- - When a user is managed by Azure AD Connect, the source of authority is on-premises Azure AD. So, user attributes can't be changed in Azure AD. This preview doesn't change the source of authority for users managed by Azure AD Connect.

-Within the [SCIM 2.0 protocol specification](http://www.simplecloud.info/#Specification), your application must support these requirements:

-If you've enabled Application Proxy enabled and installed a connector already, you can skip this section and go to [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy).

->System-preferred MFA is a key security upgrade to traditional second factor notifications. We highly recommend enabling system-preferred MFA in the near term for improved sign-in security.

-[FIDO2 security keys](../develop/support-fido2-authentication.md#mobile) on mobile devices and [registration for certificate-based authentication (CBA)](concept-certificate-based-authentication.md) aren't supported due to an issue that might surface when system-preferred MFA is enabled. Until a fix is available, we recommend not using FIDO2 security keys on mobile devices or registering for CBA. To disable system-preferred MFA for these users, you can either add them to an excluded group or remove them from an included group.

-1. [Certificate-based authentication](concept-certificate-based-authentication.md)

-### How does system-preferred MFA affect AD FS or NPS extension?

-System-preferred MFA doesn't affect users who sign in by using federation, such as Active Directory Federation Services (AD FS) or third-party providers, or Network Policy Server (NPS) extension. Those users don't see any change to their sign-in experience.

- |`https://autoupdate.msappproxaxy.net` | Azure AD Password Protection auto-upgrade functionality |

- services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)

- .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))

- .EnableTokenAcquisitionToCallDownstreamApi()

- .AddMicrosoftGraph(Configuration.GetSection("Graph"))

- .AddInMemoryTokenCaches();

- services.AddRazorPages();

- "Domain": "fourthcoffeetest.onmicrosoft.com",

- "TenantId": "[tenant-id]",

- "ClientId": "[client-id]",

- // To call an API

- "ClientSecret": "[secret-from-portal]", // Not required by this scenario

- "Graph": {

- "BaseUrl": "https://graph.microsoft.com/v1.0",

- "Scopes": "user.read"

-[AuthorizeForScopes(Scopes = new[] { "user.read" })]

-description: In this tutorial, you build a console app for calling Microsoft Graph to a Node.js console app.

-# Tutorial: Call the Microsoft Graph API in a Node.js console app

-In this tutorial, you build a console app that calls Microsoft Graph API using its own identity. The console app you build uses the [Microsoft Authentication Library (MSAL) for Node.js](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).

-> - Create a Node.js console app project

-1. Start by creating a directory for this Node.js tutorial project. For example, *NodeConsoleApp*.

-NodeConsoleApp/

-Create an environment file to store the app registration details that will be used when acquiring tokens. To do so, create a file named *.env* inside the root folder of the sample (*NodeConsoleApp*), and add the following code:

-Start the Node.js console app by running the following command from within the root of your project folder:

-If you'd like to dive deeper into Node.js console application development on the Microsoft identity platform, see our multi-part scenario series:

-The sensitivity label option is only displayed for groups when all the following conditions are met:

-1. Labels are published in the Microsoft Purview compliance portal for this Azure AD organization.

-1. The group is a Microsoft 365 group.

-1. The organization has an active Azure Active Directory Premium P1 license.

-3. The current signed-in user has sufficient privileges to assign labels. The user must be either a Global Administrator, Group Administrator, or the group owner.

-4. The current signed-in user must be within the scope of the [sensitivity label publishing policy](/microsoft-365/compliance/sensitivity-labels?preserve-view=true&view=o365-worldwide#what-label-policies-can-do)

-Please make sure all the conditions are met in order to assign labels to a group.

-> [Prepare your app to sign in users >](how-to-browserless-app-node-sign-in-prepare-app.md)

-Learn how to [Use client certificate instead of a secret for authentication in your Node.js confidential app](how-to-web-app-node-use-certificate.md).

-> [Prepare your Azure AD for customers tenant for authorization >](how-to-daemon-node-call-api-prepare-tenant.md)

-> [Acquire an access token and call API >](how-to-daemon-node-call-api-call-api.md)

-> [Prepare your daemon application and web API >](how-to-daemon-node-call-api-prepare-app.md)

-> [Configure SPA for authentication](how-to-single-page-app-vanillajs-configure-authentication.md)

-> [Prepare your Vanilla JS SPA](how-to-single-page-app-vanillajs-prepare-app.md)

-> [Sign in and sign out](how-to-web-app-dotnet-sign-in-sign-out.md)

-> [Prepare your Azure AD for customers tenant for authentication >](how-to-web-app-node-sign-in-call-api-prepare-tenant.md)

-> [Call an API >](how-to-web-app-node-sign-in-call-api-call-api.md)

-> [Start building your Node.js web app >](how-to-web-app-node-sign-in-prepare-app.md)

-Post-authentication anomalous activity detection for workload identities. This detection focuses specifically on detection of post authenticated anomalous behavior performed by a workload identity (service principal). Post-authentication behavior is assessed for anomalies based on an action and/or sequence of actions occurring for the account. Based on the scoring of anomalies identified, the offline detection may score the account as low, medium, or high risk. The risk allocation from the offline detection will be available within the Risky workload identities reporting blade. A new detection type identified as Anomalous service principal activity appears in filter options. For more information, see: [Securing workload identities](../identity-protection/concept-workload-identity-risk.md).

-## November 2022

-### General Availability - Windows Hello for Business, cloud Kerberos trust deployment

-**Type:** New feature

-**Service category:** Authentications (Logins)

-**Product capability:** User Authentication

-We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Hybrid Cloud Kerberos Trust Deployment](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust).

-### General Availability - Expression builder with Application Provisioning

-**Type:** Changed feature

-**Service category:** Provisioning

-**Product capability:** Outbound to SaaS Applications

-

-Accidental deletion of users in your apps or in your on-premises directory could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability. When a provisioning job would cause a spike in deletions, it will first pause and provide you with visibility into the potential deletions. You can then accept or reject the deletions and have time to update the jobΓÇÖs scope if necessary. For more information, see [Understand how expression builder in Application Provisioning works](../app-provisioning/expression-builder.md).

-

-### General Availability - SSPR writeback is now available for disconnected forests using Azure AD Connect Cloud sync

-**Type:** New feature

-**Service category:** Azure AD Connect Cloud Sync

-**Product capability:** Identity Lifecycle Management

-Azure AD Connect Cloud Sync Password writeback now provides customers the ability to synchronize Azure AD password changes made in the cloud to an on-premises directory in real time. This can be accomplished using the lightweight Azure AD cloud provisioning agent. For more information, see: [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).

-### General Availability - Prevent accidental deletions

-**Type:** New feature

-**Service category:** Provisioning

-**Product capability:** Outbound to SaaS Applications

-Accidental deletion of users in any system could be disastrous. WeΓÇÖre excited to announce the general availability of the accidental deletions prevention capability as part of the Azure AD provisioning service. When the number of deletions to be processed in a single provisioning cycle spikes above a customer defined threshold, the Azure AD provisioning service pauses, provide you with visibility into the potential deletions, and allow you to accept or reject the deletions. This functionality has historically been available for Azure AD Connect, and Azure AD Connect Cloud Sync. It's now available across the various provisioning flows, including both HR-driven provisioning and application provisioning.

-For more information, see: [Enable accidental deletions prevention in the Azure AD provisioning service](../app-provisioning/accidental-deletions.md)

-### General Availability - Create group in administrative unit

-**Type:** New feature

-**Service category:** RBAC

-**Product capability:** AuthZ/Access Delegation

-

-Groups Administrators and other roles scoped to an administrative unit can now create groups within the administrative unit. Previously, creating a new group in administrative unit required a two-step process to first create the group, then add the group to the administrative unit. The second step required a Privileged Role Administrator or Global Administrator. Now, groups can be directly created in an administrative unit by anyone with appropriate roles scoped to the administrative unit, and this no longer requires a higher privilege admin role. For more information, see: [Add users, groups, or devices to an administrative unit](../roles/admin-units-members-add.md).

-

-### General Availability - Number matching for Microsoft Authenticator notifications

-**Type:** New feature

-**Service category:** Microsoft Authenticator App

-**Product capability:** User Authentication

-To prevent accidental notification approvals, admins can now require users to enter the number displayed on the sign-in screen when approving an MFA notification in the Microsoft Authenticator app. We've also refreshed the Azure portal admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update we have also added the highly requested ability for admins to exclude user groups from each feature.

-The number matching feature greatly up-levels the security posture of the Microsoft Authenticator app and protects organizations from MFA fatigue attacks. We highly encourage our customers to adopt this feature applying the rollout controls we have built. Number Matching will begin to be enabled for all users of the Microsoft Authenticator app starting 27th of February 2023.

-For more information, see: [How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy](../authentication/how-to-mfa-number-match.md).

-### General Availability - Additional context in Microsoft Authenticator notifications

-**Type:** New feature

-**Service category:** Microsoft Authenticator App

-**Product capability:** User Authentication

-Reduce accidental approvals by showing users additional context in Microsoft Authenticator app notifications. Customers can enhance notifications with the following:

-The feature is available for both MFA and Password-less Phone Sign-in notifications and greatly increases the security posture of the Microsoft Authenticator app. We've also refreshed the Azure portal Admin UX and Microsoft Graph APIs to make it easier for customers to manage Authenticator app feature roll-outs. As part of this update, we've also added the highly requested ability for admins to exclude user groups from certain features.

-We highly encourage our customers to adopt these critical security features to reduce accidental approvals of Authenticator notifications by end users.

-For more information, see: [How to use additional context in Microsoft Authenticator notifications - Authentication methods policy](../authentication/how-to-mfa-additional-context.md).

-With access reviews, you can create a downloadable review history to help your organization gain more insight. The report pulls the decisions that were taken by reviewers when a report is created. These reports can be constructed to include specific access reviews, for a specific time frame, and can be filtered to include different review types and review results.

-The reports provide details on a per-user basis showing the following:

-| AccessReviewId | Review object id |

-| AccessReviewSeriesId | Object id of the review series, if the review is an instance of a recurring review. If a one-time review, the value will be am empty GUID. |

-| ResourceId | Id of the resource being reviewed |

-| PrincipalId | Id of the principal being reviewed |

-| ReviewerId | Reviewer Id |

-|SubmissionResult | Review result submission status include applied, and not applied. |

-This article describes features and methods that allow you to pinpoint and select external identities so that you can review them and remove them from Azure AD if they are no longer needed. The cloud makes it easier than ever to collaborate with internal or external users. Embracing Office 365, organizations start to see the proliferation of external identities (including guests), as users work together on data, documents, or digital workspaces such as Teams. Organizations need to balance, enabling collaboration and meeting security and governance requirements. Part of these efforts should include evaluating and cleaning out external users, who were invited for collaboration into your tenant, that originating from partner organizations, and removing them from your Azure AD when they are no longer needed.

-In most organizations, end-users initiate the process of inviting business partners and vendors for collaboration. The need to collaborate drives organizations to provide resource owners and end users with a way to evaluate and attest external users regularly. Often the process of onboarding new collaboration partners is planned and accounted for, but with many collaborations not having a clear end date, it is not always obvious when a user no longer needs access. Also, identity life-cycle management drives enterprises to keep Azure AD clean and remove users who no longer need access to the organizationΓÇÖs resources. Keeping only the relevant identity references for partners and vendors in the directory helps reduce the risk of your employees, inadvertently selecting and granting access to external users that should have been removed. This document walks you through several options that range from recommended proactive suggestions to reactive and cleanup activities to govern external identities.

-Entitlement management features enable the [automated lifecycle of external identities](entitlement-management-external-users.md#manage-the-lifecycle-of-external-users) with access to resources. By establishing processes and procedures to manage access through Entitlement Management, and publishing resources through Access Packages, keeping track of external user access to resources becomes a far less complicated problem to solve. When managing access through [Entitlement Management Access Packages](entitlement-management-overview.md) in Azure AD, your organization can centrally define and manage access for your users, as well as users from partner organizations alike. Entitlement Management uses approvals and assignments of Access Packages to track where external users have requested and been assigned access. Should an external user lose all of their assignments, Entitlement Management can remove these external users automatically from the tenant.

-When employees are authorized to collaborate with external users, they may invite any number of users from outside your organization. Looking for and grouping external partners into company-aligned dynamic groups and reviewing them may not be feasible, as there may be too many different individual companies to review, or there is no owner or sponsor for the organization. Microsoft provides a sample PowerShell script that can help you analyze the use of external identities in a tenant. The script enumerates external identities and categorizes them. The script can help you identify and clean up external identities that may no longer be required. As part of the scriptΓÇÖs output, the script sample supports automated creation of security groups that contain the identified group-less external partners ΓÇô for further analysis and use with Azure AD Access Reviews.

-If you have external identities using resources such as Teams or other applications not yet governed by Entitlement Management, you may want to review access to these resources regularly, too. Azure AD [Access Reviews](create-access-review.md) gives you the ability to review external identitiesΓÇÖ access by either letting the resource owner,external identities themselves, or another delegated person you trust attest to whether continued access it required. Access Reviews target a resource and create a review activity scoped to either Everyone who has access to the resource or Guest users only. The reviewer then will see the resulting list of users they need to review ΓÇô either all users, including employees of your organization or external identities only.

-Users that no longer have access to any resources in your tenant can be removed if they no longer work with your organization. Before you block and delete these external identities, you may want to reach out to these external users and make sure you have not overlooked a project or standing access they have that they still need. When you create a group that contains all external identities as members that you found have no access to any resources in your tenant, you can use Access Reviews to have all externals self-attest to whether they still need or have access ΓÇô or will still need access in the future. As part of the review, the review creator in Access Reviews can use the **Require reason on approval** function to require external users to provide a justification for continued access, through which you can learn where and how they still need access in your tenant. Also, you can enable the setting **Additional content for reviewer email** feature, to let users know that they will be losing access if they donΓÇÖt respond and, should they still need access, a justification is required. If you want to go ahead and let Access Reviews **disable and delete** external identities, should they fail to respond or provide a valid reason for continued access, you can use the Disable and delete option, as described in the next section.

-When the review finishes, the **Results** page shows an overview of the response given by every external identity. You can choose to apply results automatically and let Access Reviews disable and delete them. Alternatively, you can look through the responses given and decide whether you want to remove a userΓÇÖs access or follow-up with them and get additional information before making a decision. If some users still have access to resources that you have not reviewed yet, you can use the review as part of your discovery and enrich your next review and attestation cycle.

-In addition to the option of removing unwanted external identities from resources such as groups or applications, Azure AD Access Reviews can block external identities from signing-in to your tenant and delete the external identities from your tenant after 30 days. Once you select **Block user from signing-in for 30 days, then remove user from the tenant**, the review will stay in the ΓÇ£applyingΓÇ¥ state for 30 days. During this period, settings, results, reviewers or Audit logs under the current review won't be viewable or configurable.

-This setting allows you to identify, block, and delete external identities from your Azure AD tenant. External identities who are reviewed and denied continued access by the reviewer will be blocked and deleted, irrespective of the resource access or group membership they have. This setting is best used as a last step after you have validated that the external users in-review no longer carries resource access and can safely be removed from your tenant or if you want to make sure they are removed, irrespective of their standing access. The ΓÇ£Disable and deleteΓÇ¥ feature blocks the external user first, taking away their ability to signing into your tenant and accessing resources. Resource access is not revoked in this stage, and in case you wanted to reinstantiate the external user, their ability to log on can be reconfigured. Upon no further action, a blocked external identity will be deleted from the directory after 30 days, removing the account as well as their access.

-You can track the progress of access reviews as they are completed.

-1. In the left menu, click **Access reviews**.

-1. In the list, click an access review.

- On the **Overview** page, you can see the progress of the **Current** instance of the review. If there is not an active instance open at the time, you will see information on the previous instance. No access rights are changed in the directory until the review is completed.

- If you are viewing an access review that reviews guest access across Microsoft 365 groups, the Overview blade lists each group in the review.

- Click on a group to see the progress of the review on that group, also to Stop, Reset, Apply, and Delete.

-1. If you want to stop an access review before it has reached the scheduled end date, click the **Stop** button.

-1. Click **Results** on the left nav menu under **Current**.

-1. Once you are on the results page, under **Status** it will tell you which stage the multi-stage review is in. The next stage of the review won't become active until the duration specified during the access review setup has passed.

-1. If a decision has been made, but the review duration for this stage has not expired yet, you can select **Stop current stage** button on the results page. This will trigger the next stage of review.

-To view the results for a review, click the **Results** page. To view just a user's access, in the Search box, type the display name or user principal name of a user whose access was reviewed.

-To view the results of a completed instance of an access review that is recurring, click **Review history**, then select the specific instance from the list of completed access review instances, based on the instance's start and end date. The results of this instance can be obtained from the **Results** page. Recurring access reviews allow you to have a constant picture of access to resources that may need to be updated more often than one-time access reviews.

-To retrieve the results of an access review, both in-progress or completed, click the **Download** button. The resulting CSV file can be viewed in Excel or in other programs that open UTF-8 encoded CSV files.

-If **Auto apply results to resource** was enabled based on your selections in **Upon completion settings**, auto-apply will be executed once a review instance completes, or earlier if you manually stop the review.

-If **Auto apply results to resource** wasn't enabled for the review, navigate to **Review History** under **Series** after the review duration ends or the review was stopped early, and click on the instance of the review youΓÇÖd like to Apply.

-Click **Apply** to manually apply the changes. If a user's access was denied in the review, when you click **Apply**, Azure AD removes their membership or application assignment.

-The status of the review will change from **Completed** through intermediate states such as **Applying** and finally to state **Result applied**. You should expect to see denied users, if any, being removed from the group membership or application assignment in a few minutes.

-Denied B2B direct connect users and teams will lose access to all shared channels in the Team.

-This article describes how to create one or more access reviews for PIM for Groups, which will include the active members of the group as well as the eligible members. Reviews can be performed on both active members of the group, who are active at the time the review is created, and the eligible members of the group.

-7. If you are conducting group membership review, you can create access reviews for only the inactive users in the group. In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review will focus on inactive users only, those who have not signed in either interactively or non-interactively to the tenant. Then, specify **Days inactive** with a number of days inactive up to 730 days (two years). Users in the group inactive for the specified number of days will be the only users in the review.

-If you are reviewing access to an application, then before creating the review, see the article on how to [prepare for an access review of users' access to an application](access-reviews-application-preparation.md) to ensure the application is integrated with Azure AD.

-8. Or if you are conducting group membership review, you can create access reviews for only the inactive users in the group. In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review will focus on inactive users only, those who have not signed in either interactively or non-interactively to the tenant. Then, specify **Days inactive** with a number of days inactive up to 730 days (two years). Users in the group inactive for the specified number of days will be the only users in the review.

-1. You can create a single-stage or multi-stage review. For a single stage review continue here. To create a multi-stage access review, follow the steps in [Create a multi-stage access review](#create-a-multi-stage-access-review)

- - **Auto apply results to resource**: Select this checkbox if you want access of denied users to be removed automatically after the review duration ends. If the option is disabled, you'll have to manually apply the results when the review finishes. To learn more about applying the results of the review, see [Manage access reviews](manage-access-review.md).

- 1. If you select **(Preview) User-to-Group Affiliation**, reviewers will get the recommendation to Approve or Deny access for the users based on userΓÇÖs average distance in the organizationΓÇÖs reporting-structure. Users who are very distant from all the other users within the group are considered to have "low affiliation" and will get a deny recommendation in the group access reviews.

-1. Click the checkbox next to **Multi-stage review**.

-1. If you select **Group owner(s)** or **Managers of Users**, you have the option to add a fallback reviewer. To add a fallback, click **Select fallback reviewers** and add the users you want to be fallback reviewers.

-1. By default, you will see two stages when you create a multi-stage review. However, you can add up to three stages. If you want to add a third stage, click **+ Add a stage** and complete the required fields.

-1. You can decide to allow 2nd and 3rd stage reviewers to the see decisions made in the previous stage(s).If you want to allow them to see the decisions made prior, click the box next to **Show previous stage(s) decisions to later stage reviewers** under **Reveal review results**. Leave the box unchecked to disable this setting if youΓÇÖd like your reviewers to review independently.

-1. The duration of each recurrence will be set to the sum of the duration day(s) you specified in each stage.

-1. Select **Teams + Groups** and then click **Select teams + groups** to set the **Review scope**. B2B direct connect users and teams are not included in reviews of **All Microsoft 365 groups with guest users**.

-* **Manage risk**: Access reviews provide you a way to review access to data and applications, which lowers the risk of data leakage and data spill. You gain the capability to regularly review external partners' access to corporate resources.

-The IT department will want to stay in control for all infrastructure-related access decisions and privileged role assignments.

-When you schedule a review, you nominate users who will do this review. These reviewers then receive an email notification of new reviews assigned to them and reminders before a review assigned to them expires.

-Before you implement your access reviews, plan the types of reviews relevant to your organization. To do so, you'll need to make business decisions about what you want to review and the actions to take based on those reviews.

-* What manual actions will be taken as a result based on the review?

-[Privileged Identity Management](../privileged-identity-management/pim-configure.md) simplifies how enterprises manage privileged access to resources in Azure AD. Using PIM keeps the list of privileged roles in [Azure AD](../roles/permissions-reference.md) and [Azure resources](../../role-based-access-control/built-in-roles.md) much smaller. It also increases the overall security of the directory.

-1. You may receive an email from Microsoft that asks you to review access. Locate the email to open the access review. Here is an example email to review access:

-1. Click the **Review user access** link to open the access review.

-1. Click **Access reviews** on the left navigation bar to see a list of pending access reviews assigned to you.

-1. Click the review that youΓÇÖd like to begin.

-Once you open the access review, you will see the names of users for which you need to review. There are two ways that you can approve or deny access:

-1. If you aren't sure, you can click the **DonΓÇÖt know** button.

-1. You may be required to provide a reason for your decision. Type in a reason and click **Submit**.

-To review access for multiple users more quickly, you can use the system-generated recommendations, accepting the recommendations with a single click. The recommendations are generated based on the user's sign-in activity.

-1. In the bar at the top of the page, click **Accept recommendations**.

- You'll see a summary of the recommended actions.

-1. Click **Submit** to accept the recommendations.

-Organizations with compliance requirements or risk management plans will have sensitive or business-critical applications. If this application is an existing application in your environment, you may already have documented the access policies for who 'should have access' to this application. If not, you may need to consult with various stakeholders, such as compliance and risk management teams, to ensure that the policies being used to automate access decisions are appropriate for your scenario.

-As the organizational policy for who should have access is being reviewed by the stakeholders, then you can begin [integrating the application](identity-governance-applications-integrate.md) with Azure AD. That way at a later step you'll be ready to [deploy the organization-approved policies](identity-governance-applications-deploy.md) for access in Azure AD identity governance.

-In previous sections, you [defined your governance policies for an application](identity-governance-applications-define.md) and [integrated that application with Azure AD](identity-governance-applications-integrate.md). In this section, you'll configure the Azure AD conditional access and entitlement management features to control ongoing access to your applications. You'll establish

-In this section, you'll establish the Conditional Access policies that are in scope for determining whether an authorized user is able to sign into the app, based on factors like the user's authentication strength or device status.

-1. **Upload the terms of use (TOU) document, if needed.** If you require users to accept a terms of use (TOU) prior to accessing the application, then create and [upload the TOU document](../conditional-access/terms-of-use.md) so that it can be included in a conditional access policy.

-1. **Document the token lifetime and application's session settings.** How long a user who has been denied continued access can continue to use a federated application will depend upon the application's own session lifetime, and on the access token lifetime. The session lifetime for an application depends upon the application itself. To learn more about controlling the lifetime of access tokens, see [configurable token lifetimes](../develop/configurable-token-lifetimes.md).

-In this section, you'll configure Azure AD entitlement management so users can request access to your application's roles or to groups used by the application. In order to perform these tasks, you'll need to be in the *Global Administrator*, *Identity Governance Administrator* role, or be [delegated as a catalog creator](entitlement-management-delegate-catalog.md) and the owner of the application.

-1. **Populate the catalog with necessary resources.** Add the application, as well as any Azure AD groups that the application relies upon, [as resources in that catalog](../governance/entitlement-management-catalog-create.md).

-Azure AD, in conjunction with Azure Monitor, provides several reports to help you understand who has access to an application and if they're using that access.

-* **Check that provisioning and deprovisioning are working as expected.** If you had previously configured provisioning of users to the application, then when the results of a review are applied, or a user's assignment to an access package expires, Azure AD will begin deprovisioning denied users from the application. You can [monitor the process of deprovisioning users](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md). If provisioning indicates an error with the application, you can [download the provisioning log](../reports-monitoring/concept-provisioning-logs.md) to investigate if there was a problem with the application.

-* **Update the Azure AD configuration with any role or group changes in the application.** If the application adds new application roles in its manifest, updates existing roles, or relies upon additional groups, then you'll need to update the access packages and access reviews to account for those new roles or groups.

- * Otherwise, if this is an on-premises or IaaS hosted application, and is not integrated with AD, then configure provisioning to that application, either via SCIM or to the underlying database or directory of the application.

-1. Set that access to **the application is only permitted for users assigned to the application**. This setting will prevent users from inadvertently seeing the application in MyApps, and attempting to sign into the application, prior to Conditional Access policies being enabled.

-However, if the application already existed in your environment, then it's possible that users may have gotten access in the past through manual or out-of-band processes, and those users should now be reviewed to have confirmation that their access is still needed and appropriate going forward. We recommend performing an access review of the users who already have access to the application, before enabling policies for more users to be able to request access. This review will set a baseline of all users having been reviewed at least once, to ensure that those users are authorized for continued access.

-1. If the application was not using Azure AD or AD, but does support a provisioning protocol or had an underlying SQL or LDAP database, bring in any [existing users and create application role assignments](identity-governance-applications-existing-users.md) for them.

-1. If the application was not using Azure AD or AD, and does not support a provisioning protocol, then [obtain a list of users from the application and create application role assignments for each of them](identity-governance-applications-not-provisioned-users.md).

-1. If the application was using AD security groups, then you'll need to review the membership of those security groups.

-1. If the application was using AD security groups, and those groups were created in AD, then once the review is complete, you'll need to manually update the AD groups to remove memberships of those users who were denied. Subsequently, to have denied access rights removed automatically, you can either update the application to use an AD group that was created in Azure AD and [written back to Azure AD](../enterprise-users/groups-write-back-portal.md), or move the membership from the AD group to the Azure AD group, and nest the written back group as the only member of the AD group.

-Organizations with compliance requirements or risk management plans will have sensitive or business-critical applications. The application sensitivity may be based on its purpose or the data it contains, such as financial information or personal information of the organization's customers. For those applications, only a subset of all the users in the organization will typically be authorized to have access, and access should only be permitted based on documented business requirements. As part of your organization's controls for managing access, you can use Microsoft Entra features to

-Microsoft Entra identity governance can be integrated with many applications, using [standards](../fundamentals/auth-sync-overview.md) such as OpenID Connect, SAML, SCIM, SQL and LDAP. Through these standards, you can use Azure AD with many popular SaaS applications, as well as on-premises applications, and applications that your organization has developed. Once you've prepared your Azure AD environment, as described in the section below, the three step plan covers how to connect an application to Azure AD and enable identity governance features to be used for that application.

- Your tenant will need to have at least as many licenses as the number of member (non-guest) users who have or can request access to the applications, approve, or review access to the applications. With an appropriate license for those users, you can then govern access to up to 1500 applications per user.

-* **If you will be governing guest's access to the application, link your Azure AD tenant to a subscription for MAU billing**. This step will be necessary prior to having a guest request or review their access. For more information, see [billing model for Azure AD External Identities](../external-identities/external-identities-pricing.md).

-* **Check that Azure AD is already sending its audit log, and optionally other logs, to Azure Monitor.** Azure Monitor is optional, but useful for governing access to apps, as Azure AD only stores audit events for up to 30 days in its audit log. You can keep the audit data for longer than the default retention period, outlined in [How long does Azure AD store reporting data?](../reports-monitoring/reference-reports-data-retention.md), and use Azure Monitor workbooks and custom queries and reports on historical audit data. You can check the Azure AD configuration to see if it is using Azure Monitor, in **Azure Active Directory** in the Azure portal, by clicking on **Workbooks**. If this integration isn't configured, and you have an Azure subscription and are in the `Global Administrator` or `Security Administrator` roles, you can [configure Azure AD to use Azure Monitor](../governance/entitlement-management-logs-and-reporting.md).

-* **Make sure only authorized users are in the highly privileged administrative roles in your Azure AD tenant.** Administrators in the *Global Administrator*, *Identity Governance Administrator*, *User Administrator*, *Application Administrator*, *Cloud Application Administrator* and *Privileged Role Administrator* can make changes to users and their application role assignments. If the memberships of those roles have not yet been recently reviewed, you'll need a user who is in the *Global Administrator* or *Privileged Role Administrator* to ensure that [access review of these directory roles](../privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md) are started. You should also ensure that users in Azure roles in subscriptions that hold the Azure Monitor, Logic Apps and other resources needed for the operation of your Azure AD configuration have been reviewed.

-* **Check your tenant has appropriate isolation.** If your organization is using Active Directory on-premises, and these AD domains are connected to Azure AD, then you'll need to ensure that highly-privileged administrative operations for cloud-hosted services are isolated from on-premises accounts. Check that you've [configured your systems to protect your Microsoft 365 cloud environment from on-premises compromise](../fundamentals/protect-m365-from-on-premises-attacks.md).

-This article will show you how to get started using Azure Automation for Microsoft Entra Identity Governance, by creating a simple runbook that queries entitlement management via Microsoft Graph PowerShell.

-1. Review the users and service principals who are listed there and ensure they are authorized. Remove any users who are unauthorized.

-1. After you have exported the files, you can remove the certificate and key pair from your local user certificate store. In subsequent steps you will remove the `.pfx` and `.crt` files as well, once the certificate and private key have been uploaded to the Azure Automation and Azure AD services.

-Your runbook in Azure Automation will retrieve the private key from the `.pfx` file, and use it for authenticating to Microsoft Graph.

-1. You can now delete the `.pfx` file from your local computer. However, do not delete the `.crt` file yet, as you will need this file in a subsequent step.

-By default, Azure Automation does not have any PowerShell modules preloaded for Microsoft Graph. You will need to add **Microsoft.Graph.Authentication**, and then additional modules, from the gallery to your Automation account. Note that you will need to choose whether to use the beta or v1.0 APIs through those modules, as you cannot mix both in a single runbook.

-1. In the Search bar, type **Microsoft.Graph.Authentication**. Select the module, select **Import**, and select **OK** to have Azure AD begin importing the module. After clicking OK, importing a module may take several minutes. Don't attempt to add more Microsoft Graph modules until the Microsoft.Graph.Authentication module import has completed, since those other modules have Microsoft.Graph.Authentication as a prerequisite.

-1. If you are using the cmdlets for Azure AD identity governance features, such as entitlement management, then repeat the import process for the module **Microsoft.Graph.Identity.Governance**.

-1. Import other modules that your script may require, such as **Microsoft.Graph.Users**. For example, if you are using Identity Protection, then you may wish to import the **Microsoft.Graph.Identity.SignIns** module.

-Next, you will create an app registration in Azure AD, so that Azure AD will recognize your Azure Automation runbook's certificate for authentication.

-1. Once the application registration is created, take note of the **Application (client) ID** and **Directory (tenant) ID** as you will need these items later.

-1. Select each of the permissions that your Azure Automation account will require, then select **Add permissions**.

- * If your runbook is only performing queries or updates within a single catalog, then you do not need to assign it tenant-wide application permissions; instead you can assign the service principal to the catalog's **Catalog owner** or **Catalog reader** role.

-In this step, you will create in the Azure automation account three variables that the runbook will use to determine how to authenticate to Azure AD.

-In this step, you will create an initial runbook. You can trigger this runbook to verify the authentication using the certificate created earlier is successful.

-1. Once the runbook is created, a text editing pane will appear for you to type in the PowerShell source code of the runbook.

-3. If the run was successful, the output instead of the welcome message will be a JSON array. The JSON array will include the ID and display name of each access package returned from the query.

-The format of the allowed parameters depends upon the calling service. If your runbook does take parameters from the caller, then you will need to add validation logic to your runbook to ensure that the parameter values supplied are appropriate for how the runbook could be started. For example, if your runbook is started by a [webhook](../../automation/automation-webhooks.md), Azure Automation doesn't perform any authentication on a webhook request as long as it's made to the correct URL, so you will need an alternate means of validating the request.

-Once your runbook is published, your can create a schedule in Azure Automation, and link your runbook to that schedule to run automatically. Scheduling runbooks from Azure Automation is suitable for runbooks that do not need to interact with other Azure or Office 365 services that do not have PowerShell interfaces.

-If you created a self-signed certificate following the steps above for authentication, keep in mind that the certificate will have a limited lifetime before it will expire. You will need to regenerate the certificate and upload the new certificate before its expiration date.

-Lifecycle Workflows currently have six built-in templates you can use or customize:

-4. In addition to users who denied their own need for continued access, you also can remove guest users who did not respond. You also can remove guest users who were not selected to participate, especially if they were not recently invited. Those users did not accept their invitation and so didn't have access to the application.

-3. Ask each guest to review their own membership. By default, each guest who accepted an invitation receives an email from Azure AD with a link to the access review in your organization's access panel. Azure AD has instructions for guests on how to [review access to groups or applications](perform-access-review.md). Those guests who didn't accept their invite will appear in the review results as "Not Notified".

-5. You can automatically delete the guest users Azure AD B2B accounts as part of an access review when you are configuring an Access review for **Select Team + Groups**. This option is not available for **All Microsoft 365 groups with guest users**.

-If you are reviewing access to an application, then before creating the review, see the article on how to [prepare for an access review of users' access to an application](access-reviews-application-preparation.md) to ensure the application is integrated with Azure AD.

-Microsoft Entra simplifies how enterprises manage access to groups and applications in Microsoft Entra and other Microsoft web services with a feature called access reviews. This article will cover how a designated reviewer performs an access review for members of a group or users with access to an application. If you want to review access to an access package, read [Review access of an access package in entitlement management](entitlement-management-access-reviews-review-access.md).

- If you're unsure if a user should continue to have access, you can select **Don't know**. The user gets to keep their access, and your choice is recorded in the audit logs. Keep in mind that any information you provide will be available to other reviewers. They can read your comments and take them into account when they review the request.

-1. The administrator of the access review might require you to supply a reason for your decision in the **Reason** box, even when a reason is not required. You can still provide a reason for your decision. The information that you include will be available to other approvers for review.

-To make access reviews easier and faster for you, we also provide recommendations that you can accept with a single selection. There are two ways that the system generates recommendations for the reviewer. One method is by the user's sign-in activity. If a user has been inactive for 30 days or more, the system will recommend that the reviewer deny access.

-The other method is based on the access that the user's peers have. If the user doesn't have the same access as their peers, the system will recommend that the reviewer deny that user access.

-If the administrator has enabled multi-stage access reviews, there will be two or three total stages of review. Each stage of review will have a specified reviewer.

-You will either review access manually or accept the recommendations based on sign-in activity for the stage you're assigned as the reviewer.

-If a team you review has shared channels, all B2B direct connect users and teams that access those shared channels are part of the review. This includes B2B collaboration users and internal users. When a B2B direct connect user or team is denied access in an access review, the user will lose access to every shared channel in the team. To learn more about B2B direct connect users, read [B2B direct connect](../external-identities/b2b-direct-connect-overview.md).

-A user is considered 'inactive' if they have not signed into the tenant within the last 30 days. This behavior is adjusted for reviews of application assignments, which checks each user's last activity in the app as opposed to the entire tenant. When inactive user recommendations are enabled for an access review, the last sign-in date for each user will be evaluated once the review starts, and any user that has not signed-in within 30 days will be given a recommended action of Deny. Additionally, when these decision helpers are enabled, reviewers will be able to see the last sign-in date for all users being reviewed. This sign-in date (as well as the resulting recommendation) is determined when the review begins and will not get updated while the review is in-progress.

-This recommendation detects user affiliation with other users within the group, based on organization's reporting-structure similarity. The recommendation relies on a scoring mechanism which is calculated by computing the userΓÇÖs average distance with the remaining users in the group. Users who are very distant from all the other group members based on their organization's chart, are considered to have "low affiliation" within the group.

-For example, Phil who works within the Personal care division is in a group with Debby, Irwin, and Emily who all work within the Cosmetics division. The group is called *Fresh Skin*. If an Access Review for the group Fresh Skin is performed, based on the reporting structure and distance away from the other group members, Phil would be considered to have low affiliation. The system will create a **Deny** recommendation in the group access review.

-1. Look for an email from Microsoft that asks you to review access. Here is an example email to review your access to a group.

-1. Click the **Review access** link to open the access review.

-1. In the upper-right corner of the page, click the user symbol, which displays your name and default organization. If more than one organization is listed, select the organization that requested an access review.

-1. On the right side of the page, click the **Access reviews** tile to see a list of the pending access reviews.

-1. Click the **Begin review** link for the access review you want to perform.

- If the request is to review access for others, the page will look different. For more information, see [Review access to groups or applications](perform-access-review.md).

-1. Click **Yes** to keep your access or click **No** to remove your access.

-1. If you click **Yes**, you might need to specify a justification in the **Reason** box.

-1. Click **Submit**.

- Your selection is submitted and you returned to the My Apps portal.

-2. Click the **Access reviews** tile to see a list of pending access reviews.

-3. Click on **Try it!** in the banner at the top of the page to go to the new My Access experience.

-2. Click the **Review access** link to open the access review.

-2. Click on the name of an Access review to get started.

- If the request is to review access for others, the page will look different. For more information, see [Review access to groups or applications](perform-access-review.md).

-1. If you click **Yes**, you might need to specify a justification in the **Reason** box.

-1. Click **Submit**.

- Your selection is submitted and you returned to the My Access page.

-* Enterprises with critical regulatory requirements for SAP apps will have a single consistent view of access controls. They can then enforce separation-of-duties checks across their financial and other business-critical applications, along with Azure AD-integrated applications.

- If the request is to review access for others, the page will look different. For more information, see [Review access to groups or applications](perform-access-review.md).

-This scenario can be configured with multi-stage reviews similar to how the "Reduce burden on later stage reviewers" scenario works. First, ask guest users to self-review and attest their continued interest and need for collaboration, including the requirement to provide a business justification. Only self-approved guests are progressed to a later stage, where an internal employee or sponsor approve or deny continued access or collaboration.

-For guest user reviews, also consider leveraging the **Inactive users (on tenant level) only** setting. This will scope the review to inactive external users that have not signed in to the resource tenant in the number of specified days.

-Each review stage will stay open for reviewers to add decisions for the length of the duration. Review administrators can stop a running stage and automatically progress the overall review to the next review stage on the reviewer overview page, by selecting **Stop current stage**.

-1. Use the [Get-MgServicePrincipal](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal?branch=main) command to get the service principal ID.

- AppRoles : {<AppRolesId>}

- "objectId": "{objectId}",

- "homepage": "{homepage}",

- "identifierUris": [],

- "publicClient": null,

- "replyUrls": [],

- "logoutUrl": null,

- "samlMetadataUrl": null,

- "errorUrl": null,

- "availableToOtherTenants": false,

- "requiredResourceAccess": []

- "objectId": "{objectId}",

- "deletionTimestamp": null,

- "appDisplayName": "Fabrikam",

- "appOwnerTenantId": "{targetTenantId}",

- "appRoleAssignmentRequired": true,

- "errorUrl": null,

- "homepage": "{homepage}",

- "samlMetadataUrl": null,

- "microsoftFirstParty": null,

- "publisherName": "{tenantDisplayName}",

- "preferredTokenSigningKeyEndDateTime": null,

- "notificationEmailAddresses": [],

- "passwordCredentials": []

-1. Save the service principal object ID.

-1. Initialize a variable with the service principal ID from the previous step.

- Be sure to use the service principal ID instead of the application ID.

- ```powershell

- $ServicePrincipalId = "<ServicePrincipalId>"

- ```

-1. Get the service principal object ID from the previous step.

- Be sure to use the service principal object ID instead of the application ID.

-1. Initialize the job ID for a later step.

- {

- {

- "value": [

- {

- "key": "CompanyId",

- "value": "{targetTenantId}"

- AppRoleId = "<AppRoleId>"

-1. In the source tenant, use the [New-MgServicePrincipalSynchronizationJobOnDemand](/powershell/module/microsoft.graph.applications/new-mgserviceprincipalsynchronizationjobondemand?view=graph-powershell-beta&preserve-view=true&branch=main) command to provision a test user on demand.

- RuleId = "<RuleId>"

-# Approve activation requests for group members and owners

-With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure activation of group membership and ownership to require approval, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each group. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.

-As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view pending requests in Privileged Identity Management.

-1. Select **Azure AD Privileged Identity Management -> Approve requests -> Groups**.

-1. In the **Requests for role activations** section, you'll see a list of requests pending your approval.

- :::image type="content" source="media/pim-for-groups/pim-group-9.png" alt-text="Screenshot of requests for role activations." lightbox="media/pim-for-groups/pim-group-9.png":::

-1. Select **Confirm**. An Azure notification is generated by your approval.

- :::image type="content" source="media/pim-for-groups/pim-group-10.png" alt-text="Screenshot of an Azure notification that is generated by your approval." lightbox="media/pim-for-groups/pim-group-10.png":::

-1. Select **Confirm**. An Azure notification is generated by the denial.

->[!Note]

->An administrator who believes that an approved user should not be active can remove the active group assignment in Privileged Identity Management. Although resource administrators are not notified of pending requests unless they are an approver, they can view and cancel pending requests for all users by viewing pending requests in Privileged Identity Management.

-### Permissions are not granted after activating a role

-When you activate a role in Privileged Identity Management, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. If your activation is delayed, here is what you should do.

-1. In Privileged Identity Management, verify that you are listed as the member of the role.

-In Privileged Identity Management (PIM) for groups in Azure Active Directory (Azure AD), part of Microsoft Entra, role settings define membership or ownership assignment properties: MFA and approval requirements for activation, assignment maximum duration, notification settings, etc. Use the following steps to configure role settings and set up the approval workflow to specify who can approve or deny requests to elevate privilege.

-You will need group management permissions to manage settings. For role-assignable groups, you need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group. For non-role assignable groups, you need to have Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not Administrative Unit level).

-> Other roles with permissions to manage groups (such as Exchange Administrators for non-role-assignable M365 groups) and administrators with assignments scoped at administrative unit level can manage groups through Groups API/UX and override changes made in Azure AD PIM.

-Role settings are defined per role per group: all assignments for the same role (member or owner) for the same group follow same role settings. Role settings of one group are independent from role settings of another group. Role settings for one role (member) are independent from role settings for another role (owner).

-Follow these steps to open the settings for a group role.

-1. Select **Azure AD Privileged Identity Management -> Groups**.

-1. Select the group that you want to configure role settings for.

-1. Select the role you need to configure role settings for ΓÇô **Member** or **Owner**.

- :::image type="content" source="media/pim-for-groups/pim-group-17.png" alt-text="Screenshot of where to select the role you need to configure role settings for." lightbox="media/pim-for-groups/pim-group-17.png":::

-1. Select **Edit** to update role settings.

- :::image type="content" source="media/pim-for-groups/pim-group-18.png" alt-text="Screenshot of where to select Edit to update role settings." lightbox="media/pim-for-groups/pim-group-18.png":::

-1. Once finished, select **Update**.

-### On activation, require multi-factor authentication

-You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. Multi-factor authentication helps safeguard access to data and applications, providing another layer of security by using a second form of authentication.

-> [!NOTE]

-> User may not be prompted for multi-factor authentication if they authenticated with strong credentials, or provided multi-factor authentication earlier in this session. If your goal is to ensure that users have to provide authentication during activation, you can use [On activation, require Azure AD Conditional Access authentication context](pim-how-to-change-default-settings.md#on-activation-require-azure-ad-conditional-access-authentication-context) together with [Authentication Strengths](../authentication/concept-authentication-strengths.md) to require users to authenticate during activation using methods different from the one they used to sign-in to the machine. For example, if users sign-in to the machine using Windows Hello for Business, you can use ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥ and Authentication Strengths to require users to do Passwordless sign-in with Microsoft Authenticator when they activate the role. After the user provides Passwordless sign-in with Microsoft Authenticator once in this example, they'll be able to do their next activation in this session without additional authentication because Passwordless sign-in with Microsoft Authenticator will already be part of their token.

->

-> It's recommended to enable Azure AD Multi-Factor Authentication for all users. For more information, see [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).

-### On activation, require Azure AD Conditional Access authentication context

-You can require users who are eligible for a role to satisfy Conditional Access policy requirements: use specific authentication method enforced through Authentication Strengths, elevate the role from Intune compliant device, comply with Terms of Use, and more.

-To enforce this requirement, you need to:

-1. Create Conditional Access authentication context.

-1. Configure Conditional Access policy that would enforce requirements for this authentication context.

- > [!NOTE]

- > The scope of the Conditional Access policy should include all or eligible users for group membership/ownership. Do not create a Conditional Access policy scoped to authentication context and group at the same time because during activation a user does not have group membership yet, and the Conditional Access policy would not apply.

-1. Configure authentication context in PIM settings for the role.

-> [!NOTE]

-> If PIM settings have ΓÇ£**On activation, require Azure AD Conditional Access authentication context**ΓÇ¥ configured, Conditional Access policies define what conditions user needs to meet in order to satisfy the access requirements. This means that security principals with permissions to manage Conditional Access policies such as Conditional Access Administrators or Security Administrators may change requirements, remove them, or block eligible users from activating their group membership/ownership. Security principals that can manage Conditional Access policies should be considered highly privileged and protected accordingly.

-> [!NOTE]

-> We recommend creating and enabling Conditional Access policy for the authentication context before the authentication context is configured in PIM settings. As a backup protection mechanism, if there are no Conditional Access policies in the tenant that target authentication context configured in PIM settings, during group membership/ownership activation, Azure AD Multi-Factor Authentication is required as the [On activation, require multi-factor authentication](groups-role-settings.md#on-activation-require-multi-factor-authentication) setting would be set. This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy is created, due to a configuration mistake. This backup protection mechanism will not be triggered if the Conditional Access policy is turned off, in report-only mode, or has eligible users excluded from the policy.

-> [!NOTE]

-> **ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥** setting defines authentication context, requirements for which users will need to satisfy when they activate group membership/ownership. After group membership/ownership is activated, this does not prevent users from using another browsing session, device, location, etc. to use group membership/ownership. For example, user may use Intune compliant device to activate group membership/ownership, then after the role is activated, sign-in to the same user account from another device that is not Intune compliant, and use previously activated group ownership/membership from there. To protect from this situation, you may scope Conditional Access policies enforcing certain requirements to eligible users directly. For example, you can require users eligible to certain group membership/ownership to always use Intune compliant devices.

-To learn more about Conditional Access authentication context, see [Conditional Access: Cloud apps, actions, and authentication context](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context).

-You can require that users enter a business justification when they activate the eligible assignment.

-You can require that users enter a support ticket when they activate the eligible assignment. This is information only field and correlation with information in any ticketing system isn't enforced.

-You can require approval for activation of eligible assignment. Approver doesnΓÇÖt have to be group member or owner. When using this option, you have to select at least one approver (we recommend selecting at least two approvers), there are no default approvers.

-You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

-You can choose one of these **eligible** assignment duration options:

-| | Description |

-| **Allow permanent eligible assignment** | Resource administrators can assign permanent eligible assignment. |

-| **Expire eligible assignment after** | Resource administrators can require that all eligible assignments have a specified start and end date. |

-And, you can choose one of these **active** assignment duration options:

-| | Description |

-| **Allow permanent active assignment** | Resource administrators can assign permanent active assignment. |

-| **Expire active assignment after** | Resource administrators can require that all active assignments have a specified start and end date. |

-> [!NOTE]

-> All assignments that have a specified end date can be renewed by resource administrators. Also, users can initiate self-service requests to [extend or renew role assignments](pim-resource-roles-renew-extend.md).

-### Require multi-factor authentication on active assignment

-You can require that administrator or group owner provides multi-factor authentication when they create an active (as opposed to eligible) assignment. Privileged Identity Management can't enforce multi-factor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.

-Administrator or group owner may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.

-In the **Notifications** tab on the role settings page, Privileged Identity Management enables granular control over who receives notifications and which notifications they receive.

-## Manage role settings using Microsoft Graph

-To manage role settings for groups using PIM APIs in Microsoft Graph, use the [unifiedRoleManagementPolicy resource type and its related methods](/graph/api/resources/unifiedrolemanagementpolicy).

-In Microsoft Graph, role settings are referred to as rules and they're assigned to groups through container policies. You can retrieve all policies that are scoped to a group and for each policy, retrieve the associated collection of rules by using an `$expand` query parameter. The syntax for the request is as follows:

-For more information about managing role settings through PIM APIs in Microsoft Graph, see [Role settings and PIM](/graph/api/resources/privilegedidentitymanagement-for-groups-api-overview#policy-settings-in-pim-for-groups). For examples of updating rules, see [Update rules in PIM using Microsoft Graph](/graph/how-to-pim-update-rules).

-In Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, role settings define role assignment properties: MFA and approval requirements for activation, assignment maximum duration, notification settings, and more. Use the following steps to configure role settings and set up the approval workflow to specify who can approve or deny requests to elevate privilege.

-You need to have Global Administrator or Privileged Role Administrator role to manage PIM role settings for Azure AD Role. Role settings are defined per role: all assignments for the same role follow the same role settings. Role settings of one role are independent from role settings of another role.

-PIM role settings are also known as ΓÇ£PIM PoliciesΓÇ¥.

-Follow these steps to open the settings for an Azure AD role.

-1. [Sign in to the Azure portal](https://portal.azure.com/)

-1. Select **Azure AD Privileged Identity Management -> Azure AD Roles -> Roles**. On this page you can see list of Azure AD roles available in the tenant, including built-in and custom roles.

- :::image type="content" source="media/pim-how-to-change-default-settings/role-settings.png" alt-text="Screenshot of the list of Azure AD roles available in the tenant, including built-in and custom roles." lightbox="media/pim-how-to-change-default-settings/role-settings.png":::

-1. Select **Role settings**. On the Role settings page you can view current PIM role settings for the selected role.

- :::image type="content" source="media/pim-how-to-change-default-settings/role-settings-edit.png" alt-text="Screenshot of the role settings page with options to update assignment and activation settings." lightbox="media/pim-how-to-change-default-settings/role-settings-edit.png":::

-1. Select Edit to update role settings.

-1. Once finished, select Update.

-## Role settings

-### On activation, require multi-factor authentication

-You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. Multi-factor authentication helps safeguard access to data and applications, providing another layer of security by using a second form of authentication.

-> [!NOTE]

-> User may not be prompted for multi-factor authentication if they authenticated with strong credentials, or provided multi-factor authentication earlier in this session. If your goal is to ensure that users have to provide authentication during activation, you can use [On activation, require Azure AD Conditional Access authentication context](pim-how-to-change-default-settings.md#on-activation-require-azure-ad-conditional-access-authentication-context) together with [Authentication Strengths](../authentication/concept-authentication-strengths.md) to require users to authenticate during activation using methods different from the one they used to sign-in to the machine. For example, if users sign-in to the machine using Windows Hello for Business, you can use ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥ and Authentication Strengths to require users to do Passwordless sign-in with Microsoft Authenticator when they activate the role. After the user provides Passwordless sign-in with Microsoft Authenticator once in this example, they'll be able to do their next activation in this session without additional authentication because Passwordless sign-in with Microsoft Authenticator will already be part of their token.

->

-> It's recommended to enable Azure AD Multi-Factor Authentication for all users. For more information, see [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).

-### On activation, require Azure AD Conditional Access authentication context

-You can require users who are eligible for a role to satisfy Conditional Access policy requirements: use specific authentication method enforced through Authentication Strengths, elevate the role from Intune compliant device, comply with Terms of Use, and more.

-To enforce this requirement, you need to:

-1. Create Conditional Access authentication context.

-1. Configure Conditional Access policy that would enforce requirements for this authentication context.

- > [!NOTE]

- > The scope of the Conditional Access policy should include all or eligible users for a role. Do not create a Conditional Access policy scoped to authentication context and directory role at the same time because during activation the user does not have a role yet, and the Conditional Access policy would not apply. See the note at the end of this section about a situation when you may need two Conditional Access policies, one scoped to the authentication context, and another scoped to the role.

-1. Configure authentication context in PIM settings for the role.

-> [!NOTE]

-> If PIM settings have **ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥** configured, the Conditional Access policies define conditions a user needs to meet to satisfy the access requirements. This means that security principals with permissions to manage Conditional Access policies such as Conditional Access Administrators or Security Administrators may change requirements, remove them, or block eligible users from activating the role. Security principals that can manage the Conditional Access policies should be considered highly privileged and protected accordingly.

-> [!NOTE]

-> We recommend creating and enabling a Conditional Access policy for the authentication context before authentication context is configured in PIM settings. As a backup protection mechanism, if there are no Conditional Access policies in the tenant that target authentication context configured in PIM settings, during PIM role activation, Azure AD Multi-Factor Authentication is required as the [On activation, require multi-factor authentication](pim-how-to-change-default-settings.md#on-activation-require-multi-factor-authentication) setting would be set. This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy is created, due to a configuration mistake. This backup protection mechanism won't be triggered if the Conditional Access policy is turned off, in report-only mode, or has eligible user excluded from the policy.

-> [!NOTE]

-> **ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥** setting defines authentication context, requirements for which the user will need to satisfy when they activate the role. After the role is activated, this does not prevent users from using another browsing session, device, location, etc. to use permissions. For example, users may use an Intune compliant device to activate the role, then after the role is activated sign-in to the same user account from another device that is not Intune compliant, and use the previously activated role from there.

-> To protect from this situation, create two Conditional Access policies:

->1. The first Conditional Access policy targeted to authentication context. It should have ΓÇ£*All users*ΓÇ¥ or eligible users in its scope. This policy will specify requirements the user needs to meet to activate the role.

->1. The second Conditional Access policy targeted to directory roles. This policy will specify requirements users need to meet to sign-in with directory role activated.

->

->Both policies can enforce the same, or different, requirements depending on your needs.

->

->Another option is to scope Conditional Access policies enforcing certain requirements to eligible users directly. For example you can require users eligible for certain roles to always use Intune compliant devices.

-To learn more about Conditional Access authentication context, see [Conditional Access: Cloud apps, actions, and authentication context](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context).

-You can require users to enter a support ticket number when they activate the eligible assignment. This is information-only field and correlation with information in any ticketing system is not enforced.

-You can require approval for activation of eligible assignment. Approver doesnΓÇÖt have to have any roles. When using this option, you have to select at least one approver (we recommend to select at least two approvers), there are no default approvers.

-You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

-You can choose one of these **eligible** assignment duration options:

-| Allow permanent eligible assignment | Resource administrators can assign permanent eligible assignment. |

-And, you can choose one of these **active** assignment duration options:

-| Allow permanent active assignment | Resource administrators can assign permanent active assignment. |

-> [!NOTE]

-> All assignments that have a specified end date can be renewed by Global admins and Privileged role admins. Also, users can initiate self-service requests to [extend or renew role assignments](pim-resource-roles-renew-extend.md).

-### Require multi-factor authentication on active assignment

-You can require that administrator provides multi-factor authentication when they create an active (as opposed to eligible) assignment. Privileged Identity Management can't enforce multi-factor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.

-Administrator may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.

-In the **Notifications** tab on the role settings page, Privileged Identity Management enables granular control over who receives notifications and which notifications they receive.

-You can turn off specific emails by clearing the default recipient check box and deleting any other recipients.

-You can turn off emails sent to default recipients by clearing the default recipient check box. You can then add other email addresses as recipients. If you want to add more than one email address, separate them using a semicolon (;).

-You can send emails to both default recipient and another recipient by selecting the default recipient checkbox and adding email addresses for other recipients.

-For each type of email, you can select the check box to receive critical emails only. What this means is that Privileged Identity Management will continue to send emails to the specified recipients only when the email requires an immediate action. For example, emails asking users to extend their role assignment will not be triggered while emails requiring admins to approve an extension request will be triggered.

-## Manage role settings using Microsoft Graph

-To manage settings for Azure AD roles using PIM APIs in Microsoft Graph, use the [unifiedRoleManagementPolicy resource type and related methods](/graph/api/resources/unifiedrolemanagementpolicy).

-In Microsoft Graph, role settings are referred to as rules and they're assigned to Azure AD roles through container policies. Each Azure AD role is assigned a specific policy object. You can retrieve all policies that are scoped to Azure AD roles and for each policy, retrieve the associated collection of rules by using an `$expand` query parameter. The syntax for the request is as follows:

-For more information about managing role settings through PIM APIs in Microsoft Graph, see [Role settings and PIM](/graph/api/resources/privilegedidentitymanagementv3-overview#role-settings-and-pim). For examples of updating rules, see [Update rules in PIM using Microsoft Graph](/graph/how-to-pim-update-rules).

-In Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, role settings define role assignment properties: MFA and approval requirements for activation, assignment maximum duration, notification settings, and more. Use the following steps to configure role settings and set up the approval workflow to specify who can approve or deny requests to elevate privilege.

-You need to have Owner or User Access Administrator role to manage PIM role settings for the resource. Role settings are defined per role and per resource: all assignments for the same role follow the same role settings. Role settings of one role are independent from role settings of another role. Role settings of one resource are independent from role settings of another resource, and role settings configured on a higher level, such as "Subscription" for example, aren't inherited on a lower level, such as "Resource Group" for example.

-PIM role settings are also known as ΓÇ£PIM PoliciesΓÇ¥.

-Follow these steps to open the settings for an Azure resource role.

-1. [Sign in to the Azure portal](https://portal.azure.com/)

-1. Select **Azure AD Privileged Identity Management -> Azure Resources**. On this page you can see list of Azure resources discovered in PIM. Use Resource type filter to select all required resource types.

- :::image type="content" source="media/pim-resource-roles-configure-role-settings/resources-list.png" alt-text="Screenshot of the list of Azure resources discovered in PIM." lightbox="media/pim-resource-roles-configure-role-settings/resources-list.png":::

-1. Select the resource that you need to configure PIM role settings for.

-1. Select **Settings**. View list of PIM policies for a selected resource.

- :::image type="content" source="media/pim-resource-roles-configure-role-settings/resources-role-settings.png" alt-text="Screenshot of the list of PIM policies for a selected resource." lightbox="media/pim-resource-roles-configure-role-settings/resources-role-settings.png":::

-1. Select Edit to update role settings.

-1. Once finished, select Update.

-## Role settings

-Use the **Activation maximum duration** slider to set the maximum time, in hours, that an activation request for a role assignment remains active before it expires. This value can be from one to 24 hours.

-### On activation, require multi-factor authentication

-You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. Multi-factor authentication helps safeguard access to data and applications, providing another layer of security by using a second form of authentication.

-> [!NOTE]

-> User may not be prompted for multi-factor authentication if they authenticated with strong credentials, or provided multi-factor authentication earlier in this session. If your goal is to ensure that users have to provide authentication during activation, you can use [On activation, require Azure AD Conditional Access authentication context](pim-how-to-change-default-settings.md#on-activation-require-azure-ad-conditional-access-authentication-context) together with [Authentication Strengths](../authentication/concept-authentication-strengths.md) to require users to authenticate during activation using methods different from the one they used to sign-in to the machine. For example, if users sign-in to the machine using Windows Hello for Business, you can use ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥ and Authentication Strengths to require users to do Passwordless sign-in with Microsoft Authenticator when they activate the role. After the user provides Passwordless sign-in with Microsoft Authenticator once in this example, they'll be able to do their next activation in this session without additional authentication because Passwordless sign-in with Microsoft Authenticator will already be part of their token.

->

-> It's recommended to enable Azure AD Multi-Factor Authentication for all users. For more information, see [Plan an Azure Active Directory Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).

-### On activation, require Azure AD Conditional Access authentication context

-You can require users who are eligible for a role to satisfy Conditional Access policy requirements: use specific authentication method enforced through Authentication Strengths, elevate the role from Intune compliant device, comply with Terms of Use, and more.

-To enforce this requirement, you need to:

-1. Create Conditional Access authentication context.

-1. Configure Conditional Access policy that would enforce requirements for this authentication context.

-1. Configure authentication context in PIM settings for the role.

-> [!NOTE]

-> If PIM settings have **ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥** configured, the Conditional Access policies define conditions a user needs to meet to satisfy the access requirements. This means that security principals with permissions to manage Conditional Access policies such as Conditional Access Administrators or Security Administrators may change requirements, remove them, or block eligible users from activating the role. Security principals that can manage the Conditional Access policies should be considered highly privileged and protected accordingly.

-> [!NOTE]

-> We recommend creating and enabling a Conditional Access policy for the authentication context before the authentication context is configured in PIM settings. As a backup protection mechanism, if there are no Conditional Access policies in the tenant that target authentication context configured in PIM settings, during PIM role activation, Azure AD Multi-Factor Authentication is required as the [On activation, require multi-factor authentication](pim-resource-roles-configure-role-settings.md#on-activation-require-multi-factor-authentication) setting would be set. This backup protection mechanism is designed to solely protect from a scenario when PIM settings were updated before the Conditional Access policy is created, due to a configuration mistake. This backup protection mechanism won't be triggered if the Conditional Access policy is turned off, in report-only mode, or has eligible user excluded from the policy.

-> [!NOTE]

-> **ΓÇ£On activation, require Azure AD Conditional Access authentication contextΓÇ¥** setting defines authentication context, requirements for which users will need to satisfy when they activate the role. After the role is activated, this does not prevent user from using another browsing session, device, location, etc. to use permissions. For example, users may use an Intune compliant device to activate the role, then after the role is activated sign-in to the same user account from another device that is not Intune compliant, and use the previously activated role from there. To protect from this situation, you may scope Conditional Access policies enforcing certain requirements to eligible users directly. For example you can require users eligible for certain roles to always use Intune compliant devices.

-To learn more about Conditional Access authentication context, see [Conditional Access: Cloud apps, actions, and authentication context](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context).

-You can require users to enter a support ticket number when they activate the eligible assignment. This is information-only field and correlation with information in any ticketing system is not enforced.

-You can require approval for activation of eligible assignment. Approver doesnΓÇÖt have to have any roles. When using this option, you have to select at least one approver (we recommend to select at least two approvers), there are no default approvers.

-You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

-You can choose one of these **eligible** assignment duration options:

-| Allow permanent eligible assignment | Resource administrators can assign permanent eligible assignment. |

-And, you can choose one of these **active** assignment duration options:

-| Allow permanent active assignment | Resource administrators can assign permanent active assignment. |

-> [!NOTE]

-> All assignments that have a specified end date can be renewed by Global admins and Privileged role admins. Also, users can initiate self-service requests to [extend or renew role assignments](pim-resource-roles-renew-extend.md).

-### Require multi-factor authentication on active assignment

-You can require that administrator provides multi-factor authentication when they create an active (as opposed to eligible) assignment. Privileged Identity Management can't enforce multi-factor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.

-Administrator may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.

-In the **Notifications** tab on the role settings page, Privileged Identity Management enables granular control over who receives notifications and which notifications they receive.

-You can turn off specific emails by clearing the default recipient check box and deleting any other recipients.

-You can turn off emails sent to default recipients by clearing the default recipient check box. You can then add other email addresses as recipients. If you want to add more than one email address, separate them using a semicolon (;).

-You can send emails to both default recipient and another recipient by selecting the default recipient checkbox and adding email addresses for other recipients.

-For each type of email, you can select the check box to receive critical emails only. What this means is that Privileged Identity Management will continue to send emails to the specified recipients only when the email requires an immediate action. For example, emails asking users to extend their role assignment will not be triggered while emails requiring admins to approve an extension request will be triggered.

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true).

- `https://<YOUR-GITHUB-AE-HOSTNAME>`

- `https://<YOUR-GITHUB-AE-HOSTNAME>/saml/consume`

- `https://<YOUR-GITHUB-AE-HOSTNAME>/sso`

-1. Click on **Select groups** and search for the **Group** you want to include this claim, where its members should be administrators for GHAE.

-* Click on **Test this application** in Azure portal. This will redirect to GitHub Enterprise Server Sign on URL where you can initiate the login flow.

-You can also use Microsoft My Apps to test the application in any mode. When you click the GitHub Enterprise Server tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the GitHub Enterprise Server for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

- i. In **SAML user email attribute** text box, enter the value `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`.

-* Once you configure SonarQube, you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-> [!IMPORTANT]

-> For ease of search and readability the OS settings are displayed in this document by their name but should be added to the configuration json file or AKS API using [camelCase capitalization convention](/dotnet/standard/design-guidelines/capitalization-conventions).

-| | SLB | Managed NATGateway | BYO NATGateway | userDefinedNATGateway |

-|-|--|--|-|--|

-| SLB | N/A | Supported | Not Supported | Not Supported |

-| Managed NATGateway | Supported | N/A | Not Supported | Not Supported |

-| BYO NATGateway | Supported | Not Supported | N/A | Not Supported |

-| User Defined NATGateway | Supported | Not Supported | Supported | N/A |

-| | SLB | Managed NATGateway | BYO NATGateway | userDefinedNATGateway |

-|-||--|-|--|

-| SLB | N/A | Supported | Supported | Supported |

-| Managed NATGateway | Supported | N/A | Not Supported | Not Supported |

-| BYO NATGateway | Supported | Not Supported | N/A | Supported |

-| User Defined NATGateway | Not Supported | Not Supported | Not Supported | N/A |

- ```azurecli

- # Install aks-preview extension

- az extension add --name aks-preview

- # Update aks-preview extension

- az extension update --name aks-preview

- ```

- ```azurecli-interactive

- az feature register --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"

- ```

- ```azurecli-interactive

- az feature show --namespace "Microsoft.ContainerService" --name "AKS-OutBoundTypeMigrationPreview"

- ```

- ```azurecli-interactive

- az provider register --namespace Microsoft.ContainerService

- ```

- ```azurecli-interactive

- az aks update -g <resourceGroup> -n <clusterName> --outbound-type <loadBalancer|managedNATGateway|userAssignedNATGateway>

- ```

-You need the Azure CLI version 2.32.0 or later installed and configured. Run `az --version` to find the version. For more information about installing or upgrading the Azure CLI, see [Install Azure CLI][install-azure-cli].

-FIPS-enabled node pools have the following limitations:

-* FIPS-enabled node pools require Kubernetes version 1.19 and greater.

-* To update the underlying packages or modules used for FIPS, you must use [Node Image Upgrade][node-image-upgrade].

-* Container images on the FIPS nodes haven't been assessed for FIPS compliance.

->

-> FIPS-enabled node images may have different version numbers, such as kernel version, than images that are not FIPS-enabled. Also, the update cycle for FIPS-enabled node pools and node images may differ from node pools and images that are not FIPS-enabled.

-To create a FIPS-enabled Linux node pool, use the [az aks nodepool add][az-aks-nodepool-add] command with the `--enable-fips-image` parameter when creating a node pool.

-```azurecli-interactive

-az aks nodepool add \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name fipsnp \

- --enable-fips-image

-```

-> [!NOTE]

-> You can also use the `--enable-fips-image` parameter with [az aks create][az-aks-create] when creating a cluster to enable FIPS on the default node pool. When adding node pools to a cluster created in this way, you still must use the `--enable-fips-image` parameter when adding node pools to create a FIPS-enabled node pool.

-To verify your node pool is FIPS-enabled, use [az aks show][az-aks-show] to check the *enableFIPS* value in *agentPoolProfiles*.

-```azurecli-interactive

-az aks show \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" \

- -o table

-```

-The following example output shows the *fipsnp* node pool is FIPS-enabled and *nodepool1* isn't.

-```output

-Name enableFips

-

-fipsnp True

-nodepool1 False

-```

-You can also verify deployments have access to the FIPS cryptographic libraries using `kubectl debug` on a node in the FIPS-enabled node pool. Use `kubectl get nodes` to list the nodes:

-```output

-$ kubectl get nodes

-NAME STATUS ROLES AGE VERSION

-aks-fipsnp-12345678-vmss000000 Ready agent 6m4s v1.19.9

-aks-fipsnp-12345678-vmss000001 Ready agent 5m21s v1.19.9

-aks-fipsnp-12345678-vmss000002 Ready agent 6m8s v1.19.9

-aks-nodepool1-12345678-vmss000000 Ready agent 34m v1.19.9

-```

-In the above example, the nodes starting with `aks-fipsnp` are part of the FIPS-enabled node pool. Use `kubectl debug` to run a deployment with an interactive session on one of those nodes in the FIPS-enabled node pool.

-```azurecli-interactive

-kubectl debug node/aks-fipsnp-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0

-```

-From the interactive session, you can verify the FIPS cryptographic libraries are enabled:

-```output

-root@aks-fipsnp-12345678-vmss000000:/# cat /proc/sys/crypto/fips_enabled

-1

-```

-FIPS-enabled node pools also have a *kubernetes.azure.com/fips_enabled=true* label, which can be used by deployments to target those node pools.

-## Create a FIPS-enabled Windows node pool

-To create a FIPS-enabled Windows node pool, use the [az aks nodepool add][az-aks-nodepool-add] command with the `--enable-fips-image` parameter when creating a node pool. Unlike Linux-based node pools, Windows node pools share the same image set.

-```azurecli-interactive

-az aks nodepool add \

- --resource-group myResourceGroup \

- --cluster-name myAKSCluster \

- --name fipsnp \

- --enable-fips-image \

- --os-type Windows

-```

-To verify your node pool is FIPS-enabled, use [az aks show][az-aks-show] to check the *enableFIPS* value in *agentPoolProfiles*.

-```azurecli-interactive

-az aks show \

- --resource-group myResourceGroup \

- --name myAKSCluster \

- --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" \

- -o table

-```

-To verify Windows node pools have access to the FIPS cryptographic libraries, [create an RDP connection to a Windows node][aks-rdp] in a FIPS-enabled node pool and check the registry.

-1. From the **Run** application, enter `regedit`.

-1. Look for `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy` in the registry.

-1. If `Enabled` is set to 1, then FIPS is enabled.

-FIPS-enabled node pools also have a *kubernetes.azure.com/fips_enabled=true* label, which can be used by deployments to target those node pools.

-[node-image-upgrade]: node-image-upgrade.md

-To run an AKS cluster that supports node pools for Windows Server containers, your cluster needs to use a network policy that uses [Azure CNI][azure-cni-about] (advanced) network plugin. For more detailed information to help plan out the required subnet ranges and network considerations, see [configure Azure CNI networking][use-advanced-networking]. Use the [az aks create][az-aks-create] command to create an AKS cluster named *myAKSCluster*. This command will create the necessary network resources if they don't exist.

-[azure-cni-about]: ../concepts-network.md#azure-cni-advanced-networking

-[use-advanced-networking]: ../configure-azure-cni.md

-1. Use the following example to create a yaml file named **`ama-cilium-configmap.yaml`**. Copy the code in the example into the file created.

- - job_name: "cilium-pods"

- - role: pod

- - source_labels: [__meta_kubernetes_pod_container_name]

- regex: cilium(.*)

- - source_labels:

- [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]

- - source_labels: [__meta_kubernetes_pod_node_name]

- - source_labels: [__meta_kubernetes_pod_label_k8s_app]

- action: keep

- regex: cilium

- - source_labels: [__meta_kubernetes_pod_name]

- - source_labels: [__name__]

- kubectl create configmap ama-metrics-prometheus-config-node \

- --from-file=./ama-cilium-configmap.yaml \

- --name kube-system

- k port-forward $(k get po -l dsName=ama-metrics-node -oname | head -n 1) 9090:9090

-To create an interactive shell connection to a Linux node, use the `kubectl debug` command to run a privileged container on your node. To list your nodes, use the `kubectl get nodes` command:

-```bash

-kubectl get nodes -o wide

-```

-The following example resembles output from the command:

-```output

-NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME

-aks-nodepool1-12345678-vmss000000 Ready agent 13m v1.19.9 10.240.0.4 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure

-aks-nodepool1-12345678-vmss000001 Ready agent 13m v1.19.9 10.240.0.35 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure

-aksnpwin000000 Ready agent 87s v1.19.9 10.240.0.67 <none> Windows Server 2019 Datacenter 10.0.17763.1935 docker://19.3.1

-```

-Use the `kubectl debug` command to run a container image on the node to connect to it. The following command starts a privileged container on your node and connects to it.

-```bash

-kubectl debug node/aks-nodepool1-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0

-```

-The following example resembles output from the command:

-```output

-Creating debugging pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx with container debugger on node aks-nodepool1-12345678-vmss000000.

-If you don't see a command prompt, try pressing enter.

-root@aks-nodepool1-12345678-vmss000000:/#

-```

-This privileged container gives access to the node.

-> [!NOTE]

-> You can interact with the node session by running `chroot /host` from the privileged container.

-When done, `exit` the interactive shell session. After the interactive container session closes, delete the pod used for access with `kubectl delete pod`.

-kubectl delete pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx

-Open a new terminal window and use the `kubectl get pods` command to get the name of the pod started by `kubectl debug`.

-```bash

-kubectl get pods

-```

-The following example resembles output from the command:

-```output

-NAME READY STATUS RESTARTS AGE

-node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx 1/1 Running 0 21s

-```

-In the above example, *node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx* is the name of the pod started by `kubectl debug`.

-Use the `kubectl port-forward` command to open a connection to the deployed pod:

-```bash

-kubectl port-forward node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx 2022:22

-```

-The following example resembles output from the command:

-```output

-Forwarding from 127.0.0.1:2022 -> 22

-Forwarding from [::1]:2022 -> 22

-```

-The above example begins forwarding network traffic from port 2022 on your development computer to port 22 on the deployed pod. When using `kubectl port-forward` to open a connection and forward network traffic, the connection remains open until you stop the `kubectl port-forward` command.

-Open a new terminal and run the command `kubectl get nodes` to show the internal IP address of the Windows Server node:

-```bash

-kubectl get nodes -o wide

-```

-The following example resembles output from the command:

-```output

-NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME

-aks-nodepool1-12345678-vmss000000 Ready agent 13m v1.19.9 10.240.0.4 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure

-aks-nodepool1-12345678-vmss000001 Ready agent 13m v1.19.9 10.240.0.35 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure

-aksnpwin000000 Ready agent 87s v1.19.9 10.240.0.67 <none> Windows Server 2019 Datacenter 10.0.17763.1935 docker://19.3.1

-```

-In the above example, *10.240.0.67* is the internal IP address of the Windows Server node.

-Create an SSH connection to the Windows Server node using the internal IP address, and connect to port 22 through port 2022 on your development computer. The default username for AKS nodes is *azureuser*. Accept the prompt to continue with the connection. You're then provided with the bash prompt of your Windows Server node:

-```bash

-ssh -o 'ProxyCommand ssh -p 2022 -W %h:%p azureuser@127.0.0.1' azureuser@10.240.0.67

-```

-The following example resembles output from the command:

-```output

-The authenticity of host '10.240.0.67 (10.240.0.67)' can't be established.

-ECDSA key fingerprint is SHA256:1234567890abcdefghijklmnopqrstuvwxyzABCDEFG.

-Are you sure you want to continue connecting (yes/no)? yes

-[...]

-Microsoft Windows [Version 10.0.17763.1935]

-(c) 2018 Microsoft Corporation. All rights reserved.

-azureuser@aksnpwin000000 C:\Users\azureuser>

-```

-> [!NOTE]

-> If you prefer to use password authentication, include the parameter `-o PreferredAuthentications=password`. For example:

->

-> ```console

-> ssh -o 'ProxyCommand ssh -p 2022 -W %h:%p azureuser@127.0.0.1' -o PreferredAuthentications=password azureuser@10.240.0.67

-> ```

-If you didn't create your AKS cluster using the Azure CLI and the `--generate-ssh-keys` parameter, you'll use a password instead of an SSH key to create the SSH connection. To do this with Azure CLI, use the following steps:

-7. Open a third terminal to get the `INTERNAL-IP` of the affected node to initiate the SSH connection. You can get this with `kubectl get nodes -o wide`. Once you have it, use the following command to connect.

-kubectl delete pod node-debugger-aks-nodepool1-12345678-vmss000000-bkmmx

-## Update SSH key on an existing AKS cluster (preview)

-* Before you start, ensure the Azure CLI is installed and configured. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-* The aks-preview extension version 0.5.111 or later. To learn how to install an Azure extension, see [How to install extensions][how-to-install-azure-extensions].

-Use the [az aks update][az-aks-update] command to update the SSH key on the cluster. This operation updates the key on all node pools. You can either specify the key or a key file using the `--ssh-key-value` argument.

-Examples:

-In the following example, you can specify the new SSH key value for the `--ssh-key-value` argument.

-```azurecli

-az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value 'ssh-rsa AAAAB3Nza-xxx'

-```

-In the following example, you specify a SSH key file.

-```azurecli

-az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-key-value .ssh/id_rsa.pub

-```

-> During this operation, all virtual machine scale set instances are upgraded and re-imaged to use the new SSH key.

-

-[Node Problem Detector (NPD)](https://github.com/kubernetes/node-problem-detector) is a Kubernetes add-on that detects node-related problems and reports on them. It runs as a systemd serviced on each node in the cluster and collects various metrics and system information, such as CPU usage, disk usage, and network connectivity. When it detects a problem, it generates an Events and/or Node Conditions. NPD is used in AKS (Azure Kubernetes Service) to monitor and manage nodes in a Kubernetes cluster running on the Azure cloud platform. NPD is enabled by default as part of the AKS Linux Extension.

-## Node Conditions

-| Azure Monitor logs and metrics | No | Yes | Yes | Yes | Yes |

-| [Metrics in Azure Monitor](api-management-howto-use-azure-monitor.md#view-metrics-of-your-apis) | ✔️ | ❌ | ✔️ |

-| [Request logs in Azure Monitor](api-management-howto-use-azure-monitor.md#resource-logs) | Γ£ö∩╕Å | Γ¥î | Γ¥î¹ |

-Resource logs provide rich information about operations and errors that are important for auditing and troubleshooting purposes. Resource logs differ from activity logs. The activity log provides insights into the operations run on your Azure resources. Resource logs provide insight into operations that your resource ran.

-| Number of payload bytes to log | integer | Specifies the number of initial bytes of the body that are logged for requests and responses. Default: 0 |

-More information about this threat: [API1:2019 Broken Object Level Authorization](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-object-level-authorization.md)

-More information about this threat: [API2:2019 Broken User Authentication](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa2-broken-user-authentication.md)

-More information about this threat: [API3:2019 Excessive Data Exposure](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa3-excessive-data-exposure.md)

-More information about this threat: [API4:2019 Lack of resources and rate limiting](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md)

-More information about this threat: [API5:2019 Broken function level authorization](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa5-broken-function-level-authorization.md)

-More information about this threat: [API6:2019 Mass assignment](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)

-More information about this threat: [API7:2019 Security misconfiguration](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa7-security-misconfiguration.md)

-More information about this threat: [API8:2019 Injection](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa8-injection.md)

-More information about this threat: [API9:2019 Improper assets management](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa9-improper-assets-management.md)

-More information about this threat: [API10:2019 Insufficient logging and monitoring](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xaa-insufficient-logging-monitoring.md)

- ΓÇ» ΓÇ» ΓÇ» ΓÇ» {% JSONArray For person in body.results %}

-The following example resolves a GraphQL mutation using a T-SQL INSERT statement to insert a row an Azure SQL database. The connection to the database uses the API Management instance's system-assigned managed identity. The identity must be [configured](#configure-managed-identity-integration-with-azure-sql) to access the Azure SQL

-ΓÇ» <request>

-* Apps that you configure with private endpoints are only accessible through private endpoint from clients in subnets that are configured with the `Microsoft.Web` service endpoint.

-Install-Package Microsoft.Identity.Web.MicrosoftGraph

-In the *Startup.cs* file, the ```AddMicrosoftIdentityWebApp``` method adds Microsoft.Identity.Web to your web app. The ```AddMicrosoftGraph``` method adds Microsoft Graph support.

- services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)

- .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))

- .EnableTokenAcquisitionToCallDownstreamApi()

- .AddMicrosoftGraph(Configuration.GetSection("Graph"))

- .AddInMemoryTokenCaches();

- services.AddRazorPages();

- "Domain": "fourthcoffeetest.onmicrosoft.com",

- "TenantId": "[tenant-id]",

- "ClientId": "[client-id]",

- // To call an API

- "ClientSecret": "[secret-from-portal]", // Not required by this scenario

- "Graph": {

- "BaseUrl": "https://graph.microsoft.com/v1.0",

- "Scopes": "user.read"

-[AuthorizeForScopes(Scopes = new[] { "user.read" })]

- var user = await _graphServiceClient.Me.Request().GetAsync();

- using (var photoStream = await _graphServiceClient.Me.Photo.Content.Request().GetAsync())

-This article helps you troubleshoot intermittent connection errors and related performance issues in [Azure App Service](./overview.md). This topic will provide more information on, and troubleshooting methodologies for, exhaustion of source network address translation (SNAT) ports. If you require more help at any point in this article, contact the Azure experts at the [MSDN Azure and the Stack Overflow forums](https://azure.microsoft.com/support/forums/). Alternatively, file an Azure support incident. Go to the [Azure Support site](https://azure.microsoft.com/support/options/) and select **Get Support**.

-* Could not connect to external endpoints (like SQLDB, Service Fabric, other App services etc.)

-* TCP Connections: There is a limit on the number of outbound connections that can be made. The limit on outbound connections is associated with the size of the worker used.

-* SNAT ports: [Outbound connections in Azure](../load-balancer/load-balancer-outbound-connections.md) describes SNAT port restrictions and how they affect outbound connections. Azure uses source network address translation (SNAT) and Load Balancers (not exposed to customers) to communicate with public IP addresses. Each instance on Azure App service is initially given a pre-allocated number of **128** SNAT ports. The SNAT port limit affects opening connections to the same address and port combination. If your app creates connections to a mix of address and port combinations, you will not use up your SNAT ports. The SNAT ports are used up when you have repeated calls to the same address and port combination. Once a port has been released, the port is available for reuse as needed. The Azure Network load balancer reclaims SNAT port from closed connections only after waiting for 4 minutes.

-When applications or functions rapidly open a new connection, they can quickly exhaust their pre-allocated quota of the 128 ports. They are then blocked until a new SNAT port becomes available, either through dynamically allocating additional SNAT ports, or through reuse of a reclaimed SNAT port. If your app runs out of SNAT ports, it will have intermittent outbound connectivity issues.

-Avoiding the SNAT port problem means avoiding the creation of new connections repetitively to the same host and port. Connection pools are one of the more obvious ways to solve that problem.

-If your destination is an Azure service that supports service endpoints, you can avoid SNAT port exhaustion issues by using [regional VNet Integration](./overview-vnet-integration.md) and service endpoints or private endpoints. When you use regional VNet Integration and place service endpoints on the integration subnet, your app outbound traffic to those services will not have outbound SNAT port restrictions. Likewise, if you use regional VNet Integration and private endpoints, you will not have any outbound SNAT port issues to that destination.

-* For implementing pooling with entity framework applications, review [DbContext pooling](/ef/core/what-is-new/ef-core-2.0#dbcontext-pooling).

-Here is a collection of links for implementing Connection pooling by different solution stack.

-By default, connections for NodeJS are not kept alive. Below are the popular databases and packages for connection pooling which contain examples for how to implement them.

-Although PHP does not support connection pooling, you can try using persistent database connections to your back-end server.

-* For additional pointers and examples on managing connections in Azure functions, review [Manage connections in Azure Functions](../azure-functions/manage-connections.md).

-* For additional guidance and examples, review [Retry pattern](/azure/architecture/patterns/retry).

-### Additional guidance specific to App Service:

-* Consider moving to [App Service Environment (ASE)](./environment/using-an-ase.md), where you are allotted a single outbound IP address, and the limits for connections and SNAT ports are much higher. In an ASE, the number of SNAT ports per instance is based on the [Azure load balancer preallocation table](../load-balancer/load-balancer-outbound-connections.md#snatporttable) - so for example an ASE with 1-50 worker instances has 1024 preallocated ports per instance, while an ASE with 51-100 worker instances has 512 preallocated ports per instance.

-Knowing the two types of outbound connection limits, and what your app does, should make it easier to troubleshoot. If you know that your app makes many calls to the same storage account, you might suspect a SNAT limit. If your app creates a great many calls to endpoints all over the internet, you would suspect you are reaching the VM limit.

-If you do not know the application behavior enough to determine the cause quickly, there are some tools and techniques available in App Service to help with that determination.

-If you do need it, you can still open a support ticket and the support engineer will get the metric from back-end for you.

-Since SNAT port usage is not available as a metric, it is not possible to either autoscale based on SNAT port usage, or to configure auto scale based on SNAT ports allocation metric.

-TCP connections and SNAT ports are not directly related. A TCP connections usage detector is included in the Diagnose and Solve Problems blade of any App Service site. Search for the phrase "TCP connections" to find it.

-* Existing TCP sessions will fail when new outbound TCP sessions are added from Azure App Service source port. You can either use a single IP or reconfigure backend pool members to avoid conflicts.

-If SNAT ports are exhausted, where WebJobs are unable to connect to SQL Database, there is no metric to show how many connections are opened by each individual web application process. To find the problematic WebJob, move several WebJobs out to another App Service plan to see if the situation improves, or if an issue remains in one of the plans. Repeat the process until you find the problematic WebJob.

- "dataCollectionRuleName": {

- "type": "string",

- "metadata": {

- "description": "Specifies the name of the data collection rule to create."

- "defaultValue": "Microsoft-CT-DCR"

- },

- "workspaceResourceId": {

- "type": "string",

- "metadata": {

- "description": "Specifies the Azure resource ID of the Log Analytics workspace to use to store change tracking data."

- }

- {

- "type": "microsoft.resources/deployments",

- "name": "get-workspace-region",

- "apiVersion": "2020-08-01",

- "properties": {

- "mode": "Incremental",

- "template": {

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "resources": [],

- "outputs": {

- "workspaceLocation": {

- "type": "string",

- "value": "[reference(parameters('workspaceResourceId'), '2020-08-01', 'Full').location]"

- }

- }

- }

- },

- {

- "type": "microsoft.resources/deployments",

- "name": "CtDcr-Deployment",

- "apiVersion": "2020-08-01",

- "properties": {

- "mode": "Incremental",

- "parameters": {

- "workspaceRegion": {

- "value": "[reference('get-workspace-region').outputs.workspaceLocation.value]"

- },

- "template": {

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "workspaceRegion": {

- "type": "string"

- }

- },

- "resources": [

- {

- "type": "Microsoft.Insights/dataCollectionRules",

- "apiVersion": "2021-04-01",

- "name": "[parameters('dataCollectionRuleName')]",

- "location": "[[parameters('workspaceRegion')]",

- "properties": {

- "description": "Data collection rule for CT.",

- "dataSources": {

- "extensions": [

- {

- "streams": [

- "Microsoft-ConfigurationChange"

- ],

- "extensionName": "ChangeTracking-Windows",

- "extensionSettings": {

- "enableFiles": true,

- "enableSoftware": true,

- "enableRegistry": true,

- "enableServices": false,

- "enableInventory": true,

- "registrySettings": {

- "registryCollectionFrequency": 3000,

- "registryInfo": [

- {

- "name": "Registry_1",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup",

- "valueName": ""

- },

- {

- "name": "Registry_2",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown",

- "valueName": ""

- },

- {

- "name": "Registry_3",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",

- "valueName": ""

- },

- {

- "name": "Registry_4",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components",

- "valueName": ""

- },

- {

- "name": "Registry_5",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\ShellEx\\ContextMenuHandlers",

- "valueName": ""

- },

- {

- "name": "Registry_6",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers",

- "valueName": ""

- },

- {

- "name": "Registry_7",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Classes\\Directory\\Shellex\\CopyHookHandlers",

- "valueName": ""

- },

- {

- "name": "Registry_8",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",

- "valueName": ""

- },

- {

- "name": "Registry_9",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers",

- "valueName": ""

- },

- {

- "name": "Registry_10",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",

- "valueName": ""

- },

- {

- "name": "Registry_11",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects",

- "valueName": ""

- },

- {

- "name": "Registry_12",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions",

- "valueName": ""

- },

- {

- "name": "Registry_13",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Internet Explorer\\Extensions",

- "valueName": ""

- },

- {

- "name": "Registry_14",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",

- "valueName": ""

- },

- {

- "name": "Registry_15",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32",

- "valueName": ""

- },

- {

- "name": "Registry_16",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\KnownDlls",

- "valueName": ""

- },

- {

- "name": "Registry_17",

- "groupTag": "Recommended",

- "enabled": false,

- "recurse": true,

- "description": "",

- "keyName": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify",

- "valueName": ""

- }

- ]

- },

- "fileSettings": {

- "fileCollectionFrequency": 2700

- },

- "softwareSettings": {

- "softwareCollectionFrequency": 1800

- },

- "inventorySettings": {

- "inventoryCollectionFrequency": 36000

- },

- "servicesSettings": {

- "serviceCollectionFrequency": 1800

- }

- },

- "name": "CTDataSource-Windows"

- },

- {

- "streams": [

- "Microsoft-ConfigurationChange"

- ],

- "extensionName": "ChangeTracking-Linux",

- "extensionSettings": {

- "enableFiles": true,

- "enableSoftware": true,

- "enableRegistry": false,

- "enableServices": false,

- "enableInventory": true,

- "fileSettings": {

- "fileCollectionFrequency": 900,

- "fileInfo": [

- {

- "name": "ChangeTrackingLinuxPath_default",

- "enabled": true,

- "destinationPath": "/etc/*.conf",

- "useSudo": true,

- "recurse": true,

- "maxContentsReturnable": 5000000,

- "pathType": "File",

- "type": "File",

- "links": "Follow",

- "maxOutputSize": 500000,

- "groupTag": "Recommended"

- }

- ]

- },

- "softwareSettings": {

- "softwareCollectionFrequency": 300

- },

- "inventorySettings": {

- "inventoryCollectionFrequency": 36000

- },

- "servicesSettings": {

- "serviceCollectionFrequency": 1800

- }

- "name": "CTDataSource-Linux"

- }

- },

- "destinations": {

- "logAnalytics": [

- {

- "workspaceResourceId": "[parameters('workspaceResourceId')]",

- "name": "Microsoft-CT-Dest"

- }

- ]

- },

- "dataFlows": [

- {

- "streams": [

- "Microsoft-ConfigurationChange"

- ],

- "destinations": [

- "Microsoft-CT-Dest"

- ]

- }

- ]

- }

- ]

- }

- }

-To deploy applications using GitOps with Flux v2, you need the following:

-* An Azure Arc-enabled Kubernetes connected cluster that's up and running. Starting with [`microsoft.flux` version 1.7.0](extensions-release.md#170-march-2023), ARM64-based clusters are supported.

- Registration is an asynchronous process and should finish within ten minutes. To monitor the registration process, use the following command:

-* An Azure Arc-enabled Kubernetes connected cluster that's up and running. Starting with [`microsoft.flux` version 1.7.0](extensions-release.md#170-march-2023), ARM64-based clusters are supported.

-Use the `k8s-configuration` Azure CLI extension (or the Azure portal) to enable GitOps in an AKS or Arc-enabled Kubernetes cluster. For a demonstration, use the public [gitops-flux2-kustomize-helm-mt](https://github.com/Azure/gitops-flux2-kustomize-helm-mt) repository.

-The following example applies a Flux configuration to a cluster, using the following values and settings:

-* The scope of the configuration is `cluster`. This gives the operators permissions to make changes throughout cluster. To use `namespace` scope with this tutorial, [see the changes needed](conceptual-gitops-flux2.md#multi-tenancy).

-* Set `prune=true` on both kustomizations. This setting ensures that the objects that Flux deployed to the cluster will be cleaned up if they're removed from the repository or if the Flux configuration or kustomizations are deleted.

-When working with AKS clusters, one of the authentication options to use is kubelet identity. By default, AKS creates its own kubelet identity in the managed resource group. If you prefer, you can use a [pre-created kubelet managed identity](../../aks/use-managed-identity.md#use-a-pre-created-kubelet-managed-identity). To do so, add the parameter `--config useKubeletIdentity=true` at the time of Flux extension installation.

-For more information on OpenShift guidance for onboarding Flux, refer to the [Flux documentation](https://fluxcd.io/docs/use-cases/openshift/#openshift-setup).

-Follow these steps to apply a sample Flux configuration to a cluster. As part of this process, Azure will install the `microsoft.flux` extension on the cluster, if it hasn't already been installed due to a previous deployment.

-1. In the **Kustomizations** section, you will create two kustomizations: `infrastructure` and `staging`. These are Flux resources, each associated with a path in the repository, representing the set of manifests that Flux should reconcile to the cluster.

-For usage details, see the following:

-For usage details, see the following:

-By using this annotation, the HelmRelease that is deployed will be patched with the reference to the configured source. Currently, only `GitRepository` source is supported.

-The command below deletes both the `fluxConfigurations` resource in Azure and the Flux configuration objects in the cluster. Because the Flux configuration was originally created with the `prune=true` parameter for the kustomization, all of the objects created in the cluster based on manifests in the Git repository will be removed when the Flux configuration is removed. However, this command does not remove the Flux extension itself.

-When you delete a Flux configuration, all of the Flux configuration objects in the cluster will also be deleted. However, this action does not delete the `microsoft.flux` extension itself.

-The IP address prefix (subnet) where Arc resource bridge will be deployed requires a minimum prefix of /29. The IP address prefix must have enough available IP addresses for the gateway IP, control plane IP, appliance VM IP, and reserved appliance VM IP.

-Consult your system or network administrator to obtain the IP address prefix in CIDR notation. An IP Subnet CIDR calculator may be used to obtain this value.

-The appliance VM hosts a management Kubernetes cluster. The kubeconfig is a low-privilege Kubernetes configuration file that is used to maintain the appliance VM. By default, it's generated in the current CLI directory when the `deploy` command completes. The kubeconfig should be saved in a secure location to the management machine, because it's required for maintaining the appliance VM.

-[Azure portal]: https://portal.azure.com

-> [Getting started with Azure Functions](./functions-get-started.md)

-Each function app has a single inbound IP address. To find that IP address:

-# [Azure Portal](#tab/portal)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Navigate to the function app.

-3. Under **Settings**, select **Properties**. The inbound IP address appears under **Virtual IP address**.

-# [Azure CLI](#tab/azurecli)

-Use the `nslookup` utility from your local client computer:

-# [Azure PowerShell](#tab/azure-powershell)

-Use the `nslookup` utility from your local client computer:

-```powershell

-nslookup <APP_NAME>.azurewebsites.net

-```

-|[UDRI - SSG](https://udayton.edu/udri/_resources/docs/ssg_v8.pdf)|

-> [Azure Linux Container Host tutorial](./tutorial-azure-linux-create-cluster.md)

-1. Create an authentication pipeline. The pipeline must be created before you can initialize a service URL client endpoint. Use your own Azure Maps account key or Azure Active Directory (Azure AD) credentials to authenticate an Azure Maps Search service client. In this example, the Search service URL client will be created.

- For more information, see [Authentication with Azure Maps](azure-maps-authentication.md).

-The Azure Maps Web SDK supports the Azure Government cloud. All JavaScript and CSS URLs used to access the Azure Maps Web SDK remain the same, however the following tasks will need to be done to connect to the Azure Government cloud version of the Azure Maps platform.

-When using the services module, the domain for the services needs to be set when creating an instance of an API URL endpoint. For example, the following code creates an instance of the `SearchURL` class and points the domain to the Azure Government cloud.

-Click the points on the map in the CodePen. There is a point on the map for each of the following popup templates: String template, PropertyInfo template, and Multiple content template. There are also three points to show how templates render using the defaulting settings.

-Similar to reusing popup, you can reuse popup templates. This approach is useful when you only want to show one popup template at a time, for multiple points. By reusing the popup template, the number of DOM elements created by the application is reduced, which then improves your application performance. The following sample uses the same popup template for three points. If you click on any of them, a popup will be displayed with the content for that point feature.

-|[Prometheus alerts (preview)](alerts-types.md#prometheus-alerts-preview)|Prometheus alerts are used for alerting on the performance and health of Kubernetes clusters, including Azure Kubernetes Service (AKS). The alert rules are based on PromQL, which is an open-source query language.|

-## Prometheus alerts (preview)

-Prometheus alerts are based on metric values stored in [Azure Monitor managed services for Prometheus](../essentials/prometheus-metrics-overview.md). They fire when the result of a PromQL query resolves to true. Prometheus alerts are displayed and managed like other alert types when they fire, but they're configured with a Prometheus rule group. For more information, see [Rule groups in Azure Monitor managed service for Prometheus](../essentials/prometheus-rule-groups.md).

-**ASP.NET apps**

-In the web app initializer, such as Global.asax.cs:

-**ASP.NET Core apps**

-> [!NOTE]

-> Adding an initializer by using `ApplicationInsights.config` or `TelemetryConfiguration.Active` isn't valid for ASP.NET Core applications.

-For [ASP.NET Core](asp-net-core.md#add-telemetryinitializers) applications, adding a new telemetry initializer is done by adding it to the Dependency Injection container, as shown here. This step is done in the `ConfigureServices` method of your `Startup.cs` class.

-```csharp

-using Microsoft.ApplicationInsights.Extensibility;

-public void ConfigureServices(IServiceCollection services)

-{

- services.AddSingleton<ITelemetryInitializer, MyTelemetryInitializer>();

-}

-```

-| [Prometheus rules](#prometheus-alert-rules) | Alert rules that use metrics stored in [Azure Monitor managed service for Prometheus (preview)](../essentials/prometheus-metrics-overview.md). There are two sets of Prometheus alert rules that you can choose to enable.<br><br>- *Community alerts* are handpicked alert rules from the Prometheus community. Use this set of alert rules if you don't have any other alert rules enabled.<br>- *Recommended alerts* are the equivalent of the custom metric alert rules. Use this set if you're migrating from custom metrics to Prometheus metrics and want to retain identical functionality.

-[Prometheus alert rules](../alerts/alerts-types.md#prometheus-alerts-preview) use metric data from your Kubernetes cluster sent to [Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md).

-description: How to authenticate requests and use the Azure Monitor REST API to retrieve available metric definitions and metric values.

-## Retrieve a token

-### Retrieve the resource ID

-Using the REST API requires the resource ID of the target Azure resource.

-Resource IDs follow the following pattern:

-`/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/<provider>/<resource name>/`

-For example

-* **Azure IoT Hub**: /subscriptions/\<subscription-id>/resourceGroups/\<resource-group-name>/providers/Microsoft.Devices/IotHubs/\<iot-hub-name>

-* **Elastic SQL pool**: /subscriptions/\<subscription-id>/resourceGroups/\<resource-group-name>/providers/Microsoft.Sql/servers/\<pool-db>/elasticpools/\<sql-pool-name>

-* **Azure SQL Database (v12)**: /subscriptions/\<subscription-id>/resourceGroups/\<resource-group-name>/providers/Microsoft.Sql/servers/\<server-name>/databases/\<database-name>

-* **Azure Service Bus**: /subscriptions/\<subscription-id>/resourceGroups/\<resource-group-name>/providers/Microsoft.ServiceBus/\<namespace>/\<servicebus-name>

-* **Azure Virtual Machine Scale Sets**: /subscriptions/\<subscription-id>/resourceGroups/\<resource-group-name>/providers/Microsoft.Compute/virtualMachineScaleSets/\<vm-name>

-* **Azure Virtual Machines**: /subscriptions/\<subscription-id>/resourceGroups/\<resource-group-name>/providers/Microsoft.Compute/virtualMachines/\<vm-name>

-* **Azure Event Hubs**: /subscriptions/\<subscription-id>/resourceGroups/\<resource-group-name>/providers/Microsoft.EventHub/namespaces/\<eventhub-namespace>

-Use the Azure portal, PowerShell or the Azure CLI to find the resource ID.

-### [Azure portal](#tab/portal)

-To find the resourceID in the portal, from the resource's overview page, select **JSON view**

-The Resource JSON page is displayed. The resource ID can be copied using the icon on the right of the ID

-### [PowerShell](#tab/powershell)

-The resource ID can be retrieved by using Azure PowerShell cmdlets too. For example, to obtain the resource ID for an Azure logic app, execute the `Get-AzureLogicApp` cmdlet, as in the following example:

-```powershell

-Get-AzLogicApp -ResourceGroupName azmon-rest-api-walkthrough -Name contosotweets

-The result should be similar to the following example:

-```output

-Id : /subscriptions/12345678-abcd-98765432-abcdef012345/resourceGroups/azmon-rest-api-walkthrough/providers/Microsoft.Logic/workflows/ContosoTweets

-Name : ContosoTweets

-Type : Microsoft.Logic/workflows

-Location : centralus

-ChangedTime : 8/21/2017 6:58:57 PM

-CreatedTime : 8/18/2017 7:54:21 PM

-AccessEndpoint : https://prod-08.centralus.logic.azure.com:443/workflows/f3a91b352fcc47e6bff989b85446c5db

-State : Enabled

-Definition : {$schema, contentVersion, parameters, triggers...}

-Parameters : {[$connections, Microsoft.Azure.Management.Logic.Models.WorkflowParameter]}

-SkuName :

-AppServicePlan :

-PlanType :

-PlanId :

-Version : 08586982649483762729

-### [Azure CLI](#tab/cli)

-To retrieve the resource ID for an Azure Storage account by using the Azure CLI, execute the `az storage account show` command, as shown in the following example:

-```azurecli

-az storage account show -g azmon-rest-api-walkthrough -n azmonstorage001

-The result should be similar to the following example:

-```json

- "accessTier": null,

- "creationTime": "2023-08-18T19:58:41.840552+00:00",

- "customDomain": null,

- "enableHttpsTrafficOnly": false,

- "encryption": null,

- "id": "/subscriptions/12345678-abcd-98765432-abcdef012345/resourceGroups/azmon-rest-api-walkthrough/providers/Microsoft.Storage/storageAccounts/azmonstorage001",

- "identity": null,

- "kind": "Storage",

- "lastGeoFailoverTime": null,

- "location": "centralus",

- "name": "azmonstorage001",

- "networkAcls": null,

- "primaryEndpoints": {

- "blob": "https://azmonstorage001.blob.core.windows.net/",

- "file": "https://azmonstorage001.file.core.windows.net/",

- "queue": "https://azmonstorage001.queue.core.windows.net/",

- "table": "https://azmonstorage001.table.core.windows.net/"

- },

- "primaryLocation": "centralus",

- "provisioningState": "Succeeded",

- "resourceGroup": "azmon-rest-api-walkthrough",

- "secondaryEndpoints": null,

- "secondaryLocation": "eastus2",

- "sku": {

- "name": "Standard_GRS",

- "tier": "Standard"

- },

- "statusOfPrimary": "available",

- "statusOfSecondary": "available",

- "tags": {},

- "type": "Microsoft.Storage/storageAccounts"

-> [!NOTE]

-> Azure logic apps aren't yet available via the Azure CLI. For this reason, an Azure Storage account is shown in the preceding example.

->

-If one of these statuses is returned, resend the request.

- These tables currently support Basic logs:

-

- | Service | Table |

- |:|:|

- | Active Directory | [AADDomainServicesDNSAuditsGeneral](/azure/azure-monitor/reference/tables/AADDomainServicesDNSAuditsGeneral)<br> [AADDomainServicesDNSAuditsDynamicUpdates](/azure/azure-monitor/reference/tables/AADDomainServicesDNSAuditsDynamicUpdates) |

- | API Management | [ApiManagementGatewayLogs](/azure/azure-monitor/reference/tables/ApiManagementGatewayLogs)<br>[ApiManagementWebSocketConnectionLogs](/azure/azure-monitor/reference/tables/ApiManagementWebSocketConnectionLogs) |

- | Application Insights | [AppTraces](/azure/azure-monitor/reference/tables/apptraces) |

- | Chaos Experiments | [ChaosStudioExperimentEventLogs](/azure/azure-monitor/reference/tables/ChaosStudioExperimentEventLogs) |

- | Cloud HSM | [CHSMManagementAuditLogs](/azure/azure-monitor/reference/tables/CHSMManagementAuditLogs) |

- | Container Apps | [ContainerAppConsoleLogs](/azure/azure-monitor/reference/tables/containerappconsoleLogs) |

- | Container Insights | [ContainerLogV2](/azure/azure-monitor/reference/tables/containerlogv2) |

- | Container Apps Environments | [AppEnvSpringAppConsoleLogs](/azure/azure-monitor/reference/tables/AppEnvSpringAppConsoleLogs) |

- | Communication Services | [ACSCallAutomationIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallAutomationIncomingOperations)<br>[ACSCallAutomationMediaSummary](/azure/azure-monitor/reference/tables/ACSCallAutomationMediaSummary)<br>[ACSCallRecordingIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallRecordingIncomingOperations)<br>[ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/ACSCallRecordingSummary)<br>[ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) |

- | Confidential Ledgers | [CCFApplicationLogs](/azure/azure-monitor/reference/tables/CCFApplicationLogs) |

- | Custom log tables | All custom tables created with or migrated to the [data collection rule (DCR)-based logs ingestion API.](logs-ingestion-api-overview.md) |

- | Data Manager for Energy | [OEPDataplaneLogs](/azure/azure-monitor/reference/tables/OEPDataplaneLogs) |

- | Dedicated SQL Pool | [SynapseSqlPoolSqlRequests](/azure/azure-monitor/reference/tables/synapsesqlpoolsqlrequests)<br>[SynapseSqlPoolRequestSteps](/azure/azure-monitor/reference/tables/synapsesqlpoolrequeststeps)<br>[SynapseSqlPoolExecRequests](/azure/azure-monitor/reference/tables/synapsesqlpoolexecrequests)<br>[SynapseSqlPoolDmsWorkers](/azure/azure-monitor/reference/tables/synapsesqlpooldmsworkers)<br>[SynapseSqlPoolWaits](/azure/azure-monitor/reference/tables/synapsesqlpoolwaits) |

- | Dev Center | [DevCenterDiagnosticLogs](/azure/azure-monitor/reference/tables/DevCenterDiagnosticLogs) |

- | Data Transfer | [DataTransferOperations](/azure/azure-monitor/reference/tables/DataTransferOperations) |

- | Event Hubs | [AZMSArchiveLogs](/azure/azure-monitor/reference/tables/AZMSArchiveLogs)<br>[AZMSAutoscaleLogs](/azure/azure-monitor/reference/tables/AZMSAutoscaleLogs)<br>[AZMSCustomerManagedKeyUserLogs](/azure/azure-monitor/reference/tables/AZMSCustomerManagedKeyUserLogs)<br>[AZMSKafkaCoordinatorLogs](/azure/azure-monitor/reference/tables/AZMSKafkaCoordinatorLogs)<br>[AZMSKafkaUserErrorLogs](/azure/azure-monitor/reference/tables/AZMSKafkaUserErrorLogs) |

- | Firewalls | [AZFWFlowTrace](/azure/azure-monitor/reference/tables/AZFWFlowTrace) |

- | Health Care APIs | [AHDSMedTechDiagnosticLogs](/azure/azure-monitor/reference/tables/AHDSMedTechDiagnosticLogs)<br>[AHDSDicomDiagnosticLogs](/azure/azure-monitor/reference/tables/AHDSDicomDiagnosticLogs)<br>[AHDSDicomAuditLogs](/azure/azure-monitor/reference/tables/AHDSDicomAuditLogs) |

- | Key Vault | [AZKVAuditLogs](/azure/azure-monitor/reference/tables/AZKVAuditLogs)<br>[AZKVPolicyEvaluationDetailsLogs](/azure/azure-monitor/reference/tables/AZKVPolicyEvaluationDetailsLogs) |

- | Kubernetes services | [AKSAudit](/azure/azure-monitor/reference/tables/AKSAudit)<br>[AKSAuditAdmin](/azure/azure-monitor/reference/tables/AKSAuditAdmin)<br>[AKSControlPlane](/azure/azure-monitor/reference/tables/AKSControlPlane) |

- | Media Services | [AMSLiveEventOperations](/azure/azure-monitor/reference/tables/AMSLiveEventOperations)<br>[AMSKeyDeliveryRequests](/azure/azure-monitor/reference/tables/AMSKeyDeliveryRequests)<br>[AMSMediaAccountHealth](/azure/azure-monitor/reference/tables/AMSMediaAccountHealth)<br>[AMSStreamingEndpointRequests](/azure/azure-monitor/reference/tables/AMSStreamingEndpointRequests) |

- | Redis Cache Enterprise | [REDConnectionEvents](/azure/azure-monitor/reference/tables/REDConnectionEvents) |

- | Relays | [AZMSHybridConnectionsEvents](/azure/azure-monitor/reference/tables/AZMSHybridConnectionsEvents) |

- | Service Bus | [AZMSApplicationMetricLogs](/azure/azure-monitor/reference/tables/AZMSApplicationMetricLogs)<br>[AZMSOperationalLogs](/azure/azure-monitor/reference/tables/AZMSOperationalLogs)<br>[AZMSRunTimeAuditLogs](/azure/azure-monitor/reference/tables/AZMSRunTimeAuditLogs)<br>[AZMSVNetConnectionEvents](/azure/azure-monitor/reference/tables/AZMSVNetConnectionEvents) |

- | Sphere | [ASCAuditLogs](/azure/azure-monitor/reference/tables/ASCAuditLogs)<br>[ASCDeviceEvents](/azure/azure-monitor/reference/tables/ASCDeviceEvents) |

- | Storage | [StorageBlobLogs](/azure/azure-monitor/reference/tables/StorageBlobLogs)<br>[StorageFileLogs](/azure/azure-monitor/reference/tables/StorageFileLogs)<br>[StorageQueueLogs](/azure/azure-monitor/reference/tables/StorageQueueLogs)<br>[StorageTableLogs](/azure/azure-monitor/reference/tables/StorageTableLogs) |

- | Synapse | [SynapseSqlPoolExecRequests](/azure/azure-monitor/reference/tables/SynapseSqlPoolExecRequests)<br>[SynapseSqlPoolRequestSteps](/azure/azure-monitor/reference/tables/SynapseSqlPoolRequestSteps)<br>[SynapseSqlPoolDmsWorkers](/azure/azure-monitor/reference/tables/SynapseSqlPoolDmsWorkers)<br>[SynapseSqlPoolWaits](/azure/azure-monitor/reference/tables/SynapseSqlPoolWaits) |

- | Storage Mover | [StorageMoverJobRunLogs](/azure/azure-monitor/reference/tables/StorageMoverJobRunLogs)<br>[StorageMoverCopyLogsFailed](/azure/azure-monitor/reference/tables/StorageMoverCopyLogsFailed)<br>[StorageMoverCopyLogsTransferred](/azure/azure-monitor/reference/tables/StorageMoverCopyLogsTransferred)<br> |

- | Virtual Network Manager | [AVNMNetworkGroupMembershipChange](/azure/azure-monitor/reference/tables/AVNMNetworkGroupMembershipChange) |

-

-> [!NOTE]

-> Tables created with the [Data Collector API](data-collector-api.md) don't support Basic logs.

-By default, two data types, `Usage` and `AzureActivity`, keep data for at least 90 days at no charge. When you increase the workspace retention to more than 90 days, you also increase the retention of these data types. You'll be charged for retaining this data beyond the 90-day period. These tables are also free from data ingestion charges.

-* Availability zone volume placement enhancement - [Populate existing volumes](manage-availability-zone-volume-placement.md#populate-an-existing-volume-with-availability-zone-information) (preview)

-To publish your application, you need to first import your publish settings by using the [Import-AzurePublishSettingsFile](/powershell/module/servicemanagement/azure.service/import-azurepublishsettingsfile) cmdlet. Then you can publish your application by using the [Publish-AzureServiceProject](/powershell/module/servicemanagement/azure.service/publish-azureserviceproject) cmdlet. For information about signing in, see [How to install and configure Azure PowerShell](/powershell/azure/).

-[sqlncli.msi x64 installer]: https://go.microsoft.com/fwlink/?LinkID=239648

-> Background removal is only available in the following Azure regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

-Visual features 'Captions' and 'DenseCaptions' are only supported in the following Azure regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

-> These APIs are only available in the following geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

-* Once you have your Azure subscription, <a href="https://portal.azure.com/#create/Microsoft.CognitiveServicesComputerVision" title="Create a Computer Vision resource" target="_blank">create a Computer Vision resource </a> in the Azure portal to get your key and endpoint. Be sure to create it in one of the permitted geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

-|Language | Language code | Categories | Tags | Description | Adult | Brands | Color | Faces | ImageType | Objects | Celebrities | Landmarks |

-|:|::|:-:|::|::|::|::|::|::|::|::|::|::|

-|Arabic |`ar`| | ✅| |||||| |||

-|Azeri (Azerbaijani) |`az`| | ✅| |||||| |||

-|Bulgarian |`bg`| | ✅| |||||| |||

-|Bosnian Latin |`bs`| | ✅| |||||| |||

-|Catalan |`ca`| | ✅| |||||| |||

-|Czech |`cs`| | ✅| |||||| |||

-|Welsh |`cy`| | ✅| |||||| |||

-|Danish |`da`| | ✅| |||||| |||

-|German |`de`| | ✅| |||||| |||

-|Greek |`el`| | ✅| |||||| |||

-|English |`en`|✅ | ✅| ✅|✅|✅|✅|✅|✅|✅|✅|✅|

-|Spanish |`es`|✅ | ✅| ✅|||||| |✅|✅|

-|Estonian |`et`| | ✅| |||||| |||

-|Basque |`eu`| | ✅| |||||| |||

-|Finnish |`fi`| | ✅| |||||| |||

-|French |`fr`| | ✅| |||||| |||

-|Irish |`ga`| | ✅| |||||| |||

-|Galician |`gl`| | ✅| |||||| |||

-|Hebrew |`he`| | ✅| |||||| |||

-|Hindi |`hi`| | ✅| |||||| |||

-|Croatian |`hr`| | ✅| |||||| |||

-|Hungarian |`hu`| | ✅| |||||| |||

-|Indonesian |`id`| | ✅| |||||| |||

-|Italian |`it`| | ✅| |||||| |||

-|Japanese |`ja`|✅ | ✅| ✅|||||| |✅|✅|

-|Kazakh |`kk`| | ✅| |||||| |||

-|Korean |`ko`| | ✅| |||||| |||

-|Lithuanian |`lt`| | ✅| |||||| |||

-|Latvian |`lv`| | ✅| |||||| |||

-|Macedonian |`mk`| | ✅| |||||| |||

-|Malay Malaysia |`ms`| | ✅| |||||| |||

-|Norwegian (Bokmal) |`nb`| | ✅| |||||| |||

-|Dutch |`nl`| | ✅| |||||| |||

-|Polish |`pl`| | ✅| |||||| |||

-|Dari |`prs`| | ✅| |||||| |||

-| Portuguese-Brazil|`pt-BR`| | ✅| |||||| |||

-| Portuguese-Portugal |`pt`|✅ | ✅| ✅|||||| |✅|✅|

-| Portuguese-Portugal |`pt-PT`| | ✅| |||||| |||

-|Romanian |`ro`| | ✅| |||||| |||

-|Russian |`ru`| | ✅| |||||| |||

-|Slovak |`sk`| | ✅| |||||| |||

-|Slovenian |`sl`| | ✅| |||||| |||

-|Serbian - Cyrillic RS |`sr-Cryl`| | ✅| |||||| |||

-|Serbian - Latin RS |`sr-Latn`| | ✅| |||||| |||

-|Swedish |`sv`| | ✅| |||||| |||

-|Thai |`th`| | ✅| |||||| |||

-|Turkish |`tr`| | ✅| |||||| |||

-|Ukrainian |`uk`| | ✅| |||||| |||

-|Vietnamese |`vi`| | ✅| |||||| |||

-|Chinese Simplified |`zh`|✅ | ✅| ✅|||||| |✅|✅|

-|Chinese Simplified |`zh-Hans`| | ✅| |||||| |||

-|Chinese Traditional |`zh-Hant`| | ✅| |||||| |||

-|**Generate image captions** | Generate a caption of an image in human-readable language, using complete sentences. Computer Vision's algorithms generate captions based on the objects identified in the image. <br/><br/>The version 4.0 image captioning model is a more advanced implementation and works with a wider range of input images. It is only available in the following geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia. <br/><br/>Version 4.0 also lets you use dense captioning, which generates detailed captions for individual objects that are found in the image. The API returns the bounding box coordinates (in pixels) of each object found in the image, plus a caption. You can use this functionality to generate descriptions of separate parts of an image.<br/><br/>:::image type="content" source="Images/description.png" alt-text="Photo of cows with a simple description on the right.":::| [Generate image captions (v3.2)](concept-describing-images.md)<br/>[(v4.0 preview)](concept-describe-images-40.md)|

-|**Get the area of interest / smart crop** |Analyze the contents of an image to return the coordinates of the *area of interest* that matches a specified aspect ratio. Computer Vision returns the bounding box coordinates of the region, so the calling application can modify the original image as desired. <br/><br/>The version 4.0 smart cropping model is a more advanced implementation and works with a wider range of input images. It is only available in the following geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia. | [Generate a thumbnail (v3.2)](concept-generating-thumbnails.md)<br/>[(v4.0 preview)](concept-generate-thumbnails-40.md)|

-These APIs are only available in the following geographic regions: East US, France Central, Korea Central, North Europe, Southeast Asia, West Europe, West US, East Asia.

-|Arabic|`ar`|No|No|

-3. Select **Review + Create** at the bottom of the page. Review the information, and select **Create**.

-4. See the following documentation for steps on downloading and configuring the container for disconnected usage:

- * [Computer Vision - Read](../computer-vision/computer-vision-how-to-install-containers.md#run-the-container-disconnected-from-the-internet)

- * [Language Understanding (LUIS)](../LUIS/luis-container-howto.md#run-the-container-disconnected-from-the-internet)

- * [Text Translation (Standard)](../translator/containers/translator-disconnected-containers.md)

- * [Form recognizer](../../applied-ai-services/form-recognizer/containers/form-recognizer-disconnected-containers.md)

- **Speech service**

- * [Speech to text](../speech-service/speech-container-stt.md?tabs=disconnected#run-the-container-with-docker-run)

- * [Custom Speech to text](../speech-service/speech-container-cstt.md?tabs=disconnected#run-the-container-with-docker-run)

- * [Neural Text to speech](../speech-service/speech-container-ntts.md?tabs=disconnected#run-the-container-with-docker-run)

- **Language service**

- * [Sentiment Analysis](../language-service/sentiment-opinion-mining/how-to/use-containers.md#run-the-container-disconnected-from-the-internet)

- * [Key Phrase Extraction](../language-service/key-phrase-extraction/how-to/use-containers.md#run-the-container-disconnected-from-the-internet)

- * [Language Detection](../language-service/language-detection/how-to/use-containers.md#run-the-container-disconnected-from-the-internet)

-| [DALL-E](#dall-e-models) | A series of models that can generate original images from natural language. |

-### DALL-E models

-* For more examples, check out the [Azure OpenAI Samples GitHub repository](https://aka.ms/AOAICodeSamples)

-| Virtual network support & private link support | Yes |

-Azure Communication Services currently provides metrics for all ACS primitives. [Azure Metrics Explorer](../../../../azure-monitor\essentials\metrics-getting-started.md) can be used to plot your own charts, investigate abnormalities in your metric values, and understand your API traffic by using the metrics data that call automation requests emit.

-# SMS metrics overview

-Azure Communication Services currently provides metrics for all ACS primitives. [Azure Metrics Explorer](../../../azure-monitor\essentials\metrics-getting-started.md) can be used to plot your own charts, investigate abnormalities in your metric values, and understand your API traffic by using the metrics data that Chat and SMS requests emit.

-[Troubleshoot direct routing connectivity](./troubleshoot-tls-certificate-sip-options.md)

-[Troubleshoot outbound calling](./troubleshoot-outbound-calls.md)

-1. Navigate to your Azure Communications Gateway resource and select **Properties**. Find the field named **Domain name**. This name is your deployment's domain name.

- "revisionName": "<APP_NAME>--c6f1515",

- "revisionName": "<APP_NAME>--fb699ef",

- }

-The following regions support workload profiles during preview:

-> [Manage workload profiles with the CLI](workload-profiles-manage-cli.md)

- Use the following command to configure trust policy. Upon successful execution of the command, one trust policy named `wabbit-networks-images` is created. This trust policy applies to all the artifacts stored in repositories defined in `$REGISTRY/$REPO`. The trust identity that user trusts has the x509 subject `$CERT_SUBJECT` from previous step, and stored under trust store named `$STORE_NAME` of type `$STORE_TYPE`. See [Trust store and trust policy specification](https://notaryproject.dev/docs/concepts/trust-store-trust-policy-specification/) for details.

-* See the [Resource Manager template reference](/azure/templates/microsoft.containerregistry/registries) for Azure Container Registry.

-description: Learn about how the Absolute(ABS) SQL system function in Azure Cosmos DB returns the positive value of the specified numeric expression

-# ABS (Azure Cosmos DB)

- Returns the absolute (positive) value of the specified numeric expression.

-ABS (<numeric_expr>)

-

-*numeric_expr*

- Is a numeric expression.

- Returns a numeric expression.

- The following example shows the results of using the `ABS` function on three different numbers.

-SELECT ABS(-1) AS abs1, ABS(0) AS abs2, ABS(1) AS abs3

- Here is the result set.

-

-[{abs1: 1, abs2: 0, abs3: 1}]

-This system function will benefit from a [range index](../../index-policy.md#includeexclude-strategy).

-description: Learn about how the Array Contains SQL system function in Azure Cosmos DB returns a Boolean indicating whether the array contains the specified value

-# ARRAY_CONTAINS (Azure Cosmos DB)

-Returns a Boolean indicating whether the array contains the specified value. You can check for a partial or full match of an object by using a boolean expression within the command.

-ARRAY_CONTAINS (<arr_expr>, <expr> [, bool_expr])

-*arr_expr*

- Is the array expression to be searched.

-

-*expr*

- Is the expression to be found.

-*bool_expr*

- Is a boolean expression. If it evaluates to 'true' and if the specified search value is an object, the command checks for a partial match (the search object is a subset of one of the objects). If it evaluates to 'false', the command checks for a full match of all objects within the array. The default value if not specified is false.

- Returns a Boolean value.

- The following example how to check for membership in an array using `ARRAY_CONTAINS`.

-SELECT

- ARRAY_CONTAINS(["apples", "strawberries", "bananas"], "apples") AS b1,

- ARRAY_CONTAINS(["apples", "strawberries", "bananas"], "mangoes") AS b2

-```

-

- Here is the result set.

-

-```json

-[{"b1": true, "b2": false}]

-```

-The following example how to check for a partial match of a JSON in an array using ARRAY_CONTAINS.

-

-```sql

-SELECT

- ARRAY_CONTAINS([{"name": "apples", "fresh": true}, {"name": "strawberries", "fresh": true}], {"name": "apples"}, true) AS b1,

- ARRAY_CONTAINS([{"name": "apples", "fresh": true}, {"name": "strawberries", "fresh": true}], {"name": "apples"}) AS b2,

- ARRAY_CONTAINS([{"name": "apples", "fresh": true}, {"name": "strawberries", "fresh": true}], {"name": "mangoes"}, true) AS b3

-```

-

- Here is the result set.

-[{

- "b1": true,

- "b2": false,

- "b3": false

-}]

-This system function will benefit from a [range index](../../index-policy.md#includeexclude-strategy).

-description: Learn about how the array functions let you perform operations on arrays in Azure Cosmos DB

-# Array functions (Azure Cosmos DB)

-The array functions let you perform operations on arrays in Azure Cosmos DB.

-## Functions

-The following scalar functions perform an operation on an array input value and return numeric, boolean or array value:

-* [ARRAY_CONCAT](array-concat.md)

-* [ARRAY_CONTAINS](array-contains.md)

-* [ARRAY_LENGTH](array-length.md)

-* [ARRAY_SLICE](array-slice.md)

-

-

-## Next steps

-description: Learn about how the Array length SQL system function in Azure Cosmos DB returns the number of elements of the specified array expression

-# ARRAY_LENGTH (Azure Cosmos DB)

- Returns the number of elements of the specified array expression.

-ARRAY_LENGTH(<arr_expr>)

-

-

-*arr_expr*

- Is an array expression.

-

-

- Returns a numeric expression.

-

- The following example how to get the length of an array using `ARRAY_LENGTH`.

-

-SELECT ARRAY_LENGTH(["apples", "strawberries", "bananas"]) AS len

-```

-

- Here is the result set.

-

-[{"len": 3}]

-

-This system function will not utilize the index.

-description: Learn about how the Array slice SQL system function in Azure Cosmos DB returns part of an array expression

-# ARRAY_SLICE (Azure Cosmos DB)

- Returns part of an array expression.

-ARRAY_SLICE (<arr_expr>, <num_expr> [, <num_expr>])

-

-*arr_expr*

- Is any array expression.

-

-*num_expr*

- Zero-based numeric index at which to begin the array. Negative values may be used to specify the starting index relative to the last element of the array i.e. -1 references the last element in the array.

-*num_expr*

- Optional numeric expression that sets the maximum number of elements in the resulting array.

-

- Returns an array expression.

-

- The following example shows how to get different slices of an array using `ARRAY_SLICE`.

-SELECT

- ARRAY_SLICE(["apples", "strawberries", "bananas"], 1) AS s1,

- ARRAY_SLICE(["apples", "strawberries", "bananas"], 1, 1) AS s2,

- ARRAY_SLICE(["apples", "strawberries", "bananas"], -2, 1) AS s3,

- ARRAY_SLICE(["apples", "strawberries", "bananas"], -2, 2) AS s4,

- ARRAY_SLICE(["apples", "strawberries", "bananas"], 1, 0) AS s5,

- ARRAY_SLICE(["apples", "strawberries", "bananas"], 1, 1000) AS s6,

- ARRAY_SLICE(["apples", "strawberries", "bananas"], 1, -100) AS s7

-

-```

-

- Here is the result set.

-

-[{

- "s1": ["strawberries", "bananas"],

- "s2": ["strawberries"],

- "s3": ["strawberries"],

- "s4": ["strawberries", "bananas"],

- "s5": [],

- "s6": ["strawberries", "bananas"],

- "s7": []

-}]

-This system function will not utilize the index.

-description: Learn about how the CEILING SQL system function in Azure Cosmos DB returns the smallest integer value greater than, or equal to, the specified numeric expression.

-# CEILING (Azure Cosmos DB)

- Returns the smallest integer value greater than, or equal to, the specified numeric expression.

-CEILING (<numeric_expr>)

-```

-

-

-*numeric_expr*

- Is a numeric expression.

-

-

- Returns a numeric expression.

-

- The following example shows positive numeric, negative, and zero values with the `CEILING` function.

-

-SELECT CEILING(123.45) AS c1, CEILING(-123.45) AS c2, CEILING(0.0) AS c3

-```

-

- Here is the result set.

-

-[{c1: 124, c2: -123, c3: 0}]

-```

-This system function will benefit from a [range index](../../index-policy.md#includeexclude-strategy).

- Optional value for ignoring case. When set to true, CONTAINS will do a case-insensitive search. When unspecified, this value is false.

- The following example checks if "abc" contains "ab" and if "abc" contains "A".

- Here is the result set.

-Learn about [how this string system function uses the index](string-functions.md).

-description: Learn about how the Cosine (COS) SQL system function in Azure Cosmos DB returns the trigonometric cosine of the specified angle, in radians, in the specified expression

-# COS (Azure Cosmos DB)

- Returns the trigonometric cosine of the specified angle, in radians, in the specified expression.

-

-

-*numeric_expr*

- Is a numeric expression.

-

-

- Returns a numeric expression.

-

- The following example calculates the `COS` of the specified angle.

-SELECT COS(14.78) AS cos

-

- Here is the result set.

-

-[{"cos": -0.59946542619465426}]

-This system function will not utilize the index.

-description: Learn about how the Cotangent(COT) SQL system function in Azure Cosmos DB returns the trigonometric cotangent of the specified angle, in radians, in the specified numeric expression

-# COT (Azure Cosmos DB)

- Returns the trigonometric cotangent of the specified angle, in radians, in the specified numeric expression.

-

-*numeric_expr*

- Is a numeric expression.

- Returns a numeric expression.

- The following example calculates the `COT` of the specified angle.

-SELECT COT(124.1332) AS cot

- Here is the result set.

-

-[{"cot": -0.040311998371148884}]

-This system function will not utilize the index.

-description: Learn about date and time SQL system functions in Azure Cosmos DB to perform DateTime and timestamp operations.

-# Date and time functions (Azure Cosmos DB)

-The date and time functions let you perform DateTime and timestamp operations in Azure Cosmos DB.

-## Functions to obtain the date and time

-The following scalar functions allow you to get the current UTC date and time in three forms: a string which conforms to the ISO 8601 format,

-a numeric timestamp whose value is the number of milliseconds which have elapsed since the Unix epoch,

-or numeric ticks whose value is the number of 100 nanosecond ticks which have elapsed since the Unix epoch:

-* [GetCurrentDateTime](getcurrentdatetime.md)

-* [GetCurrentTimestamp](getcurrenttimestamp.md)

-* [GetCurrentTicks](getcurrentticks.md)

-## Functions to work with DateTime values

-The following functions allow you to easily manipulate DateTime, timestamp, and tick values:

-* [DateTimeAdd](datetimeadd.md)

-* [DateTimeBin](datetimebin.md)

-* [DateTimeDiff](datetimediff.md)

-* [DateTimeFromParts](datetimefromparts.md)

-* [DateTimePart](datetimepart.md)

-* [DateTimeToTicks](datetimetoticks.md)

-* [DateTimeToTimestamp](datetimetotimestamp.md)

-* [TicksToDateTime](tickstodatetime.md)

-* [TimestampToDateTime](timestamptodatetime.md)

-## Next steps

-description: Learn about the ENDSWITH SQL system function in Azure Cosmos DB to return a Boolean indicating whether the first string expression ends with the second

-# ENDSWITH (Azure Cosmos DB)

-Returns a Boolean indicating whether the first string expression ends with the second.

-ENDSWITH(<str_expr1>, <str_expr2> [, <bool_expr>])

-*str_expr1*

- Is a string expression.

-

-*str_expr2*

- Is a string expression to be compared to the end of *str_expr1*.

-*bool_expr*

- Optional value for ignoring case. When set to true, ENDSWITH will do a case-insensitive search. When unspecified, this value is false.

- Returns a Boolean expression.

-The following example checks if the string "abc" ends with "b" and "bC".

-SELECT ENDSWITH("abc", "b", false) AS e1, ENDSWITH("abc", "bC", false) AS e2, ENDSWITH("abc", "bC", true) AS e3

- Here is the result set.

-

- {

- "e1": false,

- "e2": false,

- "e3": true

- }

-Learn about [how this string system function uses the index](string-functions.md).

-description: Learn about the FLOOR SQL system function in Azure Cosmos DB to return the largest integer less than or equal to the specified numeric expression

-# FLOOR (Azure Cosmos DB)

- Returns the largest integer less than or equal to the specified numeric expression.

-FLOOR (<numeric_expr>)

-```

-

-

-*numeric_expr*

- Is a numeric expression.

-

-

- Returns a numeric expression.

-

- The following example shows positive numeric, negative, and zero values with the `FLOOR` function.

-

-SELECT FLOOR(123.45) AS fl1, FLOOR(-123.45) AS fl2, FLOOR(0.0) AS fl3

-```

-

- Here is the result set.

-

-[{fl1: 123, fl2: -124, fl3: 0}]

-This system function will benefit from a [range index](../../index-policy.md#includeexclude-strategy).

-This article will cover how to query geospatial data in Azure Cosmos DB using SQL and LINQ. Currently storing and accessing geospatial data is supported by Azure Cosmos DB for NoSQL accounts only. Azure Cosmos DB supports the following Open Geospatial Consortium (OGC) built-in functions for geospatial querying. For more information on the complete set of built-in functions in the SQL language, see [Query System Functions in Azure Cosmos DB](system-functions.md).

-description: Learn about SQL system function IS_ARRAY in Azure Cosmos DB.

-# IS_ARRAY (Azure Cosmos DB)

- Returns a Boolean value indicating if the type of the specified expression is an array.

-

-*expr*

- Is any expression.

- Returns a Boolean expression.

- The following example checks objects of JSON Boolean, number, string, null, object, array, and undefined types using the `IS_ARRAY` function.

-SELECT

- IS_ARRAY(true) AS isArray1,

- IS_ARRAY(1) AS isArray2,

- IS_ARRAY("value") AS isArray3,

- IS_ARRAY(null) AS isArray4,

- IS_ARRAY({prop: "value"}) AS isArray5,

- IS_ARRAY([1, 2, 3]) AS isArray6,

- IS_ARRAY({prop: "value"}.prop2) AS isArray7

- Here is the result set.

-

-[{"isArray1":false,"isArray2":false,"isArray3":false,"isArray4":false,"isArray5":false,"isArray6":true,"isArray7":false}]

-This system function will benefit from a [range index](../../index-policy.md#includeexclude-strategy).

-description: Learn about SQL system function IS_BOOL in Azure Cosmos DB.

-# IS_BOOL (Azure Cosmos DB)

- Returns a Boolean value indicating if the type of the specified expression is a Boolean.

-

-*expr*

- Is any expression.

- Returns a Boolean expression.

- The following example checks objects of JSON Boolean, number, string, null, object, array, and undefined types using the `IS_BOOL` function.

-