-> If you enable Go-Local add-on , the 50,000 free MAUs per month given by your AD B2C subscription doesn't apply for Go-Local add-on . You'll incur a charge per MAU, on the Go-Local add-on from the first MAU. However, you'll continue to enjoy free 50,000 MAUs per month on the other features available on your Azure AD B2C [Premium P1 or P2 pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/).

-| [Go-Local add-on](data-residency.md#go-local-add-on) | Preview | Azure AD B2C's [Go-Local add-on](data-residency.md#go-local-add-on) enables you to create Azure AD B2C tenant within the country/region you choose when you [create your Azure AD B2C](tutorial-create-tenant.md). |

-*Go-Local* refers to MicrosoftΓÇÖs commitment to allow some customers to configure some services to store their data at rest in the Geo of the customerΓÇÖs choice, typically a country/region. Go-Local is as way fulfilling corporate policies and compliance requirements. You choose the country/region where you want to store your data when you [create your Azure AD B2C](tutorial-create-tenant.md).

-The Go-Local add-on is a paid add-on, but it's optional. If you choose to use it, you'll incur an extra charge in addition to your Azure AD B2C Premium P1 or P2 licenses. See more information in [Billing model](billing.md).

-|If you're in | What to do |

-|-||

-| Australia | If you've an existing Azure AD B2C tenant that you created since **April 2021**, then your data is resident in Australia. You need to opt in to start using Go-Local add-on. <br> If you're creating a new Azure AD B2C tenant, you can enable Go-Local add-on when you create it.|

-| Japan | You can enable Go-Local add-on when you create a new Azure AD B2C tenant. |

->If you're unable to create Azure AD B2C tenant, [review your user settings page](tenant-management-check-tenant-creation-permission.md) to ensure that tenant creation isn't switched off. If tenant creation is switched on, ask your _Global Administrator_ to assign you a _Tenant Creator_ role.

-When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and accountabilities.

-We recommend that the initial configuration of automatic user provisioning is in a test environment with a small subset of users before scaling it to all users in production. See [best practices](../fundamentals/active-directory-deployment-plans.md#best-practices-for-a-pilot) for running a pilot.

-When technology projects fail, they typically do so owing to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md). Also make sure that stakeholder roles in the project are well understood. Document the stakeholders and their project input and accountabilities.

-Run the initial configuration in a [pilot environment](../fundamentals/active-directory-deployment-plans.md#best-practices-for-a-pilot) before you scale it to all users in production.

-|Microsoft Authenticator phone sign-in | &#x2705; | &#x2705; |

-When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood.

-When you deploy passwordless authentication, you should first enable one or more pilot groups. You can create groups specifically for this purpose. Add the users who will participate in the pilot to the groups. Then, enable new passwordless authentication methods for the selected groups. See [best practices for a pilot](../fundamentals/active-directory-deployment-plans.md).

-* [Deploy other identity features](../fundamentals/active-directory-deployment-plans.md)

-[Deploy other identity features](../fundamentals/active-directory-deployment-plans.md)

-When technology projects fail, they typically do so due to mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you are engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and accountabilities.

-We recommend that the initial configuration of SSPR is in a test environment. Start with a pilot group by enabling SSPR for a subset of users in your organization. See [Best practices for a pilot](../fundamentals/active-directory-deployment-plans.md).

-claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22c1%22%7D%7D%7D

-```json

-When technology projects fail, they typically do because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders,](../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood.

-We recommend that the initial configuration of your integration method is in a test environment, or with a small group of test devices. See [Best practices for a pilot](../fundamentals/active-directory-deployment-plans.md).

-| [Mobile Device Management (MDM) ](/windows/client-management/mdm/azure-active-directory-integration-with-mdm) <br>Example: Microsoft Intune |  |  |  |

- /*

- * Copyright (c) Microsoft Corporation. All rights reserved.

- * Licensed under the MIT License.

- */

- * Configuration object to be passed to MSAL instance on creation.

- * For a full list of MSAL.js configuration parameters, visit:

- * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md

- */

- authority: 'https://Enter_the_Tenant_Name_Here.ciamlogin.com/', // Replace "Enter_the_Tenant_Name_Here" with your tenant name

- * Scopes you add here will be prompted for user consent during sign-in.

- * By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.

- * For more information about OIDC scopes, visit:

- * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes

- */

- extraQueryParameters: {

- dc: "ESTS-PUB-EUS-AZ1-FD000-TEST1"

- }

-description: Learn how to manage branding resources in an Azure AD for customers tenant by calling the Microsoft Graph API. You use an application identity to automate the process.

-#Customer intent: As a dev, devops, I want to learn how to use the Microsoft Graph to manage operations in my Azure AD customer tenant.

-# Manage Azure Active Directory for customers company branding with the Microsoft Graph API

-Using the Microsoft Graph API allows you to manage resources in your Azure Active Directory (AD) for customers directory. The following Microsoft Graph API operations are supported for the management of resources related to branding. Each link in the following sections targets the corresponding page within the Microsoft Graph API reference for that operation.

-> [!NOTE]

-> You can also programmatically create an Azure AD for customers directory itself, along with the corresponding Azure resource linked to an Azure subscription. This functionality isn't exposed through the Microsoft Graph API, but through the Azure REST API. For more information, see [Directory Tenants - Create Or Update](/rest/api/azurestack/directory-tenants/create-or-update).

-## Company branding

-Customers can customize look and feel of sign-in pages which appear when users sign in to tenant-specific apps. Developers can also read the company's branding information and customize their app experience to tailor it specifically for the signed-in user using their company's branding.

-You can't change your original configuration's default language. However, companies can add different branding based on locale. For language-specific branding, see the organizationalBrandingLocalization object.

-## Company branding - localization

-Resource that supports managing language-specific branding. While you can't change your original configuration's language, this resource allows you to create a new configuration for a different language.

-## How to programmatically manage Microsoft Graph

-When you want to manage Microsoft Graph, you can either do it as the application using the application permissions, or you can use delegated permissions. For delegated permissions, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource. Application permissions are used by apps that do not require a signed in user present and thus require application permissions. Because of this, only administrators can consent to application permissions.

-> [!NOTE]

-> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.

-## Next steps

-description: Learn how to manage custom extension resources in an Azure AD for customers tenant by calling the Microsoft Graph API and using an application identity to automate the process.

-#Customer intent: As a dev, devops, I want to learn how to use the Microsoft Graph to manage custom extension operations in my Azure AD customer tenant.

-# Manage Azure Active Directory (AD) for customers custom extension resources with Microsoft Graph

-Using the Microsoft Graph API allows you to manage resources in your Azure AD for customers directory. The following Microsoft Graph API operations are supported for the management of resources related to custom extensions. Each link in the following sections targets the corresponding page within the Microsoft Graph API reference for that operation.

-> [!NOTE]

-> You can also programmatically create an Azure AD for customers directory itself, along with the corresponding Azure resource linked to an Azure subscription. This functionality isn't exposed through the Microsoft Graph API, but through the Azure REST API. For more information, see [Directory Tenants - Create Or Update](/rest/api/azurestack/directory-tenants/create-or-update).

-## Custom authentication extensions (Preview)

-Custom authentication extensions define interactions with external systems during a user authentication session. This is an abstract type that's inherited by the onTokenIssuanceStartCustomExtension derived type.

-## How to programmatically manage Microsoft Graph

-When you want to manage Microsoft Graph, you can either do it as the application using the application permissions, or you can use delegated permissions. For delegated permissions, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource. Application permissions are used by apps that do not require a signed in user present and thus require application permissions. Because of this, only administrators can consent to application permissions.

-> [!NOTE]

-> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.

-## Next steps

-description: Learn how to manage user flow resources in an Azure AD for customers tenant by calling the Microsoft Graph API and using an application identity to automate the process.

-#Customer intent: As a dev, devops, I want to learn how to use the Microsoft Graph to manage user flow operations in my Azure AD customer tenant.

-# Manage Azure Active Directory for customers user flow resources with Microsoft Graph

-Using the Microsoft Graph API allows you to manage resources in your Azure Active Directory (AD) for customers directory. The following Microsoft Graph API operations are supported for the management of resources related to user flows. Each link in the following sections targets the corresponding page within the Microsoft Graph API reference for that operation.

-> [!NOTE]

-> You can also programmatically create an Azure AD for customers directory itself, along with the corresponding Azure resource linked to an Azure subscription. This functionality isn't exposed through the Microsoft Graph API, but through the Azure REST API. For more information, see [Directory Tenants - Create Or Update](/rest/api/azurestack/directory-tenants/create-or-update).

-## User flows (Preview)

-User flows are used to enable a self-service sign-up experience for users within an Azure AD customer tenant. User flows define the experience the end user sees while signing up, including which identity providers they can use to authenticate, along with which attributes are collected as part of the sign-up process. The sign-up experience for an application is defined by a user flow, and multiple applications can use the same user flow.

-Configure pre-built policies for sign-up, sign-in, combined sign-up and sign-in, password reset, and profile update.

-## Identity providers (Preview)

-Get the identity providers that are defined for an external identities self-service sign-up user flow that's represented by an externalUsersSelfServiceSignupEventsFlow object type.

-## Attributes (Preview)

-## How to programmatically manage Microsoft Graph

-When you want to manage Microsoft Graph, you can either do it as the application using the application permissions, or you can use delegated permissions. For delegated permissions, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource. Application permissions are used by apps that do not require a signed in user present and thus require application permissions. Because of this, only administrators can consent to application permissions.

-> [!NOTE]

-> Delegated permissions for users signing in through user flows or custom policies cannot be used against delegated permissions for Microsoft Graph API.

-## Next steps

-Learn more: [Include the right stakeholders](active-directory-deployment-plans.md)

-* [Integrate F5 BIG-IP with Azure AD](../manage-apps/f5-aad-integration.md)

-Refer to the [Azure AD deployment plans](active-directory-deployment-plans.md) for implementation details on any capabilities you haven't deployed.

-* [Introduction to delegated administration and isolated environments](secure-with-azure-ad-introduction.md)

-* [Best practices](secure-with-azure-ad-best-practices.md)

-* [Introduction to delegated administration and isolated environments](secure-with-azure-ad-introduction.md)

-* [Best practices](secure-with-azure-ad-best-practices.md)

-* [Introduction to delegated administration and isolated environments](secure-with-azure-ad-introduction.md)

-* [Best practices](secure-with-azure-ad-best-practices.md)

-| **Restrict non-admin users from reading BitLocker key(s) for their owned devices** | Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Setting this option to **No** allows users to recover their BitLocker key(s). |

-When technology projects fail, they typically do so because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that project roles are clear.

-For more information, see [Best practices for a pilot](../fundamentals/active-directory-deployment-plans.md).

-1. To add a Verified ID requirement to the access package, select on **Add issuer** in the **Required Verified IDs** section. If you don't have the Verified ID service set up in your tenant, navigate to the **Verified ID** section of the Azure portal.

-1. Search for an issuer in the dropdown and select the credential type you want users to present when requesting access.

- > [!NOTE]

- > If you select multiple issuers / credential types, users requesting access will be required to present **all** of the credential types you have included in this policy. To give users the option of presenting one of many credential types, please include each acceptable option in a separate policy.

-## Set up group writeback in entitlement management

-To set up group writeback for Microsoft 365 groups in access packages, you must complete the following prerequisites:

-

-Using group writeback, you can now sync Microsoft 365 groups that are part of access packages to on-premises Active Directory. To sync the groups, follow the steps below:

-1. Create an Azure Active Directory Microsoft 365 group.

-1. Set the group to be written back to on-premises Active Directory. For instructions, see [Group writeback in the Azure portal](../enterprise-users/groups-write-back-portal.md).

-1. Add the group to an access package as a resource role. See [Create a new access package](entitlement-management-access-package-create.md#resource-roles) for guidance.

-1. Assign the user to the access package. See [View, add, and remove assignments for an access package](entitlement-management-access-package-assignments.md#directly-assign-a-user) for instructions to directly assign a user.

-1. After you've assigned a user to the access package, confirm that the user is now a member of the on-premises group once Azure AD Connect Sync cycle completes:

- 1. View the member property of the group in the on-premises OU OR

- 1. Review the member Of on the user object.

-> [!NOTE]

-> Azure AD Connect's default sync cycle schedule is every 30 minutes. You may need to wait until the next cycle occurs to see results on-premises or choose to run the sync cycle manually to see results sooner.

-For more information on deployment plans, see [Azure AD deployment plans](../fundamentals/active-directory-deployment-plans.md)

-When technology projects fail, they typically do so because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that project roles are clear.

-For more information, see [Best practices for a pilot.](../fundamentals/active-directory-deployment-plans.md).

-If you're thinking about migrating from federated to cloud authentication, learn more about [changing the sign-in method](plan-connect-user-signin.md). To help you plan and implement the migration, use [these project deployment plans](../../fundamentals/active-directory-deployment-plans.md), or consider using the new [Staged Rollout](how-to-connect-staged-rollout.md) feature to migrate federated users to using cloud authentication in a staged approach.

-* Must have less than 50,000 members. This count is the number of members in the on-premises group.

- * If the number of members grow from when it was initially created, then when it reaches 50,000 members it stops synchronizing until the membership count is lower than 50,000 again.

- * Note: The 50,000 membership count is also enforced by Azure AD. You are not able to synchronize groups with more members even if you modify or remove this rule.

- > - If you have an outgoing HTTP proxy, make sure that the URL `autologon.microsoftazuread-sso.com` is on your allowlist. You should specify this URL explicitly because the wildcard might not be accepted.

-Learn more: [Azure Active Directory deployment plans](../../fundamentals/active-directory-deployment-plans.md)

-When technology projects fail, it's typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood.

-### Domain Controller logs

-If audit logging is enabled, additional information can be found in the security logs of your Domain Controllers. A simple way to query sign-in requests sent by Pass-through Authentication Agents is as follows:

-* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

-* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

-* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

-To learn more about benefits, see [Integrate F5 BIG-IP with Azure Active Directory](./f5-aad-integration.md).

- ```New-ADUser -Name "F5 BIG-IP Delegation Account" UserPrincipalName host/f5-big-ip.contoso.com@contoso.com SamAccountName "f5-big-ip" -PasswordNeverExpires $true Enabled $true -AccountPassword (Read-Host -AsSecureString "Account Password") ```

- ```Set-AdUser -Identity f5-big-ip -ServicePrincipalNames @Add="host/f5-big-ip.contoso.com"} ```

- ```Get-ADUser -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

- ```Get-ADUser -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

- ```Set-AdUser -Identity web_svc_account -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

- ```Set-ADComputer -Identity APP-VM-01 -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

- ```Get-ADUser -Identity f5-big-ip | Set-ADAccountControl -TrustedToAuthForDelegation $true ```

- ```Set-ADUser -Identity f5-big-ip -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/myexpenses.contoso.com')} ```

-description: Learn to implement secure hybrid access (SHA) with Single Sign-on to Kerberos applications using F5ΓÇÖs BIG-IP Easy Button guided configuration.

-To learn more about benefits, see the article on [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md).

-Prior BIG-IP experience isnΓÇÖt necessary, but you need:

- * F5 BIG-IP® Best bundle

- * F5 BIG-IP APM add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

-The optional **Security Settings** specify whether Azure AD encrypts issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides more assurance the content tokens canΓÇÖt be intercepted, and personal or corporate data can't be compromised.

-3. From the **Assertion Decryption Private Key** list, select **Create New**.

- 

-4. Select **OK**. The **Import SSL Certificate and Keys** dialog appears.

-5. Select **PKCS 12 (IIS)** to import your certificate and private key.

-6. After provisioning, close the browser tab to return to the main tab.

- 

-7. Check **Enable Encrypted Assertion**.

-8. If you enabled encryption, select your certificate from the **Assertion Decryption Private Key** list. This private key is for the certificate that BIG-IP APM uses to decrypt Azure AD assertions.

-9. If you enabled encryption, select your certificate from the **Assertion Decryption Certificate** list. BIG-IP uploads this certificate to Azure AD to encrypt the issued SAML assertions.

- 

-1. From the **Available Policies** list, select a policy.

-2. Select the **right arrow** and move it to the **Selected Policies** list.

-What isnΓÇÖt covered is Single Log Out (SLO) functionality, which ensures sessions between the IdP, the BIG-IP, and the user agent terminate when a user signs out. When the Easy Button instantiates a SAML application in your Azure AD tenant, it populates the sign-out URL with the APM SLO endpoint. An IdP-initiated sign out from the Azure AD MyApps portal terminates the session between the BIG-IP and a client.

-If the BIG-IP webtop portal accesses published applications, then a sign out is processed by the APM to call the Azure AD sign-out endpoint. But consider a scenario when the BIG-IP webtop portal isnΓÇÖt used, then the user can't instruct the APM to sign out. Even if the user signs out of the application, the BIG-IP is oblivious. Therefore, consider SP-initiated sign out to ensure sessions terminate securely. You can add an SLO function to your application Sign-out button, so it redirects your client to the Azure AD SAML, or the BIG-IP sign out endpoint.

-The BIG-IP doesnΓÇÖt support group Managed Service Accounts (gMSA), therefore create a standard user account for the APM service account.

- ```New-ADUser -Name "F5 BIG-IP Delegation Account" -UserPrincipalName host/f5-big-ip.contoso.com@contoso.com -SamAccountName "f5-big-ip" -PasswordNeverExpires $true -Enabled $true -AccountPassword (Read-Host -AsSecureString "Account Password") ```

- ```Set-AdUser -Identity f5-big-ip -ServicePrincipalNames @{Add="host/f5-big-ip.contoso.com"} ```

- ```Get-ADUser -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

- ```Get-ADUser -identity <name_of _account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

- ```Set-AdUser -Identity web_svc_account -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

- ```Set-ADComputer -Identity APP-VM-01 -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

- ```Get-ADUser -Identity f5-big-ip | Set-ADAccountControl -TrustedToAuthForDelegation $true ```

-2. The APM service account needs to know the target SPN itΓÇÖs trusted to delegate to, or which service for which it's allowed to request a Kerberos ticket. Set target SPN to the service account running your web application.

- ```Set-ADUser -Identity f5-big-ip -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/myexpenses.contoso.com')} ```

- ```$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com ```

- ```Set-ADUser -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount $big-ip ```

- ```Get-ADUser web_svc_account -Properties PrincipalsAllowedToDelegateToAccount ```

- ```$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com ```

- ```Set-ADComputer -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount $big-ip ```

- ```Get-ADComputer web_svc_account -Properties PrincipalsAllowedToDelegateToAccount ```

-To learn about more benefits, see [F5 BIG-IP and Azure AD integration](./f5-aad-integration.md).

- ```ldapsearch -xLLL -H 'ldap://192.168.0.58' -b "CN=partners,dc=contoso,dc=lds" -s sub -D "CN=f5-apm,CN=partners,DC=contoso,DC=lds" -w 'P@55w0rd!' "(cn=testuser)" ```

-* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

-```ldapsearch -xLLL -H 'ldap://192.168.0.58' -b "CN=oraclef5,dc=contoso,dc=lds" -s sub -D "CN=f5-apm,CN=partners,DC=contoso,DC=lds" -w 'P@55w0rd!' "(cn=testuser)" ```

-* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

-* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

- * F5 BIG-IP® Best bundle

- * F5 BIG-IP APM add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

- 

-When the BIG-IP webtop portal accesses published applications, the APM processes a sign out to call the Azure AD sign-out endpoint. If the BIG-IP webtop portal isnΓÇÖt used, the user can't instruct the APM to sign out. If the user signs out of the application, the BIG-IP is oblivious. SP-initiated sign out needs secure session termination. Add an SLO function to your application **Sign out** button, to redirect your client to the Azure AD SAML or BIG-IP sign out endpoint. The SAML sign out endpoint URL for your tenant in **App Registrations > Endpoints**.

-1. Sign into the Oracle console with admin permissions.

- 

- 

-9. Navigate to **People Tools** > **Web Profile**.

-10. Select the web profile.

-11. On **Security** tab, in **Public Users**, select **Allow Public Access**.

-12. For **User ID**, enter **OAMPSFT**.

-13. Enter the **Password**.

- 

-14. Leave the Peoplesoft console.

-15. Start **PeopleTools Application Designer**.

-16. Right-click the **LDAPAUTH** field.

-17. Select **View PeopleCode**.

- 

-18. The **LDAPAUTH** code windows opens.

-19. Locate the **OAMSSO_AUTHENTICATION** function.

-21. Save the record.

-22. Navigate to **PeopleTools > Security.

-23. Select **Security Objects**.

-24. Select **Sign on PeopleCode**.

-25. Enable **OAMSSO_AUTHENTICATION**.

-1. Obtain the PeopleSoft portal sign-out URL.

-2. Open the portal with a web browser.

-3. Enable the debug tools.

-4. Locate the element with the **PT_LOGOUT_MENU** ID.

-5. Save the URL path with the query parameters. In this example: `/psp/ps/?cmd=logout`.

- 

-1. Navigate to **Local Traffic > iRules List.

-2. Select **Create**.

-3. Enter a rule **Name**.

-4. Enter the following command lines.

- ```when HTTP_REQUEST {switch -glob -- [HTTP::uri] { "/psp/ps/?cmd=logout" {HTTP::redirect "/my.logout.php3" }}} ```

- 

-3. From the top navigation bar, select **Virtual Server**.

-4. For **Advanced Settings**, select **On*.

- 

-4. Scroll to the bottom.

-5. Under **Common**, add the iRule you created.

- 

-5. Select **Save**.

-6. Select **Next**.

-7. Continue to configure settings.

-Redirect user requests from the root (ΓÇ£/ΓÇ¥) to the external PeopleSoft portal, usually located in: ΓÇ£/psc/ps/EXTERNAL/HRMS/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBLΓÇ¥

-1. Navigate to **Local Traffic > iRule**.

-2. Select **iRule_PeopleSoft**.

-3. Add the following command lines.

-4. Assign the iRule to the BIG-IP Virtual Server.

- 

-1. Navigate to **Access Policy > Overview.

-If a BIG-IP error appears after Azure AD preauthentication, itΓÇÖs possible the issue relates to Azure AD to BIG-IP SSO.

-* [Integrate F5 BIG-IP with Azure AD](./f5-aad-integration.md)

-VM deployment and base system configurations take approximately 30 minutes, then BIG-IP is to implement SHA scenarios in [Integrate F5 BIG-IP with Azure Active Directory](f5-aad-integration.md).

-* See also, [scenario-based guidance](f5-aad-integration.md)

-Select a [deployment scenario](f5-aad-integration.md) and start your implementation.

-Many [deployment plans](../fundamentals/active-directory-deployment-plans.md) are available for your use, and weΓÇÖre always making more!

-| [Other deployment plans](../fundamentals/active-directory-deployment-plans.md) | Find more deployment plans for deploying features such as Azure AD multi-factor authentication, Conditional Access, user provisioning, seamless SSO, self-service password reset, and more! |

-# Integrating Azure Active Directory with applications getting started guide

-For in-depth information, you can download Azure Active Directory deployment plans from [GitHub](../fundamentals/active-directory-deployment-plans.md). For gallery applications, you can download deployment plans for single sign-on, Conditional Access, and user provisioning through the [Azure portal](https://portal.azure.com).

- * [Tutorial: Azure AD SSO integration with Citrix ADC SAML Connector for Azure AD (Kerberos-based authentication)](./f5-aad-integration.md)

- * [Tutorial: Configure F5 BIG-IP SSL-VPN for Azure AD SSO](./f5-aad-password-less-vpn.md)

-|F5, Inc.|[Integrate F5 BIG-IP with Azure AD](f5-aad-integration.md)</br>[Tutorial: Configure F5 BIG-IP SSL-VPN for Azure AD SSO](f5-aad-password-less-vpn.md)|

-## February 2023

-### Updated articles

-[Manage custom security attributes for an application (Preview)](custom-security-attributes-apps.md)

-When technology projects fail, itΓÇÖs typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that youΓÇÖre engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md) and that stakeholder roles in the project are well understood.

-At each stage of your deployment ensure that you are evaluating that the results are as expected. See [best practices for a pilot](../fundamentals/active-directory-deployment-plans.md#best-practices-for-a-pilot).

-* [Deploy other identity features](../fundamentals/active-directory-deployment-plans.md)

- - *Success:* One or more CA policies applied to the user and application (but not necessarily the other conditions) during sign-in.

- - *Failure:* The sign-in satisfied the user and application condition of at least one CA policy and grant controls are either not satisfied or set to block access.

-When technology projects fail, they typically do so due to mismatched expectations on effect, outcomes, and responsibilities. To avoid these pitfalls, [ensure that you're engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md). Also ensure that stakeholder roles in the project are well understood by documenting the stakeholders and their project input and responsibilities.

-Successful projects align expectations, outcomes, and responsibilities. See, [Azure Active Directory deployment plans](../fundamentals/active-directory-deployment-plans.md). Document and communicate stakeholder roles that require input and accountability.

- > [!NOTE]

- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [F5 Client support team](https://support.f5.com/csp/knowledge-center/software/BIG-IP?module=BIG-IP%20APM45) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- 

- 

- 

- ΓÇó Username Source

- ΓÇó User Realm Source

-| eb46b6b6.session.saml.last.assertionIssueInstant | `<ID>` |

-description: Learn to implement SHA with header-based SSO to Oracle Enterprise Business Suite using F5ΓÇÖs BIG-IP Easy Button guided configuration

-# Tutorial: Configure F5ΓÇÖs BIG-IP Easy Button for SSO to Oracle Enterprise Business Suite

-In this article, learn to secure Oracle Enterprise Business Suite (EBS) using Azure Active Directory (Azure AD), through F5ΓÇÖs BIG-IP Easy Button guided configuration.

-To learn about all the benefits, see the article on [F5 BIG-IP and Azure AD integration](../manage-apps/f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

-Prior BIG-IP experience isnΓÇÖt necessary, but you need:

- * F5 BIG-IP® Best bundle

- * F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license

- * F5 BIG-IP Access Policy Manager™ (APM) add-on license on an existing BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

-There are many methods to configure BIG-IP for this scenario, including two template-based options and an advanced configuration. This tutorial covers the latest Guided Configuration 16.1 offering an Easy button template. With the Easy Button, admins no longer go back and forth between Azure AD and a BIG-IP to enable services for SHA. The deployment and policy management is handled directly between the APMΓÇÖs Guided Configuration wizard and Microsoft Graph. This rich integration between BIG-IP APM and Azure AD ensures that applications can quickly, easily support identity federation, SSO, and Azure AD Conditional Access, reducing administrative overhead.

- Next, under optional **Security Settings** specify whether Azure AD should encrypt issued SAML assertions. Encrypting assertions between Azure AD and the BIG-IP APM provides assurance that the content tokens canΓÇÖt be intercepted, and personal or corporate data be compromised.

-4. Enter the certificateΓÇÖs password in **Signing Key Passphrase**

-What isnΓÇÖt covered here however is Single Log-Out (SLO) functionality, which ensures all sessions between the IdP, the BIG-IP, and the user agent are terminated as users sign off. When the Easy Button instantiates a SAML application in your Azure AD tenant, it also populates the Logout Url with the APMΓÇÖs SLO endpoint. That way IdP initiated sign-outs from the Azure AD MyApps portal also terminate the session between the BIG-IP and a client.

-If the BIG-IP webtop portal is used to access published applications then a sign-out from there would be processed by the APM to also call the Azure AD sign-out endpoint. But consider a scenario where the BIG-IP webtop portal isnΓÇÖt used, then the user has no way of instructing the APM to sign out. Even if the user signs-out of the application itself, the BIG-IP is technically oblivious to this. So for this reason, SP initiated sign-out needs careful consideration to ensure sessions are securely terminated when no longer required. One way of achieving this would be to add an SLO function to your applications sign out button, so that it can redirect your client to either the Azure AD SAML or BIG-IP sign-out endpoint. The URL for SAML sign-out endpoint for your tenant can be found in **App Registrations > Endpoints**.

-This last step provides a breakdown of your configurations. Select **Deploy** to commit all settings and verify that the application now exists in your tenants list of ΓÇÿEnterprise applications.

-From a browser, connect to the **Oracle EBS applicationΓÇÖs external URL** or select the applicationΓÇÖs icon in the [Microsoft MyApps portal](https://myapps.microsoft.com/). After authenticating to Azure AD, youΓÇÖll be redirected to the BIG-IP virtual server for the application and automatically signed in through SSO.

-There may be cases where the Guided Configuration templates lack the flexibility to achieve more specific requirements. For those scenarios, see [Advanced Configuration for headers-based SSO](../manage-apps/f5-big-ip-header-advanced.md). Alternatively, the BIG-IP gives the option to disable **Guided ConfigurationΓÇÖs strict management mode**. This allows you to manually tweak your configurations, even though bulk of your configurations are automated through the wizard-based templates.

-You can navigate to **Access > Guided Configuration** and select the **small padlock icon** on the far right of the row for your applicationsΓÇÖ configs.

-If you see a BIG-IP branded error immediately after successful Azure AD pre-authentication, itΓÇÖs possible the issue relates to SSO from Azure AD to the BIG-IP.

-If you donΓÇÖt see a BIG-IP error page, then the issue is probably more related to the backend request or SSO from the BIG-IP to the application.

-```ldapsearch -xLLL -H 'ldap://192.168.0.58' -b "CN=oraclef5,dc=contoso,dc=lds" -s sub -D "CN=f5-apm,CN=partners,DC=contoso,DC=lds" -w 'P@55w0rd!' "(cn=testuser)" ```

-For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this [F5 knowledge article on LDAP Query](https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-authentication-methods/ldap-query.html).

-To learn about all the benefits, see the article on [F5 BIG-IP and Azure AD integration](../manage-apps/f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

-To learn about all the benefits, see the article on [F5 BIG-IP and Azure AD integration](../manage-apps/f5-aad-integration.md) and [what is application access and single sign-on with Azure AD](/azure/active-directory/active-directory-appssoaccess-whatis).

-* [Introduction to delegated administration and isolated environments](../fundamentals/secure-with-azure-ad-introduction.md)

-|**7.1.2** Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.|Integrate access to CDE applications with Azure AD for authentication and authorization. </br> - Assign users roles to applications or with group membership </br> - Use Microsoft Graph to list application assignments </br> - Use Azure AD audit logs to track assignment changes. </br> [List appRoleAssignments granted to a user](/graph/api/user-list-approleassignments?view=graph-rest-1.0&tabs=http&preserve-view=true) </br> [Get-MgServicePrincipalAppRoleAssignedTo](/powershell/module/microsoft.graph.applications/get-mgserviceprincipalapproleassignedto?view=graph-powershell-1.0&preserve-view=true) </br></br> **Privileged access** </br> Use Azure AD audit logs to track directory role assignments. Administrator roles relevant to this PCI requirement: </br> - Global </br> - Application </br> - Authentication </br> - Authentication Policy </br> - Hybrid Identity </br> To implement least privilege access, use Azure AD to create custom directory roles. </br> If you build portions of CDE in Azure, document privileged role assignments such as Owner, Contributor, user Access Administrator, etc., and subscription custom roles where CDE resources are deployed. </br> Microsoft recommends you enable Just-In-Time (JIT) access to roles using Privileged Identity Management (PIM). PIM enables JIT access to Azure AD security groups for scenarios when group membership represents privileged access to CDE applications or resources. [Azure AD built-in roles](../roles/permissions-reference.md) </br> [Azure AD Identity and access management operations reference guide](../fundamentals/active-directory-ops-guide-iam.md) </br> [Create and assign a custom role in Azure Active Directory](../roles/custom-create.md) </br> [Securing privileged access for hybrid and cloud deployments in Azure AD](../roles/security-planning.md) </br> [What is Azure AD Privileged Identity Management?](../privileged-identity-management/pim-configure.md) </br> [Best practices for all isolation architectures]() </br> [PIM for Groups](../fundamentals/secure-with-azure-ad-best-practices.md)|

-# Integrate Azure Active Directory with Azure Kubernetes Service using the Azure CLI (legacy)

-> **The feature described in this document, Azure AD Integration (legacy), will be deprecated on June 1st, 2023. At that time, no new clusters can be created with Azure AD Integration (legacy). All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from August 1st, 2023.

-For the complete sample script used in this article, see [Azure CLI samples - AKS integration with Azure AD][complete-script].

-## The following limitations apply:

-Importing the ingress TLS certificate to the cluster can be accomplished using one of two methods:

-```bash

-export CERT_NAME=aks-ingress-cert

-openssl req -x509 -nodes -days 365 -newkey rsa:2048 \

- -out aks-ingress-tls.crt \

- -keyout aks-ingress-tls.key \

- -subj "/CN=demo.azure.com/O=aks-ingress-tls"

-```

-```bash

-export AKV_NAME="[YOUR AKV NAME]"

-openssl pkcs12 -export -in aks-ingress-tls.crt -inkey aks-ingress-tls.key -out $CERT_NAME.pfx

-# skip Password prompt

-```

-```azurecli-interactive

-az keyvault certificate import --vault-name $AKV_NAME -n $CERT_NAME -f $CERT_NAME.pfx

-```

-First, create a new namespace:

-```bash

-export NAMESPACE=ingress-basic

-```

-```azurecli-interactive

-kubectl create namespace $NAMESPACE

-```

-Select a [method to provide an access identity][csi-ss-identity-access] and configure your SecretProviderClass YAML accordingly. Additionally:

-See the following example of what your SecretProviderClass might look like:

-```yml

-apiVersion: secrets-store.csi.x-k8s.io/v1

-kind: SecretProviderClass

-metadata:

- name: azure-tls

-spec:

- provider: azure

- secretObjects: # secretObjects defines the desired state of synced K8s secret objects

- - secretName: ingress-tls-csi

- type: kubernetes.io/tls

- data:

- - objectName: $CERT_NAME

- key: tls.key

- - objectName: $CERT_NAME

- key: tls.crt

- parameters:

- usePodIdentity: "false"

- useVMManagedIdentity: "true"

- userAssignedIdentityID: <client id>

- keyvaultName: $AKV_NAME # the name of the AKV instance

- objects: |

- array:

- - |

- objectName: $CERT_NAME

- objectType: secret

- tenantId: $TENANT_ID # the tenant ID of the AKV instance

-```

-Apply the SecretProviderClass to your Kubernetes cluster:

-```bash

-kubectl apply -f secretProviderClass.yaml -n $NAMESPACE

-```

-```bash

-helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

-helm repo update

-```

-As mentioned above, depending on your scenario, you can choose to bind the certificate to either the application or to the ingress controller. Follow the below instructions according to your selection:

-The applicationΓÇÖs deployment will reference the Secrets Store CSI Driver's Azure Key Vault provider.

-```bash

-helm install ingress-nginx/ingress-nginx --generate-name \

- --namespace $NAMESPACE \

- --set controller.replicaCount=2 \

- --set controller.nodeSelector."kubernetes\.io/os"=linux \

- --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \

- --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux

-```

-The ingress controllerΓÇÖs deployment will reference the Secrets Store CSI Driver's Azure Key Vault provider.

-> [!NOTE]

-> If not using Azure Active Directory (Azure AD) pod-managed identity as your method of access, remove the line with `--set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME`

-```bash

-helm install ingress-nginx/ingress-nginx --generate-name \

- --namespace $NAMESPACE \

- --set controller.replicaCount=2 \

- --set controller.nodeSelector."kubernetes\.io/os"=linux \

- --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \

- --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \

- --set controller.podLabels.aadpodidbinding=$AAD_POD_IDENTITY_NAME \

- -f - <<EOF

-controller:

- extraVolumes:

- - name: secrets-store-inline

- csi:

- driver: secrets-store.csi.k8s.io

- readOnly: true

- volumeAttributes:

- secretProviderClass: "azure-tls"

- extraVolumeMounts:

- - name: secrets-store-inline

- mountPath: "/mnt/secrets-store"

- readOnly: true

-EOF

-```

-Verify the Kubernetes secret has been created:

-```bash

-kubectl get secret -n $NAMESPACE

-NAME TYPE DATA AGE

-ingress-tls-csi kubernetes.io/tls 2 1m34s

-```

-Again, depending on your scenario, the instructions will change slightly. Follow the instructions corresponding to the scenario you've selected so far:

-Create a file named `aks-helloworld-one.yaml` with the following content:

-```yml

-apiVersion: apps/v1

-kind: Deployment

-metadata:

- name: aks-helloworld-one

-spec:

- replicas: 1

- selector:

- matchLabels:

- app: aks-helloworld-one

- template:

- labels:

- containers:

- - name: aks-helloworld-one

- image: mcr.microsoft.com/azuredocs/aks-helloworld:v1

- ports:

- - containerPort: 80

- env:

- - name: TITLE

- value: "Welcome to Azure Kubernetes Service (AKS)"

- volumeMounts:

- - name: secrets-store-inline

- mountPath: "/mnt/secrets-store"

- readOnly: true

- volumes:

- - name: secrets-store-inline

- csi:

- driver: secrets-store.csi.k8s.io

- readOnly: true

- volumeAttributes:

- secretProviderClass: "azure-tls"

-apiVersion: v1

-kind: Service

-metadata:

- name: aks-helloworld-one

-spec:

- type: ClusterIP

- ports:

- - port: 80

- selector:

- app: aks-helloworld-one

-```

-Create a file named `aks-helloworld-two.yaml` with the following content:

-```yml

-apiVersion: apps/v1

-kind: Deployment

-metadata:

- name: aks-helloworld-two

-spec:

- replicas: 1

- selector:

- matchLabels:

- app: aks-helloworld-two

- template:

- labels:

- app: aks-helloworld-two

- containers:

- - name: aks-helloworld-two

- image: mcr.microsoft.com/azuredocs/aks-helloworld:v1

- ports:

- - containerPort: 80

- env:

- - name: TITLE

- value: "AKS Ingress Demo"

- volumeMounts:

- - name: secrets-store-inline

- mountPath: "/mnt/secrets-store"

- readOnly: true

- volumes:

- - name: secrets-store-inline

- csi:

- driver: secrets-store.csi.k8s.io

- readOnly: true

- volumeAttributes:

- secretProviderClass: "azure-tls"

-apiVersion: v1

-kind: Service

-metadata:

- name: aks-helloworld-two

-spec:

- type: ClusterIP

- ports:

- - port: 80

- selector:

- app: aks-helloworld-two

-```

-And apply them to your cluster:

-```bash

-kubectl apply -f aks-helloworld-one.yaml -n $NAMESPACE

-kubectl apply -f aks-helloworld-two.yaml -n $NAMESPACE

-```

-Verify the Kubernetes secret has been created:

-```bash

-kubectl get secret -n $NAMESPACE

-NAME TYPE DATA AGE

-ingress-tls-csi kubernetes.io/tls 2 1m34s

-```

-Create a file named `aks-helloworld-one.yaml` with the following content:

-```yml

-apiVersion: apps/v1

-kind: Deployment

-metadata:

- name: aks-helloworld-one

-spec:

- replicas: 1

- selector:

- matchLabels:

- app: aks-helloworld-one

- template:

- labels:

- containers:

- - name: aks-helloworld-one

- image: mcr.microsoft.com/azuredocs/aks-helloworld:v1

- ports:

- - containerPort: 80

- env:

- - name: TITLE

- value: "Welcome to Azure Kubernetes Service (AKS)"

-apiVersion: v1

-kind: Service

-metadata:

- name: aks-helloworld-one

-spec:

- type: ClusterIP

- ports:

- - port: 80

- selector:

- app: aks-helloworld-one

-```

-Create a file named `aks-helloworld-two.yaml` with the following content:

-```yml

-apiVersion: apps/v1

-kind: Deployment

-metadata:

- name: aks-helloworld-two

-spec:

- replicas: 1

- selector:

- matchLabels:

- app: aks-helloworld-two

- template:

- labels:

- app: aks-helloworld-two

- containers:

- - name: aks-helloworld-two

- image: mcr.microsoft.com/azuredocs/aks-helloworld:v1

- ports:

- - containerPort: 80

- env:

- - name: TITLE

- value: "AKS Ingress Demo"

-apiVersion: v1

-kind: Service

-metadata:

- name: aks-helloworld-two

-spec:

- type: ClusterIP

- ports:

- - port: 80

- selector:

- app: aks-helloworld-two

-```

-And apply them to your cluster:

-```bash

-kubectl apply -f aks-helloworld-one.yaml -n $NAMESPACE

-kubectl apply -f aks-helloworld-two.yaml -n $NAMESPACE

-```

-Finally, we can deploy a Kubernetes ingress resource referencing our secret. Create a file name `hello-world-ingress.yaml` with the following content:

-```yml

-apiVersion: networking.k8s.io/v1

-kind: Ingress

-metadata:

- name: ingress-tls

- annotations:

- nginx.ingress.kubernetes.io/rewrite-target: /$2

-spec:

- ingressClassName: nginx

- tls:

- - hosts:

- - demo.azure.com

- secretName: ingress-tls-csi

- rules:

- - host: demo.azure.com

- http:

- paths:

- - path: /hello-world-one(/|$)(.*)

- pathType: Prefix

- backend:

- service:

- name: aks-helloworld-one

- port:

- number: 80

- - path: /hello-world-two(/|$)(.*)

- pathType: Prefix

- backend:

- service:

- name: aks-helloworld-two

- port:

- number: 80

- - path: /(.*)

- pathType: Prefix

- backend:

- service:

- name: aks-helloworld-one

- port:

- number: 80

-```

-Make note of the `tls` section referencing the secret we've created earlier, and apply the file to your cluster:

-```bash

-kubectl apply -f hello-world-ingress.yaml -n $NAMESPACE

-```

-Use `kubectl get service` to obtain the external IP address for the ingress controller.

-```bash

-kubectl get service --namespace $NAMESPACE --selector app.kubernetes.io/name=ingress-nginx

-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

-nginx-ingress-1588032400-controller LoadBalancer 10.0.255.157 EXTERNAL_IP 80:31293/TCP,443:31265/TCP 19m

-nginx-ingress-1588032400-default-backend ClusterIP 10.0.223.214 <none> 80/TCP 19m

-```

-Use `curl` to verify your ingress has been properly configured with TLS. Be sure to use the external IP you've obtained from the previous step:

-```bash

-curl -v -k --resolve demo.azure.com:443:EXTERNAL_IP https://demo.azure.com

-```

-No additional path was provided with the address, so the ingress controller defaults to the */* route. The first demo application is returned, as shown in the following condensed example output:

-```console

-[...]

-<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

-<head>

- <link rel="stylesheet" type="text/css" href="/static/default.css">

- <title>Welcome to Azure Kubernetes Service (AKS)</title>

-[...]

-```

-The *-v* parameter in our `curl` command outputs verbose information, including the TLS certificate received. Half-way through your curl output, you can verify that your own TLS certificate was used. The *-k* parameter continues loading the page even though we're using a self-signed certificate. The following example shows that the *issuer: CN=demo.azure.com; O=aks-ingress-tls* certificate was used:

-```

-[...]

-* Server certificate:

-* subject: CN=demo.azure.com; O=aks-ingress-tls

-* start date: Oct 22 22:13:54 2021 GMT

-* expire date: Oct 22 22:13:54 2022 GMT

-* issuer: CN=demo.azure.com; O=aks-ingress-tls

-* SSL certificate verify result: self signed certificate (18), continuing anyway.

-[...]

-```

-Now add */hello-world-two* path to the address, such as `https://demo.azure.com/hello-world-two`. The second demo application with the custom title is returned, as shown in the following condensed example output:

-```

-curl -v -k --resolve demo.azure.com:443:EXTERNAL_IP https://demo.azure.com/hello-world-two

-[...]

-<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

-<head>

- <link rel="stylesheet" type="text/css" href="/static/default.css">

- <title>AKS Ingress Demo</title>

-[...]

-```

-AKS patches CVEs that have a "vendor fix" every week. CVEs without a fix are waiting on a "vendor fix" before it can be remediated. The AKS images will get automatically updated inside of 30 days. We recommend you apply an updated Node Image on a regular cadence to ensure that latest patched images and OS patches are all applied and current. You can do this using one of the following methods:

-## What is the size limit on a container image in AKS?

-AKS does not set a limit on the container image size. However, it is important to understand that the larger the image, the higher the memory demand. A larger size could potentially exceed resource limits or the overall available memory of worker nodes. By default, memory for VM size Standard_DS2_v2 for an AKS cluster is set to 7 GiB.

-For Windows Server nodes, Windows Update does not automatically run and apply the latest updates. On a regular schedule around the Windows Update release cycle and your own validation process, you should perform an upgrade on the cluster and the Windows Server node pool(s) in your AKS cluster. This upgrade process creates nodes that run the latest Windows Server image and patches, then removes the older nodes. For more information on this process, see [Upgrade a node pool in AKS][nodepool-upgrade].

-### Are there security threats targeting AKS that customers should be aware of?

-Microsoft provides guidance for other actions you can take to secure your workloads through services like [Microsoft Defender for Containers](../defender-for-cloud/defender-for-containers-introduction.md?tabs=defender-for-container-arch-aks). The following security threat is related to AKS and Kubernetes that customers should be aware of:

-* [New large-scale campaign targets Kubeflow](https://techcommunity.microsoft.com/t5/azure-security-center/new-large-scale-campaign-targets-kubeflow/ba-p/2425750) - June 8, 2021

-AKS builds upon many Azure infrastructure resources, including Virtual Machine Scale Sets, virtual networks, and managed disks, which enables you to apply many of the core capabilities of the Azure platform within the managed Kubernetes environment provided by AKS. For example, most Azure virtual machine types can be used directly with AKS and Azure Reservations can be used to receive discounts on those resources automatically.

-2. The second resource group, known as the *node resource group*, contains all of the infrastructure resources associated with the cluster. These resources include the Kubernetes node VMs, virtual networking, and storage. By default, the node resource group has a name like *MC_myResourceGroup_myAKSCluster_eastus*. AKS automatically deletes the node resource group whenever the cluster is deleted, so it should only be used for resources that share the cluster's lifecycle.

-Yes. By default, AKS will name the node resource group *MC_resourcegroupname_clustername_location*, but you can also provide your own name.

-To specify your own resource group name, install the [aks-preview][aks-preview-cli] Azure CLI extension version *0.3.2* or later. When you create an AKS cluster by using the [`az aks create`][az-aks-create] command, use the `--node-resource-group` parameter and specify a name for the resource group. If you [use an Azure Resource Manager template][aks-rm-template] to deploy an AKS cluster, you can define the resource group name by using the *nodeResourceGroup* property.

-* The secondary resource group is automatically created by the Azure resource provider in your own subscription.

-* You can specify a custom resource group name only when you're creating the cluster.

-* Specify an existing resource group for the node resource group.

-* Specify a different subscription for the node resource group.

-* Change the node resource group name after the cluster has been created.

-* Specify names for the managed resources within the node resource group.

-* Modify or delete Azure-created tags of managed resources within the node resource group. (See additional information in the next section.)

-If you modify or delete Azure-created tags and other resource properties in the node resource group, you could get unexpected results, such as scaling and upgrading errors. AKS allows you to create and modify custom tags created by end users, and you can add those tags when [creating a node pool](use-multiple-node-pools.md#specify-a-taint-label-or-tag-for-a-node-pool). You might want to create or modify custom tags, for example, to assign a business unit or cost center. Another option is to create Azure Policies with a scope on the managed resource group.

-Yes, you may use admission controller webhooks on AKS. It's recommended you exclude internal AKS namespaces, which are marked with the **control-plane label.** For example:

-The Free pricing tier doesn't have an associated Service Level *Agreement*, but has a Service Level *Objective* of 99.5%. Transient connectivity issues are observed if there was an upgrade, unhealthy underlay nodes, platform maintenance, or an application overwhelms the API Server with requests, etc. For mission-critical and production workloads, or if your workload doesn't tolerate API Server restarts, we recommend using the Standard tier, which includes Uptime SLA.

-AKS agent nodes are billed as standard Azure virtual machines. If you've purchased [Azure reservations][reservation-discounts] for the VM size that you're using in AKS, those discounts are automatically applied.

-Most clusters are deleted upon user request; in some cases, especially where customers are bringing their own Resource Group, or doing cross-RG tasks deletion can take more time or fail. If you have an issue with deletes, double-check that you do not have locks on the RG, that any resources outside of the RG are disassociated from the RG, and so on.

-No, you're unable to restore your cluster after deleting it. When you delete your cluster, the associated resource group and all its resources will also be deleted. If you want to keep any of your resources, move them to another resource group before deleting your cluster. If you have the **Owner** or **User Access Administrator** built-in role, you can lock Azure resources to protect them from accidental deletions and modifications. For more information, see [Lock your resources to protect your infrastructure][lock-azure-resources].

-Platform support is a reduced support plan for unsupported "N-3" version clusters. Platform support only includes Azure infrastructure support. Platform support does not include anything related to Kubernetes functionality and components, cluster or node pool creation, hotfixes, bug fixes, security patches, retired components, etc. See [platform support policy][supported-kubernetes-versions] for additional restrictions.

-AKS relies on the releases and patches from [Kubernetes](https://kubernetes.io/releases/), which is an Open Source project that only supports a sliding window of 3 minor versions. AKS can only guarantee [full support](./supported-kubernetes-versions.md#kubernetes-version-support-policy) while those versions are being serviced upstream. Since there's no more patches being produced upstream, AKS can either leave those versions unpatched or fork. Due to this limitation, platform support will not support anything from relying on kubernetes upstream.

-## Will AKS automatically upgrade my unsupported clusters?

-AKS will initiate auto-upgrades for unsupported clusters. When a cluster in an n-3 version (where n is the latest supported AKS GA minor version) is about to drop to n-4, AKS will automatically upgrade the cluster to n-2 to remain in an AKS support [policy][supported-kubernetes-versions]. Automatically upgrading a platform supported cluster to a supported version is enabled by default.

-For example, kubernetes v1.25 will be upgraded to v1.26 during the v1.29 GA release. To minimize disruptions, set up [maintenance windows][planned-maintenance]. See [auto-upgrade][auto-upgrade-cluster] for details on automatic upgrade channels.

-You can, but we don't recommend it. Upgrades should be performed when the state of the cluster is known and healthy.

-No, delete/remove any nodes in a failed state or otherwise removed from the cluster prior to upgrading.

-Most commonly, this is caused by users having one or more Network Security Groups (NSGs) still in use and associated with the cluster. Remove them and attempt the delete again.

-Confirm your service principal hasn't expired. See: [AKS service principal](./kubernetes-service-principal.md) and [AKS update credentials](./update-credentials.md).

-Confirm your service principal hasn't expired. See: [AKS service principal](./kubernetes-service-principal.md) and [AKS update credentials](./update-credentials.md).

-No, scale operations by using the Virtual Machine Scale Set APIs aren't supported. You can use the AKS API to scale to zero non-system node pools or [stop your cluster](start-stop-cluster.md) instead.

-While AKS has resilience mechanisms to withstand such a config and recover from it, this isn't a supported configuration. [Stop your cluster](start-stop-cluster.md) instead.

-Starting with version 1.2.0, Azure CNI sets Transparent mode as default for single tenancy Linux CNI deployments. Transparent mode is replacing bridge mode. In this section, we will discuss more about the differences about both modes and what are the benefits/limitation for using Transparent mode in Azure CNI.

-As the name suggests, bridge mode Azure CNI, in a "just in time" fashion, will create an L2 bridge named "azure0". All the host side pod `veth` pair interfaces will be connected to this bridge. So Pod-Pod intra VM communication and the remaining traffic goes through this bridge. The bridge in question is a layer 2 virtual device that on its own cannot receive or transmit anything unless you bind one or more real devices to it. For this reason, eth0 of the Linux VM has to be converted into a subordinate to "azure0" bridge. This creates a complex network topology within the Linux VM and as a symptom CNI had to take care of other networking functions like DNS server update and so on.

-The following example shows what the ip route setup looks like in Bridge mode. Regardless of how many pods the node has, there will only ever be two routes. The first one saying, all traffic excluding local on azure0 will go to the default gateway of the subnet through the interface with ip "src 10.240.0.4" (which is Node primary IP) and the second one saying "10.20.x.x" Pod space to kernel for kernel to decide.

-Transparent mode takes a straight forward approach to setting up Linux networking. In this mode, Azure CNI won't change any properties of eth0 interface in the Linux VM. This minimal approach of changing the Linux networking properties helps reduce complex corner case issues that clusters could face with Bridge mode. In Transparent Mode, Azure CNI will create and add host-side pod `veth` pair interfaces that will be added to the host network. Intra VM Pod-to-Pod communication is through ip routes that the CNI will add. Essentially Pod-to-Pod communication is over layer 3 and pod traffic is routed by L3 routing rules.

-The following example shows a ip route setup of transparent mode. Each Pod's interface will get a static route attached so that traffic with dest IP as the Pod will be sent directly to the Pod's host side `veth` pair interface.

-### Benefits of transparent mode

-## How to avoid permission ownership setting slow issues when the volume has a lot of files?

-Traditionally if your pod is running as a non-root user (which you should), you must specify a `fsGroup` inside the podΓÇÖs security context so that the volume can be readable and writable by the Pod. This requirement is covered in more detail in [here](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).

-But one side-effect of setting `fsGroup` is that, each time a volume is mounted, Kubernetes must recursively `chown()` and `chmod()` all the files and directories inside the volume - with a few exceptions noted below. This happens even if group ownership of the volume already matches the requested `fsGroup`, and can be expensive for larger volumes with lots of small files, which causes pod startup to take a long time. This scenario has been a known problem before v1.20, and the workaround is setting the Pod run as root:

-Any patch, including security patches, is automatically applied to the AKS cluster. Anything bigger than a patch, like major or minor version changes (which can have breaking changes to your deployed objects), is updated when you update your cluster if a new release is available. You can find when a new release is available by visiting the [AKS release notes](https://github.com/Azure/AKS/releases).

-## What is the purpose of the AKS Linux Extension I see installed on my Linux VMSS instances?

-The AKS Linux Extension is an Azure VM extension whose purpose is to install and configure monitoring tools on Kubernetes worker nodes. The extension is installed on all new and existing Linux nodes. It configures the following monitoring tools:

-These tools assist in providing observability around many node health related problems such as:

-The extension **does not** require any additional outbound access to any URLs, IP addresses, or ports beyond the [documented AKS egress requirements](./limit-egress-traffic.md). It does not require any special permissions granted in Azure. It uses kubeconfig to connect to the API server to send the monitoring data collected.

-[aks-cluster-autoscale]: ./cluster-autoscaler.md

-[aks-advanced-networking]: ./configure-azure-cni.md

-[aks-rbac-aad]: ./azure-ad-integration-cli.md

-[node-updates-kured]: node-updates-kured.md

-[aks-cluster-autoscaler]: cluster-autoscaler.md

-[aks-windows-cli]: windows-container-cli.md

-[availability-zones]: ./availability-zones.md

-[auto-scaler]: https://github.com/kubernetes/autoscaler

-[private-clusters-github-issue]: https://github.com/Azure/AKS/issues/948

-[csi-driver]: https://github.com/Azure/secrets-store-csi-driver-provider-azure

-[vm-sla]: https://azure.microsoft.com/support/legal/sla/virtual-machines/

-1. Select **Containers** > **Kubernetes Service**.

- * Select or create an Azure **Resource group**, such as *myResourceGroup*.

- * Ensure the **Preset configuration** is *Standard ($$)*. For more details on preset configurations, see [Cluster configuration presets in the Azure portal][preset-config].

- * Select **99.5%** for **API server availability**.

-1. Keep the default **Node pools** options. At the bottom of the screen, click **Next: Access**.

- - The default value for **Resource identity** is **System-assigned managed identity**. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. For more details about managed identities, see [What are managed identities for Azure resources?](../../active-directory/managed-identities-azure-resources/overview.md).

- By default, *Basic* networking is used, and [Container insights](../../azure-monitor/containers/container-insights-overview.md) is enabled.

-1. Keep the default **Networking** options. At the bottom of the screen, click **Next: Integrations**.

-1. On the **Integrations** page, if you want to enable the [recommended out-of-the-box alerts](../../azure-monitor/alerts/alerts-overview.md#recommended-alert-rules) for AKS clusters, select **Enable recommended alert rules**. You can see the list of alerts that are automatically enabled if you select this option.

-1. Click **Review + create**. When you navigate to the **Review + create** tab, Azure runs validation on the settings that you have chosen. If validation passes, you can proceed to create the AKS cluster by selecting **Create**. If validation fails, then it indicates which settings need to be modified.

- :::image type="content" source="media/quick-kubernetes-deploy-portal/aks-portal-dashboard.png" alt-text="Screenshot of AKS dashboard in the Azure portal.":::

- NAME STATUS ROLES AGE VERSION

- aks-agentpool-12345678-vmss000000 Ready agent 23m v1.19.11

- aks-agentpool-12345678-vmss000001 Ready agent 24m v1.19.11

-> kubectl apply -f https://github.com/kubernetes-sigs metrics-server/releases/download/v0.3.6/components.yaml

-After updating your cluster, the control plane and pods use the managed identity. kubelet continues using a service principal until you upgrade your agentpool. You can use the `az aks nodepool upgrade --node-image-only` command on your nodes to update to a managed identity. A node pool upgrade causes downtime for your AKS cluster as the nodes in the node pools are cordoned/drained and reimaged.

-> * If your cluster was using `--attach-acr` to pull from images from Azure Container Registry, you need to run the `az aks update --attach-acr <ACR resource ID>` command after updating your cluster to let the newly-created kubelet used for managed identity get the permission to pull from ACR. Otherwise, you won't be able to pull from ACR after the update.

-> If your cluster was using `--attach-acr` to pull from images from Azure Container Registry, you need to run the `az aks update --attach-acr <ACR Resource ID>` command after updating your cluster to let the newly-created kubelet used for managed identity get the permission to pull from ACR. Otherwise, you won't be able to pull from ACR after the upgrade.

-> Custom metrics are a preview feature of Azure Monitor and subject to limitations.

-Enabling [zone redundancy](../reliability/migrate-api-mgt.md) for an API Management instance in a supported region provides redundancy for all [service components](api-management-key-concepts.md#api-management-components): gateway, management plane, and developer portal. Azure automatically replicates all service components across the zones that you select.

-1. Walk through the steps of the wizard by first selecting **GitHub** as the location of your source code.

-1. You might be redirected to GitHub to sign in. If so, enter your GitHub credentials.

-1. When the **Configure** tab appears, select **ASP.NET Core**.

-This article uses Health check in the Azure portal to monitor App Service instances. Health check increases your application's availability by rerouting requests away from unhealthy instances, and replacing instances if they remain unhealthy. Your [App Service plan](./overview-hosting-plans.md) should be scaled to two or more instances to fully utilize Health check. The Health check path should check critical components of your application. For example, if your application depends on a database and a messaging system, the Health check endpoint should connect to those components. If the application can't connect to a critical component, then the path should return a 500-level response code to indicate the app is unhealthy. Also, if the path does not return a response within 1 minute the health check ping is considered unhealthy.

-## Enable Health Check

-![Health check navigation in Azure Portal][3]

-### Does Health Check work on App Service Environments?

-> [!NOTE]

-> To find the managed identity for your web app or slot app in the Azure portal, under **Enterprise applications**, look in the **User settings** section. Usually, the slot name is similar to `<app name>/slots/<slot name>`.

-## How App Service prevents subdomain takeovers

-Upon deletion of an App Service app or App Service Environment (ASE), the corresponding DNS is reserved. During the reservation period, reuse of the DNS is forbidden except for subscriptions belonging to tenant of the subscription originally owning the DNS.

-After the reservation expires, the DNS is free to be claimed by any subscription. By Name Reservation Service, the customer is afforded some time to either clean-up any associations/pointers to said DNS or reclaim the DNS in Azure. The DNS name being reserved for web apps can be derived by appending 'azurewebsites.net' and for ASE can be derived by appending 'appserviceenvironment.net'. Name Reservation Service is enabled by default on Azure App Service and doesn't require more configuration.

-Subscription 'A' and subscription 'B' are the only subscriptions belonging to tenant 'AB'. Subscription 'A' contains an App Service app 'test' with DNS name 'test'.azurewebsites.net'. Upon deletion of the app, a reservation is taken on DNS name 'test.azurewebsites.net'.

-During the reservation period, only subscription 'A' or subscription 'B' will be able to claim the DNS name 'test.azurewebsites.net' by creating a web app named 'test'. No other subscriptions will be allowed to claim it. After the reservation period is complete, any subscription in Azure can now claim 'test.azurewebsites.net'.

-To get a domain verification ID, see the [Map a custom domain tutorial](app-service-web-tutorial-custom-domain.md)

-# Configure Azure Application Gateway Private Link (preview)

-> [!IMPORTANT]

-> Azure Application Gateway Private Link is currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-To enable Private Link Configuration, a subnet, different from the Application Gateway subnet, is required for the private link IP configuration. Private Link must use a subnet that doesn't contain any Application Gateways. Subnet sizing can be determined by the number of connections required for your deployment. Each IP address allocated to this subnet ensures 64-K concurrent TCP connections that can be established via Private Link at single point in time. Allocate more IP addresses to allow more connections via Private Link. For example: `n * 64K`; where `n` is the number of IP addresses being provisioned.

-The following steps can be completed to create a new subnet:

-1. Within your **Application Gateways** properties blade, obtain and make a note of the **Resource ID**, you will require this if setting up a Private Endpoint within a different Azure AD tenant

-A private endpoint is a network interface that uses a private IP address from the virtual network containing clients wishing to connect to your Application Gateway. Each of the clients will use the private IP address of the Private Endpoint to tunnel traffic to the Application Gateway. To create a private endpoint, complete the following steps:

-To configure Private link on an existing Application Gateway via Azure PowerShell, the following commands can be referenced:

-A list of all Azure PowerShell references for Private Link Configuration on Application Gateway can be found here:

-To configure Private link on an existing Application Gateway via Azure CLI, the following commands can be referenced:

-A list of all Azure CLI references for Private Link Configuration on Application Gateway can be found here: [Azure CLI CLI - Private Link](/cli/azure/network/application-gateway/private-link)

-# Application Gateway Private Link (preview)

-Private Link for Application Gateway allows you to connect workloads over a private connection spanning across VNets and subscriptions. When configured, a private endpoint will be placed into a defined virtual network's subnet, providing a private IP address for clients looking to communicate to the gateway. For a list of other PaaS services that support Private Link functionality, see [What is Azure Private Link?](../private-link/private-link-overview.md).

-> [!IMPORTANT]

-> Azure Application Gateway Private Link is currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

- A Private link configuration can be associated with an Application Gateway Frontend IP address, which can then be used to establish a connection using a Private Endpoint. If there's no association to an Application Gateway frontend IP address, then the Private Link feature won't be enabled.

- An Azure network resource that allocates a private IP address in your VNet address space. It's used to connect to the Application Gateway via the private IP address similar to many other Azure Services like Storage, KeyVault, etc., that provide private link access.

- A connection on Application Gateway originated by Private Endpoints. You can auto-approve, manually approve, or reject connections to grant or deny access.

-* [🆕 Choose a Form Recognizer model](choose-model-feature.md?view=form-recog-3.0.0&preserve-view=true) is now a standalone that provides guidance for choosing the best Form Recognizer solution for your projects and workflows.

-* **Form Recognizer v2.1-preview.1 has been released and includes the following features:

- az provider register --namespace Microsoft.ExtendedLocation ΓÇôwait

- az provider register --namespace Microsoft.ResourceConnector ΓÇôwait

-description: This article provides a detailed overview of the Azure Arc-enabled servers agent available, which supports monitoring virtual machines hosted in hybrid environments.

-* Before you deploy the Azure Arc-enabled servers agent and integrate with other Azure management and monitoring services, review the [Planning and deployment guide](plan-at-scale-deployment.md).

-# Archive for What's new with Azure Arc-enabled servers agent

-The primary [What's new in Azure Arc-enabled servers agent?](agent-release-notes.md) article contains updates for the last six months, while this article contains all the older information.

-description: This article has release notes for Azure Arc-enabled servers agent. For many of the summarized issues, there are links to more details.

-# What's new with Azure Arc-enabled servers agent

-This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [archive for What's new with Azure Arc-enabled servers agent](agent-release-notes-archive.md).

-Instructs the agent to continue onboarding even if the network check for required endpoints fails. You should only use this option if you're sure that the network check results are incorrect. In most cases, a failed network check indicates that the Arc agent won't function correctly on the server.

-Unless otherwise specified, the command syntax and flags represent available options in the most recent release of the Azure Connected Machine agent. For more information, see [What's new with the Azure Arc-enabled servers agent](agent-release-notes.md).

- definition (if you have enabled the Arc-enabled servers agent on a Windows-based machine). For a Linux-based machine, find the corresponding _\[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines_ policy definition. Click on that policy and click **Select**.

-* Before you deploy the Azure Arc-enabled servers agent and integrate with other Azure management and monitoring services, review the [Planning and deployment guide](plan-at-scale-deployment.md).

-1. Remove any VM extensions deployed to the Azure VM, such as the Log Analytics agent. While Azure Arc-enabled servers support many of the same extensions as Azure VMs, the Azure Arc-enabled servers agent can't manage VM extensions already deployed to the VM.

-4. Install and configure the Azure Arc-enabled servers agent.

- The VM is now ready for you to begin evaluating Azure Arc-enabled servers. To install and configure the Azure Arc-enabled servers agent, see [Connect hybrid machines using the Azure portal](onboard-portal.md) and follow the steps to generate an installation script and install using the scripted method.

-* When you have finished testing, [uninstall the Azure Arc-enabled servers agent](manage-agent.md#uninstall-the-agent).

-* Before you deploy the Azure Arc-enabled servers agent and integrate with other Azure management and monitoring services, review the [Planning and deployment guide](plan-at-scale-deployment.md).* To resolve problems, review the [agent connection issues troubleshooting guide](troubleshoot-agent-onboard.md).

-* Delete the Azure Arc-enabled server resource identity from Azure and remove the Azure Arc-enabled server agent.

-# Troubleshoot Azure Arc-enabled servers agent connection issues

-Use the following table to identify and resolve issues when configuring the Azure Arc-enabled servers agent. You will need the `AZCM0000` ("0000" can be any four digit number) error code printed to the console or script output.

-| AZCM0026 | There is an error in network configuration or some critical services are temporarily unavailable | Check if the required endpoints are reachable (for example, hostnames are resolvable, endpoints are not blocked). If the network is configured for Private Link Scope, a Private Link Scope resource ID must be provided for onboarding using the `--private-link-scope` parameter. |

-| AZCM0061<br>AZCM0064<br>AZCM0065<br>AZCM0066<br>AZCM0070<br> | The agent service is not responding or unavailable | Verify the command is run in an elevated user context (administrator/root). Ensure that the HIMDS service is running (start or restart HIMDS as needed) then try the command again. |

-| AZCM0101 | The command was not parsed successfully | Run `azcmagent <command> --help` to review the command syntax. |

-| AZCM0102 | An error occurred while retrieving the computer hostname | Retry the command and specify a resource name (with parameter --resource-name or ΓÇôn). Use only alphanumeric characters, hyphens and/or underscores; note that resource name cannot end with a hyphen or underscore. |

-_Commands_ allow you to control which specific commands can be executed by a particular Redis user.

-Accelerating your path to the US Federal Risk and Authorization Management Program (FedRAMP) compliance in Azure is a focused program that provides learning resources and implementation tools. The goal of the program is education and support during the scoping and implementation of your project. Moreover, Microsoft works with key assessment and automation partners to share reference architectures and solutions that can help you meet your compliance needs.

-Once you have the credentials described previously, navigate to [Partner Center for Microsoft US Government Cloud](/partner-center/partner-center-for-microsoft-us-govt-cloud) to apply for the CSP Government reseller program. It takes 5-6 days to process the application, and, once approved, you should receive an email to log in to [Partner Center](https://partner.microsoft.com/dashboard/home) to accept the Terms and Conditions. For more information, see [Partner Center documentation](/partner-center/overview).

-description: Microsoft's Transparency Notes for Trial Matcher are intended to help you understand how our AI technology works.

-# Transparency Note for Trial Matcher

-An AI system includes not only the technology, but also the people who use it, the people who will be affected by it, and the environment in which it's deployed. Creating a system that is fit for its intended purpose requires an understanding of how the technology works, its capabilities and limitations, and how to achieve the best performance.

-Microsoft's Transparency Notes are intended to help you understand how our AI technology works, the choices system owners can make that influence system performance and behavior, and the importance of thinking about the whole system, including the technology, the people, and the environment. They are also part of a broader effort at Microsoft to put our AI principles into practice. To find out more, see [Microsoft AI principles](https://www.microsoft.com/ai/responsible-ai).

-## Example use cases for the Trial Matcher

-**Use case** | **Description**

-Assisted annotation and curation | Support solutions for clinical data annotation and curation. For example: to support clinical coding, digitization of data that was manually created, automation of registry reporting.

-Decision support | Enable solutions that provide information that can assist a human in their work or support a decision made by a human.

-## Considerations when choosing a use case

-Given the sensitive nature of health-related data, it's important to consider your use cases carefully. In all cases, a human should be making decisions, assisted by the information the system returns and there should be a way to review the source data and correct errors.

-## Don't use

- - **Don't use for scenarios that use this service as a medical device, clinical support, or diagnostic tools to be used in the diagnosis, cure, mitigation, treatment or prevention of disease or other conditions without a human intervention.** A qualified medical professional should always do due diligence and verify the source data regarding patient care decisions.

-Below is the complete running code sample of the functionality above:

-<br/>

-Below is the complete running code sample of the functionality above:

-<br/>

-The following code gets the rendering layers from the drawing manager and modifies their options to change rendering style for drawing. In this case, points will be rendered with a blue marker icon. Lines will be red and four pixels wide. Polygons will have a green fill color and an orange outline. It then changes the styles of the drag handles to be square icons.

-//Update the style of the drag handles that appear when editting.

- //Secondary drag hanle that represents mid-point coordinates that users can grab to add new cooridnates in the middle of segments.

-Below is the complete running code sample of the functionality above:

-<br/>

-> When in edit mode, shapes can be rotated. Rotation is supported from MultiPoint, LineString, MultiLineString, Polygon, MultiPolygon, and Rectangle geometries. Point and Circle geometries can not be rotated.

-curl --location --request POST 'https://login.microsoftonline.com/a1234bcd-5849-4a5d-a2eb-5267eae1bbc7/oauth2/token' \

- "access_token": ""eyJ0eXAiOiJKV1QiLCJ.....Ax"

- | Chaos Experiments | [AppTraces](/azure/azure-monitor/reference/tables/ChaosStudioExperimentEventLogs) |

-# Use queries in Azure Monitor Log Analytics

-When you open Log Analytics, you have access to existing log queries. You can either run these queries without modification or use them as a starting point for your own queries. The available queries include examples provided by Azure Monitor and queries saved by your organization. This article describes the queries that are available and how you can discover and use them.

-### Group by

-### Filter

-### Combine group by and filter

-| [ACRConnectedClientList](/azure/azure-monitor/reference/tables/acrconnectedclientlist) | |

-| [ACRConnectedClientList](/azure/azure-monitor/reference/tables/acrconnectedclientlist) | |

-| [AgriFoodApplicationAuditLogs](/azure/azure-monitor/reference/tables/agrifoodapplicationauditlogs) | |

-| [AgriFoodFarmManagementLogs](/azure/azure-monitor/reference/tables/agrifoodfarmmanagementlogs) | |

-| [Event](/azure/azure-monitor/reference/tables/event) | Partial support . Data arriving from Log Analytics agent (MMA) or Azure Monitor Agent (AMA) is fully supported. Data arriving from Diagnostics Extension is collected through Azure storage. This path isnΓÇÖt supported. |

-| [HDInsightRangerAuditLogs](/azure/azure-monitor/reference/tables/hdinsightrangerauditlogs) | |

-*.login.microsoftonline.com

-*.login.live.com

-*.management.azure.com

-metadata description = {

- description: 'Creates a storage account and a web app'

-}

-The following operation is destructive and can't be undone. All backup data and backup items associated with the protected server will be permanently deleted. Proceed with caution.

-**Recommendation**: Ensure that you've selected one of the supported regions to move Backup vaults. See [Supported regions](#supported-regions

-You can also deploy Bastion by using the following other methods:

-If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-> [!NOTE]

-> The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

->

-You can create a VM using the [Quickstart: Create a VM using PowerShell](../virtual-machines/windows/quick-create-powershell.md) or [Quickstart: Create a VM using the portal](../virtual-machines/windows/quick-create-portal.md) articles. Be sure you deploy the VM to the virtual network to which you deployed Bastion. The VM you create in this section isn't a part of the Bastion configuration and doesn't become a bastion host. You connect to this VM later in this tutorial via Bastion.

- [!INCLUDE [Pricing](../../includes/bastion-pricing.md)]

-* **An Azure account with an active subscription**. If you don't have one, [create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

->[Create an RDP connection to a Windows VM using Azure Bastion](../bastion/bastion-connect-vm-rdp-windows.md)

-In this quickstart, you'll learn how to deploy Azure Bastion with default settings to your virtual network using the Azure portal. After Bastion is deployed, you can connect (SSH/RDP) to virtual machines in the virtual network via Bastion using the private IP address of the VM. When you connect to a VM, it doesn't need a public IP address, client software, agent, or a special configuration. Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on one of your VMs and maintain yourself. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)

-The following steps walk you through how to deploy Bastion from your VM resource using the Azure portal. When you deploy using default settings, the settings are based on the virtual network to which Bastion will be deployed. After deploying Bastion, you'll then connect to your VM using RDP/SSH connectivity and the VM's private IP address. If your VM has a public IP address that you don't need for anything else, you can remove it. While the steps in this quickstart help you deploy Bastion from your VM resource, you can deploy Bastion from a virtual network resource instead. The steps are similar, except you start from the virtual network resource instead of the VM resource.

-## <a name="prereq"></a>Prerequisites

-* **An Azure account with an active subscription**. If you don't have one, [create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

- When you deploy Bastion using default values, the values are pulled from the VNet in which your VM resides. This VM doesn't become a part of the Bastion deployment itself, but you do connect to it later in the exercise.

-If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

- > [!IMPORTANT]

- > For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of [host scaling](./configure-host-scaling.md) in the future.

- >

-1. Once validation passes, you can deploy Bastion. Select **Create**. You'll see a message letting you know that your deployment is in process. Status will display on this page as the resources are created. It takes about 10 minutes for the Bastion resource to be created and deployed.

-If you donΓÇÖt have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

- > [!IMPORTANT]

- > For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of [host scaling](./configure-host-scaling.md) in the future.

- >

-1. Once validation passes, you can deploy Bastion. Select **Create**. You'll see a message letting you know that your deployment is in process. Status will display on this page as the resources are created. It takes about 10 minutes for the Bastion resource to be created and deployed.

-| Max # categories | 2,000 | 1,000 |

-### SpeechRecognizer, SpeechSynthesizer, IntentRecognizer, ConversationTranscriber, and SourceLanguageRecognizer

-For ```SpeechRecognizer```, ```SpeechSynthesizer```, ```IntentRecognizer```, ```ConversationTranscriber```, and ```SourceLanguageRecognizer``` objects, build the authorization token from the resource ID and the Azure AD access token and then use it to create a ```SpeechConfig``` object.

-The best way to start exploring completions is through our playground in [Azure OpenAI Studio](https://oai.azure.com). It's a simple text box where you can submit a prompt to generate a completion. You can start with a simple example like the following:

-Here are a few examples of using Codex that can be tested in [Azure OpenAI Studio's](https://oai.azure.com) playground with a deployment of a Codex series model, such as `code-davinci-002`.

-Azure OpenAI Service provides REST API access to OpenAI's powerful language models including the GPT-3, Codex and Embeddings model series. In addition, the new GPT-4 and ChatGPT (gpt-35-turbo) model series have now reached general availability. These models can be easily adapted to your specific task including but not limited to content generation, summarization, semantic search, and natural language to code translation. Users can access the service through REST APIs, Python SDK, or our web-based interface in the Azure OpenAI Studio.

-| UI experience | **Azure Portal** for account & resource management, <br> **Azure OpenAI Service Studio** for model exploration and fine tuning |

-### Prompts & Completions

-| Requests per minute per model* | Davinci-models (002 and later): 120 <br> ChatGPT model: 300 <br> GPT-4 models: 18 <br> All other models: 300 |

-| Tokens per minute per model* | Davinci-models (002 and later): 40,000 <br> ChatGPT model: 120,000 <br> GPT-4 8k model: 10,000 <br> GPT-4 32k model: 32,000 <br> All other models: 120,000 |

-Learn more about the [underlying models that power Azure OpenAI](./concepts/models.md).

-| `ENDPOINT` | This value can be found in the **Keys & Endpoint** section when examining your resource from the Azure portal. Alternatively, you can find the value in **Azure OpenAI Studio** > **Playground** > **Code View**. An example endpoint is: `https://docs-test-001.openai.azure.com`.|

-# Custom domain names and managed certificates in Azure Container Apps (preview)