+> [!NOTE]

+> OATH verification codes generated by Authenticator aren't supported for certificate-based authentication.

+Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Authenticator app, configured for use at any time.

+When using a mobile app as a method for password reset, like the Microsoft Authenticator app, the following considerations apply if an organization has not [migrated to the centralized Authentication methods policy](how-to-authentication-methods-manage.md):

+Users can register their mobile app at [https://aka.ms/mfasetup](https://aka.ms/mfasetup), or in the combined security info registration at [https://aka.ms/setupsecurityinfo](https://aka.ms/setupsecurityinfo).

+> If The Authenticator app can't be selected as the only authentication method when only one method is required. Similarly, the Authenticator app and only one additional method cannot be selected when requiring two methods.

+Azure Active Directory allows [FIDO2 security keys](./concept-authentication-passwordless.md#fido2-security-keys) to be used as a passwordless device. The availability of FIDO2 authentication for Microsoft accounts was [announced in 2018](https://techcommunity.microsoft.com/t5/identity-standards-blog/all-about-fido2-ctap2-and-webauthn/ba-p/288910), and it became [generally available](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/passwordless-authentication-is-now-generally-available/ba-p/1994700) in March 2021. The following diagram shows which browsers and operating system combinations support passwordless authentication using FIDO2 authentication keys with Azure Active Directory. Azure AD currently supports only hardware FIDO2 keys and does not support passkeys for any platform.

+ Title: Configure AWS IAM Identity Center as an identity provider

+description: How to configure AWS IAM Identity Center as an identity provider.

+# Configure AWS IAM Identity Center as an identity provider

+If you're an Amazon Web Services (AWS) customer who uses the AWS IAM Identity Center, you can configure the Identity Center as an identity provider in Permissions Management. Configuring your AWS IAM Identity Center information allows you to receive more accurate data for your identities in Permissions Management.

+> [!NOTE]

+> Configuring AWS IAM Identity Center as an identity provider is an optional step. By configuring identity provider information, Permissions Management can read user and role access configured at AWS IAM Identity Center. Admins can see the augmented view of assigned permissions to the identities. You can return to these steps to configure an IdP at any time.

+## How to configure AWS IAM Identity Center as an identity provider

+1. If the **Data Collectors** dashboard isn't displayed when Permissions Management launches, select **Settings** (gear icon), and then select the **Data Collectors** subtab.

+2. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**. If a Data Collector already exists in your AWS account and you want to add AWS IAM integration, do the following:

+ - Select the Data Collector for which you want to configure AWS IAM.

+ - Click on the ellipsis next to theΓÇ»**Authorization Systems Status**.

+ - SelectΓÇ»**Integrate Identity Provider**.

+3. On the **Integrate Identity provider (IdP)** page, select the box for **AWS IAM Identity Center**.

+4. Fill in the following fields:

+ - The **AWS IAM Identity Center Region**. Specify the region where AWS IAM Identity Center is installed. All data configured in the IAM Identity Center

+ is stored in the Region where the IAM Identity Center is installed.

+ - Your **AWS Management Account ID**

+ - Your **AWS Management Account Role**

+5. SelectΓÇ»**Launch Management Account Template**. The template opens in a new window.

+6. If the Management Account stack is created with the Cloud Formation Template as part of the previous onboarding steps, update the stack by running ``EnableSSO`` as true. This creates a new stack when running the Management Account Template.

+The template execution attaches the AWS managed policy ``AWSSSOReadOnly`` and the newly created custom policy ``SSOPolicy`` to the AWS IAM role that allows Microsoft Entra Permissions Management to collect organizational information. The following details are requested in the template. All fields are pre-populated, and you can edit the data as you need:

+- **Stack name** ΓÇô This is the name of the AWS stack for creating the required AWS resources for Permissions Management to collect organizational information. The default value is ``mciem-org-<tenant-id>``.

+- **CFT Parameters**

+ - **OIDC Provider Role Name** ΓÇô Name of the IAM Role OIDC Provider that can assume the role. The default value is the OIDC account role (as entered in Permissions Management).

+ - **Org Account Role Name** - Name of the IAM Role. The default value is pre-populated with the Management account role name (as entered in Microsoft Entra PM).

+ - **true** ΓÇô Enables AWS SSO. The default value is ``true`` when the template is launched from the Configure Identity Provider (IdP) page, otherwise the default is ``false``.

+ - **OIDC Provider Account ID** ΓÇô The Account ID where the OIDC Provider is created. The default value is the OIDC Provider Account ID (as entered in Permissions Management).

+ - **Tenant ID** ΓÇô ID of the tenant where the application is created. The default value is ``tenant-id`` (the configured tenant).

+7. Click **Next** to review and confirm the information you've entered.

+8. Click **Verify Now & Save**.

+## Next steps

+- For information on how to attach and detach permissions AWS identities, see [Attach and detach policies for AWS identities](how-to-attach-detach-permissions.md).

+ Title: Tokens and claims overview

+# Tokens and claims overview

+A centralized identity provider is especially useful for apps that have worldwide users who don't necessarily sign in from the enterprise's network. The Microsoft identity platform authenticates users and provides security tokens, such as access tokens, refresh tokens, and ID tokens. Security tokens allow a client application to access protected resources on a resource server.

+ - **Access token** - An access token is a security token issued by an authorization server as part of an OAuth 2.0 flow. It contains information about the user and the resource for which the token is intended. The information can be used to access web APIs and other protected resources. Resources validate access tokens to grant access to a client application. For more information, see [Access tokens in the Microsoft identity platform](access-tokens.md).

+- **Refresh token** - Because access tokens are valid for only a short period of time, authorization servers sometimes issue a refresh token at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. For more information, see [Refresh tokens in the Microsoft identity platform](refresh-tokens.md).

+- **ID token** - ID tokens are sent to the client application as part of an OpenID Connect flow. They can be sent alongside or instead of an access token. ID tokens are used by the client to authenticate the user. To learn more about how the Microsoft identity platform issues ID tokens, see [ID tokens in the Microsoft identity platform](id-tokens.md).

+Many enterprise applications use SAML to authenticate users. For information on SAML assertions, see [SAML token reference](reference-saml-tokens.md).

+## Validate tokens

+It's up to the application for which the token was generated, the web app that signed in the user, or the web API being called to validate the token. The authorization server signs the token with a private key. The authorization server publishes the corresponding public key. To validate a token, the app verifies the signature by using the authorization server public key to validate that the signature was created using the private key.

+Tokens are valid for only a limited amount of time, so the authorization server frequently provides a pair of tokens. An access token is provided, which accesses the application or protected resource. A refresh token is provided, which is used to refresh the access token when the access token is close to expiring.

+Access tokens are passed to a web API as the bearer token in the `Authorization` header. An app can provide a refresh token to the authorization server. If the user access to the app wasn't revoked, it receives a new access token and a new refresh token. When the authorization server receives the refresh token, it issues another access token only if the user is still authorized.

+A claim provides assertions about one entity, such as a client application or resource owner, to another entity, such as a resource server. A claim might also be referred to as a JWT claim or a JSON Web Token claim.

+Claims are name or value pairs that relay facts about the token subject. For example, a claim might contain facts about the security principal that the authorization server authenticated. The claims present in a specific token depend on many things, such as the type of token, the type of credential used to authenticate the subject, and the application configuration.

+Applications can use claims for the following various tasks:

+* Validate the token

+* Identify the token subject's tenant

+* Display user information

+* Determine the subject's authorization

+A claim consists of key-value pairs that provide the following types of information:

+* Security token server that generated the token

+* Date when the token was generated

+* Subject (like the user, but not daemons)

+* Audience, which is the app for which the token was generated

+* App (the client) that asked for the token

+## Authorization flows and authentication codes

+Depending on how your client is built, it can use one or several of the authentication flows supported by the Microsoft identity platform. The supported flows can produce various tokens and authorization codes and require different tokens to make them work. The following table provides an overview.

+| Flow | Requires | ID token | Access token | Refresh token | Authorization code |

+||-|-|--||--|

+| [Authorization code flow](v2-oauth2-auth-code-flow.md) | | x | x | x | x |

+| [Implicit flow](v2-oauth2-implicit-grant-flow.md) | | x | x | | |

+| [Hybrid OIDC flow](v2-protocols-oidc.md#protocol-diagram-access-token-acquisition)| | x | | | x |

+| [Refresh token redemption](v2-oauth2-auth-code-flow.md#refresh-the-access-token) | Refresh token | x | x | x | |

+| [On-behalf-of flow](v2-oauth2-on-behalf-of-flow.md) | Access token | x | x| x | |

+| [Client credentials](v2-oauth2-client-creds-grant-flow.md) | | | x (App only) | | |

+Tokens issued using the implicit flow have a length limitation because they're passed back to the browser using the URL, where `response_mode` is `query` or `fragment`. Some browsers have a limit on the size of the URL that can be put in the browser bar and fail when it's too long. As a result, these tokens don't have `groups` or `wids` claims.

+## See also

+* [OAuth 2.0](active-directory-v2-protocols.md)

+* [OpenID Connect](v2-protocols-oidc.md)

+## Next steps

+1. Open a new private browser, and enter the application URI into the browser, `http://localhost:3000/`.

+- [Sign in users in your own ASP.NET web application by using an Azure AD for customers tenant](how-to-web-app-dotnet-sign-in-prepare-app.md)

+ authority: 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace the placeholder with your tenant subdomain

+ // export const silentRequest = {

+ // scopes: ["openid", "profile"],

+ // loginHint: "example@domain.net"

+ // };

+ - In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is *caseyjensen@onmicrosoft.com*, the value you should enter is *casyjensen*.

+* [Azure resource management fundamentals](secure-resource-management.md)

+* [Resource isolation in a single tenant](secure-single-tenant.md)

+* [Resource isolation with multiple tenants](secure-multiple-tenants.md)

+* [Azure resource management fundamentals](secure-resource-management.md)

+* [Resource isolation in a single tenant](secure-single-tenant.md)

+* [Resource isolation with multiple tenants](secure-multiple-tenants.md)

+* [Azure resource management fundamentals](secure-resource-management.md)

+* [Resource isolation in a single tenant](secure-single-tenant.md)

+* [Resource isolation with multiple tenants](secure-multiple-tenants.md)

+ Title: Resource isolation with multiple tenants to secure with Azure Active Directory

+description: Introduction to resource isolation with multiple tenants in Azure Active Directory.

+# Resource isolation with multiple tenants

+There are specific scenarios when delegating administration in a single tenant boundary doesn't meet your needs. In this section, there are requirements that may drive you to create a multi-tenant architecture. Multi-tenant organizations might span two or more Azure AD tenants. This can result in unique cross-tenant collaboration and management requirements. Multi-tenant architectures increase management overhead and complexity and should be used with caution. We recommend using a single tenant if your needs can be met with that architecture. For more detailed information, see [Multi-tenant user management](multi-tenant-user-management-introduction.md).

+A separate tenant creates a new boundary, and therefore decoupled management of Azure AD directory roles, directory objects, conditional access policies, Azure resource groups, Azure management groups, and other controls as described in previous sections.

+A separate tenant is useful for an organization's IT department to validate tenant-wide changes in Microsoft services such as, Intune, Azure AD Connect, or a hybrid authentication configuration while protecting an organization's users and resources. This includes testing service configurations that might have tenant-wide effects and can't be scoped to a subset of users in the production tenant.

+Deploying a non-production environment in a separate tenant might be necessary during development of custom applications that can change data of production user objects with MS Graph or similar APIs (for example, applications that are granted Directory.ReadWrite.All, or similar wide scope).

+>[!Note]

+>Azure AD Connect synchronization to multiple tenants, which might be useful when deploying a non-production environment in a separate tenant. For more information, see [Azure AD Connect: Supported topologies](../hybrid/plan-connect-topologies.md).

+## Outcomes

+In addition to the outcomes achieved with a single tenant architecture as described previously, organizations can fully decouple the resource and tenant interactions:

+### Resource separation

+* **Visibility** - Resources in a separate tenant can't be discovered or enumerated by users and administrators in other tenants. Similarly, usage reports and audit logs are contained within the new tenant boundary. This separation of visibility allows organizations to manage resources needed for confidential projects.

+* **Object footprint** - Applications that write to Azure AD and/or other Microsoft Online services through Microsoft Graph or other management interfaces can operate in a separate object space. This enables development teams to perform tests during the software development lifecycle without affecting other tenants.

+* **Quotas** - Consumption of tenant-wide [Azure Quotas and Limits](../../azure-resource-manager/management/azure-subscription-service-limits.md) is separated from that of the other tenants.

+### Configuration separation

+A new tenant provides a separate set of tenant-wide settings that can accommodate resources and trusting applications that have requirements that need different configurations at the tenant level. Additionally, a new tenant provides a new set of Microsoft Online services such as Office 365.

+### Administrative separation

+A new tenant boundary involves a separate set of Azure AD directory roles, which enables you to configure different sets of administrators.

+## Common usage

+The following diagram illustrates a common usage for resource isolation in multiple tenants: a pre-production or "sandbox" environment that requires more separation than can be achieved with delegated administration in a single tenant.

+ 

+Contoso is an organization that augmented their corporate tenant architecture with a pre-production tenant called ContosoSandbox.com. The sandbox tenant is used to support ongoing development of enterprise solutions that write to Azure AD and Microsoft 365 using Microsoft Graph. These solutions are deployed in the corporate tenant.

+The sandbox tenant is brought online to prevent those applications under development from impacting production systems either directly or indirectly, by consuming tenant resources and affecting quotas, or throttling.

+Developers require access to the sandbox tenant during the development lifecycle, ideally with self-service access requiring additional permissions that are restricted in the production environment. Examples of these additional permissions might include creating, deleting, and updating user accounts, registering applications, provisioning and deprovisioning Azure resources, and changes to policies or overall configuration of the environment.

+In this example, Contoso uses [Azure AD B2B Collaboration](../external-identities/what-is-b2b.md) to provision users from the corporate tenant to enable users that can manage and access resources in applications in the sandbox tenant without managing multiple credentials. This capability is primarily oriented to cross-organization collaboration scenarios. However, enterprises with multiple tenants like Contoso can use this capability to avoid additional credential lifecycle administration and user experience complexities.

+Use [External Identities cross-tenant access](../external-identities/cross-tenant-access-settings-b2b-collaboration.md) settings to manage how you collaborate with other Azure AD organizations through B2B collaboration. These settings determine both the level of inbound access users in external Azure AD organizations have to your resources, and the level of outbound access your users have to external organizations. They also let you trust multifactor authentication (MFA) and device claims ([compliant claims and hybrid Azure AD joined claims](../conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Azure AD organizations. For details and planning considerations, see [Cross-tenant access in Azure AD External Identities](../external-identities/cross-tenant-access-overview.md).

+Another approach could have been to utilize the capabilities of Azure AD Connect to sync the same on-premises Azure AD credentials to multiple tenants, keeping the same password but differentiating on the users UPN domain.

+## Multi-tenant resource isolation

+With a new tenant, you have a separate set of administrators. Organizations can choose to use corporate identities through [Azure AD B2B collaboration](../external-identities/what-is-b2b.md). Similarly, organizations can implement [Azure Lighthouse](../../lighthouse/overview.md) for cross-tenant management of Azure resources so that non-production Azure subscriptions are managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Microsoft Intune. For Managed Service Providers (MSPs), [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide&preserve-view=true) is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

+This will allow users to continue to use their corporate credentials, while achieving the benefits of separation.

+Azure AD B2B collaboration in sandbox tenants should be configured to allow only identities from the corporate environment to be onboarded using Azure B2B [allow/deny lists](../external-identities/allow-deny-list.md). For tenants that you do want to allow for B2B consider using External Identities cross-tenant access settings for cross tenant multifactor authentication\Device trust.

+>[!IMPORTANT]

+>Multi-tenant architectures with external identity access enabled provide only resource isolation, but don't enable identity isolation. Resource isolation using Azure AD B2B collaboration and Azure Lighthouse don't mitigate risks related to identities.

+If the sandbox environment shares identities with the corporate environment, the following scenarios are applicable to the sandbox tenant:

+* A malicious actor that compromises a user, a device, or hybrid infrastructure in the corporate tenant, and is invited into the sandbox tenant, might gain access to the sandbox tenant's apps and resources.

+* An operational error (for example, user account deletion or credential revocation) in the corporate tenant might affect the access of an invited user into the sandbox tenant.

+You must do the risk analysis and potentially consider identity isolation through multiple tenants for business-critical resources that require a highly defensive approach. Azure Privileged Identity Management can help mitigate some of the risks by imposing extra security for accessing business critical tenants and resources.

+### Directory objects

+The tenant you use to isolate resources may contain the same types of objects, Azure resources, and trusting applications as your primary tenant. You may need to provision the following object types:

+**Users and groups**: Identities needed by solution engineering teams, such as:

+* Sandbox environment administrators.

+* Technical owners of applications.

+* Line-of-business application developers.

+* Test end-user accounts.

+These identities might be provisioned for:

+* Employees who come with their corporate account through [Azure AD B2B collaboration](../external-identities/what-is-b2b.md).

+* Employees who need local accounts for administration, emergency administrative access, or other technical reasons.

+Customers who have or require non-production Active Directory on-premises can also synchronize their on-premises identities to the sandbox tenant if needed by the underlying resources and applications.

+**Devices**: The non-production tenant contains a reduced number of devices to the extent that are needed in the solution engineering cycle:

+* Administration workstations

+* Non-production computers and mobile devices needed for development, testing, and documentation

+### Applications

+Azure AD integrated applications: Application objects and service principals for:

+* Test instances of the applications that are deployed in production (for example, applications that write to Azure AD and Microsoft online services).

+* Infrastructure services to manage and maintain the non-production tenant, potentially a subset of the solutions available in the corporate tenant.

+Microsoft Online

+* Typically, the team that owns the Microsoft Online Services in production should be the one owning the non-production instance of those services.

+* Administrators of non-production test environments shouldn't be provisioning Microsoft Online Services unless those services are specifically being tested. This avoids inappropriate use of Microsoft services, for example setting up production SharePoint sites in a test environment.

+* Similarly, provisioning of Microsoft Online services that can be initiated by end users (also known as ad-hoc subscriptions) should be locked down. For more information, see [What is self-service sign-up for Azure Active Directory?](../enterprise-users/directory-self-service-signup.md).

+* Generally, all non-essential license features should be disabled for the tenant using group-based licensing. This should be done by the same team that manages licenses in the production tenant, to avoid misconfiguration by developers who might not know the effect of enabling licensed features.

+### Azure resources

+Any Azure resources needed by trusting applications may also be deployed. For example, databases, virtual machines, containers, Azure functions, etc. For your sandbox environment, you must weigh the cost savings of using less-expensive SKUs for products and services with the less security features available.

+The RBAC model for access control should still be employed in a non-production environment in case changes are replicated to production after tests have concluded. Failure to do so allows security flaws in the non-production environment to propagate to your production tenant.

+## Resource and identity isolation with multiple tenants

+### Isolation outcomes

+There are limited situations where resource isolation can't meet your requirements. You can isolate both resources and identities in a multi-tenant architecture by disabling all cross-tenant collaboration capabilities and effectively building a separate identity boundary. This approach is a defense against operational errors and compromise of user identities, devices, or hybrid infrastructure in corporate tenants.

+### Isolation common usage

+A separate identity boundary is typically used for business-critical applications and resources such as customer-facing services. In this scenario, Fabrikam has decided to create a separate tenant for their customer-facing SaaS product to avoid the risk of employee identity compromise affecting their SaaS customers. The following diagram illustrates this architecture:

+The FabrikamSaaS tenant contains the environments used for applications that are offered to customers as part of Fabrikam's business model.

+### Isolation of directory objects

+The directory objects in FabrikamSaas are as follows:

+Users and groups: Identities needed by solution IT teams, customer support staff, or other necessary personnel are created within the SaaS tenant. To preserve isolation, only local accounts are used, and Azure AD B2B collaboration isn't enabled.

+Azure AD B2C directory objects: If the tenant environments are accessed by customers, it may contain an Azure AD B2C tenant and its associated identity objects. Subscriptions that hold these directories are good candidates for an isolated consumer-facing environment.

+Devices: This tenant contains a reduced number of devices; only those that are needed to run customer-facing solutions:

+* Secure administration workstations.

+* Support personnel workstations (this can include engineers who are "on call" as described above).

+### Isolation of applications

+**Azure AD integrated applications**: Application objects and service principals for:

+* Production applications (for example, multi-tenant application definitions).

+* Infrastructure services to manage and maintain the customer-facing environment.

+**Azure Resources**: Hosts the IaaS, PaaS and SaaS resources of the customer-facing production instances.

+## Next steps

+* [Introduction to delegated administration and isolated environments](secure-introduction.md)

+* [Azure AD fundamentals](secure-with-azure-ad-fundamentals.md)

+* [Azure resource management fundamentals](secure-resource-management.md)

+* [Resource isolation in a single tenant](secure-single-tenant.md)

+* [Best practices](secure-best-practices.md)

+ Title: Resource management fundamentals in Azure Active Directory

+description: Introduction to resource management in Azure Active Directory.

+# Azure resource management fundamentals

+It's important to understand the structure and terms that are specific to Azure resources. The following image shows an example of the four levels of scope that are provided by Azure:

+

+## Terminology

+The following are some of the terms you should be familiar with:

+**Resource** - A manageable item that is available through Azure. Virtual machines, storage accounts, web apps, databases, and virtual networks are examples of resources.

+**Resource group** - A container that holds related resources for an Azure solution such as a collection of virtual machines, associated VNets, and load balancers that require management by specific teams. The [resource group](../../azure-resource-manager/management/overview.md) includes those resources that you want to manage as a group. You decide which resources belong in a resource group based on what makes the most sense for your organization. Resource groups can also be used to help with life-cycle management by deleting all resources that have the same lifespan at one time. This approach also provides security benefit by leaving no fragments that might be exploited.

+**Subscription** - From an organizational hierarchy perspective, a subscription is a billing and management container of resources and resource groups. An Azure subscription has a trust relationship with Azure AD. A subscription trusts Azure AD to authenticate users, services, and devices.

+>[!Note]

+>A subscription may trust only one Azure AD tenant. However, each tenant may trust multiple subscriptions and subscriptions can be moved between tenants.

+**Management group** - [Azure management groups](../../governance/management-groups/overview.md) provide a hierarchical method of applying policies and compliance at different scopes above subscriptions. It can be at the tenant root management group (highest scope) or at lower levels in the hierarchy. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group. Note, policy definitions can be applied to a management group or subscription.

+**Resource provider** - A service that supplies Azure resources. For example, a common [resource provider](../../azure-resource-manager/management/resource-providers-and-types.md) is Microsoft. Compute, which supplies the virtual machine resource. Microsoft. Storage is another common resource provider.

+**Resource Manager template** - A JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group, subscription, tenant, or management group. The template can be used to deploy the resources consistently and repeatedly. See [Template deployment overview](../../azure-resource-manager/templates/overview.md). Additionally, the [Bicep language](../../azure-resource-manager/bicep/overview.md) can be used instead of JSON.

+## Azure Resource Management Model

+Each Azure subscription is associated with controls used by [Azure Resource Manager](../../azure-resource-manager/management/overview.md) (ARM). Resource Manager is the deployment and management service for Azure, it has a trust relationship with Azure AD for identity management for organizations, and the Microsoft Account (MSA) for individuals. Resource Manager provides a management layer that enables you to create, update, and delete resources in your Azure subscription. You use management features like access control, locks, and tags, to secure and organize your resources after deployment.

+>[!NOTE]

+>Prior to ARM, there was another deployment model named Azure Service Manager (ASM) or "classic". To learn more, see [Azure Resource Manager vs. classic deployment](../../azure-resource-manager/management/deployment-models.md). Managing environments with the ASM model is out of scope of this content.

+Azure Resource Manager is the front-end service, which hosts the REST APIs used by PowerShell, the Azure portal, or other clients to manage resources. When a client makes a request to manage a specific resource, Resource Manager proxies the request to the resource provider to complete the request. For example, if a client makes a request to manage a virtual machine resource, Resource Manager proxies the request to the Microsoft. Compute resource provider. Resource Manager requires the client to specify an identifier for both the subscription and the resource group to manage the virtual machine resource.

+Before any resource management request can be executed by Resource Manager, a set of controls is checked.

+* **Valid user check** - The user requesting to manage the resource must have an account in the Azure AD tenant associated with the subscription of the managed resource.

+* **User permission check** - Permissions are assigned to users using [role-based access control (RBAC)](../../role-based-access-control/overview.md). An RBAC role specifies a set of permissions a user may take on a specific resource. RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

+* **Azure policy check** - [Azure policies](../../governance/policy/overview.md) specify the operations allowed or explicitly denied for a specific resource. For example, a policy can specify that users are only allowed (or not allowed) to deploy a specific type of virtual machine.

+The following diagram summarizes the resource model we just described.

+

+**Azure Lighthouse** - [Azure Lighthouse](../../lighthouse/overview.md) enables resource management across tenants. Organizations can delegate roles at the subscription or resource group level to identities in another tenant.

+Subscriptions that enable [delegated resource management](../../lighthouse/concepts/azure-delegated-resource-management.md) with Azure Lighthouse have attributes that indicate the tenant IDs that can manage subscriptions or resource groups, and mapping between the built-in RBAC role in the resource tenant to identities in the service provider tenant. At runtime, Azure Resource Manager will consume these attributes to authorize tokens coming from the service provider tenant.

+It's worth noting that Azure Lighthouse itself is modeled as an Azure resource provider, which means that aspects of the delegation across a tenant can be targeted through Azure Policies.

+**Microsoft 365 Lighthouse** - [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide&preserve-view=true) is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

+## Azure resource management with Azure AD

+Now that you have a better understanding of the resource management model in Azure, let's briefly examine some of the capabilities of Azure AD that can provide identity and access management for Azure resources.

+### Billing

+Billing is important to resource management because some billing roles interact with or can manage resources. Billing works differently depending on the type of agreement that you have with Microsoft.

+#### Azure Enterprise Agreements

+Azure Enterprise Agreement (Azure EA) customers are onboarded to the Azure EA Portal upon execution of their commercial contract with Microsoft. Upon onboarding, an identity is associated to a "root" Enterprise Administrator billing role. The portal provides a hierarchy of management functions:

+* Departments help you segment costs into logical groupings and enable you to set a budget or quota at the department level.

+* Accounts are used to further segment departments. You can use accounts to manage subscriptions and to access reports.

+The EA portal can authorize Microsoft Accounts (MSA) or Azure AD accounts (identified in the portal as "Work or School Accounts"). Identities with the role of "Account Owner" in the EA portal can create Azure subscriptions.

+#### Enterprise billing and Azure AD tenants

+When an Account Owner creates an Azure subscription within an enterprise agreement, the identity and access management of the subscription is configured as follows:

+* The Azure subscription is associated with the same Azure AD tenant of the Account Owner.

+* The account owner who created the subscription will be assigned the Service Administrator and Account Administrator roles. (The Azure EA Portal assigns Azure Service Manager (ASM) or "classic" roles to manage subscriptions. To learn more, see [Azure Resource Manager vs. classic deployment](../../azure-resource-manager/management/deployment-models.md).)

+An enterprise agreement can be configured to support multiple tenants by setting the authentication type of "Work or school account cross-tenant" in the Azure EA Portal. Given the above, organizations can set multiple accounts for each tenant, and multiple subscriptions for each account, as shown in the diagram below.

+

+It's important to note that the default configuration described above grants the Azure EA Account Owner privileges to manage the resources in any subscriptions they created. For subscriptions holding production workloads, consider decoupling billing and resource management by changing the service administrator of the subscription right after creation.

+ To further decouple and prevent the account owner from regaining service administrator access to the subscription, the subscription's tenant can be [changed](../fundamentals/active-directory-how-subscriptions-associated-directory.md) after creation. If the account owner doesn't have a user object in the Azure AD tenant the subscription is moved to, they can't regain the service owner role.

+To learn more, visit [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+### Microsoft Customer Agreement

+Customers enrolled with a [Microsoft Customer Agreement](../../cost-management-billing/understand/mca-overview.md) (MCA) have a different billing management system with its own roles.

+A [billing account](../../cost-management-billing/manage/understand-mca-roles.md) for the Microsoft Customer Agreement contains one or more [billing profiles](../../cost-management-billing/manage/understand-mca-roles.md) that allow managing invoices and payment methods. Each billing profile contains one or more [invoice sections](../../cost-management-billing/manage/understand-mca-roles.md) to organize costs on the billing profile's invoice.

+In a Microsoft Customer Agreement, billing roles come from a single Azure AD tenant. To provision subscriptions for multiple tenants, the subscriptions must be initially created in the same Azure AD Tenant as the MCA, and then changed. In the diagram below, the subscriptions for the Corporate IT pre-production environment were moved to the ContosoSandbox tenant after creation.

+ 

+## RBAC and role assignments in Azure

+In the Azure AD Fundamentals section, you learned Azure RBAC is the authorization system that provides fine-grained access management to Azure resources, and includes many [built-in roles](../../role-based-access-control/built-in-roles.md). You can create [custom roles](../../role-based-access-control/custom-roles.md), and assign roles at different scopes. Permissions are enforced by assigning RBAC roles to objects requesting access to Azure resources.

+Azure AD roles operate on concepts like [Azure role-based access control](../../role-based-access-control/overview.md). The [difference between these two role-based access control systems](../../role-based-access-control/rbac-and-directory-admin-roles.md) is that Azure RBAC uses Azure Resource Management to control access to Azure resources such as virtual machines or storage, and Azure AD roles control access to Azure AD, applications, and Microsoft services such as Office 365.

+Both Azure AD roles and Azure RBAC roles integrate with Azure AD Privileged Identity Management to enable just-in-time activation policies such as approval workflow and MFA.

+## ABAC and role assignments in Azure

+[Attribute-based access control (ABAC)](../../role-based-access-control/conditions-overview.md) is an authorization system that defines access based on attributes associated with security principals, resources, and environment. With ABAC, you can grant a security principal access to a resource based on attributes. Azure ABAC refers to the implementation of ABAC for Azure.

+Azure ABAC builds on Azure RBAC by adding role assignment conditions based on attributes in the context of specific actions. A role assignment condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control. A condition filters down permissions granted as a part of the role definition and role assignment. For example, you can add a condition that requires an object to have a specific tag to read the object. You can't explicitly deny access to specific resources using conditions.

+## Conditional Access

+Azure AD [Conditional Access](../../role-based-access-control/conditional-access-azure-management.md) (CA) can be used to manage access to Azure management endpoints. CA policies can be applied to the Microsoft Azure Management cloud app to protect the Azure resource management endpoints such as:

+* Azure Resource Manager Provider (services)

+* Azure Resource Manager APIs

+* Azure PowerShell

+* Azure CLI

+* Azure portal

+

+For example, an administrator may configure a Conditional Access policy, which allows a user to sign into the Azure portal only from approved locations, and also requires either multifactor authentication (MFA) or a hybrid Azure AD domain-joined device.

+## Azure Managed Identities

+A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren't checked into source control. [Managed identities for Azure resources](../managed-identities-azure-resources/overview.md) provide Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication without any credentials in your code.

+There are two types of managed identities:

+* A system-assigned managed identity is enabled directly on an Azure resource. When the resource is enabled, Azure creates an identity for the resource in the associated subscription's trusted Azure AD tenant. After the identity is created, the credentials are provisioned onto the resource. The lifecycle of a system-assigned identity is directly tied to the Azure resource. If the resource is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.

+* A user-assigned managed identity is created as a standalone Azure resource. Azure creates an identity in the Azure AD tenant that's trusted by the subscription with which the resource is associated. After the identity is created, the identity can be assigned to one or more Azure resources. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure resources to which it's assigned.

+Internally, managed identities are service principals of a special type, to only be used by specific Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed. Noe that authorization of Graph API permissions can only be done by PowerShell, so not all features of Managed Identity are accessible via the Portal UI.

+## Azure Active Directory Domain Services

+Azure Active Directory Domain Services (Azure AD DS) provides a managed domain to facilitate authentication for Azure workloads using legacy protocols. Supported servers are moved from an on-premises AD DS forest and joined to an Azure AD DS managed domain and continue to use legacy protocols for authentication (for example, Kerberos authentication).

+## Azure AD B2C directories and Azure

+An Azure AD B2C tenant is linked to an Azure subscription for billing and communication purposes. Azure AD B2C tenants have a self-contained role structure in the directory, which is independent from the Azure RBAC privileged roles of the Azure subscription.

+When the Azure AD B2C tenant is initially provisioned, the user creating the B2C tenant must have contributor or owner permissions in the subscription. Upon creation, that user becomes the first Azure AD B2C tenant global administrator and they can later create other accounts and assign them to directory roles.

+It's important to note that the owners and contributors of the linked Azure AD subscription can remove the link between the subscription and the directory, which will affect the ongoing billing of the Azure AD B2C usage.

+## Identity considerations for IaaS solutions in Azure

+This scenario covers identity isolation requirements that organizations have for Infrastructure-as-a-Service (IaaS) workloads.

+There are three key options regarding isolation management of IaaS workloads:

+* Virtual machines joined to stand-alone Active Directory Domain Services (AD DS)

+* Azure Active Directory Domain Services (Azure AD DS) joined virtual machines

+* Sign-in to virtual machines in Azure using Azure AD authentication

+A key concept to address with the first two options is that there are two identity realms that are involved in these scenarios.

+* When you sign in to an Azure Windows Server VM via remote desktop protocol (RDP), you're generally logging on to the server using your domain credentials, which performs a Kerberos authentication against an on-premises AD DS domain controller or Azure AD DS. Alternatively, if the server isn't domain-joined then a local account can be used to sign in to the virtual machines.

+* When you sign into the Azure portal to create or manage a VM, you're authenticating against Azure AD (potentially using the same credentials if you've synchronized the correct accounts), and this could result in an authentication against your domain controllers should you be using Active Directory Federation Services (AD FS) or PassThrough Authentication.

+### Virtual machines joined to standalone Active Directory Domain Services

+AD DS is the Windows Server based directory service that organizations have largely adopted for on-premises identity services. AD DS can be deployed when a requirement exists to deploy IaaS workloads to Azure that require identity isolation from AD DS administrators and users in another forest.

+

+The following considerations need to be made in this scenario:

+AD DS domain controllers: a minimum of two AD DS domain controllers must be deployed to ensure that authentication services are highly available and performant. For more information, see [AD DS Design and Planning](/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning).

+**AD DS Design and Planning** - A new AD DS forest must be created with the following services configured correctly:

+* **AD DS Domain Name Services (DNS)** - AD DS DNS must be configured for the relevant zones within AD DS to ensure that name resolution operates correctly for servers and applications.

+* **AD DS Sites and Services** - These services must be configured to ensure that applications have low latency and performant access to domain controllers. The relevant virtual networks, subnets, and data center locations that servers are located in should be configured in sites and services.

+* **AD DS FSMOs** - The Flexible Single Master Operation (FSMO) roles that are required should be reviewed and assigned to the appropriate AD DS domain controllers.

+* **AD DS Domain Join** - All servers (excluding "jumpboxes") that require AD DS for authentication, configuration and management need to be joined to the isolated forest.

+* **AD DS Group Policy (GPO)** - AD DS GPOs must be configured to ensure that the configuration meets the security requirements, and that the configuration is standardized across the forest and domain-joined machines.

+* **AD DS Organizational Units (OU)** - AD DS OUs must be defined to ensure grouping of AD DS resources into logical management and configuration silos for purposes of administration and application of configuration.

+* **Role-based access control** - RBAC must be defined for administration and access to resources joined to this forest. This includes:

+ * **AD DS Groups** - Groups must be created to apply appropriate permissions for users to AD DS resources.

+ * **Administration accounts** - As mentioned at the start of this section there are two administration accounts required to manage this solution.

+ * An AD DS administration account with the least privileged access required to perform the administration required in AD DS and domain-joined servers.

+ * An Azure AD administration account for Azure portal access to connect, manage, and configure virtual machines, VNets, network security groups and other required Azure resources.

+ * **AD DS user accounts** - Relevant user accounts need to be provisioned and added to correct groups to allow user access to applications hosted by this solution.

+**Virtual networks (VNets)** - Configuration guidance

+* **AD DS domain controller IP address** - The domain controllers shouldn't be configured with static IP addresses within the operating system. The IP addresses should be reserved on the Azure VNet to ensure they always stay the same and DC should be configured to use DHCP.

+* **VNet DNS Server** - DNS servers must be configured on VNets that are part of this isolated solution to point to the domain controllers. This is required to ensure that applications and servers can resolve the required AD DS services or other services joined to the AD DS forest.

+* **Network security groups (NSGs)** - The domain controllers should be located on their own VNet or subnet with NSGs defined to only allow access to domain controllers from required servers (for example, domain-joined machines or jumpboxes). Jumpboxes should be added to an application security group (ASG) to simplify NSG creation and administration.

+**Challenges**: The list below highlights key challenges with using this option for identity isolation:

+* An additional AD DS Forest to administer, manage and monitor resulting in more work for the IT team to perform.

+* Further infrastructure may be required for management of patching and software deployments. Organizations should consider deploying Azure Update Management, Group Policy (GPO) or System Center Configuration Manager (SCCM) to manage these servers.

+* Additional credentials for users to remember and use to access resources.

+>[!IMPORTANT]

+>For this isolated model, it is assumed that there is no connectivity to or from the domain controllers from the customer's corporate network and that there are no trusts configured with other forests. A jumpbox or management server should be created to allow a point from which the AD DS domain controllers can be managed and administered.

+### Azure Active Directory Domain Services joined virtual machines

+When a requirement exists to deploy IaaS workloads to Azure that require identity isolation from AD DS administrators and users in another forest, then an Azure AD Domain Services (Azure AD DS) managed domain can be deployed. Azure AD DS is a service that provides a managed domain to facilitate authentication for Azure workloads using legacy protocols. This provides an isolated domain without the technical complexities of building and managing your own AD DS. The following considerations need to be made.

+

+**Azure AD DS managed domain** - Only one Azure AD DS managed domain can be deployed per Azure AD tenant and this is bound to a single VNet. It's recommended that this VNet forms the "hub" for Azure AD DS authentication. From this hub, "spokes" can be created and linked to allow legacy authentication for servers and applications. The spokes are additional VNets on which Azure AD DS joined servers are located and are linked to the hub using Azure network gateways or VNet peering.

+**Managed domain location** - A location must be set when deploying an Azure AD DS managed domain. The location is a physical region (data center) where the managed domain is deployed. It's recommended you:

+* Consider a location that is geographically closed to the servers and applications that require Azure AD DS services.

+* Consider regions that provide Availability Zones capabilities for high availability requirements. For more information, see [Regions and Availability Zones in Azure](../../reliability/availability-zones-service-support.md).

+**Object provisioning** - Azure AD DS synchronizes identities from the Azure AD that is associated with the subscription that Azure AD DS is deployed into. It's also worth noting that if the associated Azure AD has synchronization set up with Azure AD Connect (user forest scenario) then the life cycle of these identities can also be reflected in Azure AD DS. This service has two modes that can be used for provisioning user and group objects from Azure AD.

+* **All**: All users and groups are synchronized from Azure AD into Azure AD DS.

+* **Scoped**: Only users in scope of a group(s) are synchronized from Azure AD into Azure AD DS.

+When you first deploy Azure AD DS, an automatic one-way synchronization is configured to replicate the objects from Azure AD. This one-way synchronization continues to run in the background to keep the Azure AD DS managed domain up to date with any changes from Azure AD. No synchronization occurs from Azure AD DS back to Azure AD. For more information, see [How objects and credentials are synchronized in an Azure AD Domain Services managed domain](../../active-directory-domain-services/synchronization.md).

+It's worth noting that if you need to change the type of synchronization from All to Scoped (or vice versa), then the Azure AD DS managed domain will need to be deleted, recreated and configured. In addition, organizations should consider the use of "scoped" provisioning to reduce the identities to only those that need access to Azure AD DS resources as a good practice.

+**Group Policy Objects (GPO)** - To configure GPO in an Azure AD DS managed domain you must use Group Policy Management tools on a server that has been domain joined to the Azure AD DS managed domain. For more information, see [Administer Group Policy in an Azure AD Domain Services managed domain](../../active-directory-domain-services/manage-group-policy.md).

+**Secure LDAP** - Azure AD DS provides a secure LDAP service that can be used by applications that require it. This setting is disabled by default and to enable secure LDAP a certificate needs to be uploaded, in addition, the NSG that secures the VNet that Azure AD DS is deployed on to must allow port 636 connectivity to the Azure AD DS managed domains. For more information, see [Configure secure LDAP for an Azure Active Directory Domain Services managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md).

+**Administration** - To perform administration duties on Azure AD DS (for example, domain join machines or edit GPO), the account used for this task needs to be part of the Azure AD DC Administrators group. Accounts that are members of this group can't directly sign-in to domain controllers to perform management tasks. Instead, you create a management VM that is joined to the Azure AD DS managed domain, then install your regular AD DS management tools. For more information, see [Management concepts for user accounts, passwords, and administration in Azure Active Directory Domain Services](../../active-directory-domain-services/administration-concepts.md).

+**Password hashes** - For authentication with Azure AD DS to work, password hashes for all users need to be in a format that is suitable for NT LAN Manager (NTLM) and Kerberos authentication. To ensure authentication with Azure AD DS works as expected, the following prerequisites need to be performed.

+* **Users synchronized with Azure AD Connect (from AD DS)** - The legacy password hashes need to be synchronized from on-premises AD DS to Azure AD.

+* **Users created in Azure AD** - Need to reset their password for the correct hashes to be generated for usage with Azure AD DS. For more information, see [Enable synchronization of password hashes](../../active-directory-domain-services/tutorial-configure-password-hash-sync.md).

+**Network** - Azure AD DS is deployed on to an Azure VNet so considerations need to be made to ensure that servers and applications are secured and can access the managed domain correctly. For more information, see [Virtual network design considerations and configuration options for Azure AD Domain Services](../../active-directory-domain-services/network-considerations.md).

+* Azure AD DS must be deployed in its own subnet: Don't use an existing subnet or a gateway subnet.

+* **A network security group (NSG)** - is created during the deployment of an Azure AD DS managed domain. This network security group contains the required rules for correct service communication. Don't create or use an existing network security group with your own custom rules.

+* **Azure AD DS requires 3-5 IP addresses** - Make sure that your subnet IP address range can provide this number of addresses. Restricting the available IP addresses can prevent Azure AD DS from maintaining two domain controllers.

+* **VNet DNS Server** - As previously discussed about the "hub and spoke" model, it's important to have DNS configured correctly on the VNets to ensure that servers joined to the Azure AD DS managed domain have the correct DNS settings to resolve the Azure AD DS managed domain. Each VNet has a DNS server entry that is passed to servers as they obtain an IP address and these DNS entries need to be the IP addresses of the Azure AD DS managed domain. For more information, see [Update DNS settings for the Azure virtual network](../../active-directory-domain-services/tutorial-create-instance.md).

+**Challenges** - The following list highlights key challenges with using this option for Identity Isolation.

+* Some Azure AD DS configuration can only be administered from an Azure AD DS joined server.

+* Only one Azure AD DS managed domain can be deployed per Azure AD tenant. As we describe in this section the hub and spoke model is recommended to provide Azure AD DS authentication to services on other VNets.

+* Further infrastructure maybe required for management of patching and software deployments. Organizations should consider deploying Azure Update Management, Group Policy (GPO) or System Center Configuration Manager (SCCM) to manage these servers.

+For this isolated model, it's assumed that there's no connectivity to the VNet that hosts the Azure AD DS managed domain from the customer's corporate network and that there are no trusts configured with other forests. A jumpbox or management server should be created to allow a point from which the Azure AD DS can be managed and administered.

+### Sign into virtual machines in Azure using Azure Active Directory authentication

+When a requirement exists to deploy IaaS workloads to Azure that require identity isolation, then the final option is to use Azure AD for logon to servers in this scenario. This provides the ability to make Azure AD the identity realm for authentication purposes and identity isolation can be achieved by provisioning the servers into the relevant subscription, which is linked to the required Azure AD tenant. The following considerations need to be made.

+

+**Supported operating systems**: Signing into virtual machines in Azure using Azure AD authentication is currently supported in Windows and Linux. For more specifics on supported operating systems, refer to the documentation for [Windows](../devices/howto-vm-sign-in-azure-ad-windows.md) and [Linux](../devices/howto-vm-sign-in-azure-ad-linux.md).

+**Credentials**: One of the key benefits of signing into virtual machines in Azure using Azure AD authentication is the ability to use the same federated or managed Azure AD credentials that you normally use for access to Azure AD services for sign-in to the virtual machine.

+>[!NOTE]

+>The Azure AD tenant that is used for sign-in in this scenario is the Azure AD tenant that is associated with the subscription that the virtual machine has been provisioned into. This Azure AD tenant can be one that has identities synchronized from on-premises AD DS. Organizations should make an informed choice that aligns with their isolation principals when choosing which subscription and Azure AD tenant they wish to use for sign-in to these servers.

+**Network Requirements**: These virtual machines will need to access Azure AD for authentication so you must ensure that the virtual machines network configuration permits outbound access to Azure AD endpoints on 443. See the documentation for [Windows](../devices/howto-vm-sign-in-azure-ad-windows.md) and [Linux](../devices/howto-vm-sign-in-azure-ad-linux.md) for more information.

+**Role-based Access Control (RBAC)**: Two RBAC roles are available to provide the appropriate level of access to these virtual machines. These RBAC roles can be configured via the Azure portal or via the Azure Cloud Shell Experience. For more information, see [Configure role assignments for the VM](../devices/howto-vm-sign-in-azure-ad-windows.md).

+* **Virtual machine administrator logon**: Users with this role assigned to them can log into an Azure virtual machine with administrator privileges.

+* **Virtual machine user logon**: Users with this role assigned to them can log into an Azure virtual machine with regular user privileges.

+Conditional Access: A key benefit of using Azure AD for signing into Azure virtual machines is the ability to enforce Conditional Access as part of the sign-in process. This provides the ability for organizations to require conditions to be met before allowing access to the virtual machine and to use multifactor authentication to provide strong authentication. For more information, see [Using Conditional Access](../devices/howto-vm-sign-in-azure-ad-windows.md).

+>[!NOTE]

+>Remote connection to virtual machines joined to Azure AD is only allowed from Windows 10, Windows 11, and Cloud PC PCs that are Azure AD joined or hybrid Azure AD joined to the same directory as the virtual machine.

+**Challenges**: The list below highlights key challenges with using this option for identity isolation.

+* No central management or configuration of servers. For example, there's no Group Policy that can be applied to a group of servers. Organizations should consider deploying [Update Management in Azure](../../automation/update-management/overview.md) to manage patching and updates of these servers.

+* Not suitable for multi-tiered applications that have requirements to authenticate with on-premises mechanisms such as Windows Integrated Authentication across these servers or services. If this is a requirement for the organization, then it's recommended that you explore the Standalone Active Directory Domain Services, or the Azure Active Directory Domain Services scenarios described in this section.

+For this isolated model, it's assumed that there's no connectivity to the VNet that hosts the virtual machines from the customer's corporate network. A jumpbox or management server should be created to allow a point from which these servers can be managed and administered.

+## Next steps

+* [Introduction to delegated administration and isolated environments](secure-introduction.md)

+* [Azure AD fundamentals](secure-with-azure-ad-fundamentals.md)

+* [Resource isolation in a single tenant](secure-single-tenant.md)

+* [Resource isolation with multiple tenants](secure-multiple-tenants.md)

+* [Best practices](secure-best-practices.md)

+ Title: Resource isolation in a single tenant to secure with Azure Active Directory

+description: Introduction to resource isolation in a single tenant in Azure Active Directory.

+# Resource isolation in a single tenant

+Many separation scenarios can be achieved within a single tenant. If possible, we recommend that you delegate administration to separate environments within a single tenant to provide the best productivity and collaboration experience for your organization.

+## Outcomes

+**Resource separation** - With Azure AD directory roles, security groups, conditional access policies, Azure resource groups, Azure management groups, administrative units (AU's), and other controls, you can restrict resource access to specific users, groups, and service principals. Resources can be managed by separate administrators, and have separate users, permissions, and access requirements.

+If a set of resources require unique tenant-wide settings, or there's minimal risk tolerance for unauthorized access by tenant members, or critical impact could be caused by configuration changes, you must achieve isolation in multiple tenants.

+**Configuration separation** - In some cases, resources such as applications have dependencies on tenant-wide configurations like authentication methods or [named locations](../conditional-access/location-condition.md#named-locations). You should consider these dependencies when isolating resources. Global administrators can configure the resource settings and tenant-wide settings that affect resources.

+If a set of resources require unique tenant-wide settings, or the tenant's settings must be administered by a different entity, you must achieve isolation with multiple tenants.

+**Administrative separation** - With Azure AD delegated administration, you can segregate the administration of resources such as applications and APIs, users and groups, resource groups, and conditional access policies.

+Global administrators can discover and obtain full access to any trusting resources. You can set up auditing and alerts to know when an administrator changes a resource if they're authenticated.

+You can also use administrative units (AU) in Azure AD to provide some level of administrative separation. Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the [Helpdesk Administrator](../roles/permissions-reference.md) role to regional support specialists, so they can manage users only in the region that they support.

+

+Administrative Units can be used to separate [user, groups and device objects](../roles/administrative-units.md). Assignments of those units can be managed by [dynamic membership rules](../roles/admin-units-members-dynamic.md).

+By using Privileged Identity Management (PIM) you can define who in your organization is the best person to approve the request for highly privileged roles. For example, admins requiring global administrator access to make tenant-wide changes.

+>[!NOTE]

+>Using PIM requires and Azure AD P2 license per human.

+If you must ensure that global administrators are unable to manage a specific resource, you must isolate that resource in a separate tenant with separate global administrators. This can be especially important for backups, see [multi-user authorization guidance](../../backup/multi-user-authorization.md) for examples of this.

+## Common usage

+One of the most common uses for multiple environments in a single tenant is to segregate production from nonproduction resources. Within a single tenant, development teams and application owners can create and manage a separate environment with test apps, test users and groups, and test policies for those objects; similarly, they can create nonproduction instances of Azure resources and trusted apps.

+The following diagram illustrates the nonproduction environments and the production environment.

+

+In this diagram, there are nonproduction Azure resources and nonproduction instances Azure AD integrated applications with equivalent nonproduction directory objects. In this example, the nonproduction resources in the directory are used for testing purposes.

+>[!NOTE]

+>You cannot have more than one Microsoft 365 environment in a single Azure AD tenant. However, you can have multiple Dynamics 365 environments in a single Azure AD tenant.

+Another scenario for isolation within a single tenant could be separation between locations, subsidiary or implementation of tiered administration (according to the "[Enterprise Access Model](/security/compass/privileged-access-access-model)").

+Azure RBAC role assignments allow scoped administration of Azure resources. Similarly, Azure AD allows granular management of Azure AD trusting applications through multiple capabilities such as conditional access, user and group filtering, administrative unit assignments and application assignments.

+If you must ensure full isolation (including staging of organization-level configuration) of Microsoft 365 services, you need to choose a [multiple tenant isolation](../../backup/multi-user-authorization.md).

+## Scoped management in a single tenant

+### Scoped management for Azure resources

+Azure RBAC allows you to design an administration model with granular scopes and surface area. Consider the management hierarchy in the following example:

+>[!NOTE]

+>There are multiple ways to define the management hierarchy based on an organization's individual requirements, constraints, and goals. For more information, consult the Cloud Adoption Framework guidance on how to [Organize Azure Resources](/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources)).

+

+* **Management group** - You can assign roles to specific management groups so that they don't impact any other management groups. In the scenario above, the HR team can define an Azure Policy to audit the regions where resources are deployed across all HR subscriptions.

+* **Subscription** - You can assign roles to a specific subscription to prevent it from impacting any other resource groups. In the example above, the HR team can assign the Reader role for the Benefits subscription, without reading any other HR subscription, or a subscription from any other team.

+* **Resource group** - You can assign roles to specific resource groups so that they don't impact any other resource groups. In the example above, the Benefits engineering team can assign the Contributor role to the test lead so they can manage the test DB and the test web app, or to add more resources.

+* **Individual resources** - You can assign roles to specific resources so that they don't impact any other resources. In the example above, the Benefits engineering team can assign a data analyst the Cosmos DB Account Reader role just for the test instance of the Azure Cosmos DB database, without interfering with the test web app or any production resource.

+For more information, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md) and [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md).

+This is a hierarchical structure, so the higher up in the hierarchy, the more scope, visibility, and impact there's to lower levels. Top-level scopes affect all Azure resources in the Azure AD tenant boundary. This also means that permissions can be applied at multiple levels. The risk this introduces is that assigning roles higher up the hierarchy could provide more access lower down the scope than intended. [Microsoft Entra](https://www.microsoft.com/security/business/identity-access/microsoft-entra-permissions-management) (formally CloudKnox) is a Microsoft product that provides visibility and remediation to help reduce the risk. A few details are as follows:

+* The root management group defines Azure Policies and RBAC role assignments that will be applied to all subscriptions and resources.

+* Global Administrators can [elevate access](https://aka.ms/AzureADSecuredAzure/12a) to all subscriptions and management groups.

+Both top-level scopes should be strictly monitored. It's important to plan for other dimensions of resource isolation such as networking. For general guidance on Azure networking, see [Azure best practices for network security](../../security/fundamentals/network-best-practices.md). Infrastructure as a Service (IaaS) workloads have special scenarios where both identity and resource isolation need to be part of the overall design and strategy.

+Consider isolating sensitive or test resources according to [Azure landing zone conceptual architecture](/azure/cloud-adoption-framework/ready/landing-zone/). For example, Identity subscription should be assigned to separated management group and all subscriptions for development purposes could be separated in "Sandbox" management group. More details can be found in the [Enterprise-Scale documentation](/azure/cloud-adoption-framework/ready/enterprise-scale/faq). Separation for testing purposes within a single tenant is also considered in the [management group hierarchy of the reference architecture](/azure/cloud-adoption-framework/ready/enterprise-scale/testing-approach).

+### Scoped management for Azure AD trusting applications

+The pattern to scope management of Azure AD trusting applications is outlined in the following section.

+Azure AD supports configuring multiple instances of custom and SaaS apps, but not most Microsoft services, against the same directory with [independent user assignments](../manage-apps/assign-user-or-group-access-portal.md). The above example contains both a production and a test version of the travel app. You can deploy preproduction versions against the corporate tenant to achieve app-specific configuration and policy separation that enables workload owners to perform testing with their corporate credentials. Nonproduction directory objects such as test users and test groups are associated to the nonproduction application with separate [ownership](https://aka.ms/AzureADSecuredAzure/14a) of those objects.

+There are tenant-wide aspects that affect all trusting applications in the Azure AD tenant boundary including:

+* Global Administrators can manage all tenant-wide settings.

+* Other [directory roles](https://aka.ms/AzureADSecuredAzure/14b) such as User Administrator, Administrator, and Conditional Access Administrators can manage tenant-wide configuration within the scope of the role.

+Configuration settings such authentication methods allowed, hybrid configurations, B2B collaboration allow-listing of domains, and named locations are tenant wide.

+>[!Note]

+>Microsoft Graph API Permissions and consent permissions cannot be scoped to a group or members of Administrative Units. Those permissions will be assigned on directory-level, only resource-specific consent allows scope on resource-level (currently limited to [Microsoft Teams Chat permissions](/microsoftteams/platform/graph-api/rsc/resource-specific-consent))

+>[!IMPORTANT]

+>The lifecycle of Microsoft SaaS services such as Office 365, Microsoft Dynamics, and Microsoft Exchange are bound to the Azure AD tenant. As a result, multiple instances of these services necessarily require multiple Azure AD tenants. Check the documentation for individual services to learn more about specific management scoping capabilities.

+## Next steps

+* [Introduction to delegated administration and isolated environments](secure-introduction.md)

+* [Azure AD fundamentals](secure-with-azure-ad-fundamentals.md)

+* [Azure resource management fundamentals](secure-resource-management.md)

+* [Resource isolation with multiple tenants](secure-multiple-tenants.md)

+* [Best practices](secure-best-practices.md)

+ * [Tutorial: Configure Secure Hybrid Access with Azure AD and Silverfort](./silverfort-integration.md)

+|Silverfort|[Tutorial: Configure Secure Hybrid Access with Azure AD and Silverfort](silverfort-integration.md)|

+ Title: Secure hybrid access with Azure AD and Silverfort

+description: In this tutorial, learn how to integrate Silverfort with Azure AD for secure hybrid access

+# Tutorial: Configure Secure Hybrid Access with Azure Active Directory and Silverfort

+[Silverfort](https://www.silverfort.com/) uses agent-less and proxy-less technology to connect your assets on-premises and in the cloud to Azure Active Directory (Azure AD). This solution enables organizations to apply identity protection, visibility, and user experience across environments in Azure AD. It enables universal risk-based monitoring and assessment of authentication activity for on-premises and cloud environments, and helps to prevent threats.

+In this tutorial, learn how to integrate your on-premises Silverfort implementation with Azure AD.

+Learn more: [Hybrid Azure AD joined devices](../devices/concept-azure-ad-join-hybrid.md).

+Silverfort connects assets with Azure AD. These bridged assets appear as regular applications in Azure AD and can be protected with [Conditional Access](../conditional-access/overview.md), single-sign-on (SSO), multi-factor authentication (MFA), auditing and more. Use Silverfort to connect assets including:

+- Legacy and homegrown applications

+- Remote desktop and Secure Shell (SSH)

+- Command-line tools and other admin access

+- File shares and databases

+- Infrastructure and industrial systems

+Silverfort integrates your corporate assets and third-party Identity and Access Management (IAM) platforms. This includes Active Directory, Active Directory Federation Services (ADFS), and Remote Authentication Dial-In User Service (RADIUS) on Azure AD, including hybrid and multicloud environments.

+Use this tutorial to configure and test the Silverfort Azure AD bridge in your Azure AD tenant to communicate with your Silverfort implementation. After configuration, you can create Silverfort authentication policies that bridge authentication requests from identity sources to Azure AD for SSO. After an application is bridged, you can manage it in Azure AD.

+## Silverfort with Azure AD authentication architecture

+The following diagram shows the authentication architecture orchestrated by Silverfort, in a hybrid environment.

+

+### User flow

+1. User sends authentication request to the original Identity Provider (IdP) through protocols such as Kerberos, SAML, NTLM, OIDC, and LDAP(s)

+2. The response is routed as-is to Silverfort for validation to check authentication state

+3. Silverfort provides visibility, discovery, and a bridge to Azure AD

+4. If the application is bridged, the authentication decision passes to Azure AD. Azure AD evaluates Conditional Access policies and validates authentication.

+5. The authentication state response goes as-is from Silverfort to the IdP

+6. IdP grants or denies access to the resource

+7. User is notified if access request is granted or denied

+## Prerequisites

+You need Silverfort deployed in your tenant or infrastructure to perform this tutorial. To deploy Silverfort in your tenant or infrastructure, go to silverfort.com [Silverfort](https://www.silverfort.com/) to install the Silverfort desktop app on your workstations.

+Set up Silverfort Azure AD Adapter in your Azure AD tenant:

+- An Azure account with an active subscription

+ - You can create an [Azure free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

+- One of the following roles in your Azure account:

+ - Global Administrator

+ - Cloud Application Administrator

+ - Application Administrator

+ - Service Principal Owner

+- The Silverfort Azure AD Adapter application in the Azure AD gallery is pre-configured to support SSO. From the gallery, add the Silverfort Azure AD Adapter to your tenant as an Enterprise application.

+## Configure Silverfort and create a policy

+1. From a browser, sign in to the Silverfort admin console.

+2. In the main menu, navigate to **Settings** and then scroll to **Azure AD Bridge Connector** in the General section.

+3. Confirm your tenant ID, and then select **Authorize**.

+4. Select **Save Changes**.

+5. On the **Permissions requested** dialog, select **Accept**.

+ 

+ 

+6. A Registration Completed message appears in a new tab. Close this tab.

+ 

+7. On the **Settings** page, select **Save Changes**.

+ 

+8. Sign in to your Azure AD console. In the left pane, select **Enterprise applications**. The **Silverfort Azure AD Adapter** application appears as registered.

+ 

+9. In the Silverfort admin console, navigate to the **Policies** page and select **Create Policy**. The **New Policy** dialog appears.

+10. Enter a **Policy Name**, the application name to be created in Azure. For example, if adding multiple servers or applications for this policy, name it to reflect the resources covered by the policy. In the example, we create a policy for the SL-APP1 server.

+ 

+11. Select the **Auth Type**, and **Protocol**.

+12. In the **Users and Groups** field, select the **edit** icon to configure users affected by the policy. These users' authentication bridges to Azure AD.

+ 

+13. Search and select users, groups, or Organization Units (OUs).

+ 

+14. Selected users appear in the **SELECTED** box.

+ 

+15. Select the **Source** for which the policy will apply. In this example, **All Devices** is selected.

+ 

+16. Set the **Destination** to SL-App1. Optional: You can select the **edit** button to change or add more resources, or groups of resources.

+ 

+17. For Action, select **AZURE AD BRIDGE**.

+ 

+18. Select **Save**. You're prompted to turn on the policy.

+ 

+19. In the Azure AD Bridge section, the policy appears on the Policies page.

+ 

+20. Return to the Azure AD console, and navigate to **Enterprise applications**. The new Silverfort application appears. You can include this application in Conditional Access policies.

+Learn more: [Tutorial: Secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json%23create-a-conditional-access-policy).

+## Next steps

+- [Silverfort Azure AD adapter](https://azuremarketplace.microsoft.com/marketplace/apps/aad.silverfortazureadadapter?tab=overview)

+- [Silverfort resources](https://www.silverfort.com/resources/)

+- [Silverfort, company contact](https://www.silverfort.com/company/contact/)

+ |userName|String|&check;|&check;

+ |active|Boolean||

+ |name.formatted|String||

+ |title|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String||

+ |members|Reference||

+* 11/06/2021 - Dropped support for **externalId, name.givenName and name.familyName**. Added support for **preferredLanguage , title and urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department**. Enabled **Group Provisioning**.

+* 05/23/2023 - Dropped support for **preferredLanguage** Added support for **urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager**.

+ Title: Azure Active Directory SSO integration with Circus Street

+description: Learn how to configure single sign-on between Azure Active Directory and Circus Street.

+# Azure Active Directory SSO integration with Circus Street

+In this article, you'll learn how to integrate Circus Street with Azure Active Directory (Azure AD). Circus Street is a global leader in providing digital training including e-commerce, data analytics and digital marketing to organizations through its proprietary platform.

+When you integrate Circus Street with Azure AD, you can:

+* Use Azure AD to control who has access to Circus Street.

+* Enable your users to be automatically signed-in to Circus Street with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Circus Street in a test environment. Circus Street supports **SP** and **IDP** initiated single sign-on.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with Circus Street, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Circus Street single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Circus Street application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Circus Street from the Azure AD gallery

+Add Circus Street from the Azure AD application gallery to configure single sign-on with Circus Street. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Circus Street** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already preintegrated with Azure.

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<CustomerSubDomainName>.circusstreet.com`

+ > [!NOTE]

+ > This value is not real. Update this value with the actual Sign on URL. Contact [Circus Street support team](mailto:support@circusstreet.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Circus Street application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Circus Street application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | first name | user.givenname |

+ | last name | user.surname |

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Circus Street** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Circus Street SSO

+To configure single sign-on on **Circus Street** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Circus Street support team](mailto:support@circusstreet.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Circus Street test user

+In this section, contact [Circus Street support team](mailto:support@circusstreet.com) to add the users in the Circus Street platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Circus Street Sign-on URL where you can initiate the login flow.

+* Go to Circus Street Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Circus Street for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Circus Street tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Circus Street for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Circus Street you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* Active contract with Humbol including SCIM API usage with Humbol Inc.

+1. As Humbol Admin login to your [Humbol](https://my.humbol.app/login) organization.

+1. Go to organization's API [settings page](https://my.humbol.app/settings#apis).

+ 1. On this page you can find the organization SCIM API url. Copy it.

+ 1. Create SCIM API token and copy the value.

+ > [!NOTE]

+ > The token value is not saved anywhere on the Humbol service, so if you lose it, you should create a new one and remove old one.

+ |addresses[type eq "work"].locality|String||

+ |addresses[type eq "work"].region|String||

+ |addresses[type eq "work"].country|String||

+ |roles[primary eq "True"].value|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String||

+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String||

+ > [!NOTE]

+ > * If you include `roles[primary eq "True"].value` every user must have precisely one role.

+ > * Another option is to remove the role attribute mapping and manage Humbol user roles inside the Humbol application.

+

+ Title: Azure Active Directory SSO integration with Krisp Technologies

+description: Learn how to configure single sign-on between Azure Active Directory and Krisp Technologies.

+# Azure Active Directory SSO integration with Krisp Technologies

+In this article, you'll learn how to integrate Krisp Technologies with Azure Active Directory (Azure AD). KrispΓÇÖs Voice Productivity AI improves voice communication by removing background noise, clarifying accents, and call transcripts. When you integrate Krisp Technologies with Azure AD, you can:

+* Control in Azure AD who has access to Krisp Technologies.

+* Enable your users to be automatically signed-in to Krisp Technologies with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Krisp Technologies in a test environment. Krisp Technologies supports **SP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with Krisp Technologies, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Krisp Technologies single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Krisp Technologies application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Krisp Technologies from the Azure AD gallery

+Add Krisp Technologies from the Azure AD application gallery to configure single sign-on with Krisp Technologies. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Krisp Technologies** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `<TEAM_SLUG_ID>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://api.krisp.ai/v2/auth/sso/saml/<ID>`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://account.krisp.ai/sso/<ID>`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Krisp Technologies support team](mailto:support@krisp.ai) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Krisp Technologies application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Krisp Technologies application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Krisp Technologies** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Krisp Technologies SSO

+To configure single sign-on on **Krisp Technologies** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Krisp Technologies support team](mailto:support@krisp.ai). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Krisp Technologies test user

+In this section, a user called B.Simon is created in Krisp Technologies. Krisp Technologies supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Krisp Technologies, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Krisp Technologies Sign-on URL where you can initiate the login flow.

+* Go to Krisp Technologies Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Krisp Technologies tile in the My Apps, this will redirect to Krisp Technologies Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Krisp Technologies you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Configure OpenForms for automatic user provisioning with Azure Active Directory'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to OpenForms.

+writer: twimmers

+ms.assetid: 8a9a7be2-9e2f-4da5-9619-1382b6e17a4a

+# Tutorial: Configure OpenForms for automatic user provisioning

+This tutorial describes the steps you need to perform in both OpenForms and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [OpenForms](https://granicus.com/solution/govservice/openforms) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Supported capabilities

+> [!div class="checklist"]

+> * Create users in OpenForms.

+> * Remove users in OpenForms when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and OpenForms.

+> * Provision groups and group memberships in OpenForms.

+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to OpenForms (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in OpenForms with Admin permissions.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and OpenForms](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure OpenForms to support provisioning with Azure AD

+Contact OpenForms support to configure OpenForms to support provisioning with Azure AD.

+## Step 3. Add OpenForms from the Azure AD application gallery

+Add OpenForms from the Azure AD application gallery to start managing provisioning to OpenForms. If you have previously setup OpenForms for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to OpenForms

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for OpenForms in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **OpenForms**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your OpenForms Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to OpenForms. If the connection fails, ensure your OpenForms account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to OpenForms**.

+1. Review the user attributes that are synchronized from Azure AD to OpenForms in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in OpenForms for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the OpenForms API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by OpenForms|

+ |||||

+ |userName|String|&check;|&check;

+ |active|Boolean||&check;

+ |emails[type eq "work"].value|String||

+ |name.givenName|String||&check;

+ |name.familyName|String||&check;

+ |externalId|String||&check;

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to OpenForms**.

+1. Review the group attributes that are synchronized from Azure AD to OpenForms in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in OpenForms for update operations. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by OpenForms|

+ |||||

+ |displayName|String|&check;|&check;

+ |externalId|String||&check;

+ |members|Reference||

+

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for OpenForms, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to OpenForms by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ Title: Azure Active Directory SSO integration with Scilife Azure AD SSO

+description: Learn how to configure single sign-on between Azure Active Directory and Scilife Azure AD SSO.

+# Azure Active Directory SSO integration with Scilife Azure AD SSO

+In this article, you'll learn how to integrate Scilife Azure AD SSO with Azure Active Directory (Azure AD). With the help of this application SSO integration is made simple and hassle free as most of the configuration will take place on its own with minimalist efforts. When you integrate Scilife Azure AD SSO with Azure AD, you can:

+* Control in Azure AD who has access to Scilife Azure AD SSO.

+* Enable your users to be automatically signed-in to Scilife Azure AD SSO with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Scilife Azure AD SSO in a test environment. Scilife Azure AD SSO supports **SP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with Scilife Azure AD SSO, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Scilife Azure AD SSO single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Scilife Azure AD SSO application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Scilife Azure AD SSO from the Azure AD gallery

+Add Scilife Azure AD SSO from the Azure AD application gallery to configure single sign-on with Scilife Azure AD SSO. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Scilife Azure AD SSO** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using one of the following patterns:

+ | **Identifier** |

+ |--|

+ | `https://ldap-Environment.scilife.io/simplesaml/module.php/saml/sp/metadata.php/<CustomerUrlPrefix>-<Environment>-sp` |

+ | `https://ldap.scilife.io/simplesaml/module.php/saml/sp/metadata.php/<CustomerUrlPrefix>-sp` |

+ b. In the **Reply URL** textbox, type a URL using one of the following patterns:

+ | **Reply URL** |

+ ||

+ | `https://<CustomerUrlPrefix>.scilife.io/<languageCode>/login` |

+ | `https://ldap.scilife.io/simplesaml/module.php/saml/sp/metadata.php/<CustomerUrlPrefix>-sp` |

+ | `https://ldap.scilife.io/simplesaml/module.php/saml/sp/saml2-acs.php/<CustomerUrlPrefix>-sp` |

+ | `https://<CustomerUrlPrefix>-<Environment>.scilife.io/<languageCode>/login` |

+ | `https://ldap-<Environment>.scilife.io/simplesaml/module.php/saml/sp/metadata.php/<CustomerUrlPrefix>-<Environment>-sp` |

+ | `https://ldap-<Environment>.scilife.io/simplesaml/module.php/saml/sp/saml2-acs.php/<CustomerUrlPrefix>-<Environment>-sp` |

+ c. In the **Sign on URL** textbox, type a URL using one of the following patterns:

+ | **Sign on URL** |

+ |--|

+ | `https://<CustomerUrlPrefix>.scilife.io/<languageCode>/login` |

+ | `https://<CustomerUrlPrefix>-<Environment>.scilife.io/<languageCode>/login` |

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Scilife Azure AD SSO support team](mailto:support@scilife.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Scilife Azure AD SSO application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Scilife Azure AD SSO application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | firstname | user.givenname |

+ | lastname | user.surname |

+ | ldap_user_id | user.userprincipalname |

+ | mobile | user.mobilephone |

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Scilife Azure AD SSO** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Scilife Azure AD SSO

+1. Log in to your Scilife Azure AD SSO company site as an administrator.

+1. Go to **Manage** > **Active Directory Settings** and perform the following steps:

+ 

+ 1. Enable **Configure Active Directory**.

+ 1. Select **AD Azure** type from the drop-down.

+ 1. Download the **Federation Metadata XML file** from the Azure portal and **Upload MetadataXML** file by clicking on **Choose file**.

+ 1. Click **Parse Metadata**.

+1. Enter **Tenant ID**, **Application ID** and **Client ID** in the following fields.

+

+ 

+1. Copy **AD TRUST URL**, paste this value into the **Identifier (Entity ID)** text box in the **Basic SAML Configuration** section in the Azure portal.

+1. Copy **AD CONSUMER SERVICE URL**, paste this value into the **Reply URL (Assertion Consumer Service URL)** text box in the **Basic SAML Configuration** section in the Azure portal.

+ 

+1. Click **Save Configuration**.

+### Create Scilife Azure AD SSO test user

+In this section, a user called B.Simon is created in Scilife Azure AD SSO. Scilife Azure AD SSO supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Scilife Azure AD SSO, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Scilife Azure AD SSO Sign-on URL where you can initiate the login flow.

+* Go to Scilife Azure AD SSO Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Scilife Azure AD SSO tile in the My Apps, this will redirect to Scilife Azure AD SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Scilife Azure AD SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ > [!NOTE]

+ > Schema Discovery feature is enabled for this application.

+

+ > [!NOTE]

+ > Schema Discovery feature is enabled for this application.

+## Change log

+* 05/04/2023 - Added support for **Schema Discovery**.

+ > [!NOTE]

+ > Schema Discovery feature is enabled for this application.

+ > [!NOTE]

+ > Schema Discovery feature is enabled for this application.

+## Change log

+* 05/04/2023 - Added support for **Schema Discovery**.

+1. Sign in to the Azure portal using a Microsoft work or school account.

+1. Select **Zero Networks** from results panel and select **Create** to add the app. Wait a few seconds while the app is added to your tenant.

+1. In the Azure portal, go back to **Azure Active Directory**, click **Enterprise Applications** select the **Zero Networks** application, in the **Manage** section select **Single sign-on**.

+ a. In the **Identifier (Entity ID)** text box, type the URL:

+ `https://portal.zeronetworks.com/api/v1/sso/azure/metadata`

+

+ b. In the **Reply URL (Assertion Consumer Service URL)** text box, type the URL:

+ `https://portal.zeronetworks.com/api/v1/sso/azure/acs`

+

+ c. In the **Sign on URL** text box, type the URL:

+ `https://portal.zeronetworks.com/#/login`

+1. On the **Set up single sign-on with SAML** page, in the **SAML Certificates** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+* You can use Microsoft My Apps. When you click the Zero Networks tile in the My Apps, this will redirect to Zero Networks Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+|**6.5.3** Preproduction environments are separated from production environments and the separation is enforced with access controls.|Approaches to separate preproduction and production environments, based on organizational requirements. [Resource isolation in a single tenant](../fundamentals/secure-single-tenant.md) </br> [Resource isolation with multiple tenants](../fundamentals/secure-multiple-tenants.md)|

+* **SSH RSA Public Key**: Copy and paste the public part of your SSH key pair (by default, the contents of the `~/.ssh/id_rsa.pub` file).

+ > [!IMPORTANT]

+ > Adding the `loadBalancerIP` property to the load balancer YAML manifest is deprecating following [upstream Kubernetes](https://github.com/kubernetes/kubernetes/pull/107235). While current usage remains the same and existing services are expected to work without modification, we **highly recommend setting service annotations** instead. To set service annotations, you can use `service.beta.kubernetes.io/azure-load-balancer-ipv4` for an IPv4 address and `service.beta.kubernetes.io/azure-load-balancer-ipv6` for an IPv6 address.

+ ```console

+ kubectl apply -f load-balancer-service.yaml

+ ```

+Run the following command in the [Cloud Shell](https://shell.azure.com) to set the Ruby version to 2.7:

+az webapp config set --resource-group <resource-group-name> --name <app-name> --linux-fx-version "RUBY:2.7"

+> Your Ruby version is 2.7.3, but your Gemfile specified 2.3.1

+> It means that the Ruby version configured in your project is different than the version that's installed in the container you're running (`2.7.3` in the example above). In the example above, check both *Gemfile* and *.ruby-version* and verify that the Ruby version is not set, or is set to the version that's installed in the container you're running (`2.7.3` in the example above).

+If the ConfigMap is not created, run the following command to get the data retrieval status.

+## Next steps

+* Ran the application with configuration from your App Configuration store without changing your application code.

+To learn more about the Azure App Configuration Kubernetes Provider, see [Azure App Configuration Kubernetes Provider reference](./reference-kubernetes-provider.md).

+| TKGm 2.2 | 1.25.7 | 1.19.0_2023-05-09 | 16.0.937.6223 | 14.5 (Ubuntu 20.04)

+| TKGm 2.1.0 | 1.24.9 | 1.15.0_2023-01-10 | 16.0.816.19223 | 14.5 (Ubuntu 20.04)

+| TKGm 1.6.0 | 1.23.8 | 1.11.0_2022-09-13 | 16.0.312.4243 | 12.3 (Ubuntu 12.3-1)

+| TKGm 1.5.3 | 1.22.8 | 1.9.0_2022-07-12 | 16.0.312.4243 | 12.3 (Ubuntu 12.3-1)|

+| VMware | [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) | TKGm 2.2; upstream K8s v1.25.7+vmware.2 <br> TKG 2.1.0; upstream K8s v1.24.9+vmware.1 <br> TKGm 1.6.0; upstream K8s v1.23.8+vmware.2 <br>TKGm 1.5.3; upstream K8s v1.22.8+vmware.1 <br>TKGm 1.4.0; upstream K8s v1.21.2+vmware.1 <br>TKGm 1.3.1; upstream K8s v1.20.5+vmware.2 <br>TKGm 1.2.1; upstream K8s v1.19.3+vmware.1 |

+The preferred package format for the distribution (`.rpm` or `.deb`) that's hosted in the Microsoft [package repository](https://packages.microsoft.com/) provides the Connected Machine agent for Linux. The shell script bundle [Install_linux_azcmagent.sh](https://aka.ms/azcmagent) installs and configures the agent.

+description: In this Azure Linux Container Host for AKS tutorial, you learn how to add an Azure Linux node pool to your existing cluster.

+In this tutorial, part two of five, you learn how to:

+>

+In later tutorials, you learn how to migrate nodes to Azure Linux and enable telemetry to monitor your clusters.

+* In the previous tutorial, you created and deployed an Azure Linux Container Host cluster. If you haven't done these steps and would like to follow along, start with [Tutorial 1: Create a cluster with the Azure Linux Container Host for AKS](./tutorial-azure-linux-create-cluster.md).

+* You need the latest version of Azure CLI. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

+To add an Azure Linux node pool into your existing cluster, use the `az aks nodepool add` command and specify `--os-sku AzureLinux`. The following example creates a node pool named *ALnodepool* that runs three nodes in the *testAzureLinuxCluster* cluster in the *testAzureLinuxResourceGroup* resource group:

+ --name ALnodepool \

+ --node-count 3 \

+> The name of a node pool must start with a lowercase letter and can only contain alphanumeric characters. For Linux node pools the length must be between one and 12 characters.

+In this tutorial, you added an Azure Linux node pool to your existing cluster. You learned how to:

+>

+In the next tutorial, you learn how to migrate existing nodes to Azure Linux.

+> [Migrating to Azure Linux](./tutorial-azure-linux-migration.md)

+description: Learn how to create a heat map and customize heat map layers using the Azure Maps Web SDK.

+The [Simple Heat Map Layer] sample demonstrates how to create a simple heat map from a data set of point features.

+<!

+>

+The [Heat Map Layer Options] sample shows how the different options of the heat map layer that affects rendering.

+<!

+>

+The [Consistent zoomable Heat Map] sample shows how to create a heat map where the radius of each data point covers the same physical area on the ground, creating a more consistent user experience when zooming the map. The heat map in this sample scales consistently between zoom levels 10 and 22. Each zoom level of the map has twice as many pixels vertically and horizontally as the previous zoom level. Doubling the radius with each zoom level creates a heat map that looks consistent across all zoom levels.

+<!

+>

+The `zoom` expression can only be used in `step` and `interpolate` expressions. The following expression can be used to approximate a radius in meters. This expression uses a placeholder `radiusMeters`, which you should replace with your desired radius. This expression calculates the approximate pixel radius for a zoom level at the equator for zoom levels 0 and 24, and uses an `exponential interpolation` expression to scale between these values the same way the tiling system in the map works.

+[Simple Heat Map Layer]: https://samples.azuremaps.com/?search=heat%20map%20layer&sample=simple-heat-map-layer

+[Heat Map Layer Options]: https://samples.azuremaps.com/?search=heat%20map%20layer&sample=heat-map-layer-options

+[Consistent zoomable Heat Map]: https://samples.azuremaps.com/?search=zoom&sample=consistent-zoomable-heat-map

+* JPEG

+* PNG

+* BMP

+* GIF (no animations)

+For a fully functional sample that shows how to overlay an image of a map of Newark New Jersey from 1922 as an Image layer, see [Simple Image Layer] in the [Azure Maps Samples].

+<!--

+-->

+For a fully functional sample that shows how to use a KML Ground Overlay as Image Layer, see [KML Ground Overlay as Image Layer] in the [Azure Maps Samples].

+<!--

+-->

+The image layer has many styling options. For a fully functional sample that shows how the different options of the image layer affect rendering, see [Image Layer Options] in the [Azure Maps Samples].

+<!--

+-->

+[Simple Image Layer]: https://samples.azuremaps.com/?search=image%20layer&sample=simple-image-layer

+[Azure Maps Samples]: https://samples.azuremaps.com

+[KML Ground Overlay as Image Layer]: https://samples.azuremaps.com/?search=KML&sample=kml-ground-overlay-as-image-layer

+[Image Layer Options]: https://samples.azuremaps.com/?search=image%20layer&sample=image-layer-options

+| Windows 11 Client and Pro | X², ³ | | |

+| Windows 11 Enterprise<br>(including multi-session) | X¹ | | |

+ - The signal or data from the resource.

+### Select a scope for the alert rule

+### Set the conditions for the alert rule

+ :::image type="content" source="media/alerts-create-new-alert-rule/alerts-popular-signals.png" alt-text="Screenshot that shows popular signals when creating an alert rule.":::

+ #### [Metric alert](#tab/metric)

+ #### [Log alert](#tab/log)

+ 1. (Optional) If you're querying an ADX cluster, Log Analytics can't automatically identify the column with the event timestamp, so we recommend that you add a time range filter to the query. For example:

+ #### [Activity log alert](#tab/activity-log)

+ #### [Resource Health alert](#tab/resource-health)

+ #### [Service Health alert](#tab/service-health)

+### Set the actions for the alert rule

+ This example creates an "Additional Details" tag with data regarding the "window start time" and "window end time".

+ This example adds the data regarding the reason of resolving or firing the alert.

+### Set the details for the alert rule

+ #### [Metric alert](#tab/metric)

+ #### [Log alert](#tab/log)

+ #### [Activity log alert](#tab/activity-log)

+ #### [Resource Health alert](#tab/resource-health)

+ #### [Service Health alert](#tab/service-health)

+### Finish creating the alert rule

+ #### [Metric alert](#tab/metric)

+ #### [Log alert](#tab/log)

+ #### [Activity log alert](#tab/activity-log)

+ #### [Resource Health alert](#tab/resource-health)

+ #### [Service Health alert](#tab/service-health)

+|subStatus |Usually, this field is the HTTP status code of the corresponding REST call. This field can also include other strings describing a substatus. Examples of HTTP status codes include `OK` (HTTP Status Code: 200), `No Content` (HTTP Status Code: 204), and `Service Unavailable` (HTTP Status Code: 503), among many others. |

+The following sections show how to set the Application Insights Java agent path for different application servers. You can find the configuration options [here](./java-standalone-config.md).

+Set Resource attributes using the `OTEL_RESOURCE_ATTRIBUTES` and/or `OTEL_SERVICE_NAME` environment variables. `OTEL_RESOURCE_ATTRIBUTES` takes series of comma-separated key-value pairs. For example, to set the Cloud Role Name to "my-namespace.my-helloworld-service" and set Cloud Role Instance to "my-instance", you can set `OTEL_RESOURCE_ATTRIBUTES` and `OTEL_SERVICE_NAME` as such:

+export OTEL_SERVICE_NAME="my-helloworld-service"

+If you do not set the `service.namespace` Resource attribute, you can alternatively set the Cloud Role Name with only the OTEL_SERVICE_NAME environment variable or the `service.name` Resource attribute. For example, to set the Cloud Role Name to "my-helloworld-service" and set Cloud Role Instance to "my-instance", you can set `OTEL_RESOURCE_ATTRIBUTES` and `OTEL_SERVICE_NAME` as such:

+export OTEL_SERVICE_NAME="my-helloworld-service"

+# Analyze and visualize monitoring data

+The [out-of-the-box Grafana Azure alerts dashboard](https://grafana.com/grafana/dashboards/15128-azure-alert-consumption/) allows you to view and consume Azure monitor alerts for Azure Monitor, your Azure datasources, and Azure Monitor managed service for Prometheus.

+ - For more information on define Azure Monitor alerts, see [Create a new alert rule](alerts/alerts-create-new-alert-rule.md).

+ - For Azure Monitor managed service for Prometheus, define your alerts using [Prometheus alert rules](alerts/prometheus-alerts.md) that are created as part of a [Prometheus rule group](essentials/prometheus-rule-groups.md), applied on the Azure Monitor workspace.

+|Visualization tool|Benefits|Recommended uses|

+||||

+|[Azure Workbooks](./visualize/workbooks-overview.md)|Native Azure dashboarding platform |Use as a tool for engineering and technical teams to visualize and investigate scenarios. |

+| |Autorefresh |Use as a reporting tool for App developers, Cloud engineers, and other technical personnel|

+| |Out-of-the-box and public GitHub templates and reports | |

+| |Parameters allow dynamic real time updates | |

+| |Can provide high-level summaries that allow you to select any item for more in-depth data using the selected value in the query| |

+| |Can query more sources than other visualizations| |

+| |Fully customizable | |

+| |Designed for collaborating and troubleshooting | |

+|[Azure dashboards](../azure-portal/azure-portal-dashboards.md)|Native Azure dashboarding platform |For Azure/Arc exclusive environments |

+| |No added cost | |

+| |Supports at scale deployments | |

+| |Can combine a metrics graph and the results of a log query with operational data for related services | |

+| |Share a dashboard with service owners through integration with [Azure role-based access control](../role-based-access-control/overview.md) | |

+|[Azure Managed Grafana](../managed-grafan)|Multi-platform, multicloud single pane of glass visualizations |For users without Azure access |

+| |Seamless integration with Azure |Use for external visualization experiences, especially for RAG type dashboards in SOC and NOC environments |

+| |Can combine time-series and event data in a single visualization panel |Cloud Native CNCF monitoring |

+| |Can create dynamic dashboards based on user selection of dynamic variables |Multicloud environments |

+| |Prometheus support|Overall Statuses, Up/Down, and high level trend reports for management or executive level users |

+| |Integrates with third party monitoring tools|Use to show status of environments, apps, security, and network for continuous display in Network Operations Center (NOC) dashboards |

+| |Out-of-the-box plugins from most monitoring tools and platforms | |

+| |Dashboard templates with focus on operations | |

+| |Can create a dashboard from a community-created and community-supported template | |

+| |Can create a vendor-agnostic business continuity and disaster scenario that runs on any cloud provider or on-premises | |

+|[Power BI](https://powerbi.microsoft.com/documentation/powerbi-service-get-started/)|Rich visualizations |Use for external visualizations aimed at management and executive levels |

+| |Supports BI analytics with extensive slicing and dicing |Use to help design business centric KPI dashboards for long term trends |

+| |Integrate data from multiple data sources| |

+| |Results cached in a cube for better performance| |

+| |Extensive interactivity, including zoom-in and cross-filtering| |

+| |Share easily throughout your organization| |

+To enable [managed identity authentication](container-insights-onboard.md#authentication):

+To enable [managed identity authentication](container-insights-onboard.md#authentication):

+- When you enable managed identity authentication, a data collection rule is created with the name *MSCI-\<cluster-region\>-<\cluster-name\>*. Currently, this name can't be modified.

+To use [managed identity authentication](container-insights-onboard.md#authentication), add the `configuration-settings` parameter as in the following:

+5. To use managed identity authentication, select the *Use managed identity* checkbox.

+5. To use managed identity authentication, select the *Use managed identity* checkbox.

+## Migrate to managed identity authentication

+Use the flowing guidance to migrate an existing extension instance to managed identity authentication.

+Container insights defaults to managed identity authentication. This secure and simplified authentication model has a monitoring agent that uses the cluster's managed identity to send data to Azure Monitor. It replaces the existing legacy certificate-based local authentication and removes the requirement of adding a *Monitoring Metrics Publisher* role to the cluster.

+For more information on creating a service principal using Azure CLI, see [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).

+resource vmName_omsOnboarding 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = if (!empty(logAnalytics)) {

+Assign the **Contributor** role to the **Appliance Resource Provider** user at the key vault scope. The **Contributor** role is a _privileged administrator role_ for the role assignment. For detailed steps, go to [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+1. [Create a new Backup vault](backup-vault-overview.md#create-backup-vault) or choose an existing Backup vault, and then enable Cross Region Restore by going to **Properties** > **Cross Region Restore (Preview)**, and choose **Enable**.

+1. Go to the Backup vaultΓÇÖs **Overview** pane, and then [configure a backup for PostgreSQL database](backup-azure-database-postgresql.md).

+1. Once the backup is complete in the primary region, it can take up to *12 hours* for the recovery point in the primary region to get replicated to the secondary region.

+ To check the availability of recovery point in the secondary region, go to the **Backup center** > **Backup Instances** > **Filter to Azure Database for PostgreSQL servers**, filter **Instance Region** as *Secondary Region*, and then select the required Backup Instance.

+1. The recovery points available in the secondary region are now listed.

+ Choose **Restore to secondary region**.

+1. Select **Restore to secondary region** to review the target region selected, and then select the appropriate recovery point and restore parameters.

+1. Once the restore starts, you can monitor the completion of the restore operation under **Backup Jobs** of the Backup vault by filtering **Jobs workload type** to *Azure Database for PostgreSQL servers* and **Instance Region** to *Secondary Region*.

+## Before beginning

+Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your [MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details) or sign up for a [free account](https://azure.microsoft.com/pricing/free-trial).

+### PowerShell

+### Example values

+1. Create a resource group, a virtual network, and a front end subnet to which you'll deploy the VMs that you'll connect to via Bastion. If you're running PowerShell locally, open your PowerShell console with elevated privileges and connect to Azure using the `Connect-AzAccount` command.

+ New-AzResourceGroup -Name TestRG1 -Location EastUS `

+ $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name FrontEnd `

+ -AddressPrefix "10.1.0.0/24" `

+ $virtualNetwork = New-AzVirtualNetwork `

+ -Name TestVNet1 -ResourceGroupName TestRG1 `

+ -Location EastUS -AddressPrefix "10.1.0.0/16" `

+ -Subnet $frontendSubnet `

+ $virtualNetwork | Set-AzVirtualNetwork

+1. Configure and set the Azure Bastion subnet for your virtual network. This subnet is reserved exclusively for Azure Bastion resources. You must create this subnet using the name value **AzureBastionSubnet**. This value lets Azure know which subnet to deploy the Bastion resources to. The example in the following section helps you add an Azure Bastion subnet to an existing VNet.

+ Set the variable.

+ $vnet = Get-AzVirtualNetwork -Name "TestVNet1" -ResourceGroupName "TestRG1"

+ Add the subnet.

+ Add-AzVirtualNetworkSubnetConfig `

+ -Name "AzureBastionSubnet" -VirtualNetwork $vnet `

+ -AddressPrefix "10.1.1.0/26" | Set-AzVirtualNetwork

+1. Create a public IP address for Azure Bastion. The public IP is the public IP address of the Bastion resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you're creating.

+ $publicip = New-AzPublicIpAddress -ResourceGroupName "TestRG1" `

+ -name "VNet1-ip" -location "EastUS" `

+ -AllocationMethod Static -Sku Standard

+1. Create a new Azure Bastion resource in the AzureBastionSubnet using the [New-AzBastion](/powershell/module/az.network/new-azbastion) command. The following example uses the **Basic SKU**. However, you can also deploy Bastion using the Standard SKU by changing the -Sku value to "Standard". The Standard SKU lets you configure more Bastion features and connect to VMs using more connection types. For more information, see [Bastion SKUs](configuration-settings.md#skus).

+ New-AzBastion -ResourceGroupName "TestRG1" -Name "VNet1-bastion" `

+ -PublicIpAddressRgName "TestRG1" -PublicIpAddressName "VNet1-ip" `

+ -VirtualNetworkRgName "TestRG1" -VirtualNetworkName "TestVNet1" `

+ -Sku "Basic"

+You can create a VM using the [Quickstart: Create a VM using PowerShell](../virtual-machines/windows/quick-create-powershell.md) or [Quickstart: Create a VM using the portal](../virtual-machines/windows/quick-create-portal.md) articles. Be sure you deploy the VM to the same virtual network to which you deployed Bastion. The VM you create in this section isn't a part of the Bastion configuration and doesn't become a bastion host. You connect to this VM later in this tutorial via Bastion.

+You can use the [Connection steps](#steps) in the following section to connect to your VM. You can also use any of the following articles to connect to a VM. Some connection types require the Bastion [Standard SKU](configuration-settings.md#skus).

+>[!NOTE]

+> You don't need to crop an image for text lines. Send the whole image to Read API and it will recognize all texts.

+In this article, you learn how to evaluate pronunciation with speech to text through the Speech SDK. To [get pronunciation assessment results](#get-pronunciation-assessment-results), you apply the `PronunciationAssessmentConfig` settings to a `SpeechRecognizer` object.

+> Usage of pronunciation assessment costs the same as standard Speech to text, whether pay-as-you-go or commitment tier [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services). If you [purchase a commitment tier](../commitment-tier.md) for standard Speech to text, the spend for pronunciation assessment goes towards meeting the commitment.

+> The syllable group, phoneme name, and spoken phoneme of pronunciation assessment are currently only available for the en-US locale. For information about availability of pronunciation assessment, see [supported languages](language-support.md?tabs=pronunciation-assessment) and [available regions](regions.md#speech-service).

+> [!NOTE]

+> Pronunciation assessment is not available with the Speech SDK for Go. You can read about the concepts in this guide, but you must select another programming language for implementation details.

+This table lists some of the key configuration parameters for pronunciation assessment.

+| Parameter | Description |

+|--|-|

+| `ReferenceText` | The text that the pronunciation is evaluated against. |

+| `GradingSystem` | The point system for score calibration. The `FivePoint` system gives a 0-5 floating point score, and `HundredMark` gives a 0-100 floating point score. Default: `FivePoint`. |

+| `Granularity` | Determines the lowest level of evaluation granularity. Scores for levels greater than or equal to the minimal value are returned. Accepted values are `Phoneme`, which shows the score on the full text, word, syllable, and phoneme level, `Syllable`, which shows the score on the full text, word, and syllable level, `Word`, which shows the score on the full text and word level, or `FullText`, which shows the score on the full text level only. The provided full reference text can be a word, sentence, or paragraph, and it depends on your input reference text. Default: `Phoneme`.|

+| `EnableMiscue` | Enables miscue calculation when the pronounced words are compared to the reference text. If this value is `True`, the `ErrorType` result value can be set to `Omission` or `Insertion` based on the comparison. Accepted values are `False` and `True`. Default: `False`. To enable miscue calculation, set the `EnableMiscue` to `True`. You can refer to the code snippet below the table.|

+| `ScenarioId` | A GUID indicating a customized point system. |

+For the `en-US` locale, the phoneme name is provided together with the score, to help identify which phonemes were pronounced accurately or inaccurately. For other locales, you can only get the phoneme score.

+To request IPA phonemes, set the phoneme alphabet to `"IPA"`. If you don't specify the alphabet, the phonemes are in SAPI format by default.

+In the `SpeechRecognizer`, you can specify the language that you're learning or practicing improving pronunciation. The default locale is `en-US` if not otherwise specified.

+> [!TIP]

+> If you aren't sure which locale to set when a language has multiple locales (such as Spanish), try each locale (such as `es-ES` and `es-MX`) separately. Evaluate the results to determine which locale scores higher for your specific scenario.

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/csharp/sharedcontent/console/speech_recognition_samples.cs#LL1086C13-L1086C98).

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/cpp/windows/console/samples/speech_recognition_samples.cpp#L624).

+```

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/js/node/pronunciationAssessmentContinue.js#LL37C4-L37C52).

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/python/console/speech_sample.py#LL937C1-L937C1).

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/objective-c/ios/speech-samples/speech-samples/ViewController.m#L862).

+To learn how to specify the learning language for pronunciation assessment in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/swift/ios/speech-samples/speech-samples/ViewController.swift#L224).

+- You can use the `Offset` and `Duration` values to align syllables with their corresponding phonemes. For example, the starting offset (11700000) of the second syllable ("loʊ") aligns with the third phoneme ("l"). The offset represents the time at which the recognized speech begins in the audio stream, and it's measured in 100-nanosecond units. To learn more about `Offset` and `Duration`, see [response properties](rest-speech-to-text-short.md#response-properties).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/python/console/speech_sample.py#L915).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/objective-c/ios/speech-samples/speech-samples/ViewController.m#L831).

+For how to use Pronunciation Assessment in streaming mode in your own application, see [sample code](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/swift/ios/speech-samples/speech-samples/ViewController.swift#L191).

+The table in this section summarizes the locales and voices supported for Text to speech. Please see the table footnotes for more details.

+- The English (United Kingdom) voice `en-GB-MiaNeural` retired on October 30, 2021. All service requests to `en-GB-MiaNeural` will be redirected to `en-GB-SoniaNeural` automatically as of October 30, 2021. If you're using container Neural TTS, [download](speech-container-ntts.md#get-the-container-image-with-docker-pull) and deploy the latest version. All requests with previous versions won't succeed starting from October 30, 2021.

+The table in this section summarizes the locales supported for Pronunciation assessment, and each language is available on all [Speech to text regions](regions.md#speech-service). You should specify the language that you're learning or practicing to improve pronunciation. The default language is set as `en-US`. If you know your target learning language, set the locale accordingly. For example, if you're learning British English, you should specify the language as `en-GB`. If you're teaching a broader language, such as Spanish, and are uncertain about which locale to select, you can run various accent models (`es-ES`, `es-MX`) to determine the one that achieves the highest score to suit your specific scenario.

+* Speech SDK 1.29.0 was released in June 2023.

+Managed identities for Azure resources are service principals that create an Azure Active Directory (Azure AD) identity and specific permissions for Azure managed resources. Managed identities are a safer way to grant access to storage data and replace the requirement for you to include shared access signature tokens (SAS) with your [source and target URLs](#post-request-body).

+* You can use managed identities to grant access to any resource that supports Azure AD authentication, including your own applications.

+>

+Azure OpenAI is available in multiple regions. Since subscription keys are region bound, when a customer acquires a key, they select the region in which their deployments will reside and from then on, all operations stay associated with that Azure server region.

+The recovery from regional failures for this usage type can be performed instantaneously and at a very low cost. This does however, require custom development of this functionality on the client side of your application.

+curl https://mykeyvault.vault.azure.net/secrets/SampleSecret/?api-version=7.4 -H "Authorization: Bearer $TOKEN"

+Historically, containers have offered application dependency isolation and resource governance but haven't been considered sufficiently hardened for hostile multi-tenant usage. Azure Container Instances guarantees your application is as isolated in a container as it would be in a VM.

+Azure Container Instances can schedule both Windows and Linux containers with the same API. You can specify your OS type preference when you create your [container groups](container-instances-container-groups.md).

+Confidential containers on ACI enable you to run containers in a trusted execution environment (TEE) that provides hardware-based confidentiality and integrity protections for your container workloads. Confidential containers on ACI can protect data-in-use and encrypts data being processed in memory. Confidential containers on ACI are supported as a SKU that you can select when deploying your workload. For more information, see [confidential container groups](./container-instances-confidential-overview.md).

+Container Images can't be larger than 15 GB, any images above this size may cause unexpected behavior: [How large can my container image be?](./container-instances-faq.yml)

+ACI doesn't allow [privileged container operations](./container-instances-faq.yml). We advise you to not depend on using the root directory for your scenario

+> Some regions don't support availability zones (denoted by a 'N/A' in the table), and some regions have availability zones, but ACI doesn't currently leverage the capability (denoted by an 'N' in the table). For more information, see [Azure regions with availability zones][az-region-support].

+| Region | Max CPU | Max memory (GB) | VNET max CPU | VNET max memory (GB) | Storage (GB) | GPU SKUs (preview) | Availability Zone support | Confidential SKU (preview) |

+| -- | :: | :: | :-: | :--: | :-: | :-: | :-: | :-: | :-: |

+| Canada Central | 4 | 16 | 4 | 16 | 50 | N/A | N | N |

+| Central US | 4 | 16 | 4 | 16 | 50 | N/A | Y | N |

+| UAE North | 4 | 16 | 4 | 16 | 50 | N/A | N | N |

+| UK South | 4 | 16 | 4 | 16 | 50 | N/A | Y | N |

+Let the team know if you'd like to see more regions or increased resource availability at [aka.ms/aci/feedback](https://aka.ms/aci/feedback).

+> [!NOTE]

+> The *Partial document update* operation is based on the [JSON Patch RFC](https://www.rfc-editor.org/rfc/rfc6902#appendix-A.14). Property names in paths need to escape the `~` and `/` characters as `~0` and `~1`, respectively.

+Azure Cosmos DB for PostgreSQL allows you to set a preferred availability zone for cluster. Usually the reason for it is to put cluster nodes in the same availability zone where the application and the rest of the application stack components are.

+If [high availability](./concepts-high-availability.md) is enabled for the cluster, and a node [fails

+* Learn about [high availability fundamentals](./concepts-high-availability.md)

+for better latency between the nodes. The preferred availability zone allows you to put all cluster nodes in the same availability zone where the application is deployed. This proximity could improve performance further by decreasing app-database latency. The standby nodes are provisioned into

+another availability zone. The Azure portal

+zone of each primary node in a cluster.

+promoted coordinator is accessible with the same connection string.

+ a failover to standby was initiated. This state transitions into

+ state transitions into **Replication in progress**.

+ standby, synchronous replication is enabled between the primary and

+ standby nodes, and the nodes' state transitions back to **Healthy**.

+- Learn how to [enable high availability](howto-high-availability.md) in a cluster

+gets a standby. If the original node becomes unhealthy, its standby is

+Enabling HA is possible during cluster creation on **Scale** page. Once cluster is provisioned, set Set **Enable high availability (HA)** checkbox in the **High availability** tab for your cluster in the Azure portal.

+time as the cluster provisions standby nodes and streams data to them.

+The **Overview** tab for the cluster lists all nodes along with a **High availability** column indicating whether HA is successfully enabled for each node and **Availability zone** column that shows actual availability zone for each primary cluster node.

+ Title: Configure cluster - Azure Cosmos DB for PostgreSQL

+description: Adjust cluster CPU/memory and disk resources to deal with increased load or enable HA for improved availability.

+To change the vCores for all worker nodes, on the **Scale** screen, select a new value under **Compute per node**. To adjust the coordinator's vCores, expand **Coordinator** and select a new value under **Coordinator compute**.

+## Choose preferred availability zone

+You can choose preferred [availability zone](./concepts-cluster.md#node-availability-zone) for nodes if your cluster is in an Azure region that supports availability zones. If you select preferred availability zone during cluster provisioning, Azure Cosmos DB for PostgreSQL provisions all cluster nodes into selected availability zone. If you select or change preferred availability zone after provisioning, all cluster nodes are moved to the new preferred availability zone during next [scheduled maintenance](./concepts-maintenance.md).

+To select preferred availability zone for all cluster nodes, on the **Scale** screen, specify a zone in **Preferred availability zone** list. To let Azure Cosmos DB for PostgreSQL service select an availability zone for cluster, choose 'No preference'.

+* General availability: Preferred availability zone (AZ) selection is now enabled in [all Azure Cosmos DB for PostgreSQL regions](./resources-regions.md) that support AZs.

+ * Learn about [cluster node availability zones](./concepts-cluster.md#node-availability-zone) and [how to set preferred availability zone](./howto-scale-grow.md#choose-preferred-availability-zone).

+* General availability: Cluster compute [start / stop functionality](./concepts-compute-start-stop.md) is now supported across all configurations.

+If `--enable-public-network` is not set, restored account is accessible from public network. Please ensure to pass `False` to the `--enable-public-network` option to prevent public network access for restored account.

+ Title: Vercel integration with Azure Cosmos DB

+description: Integrate web applications using the Vercel platform with Azure Cosmos DB for NOSQL or MongoDB as a data source.

+# Vercel Integration with Azure Cosmos DB

+Vercel offers a user-friendly and robust platform for web application development and deployment. This new integration improves productivity as developers can now easily create Vercel applications with a backend database already configured. This Integration helps developers transform their creative ideas into reality in real-time.

+## Getting started with Integrating Azure Cosmos DB with Vercel

+This documentation is designed for developers seeking to effectively combine the robust capabilities of Azure Cosmos DB - a globally distributed, multi-model database service - with Vercel's high-performance deployment and hosting solution.

+This integration enables developers to apply the benefits of a versatile and high-performance NoSQL database, while capitalizing on Vercel's serverless architecture and development platform.

+There are two ways to integrate Cosmos DB

+- [Via Vercel Integrations Marketplace](https://vercel.com/integrations/azurecosmosdb)

+- Via Command Line

+## Integrate Cosmos DB with Vercel via Integration Marketplace

+Use this guide if you have already identified the Vercel project(s) or want to integrate an existing vercel project with

+## Prerequisites

+- Vercel Account with Vercel Project ΓÇô [Learn how to create a new Vercel Project](https://vercel.com/docs/concepts/projects/overview#creating-a-project)

+- Azure Cosmos DB - [Quickstart: Create an Azure Cosmos DB account](../cosmos-db/nosql/quickstart-portal.md)

+- Some basic knowledge on Next.js, React and TypeScript

+## Steps for Integrating Azure Cosmos DB with Vercel

+1. Select Vercel Projects for the Integration with Azure Cosmos DB. After you have the prerequisites ready, visit the Cosmos DB [integrations page on the Vercel marketplace](https://vercel.com/integrations/azurecosmosdb) and select Add Integration

+ :::image type="content" source="./media/integrations/vercel/add-integration.png" alt-text="Screenshot shows the Azure Cosmos DB integration page on Vercel's marketplace." lightbox="./media/integrations/vercel/add-integration.png":::

+2. Choose All projects or Specific projects for the integration. In this guide we proceed by choosing specific projects, select continue

+ :::image type="content" source="./media/integrations/vercel/continue.png" alt-text="Screenshot shows to select vercel projects." lightbox="./media/integrations/vercel/continue.png":::

+3. Next screen will show the required permissions for the integration, select Add Integration

+ :::image type="content" source="./media/integrations/vercel/permissions.png" alt-text="Screenshot shows the permissions required for the integration." lightbox="./media/integrations/vercel/permissions.png":::

+4. Log in to Azure using your credentials to select the existing Azure Cosmos DB account for the integration

+ :::image type="content" source="./media/integrations/vercel/sign-in.png" alt-text="Screenshot shows to login to Azure account." lightbox="./media/integrations/vercel/sign-in.png":::

+5. Choose a Directory, subscription and the Azure Cosmos DB Account

+6. Verify Vercel Projects

+ :::image type="content" source="./media/integrations/vercel/projects.png" alt-text="Screenshot shows to verify the vercel projects for the integration." lightbox="./media/integrations/vercel/projects.png":::

+7. Select Integrate

+ :::image type="content" source="./media/integrations/vercel/integrate.png" alt-text="Screenshot shows to confirm the integration." lightbox="./media/integrations/vercel/integrate.png":::

+## Integrate Cosmos DB with Vercel via npm & Command Line

+1. Execute create-next-app with npm, yarn, or pnpm to bootstrap the example:

+ ```bash

+ npx create-next-app --example with-azure-cosmos with-azure-cosmos-app

+ yarn create next-app --example with-azure-cosmos with-azure-cosmos-app

+ pnpm create next-app --example with-azure-cosmos with-azure-cosmos-app

+ ```

+2. Modify pages/index.tsx to add your code.

+ Make changes to pages/index.tsx according to your needs. You could check out the code at **lib/cosmosdb.ts** to see how the `@azure/cosmos` JavaScript client is initialized.

+3. Push the changes to a GitHub repository.

+### Set up environment variables

+- COSMOSDB_CONNECTION_STRING - You need your Cosmos DB connection string. You can find these in the Azure portal in the keys section.

+- COSMOSDB_DATABASE_NAME - Name of the database you plan to use. This should already exist in the Cosmos DB account.

+- COSMOSDB_CONTAINER_NAME - Name of the container you plan to use. This should already exist in the previous database.

+## Integrate Cosmos DB with Vercel using marketplace template

+You could use this [template](https://vercel.com/new/clone?demo-title=CosmosDB%20Starter&demo-description=Starter%20app%20built%20on%20Next.js%20and%20CosmosDB.&demo-url=https://cosmosdb-starter-test.vercel.app/&project-name=CosmosDB%20Starter&repository-name=cosmosdb-starter&repository-url=https%3A%2F%2Fgithub.com%2Fv1k1%2Fcosmosdb-starter&from=templates&integration-ids=oac_mPA9PZCLjkhQGhlA5zntNs0L&env=COSMOSDB_CONNECTION_STRING%2C%E2%80%A2%09COSMOSDB_CONTAINER_NAME) to deploy a starter web app on Vercel with Azure Cosmos DB integration.

+1. Choose the GitHub repository, where you want to clone the starter repo.

+ :::image type="content" source="./media/integrations/vercel/create-git-repository.png" alt-text="Screenshot to create the repository." lightbox="./media/integrations/vercel/create-git-repository.png":::

+2. Select the integration to set up Cosmos DB connection keys, these steps are described in detail in previous section.

+ :::image type="content" source="./media/integrations/vercel/add-integrations.png" alt-text="Screenshot shows the required permissions." lightbox="./media/integrations/vercel/add-integrations.png":::

+3. Set the environment variables for the database name and container name, and finally select Deploy

+ :::image type="content" source="./media/integrations/vercel/configure-project.png" alt-text="Screenshot shows the required variables to establish the connection with Azure Cosmos DB." lightbox="./media/integrations/vercel/configure-project.png":::

+4. Upon successful completion, the completion page would contain the link to the deployed app, or you go to the Vercel project's dashboard to get the link of your app.

+### Error code: DF-SAPODATA-InvalidRunMode

+- **Message**: Failed to execute dataflow with invalid run mode.

+- **Cause**: Possible causes are:

+ 1. Only the read mode `fullLoad` can be specified when `enableCdc` is false.

+ 1. Only the run mode `incrementalLoad` or `fullAndIncrementalLoad` can be specified when `enableCdc` is true.

+ 1. Only `fullLoad`, `incrementalLoad` or `fullAndIncrementalLoad` can be specified.

+- **Recommendation**: Reconfigure the activity and run again. If the issue persists, contact Microsoft support for further assistance.

+### Error code: DF-SAPODATA-StageLinkedServiceMissed

+- **Message**: Failed to execute dataflow when Staging Linked Service is not existed in DSL. Please reconfigure the activity and run again. If issue persists, please contact Microsoft support for further assistance.

+- **Cause**: The staging linked service doesn't exist in DSL.

+- **Recommendation**: Reconfigure the activity and run again. If the issue persists, contact Microsoft support for further assistance.

+### Error code: DF-SAPOODATA-StageContainerMissed

+- **Message**: Container or file system is required for staging storage.

+- **Cause**: No container or file system is specified for the staging storage.

+- **Recommendation**: Specify the container and file system for your staging storage.

+### Error code: DF-SAPODATA-StageFolderPathMissed

+- **Message**: Folder path is required for staging storage.

+- **Cause**: No folder path is specified for the staging storage.

+- **Recommendation**: Specify the folder path for the staging storage.

+### Error code: DF-SAPODATA-ODataServiceOrEntityMissed

+- **Message**: Both SAP servicePath and entityName are required in import-schema, preview-data and read data operation.

+- **Cause**: **Service path** and **Entity name** can't be null when importing schema, previewing data or reading data.

+- **Recommendation**: Specify the **Service path** and **Entity name** when importing schema, previewing data or reading data.

+### Error code: DF-SAPODATA-TimeoutInvalid

+- **Message**: Timeout is invalid, it should be no more than 7 days.

+- **Cause**: The timeout can't exceed 7 days.

+- **Recommendation**: Specify the valid timeout.

+### Error code: DF-SAPODATA-ODataServiceMissed

+- **Message**: SAP servicePath is required when browsing entity name.

+- **Cause**: The **Service path** can't be null when browsing the entity name.

+- **Recommendation**: Specify the **Service path**.

+### Error code: DF-SAPODATA-SystemError

+- **Message**: System Error: Failed to get deltaToken from SAP. Please contact Microsoft support for further assistance.

+- **Cause**: Failed to get the delta token from SAP.

+- **Recommendation**: Contact Microsoft support for further assistance.

+### Error code: DF-SAPODATA-StageAuthInvalid

+- **Message**: Invalid client secret provided

+- **Cause**: The service principal credential of the staging storage is incorrect.

+- **Recommendation**: Test connection in your staging storage linked service, and confirm that the authentication settings in your staging storage are correct.

+### Error code: DF-SAPODATA-NotReached

+- **Causes and recommendations**: Failed to create OData connection to the request URL. Different causes may lead to this issue. Check the list below for possible causes and related recommendations.

+ | Cause analysis | Recommendation |

+ | : | : |

+ | Your SAP server is shut down. | Check if your SAP server is started. |

+ | Self-hosted integration runtime proxy issue. | Check your self-hosted integration runtime proxy. |

+ | Incorrect parameters input (for example, wrong SAP server name or password) | Check your input parameters: SAP server name, password.|

+### Error code: DF-SAPODATA-NoneODPService

+- **Message**: Current odata service doesn't support extracting ODP data, please enable ODP for the service

+- **Cause**: The current OData service doesn't support extracting ODP data.

+- **Recommendation**: Enable ODP for the service.

+| [AntiMalware](https://www.microsoft.com/windows/comprehensive-security) | AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. | Not Open Source |

+[Azure Workbooks](../azure-monitor/visualize/workbooks-overview.md) provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences.

+ :::image type="content" source="media/custom-dashboards-azure-workbooks/editing-workbooks.png" alt-text="Editing a workbook.":::

+This article described Defender for Cloud's integrated Azure Workbooks page with built-in reports and the option to build your own custom, interactive reports.

+- Learn more about [Azure Workbooks](../azure-monitor/visualize/workbooks-overview.md)

+### Private Endpoint is supported out-of-the-box

+Malware Scanning in Defender for Storage is supported in storage accounts that use private endpoints while maintaining data privacy.

+🔗[Private endpoints](../private-link/private-endpoint-overview.md) provide secure connectivity to your Azure storage services, eliminating public internet exposure, and are considered a best practice.

+| [AntiMalware](https://www.microsoft.com/windows/comprehensive-security) | AntiMalware protection in Windows from Microsoft Defender for Endpoint, that scans for malware and breaks the build if malware has been found. This tool scans by default on windows-latest agent. | Not Open Source |

+- Ensure that [Workflow permissions are set to Read and Write](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) on the GitHub repository.

+A [security incident](alerts-overview.md#what-are-security-incidents) is a correlation of alerts with an attack story that share an entity. For example, Resource, IP Address, User or share a [kill chain](alerts-reference.md#intentions) pattern.

+## December 2022

+Updates in December include:

+- [Announcing express configuration for vulnerability assessment in Defender for SQL](#announcing-express-configuration-for-vulnerability-assessment-in-defender-for-sql)

+### Announcing express configuration for vulnerability assessment in Defender for SQL

+The express configuration for vulnerability assessment in Microsoft Defender for SQL provides security teams with a streamlined configuration experience on Azure SQL Databases and Dedicated SQL Pools outside of Synapse Workspaces.

+With the express configuration experience for vulnerability assessments, security teams can:

+- Complete the vulnerability assessment configuration in the security configuration of the SQL resource, without any another settings or dependencies on customer-managed storage accounts.

+- Immediately add scan results to baselines so that the status of the finding changes from **Unhealthy** to **Healthy** without rescanning a database.

+- Add multiple rules to baselines at once and use the latest scan results.

+- Enable vulnerability assessment for all Azure SQL Servers when you turn on Microsoft Defender for databases at the subscription-level.

+Learn more about [Defender for SQL vulnerability assessment](sql-azure-vulnerability-assessment-overview.md).

+| June 7 | [Express configuration for vulnerability assessments in Defender for SQL is now Generally Available](#express-configuration-for-vulnerability-assessments-in-defender-for-sql-is-now-generally-available) |

+|June 6 | [More scopes added to existing Azure DevOps Connectors](#more-scopes-added-to-existing-azure-devops-connectors) |

+### Express configuration for vulnerability assessments in Defender for SQL is now Generally Available

+June 7, 2023

+Express configuration for vulnerability assessments in Defender for SQL is now Generally Available. Express configuration provides a streamlined onboarding experience for SQL vulnerability assessments by using a one-click configuration (or an API call). There's no extra settings or dependencies on managed storage accounts needed.

+Check out this [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-sql-vulnerability-assessment-updates/ba-p/3837732) to learn more about express configuration.

+You can learn the differences between [express and classic configuration](sql-azure-vulnerability-assessment-overview.md#what-are-the-express-and-classic-configurations).

+### More scopes added to existing Azure DevOps Connectors

+June 6, 2023

+Defender for DevOps added the following extra scopes to the Azure DevOps (ADO) application:

+This new method simplifies the onboarding process for customers focused on core endpoint protection and allows you to take advantage of Defender for ServersΓÇÖ consumption-based billing for both cloud and noncloud assets. The direct onboarding option via Defender for Endpoint is available now, with billing for onboarded machines starting on July 1.

+- For existing customers that already have an AWS connector with agentless scanning enabled, you need to reapply the CloudFormation stack to your onboarded AWS accounts to update and add the new permissions that are required to process encrypted disks. The updated CloudFormation template includes new assignments that allow Defender for Cloud to process encrypted disks.

+Defender for DevOps has expanded its Pull Request (PR) annotation coverage in Azure DevOps to include Infrastructure as Code (IaC) misconfigurations that are detected in Azure Resource Manager and Bicep templates.

+### The built-in policy [Preview]: Private endpoint should be configured for Key Vault has been deprecated

+## Connect Defender for IoT data to your SIEM

+Once Defender for IoT has been deployed, send security alerts and manage OT/IoT incidents by integrating Defender for IoT with your security information and event management (SIEM) platform and existing SOC workflows and tools.

+Integrate Defender for IoT alerts with your organizational SIEM by [integrating with Microsoft Sentinel](../iot-advanced-threat-monitoring.md) and leveraging the out-of-the-box Microsoft Defender for IoT solution, or by [creating forwarding rules](../how-to-forward-alert-information-to-partners.md) to other SIEM systems.

+Defender for IoT integrates out-of-the-box with Microsoft Sentinel, as well as [a broad range of SIEM systems](../integrate-overview.md), such as Splunk, IBM QRadar, LogRhythm, Fortinet, and more.

+For more information, see:

+- [OT threat monitoring in enterprise SOCs](../concept-sentinel-integration.md)

+- [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](../iot-solution.md)

+- [Connect on-premises OT network sensors to Microsoft Sentinel](../integrations/on-premises-sentinel.md)

+- [Integrations with Microsoft and partner services](../integrate-overview.md)

+- [Stream Defender for IoT cloud alerts to a partner SIEM](../integrations/send-cloud-data-to-partners.md)

+After integrating Defender for IoT alerts with a SIEM, we recommend the following next steps to operationalize OT/IoT alerts and fully integrate them with your existing SOC workflows and tools:

+- Identify and define relevant IoT/OT security threats and SOC incidents you would like to monitor based on your specific OT needs and environment.

+- Create detection rules and severity levels in the SIEM. Only relevant incidents will be triggered, thus reducing unnecessary noise. For example, you would define PLC code changes performed from unauthorized devices, or outside of work hours, as a high severity incident due to the high fidelity of this specific alert.

+

+ In Microsoft Sentinel, the Microsoft Defender for IoT solution includes [a set of out-of-the-box detection rules](../iot-advanced-threat-monitoring.md#detect-threats-out-of-the-box-with-defender-for-iot-data), which are built specifically for Defender for IoT data, and help you fine-tune the incidents created in Sentinel.

+- Define the appropriate workflow for mitigation, and create automated investigation playbooks for each use case. In Microsoft Sentinel, the Microsoft Defender for IoT solution includes [out-of-the-box playbooks for automated response to Defender for IoT alerts](../iot-advanced-threat-monitoring.md#automate-response-to-defender-for-iot-alerts).

+- [Improved monitoring and support for OT sensor logs](whats-new.md#improved-monitoring-and-support-for-ot-sensor-logs)

+| **OT networks** | **Sensor version 22.3.9**: <br>- [Improved monitoring and support for OT sensor logs](#improved-monitoring-and-support-for-ot-sensor-logs) <br><br> **Sensor versions 22.3.x and higher**: <br>- [Configure Active Directory and NTP settings in the Azure portal](#configure-active-directory-and-ntp-settings-in-the-azure-portal) |

+### Improved monitoring and support for OT sensor logs

+In version 22.3.9, we've added a new capability to collect logs from the OT sensor through a new endpoint. The additional data helps us troubleshoot customer issues, providing faster response times and more targeted solutions and recommendations. The new endpoint has been added to our list of required endpoints that connect your OT sensors to Azure.

+# Monitor Azure Firewall logs (legacy) and metrics

+> [!TIP]

+> For an improved method to work with firewall logs, see [Azure Structured Firewall Logs](firewall-structured-logs.md).

+It can take a few minutes for the data to appear in your logs after you complete this procedure to turn on diagnostic logging. If you don't see anything at first, check again in a few more minutes.

+ For Azure Firewall, three service-specific legacy logs are available:

+ * Azure Firewall Application Rule (Legacy Azure Diagnostics)

+ * Azure Firewall Network Rule (Legacy Azure Diagnostics)

+ * Azure Firewall Dns Proxy (Legacy Azure Diagnostics)

+5. Type a name for the diagnostic setting.

+6. Under **Logs**, select **Azure Firewall Application Rule (Legacy Azure Diagnostics)**, **Azure Firewall Network Rule (Legacy Azure Diagnostics)**, and **Azure Firewall Dns Proxy (Legacy Azure Diagnostics)** to collect the logs.

+1. For the **Destination table**, select **Azure diagnostics**.

+1. Select **Save**.

+ :::image type="content" source=".\media\firewall-diagnostics\diagnostic-setting-legacy.png" alt-text="Screenshot of Firewall Diagnostic setting.":::

+ Title: 'Tutorial: Configure rules engine'

+description: This article provides a tutorial on how to configure Rules engine in both the Azure portal and Azure CLI.

+# Tutorial: Configure your rules engine

+This tutorial shows how to create a Rules engine configuration and your first rule in both Azure portal and CLI.

+* Before you can complete the steps in this tutorial, you must first create a Front Door. For more information, see [Create a Front Door (classic)](quickstart-create-front-door.md).

+## Configure Rules engine in Azure portal

+1. Within your Front Door (classic) resource, select **Rule Engine configuration** from under *Settings* on the left side menu pane. Select **+ Add**, give your configuration a name, and start creating your first Rules Engine configuration.

+ :::image type="content" source="./media/front-door-rules-engine/rules-engine-tutorial-1.png" alt-text="Screenshot of the rules engine configuration from the Front Door overview page.":::

+1. Enter a name for your first rule. Then select **+ Add condition** or **+ Add action** to define your rule.

+ > - All paths in the rules engine configuration are case sensitive.

+ :::image type="content" source="./media/front-door-rules-engine/rules-engine-tutorial-4.png" alt-text="Screenshot of the rules engine configuration page with a single rule.":::

+1. Once you have created one or more rules, select **Save**. This action creates your rules engine configuration.

+1. Once you have created a rule engine configuration, you can associate the configuration with a routing rule. A single configuration can be applied to multiple routing rules, but a routing rule can only have one rules engine configuration. To associate the configuration, go to the **Front Door designer** and select a **Route**. Then select the **Rules engine configuration** to associate to the routing rule.

+ :::image type="content" source="./media/front-door-rules-engine/rules-engine-tutorial-5.png" alt-text="Screenshot of rules engine configuration associate from the routing rule page.":::

+1. Install [Azure CLI](/cli/azure/install-azure-cli). Add ΓÇ£front-doorΓÇ¥ extension:- az extension add --name front-door. Then, sign in and switch to your subscription az account set --subscription <name_or_Id>.

+For more information, see full list of [Azure Front Door (classic) Rules engine commands](/cli/azure/network/front-door/rules-engine).

+In the preceding steps, you configured and associated rules engine configuration to your routing rules. If you no longer want the Rules engine configuration associated to your Front Door (classic), you can remove the configuration by performing the following steps:

+1. Disassociate any routing rules from the rule engine configuration by selecting the three dots next to rule engine name and selecting **Associate routing rule**.

+ :::image type="content" source="./media/front-door-rules-engine/front-door-rule-engine-routing-association.png" alt-text="Screenshot of the associate routing rules from the menu.":::

+1. Uncheck all routing rules this Rule Engine configuration is associated to and select save.

+* Create a Rule engine configuration

+* Associate a configuration to a routing rule.

+To learn how to add security headers with Rule engine, continue to the next tutorial.

+## Automanage

+## Managed Identity

+## Tags

+## Container Instances

+## Databricks

+## Desktop Virtualization

+## Managed Grafana

+## SQL Server

+* A few of hosts in the cluster are hosting many components and so are required to run many alerts. If the number of components is large, alert jobs might miss their scheduled intervals.

+This release applies to HDInsight 4.x and 5.x HDInsight release will be available to all regions over several days. This release is applicable for image number **2304280205**. [How to check the image number?](./view-hindsight-cluster-image-version.md)

+description: Learn the basic steps for deploying the MedTech service.

+This article and diagram outlines the basic steps to get started with the MedTech service in the [Azure Health Data Services](../healthcare-apis-overview.md). These steps may help you to assess the [MedTech service deployment methods](deploy-choose-method.md) and determine which deployment method is best for you.

+As a prerequisite, you need an Azure subscription and have been granted the proper permissions to deploy Azure resource groups and resources. You can follow all the steps, or skip some if you have an existing environment. Also, you can combine all the steps and complete them in Azure PowerShell, Azure CLI, or REST API scripts.

+> See the MedTech service article, [Choose a deployment method for the MedTech service](deploy-choose-method.md), for a description of the different deployment methods that can help to simplify and automate the deployment of the MedTech service.

+* Azure Health Data Services workspace.

+### Deploy an Azure Health Data Services workspace

+ Deploy an [Azure Health Data Services workspace](../workspace-overview.md). After you create an Azure Health Data Services workspace using the [Azure portal](../healthcare-apis-quickstart.md), a FHIR service and MedTech service can be deployed from the Azure Health Data Services workspace.

+* Create a diagnostic setting to export logs and metrics for audit, analysis, or troubleshooting of the MedTech service.

+* Use the Azure Log Analytics workspace to view the MedTech service logs.

+* Access the MedTech service pre-defined Azure Log Analytics queries.

+> For assistance troubleshooting MedTech service errors, see [Troubleshoot errors using the MedTech service logs](troubleshoot-errors-logs.md).

+> For assistance troubleshooting MedTech service errors, see [Troubleshoot errors using the MedTech service logs](troubleshoot-errors-logs.md).

+> For assistance troubleshooting MedTech service deployment errors, see [Troubleshoot MedTech service deployment errors](troubleshoot-errors-deployment.md).

+> For assistance troubleshooting MedTech service errors, see [Troubleshoot errors using the MedTech service logs](troubleshoot-errors-logs.md).

+# Customer intent: As someone interested in creating an Internet Analyzer resource, I want to learn how to install the JavaScript client, which is necessary to run tests.

+The telemetry, properties, and commands that a device implements are collectively known as the device capabilities. You define these capabilities in a model that's shared between the device and the IoT Central application. In IoT Central, this model is part of the device template that defines a specific type of device. To learn more, see [Assign a device to a device template](concepts-device-templates.md#assign-a-device-to-a-device-template).

+> [!NOTE]

+> IoT Central defines some extensions to the DTDL v2 language. To learn more, see [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md).

+To learn more about the format of the JSON messages that a device exchanges with IoT Central, see [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md).

+## Telemetry timestamps

+By default, IoT Central uses the message enqueued time when it displays telemetry on dashboards and charts. Message enqueued time is set internally when IoT Central receives the message from the device.

+A device can set the `iothub-creation-time-utc` property when it creates a message to send to IoT Central. If this property is present, IoT Central uses it when it displays telemetry on dashboards and charts.

+You can export both the enqueued time and the `iothub-creation-time-utc` property when you export telemetry from your IoT Central application.

+To learn more about message properties, see [System Properties of device-to-cloud IoT Hub messages](../../iot-hub/iot-hub-devguide-messages-construct.md#system-properties-of-d2c-iot-hub-messages).

+A solution builder adds device templates to an IoT Central application. A device developer writes the device code that implements the behaviors defined in the device template. To learn more about the data that a device exchanges with IoT Central, see [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md).

+1. If IoT Central doesn't find the model in the public model repository, the device is marked as **Unassigned**. An operator can:

+ - Create a device template for the device and then migrate the unassigned device to the new device template.

+ - [Autogenerate a device template](howto-set-up-template.md#autogenerate-a-device-template) based on the data the device sends.

+A device model defines how a device interacts with your IoT Central application. The device developer must make sure that the device implements the behaviors defined in the device model so that IoT Central can monitor and manage the device. A device model is made up of one or more _interfaces_, and each interface can define a collection of _telemetry_ types, _device properties_, and _commands_. A solution developer can:

+- Import a JSON file that defines a complete device model or individual interface into a device template.

+- Use the web UI in IoT Central to create or edit a device model.

+> [!NOTE]

+> IoT Central accepts any valid JSON payload from a device but it can only use the data for visualizations if it matches a definition in the device model. You can export data that doesn't match a definition, see [Export IoT data to cloud destinations using Blob Storage](howto-export-to-blob-storage.md).

+To learn more about editing a device model, see [Edit an existing device template](howto-edit-device-template.md)

+A solution developer can also export a JSON file from the device template that contains a complete device model or individual interface. A device developer can use this JSON document to understand how the device should communicate with the IoT Central application.

+The JSON file that defines the device model uses the [Digital Twin Definition Language (DTDL) V2](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md). IoT Central expects the JSON file to contain the device model with the interfaces defined inline, rather than in separate files. Models created in IoT Central have the context `dtmi:iotcentral:context;2` defined to indicate that the model was created in IoT Central:

+"@context": [

+ "dtmi:iotcentral:context;2",

+ "dtmi:dtdl:context;2"

+To learn more about DTDL models, see the [IoT Plug and Play modeling guide](../../iot-develop/concepts-modeling-guide.md).

+> [!NOTE]

+> IoT Central defines some extensions to the DTDL v2 language. To learn more, see [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md).

+You can also mark a property as writable on an interface. A device can receive an update to a writable property from your IoT Central application and report property value updates to your application.

+Offline commands use [IoT Hub cloud-to-device messages](../../iot-hub/iot-hub-devguide-messages-c2d.md) to send the command and payload to the device.

+The payload of the message the device receives is the raw value of the parameter. A custom property called `method-name` stores the name of the IoT Central command. The following table shows some example payloads:

+| IoT Central request schema | Example payload received by device |

+| -- | - |

+| No request parameter | `@` |

+| Double | `1.23` |

+| String | `sample string` |

+| Object | `{"StartTime":"2021-01-05T08:00:00.000Z","Bank":2}` |

+The following snippet from a device model shows the definition of a command. The command has an object parameter with a datetime field and an enumeration:

+```json

+{

+ "@type": "Command",

+ "displayName": {

+ "en": "Generate Diagnostics"

+ },

+ "name": "GenerateDiagnostics",

+ "request": {

+ "@type": "CommandPayload",

+ "displayName": {

+ "en": "Payload"

+ },

+ "name": "Payload",

+ "schema": {

+ "@type": "Object",

+ "displayName": {

+ "en": "Object"

+ },

+ "fields": [

+ {

+ "displayName": {

+ "en": "StartTime"

+ },

+ "name": "StartTime",

+ "schema": "dateTime"

+ },

+ {

+ "displayName": {

+ "en": "Bank"

+ },

+ "name": "Bank",

+ "schema": {

+ "@type": "Enum",

+ "displayName": {

+ "en": "Enum"

+ },

+ "enumValues": [

+ {

+ "displayName": {

+ "en": "Bank 1"

+ },

+ "enumValue": 1,

+ "name": "Bank1"

+ },

+ {

+ "displayName": {

+ "en": "Bank2"

+ },

+ "enumValue": 2,

+ "name": "Bank2"

+ },

+ {

+ "displayName": {

+ "en": "Bank3"

+ },

+ "enumValue": 3,

+ "name": "Bank3"

+ }

+ ],

+ "valueSchema": "integer"

+ }

+ }

+ ]

+ }

+ }

+}

+```

+If you enable the **Queue if offline** option in the device template UI for the command in the previous snippet, then the message the device receives includes the following properties:

+| Property name | Example value |

+| - | -- |

+| `custom_properties` | `{'method-name': 'GenerateDiagnostics'}` |

+| `data` | `{"StartTime":"2021-01-05T08:00:00.000Z","Bank":2}` |

+Now that you've learned about device templates, a suggested next step is to read [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md) to learn more about the data a device exchanges with IoT Central.

+description: This article discusses how to move between application platform as a service (aPaaS) and platform as a service (PaaS) Azure IoT solution approaches.

+- The device must follow the [IoT Plug and Play conventions](../../iot-develop/concepts-convention.md).

+> [!NOTE]

+> IoT Central defines some extensions to the DTDL v2 language. To learn more, see [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md).

+> [!NOTE]

+> IoT Central defines some extensions to the DTDL language. To learn more, see [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md).

+- Author a device model using the [Digital Twin Definition Language (DTDL) V2](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md) and [IoT Central DTDL extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md). Manually import the device model into your IoT Central application. Then add the cloud properties and views your IoT Central application needs.

+| Schema | The telemetry data type, such as double, string, or vector. The semantic type determines the available choices. Schema isn't available for the event and state semantic types. |

+| Schema | The property data type, such as double, string, or vector. The semantic type determines the available choices. Schema isn't available for the event and state semantic types. |

+| Writable | If the property isn't writable, the device can report property values to IoT Central. If the property is writable, the device can report property values to IoT Central, and IoT Central can send property updates to the device. |

+|Color | An IoT Central extension to DTDL. |

+|Min value | Set minimum value - An IoT Central extension to DTDL. |

+|Max value | Set maximum value - An IoT Central extension to DTDL. |

+|Decimal places | An IoT Central extension to DTDL. |

+To learn more about how devices implement commands, see [Telemetry, property, and command payloads > Commands and long running commands](../../iot-develop/concepts-message-payloads.md#commands).

+| Schema | The cloud property data type, such as double, string, or vector. The semantic type determines the available choices. |

+| Message Format | Convert to or manipulate JSON messages. | CSV to JSON | At ingress. IoT Central only accepts value JSON messages. To learn more, see [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md). |

+In this example, the downstream device doesn't need a device template. The downstream device is registered in IoT Central so you can generate the credentials it needs to connect the IoT Edge device. Because the IoT Edge module transforms the data, all the downstream device telemetry arrives in IoT Central as if the IoT Edge device had sent it.

+1. To copy the required certificate from the gateway device, run the following `scp` commands. This `scp` command uses the hostname `edgegateway` to identify the gateway virtual machine. You're prompted for your password:

+To learn about the IoT Pug and Play command conventions, see [IoT Plug and Play conventions](../../iot-develop/concepts-convention.md).

+To learn more about the command data that a device exchanges with IoT Central, see [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md).

+To learn about the Digital Twin Definition Language (DTDL) that Azure IoT Central uses to define commands in a device template, see [IoT Plug and Play conventions > Commands](../../iot-develop/concepts-convention.md#commands).

+To handle a standard command, a device sends a response value as soon as it receives the command from IoT Central. You can use the Azure IoT device SDK to handle standard commands invoked by your IoT Central application.

+For example implementations in multiple languages, see [Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md).

+In a long-running command, a device doesn't immediately complete the command. Instead, the device acknowledges receipt of the command and then later confirms that the command completed. This approach lets a device complete a long-running operation without keeping the connection to IoT Central open.

+> [!NOTE]

+> Long-running commands are not part of the IoT Plug and Play conventions. IoT Central has its own convention to implement long-running commands.

+> This article uses Node.js for simplicity.

+> [!NOTE]

+> Offline commands are not part of the IoT Plug and Play conventions. IoT Central has its own convention to implement offline commands.

+Now that you've learned how to use commands in your Azure IoT Central application, see [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md) to learn more about command parameters and [Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md) to see complete code samples in different languages.

+> The **geopoint** schema type is not part of the [DTDL specification](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md). IoT Central currently supports the **geopoint** schema type and the **location** semantic type for backwards compatibility, see [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md).

+* [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md)

+description: Learn how to use read-only and writable properties in an Azure IoT Central solution. Define properties in IoT Central and use properties programmatically.

+To learn about the IoT Pug and Play property conventions, see [IoT Plug and Play conventions](../../iot-develop/concepts-convention.md).

+To learn more about the property data that a device exchanges with IoT Central, see [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md).

+To learn how to manage properties by using the IoT Central REST API, see [How to use the IoT Central REST API to control devices.](../core/howto-control-devices-with-rest-api.md).

+| Schema | The property data type, such as double, string, or vector. The semantic type determines the available choices. Schema isn't available for the event and state semantic types. |

+To learn about the Digital Twin Definition Language (DTDL) that Azure IoT Central uses to define properties in a device template, see [IoT Plug and Play conventions > Read-only properties](../../iot-develop/concepts-convention.md#read-only-properties).

+A device sends property updates as a JSON payload. For more information, see [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md).

+For example implementations in multiple languages, see [Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md).

+The following view in Azure IoT Central application shows the device read-only properties:

+An IoT Central operator sets writable properties on a form. Azure IoT Central sends the property to the device. Azure IoT Central expects an acknowledgment from the device.

+For example implementations in multiple languages, see [Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md).

+The response message should include the `ac` and `av` fields. The `ad` field is optional. To learn more, see [IoT Plug and Play conventions > Writable properties](../../iot-develop/concepts-convention.md#writable-properties).

+When the operator sets a writable property in the Azure IoT Central UI, the application uses a device twin desired property to send the value to the device. The device then responds by using a device twin reported property. When Azure IoT Central receives the reported property value, it updates the property view with a status of **Accepted**.

+* [IoT Plug and Play conventions](../../iot-develop/concepts-convention.md)

+* [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md)

+IoT Central is an IoT application platform as a service (aPaaS) that reduces the burden and cost of developing, managing, and maintaining IoT solutions. Use IoT Central to quickly evaluate your IoT scenario and assess the opportunities it can create for your business. To streamline the development of a complex and continually evolving IoT infrastructure, IoT Central lets you focus your efforts on determining the business impact you can create with the IoT data stream.

+- Device properties that a device sets and that are read-only in the application. For example, the state of a valve as either open or shut.

+- Device properties that an operator sets and that determine the behavior of the device. For example, a target temperature for the device.

+Start with a prebuilt dashboard in an application template or create your own dashboards tailored to the needs of your operators. You can share dashboards with all users in your application, or keep them private.

+As an application platform, IoT Central lets you transform your IoT data into the business insights that drive actionable outcomes. Examples include: determining machine efficiency trends and predicting future energy usage on a factory floor.

+[Rules](./tutorial-create-telemetry-rules.md), [data export](./howto-export-to-blob-storage.md), and the [public REST API](tutorial-use-rest-api.md) are examples of how you can integrate IoT Central with line-of-business applications:

+Generate business insights by building custom analytics pipelines to process telemetry from your devices and store the results. Configure data exports in your IoT Central application to export telemetry, device property changes, and device template changes to other services where you can analyze, store, and visualize the data with your preferred tools.

+- A _device developer_ [creates the code that runs on a device](./tutorial-connect-device.md) or [IoT Edge module](concepts-iot-edge.md) connected to your application.

+If there are no errors reported, but a value isn't appearing, then it's probably malformed JSON in the payload the device sends. To learn more, see [Telemetry, property, and command payloads](../../iot-develop/concepts-message-payloads.md).

+IoT Plug and Play devices should follow a set of conventions when they exchange messages with an IoT hub. IoT Plug and Play devices use the MQTT protocol to communicate with IoT Hub. IoT Hub also supports the AMQP protocol which available in some IoT device SDKs.

+- When using MQTT, add the `$.sub` property with the component name to the telemetry topic, the system adds the `dt-subject` property.

+- When using AMQP, add the `dt-subject` property with the component name as a message annotation.

+For more telemetry examples, see [Payloads > Telemetry](concepts-message-payloads.md#telemetry)

+A device sets a read-only property which it then reports to the back-end application.

+For more read-only property examples, see [Payloads > Properties](concepts-message-payloads.md#properties).

+A back-end application sets a writable property that IoT Hub then sends to the device.

+When reporting writable properties the device should compose the acknowledgment message, by using the four fields in the previous list, to indicate the actual device state, as described in the following table:

+When the device reaches the target temperature, it sends the following message:

+For more writable property examples, see [Payloads > Properties](concepts-message-payloads.md#writable-property-types).

+For more command examples, see [Payloads > Commands](concepts-message-payloads.md#commands).

+> [!TIP]

+> IoT Central has its own conventions for implementing [Long-running commands](../iot-central/core/howto-use-commands.md#long-running-commands) and [Offline commands](../iot-central/core/howto-use-commands.md#offline-commands).

+IoT Plug and Play lets you build IoT devices that advertise their capabilities to Azure IoT applications. IoT Plug and Play devices don't require manual configuration when a customer connects them to IoT Plug and Play-enabled applications such as IoT Central.

+If you're using IoT Central, you can use the IoT Central UI and REST API to interact with IoT Plug and Play devices connected to your application.

+- [IoT Plug and Play modeling guide](concepts-modeling-guide.md)

+ Title: Plug and Play device message payloads

+description: Understand the format of the telemetry, property, and command messages that a Plug and Play device can exchange with a service.

+# This article applies to device developers.

+# Telemetry, property, and command payloads

+A [device model](concepts-modeling-guide.md) defines the:

+* Telemetry a device sends to a service.

+* Properties a device synchronizes with a service.

+* Commands that the service calls on a device.

+> [!TIP]

+> Azure IoT Central is a service that follows the Plug and Play conventions. In IoT Central, the device model is part of a [device template](../iot-central/core/concepts-device-templates.md). IoT Central currently supports [DTDL v2](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md) with an [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md). An IoT Central application expects to receive UTF-8 encoded JSON data.

+This article describes the JSON payloads that devices send and receive for telemetry, properties, and commands defined in a DTDL device model.

+The article doesn't describe every possible type of telemetry, property, and command payload, but the examples illustrate key types.

+Each example shows a snippet from the device model that defines the type and example JSON payloads to illustrate how the device should interact with a Plug and Play aware service such as IoT Central.

+The example JSON snippets in this article use [Digital Twin Definition Language (DTDL) V2](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md). There are also some [DTDL extensions that IoT Central](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md) uses.

+For sample device code that shows some of these payloads in use, see the [Connect a sample IoT Plug and Play device application running on Linux or Windows to IoT Hub](tutorial-connect-device.md) tutorial or the [Create and connect a client application to your Azure IoT Central application](../iot-central/core/tutorial-connect-device.md) tutorial.

+## View raw data

+If you're using IoT Central, you can view the raw data that a device sends to an application. This view is useful for troubleshooting issues with the payload sent from a device. To view the raw data a device is sending:

+1. Navigate to the device from the **Devices** page.

+1. Select the **Raw data** tab:

+ :::image type="content" source="media/concepts-message-payloads/raw-data.png" alt-text="Screenshot that shows the raw data view." lightbox="media/concepts-message-payloads/raw-data.png":::

+ On this view, you can select the columns to display and set a time range to view. The **Unmodeled data** column shows data from the device that doesn't match any property or telemetry definitions in the device template.

+For more troubleshooting tips, see [Troubleshoot why data from your devices isn't showing up in Azure IoT Central](../iot-central/core/troubleshoot-connection.md).

+## Telemetry

+To learn more about the DTDL telemetry naming rules, see [DTDL > Telemetry](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md#telemetry). You can't start a telemetry name using the `_` character.

+Don't create telemetry types with the following names. IoT Central uses these reserved names internally. If you try to use these names, IoT Central will ignore your data:

+* `EventEnqueuedUtcTime`

+* `EventProcessedUtcTime`

+* `PartitionId`

+* `EventHub`

+* `User`

+* `$metadata`

+* `$version`

+### Telemetry in components

+If the telemetry is defined in a component, add a custom message property called `$.sub` with the name of the component as defined in the device model. To learn more, see [Tutorial: Connect an IoT Plug and Play multiple component device applications](tutorial-multiple-components.md). This tutorial shows how to use different programming languages to send telemetry from a component.

+> [!IMPORTANT]

+> To display telemetry from components hosted in IoT Edge modules correctly, use [IoT Edge version 1.2.4](https://github.com/Azure/azure-iotedge/releases/tag/1.2.4) or later. If you use an earlier version, telemetry from your components in IoT Edge modules displays as *_unmodeleddata*.

+### Telemetry in inherited interfaces

+If the telemetry is defined in an inherited interface, your device sends the telemetry as if it is defined in the root interface. Given the following device model:

+```json

+[

+ {

+ "@id": "dtmi:contoso:device;1",

+ "@type": "Interface",

+ "contents": [

+ {

+ "@type": [

+ "Property",

+ "Cloud",

+ "StringValue"

+ ],

+ "displayName": {

+ "en": "Device Name"

+ },

+ "name": "DeviceName",

+ "schema": "string"

+ }

+ ],

+ "displayName": {

+ "en": "Contoso Device"

+ },

+ "extends": [

+ "dtmi:contoso:sensor;1"

+ ],

+ "@context": [

+ "dtmi:iotcentral:context;2",

+ "dtmi:dtdl:context;2"

+ ]

+ },

+ {

+ "@context": [

+ "dtmi:iotcentral:context;2",

+ "dtmi:dtdl:context;2"

+ ],

+ "@id": "dtmi:contoso:sensor;1",

+ "@type": [

+ "Interface",

+ "NamedInterface"

+ ],

+ "contents": [

+ {

+ "@type": [

+ "Telemetry",

+ "NumberValue"

+ ],

+ "displayName": {

+ "en": "Meter Voltage"

+ },

+ "name": "MeterVoltage",

+ "schema": "double"

+ }

+ ],

+ "displayName": {

+ "en": "Contoso Sensor"

+ },

+ "name": "ContosoSensor"

+ }

+]

+```

+The device sends meter voltage telemetry using the following payload. The device doesn't include the interface name in the payload:

+```json

+{

+ "MeterVoltage": 5.07

+}

+```

+### Primitive types

+This section shows examples of primitive telemetry types that a device can stream.

+The following snippet from a device model shows the definition of a `boolean` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "BooleanTelemetry"

+ },

+ "name": "BooleanTelemetry",

+ "schema": "boolean"

+}

+```

+A device client should send the telemetry as JSON that looks like the following example:

+```json

+{ "BooleanTelemetry": true }

+```

+The following snippet from a device model shows the definition of a `string` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "StringTelemetry"

+ },

+ "name": "StringTelemetry",

+ "schema": "string"

+}

+```

+A device client should send the telemetry as JSON that looks like the following example:

+```json

+{ "StringTelemetry": "A string value - could be a URL" }

+```

+The following snippet from a device model shows the definition of an `integer` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "IntegerTelemetry"

+ },

+ "name": "IntegerTelemetry",

+ "schema": "integer"

+}

+```

+A device client should send the telemetry as JSON that looks like the following example:

+```json

+{ "IntegerTelemetry": 23 }

+```

+The following snippet from a device model shows the definition of a `double` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "DoubleTelemetry"

+ },

+ "name": "DoubleTelemetry",

+ "schema": "double"

+}

+```

+A device client should send the telemetry as JSON that looks like the following example:

+```json

+{ "DoubleTelemetry": 56.78 }

+```

+The following snippet from a device model shows the definition of a `dateTime` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "DateTimeTelemetry"

+ },

+ "name": "DateTimeTelemetry",

+ "schema": "dateTime"

+}

+```

+A device client should send the telemetry as JSON that looks like the following example - `DateTime` types must be in ISO 8061 format:

+```json

+{ "DateTimeTelemetry": "2020-08-30T19:16:13.853Z" }

+```

+The following snippet from a device model shows the definition of a `duration` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "DurationTelemetry"

+ },

+ "name": "DurationTelemetry",

+ "schema": "duration"

+}

+```

+A device client should send the telemetry as JSON that looks like the following example - durations must be in ISO 8601 format:

+```json

+{ "DurationTelemetry": "PT10H24M6.169083011336625S" }

+```

+### Complex types

+This section shows examples of complex telemetry types that a device can stream.

+The following snippet from a device model shows the definition of an `Enum` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "EnumTelemetry"

+ },

+ "name": "EnumTelemetry",

+ "schema": {

+ "@type": "Enum",

+ "displayName": {

+ "en": "Enum"

+ },

+ "valueSchema": "integer",

+ "enumValues": [

+ {

+ "displayName": {

+ "en": "Item1"

+ },

+ "enumValue": 0,

+ "name": "Item1"

+ },

+ {

+ "displayName": {

+ "en": "Item2"

+ },

+ "enumValue": 1,

+ "name": "Item2"

+ },

+ {

+ "displayName": {

+ "en": "Item3"

+ },

+ "enumValue": 2,

+ "name": "Item3"

+ }

+ ]

+ }

+}

+```

+A device client should send the telemetry as JSON that looks like the following example. Possible values are `0`, `1`, and `2` that display in IoT Central as `Item1`, `Item2`, and `Item3`:

+```json

+{ "EnumTelemetry": 1 }

+```

+The following snippet from a device model shows the definition of an `Object` telemetry type. This object has three fields with types `dateTime`, `integer`, and `Enum`:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "ObjectTelemetry"

+ },

+ "name": "ObjectTelemetry",

+ "schema": {

+ "@type": "Object",

+ "displayName": {

+ "en": "Object"

+ },

+ "fields": [

+ {

+ "displayName": {

+ "en": "Property1"

+ },

+ "name": "Property1",

+ "schema": "dateTime"

+ },

+ {

+ "displayName": {

+ "en": "Property2"

+ },

+ "name": "Property2",

+ "schema": "integer"

+ },

+ {

+ "displayName": {

+ "en": "Property3"

+ },

+ "name": "Property3",

+ "schema": {

+ "@type": "Enum",

+ "displayName": {

+ "en": "Enum"

+ },

+ "valueSchema": "integer",

+ "enumValues": [

+ {

+ "displayName": {

+ "en": "Item1"

+ },

+ "enumValue": 0,

+ "name": "Item1"

+ },

+ {

+ "displayName": {

+ "en": "Item2"

+ },

+ "enumValue": 1,

+ "name": "Item2"

+ },

+ {

+ "displayName": {

+ "en": "Item3"

+ },

+ "enumValue": 2,

+ "name": "Item3"

+ }

+ ]

+ }

+ }

+ ]

+ }

+}

+```

+A device client should send the telemetry as JSON that looks like the following example. `DateTime` types must be ISO 8061 compliant. Possible values for `Property3` are `0`, `1`, and that display in IoT Central as `Item1`, `Item2`, and `Item3`:

+```json

+{

+ "ObjectTelemetry": {

+ "Property1": "2020-09-09T03:36:46.195Z",

+ "Property2": 37,

+ "Property3": 2

+ }

+}

+```

+The following snippet from a device model shows the definition of a `vector` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "VectorTelemetry"

+ },

+ "name": "VectorTelemetry",

+ "schema": "vector"

+}

+```

+A device client should send the telemetry as JSON that looks like the following example:

+```json

+{

+ "VectorTelemetry": {

+ "x": 74.72395045538597,

+ "y": 74.72395045538597,

+ "z": 74.72395045538597

+ }

+}

+```

+The following snippet from a device model shows the definition of a `geopoint` telemetry type:

+```json

+{

+ "@type": "Telemetry",

+ "displayName": {

+ "en": "GeopointTelemetry"

+ },

+ "name": "GeopointTelemetry",

+ "schema": "geopoint"

+}

+```

+> [!NOTE]

+> The **geopoint** schema type is part of the [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md) to DTDL. IoT Central currently supports the **geopoint** schema type and the **location** semantic type for backwards compatibility.

+A device client should send the telemetry as JSON that looks like the following example. IoT Central displays the value as a pin on a map:

+```json

+{

+ "GeopointTelemetry": {

+ "lat": 47.64263,

+ "lon": -122.13035,

+ "alt": 0

+ }

+}

+```

+### Event and state types

+This section shows examples of telemetry events and states that a device sends to an IoT Central application.

+> [!NOTE]

+> The **event** and **state** schema types are part of the [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md) to DTDL.

+The following snippet from a device model shows the definition of a `integer` event type:

+```json

+{

+ "@type": [

+ "Telemetry",

+ "Event"

+ ],

+ "displayName": {

+ "en": "IntegerEvent"

+ },

+ "name": "IntegerEvent",

+ "schema": "integer"

+}

+```

+A device client should send the event data as JSON that looks like the following example:

+```json

+{ "IntegerEvent": 74 }

+```

+The following snippet from a device model shows the definition of a `integer` state type:

+```json

+{

+ "@type": [

+ "Telemetry",

+ "State"

+ ],

+ "displayName": {

+ "en": "IntegerState"

+ },

+ "name": "IntegerState",

+ "schema": {

+ "@type": "Enum",

+ "valueSchema": "integer",

+ "enumValues": [

+ {

+ "displayName": {

+ "en": "Level1"

+ },

+ "enumValue": 1,

+ "name": "Level1"

+ },

+ {

+ "displayName": {

+ "en": "Level2"

+ },

+ "enumValue": 2,

+ "name": "Level2"

+ },

+ {

+ "displayName": {

+ "en": "Level3"

+ },

+ "enumValue": 3,

+ "name": "Level3"

+ }

+ ]

+ }

+}

+```

+A device client should send the state as JSON that looks like the following example. Possible integer state values are `1`, `2`, or `3`:

+```json

+{ "IntegerState": 2 }

+```

+## Properties

+To learn more about the DTDL property naming rules, see [DTDL > Property](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md#property). You can't start a property name using the `_` character.

+### Properties in components

+If the property is defined in a component, wrap the property in the component name. The following example sets the `maxTempSinceLastReboot` in the `thermostat2` component. The marker `__t` indicates that this section defines a component:

+```json

+{

+ "thermostat2" : {

+ "__t" : "c",

+ "maxTempSinceLastReboot" : 38.7

+ }

+}

+```

+To learn more, see [Tutorial: Create and connect a client application to your Azure IoT Central application](tutorial-connect-device.md).

+### Primitive types

+This section shows examples of primitive property types that a device sends to a service.

+The following snippet from a device model shows the definition of a `boolean` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "BooleanProperty"

+ },

+ "name": "BooleanProperty",

+ "schema": "boolean",

+ "writable": false

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin:

+```json

+{ "BooleanProperty": false }

+```

+The following snippet from a device model shows the definition of a `long` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "LongProperty"

+ },

+ "name": "LongProperty",

+ "schema": "long",

+ "writable": false

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin:

+```json

+{ "LongProperty": 439 }

+```

+The following snippet from a device model shows the definition of a `date` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "DateProperty"

+ },

+ "name": "DateProperty",

+ "schema": "date",

+ "writable": false

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin. `Date` types must be ISO 8061 compliant:

+```json

+{ "DateProperty": "2020-05-17" }

+```

+The following snippet from a device model shows the definition of a `duration` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "DurationProperty"

+ },

+ "name": "DurationProperty",

+ "schema": "duration",

+ "writable": false

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin - durations must be ISO 8601 Duration compliant:

+```json

+{ "DurationProperty": "PT10H24M6.169083011336625S" }

+```

+The following snippet from a device model shows the definition of a `float` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "FloatProperty"

+ },

+ "name": "FloatProperty",

+ "schema": "float",

+ "writable": false

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin:

+```json

+{ "FloatProperty": 1.9 }

+```

+The following snippet from a device model shows the definition of a `string` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "StringProperty"

+ },

+ "name": "StringProperty",

+ "schema": "string",

+ "writable": false

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin:

+```json

+{ "StringProperty": "A string value - could be a URL" }

+```

+### Complex types

+This section shows examples of complex property types that a device sends to a service.

+The following snippet from a device model shows the definition of an `Enum` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "EnumProperty"

+ },

+ "name": "EnumProperty",

+ "writable": false,

+ "schema": {

+ "@type": "Enum",

+ "displayName": {

+ "en": "Enum"

+ },

+ "valueSchema": "integer",

+ "enumValues": [

+ {

+ "displayName": {

+ "en": "Item1"

+ },

+ "enumValue": 0,

+ "name": "Item1"

+ },

+ {

+ "displayName": {

+ "en": "Item2"

+ },

+ "enumValue": 1,

+ "name": "Item2"

+ },

+ {

+ "displayName": {

+ "en": "Item3"

+ },

+ "enumValue": 2,

+ "name": "Item3"

+ }

+ ]

+ }

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin. Possible values are `0`, `1`, and that display in IoT Central as `Item1`, `Item2`, and `Item3`:

+```json

+{ "EnumProperty": 1 }

+```

+The following snippet from a device model shows the definition of an `Object` property type. This object has two fields with types `string` and `integer`:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "ObjectProperty"

+ },

+ "name": "ObjectProperty",

+ "writable": false,

+ "schema": {

+ "@type": "Object",

+ "displayName": {

+ "en": "Object"

+ },

+ "fields": [

+ {

+ "displayName": {

+ "en": "Field1"

+ },

+ "name": "Field1",

+ "schema": "integer"

+ },

+ {

+ "displayName": {

+ "en": "Field2"

+ },

+ "name": "Field2",

+ "schema": "string"

+ }

+ ]

+ }

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin:

+```json

+{

+ "ObjectProperty": {

+ "Field1": 37,

+ "Field2": "A string value"

+ }

+}

+```

+The following snippet from a device model shows the definition of an `vector` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "VectorProperty"

+ },

+ "name": "VectorProperty",

+ "schema": "vector",

+ "writable": false

+}

+```

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin:

+```json

+{

+ "VectorProperty": {

+ "x": 74.72395045538597,

+ "y": 74.72395045538597,

+ "z": 74.72395045538597

+ }

+}

+```

+The following snippet from a device model shows the definition of a `geopoint` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "GeopointProperty"

+ },

+ "name": "GeopointProperty",

+ "schema": "geopoint",

+ "writable": false

+}

+```

+> [!NOTE]

+> The **geopoint** schema type is part of the [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md) to DTDL. IoT Central currently supports the **geopoint** schema type and the **location** semantic type for backwards compatibility.

+A device client should send a JSON payload that looks like the following example as a reported property in the device twin:

+```json

+{

+ "GeopointProperty": {

+ "lat": 47.64263,

+ "lon": -122.13035,

+ "alt": 0

+ }

+}

+```

+### Writable property types

+This section shows examples of writable property types that a device receives from a service.

+If the writable property is defined in a component, the desired property message includes the component name. The following example shows the message requesting the device to update the `targetTemperature` in the `thermostat2` component. The marker `__t` indicates that this section defines a component:

+```json

+{

+ "thermostat2": {

+ "targetTemperature": {

+ "value": 57

+ },

+ "__t": "c"

+ },

+ "$version": 3

+}

+```

+To learn more, see [Connect an IoT Plug and Play multiple component device applications](tutorial-multiple-components.md).

+The device or module should confirm that it received the property by sending a reported property. The reported property should include:

+* `value` - the actual value of the property (typically the received value, but the device may decide to report a different value).

+* `ac` - an acknowledgment code that uses an HTTP status code.

+* `av` - an acknowledgment version that refers to the `$version` of the desired property. You can find this value in the desired property JSON payload.

+* `ad` - an optional acknowledgment description.

+To learn more about these fields, see [IoT Plug and Play conventions > Acknowledgment responses](concepts-convention.md#acknowledgment-responses)

+The following snippet from a device model shows the definition of a writable `string` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "StringPropertyWritable"

+ },

+ "name": "StringPropertyWritable",

+ "writable": true,

+ "schema": "string"

+}

+```

+The device receives the following payload from the service:

+```json

+{

+ "StringPropertyWritable": "A string from IoT Central", "$version": 7

+}

+```

+The device should send the following JSON payload to the service after it processes the update. This message includes the version number of the original update received from the service.

+> [!TIP]

+> If the service is IoT Central, it marks the property as **synced** in the UI when it receives this message:

+```json

+{

+ "StringPropertyWritable": {

+ "value": "A string from IoT Central",

+ "ac": 200,

+ "ad": "completed",

+ "av": 7

+ }

+}

+```

+The following snippet from a device model shows the definition of a writable `Enum` property type:

+```json

+{

+ "@type": "Property",

+ "displayName": {

+ "en": "EnumPropertyWritable"

+ },

+ "name": "EnumPropertyWritable",

+ "writable": true,

+ "schema": {

+ "@type": "Enum",

+ "displayName": {

+ "en": "Enum"

+ },

+ "valueSchema": "integer",

+ "enumValues": [

+ {

+ "displayName": {

+ "en": "Item1"

+ },

+ "enumValue": 0,

+ "name": "Item1"

+ },

+ {

+ "displayName": {

+ "en": "Item2"

+ },

+ "enumValue": 1,

+ "name": "Item2"

+ },

+ {

+ "displayName": {

+ "en": "Item3"

+ },

+ "enumValue": 2,

+ "name": "Item3"

+ }

+ ]

+ }

+}

+```

+The device receives the following payload from the service:

+```json

+{

+ "EnumPropertyWritable": 1 , "$version": 10

+}

+```

+The device should send the following JSON payload to the service after it processes the update. This message includes the version number of the original update received from the service.

+> [!TIP]

+> If the service is IoT Central, it marks the property as **synced** in the UI when it receives this message:

+```json

+{

+ "EnumPropertyWritable": {

+ "value": 1,

+ "ac": 200,

+ "ad": "completed",

+ "av": 10

+ }

+}

+```

+## Commands

+To learn more about the DTDL command naming rules, see [DTDL > Command](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md#command). You can't start a command name using the `_` character.

+If the command is defined in a component, the name of the command the device receives includes the component name. For example, if the command is called `getMaxMinReport` and the component is called `thermostat2`, the device receives a request to execute a command called `thermostat2*getMaxMinReport`.

+The following snippet from a device model shows the definition of a command that has no parameters and that doesn't expect the device to return anything:

+```json

+{

+ "@type": "Command",

+ "displayName": {

+ "en": "CommandBasic"

+ },

+ "name": "CommandBasic"

+}

+```

+The device receives an empty payload in the request and should return an empty payload in the response with a `200` HTTP response code to indicate success.

+The following snippet from a device model shows the definition of a command that has an integer parameter and that expects the device to return an integer value:

+```json

+{

+ "@type": "Command",

+ "request": {

+ "@type": "CommandPayload",

+ "displayName": {

+ "en": "RequestParam"

+ },

+ "name": "RequestParam",

+ "schema": "integer"

+ },

+ "response": {

+ "@type": "CommandPayload",

+ "displayName": {

+ "en": "ResponseParam"

+ },

+ "name": "ResponseParam",

+ "schema": "integer"

+ },

+ "displayName": {

+ "en": "CommandSimple"

+ },

+ "name": "CommandSimple"

+}

+```

+The device receives an integer value as the request payload. The device should return an integer value as the response payload with a `200` HTTP response code to indicate success.

+The following snippet from a device model shows the definition of a command that has an object parameter and that expects the device to return an object. In this example, both objects have integer and string fields:

+```json

+{

+ "@type": "Command",

+ "request": {

+ "@type": "CommandPayload",

+ "displayName": {

+ "en": "RequestParam"

+ },

+ "name": "RequestParam",

+ "schema": {

+ "@type": "Object",

+ "displayName": {

+ "en": "Object"

+ },

+ "fields": [

+ {

+ "displayName": {

+ "en": "Field1"

+ },

+ "name": "Field1",

+ "schema": "integer"

+ },

+ {

+ "displayName": {

+ "en": "Field2"

+ },

+ "name": "Field2",

+ "schema": "string"

+ }

+ ]

+ }

+ },

+ "response": {

+ "@type": "CommandPayload",

+ "displayName": {

+ "en": "ResponseParam"

+ },

+ "name": "ResponseParam",

+ "schema": {

+ "@type": "Object",

+ "displayName": {

+ "en": "Object"

+ },

+ "fields": [

+ {

+ "displayName": {

+ "en": "Field1"

+ },

+ "name": "Field1",

+ "schema": "integer"

+ },

+ {

+ "displayName": {

+ "en": "Field2"

+ },

+ "name": "Field2",

+ "schema": "string"

+ }

+ ]

+ }

+ },

+ "displayName": {

+ "en": "CommandComplex"

+ },

+ "name": "CommandComplex"

+}

+```

+The following snippet shows an example request payload sent to the device:

+```json

+{ "Field1": 56, "Field2": "A string value" }

+```

+The following snippet shows an example response payload sent from the device. Use a `200` HTTP response code to indicate success:

+```json

+{ "Field1": 87, "Field2": "Another string value" }

+```

+> [!TIP]

+> IoT Central has its own conventions for implementing [Long-running commands](../iot-central/core/howto-use-commands.md#long-running-commands) and [Offline commands](../iot-central/core/howto-use-commands.md#offline-commands).

+## Next steps

+Now that you've learned about device payloads, a suggested next steps is to read the [Device developer guide](concepts-developer-guide-device.md).

+> [!NOTE]

+> IoT Central currently supports [DTDL v2](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.v2.md) with an [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md).

+> [!NOTE]

+> IoT Central defines some extensions to the DTDL language. To learn more, see [IoT Central extension](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/DTDL.iotcentral.v2.md).

+description: Control access to Azure IoT Hub Device Provisioning Service (DPS) for back-end apps. Includes information about Azure Active Directory and RBAC.

+> [IoT Hub Device Provisioning Service concepts](concepts-service.md)

+1. In the **IoT Edge Modules** section of the page, select the **Add** dropdown and select **IoT Edge Module** to display the **Add IoT Edge Module** page.

+2. On the **Settings** tab, provide a name for the module and then specify the container image URI:

+ :::image type="content" source="./media/how-to-deploy-blob/addmodule-tab1.png" alt-text="Screenshot showing the Module Settings tab of the Add IoT Edge Module page. .":::

+1. Copy and paste the following JSON into the box, to provide storage account information and a mount for the storage on your device.

+ "LOCAL_STORAGE_ACCOUNT_NAME=<local storage account name>",

+ "LOCAL_STORAGE_ACCOUNT_KEY=<local storage account key>"

+ "<mount>"

+ :::image type="content" source="./media/how-to-deploy-blob/addmodule-tab3.png" alt-text="Screenshot showing the Container Create Options tab of the Add IoT Edge Module page..":::

+ - Replace `<local storage account name>` with a name that you can remember. Account names should be 3 to 24 characters long, with lowercase letters and numbers. No spaces.

+ - Replace `<local storage account key>` with a 64-byte base64 key. You can generate a key with tools like [GeneratePlus](https://generate.plus/en/base64). You use these credentials to access the blob storage from other modules.

+ - Replace `<mount>` according to your container operating system. Provide the name of a [volume](https://docs.docker.com/storage/volumes/) or the absolute path to an existing directory on your IoT Edge device where the blob module stores its data. The storage mount maps a location on your device that you provide to a set location in the module.

+1. Configure each property with an appropriate value, as indicated by the placeholders. If you're using the IoT Edge simulator, set the values to the related environment variables for these properties as described by [deviceToCloudUploadProperties](how-to-store-data-blob.md#devicetoclouduploadproperties) and [deviceAutoDeleteProperties](how-to-store-data-blob.md#deviceautodeleteproperties).

+ > [!TIP]

+ > The name for your `target` container has naming restrictions, for example using a `$` prefix is unsupported. To see all restrictions, view [Container Names](/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names).

+ :::image type="content" source="./media/how-to-deploy-blob/addmodule-tab4.png" alt-text="Screenshot showing the Module Twin Settings tab of the Add IoT Edge Module page.":::

+ 1. Copy and paste the following code into the `createOptions` field for the blob storage module:

+ ```json

+ "LOCAL_STORAGE_ACCOUNT_NAME=<local storage account name>",

+ "LOCAL_STORAGE_ACCOUNT_KEY=<local storage account key>"

+ "Binds": ["<mount>"],

+ :::image type="content" source="./media/how-to-deploy-blob/create-options.png" alt-text="Screenshot showing how to update module createOptions in Visual Studio Code.":::

+1. Replace `<local storage account name>` with a name that you can remember. Account names should be 3 to 24 characters long, with lowercase letters and numbers. No spaces.

+1. Replace `<local storage account key>` with a 64-byte base64 key. You can generate a key with tools like [GeneratePlus](https://generate.plus/en/base64). You use these credentials to access the blob storage from other modules.

+1. Replace `<mount>` according to your container operating system. Provide the name of a [volume](https://docs.docker.com/storage/volumes/) or the absolute path to a directory on your IoT Edge device where you want the blob module to store its data. The storage mount maps a location on your device that you provide to a set location in the module.

+1. Configure [deviceToCloudUploadProperties](how-to-store-data-blob.md#devicetoclouduploadproperties) and [deviceAutoDeleteProperties](how-to-store-data-blob.md#deviceautodeleteproperties) for your module by adding the following JSON to the *deployment.template.json* file. Configure each property with an appropriate value and save the file. If you're using the IoT Edge simulator, set the values to the related environment variables for these properties, which you can find in the explanation section of [deviceToCloudUploadProperties](how-to-store-data-blob.md#devicetoclouduploadproperties) and [deviceAutoDeleteProperties](how-to-store-data-blob.md#deviceautodeleteproperties)

+ :::image type="content" source="./media/how-to-deploy-blob/devicetocloud-deviceautodelete.png" alt-text="Screenshot showing how to set desired properties for azureblobstorageoniotedge in Visual Studio Code.":::

+If your organization is using a proxy server, you need to configure proxy support for the edgeAgent and edgeHub runtime modules. This process involves two tasks:

+ :::image type="content" source="./media/how-to-deploy-blob/https-proxy-config.png" alt-text="Screenshot showing the Update IoT Edge Module pane where you can enter the specified values.":::

+1. Select **Update**, then **Review + Create**.

+* [Azure IoT SDKs](iot-hub-devguide-sdks.md)

+- [Authenticating a device to IoT Hub](iot-hub-dev-guide-sas.md#authenticating-a-device-to-iot-hub)

+* [Deploying AI to edge devices with Azure IoT Edge](../iot-edge/quickstart-linux.md)

+* [Getting started with IoT Edge](../iot-edge/quickstart-linux.md)

+* [Getting started with IoT Edge](../iot-edge/quickstart-linux.md)

+To continue exploring IoT Hub and device management patterns, update an image in [Device Update for Azure IoT Hub tutorial using the Raspberry Pi 3 B+ Reference Image](../iot-hub-device-update/device-update-raspberry-pi.md).

+> [Azure Key Vault REST API](/rest/api/keyvault/)

+- See [Managed storage account key samples](https://github.com/Azure-Samples?utf8=%E2%9C%93&q=key+vault+storage&type=&language=)

+> [Create a lab using Python and the Azure Python SDK](how-to-create-lab-python.md)

+- Learn about other [cross-tenant management experiences](../concepts/cross-tenant-management-experience.md).

+* [Built-in connectors for Azure Logic Apps](../connectors/built-in.md)

+See the [set of components available](component-reference.md) to Azure Machine Learning.

+<br/><br/>

+For more information on configuring Azure Firewall, see [Tutorial: Deploy and configure Azure Firewall using the Azure portal](../firewall/tutorial-firewall-deploy-portal.md).

+- [Import data assets on a schedule](reference-yaml-schedule-data-import.md)

+1. Select __Next__, until you get to the "Deployment" page. Here, toggle __Application Insights diagnostics__ to Enabled to allow you view graphs of your endpoint's activities in the studio later and analyze metrics and logs using Application Insights.

+To request an exception from the Azure Machine Learning product team, use the steps in the [Endpoint quota increases](#endpoint-quota-increases).

+* [Tune hyperparameters](how-to-tune-hyperparameters.md)

+- [Deploy your model as a serverless .NET Azure Function](/dotnet/machine-learning/how-to-guides/serve-model-serverless-azure-functions-ml-net)

+* [Make predictions with ONNX on computer vision models from AutoML](how-to-inference-onnx-automl-image-models.md)

+* [Manage your models with MLflow](how-to-manage-models-mlflow.md).

+- [Code samples for Spark jobs using Azure Machine Learning Python SDK](https://github.com/Azure/azureml-examples/tree/main/sdk/python/jobs/spark)

+* [Deploy a model](how-to-deploy-and-where.md)

+* [DevOps for Azure Databricks](https://marketplace.visualstudio.com/items?itemName=riserrad.azdo-databricks)

+* [Train with Azure Machine Learning dataset](how-to-train-with-datasets.md).

+* [Train with datasets using pipelines](./how-to-create-machine-learning-pipelines.md).

+* [How to run and debug experiments locally](../how-to-debug-visual-studio-code.md)

+* [Use a prebuilt package as a base for a new Dockerfile](how-to-extend-prebuilt-docker-image-inference.md).

+> [!TIP]

+> Here are some tips for properly configuring SMTP:

+>- When using a business email account such as Office 365, you may need to contact your email administrator to enable SMTP AUTH (for example, [enable-smtp-auth-for-specific-mailboxes](/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission#enable-smtp-auth-for-specific-mailboxes)). You should be able to create an app password afterwards and use it as the SMTP *password* setting.

+>- When using a personal email account such as Outlook or Gmail, you should create an app password and use it as the SMTP *password* setting. Note that your account won't work for email notification if it's configured with multi-factor authentication.

+- Containerizing ASP.NET web apps and deploying them on Windows containers on Azure App Service. [Learn more](./tutorial-app-containerization-aspnet-app-service.md)

+> [Post Migration Management](./10-post-migration-management.md)

+Download the certificate needed to communicate over SSL with your Azure Database for MySQL server from [https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) and save the certificate file to your local drive (this tutorial uses c:\ssl for example).

+1. In the **SSL CA File:** field, enter the file location of the **DigiCertGlobalRootG2.crt.pem**.

+mysql.exe -h mydemoserver.mysql.database.azure.com -u Username@mydemoserver -p --ssl-mode=REQUIRED --ssl-ca=c:\ssl\DigiCertGlobalRootG2.crt.pem

+mysqli_ssl_set($conn,NULL,NULL, "/var/www/html/DigiCertGlobalRootG2.crt.pem", NULL, NULL);

+ PDO::MYSQL_ATTR_SSL_CA => '/var/www/html/DigiCertGlobalRootG2.crt.pem'

+ ssl_ca='/var/www/html/DigiCertGlobalRootG2.crt.pem')

+ ssl={'ca': '/var/www/html/DigiCertGlobalRootG2.crt.pem'})

+ 'ssl': {'ca': '/var/www/html/DigiCertGlobalRootG2.crt.pem'}

+ :sslca => '/var/www/html/DigiCertGlobalRootG2.crt.pem'

+pem, _ := ioutil.ReadFile("/var/www/html/DigiCertGlobalRootG2.crt.pem")

+ SslCa = "DigiCertGlobalRootG2.crt.pem",

+const serverCa = [fs.readFileSync("/var/www/html/DigiCertGlobalRootG2.crt.pem", "utf8")];

+```

+[How to use the Azure Command-Line Interface for Mac and Linux]:cli-install-nodejs.md

+[Notification Hubs How-To for iOS]: /previous-versions/azure/reference/dn223264(v=azure.100)

+* [WebSphere Liberty Container Images](https://github.com/WASdev/ci.docker)

+ Title: Troubleshoot accessing a CSN connected internet hostname within the AKS hybrid cluster for Azure Operator Nexus

+description: Troubleshoot accessing a CSN connected internet hostname within the AKS hybrid cluster for Azure Operator Nexus

+# Accessing a CSN connected internet hostname within the AKS hybrid cluster

+This article outlines troubleshooting for scenarios where the end user is having issues reaching an internet hostname, which is part of the CSN

+attached to AKS hybrid cluster.

+## Prerequisites

+* Subscription ID

+* Cluster name and resource group

+* AKS-Hybrid cluster name and resource group

+* Familiar with procedures provided in [Connect to AKS Hybrid](/azure/AkS/Hybrid/create-aks-hybrid-preview-cli#connect-to-the-aks-hybrid-cluster)

+Once these prerequisites have been applied, we can finalize the repair of the ΓÇ£Curl -vkΓÇ¥ by performing the below workaround.

+## Common scenarios

+User logged in to the jump server and ssh would into AKS hybrid VM using the IP address of the worker nodes or control plane VMs. From AKS hybrid VM users couldnΓÇÖt reach any egress endpoints mentioned while creating an AKS hybrid that uses the CSN

+The user is encountering an error when trying to access the fully qualified domain name (FQDN) of internet hostnames

+~~~bash

+curl -vk [http://www.ubuntu.com](http://www.ubuntu.com)

+~~~

+~~~output

+\*   Trying 192.xxx.xxx.xxx:xx...

+\* TCP_NODELAY set

+\*   Trying 2607:f8b0:xxxx:c17::xx:xx...

+\* TCP_NODELAY set

+\* Immediate connect fail for 2607:f8b0:xxxx:c17::xx: Network is

+unreachable

+\*   Trying 2607:f8b0:xxxx:c17::xx:xx...

+\* TCP_NODELAY set

+\* Immediate connect fail for 2607:f8b0:xxxx:c17::xx: Network is

+unreachable

+\*   Trying 2607:f8b0:xxxx:c17::xx:xx...

+\* TCP_NODELAY set

+\* Immediate connect fail for 2607:f8b0:xxxx:c17::xx: Network is

+unreachable

+\*   Trying 2607:f8b0:xxxx:c17::93:xx...

+~~~

+## Suggested solutions

+~~~bash

+curl -x "http_proxy=http://169.xxx.x.xx.xxxx" -vk "https://ubuntu.com"

+https_proxy=<http://169.xxx.x.xx.xxxx> tdnf -y install openssh-clients

+~~~

+### First attempt with the above commands generated a user

+~~~output

+error:**

+\* Could not resolve proxy: http_proxy=http

+\* Closing connection 0

+curl: (5) Could not resolve proxy: http_proxy=http

+https_proxy=[http://169.xxx.x.xx.xxxx](http://169.xxx.x.xx.xxxx/) curl

+-vk "https://ubuntu.com" shows connected but user get 403 Access denied.

+~~~

+### Second attempt with the commands

+\# option 1 (set proxy inline on curl, settings will go away after

+command is complete)

+~~~bash

+curl -x "http://169.xxx.x.xx.xxxx" -vk "https://ubuntu.com"

+~~~

+\# option 2 (proxy setting is effective while they remain in the shell)

+~~~bash

+export https_proxy="http://169.xxx.x.xx.xxxx"

+export HTTPS_PROXY="http://169.xxx.x.xx.xxxx"

+curl -vk <https://ubuntu.com>

+~~~

+If a customer is running their rpm install with a shell script, they must ensure setting the http(s)\_proxy locally inside their shell script explicitly. They can also try setting the proxy as an option inline on rpm with the '--httpproxy' and '--httpport' options.

+[For additional information](https://www.xmodulo.com/how-to-install-rpm-packages-behind-proxy.html)

+### How to install.RPM packages behind proxy

+RPM has a proxy flag, which must be set:

+~~~bash

+sudo rpm --import <https://aglet.packages.cloudpassage.com/cloudpassage.packages.key>

+--httpproxy 169.xxx.x.xx  --httpport 3128

+~~~

+>[!Note]

+>Keep in mind if you set them system-wide, they may "lose" their ability to run kubectl locally. Set them inline within the script first to help minimize the effects.

+PostgreSQL lets you grant permissions directly to the database users. **As a good security practice, it can be recommended that you create roles with specific sets of permissions based on minimum application and access requirements. You can then assign the appropriate roles to each user. Roles are used to enforce a *least privilege model* for accessing database objects.**

+### Controlling schema access

+Newly created databases in PostgreSQL will have a default set of privileges in the database's public schema that allow all database users and roles to create objects. To better limit application user access to the databases that you create on your Flexible Server, we recommend that you consider revoking these default public privileges. After doing so, you can then grant specific privileges for database users on a more granular basis. For example:

+* To prevent application database users from creating objects in the public schema, revoke create privileges to *public* schema

+ ```sql

+ REVOKE CREATE ON SCHEMA public FROM PUBLIC;

+ ```

+* Next, create new database:

+```sql

+CREATE DATABASE Test_db;

+```

+* Revoke all privileges from the PUBLIC schema on this new database.

+```sql

+REVOKE ALL ON DATABASE Test_db FROM PUBLIC;

+```

+* Create custom role for application db users

+```sql

+CREATE ROLE Test_db_user;

+```

+* Give database users with this role the ability to connect to the database.

+```sql

+GRANT CONNECT ON DATABASE Test_db TO Test_db_user;

+GRANT ALL PRIVILEGES ON DATABASE Test_db TO Test_db_user;

+```

+* Create database user

+```sql

+CREATE ROLE user1 LOGIN PASSWORD 'Password_to_change'

+```

+* Assign role, with its connect and select privileges to user

+```sql

+GRANT Test_db_user TO user1;

+```

+In this example, user *user1* can connect and has all privileges in our test database *Test_db*, but not any other db on the server. It would be recommended further, instead of giving this user\role *ALL PRIVILEGES* on that database and its objects, to provide more selective permissions, such as *SELECT*,*INSERT*,*EXECUTE*, etc. For more information about privileges in PostgreSQL databases, see the [GRANT](https://www.postgresql.org/docs/current/sql-grant.html) and [REVOKE](https://www.postgresql.org/docs/current/sql-revoke.html) commands in the PostgreSQL docs.

+> [Migrate your database using Export and Import](../howto-migrate-using-export-and-import.md)

+ Title: Azure Database for PostgreSQL - Flexible Server API Release notes

+description: API Release notes of Azure Database for PostgreSQL - Flexible Server.

+# API Release notes - Azure Database for PostgreSQL - Flexible Server

+This page provides latest news and updates regarding the recommended API versions to be used. The API versions that are not listed here might be supported, but will be retired soon.

+## API Releases

+| API Version | Stable/Preview | Comments |

+| | | |

+| 2023-03-01-preview | Preview | New GA version features (2022-12-01) +<br>Geo + CMK<br>Storage auto growth<br>IOPS scaling<br>New location capability api<br>Azure Defender<br>Server Logs<br>Migrations<br> |

+| 2022-12-01 | Stable (GA) | Earlier GA features +<br>AAD<br>CMK<br>Backups<br>Administrators<br>Replicas<br>GeoRestore<br>MVU<br> |

+| 2022-05-01-preview | Preview | CheckMigrationNameAvailability<br>Migrations<br> |

+| 2021-06-01 | Stable (GA) | Earlier GA features +<br>Server CRUD<br>CheckNameAvailability<br>Configurations (Server parameters)<br>Database<br>Firewall rules<br>Private<br>DNS zone suffix<br>PITR<br>Server Restart<br>Server Start<br>Server Stop<br>Maintenance window<br>Virtual network subnet usage<br> |

+## Contacts

+For any questions or suggestions you might have on Azure Database for PostgreSQL flexible server, send an email to the Azure Database for PostgreSQL Team ([@Ask Azure DB for PostgreSQL](mailto:AskAzureDBforPostgreSQL@service.microsoft.com)). Please note that this email address isn't a technical support alias.

+In addition, consider the following points of contact as appropriate:

+- To contact Azure Support, [file a ticket from the Azure portal](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade).

+- To fix an issue with your account, file a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) in the Azure portal.

+- To provide feedback or to request new features, create an entry via [UserVoice](https://feedback.azure.com/forums/597976-azure-database-for-postgresql).

+## Next steps

+Now that you've read our API Release Notes on Azure Database for PostgreSQL flexible server, you're ready to create your first server: [Create an Azure Database for PostgreSQL - Flexible Server using Azure portal](./quickstart-create-server-portal.md)

+* Postgres 15 is now available in public preview for Azure Database for PostgreSQL ΓÇô Flexible Server in limited regions (West Europe, East US, West US2, South East Asia, UK South, North Europe, Japan east).

+> [Migrate your database using Export and Import](./how-to-migrate-using-export-and-import.md)

+- [Collect the required information for a site](collect-required-information-for-a-site.md).

+- [Model conversion](../how-tos/conversion/model-conversion.md)

+* [SAP HANA VM storage configurations](./hana-vm-operations-storage.md)

+> [How to create a skillset](cognitive-search-defining-skillset.md)

+> [Add search to a web site (JavaScript)](tutorial-javascript-search-query-integration.md#azure-function-suggestions-from-the-catalog)

+* [IndexerExecutionResult](/dotnet/api/azure.search.documents.indexes.models.indexerexecutionresult)

+> [Configure a SQL Database indexer](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md)

+[Deploy your Static Web App](tutorial-csharp-deploy-static-web-app.md)

+[Deploy your Static Web App](tutorial-javascript-deploy-static-web-app.md)

+The SuppressDefaultHostAuthentication method tells Web API to ignore any authentication that happens before the request reaches the Web API pipeline, either by IIS or by OWIN middleware. That way, we can restrict Web API to authenticate only using bearer tokens.

+- [Securing PKI](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786443(v=ws.11))

+ where ProcessName !contains \"CEF\"