID and unique ID of the AzureML workspace. |

+| AmlWorkspaceId | The name of the AzureML workspace. |

+| AmlModelName | The name of the AzureML Model. |

+| AmlPipelineId | The ID of the AzureML pipeline. |

+| AmlParentPipelineId | The ID of the parent AzureML pipeline (in the case of cloning). |

+| AmlPipelineDraftId | The ID of the AzureML pipeline draft. |

+| AmlPipelineDraftName | The name of the AzureML pipeline draft. |

+| AmlPipelineEndpointId | The ID of the AzureML pipeline endpoint. |

+| AmlPipelineEndpointName | The name of the AzureML pipeline endpoint. |

+| AmlWorkspaceId | A GUID and unique ID of the AzureML workspace. |

+| AmlEnvironmentName | The name of the AzureML environment configuration. |

+| AmlEnvironmentVersion | The name of the AzureML environment configuration version. |

+| `image_url` | Image location in AzureML datastore<br>`Required, String` | `"AmlDatastore://data_directory/Image_01.jpg"` |

+| `image_url` | Image location in AzureML datastore<br>`Required, String` | `"AmlDatastore://data_directory/Image_01.jpg"` |

+| `image_url` | Image location in AzureML datastore<br>`Required, String` | `"AmlDatastore://data_directory/Image_01.jpg"` |

+| `image_url` | Image location in AzureML datastore<br>`Required, String` | `"AmlDatastore://data_directory/Image_01.jpg"` |

+* Azure Machine Learning compute instances preview is not supported in a workspace where Private Endpoint is enabled for now, but CI will be supported in the next deployment for the service expansion to all AzureML regions.

+ > If you are using hybrid cluster as a method of migrating historic data into the new Azure Managed Instance Cassandra data centers, ensure that you disable automatic repairs:

+ > ```azurecli-interactive

+ > az managed-cassandra cluster update --cluster-name --resource-group--repair-enabled false

+ > ```

+ > Then run `nodetool repair --full` on all the nodes in your existing cluster's data center. You should run this only after all of the above steps have been taken. This should ensure that all historical data is replicated to your new data centers in Azure Managed Instance for Apache Cassandra. If you have a very large amount of data in your existing cluster, it may be necessary to run the repairs at the keyspace or even table level - see [here](https://cassandra.apache.org/doc/latest/cassandra/operating/repair.html) for more details on running repairs in Cassandra. Prior to changing the replication settings, you should also make sure that any application code that connects to your existing Cassandra cluster is using LOCAL_QUORUM. You should leave it at this setting during the migration (it can be switched back afterwards if required). After everyhting is done and the old datacenter decommissioned you can enable automatic repair again).

+ > [!NOTE]

+ > To speed up repairs we advise (if system load permits it) to increase both stream throughput and compaction throughput as in the example below:

+ >```azure-cli

+ > az managed-cassandra cluster invoke-command --resource-group $resourceGroupName --cluster-name $clusterName --host $host --command-name nodetool --arguments "setstreamthroughput"="" "7000"=""

+ >

+ > az managed-cassandra cluster invoke-command --resource-group $resourceGroupName --cluster-name $clusterName --host $host --command-name nodetool --arguments "setcompactionthroughput"="" "960"=""

+ >```

+1. In the **Principal ID** box, provide the Azure AD object ID of the user, group, or application that you want to be granted permission to the managed resource group. Select a user from the list at the [Azure Active Directory users blade](https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers) and copy the Object ID value of that user.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate** link.

+1. Select **Connect**.

+ For more information, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+1. Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

+When a customer activates a test drive, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the offer to your customer relationship management (CRM) system to manage leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate** link.

+1. Select **Connect**.

+ For more information, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+1. Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+1. In Partner Center, go to the **Offer setup** tab.

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination from the list.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+1. To validate the configuration you provided, select the **Validate link**.

+1. When youΓÇÖve configured the connection details, select **Connect**.

+1. Select **Save draft**.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination from the list.

+1. To validate the configuration you provided, select the **Validate link**.

+1. When youΓÇÖve configured the connection details, select **Connect**.

+1. Select **Save draft**.

+ After you submit your offer for publication in Partner Center, we'll validate the connection and send you a test lead. While you preview the offer before it goes live, test your lead connection by trying to purchase the offer yourself in the preview environment.

+ > [!TIP]

+ > Make sure the connection to the lead destination stays updated so you don't lose any leads.

+1. Select **Save draft** before continuing to the next tab, **Properties**.

+### Configure the connection details in Partner Center

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. In Partner Center, go to the **Offer setup** tab.

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination from the list.

+4. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate link**.

+1. When youΓÇÖve configured the connection details, select **Connect**.

+1. Select **Save draft**.

+1. Select **Save draft** before continuing to the next tab, **Properties**.

+- **Contact me** ΓÇô Collect customer contact information in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. You can also connect your customer relationship management (CRM) system to manage leads there.

+ > [!NOTE]

+ > Connecting to a CRM system is optional. For more information about configuring your CRM, see [Customer leads](#customer-leads).

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate** link.

+1. Select **Connect**.

+ For more information, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+1. Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

+ - **Contact me** ΓÇô Collect customer contact information in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. You can also connect your customer relationship management (CRM) system to manage leads there.

+ > [!NOTE]

+ > Connecting to a CRM system is optional. For more information about configuring your CRM, see [Customer leads](#customer-leads).

+To enable a test drive, select the **Enable a test drive** check box and select the **Type of test drive**. You will configure the test drive later. To remove test drive from your offer, clear this check box.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate** link.

+1. Select **Connect**.

+ For more information, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+1. Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

+To enable a test drive, select the **Enable a test drive** check box and select the **Type of test drive**. You will configure the test drive later. To remove test drive from your offer, clear this check box.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate** link.

+1. Select **Connect**.

+ For more information, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+1. Select **Save draft** before continuing to the next tab in the left-nav menu.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate** link.

+1. Select **Connect**.

+ For more information, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+1. Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

+| Azure Virtual Machine | Monthly¹ | No | Usage-based, BYOL |

+| Dynamics 365 apps on Dataverse and Power Apps² | Monthly and annual | No | Per user |

+¹ Azure Virtual Machine offers support usage-based billing plans. These plans are billed monthly for hourly use of the subscription based on per core, per core size, or per market and core size usage.

+² Dynamics 365 apps on Dataverse and Power Apps offers that you transact through Microsoft are automatically enabled for license management. See [ISV app license management](isv-app-license.md).

+- **Dynamics 365 Dataverse apps and Power Apps**: Select ΓÇ£Per userΓÇ¥ pricing to enable Dynamics 365 Dataverse apps and Power Apps to be sold in AppSource marketplace. Customers can manage licenses of these offers in Microsoft Admin Center.

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+## Customer leads

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+ "id": "<guid>",

+ "activityId": "<guid>",

+ "publisherId": "XXX",

+ "offerId": "YYY",

+ "planId": "plan1",

+ "quantity": 100,

+ "subscriptionId": "<guid>",

+ "timeStamp": "2022-02-14T20:26:05.1419317Z",

+ "action": "ChangeQuantity",

+ "status": "InProgress",

+ "operationRequestSource": "Partner",

+ "subscription":

+ {

+ "id": "<guid>",

+ "name": "Test",

+ "publisherId": "XXX",

+ "offerId": "YYY",

+ "planId": "plan1",

+ "quantity": 10,

+ "beneficiary":

+ {

+ "emailId": "XX@gmail.com",

+ "objectId": "<guid>",

+ "tenantId": "<guid>",

+ "puid": "1234567890",

+ },

+ "purchaser":

+ {

+ "emailId": "XX@gmail.com",

+ "objectId": "<guid>",

+ "tenantId": "<guid>",

+ "puid": "1234567890",

+ },

+ "allowedCustomerOperations": ["Delete", "Update", "Read"],

+ "sessionMode": "None",

+ "isFreeTrial": false,

+ "isTest": false,

+ "sandboxType": "None",

+ "saasSubscriptionStatus": "Subscribed",

+ "term":

+ {

+ "startDate": "2022-02-10T00:00:00Z",

+ "endDate": "2022-03-12T00:00:00Z",

+ "termUnit": "P1M",

+ "chargeDuration": null,

+ },

+ "autoRenew": true,

+ "created": "2022-01-10T23:15:03.365988Z",

+ "lastModified": "2022-02-14T20:26:04.5632549Z",

+ },

+ "purchaseToken": null,

+}

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+The commercial marketplace will collect leads with customer information so you can access them in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center. Leads will include information such as customer details along with the offer name, ID, and online store where the customer found your offer.

+You can also choose to connect your CRM system to your offer. The commercial marketplace supports Dynamics 365, Marketo, and Salesforce, along with the option to use an Azure table or configure an HTTPS endpoint using Power Automate. For detailed guidance, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. In Partner Center, go to the **Offer setup** tab.

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination from the list.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate link**.

+1. When youΓÇÖve configured the connection details, select **Connect**.

+ For more information, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+1. Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

+When a customer expresses interest or deploys your product, youΓÇÖll receive a lead in the [Referrals workspace](https://partner.microsoft.com/dashboard/referrals/v2/leads) in Partner Center.

+You can also connect the product to your customer relationship management (CRM) system to handle leads there.

+> [!NOTE]

+> Connecting to a CRM system is optional.

+To configure the lead management in Partner Center:

+1. In Partner Center, go to the **Offer setup** tab.

+1. Under **Customer leads**, select the **Connect** link.

+1. In the **Connection details** dialog box, select a lead destination from the list.

+1. Complete the fields that appear. For detailed steps, see the following articles:

+ - [Configure your offer to send leads to the Azure table](./partner-center-portal/commercial-marketplace-lead-management-instructions-azure-table.md#configure-your-offer-to-send-leads-to-the-azure-table)

+ - [Configure your offer to send leads to Dynamics 365 Customer Engagement](./partner-center-portal/commercial-marketplace-lead-management-instructions-dynamics.md#configure-your-offer-to-send-leads-to-dynamics-365-customer-engagement) (formerly Dynamics CRM Online)

+ - [Configure your offer to send leads to HTTPS endpoint](./partner-center-portal/commercial-marketplace-lead-management-instructions-https.md#configure-your-offer-to-send-leads-to-the-https-endpoint)

+ - [Configure your offer to send leads to Marketo](./partner-center-portal/commercial-marketplace-lead-management-instructions-marketo.md#configure-your-offer-to-send-leads-to-marketo)

+ - [Configure your offer to send leads to Salesforce](./partner-center-portal/commercial-marketplace-lead-management-instructions-salesforce.md#configure-your-offer-to-send-leads-to-salesforce)

+1. To validate the configuration you provided, select the **Validate link**.

+1. When youΓÇÖve configured the connection details, select **Connect**.

+ For more information, see [Customer leads from your commercial marketplace offer](partner-center-portal/commercial-marketplace-get-customer-leads.md).

+1. Select **Save draft** before continuing to the next tab in the left-nav menu, **Properties**.

+## Postgres 14 extensions

+The following extensions are available in Azure Database for PostgreSQL - Flexible Servers which have Postgres version 14.

+> [!div class="mx-tableFixed"]

+> | **Extension**| **Extension version** | **Description** |

+> ||||

+> |[address_standardizer](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 3.1.1 | Used to parse an address into constituent elements. |

+> |[address_standardizer_data_us](http://postgis.net/docs/manual-2.5/Address_Standardizer.html) | 3.1.1 | Address Standardizer US dataset example|

+> |[amcheck](https://www.postgresql.org/docs/13/amcheck.html) | 1.2 | functions for verifying relation integrity|

+> |[bloom](https://www.postgresql.org/docs/13/bloom.html) | 1.0 | bloom access method - signature file based index|

+> |[btree_gin](https://www.postgresql.org/docs/13/btree-gin.html) | 1.3 | support for indexing common datatypes in GIN|

+> |[btree_gist](https://www.postgresql.org/docs/13/btree-gist.html) | 1.5 | support for indexing common datatypes in GiST|

+> |[citext](https://www.postgresql.org/docs/13/citext.html) | 1.6 | data type for case-insensitive character strings|

+> |[cube](https://www.postgresql.org/docs/13/cube.html) | 1.4 | data type for multidimensional cubes|

+> |[dblink](https://www.postgresql.org/docs/13/dblink.html) | 1.2 | connect to other PostgreSQL databases from within a database|

+> |[dict_int](https://www.postgresql.org/docs/13/dict-int.html) | 1.0 | text search dictionary template for integers|

+> |[dict_xsyn](https://www.postgresql.org/docs/13/dict-xsyn.html) | 1.0 | text search dictionary template for extended synonym processing|

+> |[earthdistance](https://www.postgresql.org/docs/13/earthdistance.html) | 1.1 | calculate great-circle distances on the surface of the Earth|

+> |[fuzzystrmatch](https://www.postgresql.org/docs/13/fuzzystrmatch.html) | 1.1 | determine similarities and distance between strings|

+> |[hstore](https://www.postgresql.org/docs/13/hstore.html) | 1.7 | data type for storing sets of (key, value) pairs|

+> |[intagg](https://www.postgresql.org/docs/13/intagg.html) | 1.1 | integer aggregator and enumerator. (Obsolete)|

+> |[intarray](https://www.postgresql.org/docs/13/intarray.html) | 1.3 | functions, operators, and index support for 1-D arrays of integers|

+> |[isn](https://www.postgresql.org/docs/13/isn.html) | 1.2 | data types for international product numbering standards|

+> |[lo](https://www.postgresql.org/docs/13/lo.html) | 1.1 | large object maintenance |

+> |[ltree](https://www.postgresql.org/docs/13/ltree.html) | 1.2 | data type for hierarchical tree-like structures|

+ > |[orafce](https://github.com/orafce/orafce) | 3.1.8 |implements in Postgres some of the functions from the Oracle database that are missing|

+> |[pageinspect](https://www.postgresql.org/docs/13/pageinspect.html) | 1.8 | inspect the contents of database pages at a low level|

+> |[pg_buffercache](https://www.postgresql.org/docs/13/pgbuffercache.html) | 1.3 | examine the shared buffer cache|

+> |[pg_cron](https://github.com/citusdata/pg_cron) | 1.4 | Job scheduler for PostgreSQL|

+> |[pg_freespacemap](https://www.postgresql.org/docs/13/pgfreespacemap.html) | 1.2 | examine the free space map (FSM)|

+> |[pg_partman](https://github.com/pgpartman/pg_partman) | 4.6.1 | Extension to manage partitioned tables by time or ID |

+> |[pg_prewarm](https://www.postgresql.org/docs/13/pgprewarm.html) | 1.2 | prewarm relation data|

+> |[pg_repack](https://github.com/reorg/pg_repack) | 1.4.7 | reorganize tables in PostgreSQL databases with minimal locks|

+> |[pg_stat_statements](https://www.postgresql.org/docs/13/pgstatstatements.html) | 1.8 | track execution statistics of all SQL statements executed|

+> |[pg_trgm](https://www.postgresql.org/docs/13/pgtrgm.html) | 1.5 | text similarity measurement and index searching based on trigrams|

+> |[pg_visibility](https://www.postgresql.org/docs/13/pgvisibility.html) | 1.2 | examine the visibility map (VM) and page-level visibility info|

+> |[pgaudit](https://www.pgaudit.org/) | 1.6.2 | provides auditing functionality|

+> |[pgcrypto](https://www.postgresql.org/docs/13/pgcrypto.html) | 1.3 | cryptographic functions|

+> |[pglogical](https://github.com/2ndQuadrant/pglogical) | 2.3.2 | Logical streaming replication |

+> |[pgrouting](https://pgrouting.org/) | 3.3.0 | geospatial database to provide geospatial routing|

+> |[pgrowlocks](https://www.postgresql.org/docs/13/pgrowlocks.html) | 1.2 | show row-level locking information|

+> |[pgstattuple](https://www.postgresql.org/docs/13/pgstattuple.html) | 1.5 | show tuple-level statistics|

+> |[plpgsql](https://www.postgresql.org/docs/13/plpgsql.html) | 1.0 | PL/pgSQL procedural language|

+> |[plv8](https://plv8.github.io/) | 3.0.0 | Trusted Javascript language extension|

+> |[postgis](https://www.postgis.net/) | 3.2.0 | PostGIS geometry, geography |

+> |[postgis_raster](https://www.postgis.net/) | 3.2.0 | PostGIS raster types and functions|

+> |[postgis_sfcgal](https://www.postgis.net/) | 3.2.0 | PostGIS SFCGAL functions|

+> |[postgis_tiger_geocoder](https://www.postgis.net/) | 3.2.0 | PostGIS tiger geocoder and reverse geocoder|

+> |[postgis_topology](https://postgis.net/docs/Topology.html) | 3.2.0 | PostGIS topology spatial types and functions|

+> |[postgres_fdw](https://www.postgresql.org/docs/13/postgres-fdw.html) | 1.0 | foreign-data wrapper for remote PostgreSQL servers|

+> |[sslinfo](https://www.postgresql.org/docs/13/sslinfo.html) | 1.2 | information about SSL certificates|

+> |[timescaledb](https://github.com/timescale/timescaledb) | 2.5.1 | Open-source relational database for time-series and analytics|

+> |[tsm_system_rows](https://www.postgresql.org/docs/13/tsm-system-rows.html) | 1.0 | TABLESAMPLE method which accepts number of rows as a limit|

+> |[tsm_system_time](https://www.postgresql.org/docs/13/tsm-system-time.html) | 1.0 | TABLESAMPLE method which accepts time in milliseconds as a limit|

+> |[unaccent](https://www.postgresql.org/docs/13/unaccent.html) | 1.1 | text search dictionary that removes accents|

+> |[uuid-ossp](https://www.postgresql.org/docs/13/uuid-ossp.html) | 1.1 | generate universally unique identifiers (UUIDs)|

+## PostgreSQL version 14

+The current minor release is **14.3**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/14/static/release-14-3.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version.

+The current minor release is **13.7**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/13/static/release-13-7.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version.

+The current minor release is **12.11**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/12/static/release-12-11.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version. Your existing servers will be automatically upgraded to the latest supported minor version in your future scheduled maintenance window.

+The current minor release is **11.16**. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/11/static/release-11-16.html) to learn more about improvements and fixes in this release. New servers will be created with this minor version. Your existing servers will be automatically upgraded to the latest supported minor version in your future scheduled maintenance window.

+* Support for [**PostgreSQL version 14**](./concepts-supported-versions.md).

+* Support for [minor versions](./concepts-supported-versions.md) 14.3, 13.7, 12.11, 11.16. ^$

+* Azure Database for PostgreSQL is [**Generally Available**](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/azure-database-for-postgresql-flexible-server-is-now-ga/ba-p/2987030).

+* Hyperscale (Citus)

+| PostgreSQL 14 | | X | X |

+| [PostgreSQL 14](https://www.postgresql.org/about/news/postgresql-14-released-2318/) | [Features](https://www.postgresql.org/docs/14/release-14.html) | October 1, 2021 (Hyperscale Citus) <br> June 29, 2022 (Flexible Server)| November 12, 2026

+You can create private endpoints for various Azure services, such as Azure SQL and Azure Storage.

+- An Azure account with an active subscription. If you don't already have an Azure account, [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An Azure web app with a *PremiumV2-tier* or higher app service plan, deployed in your Azure subscription.

+ - For more information and an example, see [Quickstart: Create an ASP.NET Core web app in Azure](../app-service/quickstart-dotnetcore.md).

+ - The example webapp in this article is named **myWebApp1979**. Replace the example with your webapp name.

+2. In the search box at the top of the portal, enter **Virtual network**. In the search results, select **Virtual networks**.

+3. Select **+ Create** in **Virtual networks**.

+4. In the **Basics** tab of **Create virtual network**, enter or select the following information.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **Create new**. </br> Enter **CreatePrivateEndpointQS-rg** in **Name** and select **OK**. |

+ | **Instance details** | |

+ | Name | Enter **myVNet**. |

+ | Region | Select **West Europe**. |

+5. Select **Next: IP Addresses** or the **IP Addresses** tab.

+6. Select the **IP Addresses** tab or select **Next: IP Addresses** at the bottom of the page.

+7. In the **IP Addresses** tab, enter the following information:

+ | Setting | Value |

+ |--|-|

+ | IPv4 address space | Enter **10.1.0.0/16** |

+8. Under **Subnet name**, select the word **default**. If a subnet isn't present, select **+ Add subnet**.

+9. In **Edit subnet**, enter the following information:

+ | Setting | Value |

+ |--|-|

+ | Subnet name | Enter **mySubnet** |

+ | Subnet address range | Enter **10.1.0.0/24** |

+10. Select **Save** or **Add**.

+11. Select **Next: Security**, or the **Security** tab.

+12. Under **BastionHost**, select **Enable**. Enter the following information:

+ | Setting | Value |

+ |--|-|

+ | Bastion name | Enter **myBastionHost** |

+ | AzureBastionSubnet address space | Enter **10.1.1.0/27** |

+ | Public IP Address | Select **Create new**. </br> For **Name**, enter **myBastionIP**. </br> Select **OK**. |

+13. Select the **Review + create** tab or select the **Review + create** button.

+14. Select **Create**.

+

+ > [!NOTE]

+ > The virtual network and subnet are created immediately. The Bastion host creation is submitted as a job and will complete within 10 minutes. You can proceed to the next steps while the Bastion host is created.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines**.

+2. Select **+ Create** then **Azure virtual machine** in **Virtual machines**.

+3. In the **Basics** tab of **Create a virtual machine**, enter or select the following information.

+ | **Project details** | |

+ | **Instance details** | |

+ | Security type | Select **Standard**. |

+ | **Administrator account** | |

+ | **Inbound port rules** | |

+ | Public inbound ports | Select **None**. |

+4. Select the **Networking** tab.

+5. In the **Networking** tab, enter or select the following information.

+ | **Network interface** | |

+ | Virtual network | Select **myVNet**. |

+ | Subnet | Select **mySubnet (10.1.0.0/24)**. |

+6. Select **Review + create**.

+7. Review the settings, and then select **Create**.

+> [!IMPORTANT]

+> You must have a previously deployed Azure WebApp to proceed with the steps in this article. For more information, see [Prerequisites](#prerequisites) .

+1. In the search box at the top of the portal, enter **Private endpoint**. Select **Private endpoints**.

+2. Select **+ Create** in **Private endpoints**.

+3. In the **Basics** tab of **Create a private endpoint**, enter or select the following information.

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your subscription. |

+ | Resource group | Select **CreatePrivateEndpointQS-rg** |

+ | **Instance details** | |

+ | Name | Enter **myPrivateEndpoint**. |

+ | Network Interface Name | Leave the default of **myPrivateEndpoint-nic**. |

+ | Region | Select **West Europe**. |

+4. Select **Next: Resource**.

+

+5. In the **Resource** pane, enter or select the following information.

+ | Setting | Value |

+ | - | -- |

+ | Connection method | Leave the default of **Connect to an Azure resource in my directory.** |

+ | Subscription | Select your subscription. |

+ | Resource type | Select **Microsoft.Web/sites**. |

+ | Resource | Select **mywebapp1979**. |

+ | Target subresource | Select **sites**. |

+6. Select **Next: Virtual Network**.

+7. In **Virtual Network**, enter or select the following information.

+ | Setting | Value |

+ | - | -- |

+ | **Networking** | |

+ | Virtual network | Select **myVNet**. |

+ | Subnet | Select **myVNet/mySubnet (10.1.0.0/24)**. |

+ | Enable network policies for all private endpoints in this subnet. | Select the checkbox if you plan to apply Application Security Groups or Network Security groups to the subnet that contains the private endpoint. </br> For more information, see [Manage network policies for private endpoints](disable-private-endpoint-network-policy.md) |

+# [**Dynamic IP**](#tab/dynamic-ip)

+| Setting | Value |

+| - | -- |

+| **Private IP configuration** | Select **Dynamically allocate IP address**. |

+# [**Static IP**](#tab/static-ip)

+| Setting | Value |

+| - | -- |

+| **Private IP configuration** | Select **Statically allocate IP address**. |

+| Name | Enter **myIPconfig**. |

+| Private IP | Enter **10.1.0.10**. |

+8. Select **Next: DNS**.

+9. Leave the defaults in **DNS**. Select **Next: Tags**, then **Next: Review + create**.

+10. Select **Create**.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines**.

+2. Select **myVM**.

+3. On the overview page for **myVM**, select **Connect**, and then select **Bastion**.

+4. Enter the username and password that you used when you created the VM.

+5. Select **Connect**.

+6. After you've connected, open PowerShell on the server.

+7. Enter `nslookup mywebapp1979.azurewebsites.net`. You'll receive a message that's similar to the following example:

+ Name: mywebapp1979.privatelink.azurewebsites.net

+ Aliases: mywebapp1979.azurewebsites.net

+ A private IP address of **10.1.0.5** is returned for the web app name if you chose dynamic IP address in the previous steps. This address is in the subnet of the virtual network you created earlier.

+8. In the bastion connection to **myVM**, open the web browser.

+9. Enter the URL of your web app, **https://mywebapp1979.azurewebsites.net**.

+10. Close the connection to **myVM**.

+If you're not going to continue to use this web app, delete the virtual network, virtual machine, and web app by doing the following steps:

+2. Select **CreatePrivateEndpointQS-rg**.

+3. Select **Delete resource group**.

+4. Under **Type the resource group name**, enter **CreatePrivateEndpointQS-rg**.

+5. Select **Delete**.

+## Next steps

+| Azure Container Registry (Microsoft.ContainerRegistry/registries) / registry | privatelink.azurecr.io </br> {region}.privatelink.azurecr.io | azurecr.io </br> {region}.azurecr.io |

+ Title: Pricing guidelines for Data Estate Insights

+description: This article provides a guideline to understand and strategize pricing for the Data Estate Insights components of Microsoft Purview (formerly Azure Purview).

+# Pricing for Data Estate Insights

+> [!IMPORTANT]

+> The option to disable the Data Estate Insights application will only be available July 1st after 9am PST.

+This guide covers pricing guidelines for Data Estate Insights.

+For a full pricing guideline details for Microsoft Purview (formerly Azure Purview), see the [pricing guideline overview.](concept-guidelines-pricing.md)

+For specific price details, see the [Microsoft Purview (formerly Azure Purview) pricing page](https://azure.microsoft.com/pricing/details/purview/). This article will guide you through the features and factors that will affect pricing for Data Estate Insights.

+## Guidelines

+Data Estate Insights is billed on two dimensions:

+- **Report generation** - this incorporates the jobs that aggregate metrics about your Microsoft Purview account that will appear in specific reports.

+ > [!NOTE]

+ > On the [pricing page](https://azure.microsoft.com/pricing/details/purview/), you can find details for report generation pricing under Data Map Enrichment.

+ > :::image type="content" source="media/concept-guidelines-pricing/data-map-enrichment.png" alt-text="Screenshot of the pricing page headers, showing Data Map Enrichment selected." :::

+- **Report consumption** - This incorporates access of the report features (currently served through the UX). On the [pricing page](https://azure.microsoft.com/pricing/details/purview/), you can find details for report generation pricing under Data Estate Insights.

+ :::image type="content" source="media/concept-guidelines-pricing/data-estate-insights.png" alt-text="Screenshot of the pricing page headers, showing Data Estate Insights selected." :::

+> [!IMPORTANT]

+> The Data Estate Insights application is **on** by default when you create a Microsoft Purview account. This means, ΓÇ£StateΓÇ¥ is on and ΓÇ£Refresh FrequencyΓÇ¥ is set to automatic*.

+>

+> \* At this time automatic refresh is weekly.

+If you don't plan on using Data Estate Insights for a while, a **[data curator](catalog-permissions.md#roles) on the [root collection](reference-azure-purview-glossary.md#root-collection)** can disable Data Estate Insights features in one of two ways:

+- [Disable the Data Estate Insights application](#disable-the-data-estate-insights-application) - this will stop billing from both report generation and report consumption.

+- [Disable report refresh](#disable-report-refresh) - [insights readers](catalog-permissions.md#roles) have access to current reports, but reports won't be refreshed. Billing will occur for report consumption but not report generation.

+> [!NOTE]

+> The application or report refresh can be enabled again later at any time.

+A **[data curator](catalog-permissions.md#roles) on your account's [root collection](reference-azure-purview-glossary.md#root-collection)** can make these changes in the Management section of the Microsoft Purview governance portal in **Overview**, under **Feature options**. For specific steps, see the [enable or disable Data Estates Insights article](enable-disable-data-estate-insights.md)

+### Disable the Data Estate Insights application

+Disabling Data Estate Insights will disable the entire application, including these reports:

+- Stewardship

+- Asset

+- Glossary

+- Classification

+- Labeling

+The application icon will still show in the menu, but insights readers won't have access to reports at all, and report generation jobs will be stopped. The Microsoft Purview account won't receive any bill for Data Estate Insights.

+For steps to disable the Data Estate Insights application, see the [disable article.](enable-disable-data-estate-insights.md#disable-the-data-estate-insights-application)

+### Disable report refresh

+You can choose to disable report refreshes instead of disabling the entire Data Estate Insights application.

+When you disable report refreshes, insight readers will be able view reports but they'll see a banner on top of each report, warning that the report may not be current. It will also indicate the date the report was last generated.

+In this case, graphs showing data from last 30 days will appear blank after 30 days. Graphs showing snapshot of the data map will continue to show graph and details. When an [insights readers](catalog-permissions.md#roles) accesses an insight report, report consumption meter will be triggered, and the Microsoft Purview account will be billed.

+For steps to disable report refresh see the [disable article.](enable-disable-data-estate-insights.md#disable-report-refresh)

+## Next steps

+- [Enable or disable Data Estate Insights](enable-disable-data-estate-insights.md)

+- [Microsoft Purview, formerly Azure Purview, pricing page](https://azure.microsoft.com/pricing/details/azure-purview/)

+- [Pricing guideline overview](concept-guidelines-pricing.md)

+- [Pricing guideline Data Map](concept-guidelines-pricing-data-map.md)

+ Title: Pricing guidelines for the Microsoft Purview elastic data map

+description: This article provides a guideline to understand and strategize pricing for the elastic data map in the Microsoft Purview governance portal.

+# Pricing for the Microsoft Purview Data Map

+This guide covers pricing guidelines for the data map in the Microsoft Purview governance portal.

+For a full pricing guideline details for Microsoft Purview (formerly Azure Purview), see the [pricing guideline overview.](concept-guidelines-pricing.md)

+For specific price details, see the [Microsoft Purview (formerly Azure Purview) pricing page](https://azure.microsoft.com/pricing/details/purview/). This article will guide you through the features and factors that will affect pricing for the Microsoft Purview Data Map.

+Direct costs impacting pricing for the Microsoft Purview Data Map are based on the following three dimensions:

+- [**Elastic data map**](#elastic-data-map)

+- [**Automated scanning & classification**](#automated-scanning-classification-and-ingestion)

+- [**Advanced resource sets**](#advanced-resource-sets)

+## Elastic data map

+- The **Data map** is the foundation of the Microsoft Purview governance portal architecture and so needs to be up to date with asset information in the data estate at any given point

+- The data map is charged in terms of **Capacity Unit** (CU). The data map is provisioned at one CU if the catalog is storing up to 10 GB of metadata storage and serves up to 25 data map operations/sec

+- The data map is always provisioned at one CU when an account is first created

+- However, the data map scales automatically between the minimal and maximal limits of that elasticity window, to cater to changes in the data map with respect to two key factors - **operation throughput** and **metadata storage**

+### Operation throughput

+- An event driven factor based on the Create, Read, Update, Delete operations performed on the data map

+- Some examples of the data map operations would be:

+ - Creating an asset in Data Map

+ - Adding a relationship to an asset such as owner, steward, parent, lineage

+ - Editing an asset to add business metadata such as description, glossary term

+ - Keyword-search returning results to search result page

+ - Importing or exporting information using API

+- If there are multiple queries executed on the Data Map, the number of I/O operations also increases resulting in the scaling up of the data map

+- The number of concurrent users also forms a factor governing the data map capacity unit

+- Other factors to consider are type of search query, API interaction, workflows, approvals, and so on

+- Data burst level

+ - When there's a need for more operations/second throughput, the Data map can autoscale within the elasticity window to cater to the changed load

+ - This constitutes the **burst characteristic** that needs to be estimated and planned for

+ - The burst characteristic comprises the **burst level** and the **burst duration** for which the burst exists

+ - The **burst level** is a multiplicative index of the expected consistent elasticity under steady state

+ - The **burst duration** is the percentage of the month that such bursts (in elasticity) are expected because of growing metadata or higher number of operations on the data map

+### Metadata storage

+- If the number of assets reduces in the data estate, and are then removed in the data map through subsequent incremental scans, the storage component automatically reduces and so the data map scales down

+## Automated scanning, classification, and ingestion

+There are two major automated processes that can trigger ingestion of metadata into the Microsoft Purview Data Map:

+- Automatic scans using native [connectors](azure-purview-connector-overview.md). This process includes three main steps:

+ - Metadata scan

+ - Automatic classification

+ - Ingestion of metadata into the Microsoft Purview Data Map

+- Automated ingestion using Azure Data Factory and/or Azure Synapse pipelines. This process includes:

+ - Ingestion of metadata and lineage into the Microsoft Purview Data Map if the account is connected to any Azure Data Factory or Azure Synapse pipelines.

+### Automatic scans using native connectors

+- A **full scan** processes all assets within a selected scope of a data source whereas an **incremental scan** detects and processes assets, which have been created, modified, or deleted since the previous successful scan

+- All scans (full or Incremental scans) will pick up **updated, modified, or deleted** assets

+- It's important to consider and avoid the scenarios when multiple people or groups belonging to different departments set up scans for the same data source resulting in more pricing for duplicate scanning

+- Schedule **frequent incremental scans** post the initial full scan aligned with the changes in the data estate. This will ensure the data map is kept up to date always and the incremental scans consume lesser v-core hours as compared to a full scan

+- The **ΓÇ£View DetailsΓÇ¥** link for a data source will enable users to run a full scan. However, consider running incremental scans after a full scan for optimized scanning excepting when there's a change to the scan rule set (classifications/file types)

+- **Register the data source at a parent collection** and **Scope scans at child collection** with different access controls to ensure there are no duplicate scanning costs being entailed

+- Curtail the users who are allowed to register data sources for scanning through **fine grained access control** and **Data Source Administrator** role using [Collection authorization](./catalog-permissions.md). This will ensure only valid data sources are allowed to be registered and scanning v-core hours is controlled resulting in lower costs for scanning

+- Consider that the **type of data source** and the **number of assets** being scanned affect the scan duration

+- **Create custom scan rule sets** to include only the subset of **file types** available in your data estate and **classifications** that are relevant to your business requirements to ensure optimal use of the scanners

+- While creating a new scan for a data source, follow the **order of preparation** recommended before actually running the scan. This includes gathering the requirements for **business specific classifications** and **file types** (for storage accounts) to enable appropriate scan rule sets to be defined to avoid multiple scans and control unnecessary costs for multiple scans through missed requirements

+- Align your scan schedules with Self-Hosted Integration Runtime (SHIR) VMs (Virtual Machines) size to avoid extra costs linked to virtual machines

+### Automated ingestion using Azure Data Factory and/or Azure Synapse pipelines

+- Metadata and lineage are ingested from Azure Data Factory or Azure Synapse pipelines every time the pipelines run in the source system.

+## Advanced resource sets

+- The Microsoft Purview Data Map uses **resource sets** to address the challenge of mapping large numbers of data assets to a single logical resource by providing the ability to scan all the files in the data lake and find patterns (GUID, localization patterns, etc.) to group them as a single asset in the data map

+- **Advanced Resource Set** is an optional feature, which allows for customers to get enriched resource set information computed such as Total Size, Partition Count, etc., and enables the customization of resource set grouping via pattern rules. If Advanced Resource Set feature isn't enabled, your data catalog will still contain resource set assets, but without the aggregated properties. There will be no "Resource Set" meter billed to the customer in this case.

+- Use the basic resource set feature, before switching on the Advanced Resource Sets in the Microsoft Purview Data Map to verify if requirements are met

+- Consider turning on Advanced Resource Sets if:

+ - Your data lakes schema is constantly changing, and you're looking for more value beyond the basic Resource Set feature to enable the Microsoft Purview Data Map to compute parameters such as #partitions, size of the data estate, etc., as a service

+ - There's a need to customize how resource set assets get grouped.

+- It's important to note that billing for Advanced Resource Sets is based on the compute used by the offline tier to aggregate resource set information and is dependent on the size/number of resource sets in your catalog

+## Next steps

+- [Microsoft Purview, formerly Azure Purview, pricing page](https://azure.microsoft.com/pricing/details/azure-purview/)

+- [Pricing guideline overview](concept-guidelines-pricing.md)

+- [Pricing guideline Data Estate Insights](concept-guidelines-pricing-data-estate-insights.md)

+# Overview of pricing for Microsoft Purview (formerly Azure Purview)

+For specific price details, see the [Microsoft Purview (formerly Azure Purview) pricing page](https://azure.microsoft.com/pricing/details/purview/). This article will guide you through the features and factors that will affect pricing.

+Direct costs impacting Microsoft Purview pricing are based on these applications:

+- [The Microsoft Purview Data Map](concept-guidelines-pricing-data-map.md)

+- [Data Estate Insights](concept-guidelines-pricing-data-estate-insights.md)

+For guidelines about pricing for these applications, select the links above.

+## Indirect costs

+- [Microsoft Purview, formerly Azure Purview, pricing page](https://azure.microsoft.com/pricing/details/azure-purview/)

+- [Pricing guideline Data Estate Insights](concept-guidelines-pricing-data-estate-insights.md)

+- [Pricing guideline Data Map](concept-guidelines-pricing-data-map.md)

+ Title: Disable or enable Data Estate Insights

+description: This article provides the steps to disable or enable Data Estate Insights in the Microsoft Purview governance portal.

+# Disable or enable Data Estate Insights

+> [!IMPORTANT]

+> The option to disable the Data Estate Insights application will only be available July 1st after 9am PST.

+Microsoft Purview Data Estate Insights automatically aggregates metrics and creates reports about your Microsoft Purview account and your data estate. When you scan registered sources and populate your Microsoft Purview Data Map, the Data Estate Insights application automatically extracts valuable governance gaps and highlights them in its top metrics. It also provides drill-down experience that enables all stakeholders, such as data owners and data stewards, to take appropriate action to close the gaps.

+These features are optional and can be enabled or disabled at any time. This article provides the specific steps required to enable or disable Microsoft Purview Data Estate Insights features.

+> [!IMPORTANT]

+> The Data Estate Insights application is **on** by default when you create a Microsoft Purview account. This means, ΓÇ£StateΓÇ¥ is on and ΓÇ£Refresh FrequencyΓÇ¥ is set to automatic*. As the Data Map is populated and curated, Insights App shows data in the reports. The reports are ready for consumption to anyone with Insights Reader role.

+>

+> \* At this time automatic refresh is weekly.

+If you don't plan on using Data Estate Insights for a time, a **[data curator](catalog-permissions.md#roles) on the [root collection](reference-azure-purview-glossary.md#root-collection)** can disable the Data Estate Insights in one of two ways:

+- [Disable the Data Estate Insights application](#disable-the-data-estate-insights-application) - this will stop billing from both report generation and report consumption.

+- [Disable report refresh](#disable-report-refresh) - Insights readers have access to current reports, but reports won't be refreshed. Billing will occur for report consumption but not report generation.

+Steps for both methods, and for re-enablement, are below.

+For more information about billing for Data Estates Insights, see our [pricing guidelines](concept-guidelines-pricing-data-estate-insights.md).

+## Disable the Data Estate Insights application

+> [!NOTE]

+> To be able to disable this application, you will need to have the [data curator role](catalog-permissions.md#roles) on your account's [root collection.](reference-azure-purview-glossary.md#root-collection)

+Disabling Data Estate Insights will disable the entire application, including these reports:

+- Stewardship

+- Asset

+- Glossary

+- Classification

+- Labeling

+The application icon will still show in the menu, but insights readers won't have access to reports at all, and report generation jobs will be stopped. The Microsoft Purview account won't receive any bill for Data Estate Insights.

+To disable the Data Estate Insights application, a user with the [data curator role](catalog-permissions.md#roles) at the [root collection](reference-azure-purview-glossary.md#root-collection) can follow these steps:

+1. In the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/), go to the **Management** section.

+ :::image type="content" source="media/enable-disable-data-estate-insights/locate-management.png" alt-text="Screenshot of the Microsoft Purview governance portal left menu, with the Management section highlighted and overview shown selected in the next menu." :::

+1. Then select **Overview**.

+1. In the **Feature options** menu, locate Data Estate Insights, and select the **State** toggle to change it to **Off**.

+ :::image type="content" source="media/enable-disable-data-estate-insights/disable-option.png" alt-text="Screenshot of the Overview window in the Management section of the Microsoft Purview governance portal with the State toggle highlighted for Data Estate Insights feature options." :::

+Once you have disabled Data Estate Insights, the icon will still appear in the left hand menu, but users will receive a warning stating that the application has been disabled when attempting to access it.

+## Disable report refresh

+> [!NOTE]

+> To be able to disable or edit report refresh, you will need to have the [data curator role](catalog-permissions.md#roles) on your account's [root collection.](reference-azure-purview-glossary.md#root-collection)

+You can choose to disable report refreshes instead of disabling the entire Data Estate Insights application. When you disable report refreshes, users with the [insights reader role](catalog-permissions.md#roles) will still be able view reports, but they'll see warning at the top of each report indicating that the data may not be current and the date of the last refresh.

+Graphs that show data from the last 30 days will appear blank after 30 days while graphs showing snapshot of the data map will continue to show graphs and details.

+To disable the Data Estate Insights report refresh, a user with the [data curator role](catalog-permissions.md#roles) at the [root collection](reference-azure-purview-glossary.md#root-collection) can follow these steps:

+1. In the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/), go to the **Management** section.

+ :::image type="content" source="media/enable-disable-data-estate-insights/locate-management.png" alt-text="Screenshot of the Microsoft Purview governance portal left menu, with the Management section highlighted." :::

+1. Then select **Overview**.

+1. In the **Feature options** menu, locate Data Estate Insights, select the **Refresh frequency** drop-down menu, and select **Off**.

+ :::image type="content" source="media/enable-disable-data-estate-insights/refresh-frequency.png" alt-text="Screenshot of the Overview window in the Management section of the Microsoft Purview governance portal with the refresh frequency dropdown highlighted for Data Estate Insights feature options." :::

+## Enable Data Estate Insights and report refresh

+> [!NOTE]

+> To be able to enable Data Estate Insights, enable report refresh, or edit report refresh, you will need to have the [data curator role](catalog-permissions.md#roles) on your account's [root collection.](reference-azure-purview-glossary.md#root-collection)

+If Data Estate Insights or report refresh has been disabled in your Microsoft Purview governance portal environment, a user with the [data curator role](catalog-permissions.md#roles) at the [root collection](reference-azure-purview-glossary.md#root-collection) can re-enable either at any time by following these steps:

+1. In the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/), go to the **Management** section.

+ :::image type="content" source="media/enable-disable-data-estate-insights/locate-management.png" alt-text="Screenshot of the Microsoft Purview governance portal Management section highlighted.":::

+1. Then select **Overview**.

+1. In the **Feature options** menu, locate Data Estate Insights, select the **Refresh frequency** drop-down menu, and select a refresh rate to enable report refresh. Or select the State toggle to change it to **On** to re-enable the entire application.

+ :::image type="content" source="media/enable-disable-data-estate-insights/disable-data-estate-insights.png" alt-text="Screenshot of the Overview window in the Management section of the Microsoft Purview governance portal with Data Estate Insights highlighted." :::

+ 1. App registration exists in your Azure Active Directory tenant.

+ 2. Under **API permissions**, the following **delegated permissions** and **grant admin consent for the tenant** is set up with read for the following APIs:

+ 3. Under **Authentication**, **Allow public client flows** is enabled.

+2. Validate Self-hosted runtime settings:

+ 3. Under **Authentication**, **Allow public client flows** is enabled.

+2. Review network configuration and validate if:

+

+1. Under **Advanced settings**, enable **Allow Public client flows**.

+2. In the Microsoft Purview Studio, navigate to the **Data map** in the left menu.