+ <SessionExpiryInSeconds>900</SessionExpiryInSeconds>

+In the table below, any item marked as fixed means that the proper behavior can be found on the SCIM job. We have worked to ensure backwards compatibility for the changes we have made. We recommend using the new behavior for any new implementations and updating existing implementations. Please note that the customappSSO behavior that was the default prior to December 2018 is not supported anymore.

+> For the changes made in 2018, it is possible to revert back to the customappsso behavior. For the changes made since 2018, you can use the URLs to revert back to the older behavior. We have worked to ensure backwards compatibility for the changes we have made by allowing you to revert back to the old jobID or by using a flag. However, as previously mentioned, we do not recommend implementing old behavior as it is not supported anymore. We recommend using the new behavior for any new implementations and updating existing implementations.

+For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true ).

+>Set the domain setting [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true) to `enforceMfaByFederatedIdp` (recommended) or **SupportsMFA** to `$True`. The **federatedIdpMfaBehavior** setting overrides **SupportsMFA** when both are set.

+adobe-target: true

+ Permissions Management creates a copy of the query. Both the copy of the query and the original query display in the **Saved Queries** list.

+ Title: View integration information about an authorization system in Permissions Management

+description: View integration information about an authorization system in Permissions Management.

+> Entra Permissions Management is currently in PREVIEW.

+The **Integrations** dashboard in Permissions Management allows you to view all your authorization systems in one place, and to ensure all applications are functioning as one. This information helps improve quality and performance as a whole.

+Refer to the **Integration** subpages in Permissions Management for information about available authorization systems for integration.

+The following authorization systems may be listed in the **Integrations** dashboard, depending on which systems are integrated into the Permissions Management application.

+- **ServiceNow**: Manages digital workflows for enterprise operations, and the Permissions Management integration allows you to request and approve permissions through the ServiceNow ticketing workflow.

+- **Splunk**: Searches, monitors, and analyzes machine-generated data, and the Permissions Management integration enables exporting usage analytics data, alerts, and logs.

+- **HashiCorp Terraform**: Permissions Management enables the generation of least-privilege policies through the Hashi Terraform provider.

+- **Permissions Management API**: The Permissions Management application programming interface (API) provides access to Permissions Management features.

+<>

+<>

+<>

+ Title: Generate and download the Permissions analytics report in Permissions Management

+description: How to generate and download the Permissions analytics report in Permissions Management.

+> Entra Permissions Management is currently in PREVIEW.

+This article describes how to generate and download the **Permissions analytics report** in Permissions Management.

+1. In the Permissions Management home page, select the **Reports** tab, and then select the **Systems Reports** subtab.

+ Title: View system reports in the Reports dashboard in Permissions Management

+description: How to view system reports in the Reports dashboard in Permissions Management.

+> Entra Permissions Management is currently in PREVIEW.

+Permissions Management has various types of system report types available that capture specific sets of data. These reports allow management to:

+Permissions Management offers the following reports for management associated with the authorization systems noted in parenthesis:

+ Title: Permissions Management training videos

+description: Permissions Management training videos.

+# Entra Permissions Management training videos

+To view step-by-step training videos on how to use Permissions Management features, select a link below.

+## Onboard Permissions Management in your organization

+### Enable Permissions Management in your Azure Active Directory (Azure AD) tenant

+To view a video on how to enable Permissions Management in your Azure AD tenant, select [Enable Permissions Management in your Azure AD tenant](https://www.youtube.com/watch?v=-fkfeZyevoo).

+To view a video on how to configure and onboard Amazon Web Services (AWS) accounts in Permissions Management, select [Configure and onboard AWS accounts](https://www.youtube.com/watch?v=R6K21wiWYmE).

+To view a video on how to configure and onboard Google Cloud Platform (GCP) accounts in Permissions Management, select [Configure and onboard GCP accounts](https://www.youtube.com/watch?app=desktop&v=W3epcOaec28).

+- For an overview of Permissions Management, see [What's Permissions Management?](overview.md)

+- For a list of frequently asked questions (FAQs) about Permissions Management, see [FAQs](faqs.md).

+- For information on how to start viewing information about your authorization system in Permissions Management, see [View key statistics and data about your authorization system](ui-dashboard.md).

+ - Policy 2: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on an Azure AD device object](/graph/api/device-update?view=graph-rest-1.0&tabs=http&preserve-view=true).

+- [Enabling limited access with Exchange Online](/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-worldwide#limit-access-to-exchange-online-from-outlook-on-the-web&preserve-view=true)

+For authentication flows that require a user interaction, MSAL caches the access, refresh, and ID tokens, as well as the `IAccount` object, which represents information about a single account. Learn more about [IAccount](/dotnet/api/microsoft.identity.client.iaccount?view=azure-dotnet&preserve-view=true). For application flows, such as [client credentials](msal-authentication-flows.md#client-credentials), only access tokens are cached, because the `IAccount` object and ID token require a user, and the refresh token is not applicable.

+For .NET 5, target `net5.0-windows10.0.17763.0` (or higher) and not just `net5.0`. Your app will still run on older versions of Windows if you add `<SupportedOSPlatformVersion>7</SupportedOSPlatformVersion>` in the csproj. MSAL will use a browser when WAM isn't available.

+- Enhanced security (your app doesn't have to manage the powerful refresh token)

+- B2C and ADFS authorities aren't supported. MSAL will fall back to a browser.

+- Available on Win10+ and Win Server 2019+. On Mac, Linux, and earlier versions of Windows, MSAL will fall back to a browser.

+Call `.WithBroker(true)`. If a broker isn't present (for example, Win8.1, Mac, or Linux), then MSAL will fall back to a browser. Redirect URI rules apply to the browser.

+WAM redirect URIs don't need to be configured in MSAL, but they must be configured in the app registration.

+It's important to persist MSAL's token cache because MSAL needs to save internal WAM account IDs there. Without it, restarting the app means that `GetAccounts` API will miss some of the accounts. On UWP, MSAL knows where to save the token cache.

+In addition, WAM can list the OS-wide Work and School accounts configured in Windows (for Win32 apps but not for UWP apps). To opt-into this feature, set `ListWindowsWorkAndSchoolAccounts` in `WindowsBrokerOptions` to **true**. You can enable it as below.

+> Microsoft (outlook.com etc.) accounts will not be listed in Win32 nor UWP for privacy reasons.

+- Removes all account information from MSAL's token cache (this includes MSA, that is, personal accounts information copied by MSAL into its cache).

+- WAM's interactive operations require being on the UI thread. MSAL throws a meaningful exception when not on UI thread. This doesn't apply to console apps.

+- WAM isn't able to pre-populate the username field with a login hint, unless a Work and School account with the same username is found in Windows.

+- New accounts are automatically remembered by Windows. Work and School have the option of joining the organization's directory or opting out completely, in which case the account won't appear under "Email & Accounts". Microsoft accounts are automatically added to Windows. Apps can't list these accounts programmatically (but only through the Account Picker).

+### "Either the user canceled the authentication or the WAM Account Picker crashed because the app is running in an elevated process" error message

+One solution is to not run the app as elevated, if possible. Another solution is for the app developer to call `WindowsNativeUtils.InitializeProcessSecurity` method when the app starts up. This will set the security of the processes used by WAM to the same levels. See [this sample app](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/master/tests/devapps/WAM/NetCoreWinFormsWam/Program.cs#L18-L21) for an example. However, note, that this solution isn't guaranteed to succeed to due external factors like the underlying CLR behavior. In that case, an `MsalClientException` will be thrown. For more information, see issue [#2560](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2560).

+Install the [Microsoft Graph Identity Sign-ins module](/powershell/module/microsoft.graph.identity.signins/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Identity.SignIns) and the [Microsoft Graph Users module](/powershell/module/microsoft.graph.users/?view=graph-powershell-beta&preserve-view=true) (Microsoft.Graph.Users).

+adobe-target: true

+This article addresses recovering from soft and hard deletions in your Azure Active Directory (Azure AD) tenant. If you haven't already done so, read [Recoverability best practices](recoverability-overview.md) for foundational knowledge.

+The [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md) contains information on all delete operations performed in your tenant. Export these logs to a security information and event management tool such as [Microsoft Sentinel](../../sentinel/overview.md).

+You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on how to find deleted items by using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0](/graph/api/directory-deleteditems-list?tabs=http).

+### Audit log

+The Audit log always records a "Delete \<object\>" event when an object in the tenant is removed from an active state by either a soft or hard deletion.

+[](./media/recoverability/delete-audit-log.png#lightbox)

+A delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete. Track the occurrence of hard-delete events by comparing "Delete \<object\>" events with the type of object that was deleted. Note the events that don't support soft delete. Also note "Hard Delete \<object\>" events.

+| All other objects| Delete "objectType"| Hard deleted |

+> The Audit log doesn't distinguish the group type of a deleted group. Only Microsoft 365 Groups are soft deleted. If you see a Delete group entry, it might be the soft delete of a Microsoft 365 Group or the hard delete of another type of group.

+>

+>*It's important that your documentation of your known good state includes the group type for each group in your organization*. To learn more about documenting your known good state, see [Recoverability best practices](recoverability-overview.md).

+A sudden increase in support tickets about access to a specific object might indicate that a deletion occurred. Because some objects have dependencies, deletion of a group used to access an application, an application itself, or a Conditional Access policy that targets an application can all cause broad sudden impact. If you see a trend like this, check to ensure that none of the objects required for access were deleted.

+When objects such as users, Microsoft 365 Groups, or application registrations are soft deleted, they enter a suspended state in which they aren't available for use by other services. In this state, items retain their properties and can be restored for 30 days. After 30 days, objects in the soft-deleted state are permanently, or hard, deleted.

+> Objects can't be restored from a hard-deleted state. They must be re-created and reconfigured.

+It's important to understand why object deletions occur in your environment so that you can prepare for them. This section outlines frequent scenarios for soft deletion by object class. You might see scenarios that are unique to your organization, so a discovery process is key to preparation.

+Users enter the soft-delete state anytime the user object is deleted by using the Azure portal, Microsoft Graph, or PowerShell.

+* An administrator intentionally deletes a user in the Azure AD portal in response to a request or as part of routine user maintenance.

+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you might have a script that removes users who haven't signed in for a specified time.

+* A user is moved out of scope for synchronization with Azure AD Connect.

+* A user is removed from an HR system and is deprovisioned via an automated workflow.

+* An administrator intentionally deletes the group, for example, in response to a support request.

+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you might have a script that deletes groups that haven't been accessed or attested to by the group owner for a specified time.

+* Unintentional deletion of a group owned by non-admins.

+* An administrator intentionally deletes the application, for example, in response to a support request.

+* An automation script in Microsoft Graph or PowerShell triggers the deletion. For example, you might want a process for deleting abandoned applications that are no longer used or managed. In general, create an offboarding process for applications rather than scripting to avoid unintentional deletions.

+| Users (including external users)| *All properties are maintained*, including ObjectID, group memberships, roles, licenses, and application assignments. |

+| Microsoft 365 Groups| *All properties are maintained*, including ObjectID, group memberships, licenses, and application assignments. |

+| Application registration| *All properties are maintained.* (See more information after this table.) |

+When you delete an application, the application registration by default enters the soft-delete state. To understand the relationship between application registrations and service principals, see [Apps and service principals in Azure AD - Microsoft identity platform](/azure/active-directory/develop/app-objects-and-service-principals).

+You can restore soft-deleted items in the Azure portal or with Microsoft Graph.

+You can see soft-deleted users in the Azure portal on the **Users | Deleted users** page.

+

+For more information on how to restore users, see the following documentation:

+* To restore from the Azure portal, see [Restore or permanently remove recently deleted user](active-directory-users-restore.md).

+* To restore by using Microsoft Graph, see [Restore deleted item ΓÇô Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http).

+You can see soft-deleted Microsoft 365 Groups in the Azure portal on the **Groups | Deleted groups** page.

+

+For more information on how to restore soft-deleted Microsoft 365 Groups, see the following documentation:

+* To restore from the Azure portal, see [Restore a deleted Microsoft 365 Group](../enterprise-users/groups-restore-deleted.md).

+* To restore by using Microsoft Graph, see [Restore deleted item ΓÇô Microsoft Graph v1.0](/graph/api/directory-deleteditems-restore?tabs=http).

+Applications have two objects: the application registration and the service principal. For more information on the differences between the registration and the service principal, see [Apps and service principals in Azure AD](/azure/active-directory/develop/app-objects-and-service-principals).

+To restore an application from the Azure portal, select **App registrations** > **Deleted applications**. Select the application registration to restore, and then select **Restore app registration**.

+[](./media/recoverability/deletion-restore-application.png#lightbox)

+A hard deletion is the permanent removal of an object from your Azure AD tenant. Objects that don't support soft delete are removed in this way. Similarly, soft-deleted objects are hard deleted after a deletion time of 30 days. The only object types that support a soft delete are:

+> All other item types are hard deleted. When an item is hard deleted, it can't be restored. It must be re-created. Neither administrators nor Microsoft can restore hard-deleted items. Prepare for this situation by ensuring that you have processes and documentation to minimize potential disruption from a hard delete.

+>

+> For information on how to prepare for and document current states, see [Recoverability best practices](recoverability-overview.md).

+Moving from soft to hard delete:

+* An administrator intentionally deletes an object in the soft delete state.

+Directly hard deleted:

+* The object type that was deleted doesn't support soft delete.

+* An administrator chooses to permanently delete an item by using the portal, which typically occurs in response to a request.

+* An automation script triggers the deletion of the object by using Microsoft Graph or PowerShell. Use of an automation script to clean up stale objects isn't uncommon. A robust off-boarding process for objects in your tenant helps you to avoid mistakes that might result in mass deletion of critical objects.

+Hard-deleted items must be re-created and reconfigured. It's best to avoid unwanted hard deletions.

+### Review soft-deleted objects

+Ensure you have a process to frequently review items in the soft-delete state and restore them if appropriate. To do so, you should:

+* Frequently [list deleted items](/graph/api/directory-deleteditems-list?tabs=http).

+* Ensure that you have specific roles or users assigned to evaluate and restore items as appropriate.

+* Develop and test a continuity management plan. For more information, see [Considerations for your Enterprise Business Continuity Management Plan](/compliance/assurance/assurance-developing-your-ebcm-plan).

+For more information on how to avoid unwanted deletions, see the following topics in [Recoverability best practices](recoverability-overview.md):

+Configuration settings in Azure Active Directory (Azure AD) can affect any resource in the Azure AD tenant through targeted or tenant-wide management actions.

+Configurations are any changes in Azure AD that alter the behavior or capabilities of an Azure AD service or feature. For example, when you configure a Conditional Access policy, you alter who can access the targeted applications and under what circumstances.

+You need to understand the configuration items that are important to your organization. The following configurations have a high impact on your security posture.

+### Tenant-wide configurations

+* **External identities**: Global administrators for the tenant identify and control the external identities that can be provisioned in the tenant. They determine:

+ * From which domains external identities can be added.

+* **Named locations**: Global administrators can create named locations, which can then be used to:

+ * Trigger Conditional Access policies like multifactor authentication.

+* **Allowed authentication methods**: Global administrators set the authentication methods allowed for the tenant.

+* **Self-service options**: Global administrators set self-service options like self-service password reset and create Office 365 groups at the tenant level.

+* If named locations are configured, a resource administrator can configure policies that either allow or exclude access from those locations.

+Conditional Access policies are access control configurations that bring together signals to make decisions and enforce organizational policies.

+

+To learn more about Conditional Access policies, see [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md).

+> While configuration alters the behavior or capabilities of an object or policy, not all changes to an object are configuration. You can change the data or attributes associated with an item, like changing a user's address, without affecting the capabilities of that user object.

+## What is misconfiguration?

+Misconfiguration is a configuration of a resource or policy that diverges from your organizational policies or plans and causes unintended or unwanted consequences.

+* Changing how administrators, tenant users, and external users interact with resources in your tenant:

+* Changing the ability of your users to interact with other tenants and external users to interact with your tenant.

+* Causing denial of service, for example, by not allowing customers to access their accounts.

+* An action was carried out with malicious intent by a bad actor.

+* Using Privileged Identity Management (PIM) to ensure that administrators with intent to change must deliberately escalate their privileges to do so. To learn more about PIM, see [What is Privileged Identity Management?](../privileged-identity-management/pim-configure.md).

+While you want to prevent misconfiguration, you can't set the bar for changes so high that it affects the ability of administrators to perform their work efficiently.

+Closely monitor for configuration changes by watching for the following operations in your [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md):

+* Update

+* Set

+* Delete

+The following table includes informative entries in the Audit log you can look for.

+Conditional Access policies are created on the **Conditional Access** page in the Azure portal. Changes to policies are made on the **Conditional Access policy details** page for the policy.

+| Conditional Access| Add, update, or delete Conditional Access policy| User access is granted or blocked when it shouldnΓÇÖt be. |

+| Conditional Access| Add, update, or delete named location| Network locations consumed by the Conditional Access policy aren't configured as intended, which creates gaps in Conditional Access policy conditions. |

+| Authentication method| Update authentication methods policy| Users can use weaker authentication methods or are blocked from a method they should use. |

+User settings changes are made on the Azure AD portal **User settings** page. Password reset changes are made on the **Password reset** page. Changes made on these pages are captured in the Audit log as detailed in the following table.

+| Core directory| Update company settings| Users might or might not be able to register applications, contrary to intent. |

+| Core directory| Set company information| Users might or might not be able to access the Azure AD administration portal, contrary to intent. <br>Sign-in pages don't represent the company brand, with potential damage to reputation. |

+| Core directory| **Activity**: Updated service principal<br>**Target**: 0365 LinkedIn connection| Users might or might not be able to connect their Azure AD account with LinkedIn, contrary to intent. |

+| Self-service group management| Update MyApps feature value| Users might or might not be able to use user features, contrary to intent. |

+| Self-service group management| Update ConvergedUXV2 feature value| Users might or might not be able to use user features, contrary to intent. |

+| Self-service group management| Update MyStaff feature value| Users might or might not be able to use user features, contrary to intent. |

+| Core directory| **Activity**: Update service principal<br>**Target**: Microsoft password reset service| Users are able or unable to reset their password, contrary to intent. <br>Users are required or not required to register for self-service password reset, contrary to intent.<br> Users can reset their password by using methods that are unapproved, for example, by using security questions. |

+You can make changes to these settings on the **External identities** or **External collaboration** settings pages in the Azure AD portal.

+| Core directory| Add, update, or delete a partner to cross-tenant access setting| Users have outbound access to tenants that should be blocked.<br>Users from external tenants who should be blocked have inbound access. |

+| Core directory| Set directory feature on tenant| External users have greater or less visibility of directory objects than intended.<br>External users might or might not invite other external users to your tenant, contrary to intent. |

+| Core directory| Set federation settings on domain| External user invitations might or might not be sent to users in other tenants, contrary to intent. |

+| AuthorizationPolicy| Update authorization policy| External user invitations might or might not be sent to users in other tenants, contrary to intent. |

+| Core directory| Update policy| External user invitations might or might not be sent to users in other tenants, contrary to intent. |

+| Service filter| Activities/portal| Potential impacts |

+| Core directory| Add role definition| Custom role scope is narrower or broader than intended. |

+| PIM| Update role setting| Custom role scope is narrower or broader than intended. |

+| Core directory| Update role definition| Custom role scope is narrower or broader than intended. |

+| Core directory| Delete role definition| Custom roles are missing. |

+| Core directory| Add delegated permission grant| Mobile device management or mobile application management configuration is missing or misconfigured, which leads to the failure of device or application management. |

+Selecting some audit entries in the Audit log will provide you with details on the old and new configuration values. For example, for Conditional Access policy configuration changes, you can see the information in the following screenshot.

+

+Azure Monitor workbooks can help you monitor configuration changes.

+The [Sensitive operations report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) can help identify suspicious application and service principal activity that might indicate a compromise, including:

+* Modified application or service principal credentials or authentication methods.

+* New permissions granted to service principals.

+* Directory role and group membership updates for service principals.

+* Modified federation settings.

+The [Cross-tenant access activity workbook](../reports-monitoring/workbook-cross-tenant-access-activity.md) can help you monitor which applications in external tenants your users are accessing and which applications your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.

+- For foundational information on recoverability, see [Recoverability best practices](recoverability-overview.md).

+- For information on recovering from deletions, see [Recover from deletions](recover-from-deletions.md).

+Unintended deletions and misconfigurations will happen to your tenant. To minimize the impact of these unintended events, you must prepare for their occurrence.

+Recoverability is the preparatory processes and functionality that enable you to return your services to a prior functioning state after an unintended change. Unintended changes include the soft or hard deletion or misconfiguration of applications, groups, users, policies, and other objects in your Azure Active Directory (Azure AD) tenant.

+Recoverability helps your organization be more resilient. Resilience, while related, is different. Resilience is the ability to endure disruption to system components and recover with minimal impact to your business, users, customers, and operations. For more information about how to make your systems more resilient, see [Building resilience into identity and access management with Azure Active Directory](resilience-overview.md).

+This article describes the best practices in preparing for deletions and misconfigurations to minimize the unintended consequences to your organization's business.

+Users, Microsoft 365 Groups, and applications can be soft deleted. Soft-deleted items are sent to the Azure AD recycle bin. While in the recycle bin, items aren't available for use. However, they retain all their properties and can be restored via a Microsoft Graph API call or in the Azure AD portal. Items in the soft-delete state that aren't restored within 30 days are permanently, or hard, deleted.

+

+> All other object types are hard deleted immediately when they're selected for deletion. When an object is hard deleted, it can't be recovered. It must be re-created and reconfigured.

+>

+>For more information on deletions and how to recover from them, see [Recover from deletions](recover-from-deletions.md).

+Misconfigurations are configurations of a resource or policy that diverge from your organizational policies or plans and cause unintended or unwanted consequences. Misconfiguration of tenant-wide settings or Conditional Access policies can seriously affect your security and the public image of your organization. Misconfigurations can:

+* Change how administrators, tenant users, and external users interact with resources in your tenant.

+* Change the ability of your users to interact with other tenants and external users to interact with your tenant.

+* Cause denial of service.

+* Break dependencies among data, systems, and applications.

+For more information on misconfigurations and how to recover from them, see [Recover from misconfigurations](recover-from-misconfigurations.md).

+## Shared responsibility

+Recoverability is a shared responsibility between Microsoft as your cloud service provider and your organization.

+

+Restoring a hard-deleted or misconfigured item is a resource-intensive process. You can minimize the resources needed by planning ahead. Consider having a specific team of admins in charge of restorations.

+Rehearse your restoration process for different object types and the communication that will go out as a result. Be sure to rehearse with test objects, ideally in a test tenant.

+Testing your plan can help you determine the:

+Create a process of predefined communications to make others aware of the issue and timelines for restoration. Include the following points in your restoration communication plan:

+- The types of communications to go out. Consider creating predefined templates.

+- Stakeholders to receive communications. Include the following groups, as applicable:

+ - Affected business owners.

+ - Operational admins who will perform recovery.

+ - Affected users.

+- Define the events that trigger communications, such as:

+ - Initial deletion.

+ - Impact assessment.

+ - Time to resolution.

+ - Restoration.

+Document the state of your tenant and its objects regularly. Then if a hard delete or misconfiguration occurs, you have a roadmap to recovery. The following tools can help you document your current state:

+- [Microsoft Graph APIs](/graph/overview) can be used to export the current state of many Azure AD configurations.

+- [Azure AD Exporter](https://github.com/microsoft/azureadexporter) is a tool you can use to export your configuration settings.

+- [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) is a module of the PowerShell Desired State Configuration framework. You can use it to export configurations for reference and application of the prior state of many settings.

+- [Conditional Access APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) can be used to manage your Conditional Access policies as code.

+You can use Microsoft Graph APIs to export the current state of many Azure AD configurations. The APIs cover most scenarios where reference material about the prior state, or the ability to apply that state from an exported copy, could become vital to keeping your business running.

+Microsoft Graph APIs are highly customizable based on your organizational needs. To implement a solution for backups or reference material requires developers to engineer code to query for, store, and display the data. Many implementations use online code repositories as part of this functionality.

+### Useful APIs for recovery

+| Administrative units| [administrative unit API)](/graph/api/resources/administrativeunit) |

+| Deleted items*| [deletedItems API](/graph/api/resources/directory) |

+*Securely store these configuration exports with access provided to a limited number of admins.

+The [Azure AD Exporter](https://github.com/microsoft/azureadexporter) can provide most of the documentation you need:

+> Settings in the legacy multifactor authentication portal for Application Proxy and federation settings might not be exported with the Azure AD Exporter, or with the Microsoft Graph API.

+The [Microsoft 365 Desired State Configuration](https://github.com/microsoft/Microsoft365DSC/wiki/What-is-Microsoft365DSC) module uses Microsoft Graph and PowerShell to retrieve the state of many of the configurations in Azure AD. This information can be used as reference information or, by using PowerShell Desired State Configuration scripting, to reapply a known good state.

+ Use [Conditional Access Graph APIs](https://github.com/Azure-Samples/azure-ad-conditional-access-apis) to manage policies like code. Automate approvals to promote policies from preproduction environments, backup and restore, monitor change, and plan ahead for emergencies.

+### Map the dependencies among objects

+The deletion of some objects can cause a ripple effect because of dependencies. For example, deletion of a security group used for application assignment would result in users who were members of that group being unable to access the applications to which the group was assigned.

+| Object type| Potential dependencies |

+| Application object| Service principal (enterprise application). <br>Groups assigned to the application. <br>Conditional Access policies affecting the application. |

+| Service principals| Application object. |

+| Conditional Access policies| Users assigned to the policy.<br>Groups assigned to the policy.<br>Service principal (enterprise application) targeted by the policy. |

+| Groups other than Microsoft 365 Groups| Users assigned to the group.<br>Conditional Access policies to which the group is assigned.<br>Applications to which the group is assigned access. |

+The [Azure AD Audit log](../reports-monitoring/concept-audit-logs.md) contains information on all delete and configuration operations performed in your tenant. We recommend that you export these logs to a security information and event management tool such as [Microsoft Sentinel](../../sentinel/overview.md). You can also use Microsoft Graph to audit changes and build a custom solution to monitor differences over time. For more information on finding deleted items by using Microsoft Graph, see [List deleted items - Microsoft Graph v1.0 ](/graph/api/directory-deleteditems-list?tabs=http).

+The Audit log always records a "Delete \<object\>" event when an object in the tenant is removed from an active state, either from active to soft deleted or active to hard deleted.

+A Delete event for applications, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete.

+| Object type | Activity in log| Result |

+> The Audit log doesn't distinguish the group type of a deleted group. Only Microsoft 365 Groups are soft deleted. If you see a Delete group entry, it might be the soft delete of a Microsoft 365 Group or the hard delete of another type of group. Your documentation of your known good state should include the group type for each group in your organization.

+For information on monitoring configuration changes, see [Recover from misconfigurations](recover-from-misconfigurations.md).

+Azure Monitor workbooks can help you monitor configuration changes.

+The [Sensitive operations report workbook](../reports-monitoring/workbook-sensitive-operations-report.md) can help identify suspicious application and service principal activity that might indicate a compromise, including:

+- Modified application or service principal credentials or authentication methods.

+- New permissions granted to service principals.

+- Directory role and group membership updates for service principals.

+- Modified federation settings.

+The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing and which applications in your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.

+## Operational security

+Preventing unwanted changes is far less difficult than needing to re-create and reconfigure objects. Include the following tasks in your change management processes to minimize accidents:

+- Use a least privilege model. Ensure that each member of your team has the least privileges necessary to complete their usual tasks. Require a process to escalate privileges for more unusual tasks.

+- Administrative control of an object enables configuration and deletion. Use read-only admin roles, for example, the Global Reader role, for tasks that don't require operations to create, update, or delete (CRUD). When CRUD operations are required, use object-specific roles when possible. For example, User administrators can delete only users, and Application administrators can delete only applications. Use these more limited roles whenever possible, instead of a Global administrator role, which can delete anything, including the tenant.

+- [Use Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md). PIM enables just-in-time escalation of privileges to perform tasks like hard deletion. You can configure PIM to have notifications or approvals for the privilege escalation.

+## Next steps

+- [Recover from deletions](recover-from-deletions.md)

+- [Recover from misconfigurations](recover-from-misconfigurations.md)

+| thumbnailphoto |X |X | |synced only once from Azure AD to Exchange Online after which Exchange Online becomes source of authority for this attribute and any later changes can't be synced from on-premises. See ([KB](https://support.microsoft.com/help/3062745/user-photos-aren-t-synced-from-the-on-premises-environment-to-exchange)) for more.|

+Set the HRD policy using Microsoft Graph. See [homeRealmDiscoveryPolicy](/graph/api/resources/homeRealmDiscoveryPolicy?view=graph-rest-1.0&preserve-view=true) resource type for information on how to create the policy.

+ 

+ | `https://<SUBDOMAIN>.igrafxcloud.com/saml/metadata` |

+ | `https://<SUBDOMAIN>.igrafxdemo.com/saml/metadata` |

+ | `https://<SUBDOMAIN>.igrafxtraining.com/saml/metadata` |

+ | `https://<SUBDOMAIN>.igrafx.com/saml/metadata` |

+ | `https://<SUBDOMAIN>.igrafxcloud.com/` |

+ | `https://<SUBDOMAIN>.igrafxdemo.com/` |

+ | `https://<SUBDOMAIN>.igrafxtraining.com/` |

+ | `https://<SUBDOMAIN>.igrafx.com/` |

+ | `https://<SUBDOMAIN>.igrafxcloud.com/` |

+ | `https://<SUBDOMAIN>.igrafxdemo.com/` |

+ | `https://<SUBDOMAIN>.igrafxtraining.com/` |

+ | `https://<SUBDOMAIN>.igrafx.com/` |

+ 

+ Title: 'Tutorial: Azure AD SSO integration with Rackspace SSO'

+# Tutorial: Azure AD SSO integration with Rackspace SSO

+* Rackspace SSO supports **IDP** initiated SSO.

+2. **[Configure Rackspace SSO](#configure-rackspace-sso)** - to configure the Single Sign-On settings on application side.

+ 

+4. On the **Basic SAML Configuration** section, upload the **Service Provider metadata file** which you can download from the [URL](https://login.rackspace.com/federate/sp.xml) and perform the following steps:

+ 

+ 

+ 

+## Configure Rackspace SSO

+ 1. Create a new Identity Provider.

+ 

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Rackspace SSO for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Rackspace SSO tile in the My Apps, you should be automatically signed in to the Rackspace SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+ 

+Once you configure Rackspace SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+If `IdPAttributeProfile = azure`,the profile sets the NameIDFormat to persistent, among other settings and overrides any other specified attributes defined in the configuration [file](https://docs.rstudio.com/connect/admin/authentication/saml/#the-azure-profile).

+This becomes an issue if you want to create a user ahead of time using the RStudio Connect API and apply permissions prior to the user logging in the first time. The NameIDFormat should be set to emailAddress or some other unique identifier because when it's set to persistent, then the value gets hashed and you don't know what the value is ahead of time. So using the API will not work.

+API for creating user for SAML: https://docs.rstudio.com/connect/api/#post-/v1/users

+So you may want to have this in your configuration file in this situation:

+```

+[SAML]

+NameIDFormat = emailAddress

+UniqueIdAttribute = NameID

+UsernameAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

+FirstNameAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

+LastNameAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

+EmailAttribute = http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailAddress

+```

+1. Log in to [TAP App Security back-end control panel](https://app.tapappsecurity.com/).

+1. Navigate to **Single Sign On > Active Directory**.

+1. Click on the **Integrate Active Directory app** button. Then enter the domain of your organization and click **Save** button.

+ [](media/tap-app-security-provisioning-tutorial/add-domain.png#lightbox)

+1. After entering the domain, a new line in the table appears showing domain name and its status as **initialize**. Click on the gear icon to reveal technical data about TAP app Security server and to complete initialization.

+ [](media/tap-app-security-provisioning-tutorial/initialize.png#lightbox)

+1. Technical data about TAP App Security servers is revealed.You can now copy the **Tenant Url** and **Authorization Token** from this page to be used later on while setting up provisioning in Azure AD.

+ [](media/tap-app-security-provisioning-tutorial/domain-details.png#lightbox)

+[keda-scalers]: https://keda.sh/docs/latest/scalers/

+[keda-event-docs]: https://keda.sh/docs/latest/operate/events/

+ image: mcr.microsoft.com/dotnet/runtime-deps:6.0

+ image: mcr.microsoft.com/dotnet/runtime-deps:6.0

+ image: mcr.microsoft.com/dotnet/runtime-deps:6.0

+ image: mcr.microsoft.com/dotnet/runtime-deps:6.0

+az aks show --resource-group myResourceGroup --name myAKSCluster --query="agentPoolProfiles[].{Name:name enableFips:enableFips}" -o table

+kubectl debug node/aks-fipsnp-12345678-vmss000000 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0

+ kubernetes.azure.com/tls-cert-keyvault-uri: myapp-contoso.vault.azure.net/certificates/keyvault-certificate-name/keyvault-certificate-name-revision

+These annotations in the service manifest would direct Web Application Routing to create an ingress servicing `myapp.contoso.com` connected to the keyvault `myapp-contoso` and will retrieve the `keyvault-certificate-name` with `keyvault-certificate-name-revision`

+Create a file named **samples-web-app-routing.yaml** and copy in the following YAML. On line 29-31, update `<MY_HOSTNAME>` with your DNS host name and `<MY_KEYVAULT_URI>` with the full certficicate vault URI.

+ annotations:

+ kubernetes.azure.com/ingress-host: <MY_HOSTNAME>

+ kubernetes.azure.com/tls-cert-keyvault-uri: <MY_KEYVAULT_URI>

+For architectural guidance, see:

+* **Basic enterprise integration**: [Reference architecture](/azure/architecture/reference-architectures/enterprise-integration/basic-enterprise-integration?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)

+* **API Management landing zone accelerator**: [Reference architecture](/azure/architecture/example-scenario/integration/app-gateway-internal-api-management-function?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) and [design guidance](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/land?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)

+For architectural guidance, see:

+* **API Management landing zone accelerator**: [Reference architecture](/azure/architecture/example-scenario/integration/app-gateway-internal-api-management-function?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) and [design guidance](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/land?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)

+With the release of API version **2022-06-30-preview**, custom template models will add support for **cross page** tabular fields (tables):

+* As a best practice, ensure that your dataset contains a few samples of the expected variations. For example, include samples where the entire table is on a single page and where tables span two or more pages if you expect to see those variations in documents.

+ > [Form Recognizer API v2.1](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm)

+* [🆕 **Invoice model output now includes general document key-value pairs**](concept-invoice.md). Where invoices contain required fields beyond the fields included in the prebuilt model, the general document model supplements the output with key-value pairs. _See_ [key value pairs](concept-invoice.md#key-value-pairs-preview).

+* [🆕 **Invoice language expansion**](concept-invoice.md). The invoice model includes expanded language support. _See_ [supported languages](concept-invoice.md#supported-languages-and-locales).

+* [🆕 **Prebuilt business card**](concept-business-card.md) now includes Japanese language support. _See_ [supported languages](concept-business-card.md#supported-languages-and-locales).

+* [🆕 **Prebuilt ID document model**](concept-id-document.md). The ID document model now extracts DateOfIssue, Height, Weight, EyeColor, HairColor, and DocumentDiscriminator from US driver's licenses. _See_ [field extraction](concept-id-document.md#id-document-preview-field-extraction).

+ Title: Examples of an Azure Attestation token

+description: Examples of Azure Attestation token

+# Examples of an attestation token

+Attestation policy is used to process the attestation evidence and determine whether Azure Attestation will issue an attestation token. Attestation token generation can be controlled with custom policies. Below are some examples of an attestation policy.

+## Sample JWT generated for SGX attestation

+```

+{

+ "alg": "RS256",

+ "jku": "https://tradewinds.us.attest.azure.net/certs",

+ "kid": <self signed certificate reference to perform signature verification of attestation token,

+ "typ": "JWT"

+}.{

+ "aas-ehd": <input enclave held data>,

+ "exp": 1568187398,

+ "iat": 1568158598,

+ "is-debuggable": false,

+ "iss": "https://tradewinds.us.attest.azure.net",

+ "maa-attestationcollateral":

+ {

+ "qeidcertshash": <SHA256 value of QE Identity issuing certs>,

+ "qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,

+ "qeidhash": <SHA256 value of the QE Identity collateral>,

+ "quotehash": <SHA256 value of the evaluated quote>,

+ "tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,

+ "tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,

+ "tcbinfohash": <SHA256 value of the TCB Info collateral>

+ },

+ "maa-ehd": <input enclave held data>,

+ "nbf": 1568158598,

+ "product-id": 4639,

+ "sgx-mrenclave": <SGX enclave mrenclave value>,

+ "sgx-mrsigner": <SGX enclave msrigner value>,

+ "svn": 0,

+ "tee": "sgx"

+ "x-ms-attestation-type": "sgx",

+ "x-ms-policy-hash": <>,

+ "x-ms-sgx-collateral":

+ {

+ "qeidcertshash": <SHA256 value of QE Identity issuing certs>,

+ "qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,

+ "qeidhash": <SHA256 value of the QE Identity collateral>,

+ "quotehash": <SHA256 value of the evaluated quote>,

+ "tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,

+ "tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,

+ "tcbinfohash": <SHA256 value of the TCB Info collateral>

+ },

+ "x-ms-sgx-ehd": <>,

+ "x-ms-sgx-is-debuggable": true,

+ "x-ms-sgx-mrenclave": <SGX enclave mrenclave value>,

+ "x-ms-sgx-mrsigner": <SGX enclave msrigner value>,

+ "x-ms-sgx-product-id": 1,

+ "x-ms-sgx-svn": 1,

+ "x-ms-ver": "1.0",

+ "x-ms-sgx-config-id": "000102030405060708090a0b0c0d8f99000102030405060708090a0b0c860e9a000102030405060708090a0b7d0d0e9b000102030405060708090a740c0d0e9c",

+ "x-ms-sgx-config-svn": 3451,

+ "x-ms-sgx-isv-extended-product-id": "8765432143211234abcdabcdef123456",

+ "x-ms-sgx-isv-family-id": "1234567812344321abcd1234567890ab"

+}.[Signature]

+```

+Some of the claims used above are considered deprecated but are fully supported. It is recommended that all future code and tooling use the non-deprecated claim names. See [claims issued by Azure Attestation](claim-sets.md) for more information.

+The below claims will appear only in the attestation token generated for Intel® Xeon® Scalable processor-based server platforms. The claims will not appear if the SGX enclave is not configured with [Key Separation and Sharing Support](https://github.com/openenclave/openenclave/issues/3054)

+**x-ms-sgx-config-id**

+**x-ms-sgx-config-svn**

+**x-ms-sgx-isv-extended-product-id**

+**x-ms-sgx-isv-family-id**

+## Sample JWT generated for SEV-SNP attestation

+```

+{

+ΓÇ» "exp": 1649970020,

+ΓÇ» "iat": 1649941220,

+ΓÇ» "iss": "https://maasandbox0001.wus.attest.azure.net",

+ΓÇ» "jti": "b65da1dcfbb4698b0bb2323cac664b745a2ff1cffbba55641fd65784aa9474d5",

+ΓÇ» "nbf": 1649941220,

+ΓÇ» "x-ms-attestation-type": "sevsnpvm",

+ΓÇ» "x-ms-compliance-status": "azure-compliant-cvm",

+ΓÇ» "x-ms-policy-hash": "LTPRQQju-FejAwdYihF8YV_c2XWebG9joKvrHKc3bxs",

+ΓÇ» "x-ms-runtime": {

+ΓÇ» ΓÇ» "keys": [

+ΓÇ» ΓÇ» ΓÇ» {

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "e": "AQAB",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "key_ops": ["encrypt"],

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "kid": "HCLTransferKey",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "kty": "RSA",

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» "n": "ur08DccjGGzRo3OIq445n00Q3OthMIbR3SWIzCcicIM_7nPiVF5NBIknk2zdHZN1iiNhIzJezrXSqVT7Ty1Dl4AB5xiAAqxo7xGjFqlL47NA8WbZRMxQtwlsOjZgFxosDNXIt6dMq7ODh4nj6nV2JMScNfRKyr1XFIUK0XkOWvVlSlNZjaAxj8H4pS0yNfNwr1Q94VdSn3LPRuZBHE7VrofHRGSHJraDllfKT0-8oKW8EjpMwv1ME_OgPqPwLyiRzr99moB7uxzjEVDe55D2i2mPrcmT7kSsHwp5O2xKhM68rda6F-IT21JgdhQ6n4HWCicslBmx4oqkI-x5lVsRkQ"

+ΓÇ» ΓÇ» ΓÇ» }

+ΓÇ» ΓÇ» ],

+ΓÇ» ΓÇ» "vm-configuration": {

+ΓÇ» ΓÇ» ΓÇ» "secure-boot": true,

+ΓÇ» ΓÇ» ΓÇ» "secure-boot-template-id": "1734c6e8-3154-4dda-ba5f-a874cc483422",

+ΓÇ» ΓÇ» ΓÇ» "tpm-enabled": true,

+ΓÇ» ΓÇ» ΓÇ» "vmUniqueId": "AE5CBB2A-DC95-4870-A74A-EE4FB33B1A9C"

+ΓÇ» ΓÇ» }

+ΓÇ» },

+ΓÇ» "x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",

+ΓÇ» "x-ms-sevsnpvm-bootloader-svn": 0,

+ΓÇ» "x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",

+ΓÇ» "x-ms-sevsnpvm-guestsvn": 1,

+ΓÇ» "x-ms-sevsnpvm-hostdata": "0000000000000000000000000000000000000000000000000000000000000000",

+ΓÇ» "x-ms-sevsnpvm-idkeydigest": "38ed94f9aab20bc5eb40e89c7cbb03aa1b9efb435892656ade789ccaa0ded82ff18bae0e849c3166351ba1fa7ff620a2",

+ΓÇ» "x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",

+ΓÇ» "x-ms-sevsnpvm-is-debuggable": false,

+ΓÇ» "x-ms-sevsnpvm-launchmeasurement": "04a170f39a3f702472ed0c7ecbda9babfc530e3caac475fdd607ff499177d14c278c5a15ad07ceacd5230ae63d507e9d",

+ΓÇ» "x-ms-sevsnpvm-microcode-svn": 40,

+ΓÇ» "x-ms-sevsnpvm-migration-allowed": false,

+ΓÇ» "x-ms-sevsnpvm-reportdata": "99dd4593a43f4b0f5f10f1856c7326eba309b943251fededc15592e3250ca9e90000000000000000000000000000000000000000000000000000000000000000",

+ΓÇ» "x-ms-sevsnpvm-reportid": "d1d5c2c71596fae601433ecdfb62799de2a785cc08be3b1c8a4e26a381494787",

+ΓÇ» "x-ms-sevsnpvm-smt-allowed": true,

+ΓÇ» "x-ms-sevsnpvm-snpfw-svn": 0,

+ΓÇ» "x-ms-sevsnpvm-tee-svn": 0,

+ΓÇ» "x-ms-sevsnpvm-vmpl": 0,

+ΓÇ» "x-ms-ver": "1.0"

+}

+```

+## Next steps

+- [View examples of an attestation policy](policy-examples.md)

+See [examples of an attestation policy](policy-examples.md)

+See [examples of attestation token](attestation-token-examples.md).

+## Sample custom policy to support multiple SGX enclaves

+```

+version= 1.0;

+authorizationrules

+{

+ [ type=="x-ms-sgx-is-debuggable", value==true ]&&

+ [ type=="x-ms-sgx-mrsigner", value=="mrsigner1"] => permit();

+ [ type=="x-ms-sgx-is-debuggable", value==true ]&&

+ [ type=="x-ms-sgx-mrsigner", value=="mrsigner2"] => permit();

+};

+```

+## Unsigned Policy for an SGX enclave with PolicyFormat=JWT

+```

+eyJhbGciOiJub25lIn0.eyJBdHRlc3RhdGlvblBvbGljeSI6ICJkbVZ5YzJsdmJqMGdNUzR3TzJGMWRHaHZjbWw2WVhScGIyNXlkV3hsYzN0ak9sdDBlWEJsUFQwaUpHbHpMV1JsWW5WbloyRmliR1VpWFNBOVBpQndaWEp0YVhRb0tUdDlPMmx6YzNWaGJtTmxjblZzWlhON1l6cGJkSGx3WlQwOUlpUnBjeTFrWldKMVoyZGhZbXhsSWwwZ1BUNGdhWE56ZFdVb2RIbHdaVDBpYVhNdFpHVmlkV2RuWVdKc1pTSXNJSFpoYkhWbFBXTXVkbUZzZFdVcE8yTTZXM1I1Y0dVOVBTSWtjMmQ0TFcxeWMybG5ibVZ5SWwwZ1BUNGdhWE56ZFdVb2RIbHdaVDBpYzJkNExXMXljMmxuYm1WeUlpd2dkbUZzZFdVOVl5NTJZV3gxWlNrN1l6cGJkSGx3WlQwOUlpUnpaM2d0YlhKbGJtTnNZWFpsSWwwZ1BUNGdhWE56ZFdVb2RIbHdaVDBpYzJkNExXMXlaVzVqYkdGMlpTSXNJSFpoYkhWbFBXTXVkbUZzZFdVcE8yTTZXM1I1Y0dVOVBTSWtjSEp2WkhWamRDMXBaQ0pkSUQwLUlHbHpjM1ZsS0hSNWNHVTlJbkJ5YjJSMVkzUXRhV1FpTENCMllXeDFaVDFqTG5aaGJIVmxLVHRqT2x0MGVYQmxQVDBpSkhOMmJpSmRJRDAtSUdsemMzVmxLSFI1Y0dVOUluTjJiaUlzSUhaaGJIVmxQV011ZG1Gc2RXVXBPMk02VzNSNWNHVTlQU0lrZEdWbElsMGdQVDRnYVhOemRXVW9kSGx3WlQwaWRHVmxJaXdnZG1Gc2RXVTlZeTUyWVd4MVpTazdmVHMifQ.

+```

+## Signed Policy for an SGX enclave with PolicyFormat=JWT

+```

+eyJhbGciOiJSU0EyNTYiLCJ4NWMiOlsiTUlJQzFqQ0NBYjZnQXdJQkFnSUlTUUdEOUVGakJcdTAwMkJZd0RRWUpLb1pJaHZjTkFRRUxCUUF3SWpFZ01CNEdBMVVFQXhNWFFYUjBaWE4wWVhScGIyNURaWEowYVdacFkyRjBaVEF3SGhjTk1qQXhNVEl6TVRneU1EVXpXaGNOTWpFeE1USXpNVGd5TURVeldqQWlNU0F3SGdZRFZRUURFeGRCZEhSbGMzUmhkR2x2YmtObGNuUnBabWxqWVhSbE1EQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUpyRWVNSlo3UE01VUJFbThoaUNLRGh6YVA2Y2xYdkhmd0RIUXJ5L3V0L3lHMUFuMGJ3MVU2blNvUEVtY2FyMEc1WmYxTUR4alZOdEF5QjZJWThKLzhaQUd4eFFnVVZsd1dHVmtFelpGWEJVQTdpN1B0NURWQTRWNlx1MDAyQkJnanhTZTBCWVpGYmhOcU5zdHhraUNybjYwVTYwQUU1WFx1MDAyQkE1M1JvZjFUUkNyTXNLbDRQVDRQeXAzUUtNVVlDaW9GU3d6TkFQaU8vTy9cdTAwMkJIcWJIMXprU0taUXh6bm5WUGVyYUFyMXNNWkptRHlyUU8vUFlMTHByMXFxSUY2SmJsbjZEenIzcG5uMXk0Wi9OTzJpdFBxMk5Nalx1MDAyQnE2N1FDblNXOC9xYlpuV3ZTNXh2S1F6QVR5VXFaOG1PSnNtSThUU05rLzBMMlBpeS9NQnlpeDdmMTYxQ2tjRm1LU3kwQ0F3RUFBYU1RTUE0d0RBWURWUjBUQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBZ1ZKVWRCaXRud3ZNdDdvci9UMlo4dEtCUUZsejFVcVVSRlRUTTBBcjY2YWx2Y2l4VWJZR3gxVHlTSk5pbm9XSUJROU9QamdMa1dQMkVRRUtvUnhxN1NidGxqNWE1RUQ2VjRyOHRsejRISjY0N3MyM2V0blJFa2o5dE9Gb3ZNZjhOdFNVeDNGTnBhRUdabDJMUlZHd3dcdTAwMkJsVThQd0gzL2IzUmVCZHRhQTdrZmFWNVx1MDAyQml4ZWRjZFN5S1F1VkFUbXZNSTcxM1A4VlBsNk1XbXNNSnRrVjNYVi9ZTUVzUVx1MDAyQkdZcU1yN2tLWGwxM3lldUVmVTJWVkVRc1ovMXRnb29iZVZLaVFcdTAwMkJUcWIwdTJOZHNcdTAwMkJLamRIdmFNYngyUjh6TDNZdTdpR0pRZnd1aU1tdUxSQlJwSUFxTWxRRktLNmRYOXF6Nk9iT01zUjlpczZ6UDZDdmxGcEV6bzVGUT09Il19.eyJBdHRlc3RhdGlvblBvbGljeSI6ImRtVnljMmx2YmoweExqQTdZWFYwYUc5eWFYcGhkR2x2Ym5KMWJHVnpJSHRqT2x0MGVYQmxQVDBpSkdsekxXUmxZblZuWjJGaWJHVWlYU0FtSmlCYmRtRnNkV1U5UFhSeWRXVmRJRDAtSUdSbGJua29LVHM5UGlCd1pYSnRhWFFvS1R0OU8ybHpjM1ZoYm1ObGNuVnNaWE1nZXlBZ0lDQmpPbHQwZVhCbFBUMGlKR2x6TFdSbFluVm5aMkZpYkdVaVhTQTlQaUJwYzNOMVpTaDBlWEJsUFNKT2IzUkVaV0oxWjJkaFlteGxJaXdnZG1Gc2RXVTlZeTUyWVd4MVpTazdJQ0FnSUdNNlczUjVjR1U5UFNJa2FYTXRaR1ZpZFdkbllXSnNaU0pkSUQwLUlHbHpjM1ZsS0hSNWNHVTlJbWx6TFdSbFluVm5aMkZpYkdVaUxDQjJZV3gxWlQxakxuWmhiSFZsS1RzZ0lDQWdZenBiZEhsd1pUMDlJaVJ6WjNndGJYSnphV2R1WlhJaVhTQTlQaUJwYzNOMVpTaDBlWEJsUFNKelozZ3RiWEp6YVdkdVpYSWlMQ0IyWVd4MVpUMWpMblpoYkhWbEtUc2dJQ0FnWXpwYmRIbHdaVDA5SWlSelozZ3RiWEpsYm1Oc1lYWmxJbDBnUFQ0Z2FYTnpkV1VvZEhsd1pUMGljMmQ0TFcxeVpXNWpiR0YyWlNJc0lIWmhiSFZsUFdNdWRtRnNkV1VwT3lBZ0lDQmpPbHQwZVhCbFBUMGlKSEJ5YjJSMVkzUXRhV1FpWFNBOVBpQnBjM04xWlNoMGVYQmxQU0p3Y205a2RXTjBMV2xrSWl3Z2RtRnNkV1U5WXk1MllXeDFaU2s3SUNBZ0lHTTZXM1I1Y0dVOVBTSWtjM1p1SWwwZ1BUNGdhWE56ZFdVb2RIbHdaVDBpYzNadUlpd2dkbUZzZFdVOVl5NTJZV3gxWlNrN0lDQWdJR002VzNSNWNHVTlQU0lrZEdWbElsMGdQVDRnYVhOemRXVW9kSGx3WlQwaWRHVmxJaXdnZG1Gc2RXVTlZeTUyWVd4MVpTazdmVHMifQ.c0l-xqGDFQ8_kCiQ0_vvmDQYG_u544CYmoiucPNxd9MU8ZXT69UD59UgSuya2yl241NoVXA_0LaMEB2re0JnTbPD_dliJn96HnIOqnxXxRh7rKbu65ECUOMWPXbyKQMZ0I3Wjhgt_XyyhfEiQGfJfGzA95-wm6yWqrmW7dMI7JkczG9ideztnr0bsw5NRsIWBXOjVy7Bg66qooTnODS_OqeQ4iaNsN-xjMElHABUxXhpBt2htbhemDU1X41o8clQgG84aEHCgkE07pR-7IL_Fn2gWuPVC66yxAp00W1ib2L-96q78D9J52HPdeDCSFio2RL7r5lOtz8YkQnjacb6xA

+```

+1. Client collects evidence from an enclave. Evidence is information about the enclave environment and the client library running inside the enclave

+1. The client has an URI which refers to an instance of Azure Attestation. The client sends evidence to Azure Attestation. Exact information submitted to the provider depends on the enclave type

+1. Azure Attestation validates the submitted information and evaluates it against a configured policy. If the verification succeeds, Azure Attestation issues an attestation token and returns it to the client. If this step fails, Azure Attestation reports an error to the client

+1. The client sends the attestation token to relying party. The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates. The relying party then verifies the signature of the attestation token and ensures the enclave trustworthiness

+1. On device/platform boot, various boot loaders and boot services measure events backed by TPM and securely store them as TCG logs. Client collects the TCG logs from the device and TPM quote which acts evidence for attestation

+2. The client authenticates to Azure AD and obtains a access token

+3. The client has an URI which refers to an instance of Azure Attestation. The client sends the evidence and the Azure Active Directory (Azure AD) access token to Azure Attestation. Exact information submitted to the provider depends on the platform

+4. Azure Attestation validates the submitted information and evaluates it against a configured policy. If the verification succeeds, Azure Attestation issues an attestation token and returns it to the client. If this step fails, Azure Attestation reports an error to the client. The communication between the client and attestation service is dictated by the Azure attestation TPM protocol

+5. The client then sends the attestation token to relying party. The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates. The relying party then verifies the signature of the attestation token and ensures the platforms trustworthiness

+* Learn about [Azure Arc-enabled System Center Virtual Machine Manager](system-center-virtual-machine-manager/overview.md)

+* Experience Azure Arc-enabled services by exploring the [Jumpstart proof of concept](https://azurearcjumpstart.io/azure_arc_jumpstart/).

+- `azcmagent show` no longer prints the private link scope ID. You can check if the server is associated with an Azure Arc private link scope by reviewing the machine details in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/servers), [CLI](/cli/azure/connectedmachine?view=azure-cli-latest#az-connectedmachine-show&preserve-view=true), [PowerShell](/powershell/module/az.connectedmachine/get-azconnectedmachine), or [REST API](/rest/api/hybridcompute/machines/get).

+ Title: Create a virtual machine on System Center Virtual Machine Manager using Azure Arc (preview)

+description: This article helps you create a virtual machine using Azure portal (preview).

+ms.

+keywords: "VMM, Arc, Azure"

+# Create a virtual machine on System Center Virtual Machine Manager using Azure Arc (preview)

+Once your administrator has connected an SCVMM management server to Azure, represented VMM resources such as private clouds, VM templates in Azure, and provided you the required permissions on those resources, you'll be able to create a virtual machine in Azure.

+## Prerequisites

+- An Azure subscription and resource group where you have *Arc SCVMM VM Contributor* role.

+- A cloud resource on which you have *Arc SCVMM Private Cloud Resource User* role.

+- A virtual machine template resource on which you have *Arc SCVMM Private Cloud Resource User role*.

+- A virtual network resource on which you have *Arc SCVMM Private Cloud Resource User* role.

+## How to create a VM in Azure portal

+1. Go to Azure portal.

+2. Select **Azure Arc** as the service and then select **Azure Arc virtual machine** from the left blade.

+3. Click **+ Create**, **Create an Azure Arc virtual machine** page opens.

+3. Under **Basics** > **Project details**, select the **Subscription** and **Resource group** where you want to deploy the VM.

+4. Under **Instance details**, provide the following details:

+ - Virtual machine name - Specify the name of the virtual machine.

+ - Custom location - Select the custom location that your administrator has shared with you.

+ - Virtual machine kind ΓÇô Select **System Center Virtual Machine Manager**.

+ - Cloud ΓÇô Select the target VMM private cloud.

+ - Availability set - (Optional) Use availability sets to identify virtual machines that you want VMM to keep on separate hosts for improved continuity of service.

+5. Under **Template details**, provide the following details:

+ - Template ΓÇô Choose the VM template for deployment.

+ - Override template details - Select the checkbox to override the default CPU cores and memory on the VM templates.

+ - Specify computer name for the VM, if the VM template has computer name associated with it.

+6. Under **Administrator account**, provide the following details and click **Next : Disks >**.

+ - Username

+ - Password

+ - Confirm password

+7. Under **Disks**, you can optionally change the disks configured in the template. You can add more disks or update existing disks.

+8. Under **Networking**, you can optionally change the network interfaces configured in the template. You can add Network interface cards (NICs) or update the existing NICs. You can also change the network that this NIC will be attached to provided you have appropriate permissions to the network resource.

+9. Under **Advanced**, enable processor compatibility mode if required.

+10. Under **Tags**, you can optionally add tags to the VM resource.

+ >[!NOTE]

+ > Custom properties defined for the VM in VMM will be synced as tags in Azure.

+11. Under **Review + create**, review all the properties and select **Create**. The VM will be created in a few minutes.

+ Title: Enable SCVMM inventory resources in Azure Arc center (preview)

+description: This article helps you enable SCVMM inventory resources from Azure portal (preview)

+keywords: "VMM, Arc, Azure"

+# Enable SCVMM inventory resources from Azure portal (preview)

+The article describes how you can view SCVMM management servers and enable SCVMM inventory from Azure portal, after connecting to the SCVMM management server.

+## View SCVMM management servers

+You can view all the connected SCVMM management servers under **SCVMM management servers** in Azure Arc center.

+In the inventory view, you can browse the virtual machines (VMs), VMM clouds, VM network, and VM templates.

+Under each inventory, you can select and enable one or more SCVMM resources in Azure to create an Azure resource representing your SCVMM resource.

+You can further use the Azure resource to assign permissions or perform management operations.

+## Enable SCVMM cloud, VM templates and VM networks in Azure

+To enable the SCVMM inventory resources, follow these steps:

+1. From Azure home > **Azure Arc** center, go to **SCVMM management servers (preview)** blade and go to inventory resources blade.

+ :::image type="content" source="media/enable-scvmm-inventory-resources/scvmm-server-blade-inline.png" alt-text="Screenshot of how to go to SCVMM management servers blade." lightbox="media/enable-scvmm-inventory-resources/scvmm-server-blade-expanded.png":::

+1. Select the resource(s) you want to enable and select **Enable in Azure**.

+ :::image type="content" source="media/enable-scvmm-inventory-resources/scvmm-enable-azure-inline.png" alt-text="Screenshot of how to enable in Azure option." lightbox="media/enable-scvmm-inventory-resources/scvmm-enable-azure-expanded.png":::

+1. In **Enable in Azure**, select your **Azure subscription** and **Resource Group** and select **Enable**.

+ :::image type="content" source="media/enable-scvmm-inventory-resources/scvmm-select-sub-resource-inline.png" alt-text="Screenshot of how to select subscription and resource group." lightbox="media/enable-scvmm-inventory-resources/scvmm-select-sub-resource-expanded.png":::

+ The deployment is initiated and it creates a resource in Azure, representing your SCVMM resources. It allows you to manage the access to these resources through the Azure role-based access control (RBAC) granularly.

+ Repeat the above steps for one or more VM networks and VM template resources.

+## Enable existing virtual machines in Azure

+To enable the existing virtual machines in Azure, follow these steps:

+1. From Azure home > **Azure Arc** center, go to **SCVMM management servers (preview)** blade and go to inventory resources blade.

+1. Go to **SCVMM inventory** resource blade, select **Virtual machines** and then select the VMs you want to enable and select **Enable in Azure**.

+ :::image type="content" source="media/enable-scvmm-inventory-resources/scvmm-enable-existing-vm-inline.png" alt-text="Screenshot of how to enable existing virtual machines in Azure." lightbox="media/enable-scvmm-inventory-resources/scvmm-enable-existing-vm-expanded.png":::

+1. Select your **Azure subscription** and **Resource group**.

+1. Select **Enable** to start the deployment of the VM represented in Azure.

+## Next steps

+[Connect virtual machines to Arc](quickstart-connect-system-center-virtual-machine-manager-to-arc.md)

+ Title: Overview of the Azure Connected System Center Virtual Machine Manager (preview)

+description: This article provides a detailed overview of the Azure Arc-enabled System Center Virtual Machine Manager (preview).

+ms.

+keywords: "VMM, Arc, Azure"

+# Overview of Arc-enabled System Center Virtual Machine Manager (preview)

+Azure Arc-enabled System Center Virtual Machine Manager (SCVMM) empowers System Center customers to connect their VMM environment to Azure and perform VM self-service operations from Azure portal. With Azure Arc-enabled SCVMM, you get a consistent management experience across Azure.

+Azure Arc-enabled System Center Virtual Machine Manager allows you to manage your Hybrid environment and perform self-service VM operations through Azure portal. For Microsoft Azure Pack customers, this solution is intended as an alternative to perform VM self-service operations.

+Arc-enabled System Center VMM allows you to:

+- Perform various VM lifecycle operations such as start, stop, pause, delete VMs on VMM managed VMs directly from Azure.

+- Empower developers and application teams to self-serve VM operations on-demand using [Azure role-based access control (RBAC)](/azure/role-based-access-control/overview).

+- Browse your VMM resources (VMs, templates, VM networks, and storage) in Azure, providing you a single pane view for your infrastructure across both environments.

+- Discover and onboard existing SCVMM managed VMs to Azure.

+## How does it work?

+To Arc-enable a System Center VMM management server, deploy [Azure Arc resource bridge](/azure/azure-arc/resource-bridge/overview) (preview) in the VMM environment. Arc resource bridge is a virtual appliance that connects VMM management server to Azure. Azure Arc resource bridge (preview) enables you to represent the SCVMM resources (clouds, VMs, templates etc.) in Azure and do various operations on them.

+## Architecture

+The following image shows the architecture for the Arc-enabled SCVMM:

+### Supported VMM versions

+Azure Arc-enabled SCVMM works with VMM 2016, 2019 and 2022 versions.

+### Supported scenarios

+The following scenarios are supported in Azure Arc-enabled SCVMM (preview):

+- SCVMM administrators can connect a VMM instance to Azure and browse the SCVMM virtual machine inventory in Azure.

+- Administrators can use the Azure portal to browse SCVMM inventory and register SCVMM cloud, virtual machines, VM networks, and VM templates into Azure.

+- Administrators can provide app teams/developers fine-grained permissions on those SCVMM resources through Azure RBAC.

+- App teams can use Azure interfaces (portal, CLI, or REST API) to manage the lifecycle of on-premises VMs they use for deploying their applications (CRUD, Start/Stop/Restart).

+### Supported regions

+Azure Arc-enabled SCVMM (preview) is currently supported in the following regions:

+- East US

+- West Europe

+## Next steps

+[See how to create a Azure Arc VM](create-virtual-machine.md)

+ Title: Quick Start for Azure Arc-enabled System Center Virtual Machine Manager (preview)

+description: In this QuickStart, you will learn how to use the helper script to connect your System Center Virtual Machine Manager management server to Azure Arc (preview).

+# QuickStart: Connect your System Center Virtual Machine Manager management server to Azure Arc (preview)

+Before you can start using the Azure Arc-enabled SCVMM features, you need to connect your VMM management server to Azure Arc.

+This QuickStart shows you how to connect your SCVMM management server to Azure Arc using a helper script. The script deploys a lightweight Azure Arc appliance (called Azure Arc resource bridge) as a virtual machine running in your VMM environment and installs an SCVMM cluster extension on it, to provide a continuous connection between your VMM management server and Azure Arc.

+## Prerequisites

+| **Requirement** | **Details** |

+| | |

+| **Azure** | An Azure subscription <br/><br/> A resource group in the above subscription where you have the *Owner/Contributor* role. |

+| **SCVMM** | You need an SCVMM management server running version 2016 or later.<br/><br/> A private cloud that has at least one cluster with minimum free capacity of 16 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> For dynamic IP allocation to appliance VM, DHCP server is required. For static IP allocation, VMM static IP pool is required. |

+| **SCVMM accounts** | An SCVMM admin account that can perform all administrative actions on all objects that VMM manages. <br/><br/> This will be used for the ongoing operation of Azure Arc-enabled SCVMM as well as the deployment of the Arc Resource bridge VM. |

+| **Workstation** | The workstation will be used to run the helper script.<br/><br/> A Windows/Linux machine that can access both your SCVMM management server and internet, directly or through proxy.<br/><br/> The helper script can be run directly from the VMM server machine as well.<br/><br/> Note that when you execute the script from a Linux machine, the deployment takes a bit longer and you may experience performance issues. |

+## Prepare SCVMM management server

+- Create an SCVMM private cloud if you don't have one. The private cloud should have a reservation of at least 16 GB of RAM and 4 vCPUs. It should also have at least 100 GB of disk space.

+- Ensure that SCVMM administrator account has the appropriate permissions.

+## Download the onboarding script

+1. Go to [Azure portal](https://aka.ms/SCVMM/MgmtServers).

+1. Search and select **Azure Arc**.

+1. In the **Overview** page, select **Add** in **Add your infrastructure for free** or move to the **infrastructure** tab.

+ :::image type="content" source="media/quick-start-connect-scvmm-to-azure/overview-add-infrastructure-inline.png" alt-text="Screenshot of how to select Add your infrastructure for free." lightbox="media/quick-start-connect-scvmm-to-azure/overview-add-infrastructure-expanded.png":::

+1. In the **Platform** section, in **System Center VMM** select **Add**.

+ :::image type="content" source="media/quick-start-connect-scvmm-to-azure/platform-add-system-center-vmm-inline.png" alt-text="Screenshot of how to select System Center V M M platform." lightbox="media/quick-start-connect-scvmm-to-azure/platform-add-system-center-vmm-expanded.png":::

+1. Select **Create new resource bridge** and select **Next**.

+1. Provide a name for **Azure Arc resource bridge**. For example: *contoso-nyc-resourcebridge*.

+1. Select a subscription and resource group where you want to create the resource bridge.

+1. Under **Region**, select an Azure location where you want to store the resource metadata. The currently supported regions are **East US** and **West Europe**.

+1. Provide a name for **Custom location**.

+ This is the name that you'll see when you deploy virtual machines. Name it for the datacenter or the physical location of your datacenter. For example: *contoso-nyc-dc.*

+1. Leave the option **Use the same subscription and resource group as your resource bridge** selected.

+1. Provide a name for your **SCVMM management server instance** in Azure. For example: *contoso-nyc-scvmm.*

+1. Select **Next: Download and run script**.

+1. If your subscription isn't registered with all the required resource providers, select **Register** to proceed to next step.

+1. Based on the operating system of your workstation, download the PowerShell or Bash script and copy it to the workstation.

+1. To see the status of your onboarding after you run the script on your workstation, select **Next:Verification**. The onboarding isn't affected when you close this page.

+## Run the script

+Use the following instructions to run the script, depending on the Operating System of the workstation.

+>[!NOTE]

+>Before running the script, install the latest version of Azure CLI (2.36.0 or later).

+### Windows

+Follow these instructions to run the script on a Windows machine.

+1. Open a new PowerShell window and verify if Azure CLI is successfully installed in the workstation, use the following command:

+ ```azurepowershell-interactive

+ az

+ ```

+1. Navigate to the folder where you've downloaded the PowerShell script:

+ *cd C:\Users\ContosoUser\Downloads*

+1. Run the following command to allow the script to run since it's an unsigned script (if you close the session before you complete all the steps, run this command again for the new session):

+ ```azurepowershell-interactive

+ Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

+ ```

+1. Run the script:

+ ```azurepowershell-interactive

+ ./resource-bridge-onboarding-script.ps1

+ ```

+### Linux

+Follow these instructions to run the script on a Linux machine:

+1. Open the terminal and navigate to the folder, where you've downloaded the Bash script.

+2. Execute the script using the following command:

+ ```sh

+ bash resource-bridge-onboarding-script.sh

+ ```

+## Script runtime

+The script execution will take up to half an hour and you'll be prompted for various details. See the following table for related information:

+| **Parameter** | **Details** |

+| | |

+| **Azure login** | You would be asked to log in to Azure by visiting [this site](https://www.microsoft.com/devicelogin) and pasting the prompted code. |

+| **SCVMM management server FQDN/Address** | FQDN for the VMM server (or an IP address). </br> Provide role name if itΓÇÖs a Highly Available VMM deployment. </br> For example: nyc-scvmm.contoso.com or 10.160.0.1 |

+| **SCVMM Username**</br> (domain\username) | Username for the SCVMM administrator account. The required permissions for the account are listed in the prerequisites above.</br> Example: contoso\contosouser |

+| **SCVMM password** | Password for the SCVMM admin account |

+| **Private cloud selection** | Select the name of the private cloud where the Arc resource bridge VM should be deployed. |

+| **Virtual Network selection** | Select the name of the virtual network to which *Arc resource bridge VM* needs to be connected. This network should allow the appliance to talk to the VMM management server and the Azure endpoints (or internet). |

+| **Static IP pool** | Select the VMM static IP pool that will be used to allot IP address. |

+| **Control Pane IP** | Provide a reserved IP address (a reserved IP address in your DHCP range or a static IP outside of DHCP range but still available on the network). The key thing is this IP address shouldn't be assigned to any other machine on the network. |

+| **Appliance proxy settings** | Type ΓÇÿYΓÇÖ if there's a proxy in your appliance network, else type ΓÇÿNΓÇÖ.|

+| **http** | Address of the HTTP proxy server. |

+| **https** | Address of the HTTPS proxy server.|

+| **NoProxy** | Addresses to be excluded from proxy.|

+|**CertificateFilePath** | For SSL based proxies, provide the path to the certificate. |

+Once the command execution is completed, your setup is complete, and you can try out the capabilities of Azure Arc- enabled SCVMM.

+### Retry command - Windows

+If for any reason, the appliance creation fails, you need to retry it. Run the command with ```-Force``` to clean up and onboard again.

+```powershell-interactive

+ ./resource-bridge-onboarding-script.ps1-Force -Subscription <Subscription> -ResourceGroup <ResourceGroup> -AzLocation <AzLocation> -ApplianceName <ApplianceName> -CustomLocationName <CustomLocationName> -VMMservername <VMMservername>

+```

+### Retry command - Linux

+If for any reason, the appliance creation fails, you need to retry it. Run the command with ```--force``` to clean up and onboard again.

+ ```sh

+ bash resource-bridge-onboarding-script.sh --force

+ ```

+>[!NOTE]

+> - After successful deployment, we recommend to maintain the state of **Arc Resource Bridge VM** as *online*.

+> - Intermittently appliance might become unreachable, when you shut down and restart the VM.

+## Next steps

+[Create a VM](create-virtual-machine.md)

+Use the Azure CLI for creating a new cache with managed identity or updating an existing cache to use managed identity. For more information, see [az redis create](/cli/azure/redis?view=azure-cli-latest.md&preserve-view=true) or [az redis identity](/cli/azure/redis/identity?view=azure-cli-latest&preserve-view=true).

+Use Azure PowerShell for creating a new cache with managed identity or updating an existing cache to use managed identity. For more information, see [New-AzRedisCache](/powershell/module/az.rediscache/new-azrediscache?view=azps-7.1.0&preserve-view=true) or [Set-AzRedisCache](/powershell/module/az.rediscache/set-azrediscache?view=azps-7.1.0&preserve-view=true).

+## Scale-in behaviors

+Event-driven scaling automatically reduces capacity when demand for your functions is reduced. It does this by shutting down worker instances of your function app. Before an instance is shut down, new events stop being sent to the instance. Also, functions that are currently executing are given time to finish executing. This behavior is logged as drain mode. This shut-down period can extend up to 10 minutes for Consumption plan apps and up to 60 minutes for Premium plan apps. Event-driven scaling and this behavior don't apply to Dedicated plan apps.

+The following considerations apply for scale-in behaviors:

+* For Consumption plan function apps running on Windows, only apps created after May 2021 have drain mode behaviors enabled by default.

+* To enable graceful shutdown for functions using the Service Bus trigger, use version 4.2.0 or a later version of the [Service Bus Extension](functions-bindings-service-bus.md).

+|Node 12|30 Apr 2022|TBA|

+| May 2022 | <ul><li>Fixed issue where agent stops functioning due to faulty XPath query. With this version, only query related Windows events will fail, other data types will continue to be collected</li><li>Collection of Windows network troubleshooting logs added to 'CollectAMAlogs.ps1' tool</li></ul> | 1.5.0.0 | Coming soon |

+ms.reviwer: dalek

+* Performance counters are displayed as custom metrics.

+The Azure Monitor OpenTelemetry Exporter is a component that sends traces (and eventually all application telemetry) to Azure Monitor Application Insights. To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).

+This article describes how to enable and configure the OpenTelemetry-based Azure Monitor Preview offering. After you finish the instructions in this article, you'll be able to send OpenTelemetry traces to Azure Monitor Application Insights.

+There are several sources that explain the three pillars in detail including the [OpenTelemetry community website](https://opentelemetry.io/docs/concepts/data-collection/), [OpenTelemetry Specifications](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/overview.md), and [Distributed Systems Observability](https://www.oreilly.com/library/view/distributed-systems-observability/9781492033431/ch04.html) by Cindy Sridharan.

+ms.reviwer: cogoodson

+ms.reviwer: casocha

+ms.reviwer: heya

+ms.reviwer: dalek git

+* [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) (Preview)

+ [Azure NetApp Files datastores for Azure VMware Solution](https://azure.microsoft.com/blog/power-your-file-storageintensive-workloads-with-azure-vmware-solution) is now in public preview. This new integration between Azure VMware Solution and Azure NetApp Files will enable you to [create datastores via the Azure VMware Solution resource provider with Azure NetApp Files NFS volumes](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) and mount the datastores on your private cloud clusters of choice. Along with the integration of Azure disk pools for Azure VMware Solution, this will provide more choice to scale storage needs independently of compute resources. For your storage-intensive workloads running on Azure VMware Solution, the integration with Azure NetApp Files helps to easily scale storage capacity and performance beyond the limits of native vSAN built on top of the AVS nodes and lower your overall total cost of ownership.

+ Regional Coverage: Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central US, East US, France Central, Germany West Central, Japan West, North Central US, North Europe, South Central US, Southeast Asia, Switzerland West, UK South, UK West, West US. Regional coverage will expand as the preview progresses.

+> You can also list your subscriptions and view their IDs programmatically by using [Get-AzSubscription](/powershell/module/az.accounts/get-azsubscription?view=latest&preserve-view=true) (Azure PowerShell) or [az account list](/cli/azure/account?view=azure-cli-latest&preserve-view=true) (Azure CLI).

+| Microsoft.AppConfiguration/configurationStores | [ListKeys](/rest/api/appconfiguration/stable/configuration-stores/list-keys) |

+* [Microsoft.CustomProviders/resourceProviders](/azure/templates/microsoft.customproviders/resourceproviders)

+> | policySetDefinitions | scope of definition | 1-128 display name<br><br>1-64 resource name<br><br>1-64 resource name at management group scope | Display name can contain any characters.<br><br>Resource name can't use:<br>`<>*%&:\?.+/` or control characters. <br><br>Can't end with period or space. |

+| Microsoft.AppConfiguration/configurationStores | [ListKeys](/rest/api/appconfiguration/stable/configuration-stores/list-keys) |

+From SDK version 1.5.0, we're enabling dynamic scale ServiceEndpoints for ASP.NET Core version first. So you don't have to restart app server when you need to add/remove a ServiceEndpoint. As ASP.NET Core is supporting default configuration like `appsettings.json` with `reloadOnChange: true`, you don't need to change a code and it's supported by nature. And if you'd like to add some customized configuration and work with hot-reload, please refer to [this](/aspnet/core/fundamentals/configuration/?view=aspnetcore-3.1&preserve-view=true).

+Azure Video Indexer (formerly Video Analyzer for Media) is a service hosted on Azure. In some architecture cases the service needs to interact with other services in order to index video files (that is, a Storage Account) or when a customer orchestrates indexing jobs against our API endpoint using their own service hosted on Azure (i.e AKS, Web Apps, Logic Apps, Functions). Customers who would like to limit access to their resources on a network level can use [Network Security Groups with Service Tags](/azure/virtual-network/service-tags-overview). A service tag represents a group of IP address prefixes from a given Azure service, in this case Azure Video Indexer. Microsoft manages the address prefixes grouped by the service tag and automatically updates the service tag as addresses change in our backend, minimizing the complexity of frequent updates to network security rules by the customer.

+You can also use Azure CLI to create a new or update an existing NSG rule and add the **AzureVideoAnalyzerForMedia** service tag using the `--source-address-prefixes`. For a full list of CLI commands and parameters see [az network nsg](/cli/azure/network/nsg/rule?view=azure-cli-latest&preserve-view=true)

+ 1. Verify you're registered for both the `CloudSanExperience` and `AnfDatstoreExperience` features.

+## June 7, 2022

+All new Azure VMware Solution private clouds in regions (East US2, Canada Central, North Europe, and Japan East), are now deployed in with VMware vCenter Server version 7.0 Update 3c and ESXi version 7.0 Update 3c.

+Any existing private clouds in the above mentioned regions will also be upgraded to these versions. For more information, please see [VMware ESXi 7.0 Update 3c Release Notes](https://docs.vmware.com/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html) and [VMware vCenter Server 7.0 Update 3c Release Notes](https://docs.vmware.com/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3c-release-notes.html).

+[API reference documentation](/javascript/api/overview/azure/web-pubsub-express-readme?view=azure-node-latest&preserve-view=true) |

+ Title: Tutorial - Create a serverless chat app with Azure Web PubSub service and Azure Static Web Apps

+description: A tutorial about how to use Azure Web PubSub service and Azure Static Web Apps to build a serverless chat application.

+# Tutorial: Create a serverless chat app with Azure Web PubSub service and Azure Static Web Apps

+Azure Web PubSub service helps you build real-time messaging web applications using WebSockets. By using Azure Static Web Apps, you can automatically build and deploy full-stack web apps to Azure from a code repository. In this tutorial, you'll learn how to use Web PubSub service and Static Web Apps to build a serverless, real-time chat room messaging application.

+In this tutorial, you'll learn how to:

+GitHub or Azure Repos provide source control for Static Web Apps. Azure monitors the repo branch you select, and every time there's a code change to the source repo a new build of your web app is automatically run and deployed to Azure. Continuous delivery is provided by GitHub Actions and Azure Pipelines. Static Web Apps detects the new build and presents it to the endpoint user.

+The sample chat room application provided with this tutorial has the following workflow.

+1. When a user signs in to the app, the Azure Functions `login` API will be triggered to generate a Web PubSub service client connection URL.

+1. When the client initializes the connection request to Web PubSub, the service sends a system `connect` event that triggers the Functions `connect` API to authenticate the user.

+1. When a client sends a message to Azure Web PubSub service, the service will respond with a user `message` event and the Functions `message` API will be triggered to broadcast the message to all the connected clients.

+1. The Functions `validate` API is triggered periodically for [CloudEvents Abuse Protection](https://github.com/cloudevents/spec/blob/v1.0/http-webhook.md#4-abuse-protection) when the events in Azure Web PubSub are configured with predefined parameter `{event}`, that is, https://$STATIC_WEB_APP/api/{event}.

+> The Functions APIs `connect` and `message` are triggered when Azure Web PubSub service is configured with these two events.

+* A [GitHub](https://github.com/) account.

+* An [Azure](https://portal.azure.com/) account. If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) before you begin.

+* [Azure CLI](/cli/azure/install-azure-cli) (version 2.29.0 or higher) or [Azure Cloud Shell](../cloud-shell/quickstart.md) to manage Azure resources.

+ Replace the placeholder `<YOUR_AWPS_ACCESS_KEY>` with the value for `primaryConnectionString` from the previous step.

+## Create a repository

+This article uses a GitHub template repository to make it easy for you to get started. The template features a starter app that you will deploy to Azure Static Web Apps.

+1. Go to [https://github.com/Azure/awps-swa-sample/generate](https://github.com/login?return_to=/Azure/awps-swa-sample/generate) to create a new repo for this tutorial.

+1. Select yourself as **Owner** and name your repository **my-awps-swa-app**.

+1. You can create a **Public** or **Private** repo according to your preference. Both work for the tutorial.

+1. Select **Create repository from template**.

+1. Create a new static web app from your repository. When you run this command, the CLI starts a GitHub interactive sign-in. Follow the message to complete authorization.

+1. Go to **https://github.com/login/device**.

+1. Select **Continue**.

+1. Select **Authorize AzureAppServiceCLI**.

+There are two aspects to deploying a static app: The first creates the underlying Azure resources that make up your app. The second is a GitHub Actions workflow that builds and publishes your application.

+ Once the success icon appears, the workflow is complete and you can return to your console window.

+1. Run the following command to query for your website's URL.

+You're very close to complete. The last step is to configure Web PubSub transfer client requests to your function APIs.

+1. Run the following command to configure Web PubSub service events. It maps functions under the `api` folder in your repo to the Web PubSub event handler.

+Now you're ready to play with your website **<YOUR_STATIC_WEB_APP>**. Copy it to browser and select **Continue** to start chatting with your friends.

+In this quickstart, you learned how to run a serverless chat application. Now, you could start to build your own application.

+## UserErrorDBUserAuthFailed

+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Ensure that the credentials stored as part of the secret value in the key vault are valid. Ensure that the specified database user has login access.

+## UserErrorInvalidSecret

+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Ensure that the specified secret name is present in the key vault.

+## UserErrorMissingDBPermissions

+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Grant appropriate permissions to the relevant backup or the database user to perform this operation on the database.

+## UserErrorSecretValueInUnsupportedFormat

+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). However the secret value is not in a format supported by Azure Backup. Check the supported format as documented [here](backup-azure-database-postgresql.md#create-secrets-in-the-key-vault).

+## UserErrorInvalidSecretStore

+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Ensure that the given key vault exists and the backup service is given access as documented [here](backup-azure-database-postgresql-overview.md#set-of-permissions-needed-for-azure-postgresql-database-backup).

+## UserErrorMissingPermissionsOnSecretStore

+The Azure Backup service uses the credentials mentioned in the key-vault to access the database as a database user. The relevant key vault and the secret are [provided during configuration of backup](backup-azure-database-postgresql.md#configure-backup-on-azure-postgresql-databases). Ensure that backup vault's MSI is given access to key vault as documented [here](backup-azure-database-postgresql-overview.md#set-of-permissions-needed-for-azure-postgresql-database-backup).

+## UserErrorSSLDisabled

+SSL needs to be enabled for connections to the server.

+## UserErrorDBNotFound

+Ensure that the database and the relevant server exist.

+## UserErrorDatabaseNameAlreadyInUse

+The name given for the restored database already exists and hence the restore operation failed. Retry the restore operation with a different name.

+## UserErrorServerConnectionClosed

+The operation failed because the server closed the connection unexpectedly. Retry the operation and if the error still persists, please contact Microsoft Support.

+ - Oracle (You'll need an Oracle account for access.)

+4. Select **Certificate permissions**. Select the check box for **Get** to allow CDN permissions to get the certificates.

+5. Select **Secret permissions**. Select the check box for **Get** to allow CDN permissions to get the secrets:

+documentationcenter:

+To specify a blob's `Cache-Control` header by using .NET code, use the [Azure Storage Client Library for .NET](../storage/blobs/storage-quickstart-blobs-dotnet.md) to set the [BlobHttpHeaders.CacheControl](/dotnet/api/azure.storage.blobs.models.blobhttpheaders.cachecontrol?view=azure-dotnet&preserve-view=true) property.

+The [Azure IoT CLI extension](/cli/azure/ext/azure-iot/iot/product?view=azure-cli-latest&preserve-view=true) lets you validate that the device implementation matches the model before you submit the device for certification through the Azure Certified Device portal.

+Install the [Azure CLI](/cli/azure/install-azure-cli) and review the installation instructions to set up the [Azure CLI](/cli/azure/iot?view=azure-cli-latest&preserve-view=true) in your environment.

+To learn more, see [Azure CLI for Azure IoT](/cli/azure/iot/product?view=azure-cli-latest&preserve-view=true).

+| Description | Add CPU pressure up to the specified value on the VM where this fault is injected for the duration of the fault action. The artificial CPU pressure is removed at the end of the duration or if the experiment is canceled. On Windows, the "% Processor Utility" performance counter is used at fault start to determine current CPU percentage and this is subtracted from the pressureLevel defined in the fault so that % Processor Utility will hit approximately the pressureLevel defined in the fault parameters. |

+To test out this feature, try this SDK [Notebook](https://github.com/Azure-Samples/AnomalyDetector/blob/master/ipython-notebook/API%20Sample/Multivariate%20API%20Demo%20Notebook.ipynb). For more instructions on how to run a jupyter notebook, please refer to [Install and Run a Jupyter Notebook](https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/install.html#).

+ * `severity` indicates the relative severity of the anomaly and for normal data it is always 0.

+ * `severity` indicates the relative severity of the anomaly and for abnormal data it is always greater than 0.

+ //more timestamps

+ //more timestamps

+ //more timestamps

+* [Best practices for using the Multivariate Anomaly Detector API](../concepts/best-practices-multivariate.md)

+* [Join us to get more supports!](https://aka.ms/adadvisorsjoin)

+Use this quickstart to create a Cognitive Services resource using [Azure Command-Line Interface (CLI)](/cli/azure/install-azure-cli) commands. After creating the resource, use the keys and endpoint generated for you to authenticate your applications.

+Azure Cognitive Services is a cloud-based service with REST APIs, and client library SDKs available to help developers build cognitive intelligence into applications without having direct artificial intelligence (AI) or data science skills or knowledge. Azure Cognitive Services enables developers to easily add cognitive features into their applications with cognitive solutions that can see, hear, speak, understand, and even begin to reason.

+## Types of Cognitive Services resource

+Before creating a Cognitive Services resource, you must have an Azure resource group to contain the resource. When you create a new resource, you can either create a new resource group, or use an existing one. This article shows how to create a new resource group.

+When creating a new resource, you'll need to know the "kind" of service you want to use, along with the [pricing tier](https://azure.microsoft.com/pricing/details/cognitive-services/) (or sku) you want. You'll use this and other information as parameters when creating the resource.

+To create and subscribe to a new Cognitive Services resource, use the [az cognitiveservices account create](/cli/azure/cognitiveservices/account#az-cognitiveservices-account-create) command. This command adds a new billable resource to the resource group created earlier. When creating your new resource, you'll need to know the "kind" of service you want to use, along with its pricing tier (or sku) and an Azure location:

+Use this quickstart to create a Cognitive Services resource. After you create a Cognitive Service resource in the Azure portal , you'll get an endpoint and a key for authenticating your applications.

+## Types of Cognitive Services resource

+<!--

+-->

+1. Locate the resource group containing the resource to be deleted.

+1. If you want to delete the entire resource group, select the resource group name. On the next page, Select **Delete resource group**, and confirm.

+1. If you want to delete only the Cognitive Service resource, select the resource group to see all the resources within it. On the next page, select the resource that you want to delete, click the ellipsis menu for that row, and select **Delete**.

+| fix problems | `troubleshoot`, `diagnostic`|

+| whiteboard | `white board`, `white canvas` |

+| bluetooth | `blue tooth`, `BT` |

+ "diagnostic",

+ "white board",

+ "white canvas"

+ "blue tooth",

+ "BT"

+- This is not an issue in macOS Chrome nor macOS Safari because the OS will let processes/threads share the camera device.

+### Screen sharing

+#### Closing out of application does not stop it from being shared

+For example, lets say that from Chromium, you screen share the Microsoft Teams application. You then click on the "X" button on the Teams application to close it. The Teams application will not be closed and it will still be running in the background. You will even still see the icon in the bottom right of your desktop bar. Since the Teams application is still running, that means that it is still being screen shared and the remote participant in the call can still see your Teams application being screen shared. In order to stop the application from being screen shared, you will have to right click its icon on the desktop bar and then click on quit. Or you will have to click on "Stop sharing" button on the browser. Or call the sdk's Call.stopScreenSharing() API.

+#### Safari can only do full screen sharing

+Safari only allows to screen share the entire screen. Unlike Chromium, which lets you screen share full screen, specific desktop app, or specific browser tab.

+#### Screen sharing permissions on macOS

+In order to do screen sharing in macOS Safari or macOs Chrome, screen recording permissions must be granted to the browsers in the OS menu: "Systems Preferences" -> "Security & Privacy" -> "Screen Recording".

+If you are looking to build your own Network Diagnostic Tool or to perform deeper integration of this tool into your application, you can levearge [pre-call diagnostic APIs](../voice-video-calling/pre-call-diagnostics.md) for the calling SDK.

+- [Use Pre-Call Diagnostic APIs to build your own tech check](../voice-video-calling/pre-call-diagnostics.md)

+- [Debug your application with Monitoring tool](./real-time-inspection.md)

+The tool can be accessed through an npm package `@azure/communication-monitoring`. The package contains the `CommunicationMonitoring` object that can be attached to a `Call`. Instructions on how to initialize the required `CallClient` and `CallAgent` objects can be found [here](https://docs.microsoft.com/azure/communication-services/how-tos/calling-sdk/manage-calls?pivots=platform-web#initialize-required-objects). `CommunicationMonitoring` also requires an `HTMLDivElement` as part of its constructor on which it will be rendered. The `HTMLDivElement` will dictate the size of the rendered panel.

+ callClient = {INSERT CALL CLIENT OBJECT},

+ callAgent = {INSERT CALL AGENT OBJECT},

+1. Find and select the [SQL Server trigger](/connectors/sql) that you want to use.

+ 1. From the triggers list, select the SQL trigger that you want.

+ This example continues with the trigger named **When an item is created**.

+1. Provide the [information for your connection](#create-connection). When you're done, select **Create**.

+1. After the trigger information box appears, specify the interval and frequency for how often the trigger checks the table.

+ For example, to view the data in this row, you can add other actions that create a file that includes the fields from the returned row, and then send email alerts. To learn about other available actions for this connector, see the [SQL Server managed connector reference](/connectors/sql/).

+1. Find and select the [SQL Server trigger](/connectors/sql) that you want to use.

+ 1. From the triggers list, select the SQL trigger that you want.

+ This example continues with the trigger named **When an item is created**.

+1. Provide the [information for your connection](#create-connection). When you're done, select **Create**.

+1. After the trigger information box appears, specify the interval and frequency for how often the trigger checks the table.

+ For example, to view the data in this row, you can add other actions that create a file that includes the fields from the returned row, and then send email alerts. To learn about other available actions for this connector, see the [SQL Server managed connector reference](/connectors/sql/).

+When you save your workflow, this step automatically publishes your updates to your deployed logic app, which is live in Azure. With only a trigger, your workflow just checks the SQL database based on your specified schedule. You have to [add an action](#add-sql-action) that responds to the trigger.

+1. Find and select the [SQL Server action](/connectors/sql) that you want to use.

+ This example continues with the action named **Get row**.

+ 1. From the actions list, select the SQL Server action that you want.

+ This example uses the **Get row** action, which gets a single record.

+1. Provide the [information for your connection](#create-connection). When you're done, select **Create**.

+1. Find and select the SQL Server action that you want to use.

+1. Provide the [information for your connection](#create-connection). When you're done, select **Create**.

+> Container Apps environments are deployed on a virtual network. This network can be managed or custom (pre-configured by the user beforehand). In either case, the environment has dependencies on services outside of that virtual network. For a list of these dependencies see [Outbound FQDN dependencies](firewall-integration.md#outbound-fqdn-dependencies).

+> Container Apps environments are deployed on a virtual network. This network can be managed or custom (pre-configured by the user beforehand). In either case, the environment has dependencies on services outside of that virtual network. For a list of these dependencies see [Outbound FQDN dependencies](firewall-integration.md#outbound-fqdn-dependencies).

+This article covers the syntax and properties for the YAML file supported by Azure Container Instances to configure a [container group](container-instances-container-groups.md). Use a YAML file to input the group configuration to the [az container create][az-container-create] command in the Azure CLI.

+A YAML file is a convenient way to configure a container group for reproducible deployments. It's a concise alternative to using a [Resource Manager template](/azure/templates/Microsoft.ContainerInstance/2019-12-01/containerGroups) or the Azure Container Instances SDKs to create or update a container group.

+> This reference applies to YAML files for Azure Container Instances REST API version `2021-10-01`.

+## Schema

+```yaml

+apiVersion: '2021-10-01'

+| apiVersion | enum | Yes | **2021-10-01 (latest)**, 2021-09-01, 2021-07-01, 2021-03-01, 2020-11-01, 2019-12-01, 2018-10-01, 2018-09-01, 2018-07-01, 2018-06-01, 2018-04-01 |

+| Name | Type | Required | Value |

+| vaultBaseUrl | string | Yes | The keyvault base url. |

+| keyName | string | Yes | The encryption key name. |

+| keyVersion | string | Yes | The encryption key version. |

+| Name | Type | Required | Value |

+| name | string | Yes | The name for the init container. |

+| properties | object | Yes | The properties for the init container. - [InitContainerPropertiesDefinition object](#initcontainerpropertiesdefinition-object)

+| Name | Type | Required | Value |

+| image | string | No | The image of the init container. |

+| command | array | No | The command to execute within the init container in exec form. - string |

+| environmentVariables | array | No |The environment variables to set in the init container. - [EnvironmentVariable object](#environmentvariable-object)

+| volumeMounts | array | No | The volume mounts available to the init container. - [VolumeMount object](#volumemount-object)

+If you have an Enterprise Agreement, you can [Create and edit budgets with PowerShell](tutorial-acm-create-budgets.md#create-and-edit-budgets-with-powershell). However, we recommend that you use REST APIs to create and edit budgets because CLI commands might not support the latest version of the APIs.

+If you're an EA customer, you can create and edit budgets programmatically using the Azure PowerShell module. However, we recommend that you use REST APIs to create and edit budgets because CLI commands might not support the latest version of the APIs.

+> [!NOTE]

+> Customers with a Microsoft Customer Agreement should use the [Budgets REST API](/rest/api/consumption/budgets/create-or-update) to create budgets programmatically because PowerShell and CLI aren't yet supported.

+> [!NOTE]

+> The Azure Marketplace price list feature in the EA portal is retired. The same feature is available in the Azure portal.

+* An existing Owner of the Enrollment Account can [grant you access](/rest/api/billing/2019-10-01-preview/enrollmentaccountroleassignments/put).

+> - The Enrollment Account information is only visible when the user's role is Account Owner. When a user has multiple roles, the API uses the user's least restrictive role.

+If you have multiple user roles in addition to the Account Owner role, then you must retrieve the account ID from the Azure portal. Then you can use the ID to programmatically create subscriptions.

+For more information, see the Usage details field [Definitions](/rest/api/consumption/usagedetails/list#definitions).

+For information about permissions needed to view and manage reservations, see [Who can manage a reservation by default](view-reservations.md#who-can-manage-a-reservation-by-default).

+**The Reserve Bank of India has issued new directives.**

+On 1 October 2021, automatic payments in India may block some credit card transactions, especially transactions exceeding 5,000 INR. Because of this you may need to make payments manually in the Azure portal. This directive will not affect the total amount you will be charged for your Azure usage.

+[Learn more about the Reserve Bank of India directive; Processing of e-mandate on cards for recurring transactions](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11668&Mode=0)

+[Learn about the Reserve Bank of India directive; Restriction on storage of actual card data ](https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12211)

+This article applies to the **Azure Stack Edge 2205** release, which maps to software version number **2.2.1983.5094**. This software can be applied to your device if you're running at least Azure Stack Edge 2106 (2.2.1636.3457) software.

+|**2.**|HPN VMs | In the previous release, the Standard_F12_HPN could only support one network interface and couldn't be used for Multi-Access Edge Computing (MEC) deployments. This issue is fixed in this release. |

+| SsemUserErrorInvalidKeyVaultUrl<br>(Command-line only) | An invalid key vault URI was used. | Get the correct key vault URI. To get the key vault URI, use [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault?view=azps-7.1.0&preserve-view=true) in PowerShell. |

+To view the alerts, open **Defender for Cloud** in the Azure portal and select **Security alerts**. Under **Threat Protection**, select **Security alerts**. The following screenshot shows an example of the DDoS attack alerts.

+- **Extensive mitigation scale:** all L3/L4 attack vectors can be mitigated, with global capacity, to protect against the largest known DDoS attacks.

+Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:

+- **Provides hardening recommendations** based on any identified security misconfigurations and weaknesses. Use these security recommendations to strengthen the security posture of your organization's Azure, hybrid, and multicloud resources.

+- [A new name for multicloud security: Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/a-new-name-for-multi-cloud-security-microsoft-defender-for-cloud/ba-p/2943020)

+Learn more from the product manager about [Microsoft Defender for Containers in a multicloud environment](episode-nine.md).

+- [A new name for multicloud security: Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/a-new-name-for-multi-cloud-security-microsoft-defender-for-cloud/ba-p/2943020)

+This solution monitors the growing attack surface of multicloud Kubernetes deployments and tracks the [MITRE ATT&CK® matrix for Containers](https://www.microsoft.com/security/blog/2021/04/29/center-for-threat-informed-defense-teams-up-with-microsoft-partners-to-build-the-attck-for-containers-matrix/), a framework that was developed by the [Center for Threat-Informed Defense](https://mitre-engenuity.org/ctid/) in close partnership with Microsoft and others.

+Microsoft Defender for SQL includes two Microsoft Defender plans that extend Microsoft Defender for Cloud's [data security package](/azure/azure-sql/database/azure-defender-for-sql) to protect your SQL estate regardless of where it is located (Azure, multicloud or Hybrid environments). Microsoft Defender for SQL includes functions that can be used to discover and mitigate potential database vulnerabilities. Defender for SQL can also detect anomalous activities that may be an indication of a threat to your databases.

+To protect SQL databases in hybrid and multicloud environments, Defender for Cloud uses Azure Arc. Azure ARC connects your hybrid and multicloud machines. You can check out the following articles for more information:

+ - Multicloud SQL servers:

+> [Microsoft Defender for Containers in a Multicloud Environment](episode-nine.md)

+**Episode description**: In this episode of Defender for Cloud in the field, Aviv Mor joins Yuri Diogenes to talk about Microsoft Defender for Servers updates, including the new integration with TVM. Aviv explains how this new integration with TVM works, the advantages of this integration, which includes software inventory and easy experience to onboard. Aviv also covers the integration with MDE for Linux and the Defender for Servers support for the new multicloud connector for AWS.

+ Title: Microsoft Defender for Containers in a multicloud environment

+# Microsoft Defender for Containers in a Multicloud Environment

+Maya explains about the new workload protection capabilities related to Containers when they're deployed in a multicloud environment. Maya also demonstrates the onboarding experience in GCP and how to visualize security recommendations across AWS, GCP, and Azure in a single dashboard.

+- [01:12](/shows/mdc-in-the-field/containers-multi-cloud#time=01m12s) - Container protection in a multicloud environment

+**Episode description**: In this episode of Defender for Cloud in the field, Or Serok joins Yuri Diogenes to share the new GCP Connector in Microsoft Defender for Cloud. Or explains the use case scenarios for the new connector and how the new connector works. She demonstrates the onboarding process to connect GCP with Microsoft Defender for Cloud and talks about custom assessment and the CSPM experience for multicloud

+**Episode description**: In this episode Carlos Faria, Microsoft Cybersecurity Consultant joins Yuri to talk about lessons from the field and how customers are using Microsoft Defender for Cloud to improve their security posture and protect their workloads in a multicloud environment.

+- [4:42](/shows/mdc-in-the-field/lessons-from-the-field#time=04m42s) - How a multicloud affects the CSPM lifecycle and how Defender for Cloud fits in?

+**Episode description**: In this episode of Defender for Cloud in the field, Maya Herskovic joins Yuri Diogenes to talk about Microsoft Defender for Containers. Maya explains what's new in Microsoft Defender for Containers, the new capabilities that are available, the new pricing model, and the multicloud coverage. Maya also demonstrates the overall experience of Microsoft Defender for Containers from the recommendations to the alerts that you may receive.

+Similarly, you can use private endpoints for your Azure Digital Twins instance to allow clients located in your virtual network to securely access the instance over Private Link. Configuring a private endpoint for your Azure Digital Twins instance enables you to secure your Azure Digital Twins instance and eliminate public exposure. Additionally, it helps avoid data exfiltration from your [Azure Virtual Network (VNet)](../virtual-network/virtual-networks-overview.md).

+ Title: Enable private access to Azure Digital Twins

+description: Learn how to enable private access to your Azure Digital Twins solutions, using Azure Private Link.

+# Enable private access to Azure Digital Twins using Private Link

+By using Azure Digital Twins together with [Azure Private Link](../private-link/private-link-overview.md), you can enable private endpoints for your Azure Digital Twins instance, to eliminate public exposure and allow clients located in your virtual network to securely access the instance over Private Link. For more information about this security strategy for Azure Digital Twins, see [Private Link with a private endpoint for an Azure Digital Twins instance](concepts-security.md#private-network-access-with-azure-private-link).

+1. View, edit, or delete a private endpoint from an Azure Digital Twins instance.

+1. Disable or enable public network access flags, to restrict API access for an Azure Digital Twins to Private Link connections only.

+

+This article also contains information for deploying Azure Digital Twins with Private Link using an ARM template, and troubleshooting the configuration.

+## Add private endpoints to Azure Digital Twins

+## Manage private endpoints

+## Troubleshoot

+Here are some common issues that might arise when using Private Link with Azure Digital Twins.

+- When migrating to SQL Server on Azure Virtual Machines, SQL Server 2008 and below as target versions are not supported currently.

+- If you are using SQL Server 2012 or SQL Server 2014 you need to store your source database backup files on an Azure Storage Blob Container instead of using the network share option. Store the backup files as page blobs since block blobs are only supported in SQL 2016 and after.

+ Title: 'Tutorial: Create an Azure child DNS zone'

+description: In this tutorial, you learn how to create child DNS zones in Azure portal.

+# Tutorial: Create a new Child DNS zone

+> * Create a child DNS zone via parent DNS zone.

+> * Create a child DNS zone via new DNS zone.

+> * Verify NS Delegation for the new Child DNS zone.

+* An Azure account with an active subscription. If you don't have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* A parent Azure DNS zone. If you don't have one, you can [create a DNS zone](./dns-getstarted-portal.md#create-a-dns-zone).

+In this tutorial, we'll use `contoso.com` as the parent zone and `subdomain.contoso.com` as the child domain name. Replace `contoso.com` with your parent domain name and `subdomain` with your child domain.

+There are two ways you can create your child DNS zone:

+1. Through the parent DNS zone's **Overview** page.

+1. Through the **Create DNS zone** page.

+## Create a child DNS zone via parent DNS zone Overview page

+You'll create a new child DNS zone and delegate it to the parent DNS zone using the **Child Zone** button from parent zone **Overview** page. Using this button, the parent parameters are automatically pre-populated.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the Azure portal, enter *contoso.com* in the search box at the top of the portal and then select **contoso.com** DNS zone from the search results.

+1. In the **Overview** page, select the **+Child zone** button.

+ :::image type="content" source="./media/tutorial-public-dns-zones-child/child-zone-button.png" alt-text="Screenshot of D N S zone showing the child zone button.":::

+1. In the **Create DNS zone**, enter or select this information in the **Basics** tab:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your Azure subscription.|

+ | Resource group | Select an existing resource group for the child zone or create a new one by selecting **Create new**. </br> In this tutorial, the resource group **MyResourceGroup** of the parent DNS zone is selected. |

+ | **Instance details** | |

+ | Name | Enter your child zone name. In this tutorial, *subdomain* is used. Notice that the parent DNS zone name `contoso.com` is automatically added as a suffix to **Name**. |

+ | Resource group location | The resource group location is selected for you if you selected an existing resource group for the child zone. </br> Select the resource group location if you created a new resource group for the child zone. </br> The resource group location doesn't affect your DNS zone service, which is global and not bound to a location. |

+ :::image type="content" source="./media/tutorial-public-dns-zones-child/child-zone-via-overview-page.png" alt-text="Screenshot of Create D N S zone page accessed via the Add child zone button.":::

+ > [!NOTE]

+ > Parent zone information is automatically pre-populated with child zone option box already checked.

+1. Select **Review + create** button.

+1. Select **Create** button. It may take a few minutes to create the child zone.

+## Create a child DNS zone via Create DNS zone

+You'll create a new child DNS zone and delegate it to the parent DNS zone using the **Create DNS zone** page.

+1. On the Azure portal menu or from the **Home** page, select **Create a resource** and then select **Networking**.

+1. Select **DNS zone** and then select the **Create** button.

+1. In **Create DNS zone**, enter or select this information in the **Basics** tab:

+ | Setting | Value |

+ | - | -- |

+ | **Project details** | |

+ | Subscription | Select your Azure subscription.|

+ | Resource group | Select an existing resource group or create a new one by selecting **Create new**. </br> In this tutorial, the resource group **MyResourceGroup** of the parent DNS zone is selected. |

+ | **Instance details** | |

+ | This zone is a child of an existing zone already hosted in Azure DNS | Check this checkbox. |

+ | Parent zone subscription | Select your Azure subscription under which parent DNS zone `contoso.com` was created. |

+ | Parent zone | In the search bar, enter *contoso.com* to load it in dropdown list. Once loaded, select it from dropdown list. |

+ | Name | Enter your child zone name. In this tutorial, *subdomain* is used. Notice that the parent DNS zone name `contoso.com` is automatically added as a suffix to **Name** after you selected parent zone from the previous step. |

+ | Resource group location | The resource group location is selected for you if you selected an existing resource group for the child zone. </br> Select the resource group location if you created a new resource group for the child zone. </br> The resource group location doesn't affect your DNS zone service, which is global and not bound to a location. |

+ :::image type="content" source="./media/tutorial-public-dns-zones-child/child-zone-via-create-dns-zone-page.png" alt-text="Screenshot of Create D N S zone page accessed via the Create button of D N S zone page.":::

+1. Select **Review + create** button.

+1. Select **Create** button. It may take a few minutes to create the zone.

+## Verify the child DNS zone

+After the new child DNS zone `subdomain.contoso.com` created, verify that the delegation configured correctly. You'll need to check that your child zone name server (NS) records are in the parent zone as described below.

+### Retrieve name servers of child DNS zone

+1. In the Azure portal, enter *subdomain.contoso.com* in the search box at the top of the portal and then select **subdomain.contoso.com** DNS zone from the search results.

+1. Retrieve the name servers from the DNS zone **Overview** page. In this example, the zone `subdomain.contoso.com` has been assigned name servers `ns1-05.azure-dns.com.`, `ns2-05.azure-dns.net.`, `ns3-05.azure-dns.org.`, and `ns4-05.azure-dns.info.`:

+ :::image type="content" source="./media/tutorial-public-dns-zones-child/child-zone-name-servers-inline.png" alt-text="Screenshot of child D N S zone Overview page showing its name servers." lightbox="./media/tutorial-public-dns-zones-child/child-zone-name-servers-expanded.png":::

+### Check the NS record set in parent DNS zone

+After retrieving the name servers from the child DNS zone, check that the parent DNS zone `contoso.com` has the NS record set entry for its child zone name servers.

+1. In the Azure portal, enter *contoso.com* in the search box at the top of the portal and then select **contoso.com** DNS zone from the search results.

+1. Check the record sets in **Overview** page of **contoso.com** DNS zone.

+1. You'll find a record set of type **NS** and name **subdomain** created in the parent DNS zone. Compare the name servers in this record set with the ones you retrieved from the **Overview** page of the child DNS zone.

+ :::image type="content" source="./media/tutorial-public-dns-zones-child/parent-zone-name-servers-inline.png" alt-text="Screenshot of child zone name servers validation in the parent D N S zone Overview page." lightbox="./media/tutorial-public-dns-zones-child/parent-zone-name-servers-expanded.png":::

+When no longer needed, you can delete all resources created in this tutorial by following these steps to delete the resource group **MyResourceGroup**:

+1. On the Azure portal menu, select **Resource groups**.

+2. Select the **MyResourceGroup** resource group.

+3. Select **Delete resource group**.

+4. Enter *MyResourceGroup* and select **Delete**.

+#### Prepare your key vault and certificate

+- You must have a key vault account in the same Azure subscription as your front door. Create a key vault account if you don't have one.

+ > [!WARNING]

+ > Azure Front Door currently only supports Key Vault accounts in the same subscription as the Front Door configuration. Choosing a Key Vault under a different subscription than your Front Door will result in a failure.

+- If your key vault has network access restrictions enabled, you must configure your key vault to allow trusted Microsoft services to bypass the firewall.

+- Your key vault must be configured to use the *Key Vault access policy* permission model.

+- If you already have a certificate, you can upload it directly to your key vault. Otherwise, create a new certificate directly through Azure Key Vault from one of the partner certificate authorities (CAs) that Azure Key Vault integrates with. Upload your certificate as a **certificate** object, rather than a **secret**.

+> Front Door doesn't support certificates with elliptic curve (EC) cryptography algorithms. The certificate must have a complete certificate chain with leaf and intermediate certificates, and root CA must be part of the [Microsoft Trusted CA list](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).

+Register the service principal for Azure Front Door as an app in your Azure Active Directory (Azure AD) by using Azure PowerShell or the Azure CLI.

+> This action requires you to have Global Administrator permissions in Azure AD. The registration only needs to be performed **once per Azure AD tenant**.

+ New-AzADServicePrincipal -ApplicationId 'ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037' -Role Contributor

+ SP_ID=$(az ad sp create --id ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037 --query objectId -o tsv)

+Grant Azure Front Door permission to access the certificates in your Azure Key Vault account.

+1. In your key vault account, select **Access policies**.

+1. Select **Create** to create a new access policy.

+1. In **Secret permissions**, select **Get** to allow Front Door to retrieve the certificate.

+1. In **Certificate permissions**, select **Get** to allow Front Door to retrieve the certificate.

+1. In **Select principal**, search for **ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037**, and select **Microsoft.Azure.Frontdoor**. Select **Next**.

+1. In **Application**, select **Next**.

+1. In **Review + create**, select **Create**.

+> [!NOTE]

+> If your key vault is protected with network access restrictions, make sure to allow trusted Microsoft services to access your key vault.

+Azure Front Door can now access this key vault and the certificates it contains.

+ > In order for the certificate to be automatically rotated to the latest version when a newer version of the certificate is available in your Key Vault, please set the secret version to 'Latest'. If a specific version is selected, you have to re-select the new version manually for certificate rotation. It takes up to 48 hours for the new version of the certificate/secret to be deployed.

+Azure Front Door Classic/Standard/Premium SKUs are available in Microsoft Azure (Commercial) and Azure Front Door Classic SKU is available in Microsoft Azure Government (US).

+The Azure Front Door Private Link feature is region agnostic but for the best latency, you should always pick an Azure region closest to your origin when choosing to enable Azure Front Door Private Link endpoint.

+#### Prepare your key vault and certificate

+- You must have a key vault in the same Azure subscription as your Azure Front Door Standard/Premium profile. Create a key vault if you don't have one.

+ > Azure Front Door currently only supports key vaults in the same subscription as the Front Door profile. Choosing a key vault under a different subscription than your Azure Front Door Standard/Premium profile will result in a failure.

+- If your key vault has network access restrictions enabled, you must configure your key vault to allow trusted Microsoft services to bypass the firewall.

+- Your key vault must be configured to use the *Key Vault access policy* permission model.

+- If you already have a certificate, you can upload it to your key vault. Otherwise, create a new certificate directly through Azure Key Vault from one of the partner certificate authorities (CAs) that Azure Key Vault integrates with. Upload your certificate as a **certificate** object, rather than a **secret**.

+> [!NOTE]

+> Front Door doesn't support certificates with elliptic curve (EC) cryptography algorithms. The certificate must have a complete certificate chain with leaf and intermediate certificates, and root CA must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).

+Register the service principal for Azure Front Door as an app in your Azure Active Directory (Azure AD) by using Azure PowerShell or the Azure CLI.

+> This action requires you to have Global Administrator permissions in Azure AD. The registration only needs to be performed **once per Azure AD tenant**.

+##### Azure PowerShell

+2. In PowerShell, run the following command:

+ ```azurepowershell-interactive

+ New-AzADServicePrincipal -ApplicationId '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8' -Role Contributor

+ ```

+##### Azure CLI

+1. If need, install [Azure CLI](/cli/azure/install-azure-cli) on your local machine.

+2. In CLI, run the following command:

+ ```azurecli-interactive

+ SP_ID=$(az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8 --query objectId -o tsv)

+ az role assignment create --assignee $SP_ID --role Contributor

+ ```

+Grant Azure Front Door permission to access the certificates in your Azure Key Vault account.

+1. In your key vault account, select **Access policies**.

+1. Select **Add new** or **Create** to create a new access policy.

+1. In **Select principal**, search for **205478c0-bd83-4e1b-a9d6-db63a3e1e1c8**, and select **Microsoft.AzureFrontDoor-Cdn**. Select **Next**.

+1. In **Application**, select **Next**.

+1. In **Review + create**, select **Create**.

+> If your key vault is protected with network access restrictions, make sure to allow trusted Microsoft services to access your key vault.

+Azure Front Door can now access this key vault and the certificates it contains.

+1. On the **Add certificate** page, select the checkbox for the certificate you want to add to Azure Front Door Standard/Premium.

+1. When you select a certificate, you must [select the certificate version](#rotate-own-certificate). If you select **Latest**, Azure Front Door will automatically update whenever the certificate is rotated (renewed). Alternatively, you can select a specific certificate version if you prefer to manage certificate rotation yourself.

+ Leave the version selection as "Latest" and select **Add**.

+ > The common name (CN) of the selected certificate must match the custom domain being added.

+### Azure-managed certificate

+Azure-managed certificates are automatically rotated when your custom domain uses a CNAME record that points to an Azure Front Door standard or premium endpoint.

+Front Door won't automatically rotate certificates in the following scenarios:

+* The custom domain's CNAME record is pointing to other DNS resources.

+* The custom domain points to Azure Front Door through a long chain. For example, if you put Azure Traffic Manager before Azure Front Door, the CNAME chain is `contoso.com` CNAME in `contoso.trafficmanager.net` CNAME in `contoso.z01.azurefd.net`.

+The domain validation state will become *Pending Revalidation* 45 days before the managed certificate expires, or *Rejected* if the managed certificate issuance is rejected by the certificate authority. Refer to [Add a custom domain](how-to-add-custom-domain.md#domain-validation-state) for actions for each of the domain states.

+### <a name="rotate-own-certificate"></a>Use your own certificate

+In order for the certificate to be automatically rotated to the latest version when a newer version of the certificate is available in your key vault, set the secret version to 'Latest'. If a specific version is selected, you have to reselect the new version manually for certificate rotation. It takes up to 24 hours for the new version of the certificate/secret to be automatically deployed.

+Windows

+- Azure VM: `C:\ProgramData\GuestConfig\gc_agent_logs\gc_agent.log`

+- Arc-enabled server: `C:\ProgramData\GuestConfig\arc_policy_logs\gc_agent.log`

+- Your account must be assigned the **Owner** role at the management group or subscription scope. For more information on Azure RBAC permissions in Azure Policy, see [Overview of Azure Policy](../overview.md).

+## Submit interactive PySpark queries

+### Prerequisite for Pyspark interactive

+Note here that Jupyter Extension version (ms-jupyter): v2022.1.1001614873 and Python Extension version (ms-python): v2021.12.1559732655, python 3.6.x and 3.7.x are required for HDInsight interactive PySpark queries.

+Users can perform PySpark interactive in the following ways.

+Azure HDInsight is one of the most popular services among enterprise customers for open-source analytics on Azure.

+If you would like to subscribe on release notes, watch releases on [this GitHub repository](https://github.com/hdinsight/release-notes/releases).

+## Release date: 03/10/2022

+This release applies for HDInsight 4.0. HDInsight release is made available to all regions over several days. The release date here indicates the first region release date. If you don't see below changes, wait for the release being live in your region over several days.

+The OS versions for this release are:

+- HDInsight 4.0: Ubuntu 18.04.5

+## Spark 3.1 is now generally available

+Spark 3.1 is now Generally Available on HDInsight 4.0 release. This release includes

+* Adaptive Query Execution,

+* Convert Sort Merge Join to Broadcast Hash Join,

+* Spark Catalyst Optimizer,

+* Dynamic Partition Pruning,

+* Customers will be able to create new Spark 3.1 clusters and not Spark 3.0 (preview) clusters.

+For more details, see the [Apache Spark 3.1](https://techcommunity.microsoft.com/t5/analytics-on-azure-blog/spark-3-1-is-now-generally-available-on-hdinsight/ba-p/3253679) is now Generally Available on HDInsight - Microsoft Tech Community.

+For a complete list of improvements, see the [Apache Spark 3.1 release notes.](https://spark.apache.org/releases/spark-release-3-1-2.html)

+For more details on migration, see the [migration guide.](https://spark.apache.org/docs/latest/migration-guide.html)

+## Kafka 2.4 is now generally available

+Kafka 2.4.1 is now Generally Available. For more information, please see [Kafka 2.4.1 Release Notes.](http://kafka.apache.org/24/documentation.html)

+Other features include MirrorMaker 2 availability, new metric category AtMinIsr topic partition, Improved broker start-up time by lazy on demand mmap of index files, More consumer metrics to observe user poll behavior.

+## Map Datatype in HWC is now supported in HDInsight 4.0

+This release includes Map Datatype Support for HWC 1.0 (Spark 2.4) Via the spark-shell application, and all other all spark clients that HWC supports. Following improvements are included like any other data types:

+A user can

+* Create a Hive table with any column(s) containing Map datatype, insert data into it and read the results from it.

+* Create an Apache Spark dataframe with Map Type and do batch/stream reads and writes.

+### New regions

+HDInsight has now expanded its geographical presence to two new regions: China East 3 and China North 3.

+### OSS backport changes

+OSS backports that are included in Hive including HWC 1.0 (Spark 2.4) which supports Map data type.

+### Here are the OSS backported Apache JIRAs for this release:

+| Impacted Feature | Apache JIRA |

+||--|

+| Metastore direct sql queries with IN/(NOT IN) should be split based on max parameters allowed by SQL DB | [HIVE-25659](https://issues.apache.org/jira/browse/HIVE-25659) |

+| Upgrade log4j 2.16.0 to 2.17.0 | [HIVE-25825](https://issues.apache.org/jira/browse/HIVE-25825) |

+| Update Flatbuffer version | [HIVE-22827](https://issues.apache.org/jira/browse/HIVE-22827) |

+| Support Map data-type natively in Arrow format | [HIVE-25553](https://issues.apache.org/jira/browse/HIVE-25553) |

+| LLAP external client - Handle nested values when the parent struct is null | [HIVE-25243](https://issues.apache.org/jira/browse/HIVE-25243) |

+| Upgrade arrow version to 0.11.0 | [HIVE-23987](https://issues.apache.org/jira/browse/HIVE-23987) |

+## Deprecation notices

+### Azure Virtual Machine Scale Sets on HDInsight

+HDInsight will no longer use Azure Virtual Machine Scale Sets to provision the clusters, no breaking change is expected. Existing HDInsight clusters on virtual machine scale sets will have no impact, any new clusters on latest images will no longer use Virtual Machine Scale Sets.

+### Scaling of Azure HDInsight HBase workloads will now be supported only using manual scale

+Starting from March 01, 2022, HDInsight will only support manual scale for HBase, there's no impact on running clusters. New HBase clusters won't be able to enable schedule based Autoscaling. For more information on how to  manually scale your HBase cluster, refer our documentation on [Manually scaling Azure HDInsight clusters](./hdinsight-scaling-best-practices.md)

+Starting from January 9 2021, HDInsight will block all customers creating clusters using standand_A8, standand_A9, standand_A10 and standand_A11 VM sizes. Existing clusters will run as is. Consider moving to HDInsight 4.0 to avoid potential system/support interruption.

+HDInsight 3.6 will be end of support. Starting from June 30 2021, customers can't create new HDInsight 3.6 clusters. Existing clusters will run as is without the support from Microsoft. Consider moving to HDInsight 4.0 to avoid potential system/support interruption.

+Starting from November 16 2020, HDInsight will block new customers creating clusters using standand_A8, standand_A9, standand_A10 and standand_A11 VM sizes. Existing customers who have used these VM sizes in the past three months won't be affected. Starting from January 9 2021, HDInsight will block all customers creating clusters using standand_A8, standand_A9, standand_A10 and standand_A11 VM sizes. Existing clusters will run as is. Consider moving to HDInsight 4.0 to avoid potential system/support interruption.

+Starting from November 16 2020, HDInsight will block new customers creating clusters using standand_A8, standand_A9, standand_A10 and standand_A11 VM sizes. Existing customers who have used these VM sizes in the past three months won't be affected. Starting from January 9 2021, HDInsight will block all customers creating clusters using standand_A8, standand_A9, standand_A10 and standand_A11 VM sizes. Existing clusters will run as is. Consider moving to HDInsight 4.0 to avoid potential system/support interruption.

+HDInsight 3.6 will be end of support. Starting from June 30 2021, customers can't create new HDInsight 3.6 clusters. Existing clusters will run as is without the support from Microsoft. Consider moving to HDInsight 4.0 to avoid potential system/support interruption.

+After the **operational** stage, the cluster waits another 60 minutes for the remaining 20% worker nodes. At the end of this 60 minute, the cluster moves to the **running** stage, even if all of worker nodes are still not available. Once a cluster enters the **running** stage, you can use it as normal. Both control plan operations like scaling up/down, and data plan operations like running scripts and jobs are accepted. If some of the requested worker nodes are not available, the cluster will be marked as partial success. You are charged for the nodes that were deployed successfully.

+Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide communications security over a computer network. Learn more about [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0). HDInsight uses TLS 1.2 on public HTTP's endpoints but TLS 1.1 is still supported for backward compatibility.

+Starting from the next release, you will be able to opt in and configure your new HDInsight clusters to only accept TLS 1.2 connections.

+F-series virtual machines(VMs) is a good choice to get started with HDInsight with light processing requirements. At a lower per-hour list price, the F-series are the best value in price-performance in the Azure portfolio based on the Azure Compute Unit (ACU) per vCPU. For more information, see [Selecting the right VM size for your Azure HDInsight cluster](./hdinsight-selecting-vm-size.md).

+- [YARN-6004](https://issues.apache.org/jira/browse/YARN-6004): Refactor TestResourceLocalizationService\#testDownloadingResourcesOnContainer so that it is fewer than 150 lines.

+- [HBASE-18212](https://issues.apache.org/jira/browse/HBASE-18212): In Standalone mode with local filesystem HBase logs Warning message: Failed to invoke 'unbuffer' method in class org.apache.hadoop.fs.FSDataInputStream.

+- [HBASE-18808](https://issues.apache.org/jira/browse/HBASE-18808): Ineffective config check-in BackupLogCleaner\#getDeletableFiles().

+- [*HIVE-17063*](https://issues.apache.org/jira/browse/HIVE-17063): insert overwrite partition onto an external table fails when drop partition first.

+- [*HIVE-18353*](https://issues.apache.org/jira/browse/HIVE-18353): CompactorMR should call jobclient.close() to trigger cleanup.

+- [*HIVE-18331*](https://issues.apache.org/jira/browse/HIVE-18331): Add relogin when TGT expires and some logging/lambda.

+- [STORM-2854](https://issues.apache.org/jira/browse/STORM-2854): Expose IEventLogger to make event log pluggable.

+## Release date: 06/03/2022

+## Release highlights

+**The Hive Warehouse Connector (HWC) on Spark v3.1.2**

+The Hive Warehouse Connector (HWC) allows you to take advantage of the unique features of Hive and Spark to build powerful big-data applications. HWC is currently supported for Spark v2.4 only. This feature adds business value by allowing ACID transactions on Hive Tables using Spark. This feature is useful for customers who use both Hive and Spark in their data estate.

+For more information, see [Apache Spark & Hive - Hive Warehouse Connector - Azure HDInsight | Microsoft Docs](/azure/hdinsight/interactive-query/apache-hive-warehouse-connector)

+## Ambari

+* Scaling and provisioning improvement changes

+* HDI hive is now compatible with OSS version 3.1.2

+HDI Hive 3.1 version is upgraded to OSS Hive 3.1.2. This version has all fixes and features available in open source Hive 3.1.2 version.

+> [!NOTE]

+> **Spark**

+>

+> * If you are using Azure User Interface to create Spark Cluster for HDInsight, you will see from the dropdown list an additional version Spark 3.1.(HDI 5.0) along with the older versions. This version is a renamed version of Spark 3.1.(HDI 4.0). This is only an UI level change, which doesnΓÇÖt impact anything for the existing users and users who are already using the ARM template.

+

+> [!NOTE]

+> **Interactive Query**

+>

+> * If you are creating an Interactive Query Cluster, you will see from the dropdown list an additional version as Interactive Query 3.1 (HDI 5.0).

+> * If you are going to use Spark 3.1 version along with Hive which require ACID support, you need to select this version Interactive Query 3.1 (HDI 5.0).

+

+## TEZ bug fixes

+| Bug Fixes|Apache JIRA|

+|||

+|TezUtils.createConfFromByteString on Configuration larger than 32 MB throws com.google.protobuf.CodedInputStream exception |[TEZ-4142](https://issues.apache.org/jira/browse/TEZ-4142)|

+|TezUtils createByteStringFromConf should use snappy instead of DeflaterOutputStream|[TEZ-4113](https://issues.apache.org/jira/browse/TEZ-4113)|

+## HBase bug fixes

+| Bug Fixes|Apache JIRA|

+|||

+|TableSnapshotInputFormat should use ReadType.STREAM for scanning HFiles |[HBASE-26273](https://issues.apache.org/jira/browse/HBASE-26273)|

+|Add option to disable scanMetrics in TableSnapshotInputFormat |[HBASE-26330](https://issues.apache.org/jira/browse/HBASE-26330)|

+|Fix for ArrayIndexOutOfBoundsException when balancer is executed |[HBASE-22739](https://issues.apache.org/jira/browse/HBASE-22739)|

+## Hive bug fixes

+|Bug Fixes|Apache JIRA|

+|||

+| NPE when inserting data with 'distribute by' clause with dynpart sort optimization|[HIVE-18284](https://issues.apache.org/jira/browse/HIVE-18284)|

+| MSCK REPAIR Command with Partition Filtering Fails While Dropping Partitions|[HIVE-23851](https://issues.apache.org/jira/browse/HIVE-23851)|

+| Wrong exception thrown if capacity<=0|[HIVE-25446](https://issues.apache.org/jira/browse/HIVE-25446)|

+| Support parallel load for HastTables - Interfaces|[HIVE-25583](https://issues.apache.org/jira/browse/HIVE-25583)|

+| Include MultiDelimitSerDe in HiveServer2 By Default|[HIVE-20619](https://issues.apache.org/jira/browse/HIVE-20619)|

+| Remove glassfish.jersey and mssql-jdbc classes from jdbc-standalone jar|[HIVE-22134](https://issues.apache.org/jira/browse/HIVE-22134)|

+| Null pointer exception on running compaction against an MM table.|[HIVE-21280 ](https://issues.apache.org/jira/browse/HIVE-21280)|

+| Hive query with large size via knox fails with Broken pipe Write failed|[HIVE-22231](https://issues.apache.org/jira/browse/HIVE-22231)|

+| Adding ability for user to set bind user|[HIVE-21009](https://issues.apache.org/jira/browse/HIVE-21009)|

+| Implement UDF to interpret date/timestamp using its internal representation and Gregorian-Julian hybrid calendar|[HIVE-22241](https://issues.apache.org/jira/browse/HIVE-22241)|

+| Beeline option to show/not show execution report|[HIVE-22204](https://issues.apache.org/jira/browse/HIVE-22204)|

+| Tez: SplitGenerator tries to look for plan files, which won't exist for Tez|[HIVE-22169 ](https://issues.apache.org/jira/browse/HIVE-22169)|

+| Remove expensive logging from the LLAP cache hotpath|[HIVE-22168](https://issues.apache.org/jira/browse/HIVE-22168)|

+| UDF: FunctionRegistry synchronizes on org.apache.hadoop.hive.ql.udf.UDFType class|[HIVE-22161](https://issues.apache.org/jira/browse/HIVE-22161)|

+| Prevent the creation of query routing appender if property is set to false|[HIVE-22115](https://issues.apache.org/jira/browse/HIVE-22115)|

+| Remove cross-query synchronization for the partition-eval|[HIVE-22106](https://issues.apache.org/jira/browse/HIVE-22106)|

+| Skip setting up hive scratch dir during planning|[HIVE-21182](https://issues.apache.org/jira/browse/HIVE-21182)|

+| Skip creating scratch dirs for tez if RPC is on|[HIVE-21171](https://issues.apache.org/jira/browse/HIVE-21171)|

+| switch Hive UDFs to use Re2J regex engine|[HIVE-19661 ](https://issues.apache.org/jira/browse/HIVE-19661)|

+| Migrated clustered tables using bucketing_version 1 on hive 3 uses bucketing_version 2 for inserts|[HIVE-22429](https://issues.apache.org/jira/browse/HIVE-22429)|

+| Bucketing: Bucketing version 1 is incorrectly partitioning data|[HIVE-21167 ](https://issues.apache.org/jira/browse/HIVE-21167)|

+| Adding ASF License header to the newly added file|[HIVE-22498](https://issues.apache.org/jira/browse/HIVE-22498)|

+| Schema tool enhancements to support mergeCatalog|[HIVE-22498](https://issues.apache.org/jira/browse/HIVE-22498)|

+| Hive with TEZ UNION ALL and UDTF results in data loss|[HIVE-21915](https://issues.apache.org/jira/browse/HIVE-21915)|

+| Split text files even if header/footer exists|[HIVE-21924](https://issues.apache.org/jira/browse/HIVE-21924)|

+| MultiDelimitSerDe returns wrong results in last column when the loaded file has more columns than the once are present in table schema|[HIVE-22360](https://issues.apache.org/jira/browse/HIVE-22360)|

+| LLAP external client - Need to reduce LlapBaseInputFormat#getSplits() footprint|[HIVE-22221](https://issues.apache.org/jira/browse/HIVE-22221)|

+| Column name with reserved keyword is unescaped when query including join on table with mask column is rewritten (Zoltan Matyus via Zoltan Haindrich)|[HIVE-22208](https://issues.apache.org/jira/browse/HIVE-22208)|

+|Prevent LLAP shutdown on AMReporter related RuntimeException|[HIVE-22113](https://issues.apache.org/jira/browse/HIVE-22113)|

+| LLAP status service driver may get stuck with wrong Yarn app ID|[HIVE-21866](https://issues.apache.org/jira/browse/HIVE-21866)|

+| OperationManager.queryIdOperation doesn't properly clean up multiple queryIds|[HIVE-22275](https://issues.apache.org/jira/browse/HIVE-22275)|

+| Bringing a node manager down blocks restart of LLAP service|[HIVE-22219](https://issues.apache.org/jira/browse/HIVE-22219)|

+| StackOverflowError when drop lots of partitions|[HIVE-15956](https://issues.apache.org/jira/browse/HIVE-15956)|

+| Access check is failed when a temporary directory is removed|[HIVE-22273](https://issues.apache.org/jira/browse/HIVE-22273)|

+| Fix wrong results/ArrayOutOfBound exception in left outer map joins on specific boundary conditions|[HIVE-22120](https://issues.apache.org/jira/browse/HIVE-22120)|

+| Remove distribution management tag from pom.xml|[HIVE-19667](https://issues.apache.org/jira/browse/HIVE-19667)|

+| Parsing time can be high if there's deeply nested subqueries|[HIVE-21980](https://issues.apache.org/jira/browse/HIVE-21980)|

+| For ALTER TABLE t SET TBLPROPERTIES ('EXTERNAL'='TRUE'); `TBL_TYPE` attribute changes not reflecting for non-CAPS|[HIVE-20057 ](https://issues.apache.org/jira/browse/HIVE-20057)|

+| JDBC: HiveConnection shades log4j interfaces|[HIVE-18874](https://issues.apache.org/jira/browse/HIVE-18874)|

+| Update repo URLs in poms - branh 3.1 version|[HIVE-21786](https://issues.apache.org/jira/browse/HIVE-21786)|

+| DBInstall tests broken on master and branch-3.1|[HIVE-21758](https://issues.apache.org/jira/browse/HIVE-21758)|

+| Load data into a bucketed table is ignoring partitions specs and loads data into default partition|[HIVE-21564](https://issues.apache.org/jira/browse/HIVE-21564)|

+| Queries with join condition having timestamp or timestamp with local time zone literal throw SemanticException|[HIVE-21613](https://issues.apache.org/jira/browse/HIVE-21613)|

+| Analyze compute stats for column leave behind staging dir on HDFS|[HIVE-21342](https://issues.apache.org/jira/browse/HIVE-21342)|

+| Incompatible change in Hive bucket computation|[HIVE-21376](https://issues.apache.org/jira/browse/HIVE-21376)|

+| Provide a fallback authorizer when no other authorizer is in use|[HIVE-20420](https://issues.apache.org/jira/browse/HIVE-20420)|

+| Some alterPartitions invocations throw 'NumberFormatException: null'|[HIVE-18767](https://issues.apache.org/jira/browse/HIVE-18767)|

+| HiveServer2: Preauthenticated subject for http transport isn't retained for entire duration of http communication in some cases|[HIVE-20555](https://issues.apache.org/jira/browse/HIVE-20555)|

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+Azure API for FHIR, as a managed service, allows customers to persist with Fast Healthcare Interoperability Resources (FHIR&#174;) compliant healthcare data and exchange it securely through the service API. To accommodate different transaction workloads, customers can use manual scale or autoscale.

+By default, Azure API for FHIR is set to manual scale. This option works well when the transaction workloads are known and consistent. Customers can adjust the throughput `RU/s` through the portal up to 10,000 and submit a request to increase the limit.

+## Next steps

+In this document, you learned about the autoscale feature for Azure API for FHIR. For an overview about Azure API for FHIR, see

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+When you're working with healthcare data, it's important to ensure that the data is secure, and it can't be accessed by unauthorized users or applications. FHIR servers use [OAuth 2.0](https://oauth.net/2/) to ensure this data security. [Azure API for FHIR](https://azure.microsoft.com/services/azure-api-for-fhir/) is secured using [Azure Active Directory](../../active-directory/index.yml), which is an example of an OAuth 2.0 identity provider. This article provides an overview of FHIR server authorization and the steps needed to obtain a token to access a FHIR server. While these steps apply to any FHIR server and any identity provider, we'll walk through Azure API for FHIR as the FHIR server and Azure Active Directory (Azure AD) as our identity provider in this article.

+For example like when you use [authorization code flow](../../active-directory/azuread-dev/v1-protocols-oauth-code.md), accessing a FHIR server goes through the following four steps:

+1. The client makes a request to Azure API for FHIR, for example `GET /Patient`, to search all patients. When the client makes the request, it includes the access token in an HTTP request header, for example `Authorization: Bearer eyJ0e...`, where `eyJ0e...` represents the Base64 encoded access token.

+1. Azure API for FHIR validates that the token contains appropriate claims (properties in the token). If everything checks out, it will complete the request and return a FHIR bundle with results to the client.

+It's important to note that Azure API for FHIR isn't involved in validating user credentials and it doesn't issue the token. The authentication and token creation is done by Azure AD. Azure API for FHIR simply validates that the token is signed correctly (it's authentic) and that it has appropriate claims.

+Development of Fast Healthcare Interoperability Resources (FHIR&#174;) applications often involves debugging access issues. If a client is denied access to Azure API for FHIR, it's useful to understand the structure of the access token and how it can be decoded to inspect the contents (the claims) of the token.

+There are other variations (for example due to flow) for obtaining a token. Refer to the [Azure AD documentation](../../active-directory/index.yml) for details. When you use Azure API for FHIR, there are some shortcuts for obtaining an access token (such as for debugging purposes) [using the Azure CLI](get-healthcare-apis-access-token-cli.md).

+In this document, you learned some of the basic concepts involved in securing access to the Azure API for FHIR using Azure AD. For information about how to deploy the Azure API for FHIR service, see

+>[Deploy Azure API for FHIR](fhir-paas-portal-quickstart.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+The first step in the token validation is to verify that the token was issued by the correct identity provider and that it hasn't been modified. The FHIR server will be configured to use a specific identity provider known as the authority `Authority`. The FHIR server will retrieve information about the identity provider from the `/.well-known/openid-configuration` endpoint. When you use Azure Active Directory (Azure AD), the full URL is:

+When you use Azure API for FHIR, the server will validate:

+We recommend that the FHIR service be [configured to use Azure RBAC](configure-azure-rbac.md) to manage data plane role assignments. However, you can also [configure local RBAC](configure-local-rbac.md) if your FHIR service uses an external or secondary Azure AD tenant.

+A FHIR server may also validate that an access token has the scopes (in token claim `scp`) to access the part of the FHIR API that a client is trying to access. Currently, Azure API for FHIR and the FHIR server for Azure don't validate token scopes.

+Now that you know how to walk through token validation, you can complete the tutorial to create a JavaScript application and read Fast Healthcare Interoperability Resources (FHIR&#174;) data.

+>[Web application tutorial](tutorial-web-app-fhir-server.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Configure Private Link](configure-private-link.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+Azure API for FHIR will only allow authorized users to access the FHIR API. You can configure authorized users through two different mechanisms. The primary and recommended way to configure access control is using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml), which is accessible through the **Access control (IAM)** blade. Azure RBAC only works if you want to secure data plane access using the Azure Active Directory tenant associated with your subscription. If you wish to use a different tenant, the Azure API for FHIR offers a local FHIR data plane access control mechanism. The configuration options aren't as rich when using the local RBAC mechanism. For details, choose one of the following options:

+>[Deploy JavaScript application](tutorial-web-app-fhir-server.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[DaVinci Drug Formulary](davinci-drug-formulary-tutorial.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+In August 2020, CMS detailed how organizations can meet the mandate. To ensure that data can be exchanged securely and in a standardized manner, CMS identified Fast Healthcare Interoperability Resources (FHIR&#174;) version release 4 (R4) as the foundational standard required for the data exchange.

+* **Payer-to-Payer Data Exchange (Originally required Jan 1, 2022 - [Currently Delayed](https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index))** ΓÇô CMS-regulated payers are required to exchange certain patient clinical data at the patientΓÇÖs request with other payers. While there's no requirement to follow any kind of standard, applying FHIR&#174; to exchange this data is encouraged.

+>[CARIN Implementation Guide for Blue Button](carin-implementation-guide-blue-button-tutorial.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+Azure API for FHIR supports [cross-origin resource sharing (CORS)](https://wikipedia.org/wiki/Cross-Origin_Resource_Sharing). CORS allows you to configure settings so that applications from one domain (origin) can access resources from a different domain, known as a cross-domain request.

+In this article, you learned how to configure cross-origin resource sharing in Azure API for FHIR. For more information about deploying Azure API for FHIR, see

+>[Deploy Azure API for FHIR](fhir-paas-portal-quickstart.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Deploy Azure API for FHIR](fhir-paas-portal-quickstart.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Additional Settings](azure-api-for-fhir-additional-settings.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Exporting de-identified data](de-identified-export.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+In Azure, this is typically accomplished using an encryption key in the customer's Azure Key Vault. Azure SQL, Azure Storage, and Cosmos DB are some examples that provide this capability today. Azure API for FHIR leverages this support from Cosmos DB. When you create an account, you'll have the option to specify an Azure Key Vault key URI. This key will be passed on to Cosmos DB when the DB account is provisioned. When a Fast Healthcare Interoperability Resources (FHIR&#174;) request is made, Cosmos DB fetches your key and uses it to encrypt/decrypt the data.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+statement](https://touchstone.aegis.net/touchstone/testdefinitions?selectedTestGrp=/FHIRSandbox/DaVinci/FHIR4-0-1-Test/PDEX/Formulary/00-Capability&activeOnly=false&contentEntry=TEST_SCRIPTS). If you run this test without any updates, the test will fail due to missing search parameters and missing profiles.

+>[Da Vinci PDex](davinci-pdex-tutorial.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Da Vinci Plan Net](davinci-plan-net.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Export data](export-data.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+*In the Azure portal, Azure IoT Connector for FHIR is referred to as IoT Connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+Azure API for FHIR is a fully managed service, based on Fast Healthcare Interoperability Resources (FHIR®). To meet business and compliance requirements you can use the disaster recovery (DR) feature for Azure API for FHIR.

+By default, Azure API for FHIR offers data protection through backup and restore. When the disaster recovery feature is enabled, data replication begins. A data replica is automatically created and synchronized in the secondary Azure region. The initial data replication can take a few minutes to a few hours, or longer, depending on the amount of data. The secondary data replica is a replication of the primary data. It's used directly to recover the service, and it helps speed up the recovery process.

+Your access to Azure API for FHIR will be maintained if the key vault hosting the managed key in your subscription is accessible. There's a possible temporary downtime as Key Vault can take up to 20 minutes to re-establish its connection. For more information, see [Azure Key Vault availability and redundancy](../../key-vault/general/disaster-recovery-guidance.md).

+In this article, you've learned how DR for Azure API for FHIR works and how to enable it. To learn about Azure API for FHIR's other supported features, see

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Configure Private Link](configure-private-link.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Export de-identified data](de-identified-export.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+Based on your setup, refer to the how-to-guides to register your applications:

+After you've registered your applications, you can deploy Azure API for FHIR.

+>[Deploy Azure API for FHIR](fhir-paas-portal-quickstart.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[What is Azure API for FHIR?](overview.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Configure Private Link](configure-private-link.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Configure Private Link](configure-private-link.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Configure Private Link](configure-private-link.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Frequently asked questions about Azure API for FHIR](fhir-faq.yml)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+The Fast Healthcare Interoperability Resources (FHIR&#174;) specification defines a set of search parameters for all resources and search parameters that are specific to a resource(s). However, there are scenarios where you might want to search against an element in a resource that isnΓÇÖt defined by the FHIR specification as a standard search parameter. This article describes how you can define your own [search parameters](https://www.hl7.org/fhir/searchparameter.html) to be used in the Azure API for FHIR.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+*In the Azure portal, Azure IoT Connector for FHIR is referred to as IoT Connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+*In the Azure portal, Azure IoT Connector for FHIR is referred to as IoT Connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+*In the Azure portal, Azure IoT Connector for FHIR is referred to as IoT Connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+*In the Azure portal, Azure IoT Connector for FHIR is referred to as IoT Connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+*In the Azure portal, Azure IoT connector for FHIR is referred to as IoT connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+# Display and configure IoT Connector for FHIR (preview) metrics

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+*In the Azure portal, Azure IoT Connector for FHIR is referred to as IoT Connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+*In the Azure portal, Azure IoT Connector for FHIR is referred to as IoT Connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+The Fast Healthcare Interoperability Resources (FHIR&#174;) specification defines the fundamentals of search for FHIR resources. This article will guide you through some key aspects to searching resources in FHIR. For complete details about searching FHIR resources, refer to [Search](https://www.hl7.org/fhir/search.html) in the HL7 FHIR Specification. Throughout this article, we'll give examples of search syntax. Each search will be against your FHIR server, which typically has a URL of `https://<FHIRSERVERNAME>.azurewebsites.net`. In the examples, we'll use the placeholder {{FHIR_URL}} for this URL.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+# What is Azure API for FHIR?

+> [!IMPORTANT]

+> As of September 2022, the IoT Connector feature within Azure API for FHIR will be retired and replaced with the [MedTech service](../../healthcare-apis/iot/deploy-iot-connector-in-azure.md) for enhanced service quality and functionality.

+>

+> All new users are directed to deploy and use the MedTech service feature within the Azure Health Data Services. For more information about the MedTech service, see [What is the MedTech service?](../../healthcare-apis/iot/iot-connector-overview.md).

+To start working with Azure API for FHIR, follow the 5-minute quickstart to deploy the Azure API for FHIR.

+To try out the Azure IoT Connector for FHIR feature and check out the quickstart to deploy Azure IoT Connector for FHIR using the Azure portal.

+*In the Azure portal, Azure IoT Connector for FHIR is referred to as IoT Connector (preview). FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+-

+- FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[FHIR REST API capabilities for Azure API for FHIR](fhir-rest-api-capabilities.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+In this article, you've learned how to register a public client application in Azure AD. Next, test access to your FHIR Server using Postman.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+In this article, you'll learn how to register a resource (or API) application in Azure Active Directory (Azure AD). A resource application is an Azure AD representation of the FHIR server API itself and client applications can request access to the resource when authenticating. The resource application is also known as the *audience* in OAuth parlance.

+If you're using the Azure API for FHIR, a resource application is automatically created when you deploy the service. As long as you're using the Azure API for FHIR in the same Azure AD tenant as you're deploying your application, you can skip this how-to-guide and instead deploy your Azure API for FHIR to get started.

+If you're using a different Azure AD tenant (not associated with your subscription), you can import the Azure API for FHIR resource application into your tenant with

+In this article, you've learned how to register a resource application in Azure AD. Next, register your confidential client application.

+>[Register Confidential Client Application](register-confidential-azure-ad-client-app.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+Below are some examples of using Fast Healthcare Interoperability Resources (FHIR&#174;) search operations, including search parameters and modifiers, chain and reverse chain search, composite search, viewing the next entry set for search results, and searching with a `POST` request. For more information about search, see [Overview of FHIR Search](overview-of-search.md).

+In this article, you learned about how to search using different search parameters, modifiers, and FHIR search tools. For more information about FHIR Search, see

+>[Overview of FHIR Search](overview-of-search.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+In this article, you learned about the Azure Policy Regulatory Compliance controls for Azure API for FHIR. For more information, see

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+HL7 Fast Healthcare Interoperability Resources (FHIR&#174;) defines a standard and interoperable way to store and exchange healthcare data. Even within the base FHIR specification, it can be helpful to define other rules or extensions based on the context that FHIR is being used. For such context-specific uses of FHIR, **FHIR profiles** are used for the extra layer of specifications.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[DaVinci PDex](../fhir/davinci-pdex-tutorial.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+Now that you have your Azure API for FHIR deployed, you're ready to register a public client application. For more information, see

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Configure Private Link](configure-private-link.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+[SMART on FHIR](https://docs.smarthealthit.org/) is a set of open specifications to integrate partner applications with FHIR servers and electronic medical records systems that have Fast Healthcare Interoperability Resources (FHIR&#174;) interfaces. One of the main purposes of the specifications is to describe how an application should discover authentication endpoints for an FHIR server and start an authentication sequence.

+This tutorial describes how to use the proxy to enable SMART on FHIR applications with Azure API for FHIR.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+`$validate` is an operation in Fast Healthcare Interoperability Resources (FHIR&#174;) that allows you to ensure that a FHIR resource conforms to the base resource requirements or a specified profile. This is a valuable operation to ensure that the data in Azure API for FHIR has the expected attributes and values.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Using DICOMweb&trade;Standard APIs with DICOM service](dicomweb-standard-apis-with-dicom-services.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+To get started using the DICOM service, see

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[DICOM cast overview](dicom-cast-overview.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[DaVinci Drug Formulary](davinci-drug-formulary-tutorial.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[CARIN Implementation Guide for Blue Button](carin-implementation-guide-blue-button-tutorial.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[CARIN Implementation Guide for Blue Button&#174;](carin-implementation-guide-blue-button-tutorial.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Copy data from FHIR service to Azure Synapse Analytics](copy-to-synapse.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Exporting de-identified data](./de-identified-export.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Da Vinci PDex](davinci-pdex-tutorial.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[Da Vinci Plan Net](davinci-plan-net.md)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+>[FAQs about Azure API for FHIR](../azure-api-for-fhir/fhir-faq.yml)

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

+FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.