+ 1. Install the ECMA Connector host and provisioning agent on a Windows Server, using the [provisioning users into SQL based applications](on-premises-sql-connector-configure.md#3-install-and-configure-the-azure-ad-connect-provisioning-agent) or [provisioning users into LDAP directories](on-premises-ldap-connector-configure.md#install-and-configure-the-azure-ad-connect-provisioning-agent) articles.

+ Title: Continuous access evaluation strict location enforcement in Azure AD

+description: Responding to changes in user state faster with continuous access evaluation strict location enforcement in Azure AD

+# Strictly enforce location policies using continuous access evaluation (preview)

+Strictly enforce location policies is a new enforcement mode for continuous access evaluation (CAE), used in Conditional Access policies. This new mode provides protection for resources, immediately stopping access if the IP address detected by the resource provider isn't allowed by Conditional Access policy. This option is the highest security modality of CAE location enforcement, and requires that administrators understand the routing of authentication and access requests in their network environment. See our [Introduction to continuous access evaluation](concept-continuous-access-evaluation.md) for a review of how CAE-capable clients and resource providers, like the Outlook email client and Exchange Online evaluate location changes.

+| Location enforcement mode | Recommended network topology | If the IP address detected by the Resource isn't in the allowed list | Benefits | Configuration |

+| | | | | |

+| Standard (Default) | Suitable for all topologies | A short-lived token is issued only if Azure AD detects an allowed IP address. Otherwise, access is blocked | Falls back to the pre-CAE location detection mode in split tunnel network deployments where CAE enforcement would affect productivity. CAE still enforces other events and policies. | None (Default Setting) |

+| Strictly enforced location policies | Egress IP addresses are dedicated and enumerable for both Azure AD and all resource provider traffic | Access blocked | Most secure, but requires well understood network paths | 1. Test IP address assumptions with a small population <br><br> 2. Enable ΓÇ£Strictly enforceΓÇ¥ under Session controls |

+> [!NOTE]

+> The **IP address (seen by resource)** is blank when that IP matches the IP address.

+## Configure strictly enforced location policies

+### Step 1 - Configure a Conditional Access location based policy for your target users

+Before administrators create a Conditional Access policy requiring strict location enforcement, they must be comfortable using policies like the one described in [Conditional Access location based policies](howto-conditional-access-policy-location.md). Policies like this one should be tested with a subset of users before proceeding to the next step. Administrators can avoid discrepancies between the allowed and actual IP addresses seen by Azure AD during authentication, by testing before enabling strict enforcement.

+### Step 2 - Test policy on a small subset of users

+

+After enabling policies requiring strict location enforcement on a subset of test users, validate your testing experience using the filter **IP address (seen by resource)** in the Azure AD Sign-in logs. This validation allows administrators to find scenarios where strict location enforcement may block users with an unallowed IP seen by the CAE-enabled resource provider.

+ - Admins must ensure all authentication traffic towards Azure AD and access traffic to resource providers are from dedicated egress IPs that are known.

+ - Like Exchange Online, Teams, SharePoint Online, and Microsoft Graph

+ - Before administrators turn on Conditional Access policies requiring strict location enforcement, they should ensure that all IP addresses from which your users can access Azure AD and resource providers are included in their [IP-based named locations](location-condition.md#ipv4-and-ipv6-address-ranges).

+If administrators don't perform this validation, their users may be negatively impacted. If traffic to Azure AD or a CAE supported resource is through a shared or undefinable egress IP, don't enable strict location enforcement in your Conditional Access policies.

+### Step 3 - Identify IP addresses that should be added to your named locations

+If the filter search of **IP address (seen by resource)** in the Azure AD Sign-in logs isn't empty, you might have a split-tunnel network configuration. To ensure your users aren't accidentally locked out by policies requiring strict location enforcement, administrators should:

+- Investigate and identify any IP addresses identified in the Sign-in logs.

+- Add public IP addresses associated with known organizational egress points to their defined [named locations](location-condition.md#named-locations).

+ [  ](./media/concept-continuous-access-evaluation-strict-enforcement/sign-in-logs-ip-address-seen-by-resource.png#lightbox)

+The following screenshot shows an example of a clientΓÇÖs access to a resource being blocked. This block is due to policies requiring CAE strict location enforcement being triggered revoking the clientΓÇÖs session.

+ 

+This behavior can be verified in the sign-in logs. Look for **IP address (seen by resource)** and investigate adding this IP to [named locations](location-condition.md#named-locations) if experiencing unexpected blocks from Conditional Access on users.

+ 

+Looking at the **Conditional Access Policy details** tab provides more details of blocked sign-in events.

+ 

+### Step 4 - Continue deployment

+Repeat steps 2 and 3 with expanding groups of users until Strictly Enforce Location Policies are applied across your target user base. Roll out carefully to avoid impacting user experience.

+## Troubleshooting with Sign-in logs

+Administrators can investigate the Sign-in logs to find cases with **IP address (seen by resource)**.

+1. Sign in to the **Azure portal** as at least a Global Reader.

+1. Browse to **Azure Active Directory** > **Sign-ins**.

+1. Find events to review by adding filters and columns to filter out unnecessary information.

+ 1. Add the **IP address (seen by resource)** column and filter out any blank items to narrow the scope.

+ [  ](./media/concept-continuous-access-evaluation-strict-enforcement/sign-in-logs-ip-address-seen-by-resource.png#lightbox)

+**IP address (seen by resource)** contains filter isn't empty in the following examples:

+### Initial authentication

+1. Authentication succeeds using a CAE token.

+ 

+1. The **IP address (seen by resource)** is different from the IP address seen by Azure AD. Although the IP address seen by the resource is known, there's no enforcement until the resource redirects the user for reevaluation of the IP address seen by the resource.

+ 

+1. Azure AD authentication is successful because strict location enforcement isn't applied at the resource level.

+ 

+

+### Resource redirect for reevaluation

+1. Authentication fails and a CAE token isn't issued.

+ 

+1. **IP address (seen by resource)** is different from the IP seen by Azure AD.

+ 

+1. Authentication isn't successful because **IP address (seen by resource)** isn't a known [named location](location-condition.md#named-locations) in Conditional Access.

+ 

+## Next steps

+- [Continuous access evaluation in Azure AD](concept-continuous-access-evaluation.md)

+- [Claims challenges, claims requests, and client capabilities](../develop/claims-challenge.md)

+- [How to use continuous access evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md)

+- [Monitor and troubleshoot sign-ins with continuous access evaluation](howto-continuous-access-evaluation-troubleshoot.md#potential-ip-address-mismatch-between-azure-ad-and-resource-provider)

+- `actortoken`

+- `assertion`

+- `aud`

+- `auth_data`

+- `authorization_code`

+- `bk_claim`

+- `bk_enclave`

+- `bk_pub`

+- `brk_client_id`

+- `brk_redirect_uri`

+- `capolids_latebind`

+- `cert_token_use`

+- `child_client_id`

+- `child_redirect_uri`

+- `client_id`

+- `client_ip`

+- `cloud_graph_host_name`

+- `cloud_instance_host_name`

+- `cloud_instance_name`

+- `CloudAssignedMdmId`

+- `controls_auds`

+- `csr`

+- `csr_type`

+- `dns_names`

+- `exp`

+- `extn. as prefix`

+- `fido_ver`

+- `fwd_appidacr`

+- `grant_type`

+- `hash_alg`

+- `iat`

+- `iss`

+- `jwk`

+- `key_id`

+- `key_type`

+- `msgraph_host`

+- `nbf`

+- `netbios_name`

+- `password`

+- `previous_refresh_token`

+- `redirect_uri`

+- `refresh_token`

+- `request_nonce`

+- `resource`

+- `role`

+- `rp_id`

+- `scope`

+- `signature`

+- `tenant_id`

+- `user_agent`

+- `username`

+- `vsm_binding_key`

+- `win_ver`

+- `x5c_ca`

+Restricted Claim type (URI):

+- `http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged`

+- `http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown`

+- `http://schemas.microsoft.com/2014/03/psso`

+- `http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant`

+- `http://schemas.microsoft.com/claims/authnmethodsreferences`

+- `http://schemas.microsoft.com/claims/groups.link`

+- `http://schemas.microsoft.com/identity/claims/accesstoken`

+- `http://schemas.microsoft.com/identity/claims/acct`

+- `http://schemas.microsoft.com/identity/claims/agegroup`

+- `http://schemas.microsoft.com/identity/claims/aio`

+- `http://schemas.microsoft.com/identity/claims/identityprovider`

+- `http://schemas.microsoft.com/identity/claims/objectidentifier`

+- `http://schemas.microsoft.com/identity/claims/openid2_id`

+- `http://schemas.microsoft.com/identity/claims/puid`

+- `http://schemas.microsoft.com/identity/claims/scope`

+- `http://schemas.microsoft.com/identity/claims/tenantid`

+- `http://schemas.microsoft.com/identity/claims/xms_et`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/confirmationkey`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlywindowsdevicegroup`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/expired`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/ispersistent`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/role`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/samlissuername`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/wids`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdeviceclaim`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsfqbnversion`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowssubauthority`

+- `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsuserclaim`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`

+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname`

+- `http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor`

+Azure AD Registration is not the same as device enrolment. If Administrators permit users to enrol their devices, organisations can further control these Azure AD registered devices by enrolling the device(s) into Mobile Device Management (MDM) tools like Microsoft Intune. MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, and security software kept updated.

+1. To make sure you're using the directory that contains your customer tenant, select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.

+1.If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.

+2. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant.

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the customer tenant you created earlier.

+1. Make sure you're using the directory that contains your Azure AD customer tenant: Select the Directories + subscriptions icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar and find your customer tenant in the list. If it's not the current directory, select **Switch**.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using your customer tenant. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar.

+1. Make sure you're using the directory that contains your Azure AD customer tenant: Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the toolbar and find your customer tenant in the list. If it's not the current directory, select **Switch**.

+

+ 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar.

+### To call an API follow the steps below (optional):

+ 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar.

+### To call an API follow the steps below (optional):

+### To add app roles follow the steps below (optional):

+ 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar.

+### To call an API follow the steps below (optional):

+### To call an API follow the steps below (optional)

+# [Microsoft Graph API](#tab/graphapi)

+## How to register a Microsoft Graph API application?

+### Grant API Access to your application

+### Create a client secret

+## Next steps

+- Learn more how to manage [Azure Active Directory for customers resources with Microsoft Graph](microsoft-graph-operations.md)

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to your customer tenant.

+ 1. Select the **Directories + subscriptions** icon :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the portal toolbar.

+1. Ensure that you're signed in to the directory that you want to delete through the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the Azure portal. Switch to the target directory if needed.

+ Title: "What's new in Azure Active Directory for customers"

+description: "New and updated documentation for the Azure Active Directory for customers documentation."

+# Azure Active Directory for customers: What's new

+Welcome to what's new in Azure Active Directory for customers documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.

+## June 2023

+### New articles

+- [Quickstart: Create a tenant (preview)](quickstart-tenant-setup.md)

+- [Tutorial: Create a .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-prepare-app.md)

+- [Tutorial: Register and configure .NET MAUI mobile app in a customer tenant](tutorial-mobile-app-maui-sign-in-prepare-tenant.md)

+- [Tutorial: Sign in users in .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-sign-out.md)

+- [Use role-based access control in your Node.js web application](how-to-web-app-role-based-access-control.md)

+- [Tutorial: Handle authentication flows in a React single-page app](how-to-single-page-application-react-configure-authentication.md)

+- [Tutorial: Create a .NET MAUI app](tutorial-desktop-app-maui-sign-in-prepare-app.md)

+- [Tutorial: Register and configure .NET MAUI app in a customer tenant](tutorial-desktop-app-maui-sign-in-prepare-tenant.md)

+- [Tutorial: Sign in users in .NET MAUI app](tutorial-desktop-app-maui-sign-in-sign-out.md)

+### Updated articles

+- [What is Microsoft Entra External ID for customers?](overview-customers-ciam.md) - Added a section regarding Azure AD B2C to the overview and emphasized tenant creation when getting started.

+- [Add user attributes to token claims](how-to-add-attributes-to-token.md) - Added attributes to token claims: fixed steps for updating the app manifest.

+- [Tutorial: Prepare a React single-page app (SPA) for authentication in a customer tenant](how-to-single-page-application-react-prepare-app.md) - JavaScript tutorial edits, code sample updates and fixed SPA aligning content styling.

+- [Tutorial: Add sign-in and sign-out to a React single-page app (SPA) for a customer tenant](how-to-single-page-application-react-sign-in-out.md) - JavaScript tutorial edits and fixed SPA aligning content styling.

+- [Tutorial: Handle authentication flows in a vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-configure-authentication.md) - Fixed SPA aligning content styling.

+- [Tutorial: Prepare a vanilla JavaScript single-page app for authentication in a customer tenant](how-to-single-page-app-vanillajs-prepare-app.md) - Fixed SPA aligning content styling.

+- [Tutorial: Prepare your customer tenant to authenticate a vanilla JavaScript single-page app](how-to-single-page-app-vanillajs-prepare-tenant.md) - Fixed SPA aligning content styling.

+- [Tutorial: Add sign-in and sign-out to a vanilla JavaScript single-page app for a customer tenant](how-to-single-page-app-vanillajs-sign-in-sign-out.md) - Fixed SPA aligning content styling.

+- [Tutorial: Prepare your customer tenant to authenticate users in a React single-page app (SPA)](how-to-single-page-application-react-prepare-tenant.md) - Fixed SPA aligning content styling.

+- [Tutorial: Prepare an ASP.NET web app for authentication in a customer tenant](how-to-web-app-dotnet-sign-in-prepare-app.md) - ASP.NET web app fixes.

+- [Tutorial: Prepare your customer tenant to authenticate users in an ASP.NET web app](how-to-web-app-dotnet-sign-in-prepare-tenant.md) - ASP.NET web app fixes.

+- [Tutorial: Add sign-in and sign-out to an ASP.NET web application for a customer tenant](how-to-web-app-dotnet-sign-in-sign-out.md) - ASP.NET web app fixes.

+- [Collect user attributes during sign-up](how-to-define-custom-attributes.md) - Added a step for the Show more attributes pane and custom attributes.

+- [Manage Azure Active Directory for customers resources with Microsoft Graph](microsoft-graph-operations.md) - Combined Graph API references into one doc.

+| [Azure AD threat intelligence](#azure-ad-threat-intelligence-sign-in) | Real-time or Offline | Nonpremium |

+**Calculated in real-time or offline**. This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources.

+- [Security overview](concept-identity-protection-security-overview.md)

+ 1. This detection was triggered by a real-time rule

+ 1. Validate that no other users in your directory are targets of the same attack. This can be found by the TI_RI_#### number assigned to the rule.

+ 1. Real-time rules protect against novel attacks identified by Microsoft's threat intelligence. If multiple users in your directory were targets of the same attack, investigate unusual patterns in other attributes of the sign in.

+The following table includes links to PowerShell script examples for Azure AD Application Management.

+These samples require the [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation) SDK module.

+| [Export expiring secrets and certs (app registrations)](scripts/powershell-export-apps-with-expiring-secrets.md) | Export app registrations with expiring secrets and certificates and their Owners in Azure Active Directory tenant. |

+| [Export expiring secrets and certs (enterprise apps)](scripts/powershell-export-enterprise-apps-with-expiring-secrets.md) | Export enterprise apps with expiring secrets and certificates and their Owners in Azure Active Directory tenant. |

+This sample requires the [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation) SDK module.

+The script can be used directly without any modifications. The admin will be asked about the expiration date and whether they would like to see already expired secrets or certificates or not.

+| [Get-MgApplication](/powershell/module/microsoft.graph.applications/get-mgapplication?view=graph-powershell-1.0&preserve-view=true) | Retrieves an application from your directory. |

+| [Get-MgApplicationOwner](/powershell/module/microsoft.graph.applications/get-mgapplicationowner?view=graph-powershell-1.0&preserve-view=true) | Retrieves the owners of an application from your directory. |

+For more information on the Microsoft Graph PowerShell module, see [Microsoft Graph PowerShell module overview](/powershell/microsoftgraph/installation).

+For other PowerShell examples for Application Management, see [Azure Microsoft Graph PowerShell examples for Application Management](../app-management-powershell-samples.md).

+This sample requires the [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation) SDK module.

+The script can be used directly without any modifications. The admin will be asked about the expiration date and whether they would like to see already expired secrets or certificates or not.

+| [Get-MgServicePrincipal](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal?view=graph-powershell-1.0&preserve-view=true) | Retrieves an enterprise application from your directory. |

+| [Get-MgServicePrincipalOwner](/powershell/module/microsoft.graph.applications/get-mgserviceprincipalowner?view=graph-powershell-1.0&preserve-view=true) | Retrieves the owners of an enterprise application from your directory. |

+For more information on the Microsoft Graph PowerShell module, see [Microsoft Graph PowerShell module overview](/powershell/microsoftgraph/installation).

+For other PowerShell examples for Application Management, see [Azure Microsoft Graph PowerShell examples for Application Management](../app-management-powershell-samples.md).

+ Title: PowerShell sample - Export app registrations with expiring secrets and certificates in Azure Active Directory tenant.

+description: PowerShell example that exports all app registrations with expiring secrets and certificates for the specified apps in your Azure Active Directory tenant.

+# Export app registrations with expiring secrets and certificates

+This PowerShell script example exports all app registrations with secrets and certificates expiring in the next X days (and already expired if you choose so) with their owners for the specified apps from your directory in a CSV file.

+This sample requires the [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation) SDK module.

+| [Get-MgApplication](/powershell/module/microsoft.graph.applications/get-mgapplication?view=graph-powershell-1.0&preserve-view=true) | Retrieves an application from your directory. |

+| [Get-MgApplicationOwner](/powershell/module/microsoft.graph.applications/get-mgapplicationowner?view=graph-powershell-1.0&preserve-view=true) | Retrieves the owners of an application from your directory. |

+For more information on the Microsoft Graph PowerShell module, see [Microsoft Graph PowerShell module overview](/powershell/microsoftgraph/installation).

+For other PowerShell examples for Application Management, see [Azure Microsoft Graph PowerShell examples for Application Management](../app-management-powershell-samples.md).

+ Title: PowerShell sample - Export enterprise apps with expiring secrets and certificates in Azure Active Directory tenant.

+description: PowerShell example that exports all enterprise apps with expiring secrets and certificates for the specified enterprise apps in your Azure Active Directory tenant.

+# Export enterprise apps with expiring secrets and certificates

+This PowerShell script example exports all enterprise applications with secrets and certificates expiring in the next X days (and already expired if you choose so), with their owners for the specified enterprise apps from your directory in a CSV file.

+This sample requires the [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation) SDK module.

+## Sample script

+[!code-azurepowershell[main](~/powershell_scripts/application-management/export-enterprise-apps-with-expiring-secrets.ps1 "Exports all apps with expiring secrets and certificates for the specified apps in your directory.")]

+## Script explanation

+The script can be used directly without any modifications. The admin will be asked about the expiration date and whether they would like to see already expired secrets or certificates or not.

+The "Add-Member" command is responsible for creating the columns in the CSV file.

+The "New-Object" command creates an object to be used for the columns in the CSV file export.

+You can modify the "$Path" variable directly in PowerShell, with a CSV file path, in case you'd prefer the export to be non-interactive.

+| Command | Notes |

+|||

+| [Get-MgServicePrincipal](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal?view=graph-powershell-1.0&preserve-view=true) | Retrieves an enterprise application from your directory. |

+| [Get-MgServicePrincipalOwner](/powershell/module/microsoft.graph.applications/get-mgserviceprincipalowner?view=graph-powershell-1.0&preserve-view=true) | Retrieves the owners of an enterprise application from your directory. |

+## Next steps

+For more information on the Microsoft Graph PowerShell module, see [Microsoft Graph PowerShell module overview](/powershell/microsoftgraph/installation).

+For other PowerShell examples for Application Management, see [Azure Microsoft Graph PowerShell examples for Application Management](../app-management-powershell-samples.md).

+| [Migrate from ADAL to MSAL](recommendation-migrate-from-adal-to-msal.md) | Applications | All licenses | Generally available |

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Headspace Client support team](mailto:employer-solution-squad@headspace.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+To configure single sign-on on **Headspace** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [Headspace support team](mailto:employer-solution-squad@headspace.com). They set this setting to have the SAML SSO connection set properly on both sides.

+* Click on **Test this application** in Azure portal. This will redirect to Headspace Sign on URL where you can initiate the login flow.

+* Go to Headspace Sign on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Headspace tile in the My Apps, this will redirect to Headspace Sign on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+

+> [!WARNING]

+> Prior to Windows OS Build 20348.1668, there was a limitation around Windows Overlay pods incorrectly SNATing packets from host network pods, which had a more detrimental effect for clusters upgrading to Overlay. To avoid this issue, **use Windows OS Build greater than or equal to 20348.1668**.

+> [!WARNING]

+> If using a custom azure-ip-masq-agent config to include additional IP ranges that should not SNAT packets from pods, upgrading to Azure CNI Overlay may break connectivity to these ranges. Pod IPs from the overlay space will not be reachable by anything outside the cluster nodes.

+> Additionally, for sufficiently old clusters there may be a ConfigMap left over from a previous version of azure-ip-masq-agent. If this ConfigMap, named `azure-ip-masq-agent-config`, exists and is not intetionally in-place it should be deleted before running the update command.

+> If not using a custom ip-masq-agent config, only the `azure-ip-masq-agent-config-reconciled` ConfigMap should exist with respect to Azure ip-masq-agent ConfigMaps and this will be updated automatically during the upgrade process.

+| `azurefile-csi` | Uses Azure Standard storage to create an Azure file share. The reclaim policy ensures that the underlying Azure file share is deleted when the persistent volume that used it is deleted. |

+[azure-disk-customer-managed-key]: azure-disk-customer-managed-keys.md

+For policy XML examples, see [API Management policy snippets repo](https://github.com/Azure/api-management-policy-snippets).

+[Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md). If you're looking for policies you can use to modify API behavior in API Management, see [API Management policy reference](api-management-policies.md).

+* [Policy snippets repo](https://github.com/Azure/api-management-policy-snippets)

+ | **CER certificate file** | Select your .cer file. |

+description: Learn how to use WebJobs to run background tasks in Azure App Service. Choose from various script formats and run them with CRON expressions.

+If instead of the Azure App Service, you're using Visual Studio to develop and deploy WebJobs, see [Deploy WebJobs using Visual Studio](webjobs-dotnet-deploy-vs.md).

+WebJobs is a feature of [Azure App Service](index.yml) that enables you to run a program or script in the same instance as a web app, API app, or mobile app. There's no extra cost to use WebJobs.

+You can use the Azure WebJobs SDK with WebJobs to simplify many programming tasks. WebJobs aren't supported for App Service on Linux yet. For more information, see [What is the WebJobs SDK](https://github.com/Azure/azure-webjobs-sdk/wiki).

+1. From the left pane, select **WebJobs**, then select **Add**.

+ :::image type="content" source="media/webjobs-create/add-webjob.png" alt-text="Screenshot that shows how to add a WebJob in an App Service app in the portal.":::

+1. Fill in the **Add WebJob** settings as specified in the table, then select **Create Webjob**.

+ :::image type="content" source="media/webjobs-create/configure-new-continuous-webjob.png" alt-text="Screenshot that shows how to configure a mult-instance continuous WebJob for an App Service app.":::

+ | **Name** | myContinuousWebJob | A name that is unique within an App Service app. Must start with a letter or a number and must not contain special characters other than "-" and "_". |

+ | **File Upload** | ConsoleApp.zip | A *.zip* file that contains your executable or script file and any supporting files needed to run the program or script. The supported executable or script file types are listed in the [Supported file types](#acceptablefiles) section. |

+ | **Scale** | Multi Instance | Available only for Continuous WebJobs. Determines whether the program or script runs on all instances or just one instance. The option to run on multiple instances doesn't apply to the Free or Shared [pricing tiers](https://azure.microsoft.com/pricing/details/app-service/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). |

+1. The new WebJob appears on the **WebJobs** page. If you see a message that says the WebJob was added, but you don't see it, select **Refresh**.

+1. To stop or restart a continuous WebJob, right-click the WebJob in the list and select the **Stop** or **Run** button, then confirm your selection.

+ :::image type="content" source="media/webjobs-create/continuous-webjob-stop.png" alt-text="Screenshot that shows how to stop a continuous WebJob in the Azure portal.":::

+1. In the [Azure portal](https://portal.azure.com), go to the **App Service** page of your App Service web app, API app, or mobile app.

+1. From the left pane, select **WebJobs**, then select **Add**.

+ :::image type="content" source="media/webjobs-create/add-webjob.png" alt-text="Screenshot that shows how to add a WebJob in an App Service app in the portal (manually triggered WebJob).":::

+1. Fill in the **Add WebJob** settings as specified in the table, then select **Create Webjob**.

+ :::image type="content" source="media/webjobs-create/configure-new-triggered-webjob.png" alt-text="Screenshot that shows how to configure a manually triggered WebJob for an App Service app.":::

+ | **Name** | myTriggeredWebJob | A name that is unique within an App Service app. Must start with a letter or a number and must not contain special characters other than "-" and "_".|

+ | **File Upload** | ConsoleApp1.zip | A *.zip* file that contains your executable or script file and any supporting files needed to run the program or script. The supported executable or script file types are listed in the [Supported file types](#acceptablefiles) section. |

+1. The new WebJob appears on the **WebJobs** page. If you see a message that says the WebJob was added, but you don't see it, select **Refresh**.

+1. To run a manually triggered WebJob, right-click the WebJob in the list and select the **Run** button, then confirm your selection.

+ :::image type="content" source="media/webjobs-create/triggered-webjob-run.png" alt-text="Screenshot that shows how to run a manually triggered WebJob in the Azure portal.":::

+1. In the [Azure portal](https://portal.azure.com), go to the **App Service** page of your App Service web app, API app, or mobile app.

+1. From the left pane, select **WebJobs**, then select **Add**.

+ :::image type="content" source="media/webjobs-create/add-webjob.png" alt-text="Screenshot that shows how to add a WebJob in an App Service app in the portal (scheduled WebJob).":::

+1. Fill in the **Add WebJob** settings as specified in the table, then select **Create Webjob**.

+ :::image type="content" source="media/webjobs-create/configure-new-scheduled-webjob.png" alt-text="Screenshot that shows how to configure a scheduled WebJob in an App Service app.":::

+ | **Name** | myScheduledWebJob | A name that is unique within an App Service app. Must start with a letter or a number and must not contain special characters other than "-" and "_". |

+ | **File Upload** | ConsoleApp.zip | A *.zip* file that contains your executable or script file and any supporting files needed to run the program or script. The supported executable or script file types are listed in the [Supported file types](#acceptablefiles) section. |

+1. The new WebJob appears on the **WebJobs** page. If you see a message that says the WebJob was added, but you don't see it, select **Refresh**.

+1. The scheduled WebJob is run at the schedule defined by the CRON expression. To run it manually at anytime, right-click the WebJob in the list and select the **Run** button, then confirm your selection.

+ :::image type="content" source="media/webjobs-create/scheduled-webjob-run.png" alt-text="Screenshot that shows how to run a manually scheduled WebJob in the Azure portal.":::

+You can also [add an application setting](configure-common.md#configure-app-settings) named `WEBJOBS_STOPPED` with a value of `1` to stop all WebJobs running on your site. You can use this method to prevent conflicting WebJobs from running both in staging and production slots. You can similarly use a value of `1` for the `WEBJOBS_DISABLE_SCHEDULE` setting to disable triggered WebJobs in the site or a staging slot. For slots, remember to enable the **Deployment slot setting** option so that the setting itself doesn't get swapped.

+1. For the WebJob you want to see, select **Logs**.

+ :::image type="content" source="media/webjobs-create/open-logs.png" alt-text="Screenshot that shows how to access logs for a WebJob.":::

+

+ :::image type="content" source="media/webjobs-create/webjob-details-page.png" alt-text="Screenshot that shows how to choose a WebJob run to see its detailed logs.":::

+3. In the **WebJob Run Details** page, you can select **download** to get a text file of the logs, or select the **WebJobs** breadcrumb link at the top of the page to see logs for a different WebJob.

+## WebJob statuses

+Below is a list of common WebJob statuses:

+- **Initializing** The app has just started and the WebJob is going through its initialization process.

+- **Starting** The WebJob is starting up.

+- **Running** The WebJob is running.

+- **PendingRestart** A continuous WebJob exits in less than two minutes since it started for any reason, and App Service waits 60 seconds before restarting the WebJob. If the continuous WebJob exits after the two-minute mark, App Service doesn't wait the 60 seconds and restarts the WebJob immediately.

+- **Stopped** The WebJob was stopped (usually from the Azure portal) and is currently not running and won't run until you start it again manually, even for a continuous or scheduled WebJob.

+- **Aborted** This can occur for a number of reasons, such as when a long-running WebJob reaches the timeout marker.

+The Application Gateway Ingress Controller (AGIC) is a pod within your Azure Kubernetes Service (AKS) cluster.

+## Outline

+ - Option 1: [Set up Azure AD workload identity](#set-up-azure-ad-workload-identity) and create Azure Identity on ARMs

+ - Option 2: [Set up a Service Principal](#using-a-service-principal)

+shared between one AKS cluster and/or other Azure components.

+- [An AKS cluster](../aks/intro-kubernetes.md) with [Azure Container Networking Interface (CNI)](../aks/configure-azure-cni.md)

+- [Application Gateway v2](./tutorial-autoscale-ps.md) in the same virtual network as the AKS cluster

+- [Azure AD workload identity](../aks/workload-identity-overview.md) configured for your AKS cluster

+- [Cloud Shell](https://shell.azure.com/) is the Azure shell environment, which has `az` CLI, `kubectl`, and `helm` installed. These tools are required for commands used to support configuring this deployment.

+ 1. From the [Azure portal](https://portal.azure.com/), navigate to your Application Gateway instance.

+ 2. Under the **Automation** section, select **Export template** and then select **Download**.

+## Set up Azure AD workload identity

+[Azure AD workload identity](../aks/workload-identity-overview.md) is an identity you assign to a software workload, to authenticate and access other services and resources. This identity enables your AKS pod to use this identity and authenticate with other Azure resources. For this configuration, we need authorization

+1. Use the Azure CLI [az account set](/cli/azure/account#az-account-set) command to set a specific subscription to be the current active subscription. Then use the [az identity create](/cli/azure/identity#az-identity-create) command to create a managed identity. The identity needs to be created in the [node resource group](../aks/concepts-clusters-workloads.md#node-resource-group). The node resource group is assigned a name by default, such as *MC_myResourceGroup_myAKSCluster_eastus*.

+ ```azurecli-interactive

+ az account set --subscription "subscriptionID"

+ ```

+ ```azurecli-interactive

+ az identity create --name "userAssignedIdentityName" --resource-group "resourceGroupName" --location "location" --subscription "subscriptionID"

+1. For the role assignment, run the following command to identify the `principalId` for the newly created identity:

+1. Grant the identity **Contributor** access to your Application Gateway. You need the ID of the Application Gateway, which

+looks like: `/subscriptions/A/resourceGroups/B/providers/Microsoft.Network/applicationGateways/C`. First, get the list of Application Gateway IDs in your subscription by running the following command:

+ ```azurecli

+ az network application-gateway list --query '[].id'

+ ```

+ To assign the identity **Contributor** access, run the following command:

+1. Grant the identity **Reader** access to the Application Gateway resource group. The resource group ID looks like:

+>[!NOTE]

+> If the virtual network Application Gateway is deployed into doesn't reside in the same resource group as the AKS nodes, please ensure the identity used by AGIC has the **Microsoft.Network/virtualNetworks/subnets/join/action** permission delegated to the subnet Application Gateway is deployed into. If a custom role is not defined with this permission, you may use the built-in **Network Contributor** role, which contains the **Microsoft.Network/virtualNetworks/subnets/join/action** permission.

+It's also possible to provide AGIC access to ARM using a Kubernetes secret.

+ ```azurecli

+ az ad sp create-for-rbac --role Contributor --sdk-auth | base64 -w0

+ ```

+ ```yaml

+ armAuth:

+ type: servicePrincipal

+ secretJSON: <Base64-Encoded-Credentials>

+ ```

+ Or copy the following YAML file:

+ # result in Ingress Controller observing all accessible namespaces.

+ # - Option 1: Azure-AD-workload-identity

+ type: workloadIdentity

+ > [!NOTE]

+ > The `<identity-client-id>` is a property of the Azure AD workload identity you setup in the previous section. You can retrieve this information by running the following command: `az identity show -g <resourcegroup> -n <identity-name>`, where `<resourcegroup>` is the resource group hosting the infrastructure resources related to the AKS cluster, Application Gateway and managed identity.

+ 1. From the [Azure portal](https://portal.azure.com/), navigate to your `Application Gateway` instance

+ 2. Under the **Automation** section, select **Export template** and then select **Download**.

+ - `dev.contoso.com` - hosted on a new AKS cluster, using Application Gateway and AGIC

+Gateway's configuration. If you manually create a listener for `prod.contoso.com` (on Application Gateway) without

+To limit AGIC (version 0.8.0 and later) to a subset of the Application Gateway configuration, modify the `helm-config.yaml` template.

+As a result, your AKS cluster has a new instance of `AzureIngressProhibitedTarget` called `prohibit-all-targets`:

+1. Create a new YAML file named `AzureIngressProhibitedTarget` with the following snippet containing your specific setup:

+Let's assume that we already have a working AKS cluster, Application Gateway, and configured AGIC in our cluster. We have an Ingress for

+`prod.contoso.com` and are successfully serving traffic for it from the cluster. We want to add `staging.contoso.com` to our

+`staging.contoso.com`. But manually tweaking Application Gateway config (using

+1. Create a new YAML file named `AzureIngressProhibitedTarget` with the following snippet:

+3. Modify Application Gateway config from the Azure portal - add listeners, routing rules, backends etc. The new object we created

+Preview APIs are periodically deprecated. If you're using a preview API version, please update your application to target the GA API version. To migrate from the 2021-09-30-preview, 2022-01-30-preview or the 2022-06-30-preview API versions to the `2022-08-31` (GA) API version using the SDK, update to the [current version of the language specific SDK](sdk-overview.md).

+> [!IMPORTANT]

+>

+> Preview API versions 2021-09-30-preview, 2022-01-30-preview and 2022-06-30-preview are being retired July 31st 2023. All analyze requests that use these API versions will fail. Custom neural models trained with any of these API versions will no longer be usable once the API versions are deprecated. All custom neural models trained with preview API versions will need to be retrained with the GA API version.

+The `2022-08-31` (GA) API has a few updates from the preview API versions:

+## Are Connections and Credentials assets retiring on 30th Sep 2023?

+Automation Run As accounts will not be supported after **30 September 2023**. Connections and Credentials assets don't come under the purview of this retirement. For more secure way of authentication, we recommend you to use [Managed Identities](automation-security-overview.md#managed-identities).

+Run As accounts in Azure Automation provide authentication for managing resources deployed through Azure Resource Manager or the classic deployment model. Whenever a Run As account is created, an Azure AD application is registered, and a self-signed certificate is generated. The certificate is valid for one month. Renewing the certificate every month before it expires keeps the Automation account working but adds overhead.

+ #### [.NET 6.0+](#tab/core6x)

+ #### [.NET 6.0+](#tab/core6x)

+ #### [.NET 6.0+](#tab/core6x)

+ Title: "Tutorial: Use dynamic configuration in a .NET app"

+description: In this tutorial, you learn how to dynamically update the configuration data for .NET apps

+# Tutorial: Use dynamic configuration in a .NET app

+The App Configuration .NET provider library supports updating configuration on demand without causing an application to restart. This tutorial shows how you can implement dynamic configuration updates in your code. It builds on the app introduced in the quickstart. You should finish [Create a .NET app with App Configuration](./quickstart-dotnet-core-app.md) before continuing.

+> * Set up your .NET app to update its configuration in response to changes in an App Configuration store.

+Finish the quickstart [Create a .NET app with App Configuration](./quickstart-dotnet-core-app.md).

+Open the `Program.cs` file and update the code configurations to match the following:

+### [ASP.NET Core 6.0+](#tab/core6x)

+```csharp

+using Microsoft.Extensions.Configuration;

+using Microsoft.Extensions.Configuration.AzureAppConfiguration;

+IConfiguration _configuration = null;

+IConfigurationRefresher _refresher = null;

+var builder = new ConfigurationBuilder();

+builder.AddAzureAppConfiguration(options =>

+{

+ options.Connect(Environment.GetEnvironmentVariable("ConnectionString"))

+ .ConfigureRefresh(refresh =>

+ {

+ refresh.Register("TestApp:Settings:Message")

+ .SetCacheExpiration(TimeSpan.FromSeconds(10));

+ });

+ _refresher = options.GetRefresher();

+});

+_configuration = builder.Build();

+Console.WriteLine(_configuration["TestApp:Settings:Message"] ?? "Hello world!");

+// Wait for the user to press Enter

+Console.ReadLine();

+if (_refresher != null)

+{

+ await _refresher.TryRefreshAsync();

+ Console.WriteLine(_configuration["TestApp:Settings:Message"] ?? "Hello world!");

+}

+```

+### [ASP.NET Core 3.x](#tab/core3x)

+Calling the `ConfigureRefresh` method alone won't cause the configuration to refresh automatically. You call the `TryRefreshAsync` method from the interface `IConfigurationRefresher` to trigger a refresh. This design is to avoid phantom requests sent to App Configuration even when your application is idle. You'll want to include the `TryRefreshAsync` call where you consider your application active. For example, it can be when you process an incoming message, an order, or an iteration of a complex task. It can also be in a timer if your application is active all the time. In this example, you call `TryRefreshAsync` every time you press the Enter key. Even if the call `TryRefreshAsync` fails for any reason, your application continues to use the cached configuration. Another attempt is made when the configured cache expiration time has passed and the `TryRefreshAsync` call is triggered by your application activity again. Calling `TryRefreshAsync` is a no-op before the configured cache expiration time elapses, so its performance impact is minimal, even if it's called frequently.

+In this tutorial, you enabled your .NET app to dynamically refresh configuration settings from App Configuration. To learn how to use an Azure managed identity to streamline the access to App Configuration, continue to the next tutorial.

+Azure App Configuration and its .NET, .NET Framework, and Java Spring client libraries have managed identity support built into them. Although you aren't required to use it, the managed identity eliminates the need for an access token that contains secrets. Your code can access the App Configuration store using only the service endpoint. You can embed this URL in your code directly without exposing any secret.

+* [.NET SDK](https://dotnet.microsoft.com/download).

+1. To access values stored in App Configuration, update the `Builder` configuration to use the the `AddAzureAppConfiguration()` method.

+ ### [.NET 6.0+](#tab/core6x)

+ var builder = WebApplication.CreateBuilder(args);

+ builder.Configuration.AddAzureAppConfiguration(options =>

+ options.Connect(

+ new Uri(builder.Configuration["AppConfig:Endpoint"]),

+ new ManagedIdentityCredential()));

+ >new ManagedIdentityCredential("<your_clientId>")

+### [ASP.NET Core 6.0+](#tab/core6x)

+var builder = WebApplication.CreateBuilder(args);

+builder.Configuration.AddAzureAppConfiguration(options =>

+ {

+ options.Connect(builder.Configuration.GetConnectionString("AppConfig"))

+ // Load configuration values with no label

+ .Select(KeyFilter.Any, LabelFilter.Null)

+ // Override with any configuration values specific to current hosting env

+ .Select(KeyFilter.Any, builder.Environment.EnvironmentName);

+ });

+### [ASP.NET Core 3.x](#tab/core3x)

+ Title: Quickstart for Azure App Configuration with .NET | Microsoft Docs

+description: In this quickstart, create a .NET app with Azure App Configuration to centralize storage and management of application settings separate from your code.

+#Customer intent: As a .NET developer, I want to manage all my app settings in one place.

+# Quickstart: Create a .NET app with App Configuration

+In this quickstart, you incorporate Azure App Configuration into a .NET console app to centralize storage and management of application settings separate from your code.

+- [.NET SDK](https://dotnet.microsoft.com/download) - also available in the [Azure Cloud Shell](https://shell.azure.com).

+## Create a .NET console app

+You use the [.NET command-line interface (CLI)](/dotnet/core/tools/) to create a new .NET console app project. The advantage of using the .NET CLI over Visual Studio is that it's available across the Windows, macOS, and Linux platforms. Alternatively, use the preinstalled tools available in the [Azure Cloud Shell](https://shell.azure.com).

+2. In the new folder, run the following command to create a new .NET console app project:

+3. Open *Program.cs*, and add a reference to the .NET App Configuration provider.

+4. Use App Configuration by calling the `builder.AddAzureAppConfiguration()` method in the `Program.cs` file.

+ ### [ASP.NET Core 6.0+](#tab/core6x)

+ ```csharp

+ var builder = new ConfigurationBuilder();

+ builder.AddAzureAppConfiguration(Environment.GetEnvironmentVariable("ConnectionString"));

+

+ var config = builder.Build();

+ Console.WriteLine(config["TestApp:Settings:Message"] ?? "Hello world!");

+ ```

+ ### [ASP.NET Core 3.x](#tab/core3x)

+

+

+

+ Restart the command prompt to allow the change to take effect. Print the value of the environment variable to validate that it's set properly.

+ Restart the command prompt to allow the change to take effect. Print the value of the environment variable to validate that it's set properly.

+ Restart the command prompt to allow the change to take effect. Print the value of the environment variable to validate that it's set properly.

+In this quickstart, you created a new App Configuration store and used it with a .NET console app via the [App Configuration provider](/dotnet/api/Microsoft.Extensions.Configuration.AzureAppConfiguration). To learn how to configure your .NET app to dynamically refresh configuration settings, continue to the next tutorial.

+- **Azure App Configuration Data Owner**: This role provides full access to all operations. It permits the following actions:

+ * Microsoft.AppConfiguration/configurationStores/*/read

+ * Microsoft.AppConfiguration/configurationStores/*/write

+ * Microsoft.AppConfiguration/configurationStores/*/delete

+ * Microsoft.AppConfiguration/configurationStores/*/action

+- **Azure App Configuration Data Reader**: This role enables read operations. It permits the following actions:

+ * Microsoft.AppConfiguration/configurationStores/*/read

+- `Microsoft.AppConfiguration/configurationStores/snapshots/read`: This action allows read access to App Configuration snapshot resources, as well as any key-values contained within snapshots.

+- `Microsoft.AppConfiguration/configurationStores/snapshots/write`: This action allows write access to App Configuration snapshot resouces.

+- `Microsoft.AppConfiguration/configurationStores/snapshots/archive/action`: This action allows access to archive and recover App Configuration snapshot resources.

+ "status": 409

+

+ Title: Azure App Configuration REST API - snapshot

+description: Reference pages for working with snapshots by using the Azure App Configuration REST API

+# Snapshots

+A snapshot is a resource identified uniquely by its name. See details for each operation.

+This article applies to API version 2022-11-01-preview.

+## Operations

+- Get

+- List multiple

+- Create

+- Archive/Recover

+- List key-values

+## Prerequisites

+## Syntax

+`Snapshot`

+```json

+{

+ "etag": [string],

+ "name": [string],

+ "status": [string, enum("provisioning", "ready", "archived", "failed")],

+ "filters": [array<SnapshotFilter>],

+ "composition_type": [string, enum("key", "key_label")],

+ "created": [datetime ISO 8601],

+ "size": [number, bytes],

+ "items_count": [number],

+ "tags": [object with string properties],

+ "retention_period": [number, timespan in seconds],

+ "expires": [datetime ISO 8601]

+}

+```

+`SnapshotFilter`

+```json

+{

+ "key": [string],

+ "label": [string]

+}

+```

+## Get snapshot

+Required: ``{name}``, ``{api-version}``

+```http

+GET /snapshots/{name}?api-version={api-version}

+```

+**Responses:**

+```http

+HTTP/1.1 200 OK

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json; charset=utf-8

+Last-Modified: Mon, 03 Mar 2023 9:00:03 GMT

+ETag: "4f6dd610dd5e4deebc7fbaef685fb903"

+Link: </kv?snapshot=prod-2023-03-20&api-version={api-version}>; rel="items"

+```

+```json

+{

+ "etag": "4f6dd610dd5e4deebc7fbaef685fb903",

+ "name": "prod-2023-03-20",

+ "status": "ready",

+ "filters": [

+ {

+ "key": "*",

+ "label": null

+ }

+ ],

+ "composition_type": "key",

+ "created": "2023-03-20T21:00:03+00:00",

+ "size": 2000,

+ "items_count": 4,

+ "tags": {

+ "t1": "value1",

+ "t2": "value2"

+ },

+ "retention_period": 7776000

+}

+```

+If a snapshot with the provided name doesn't exist, the following response is returned:

+```http

+HTTP/1.1 404 Not Found

+```

+## Get (conditionally)

+To improve client caching, use `If-Match` or `If-None-Match` request headers. The `etag` argument is part of the snapshot representation. For more information, see [sections 14.24 and 14.26](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html).

+The following request retrieves the snapshot only if the current representation doesn't match the specified `etag`:

+```http

+GET /snapshot/{name}?api-version={api-version} HTTP/1.1

+Accept: application/vnd.microsoft.appconfig.snapshot+json;

+If-None-Match: "{etag}"

+```

+**Responses:**

+```http

+HTTP/1.1 304 NotModified

+```

+or

+```http

+HTTP/1.1 200 OK

+```

+## List snapshots

+Optional: ``name`` (If not specified, it implies any name.)

+Optional: ``status`` (If not specified, it implies any status.)

+```http

+GET /snapshots?name=prod-*&api-version={api-version} HTTP/1.1

+```

+**Response:**

+```http

+HTTP/1.1 200 OK

+Content-Type: application/vnd.microsoft.appconfig.snapshotset+json; charset=utf-8

+```

+For additional options, see the "Filtering" section later in this article.

+## Pagination

+The result is paginated if the number of items returned exceeds the response limit. Follow the optional `Link` response headers, and use `rel="next"` for navigation.

+Alternatively, the content provides a next link in form of the `@nextLink` property. The linked URI includes the `api-version` argument.

+```http

+GET /snapshots?api-version={api-version} HTTP/1.1

+```

+**Response:**

+```http

+HTTP/1.1 200 OK

+Content-Type: application/vnd.microsoft.appconfig.snapshotset+json; charset=utf-8

+Link: <{relative uri}>; rel="next"

+```

+```json

+{

+ "items": [

+ ...

+ ],

+ "@nextLink": "{relative uri}"

+}

+```

+## Filtering

+A combination of `name` and `status` filtering is supported.

+Use the optional `name` and `status` query string parameters.

+```http

+GET /snapshots?name={name}&status={status}&api-version={api-version}

+```

+### Supported filters

+|Name filter|Effect|

+|--|--|

+|`name` is omitted or `name=*`|Matches snapshots with **any** name|

+|`name=abc`|Matches a snapshot named **abc**|

+|`name=abc*`|Matches snapshots with names that start with **abc**|

+|`name=abc,xyz`|Matches snapshots with names **abc** or **xyz** (limited to 5 CSV)|

+|Status filter|Effect|

+|--|--|

+|`status` is omitted or `status=*`|Matches snapshots with **any** status|

+|`status=ready`|Matches snapshots with a **ready** status|

+|`status=ready,archived`|Matches snapshots with **ready** or **archived** status (limited to 5 CSV)|

+***Reserved characters***

+`*`, `\`, `,`

+If a reserved character is part of the value, then it must be escaped by using `\{Reserved Character}`. Non-reserved characters can also be escaped.

+***Filter validation***

+In the case of a filter validation error, the response is HTTP `400` with error details:

+```http

+HTTP/1.1 400 Bad Request

+Content-Type: application/problem+json; charset=utf-8

+```

+```json

+{

+ "type": "https://azconfig.io/errors/invalid-argument",

+ "title": "Invalid request parameter '{filter}'",

+ "name": "{filter}",

+ "detail": "{filter}(2): Invalid character",

+ "status": 400

+}

+```

+**Examples**

+- All

+ ```http

+ GET /snapshots?api-version={api-version}

+ ```

+- Snapshot name starts with **abc**

+ ```http

+ GET /snapshot?name=abc*&api-version={api-version}

+ ```

+- Snapshot name starts with **abc** and status equals **ready** or **archived**

+ ```http

+ GET /snapshot?name=abc*&status=ready,archived&api-version={api-version}

+ ```

+## Request specific fields

+Use the optional `$select` query string parameter and provide a comma-separated list of requested fields. If the `$select` parameter is omitted, the response contains the default set.

+```http

+GET /snapshot?$select=name,status&api-version={api-version} HTTP/1.1

+```

+## Create snapshot

+**parameters**

+| Property Name | Required | Default value | Validation |

+|-|-|-|-|

+| name | yes | n/a | Length <br/> &nbsp;&nbsp;&nbsp;&nbsp; maximum: 256 |

+| filters | yes | n/a | Count <br/> &nbsp;&nbsp;&nbsp;&nbsp; minimum: 1<br/> &nbsp;&nbsp;&nbsp;&nbsp; maximum: 3 |

+| filters[\<index\>].key | yes | n/a | |

+| tags | no | {} | |

+| filters[\<index\>].label | no | null | Multi-match label filters (E.g.: "*", "comma,separated") aren't supported with 'key' composition type. |

+| composition_type | no | key | |

+| retention_period | no | Standard tier <br/>&nbsp;&nbsp;&nbsp;&nbsp; 2592000 (30 days) <br/> Free tier <br/> &nbsp;&nbsp;&nbsp;&nbsp; 604800 (7 days) | Standard tier <br/> &nbsp;&nbsp;&nbsp;&nbsp; minimum: 3600 (1 hour) <br/> &nbsp;&nbsp;&nbsp;&nbsp; maximum: 7776000 (90 days) <br/> Free tier <br/> &nbsp;&nbsp;&nbsp;&nbsp; minimum: 3600 (1 hour) <br/> &nbsp;&nbsp;&nbsp;&nbsp; maximum: 604800 (7 days) |

+```http

+PUT /snapshot/{name}?api-version={api-version} HTTP/1.1

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json

+```

+```json

+{

+ "filters": [ // required

+ {

+ "key": "app1/*", // required

+ "label": "prod" // optional

+ }

+ ],

+ "tags": { // optional

+ "tag1": "value1",

+ "tag2": "value2",

+ },

+ "composition_type": "key", // optional

+ "retention_period": 2592000 // optional

+}

+```

+**Responses:**

+```http

+HTTP/1.1 201 Created

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json; charset=utf-8

+Last-Modified: Tue, 05 Dec 2017 02:41:26 GMT

+ETag: "4f6dd610dd5e4deebc7fbaef685fb903"

+Operation-Location: {appConfigurationEndpoint}/operations?snapshot={name}&api-version={api-version}

+```

+```json

+{

+ "etag": "4f6dd610dd5e4deebc7fbaef685fb903",

+ "name": "{name}",

+ "status": "provisioning",

+ "filters": [

+ {

+ "key": "app1/*",

+ "label": "prod"

+ }

+ ],

+ "composition_type": "key",

+ "created": "2023-03-20T21:00:03+00:00",

+ "size": 2000,

+ "items_count": 4,

+ "tags": {

+ "t1": "value1",

+ "t2": "value2"

+ },

+ "retention_period": 2592000

+}

+```

+The status of the newly created snapshot will be "provisioning".

+Once the snapshot is fully provisioned, the status will update to "ready".

+Clients can poll the snapshot to wait for the snapshot to be ready before listing its associated key-values.

+To query additional information about the operation, reference the [polling snapshot creation](#polling-snapshot-creation) section.

+If the snapshot already exists, you'll receive the following response:

+```http

+HTTP/1.1 409 Conflict

+Content-Type: application/problem+json; charset=utf-8

+```

+```json

+{

+ "type": "https://azconfig.io/errors/already-exists",

+ "title": "The resource already exists.",

+ "status": 409,

+ "detail": ""

+}

+```

+### Polling snapshot creation

+The response of a snapshot creation request returns an `Operation-Location` header.

+**Responses:**

+```http

+HTTP/1.1 201 Created

+...

+Operation-Location: {appConfigurationEndpoint}/operations?snapshot={name}&api-version={api-version}

+```

+The status of the snapshot provisioning operation can be found at the URI contained in `Operation-Location`.

+Clients can poll this status object to ensure a snapshot is provisioned before listing its associated key-values.

+```http

+GET {appConfigurationEndpoint}/operations?snapshot={name}&api-version={api-version}

+```

+**Response:**

+```http

+HTTP/1.1 200 OK

+Content-Type: application/json; charset=utf-8

+```

+```json

+{

+ "id": "{id}",

+ "status": "Succeeded",

+ "error": null

+}

+```

+If any error occurs during the provisioning of the snapshot, the `error` property will contain details describing the error.

+```json

+{

+ "id": "{name}",

+ "status": "Failed",

+ "error": {

+ "code": "QuotaExceeded",

+ "message": "The allotted quota for snapshot creation has been surpassed."

+ }

+}

+```

+## Archive (Patch)

+A snapshot in the `ready` state can be archived.

+An archived snapshot will be assigned an expiration date, based off the retention period established at the time of its creation.

+After the expiration date passes, the snapshot will be permanently deleted.

+At any time before the expiration date, the snapshot's items can still be listed.

+Archiving a snapshot that is already `archived` doesn't affect the snapshot.

+- Required: `{name}`, `{status}`, `{api-version}`

+```http

+PATCH /snapshots/{name}?api-version={api-version} HTTP/1.1

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json

+```

+```json

+{

+ "status": "archived"

+}

+```

+**Response:**

+Return the archived snapshot

+```http

+HTTP/1.1 200 OK

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json; charset=utf-8

+...

+```

+```json

+{

+ "etag": "33a0c9cdb43a4c2cb5fc4c1feede1c68",

+ "name": "{name}",

+ "status": "archived",

+ ...

+ "expires": "2023-08-11T21:00:03+00:00"

+}

+```

+Archiving a snapshot that is currently in the `provisioning` or `failed` state is an invalid operation.

+**Response:**

+```http

+HTTP/1.1 409 Conflict

+Content-Type: application/problem+json; charset="utf-8"

+```

+```json

+{

+ "type": "https://azconfig.io/errors/invalid-state",

+ "title": "Target resource state invalid.",

+ "detail": "The target resource is not in a valid state to perform the requested operation.",

+ "status": 409

+}

+```

+## Recover (Patch)

+A snapshot in the `archived` state can be recovered.

+Once the snapshot is recovered the snapshot's expiration date is removed.

+Recovering a snapshot that is already `ready` doesn't affect the snapshot.

+- Required: `{name}`, `{status}`, `{api-version}`

+```http

+PATCH /snapshots/{name}?api-version={api-version} HTTP/1.1

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json

+```

+```json

+{

+ "status": "ready"

+}

+```

+**Response:**

+Return the recovered snapshot

+```http

+HTTP/1.1 200 OK

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json; charset=utf-8

+...

+```

+```json

+{

+ "etag": "90dd86e2885440f3af9398ca392095b9",

+ "name": "{name}",

+ "status": "ready",

+ ...

+}

+```

+Recovering a snapshot that is currently in the `provisioning` or `failed` state is an invalid operation.

+**Response:**

+```http

+HTTP/1.1 409 Conflict

+Content-Type: application/problem+json; charset="utf-8"

+```

+```json

+{

+ "type": "https://azconfig.io/errors/invalid-state",

+ "title": "Target resource state invalid.",

+ "detail": "The target resource is not in a valid state to perform the requested operation.",

+ "status": 409

+}

+```

+## Archive/recover snapshot (conditionally)

+To prevent race conditions, use `If-Match` or `If-None-Match` request headers. The `etag` argument is part of the snapshot representation.

+If `If-Match` or `If-None-Match` are omitted, the operation is unconditional.

+The following response updates the resource only if the current representation matches the specified `etag`:

+```http

+PATCH /snapshots/{name}?api-version={api-version} HTTP/1.1

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json

+If-Match: "4f6dd610dd5e4deebc7fbaef685fb903"

+```

+The following response updates the resource only if the current representation doesn't match the specified `etag`:

+```http

+PATCH /snapshots/{name}?api-version={api-version} HTTP/1.1

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json;

+If-None-Match: "4f6dd610dd5e4deebc7fbaef685fb903"

+```

+**Responses**

+```http

+HTTP/1.1 200 OK

+Content-Type: application/vnd.microsoft.appconfig.snapshot+json; charset=utf-8

+...

+```

+or

+```http

+HTTP/1.1 412 PreconditionFailed

+```

+## List snapshot key-values

+Required: ``{name}``, ``{api-version}``

+```http

+GET /kv?snapshot={name}&api-version={api-version}

+```

+>[!Note]

+>Attempting to list the items of a snapshot that isn't in the `ready` or `archived` state will result in an empty list response.

+### Request specific fields

+Use the optional `$select` query string parameter and provide a comma-separated list of requested fields. If the `$select` parameter is omitted, the response contains the default set.

+```http

+GET /kv?snapshot={name}&$select=key,value&api-version={api-version} HTTP/1.1

+```

+ Title: Tutorial for using feature flags in a .NET app | Microsoft Docs

+The .NET Feature Management libraries provide idiomatic support for implementing feature flags in a .NET or ASP.NET Core application. These libraries allow you to declaratively add feature flags to your code so that you don't have to manually write code to enable or disable features with `if` statements.

+To access the .NET feature manager, your app must have references to the `Microsoft.FeatureManagement.AspNetCore` NuGet package.

+The .NET feature manager is configured from the framework's native configuration system. As a result, you can define your application's feature flag settings by using any configuration source that .NET supports, including the local `appsettings.json` file or environment variables.

+### [.NET 6.0+](#tab/core6x)

+```csharp

+using Microsoft.FeatureManagement;

+builder.Services.AddFeatureManagement();

+```

+### [.NET Core 3.x](#tab/core3x)

+### [.NET 6.0+](#tab/core6x)

+```csharp

+using Microsoft.FeatureManagement;

+builder.Services.AddFeatureManagement(Configuration.GetSection("MyFeatureFlags"));

+```

+### [.NET Core 3.x](#tab/core3x)

+### [.NET 6.0+](#tab/core6x)

+```csharp

+using Microsoft.FeatureManagement;

+builder.Services.AddFeatureManagement()

+ .AddFeatureFilter<PercentageFilter>();

+```

+### [.NET Core 3.x](#tab/core3x)

+ ### [.NET 6.0+](#tab/core6x)

+ var builder = WebApplication.CreateBuilder(args);

+

+ builder.Configuration.AddAzureAppConfiguration(options =>

+ options.Connect(

+ builder.Configuration["ConnectionStrings:AppConfig"])

+ .UseFeatureFlags());

+

+2. Update the middleware and service configurations for your app using the following code.

+ ### [.NET 6.0+](#tab/core6x)

+ Inside the `program.cs` class, register the Azure App Configuration services and middleware on the `builder` and `app` objects:

+ builder.Services.AddAzureAppConfiguration();

+ app.UseAzureAppConfiguration();

+ ### [.NET Core 3.x](#tab/core3x)

+ Open `Startup.cs` and update the `Configure` and `ConfigureServices` method to add the built-in middleware called `UseAzureAppConfiguration`. This middleware allows the feature flag values to be refreshed at a recurring interval while the ASP.NET Core web app continues to receive requests.

+ ```csharp

+ public void ConfigureServices(IServiceCollection services)

+ {

+ services.AddAzureAppConfiguration();

+ }

+ ```

+

+### [.NET 6.0+](#tab/core6x)

+```csharp

+config.AddAzureAppConfiguration(options =>

+ options.Connect(

+ builder.Configuration["ConnectionStrings:AppConfig"])

+ .UseFeatureFlags(featureFlagOptions => {

+ featureFlagOptions.CacheExpirationInterval = TimeSpan.FromMinutes(5);

+ }));

+```

+### [.NET Core 3.x](#tab/core3x)

+For some operations, such as manually checking feature flag values, you need to get an instance of [IFeatureManager](/dotnet/api/microsoft.featuremanagement.ifeaturemanager). In ASP.NET Core MVC, you can access the feature manager `IFeatureManager` through dependency injection. In the following example, an argument of type `IFeatureManager` is added to the signature of the constructor for a controller. The runtime automatically resolves the reference and provides an implementation of the interface when calling the constructor. If you're using an application template in which the controller already has one or more dependency injection arguments in the constructor, such as `ILogger`, you can just add `IFeatureManager` as an additional argument:

+### [.NET 6.0+](#tab/core6x)

+Before you start this tutorial, install the [.NET SDK](https://dotnet.microsoft.com/download).

+ #### [.NET 6.0+](#tab/core6x)

+ var builder = WebApplication.CreateBuilder(args);

+ builder.Configuration.AddAzureAppConfiguration(options =>

+ {

+ options.Connect(

+ builder.Configuration["ConnectionStrings:AppConfig"])

+ .ConfigureKeyVault(kv =>

+ {

+ kv.SetCredential(new DefaultAzureCredential());

+ });

+ });

+

+1. To build the app by using the .NET CLI, run the following command in the command shell:

+## July 11, 2023

+### Image tag

+`v1.20.0_2023-07-11`

+For complete release version information, review [Version log](version-log.md#july-11-2023).

+### Release notes

+- Proxy bypass is now supported for Arc SQL Server Extension. Starting this release, you can also specify services which should not use the specified proxy server.

+## July 11, 2023

+|Component|Value|

+|--|--|

+|Container images tag |`v1.21.0_2023-07-11`|

+|**CRD names and version:**| |

+|`activedirectoryconnectors.arcdata.microsoft.com`| v1beta1, v1beta2, v1|

+|`datacontrollers.arcdata.microsoft.com`| v1beta1, v1 through v5|

+|`exporttasks.tasks.arcdata.microsoft.com`| v1beta1, v1, v2|

+|`failovergroups.sql.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2|

+|`kafkas.arcdata.microsoft.com`| v1beta1 through v1beta4|

+|`monitors.arcdata.microsoft.com`| v1beta1, v1, v3|

+|`postgresqls.arcdata.microsoft.com`| v1beta1 through v1beta6|

+|`postgresqlrestoretasks.tasks.postgresql.arcdata.microsoft.com`| v1beta1|

+|`sqlmanagedinstances.sql.arcdata.microsoft.com`| v1beta1, v1 through v13|

+|`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`| v1beta1, v1beta2|

+|`sqlmanagedinstancereprovisionreplicatasks.tasks.sql.arcdata.microsoft.com`| v1beta1|

+|`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`| v1beta1, v1|

+|`telemetrycollectors.arcdata.microsoft.com`| v1beta1 through v1beta5|

+|`telemetryrouters.arcdata.microsoft.com`| v1beta1 through v1beta5|

+|Azure Resource Manager (ARM) API version|2023-01-15-preview|

+|`arcdata` Azure CLI extension version|1.5.3 ([Download](https://aka.ms/az-cli-arcdata-ext))|

+|Arc-enabled Kubernetes helm chart extension version|1.21.0|

+|Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|<br/>1.8.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.8.0 ([Download](https://aka.ms/ads-azcli-ext))|

+|SQL Database version | 957 |

+| AZ_ACR_NAME | Azure ACR name, for example arc-demo-acr |

+| AZ_ACR_NAME | Azure ACR name, for example arc-demo-acr |

+## Version 1.28 - March 2023

+Download for [Windows](https://download.microsoft.com/download/5/9/7/59789af8-5833-4c91-8dc5-91c46ad4b54f/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+### Fixed

+- Improved reliability of delete requests for extensions

+- More frequent reporting of VM UUID (system firmware identifier) changes

+- Improved reliability when writing changes to agent configuration files

+- JSON output for `azcmagent connect` now includes Azure portal URL for the server

+- Linux installation script now installs the `gnupg` package if it's missing on Debian operating systems

+- Removed weekly restarts for the extension and guest configuration services

+## Version 1.32 - July 2023

+Download for [Windows](https://download.microsoft.com/download/7/e/5/7e51205f-a02e-4fbe-94fe-f36219be048c/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

+### New features

+- Added support for the Debian 12 operating system

+- [azcmagent show](azcmagent-show.md) now reflects the "Expired" status when a machine has been disconnected long enough for the managed identity to expire. Previously, the agent only showed "Disconnected" while the Azure portal and API showed the correct state, "Expired."

+### Fixed

+- Fixed an issue that could result in high CPU usage if the agent was unable to send telemetry to Azure.

+- Improved local logging when there are network communication errors

+The proxy bypass feature does not require you to enter specific URLs to bypass. Instead, you provide the name of the service(s) that should not use the proxy server. The location parameter refers to the Azure region of the Arc Server(s).

+| `Arc` | `his.arc.azure.com`, `guestconfiguration.azure.com` , `san-af-<location>-prod.azurewebsites.net`|

+* Debian 10, 11, and 12

+To use SDK type bindings, your project must reference [Microsoft.Azure.Functions.Worker 1.15.0-preview1 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker/1.15.0-preview1) and [Microsoft.Azure.Functions.Worker.Sdk 1.11.0-preview1 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Sdk/1.11.0-preview1). Specific package versions will be needed for each of the service extensions as well. When testing SDK types locally on your machine, you will also need to use [Azure Functions Core Tools version 4.0.5000 or later](./functions-run-local.md). You can check your current version using the command `func version`.

+| [Azure Blobs][blob-sdk-types] | **Preview support** | **Preview support** | _SDK types not recommended¹_ |

+| [Azure Queues][queue-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended¹_ |

+| [Azure Service Bus][servicebus-sdk-types] | **Preview support²** | _Input binding does not exist_ | _SDK types not recommended¹_ |

+| [Azure Event Hubs][eventhub-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended¹_ |

+| [Azure Cosmos DB][cosmos-sdk-types] | _SDK types not used³_ | **Preview support** | _SDK types not recommended¹_ |

+| [Azure Tables][tables-sdk-types] | _Trigger does not exist_ | **Preview support** | _SDK types not recommended¹_ |

+| [Azure Event Grid][eventgrid-sdk-types] | **Preview support** | _Input binding does not exist_ | _SDK types not recommended¹_ |

+[tables-sdk-types]: ./functions-bindings-storage-table.md?tabs=isolated-process%2Ctable-api&pivots=programming-language-csharp#binding-types

+[eventgrid-sdk-types]: ./functions-bindings-event-grid.md?tabs=isolated-process%2Cextensionv3&pivots=programming-language-csharp#binding-types

+[queue-sdk-types]: ./functions-bindings-storage-queue.md?tabs=isolated-process%2Cextensionv5&pivots=programming-language-csharp#binding-types

+[eventhub-sdk-types]: ./functions-bindings-event-hubs.md?tabs=isolated-process%2Cextensionv5&pivots=programming-language-csharp#binding-types

+[servicebus-sdk-types]: ./functions-bindings-service-bus.md?tabs=isolated-process%2Cextensionv5&pivots=programming-language-csharp#binding-types

+¹ For output scenarios in which you would use an SDK type, you should create and work with SDK clients directly instead of using an output binding.

+² The preview for the Service Bus trigger does not yet support message settlement scenarios.

+³ The Cosmos DB trigger uses the [Azure Cosmos DB change feed](../cosmos-db/change-feed.md) and exposes change feed items as JSON-serializable types. The absence of SDK types is by-design for this scenario.

+> When using [binding expressions](./functions-bindings-expressions-patterns.md) that rely on trigger data, SDK types for the trigger itself cannot be used.

+# [Functions 2.x+](#tab/functionsv2/in-process)

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+# [Functions 2.x+](#tab/functionsv2/csharp-script)

+|`collection_name` | The name of the Azure Cosmos DB collection being monitored. |

+# [Functions 2.x+](#tab/functionsv2)

+# [Extension 4.x+](#tab/extensionv4/in-process)

+# [Extension 4.x+](#tab/extensionv4/isolated-process)

+# [Extension 4.x+](#tab/extensionv4/csharp-script)

+The parameter type supported by the Cosmos DB input binding depends on the Functions runtime version, the extension package version, and the C# modality used.

+# [Extension 4.x+](#tab/extensionv4/in-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Functions 2.x+](#tab/functionsv2/in-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Extension 4.x+](#tab/extensionv4/isolated-process)

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Functions 2.x+](#tab/functionsv2/csharp-script)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Functions 2.x+](#tab/functionsv2/in-process)

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+# [Functions 2.x+](#tab/functionsv2/csharp-script)

+|`collection_name` | The name of the Azure Cosmos DB collection being monitored. |

+# [Functions 2.x+](#tab/functionsv2)

+By default, when you write to the output parameter in your function, a document is created in your database. This document has an automatically generated GUID as the document ID. You can specify the document ID of the output document by specifying the `id` property in the JSON object passed to the output parameter.

+The parameter type supported by the Cosmos DB output binding depends on the Functions runtime version, the extension package version, and the C# modality used.

+# [Extension 4.x+](#tab/extensionv4/in-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Functions 2.x+](#tab/functionsv2/in-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Extension 4.x+](#tab/extensionv4/isolated-process)

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Extension 4.x+](#tab/extensionv4/csharp-script)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Functions 2.x+](#tab/functionsv2/csharp-script)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Extension 4.x+](#tab/extensionv4/in-process)

+Apps using [Azure Cosmos DB extension version 4.x](./functions-bindings-cosmosdb-v2.md?tabs=extensionv4) or higher will have different attribute properties, which are shown below. This example refers to a simple `ToDoItem` type.

+```cs

+namespace CosmosDBSamplesV2

+{

+ // Customize the model with your own desired properties

+ public class ToDoItem

+ {

+ public string id { get; set; }

+ public string Description { get; set; }

+ }

+}

+```

+```cs

+using System.Collections.Generic;

+using Microsoft.Azure.WebJobs;

+using Microsoft.Azure.WebJobs.Host;

+using Microsoft.Extensions.Logging;

+namespace CosmosDBSamplesV2

+{

+ public static class CosmosTrigger

+ {

+ [FunctionName("CosmosTrigger")]

+ public static void Run([CosmosDBTrigger(

+ databaseName: "databaseName",

+ containerName: "containerName",

+ Connection = "CosmosDBConnectionSetting",

+ LeaseContainerName = "leases",

+ CreateLeaseContainerIfNotExists = true)]IReadOnlyList<ToDoItem> input, ILogger log)

+ {

+ if (input != null && input.Count > 0)

+ {

+ log.LogInformation("Documents modified " + input.Count);

+ log.LogInformation("First document Id " + input[0].id);

+ }

+ }

+ }

+}

+```

+# [Extension 4.x+](#tab/extensionv4/isolated-process)

+This example refers to a simple `ToDoItem` type:

+```csharp

+public class ToDoItem

+ public string? Id { get; set; }

+ public string? Description { get; set; }

+The following function is invoked when there are inserts or updates in the specified database and collection.

+```csharp

+[Function("CosmosTrigger")]

+public void Run([CosmosDBTrigger(

+ databaseName: "ToDoItems",

+ containerName:"TriggerItems",

+ Connection = "CosmosDBConnection",

+ LeaseContainerName = "leases",

+ CreateLeaseContainerIfNotExists = true)] IReadOnlyList<ToDoItem> todoItems,

+ FunctionContext context)

+ if (todoItems is not null && todoItems.Any())

+ foreach (var doc in todoItems)

+ _logger.LogInformation("ToDoItem: {desc}", doc.Description);

+# [Extension 4.x+](#tab/extensionv4/csharp-script)

+ "leaseContainerName": "leases",

+ "connection": "<connection-app-setting>",

+ "containerName": "Items",

+ "createLeaseContainerIfNotExists": true

+ // Customize the model with your own desired properties

+ public class ToDoItem

+ {

+ public string id { get; set; }

+ public string Description { get; set; }

+ }

+ public static void Run(IReadOnlyList<ToDoItem> documents, ILogger log)

+ log.LogInformation("First document Id " + documents[0].id);

+# [Functions 2.x+](#tab/functionsv2/csharp-script)

+ "leaseCollectionName": "leases",

+ "connectionStringSetting": "<connection-app-setting>",

+ "collectionName": "Items",

+ "createLeaseCollectionIfNotExists": true

+ #r "Microsoft.Azure.DocumentDB.Core"

+ using Microsoft.Azure.Documents;

+ public static void Run(IReadOnlyList<Document> documents, ILogger log)

+ log.LogInformation("First document Id " + documents[0].Id);

+# [Extension 4.x+](#tab/extensionv4/in-process)

+# [Extension 4.x+](#tab/extensionv4/isolated-process)

+# [Extension 4.x+](#tab/extensionv4/csharp-script)

+The parameter type supported by the Azure Cosmos DB trigger depends on the Functions runtime version, the extension package version, and the C# modality used.

+# [Extension 4.x+](#tab/extensionv4/in-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Functions 2.x+](#tab/functionsv2/in-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Extension 4.x+](#tab/extensionv4/isolated-process)

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Extension 4.x+](#tab/extensionv4/csharp-script)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4&pivots=programming-language-csharp#binding-types) for a list of supported types.

+# [Functions 2.x+](#tab/functionsv2/csharp-script)

+See [Binding types](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cfunctionsv2&pivots=programming-language-csharp#binding-types) for a list of supported types.

+In a variation of this model, Functions can be run using [C# scripting], which is supported primarily for C# portal editing. To update existing binding extensions for C# script apps running in the portal without having to republish your function app, see [Update your extensions].

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 4.x._

+# [Functions 2.x+](#tab/functionsv2/in-process)

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 2.x or 3.x._

+Working with the trigger and bindings requires that you reference the appropriate NuGet package. Install the [NuGet package](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.CosmosDB/3.0.10), version 3.x.

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+Add the extension to your project by installing the [NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.CosmosDB/), version 3.x.

+# [Bundle v4.x](#tab/extensionv4)

+This version of the bundle contains version 4.x of the Azure Cosmos DB bindings extension that introduces the ability to [connect using an identity instead of a secret](./functions-reference.md#configure-an-identity-based-connection). For a tutorial on configuring your function apps with managed identities, see the [creating a function app with identity-based connections tutorial](./functions-identity-based-connections-tutorial.md).

+# [Bundle v2.x and v3.x](#tab/functionsv2)

+You can install this version of the extension in your function app by registering the [extension bundle], version 2.x or 3.x.

+# [In-process](#tab/in-process)

+# [Extension 4.x+](#tab/extensionv4/in-process)

+| Binding scenario | Parameter types |

+| Cosmos DB trigger (single document) | JSON serializable types¹ |

+| Cosmos DB trigger (batch of documents) | `IEnumerable<T>`where `T` is a JSON serializable type¹ |

+| Cosmos DB input (single document) | JSON serializable types¹<br/> |

+| Cosmos DB input (query returning multiple documents) | [CosmosClient]<br/>`IEnumerable<T>` where `T` is a JSON serializable type¹ |

+| Cosmos DB output (single document) | JSON serializable types¹ |

+| Cosmos DB output (multiple documents) | `ICollector<T>` or `IAsyncCollector<T>` where `T` is a JSON serializable type¹ |

+# [Functions 2.x+](#tab/functionsv2/in-process)

+# [Extension 4.x+](#tab/extensionv4/isolated-process)

+The isolated worker process supports parameter types according to the tables below. Support for binding to types from [Microsoft.Azure.Cosmos]is in preview.

+**Cosmos DB trigger**

+**Cosmos DB input binding**

+**Cosmos DB output binding**

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+# [Extension 4.x+](#tab/extensionv4)

+ "userAgentSuffix": "MyDesiredUserAgentStamp"

+|**userAgentSuffix**| n/a | Adds the specified string value to all requests made by the trigger or binding to the service. This makes it easier for you to track the activity in Azure Monitor, based on a specific function app and filtering by `User Agent`.

+# [Functions 2.x+](#tab/functionsv2)

+ "protocol": "Https",

+ "leaseOptions": {

+ "leasePrefix": "prefix1"

+ }

+|**protocol**|`Https`|The connection protocol used by the function when connection to the Azure Cosmos DB service. Read [here for an explanation of both modes](../cosmos-db/performance-tips.md#networking). |

+|**leasePrefix**|n/a|Lease prefix to use across all functions in an app. |

+[C# scripting]: ./functions-reference-csharp.md

+In a variation of this model, Functions can be run using [C# scripting], which is supported primarily for C# portal editing. To update existing binding extensions for C# script apps running in the portal without having to republish your function app, see [Update your extensions].

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 3.x._

+This version of the extension supports updated Event Grid binding parameter types of [Azure.Messaging.CloudEvent][CloudEvent] and [Azure.Messaging.EventGrid.EventGridEvent][EventGridEvent].

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 2.x._

+Supports the default Event Grid binding parameter type of [Microsoft.Azure.EventGrid.Models.EventGridEvent](/dotnet/api/microsoft.azure.eventgrid.models.eventgridevent). Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger, or switch to **Extension v3.x**.

+Functions 1.x apps automatically have a reference to the [Microsoft.Azure.WebJobs](https://www.nuget.org/packages/Microsoft.Azure.WebJobs) NuGet package, version 2.x. Event Grid extension versions earlier than 3.x don't support [CloudEvents schema](../event-grid/cloudevents-schema.md#azure-functions). To consume this schema, instead use an HTTP trigger, or switch to **Extension v3.x**. To do so, you will need to [upgrade your application to Functions 4.x].

+## Binding types

+The binding types supported for .NET depend on both the extension version and C# execution mode, which can be one of the following:

+

+# [In-process](#tab/in-process)

+An in-process class library is a compiled C# function runs in the same process as the Functions runtime.

+

+# [Isolated process](#tab/isolated-process)

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+Choose a version to see binding type details for the mode and version.

+# [Extension v3.x](#tab/extensionv3/in-process)

+The Event Grid extension supports parameter types according to the table below.

+| Binding | Parameter types |

+|-|-|

+| Event Grid trigger | [CloudEvent]<br/>[EventGridEvent]<br/>[BinaryData]<br/>[Newtonsoft.Json.Linq.JObject][JObject]<br/>`string` |

+| Event Grid output (single event) | [CloudEvent]<br/>[EventGridEvent]<br/>[BinaryData]<br/>[Newtonsoft.Json.Linq.JObject][JObject]<br/>`string` |

+| Event Grid output (multiple events) | `ICollector<T>` or `IAsyncCollector<T>` where `T` is one of the single event types |

+# [Extension v2.x](#tab/extensionv2/in-process)

+This version of the extension supports parameter types according to the table below. It doesn't support for the [CloudEvents schema], which is exclusive to **Extension v3.x**.

+| Binding | Parameter types |

+|-|-|

+| Event Grid trigger | [Microsoft.Azure.EventGrid.Models.EventGridEvent]<br/>[Newtonsoft.Json.Linq.JObject][JObject]<br/>`string` |

+| Event Grid output | [Microsoft.Azure.EventGrid.Models.EventGridEvent]<br/>[Newtonsoft.Json.Linq.JObject][JObject]<br/>`string` |

+# [Functions 1.x](#tab/functionsv1/in-process)

+This version of the extension supports parameter types according to the table below. It doesn't support for the [CloudEvents schema], which is exclusive to **Extension v3.x**.

+| Binding | Parameter types |

+|-|-|

+| Event Grid trigger | [Newtonsoft.Json.Linq.JObject][JObject]<br/>`string` |

+| Event Grid output | [Newtonsoft.Json.Linq.JObject][JObject]<br/>`string` |

+# [Extension v3.x](#tab/extensionv3/isolated-process)

+The isolated worker process supports parameter types according to the tables below. Support for binding to `Stream`, and to types from [Azure.Messaging] is in preview.

+**Event Grid trigger**

+**Event Grid output binding**

+# [Extension v2.x](#tab/extensionv2/isolated-process)

+Earlier versions of this extension in the isolated worker process only support binding to strings and plain-old CLR object (POCO) types. Additional options are available to **Extension v3.x**.

+# [Functions 1.x](#tab/functionsv1/isolated-process)

+Functions version 1.x doesn't support isolated worker process. To use the isolated worker model, [upgrade your application to Functions 4.x].

+[CloudEvent]: /dotnet/api/azure.messaging.cloudevent

+[EventGridEvent]: /dotnet/api/azure.messaging.eventgrid.eventgridevent

+[BinaryData]: /dotnet/api/system.binarydata

+[JObject]: https://www.newtonsoft.com/json/help/html/t_newtonsoft_json_linq_jobject.htm

+[Microsoft.Azure.EventGrid.Models.EventGridEvent]: /dotnet/api/microsoft.azure.eventgrid.models.eventgridevent

+[upgrade your application to Functions 4.x]: ./migrate-version-1-version-4.md

+[Azure.Messaging]: /dotnet/api/azure.messaging

+[Azure.Messaging.EventGrid]: /dotnet/api/azure.messaging.eventgrid

+[CloudEvents schema]: ../event-grid/cloudevents-schema.md#azure-functions

+[C# scripting]: ./functions-reference-csharp.md

+The following example shows how to use the `IAsyncCollector` interface to send a batch of messages. This scenario is common when you are processing messages coming from one event hub and sending the result to another event hub.

+ // If only the event is passed, an Event Hubs partition to be be assigned via

+ // Event Hubs partition, you can specify a partition key. Events added with

+The following example shows a Java function that writes a message containing the current time to an event hub.

+In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the `@EventHubOutput` annotation on parameters whose value would be published to Event Hubs. The parameter should be of type `OutputBinding<T>` , where `T` is a POJO or any native Java type.

+In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the [EventHubOutput](/java/api/com.microsoft.azure.functions.annotation.eventhuboutput) annotation on parameters whose value would be published to Event Hubs. The following settings are supported on the annotation:

+There are two options for outputting an Event Hubs message from a function by using the [EventHubOutput](/java/api/com.microsoft.azure.functions.annotation.eventhuboutput) annotation:

+- **Return value**: By applying the annotation to the function itself, the return value of the function is persisted as an Event Hubs message.

+- **Imperative**: To explicitly set the message value, apply the annotation to a specific parameter of the type [`OutputBinding<T>`](/java/api/com.microsoft.azure.functions.OutputBinding), where `T` is a POJO or any native Java type. With this configuration, passing a value to the `setValue` method persists the value as an Event Hubs message.

+There are two options for outputting an Event Hubs message from a function:

+- **Return value**: Set the `name` property in *function.json* to `$return`. With this configuration, the function's return value is persisted as an Event Hubs message.

+- **Imperative**: Pass a value to the [set](/python/api/azure-functions/azure.functions.out#set-val--t--none) method of the parameter declared as an [Out](/python/api/azure-functions/azure.functions.out) type. The value passed to `set` is persisted as an Event Hubs message.

+| Event Hubs | [Operations Guide](/rest/api/eventhub/publisher-policy-operations) |

+Messaging-specific parameter types contain additional message metadata. The specific types supported by the output binding depend on the Functions runtime version, the extension package version, and the C# modality used.

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 2.x or later._

+## Binding types

+The binding types supported for .NET depend on both the extension version and C# execution mode, which can be one of the following:

+

+# [In-process class library](#tab/in-process)

+An in-process class library is a compiled C# function runs in the same process as the Functions runtime.

+

+# [Isolated process](#tab/isolated-process)

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+Choose a version to see binding type details for the mode and version.

+# [Extension 5.x+](#tab/extensionv5/in-process)

+The Service Bus extension supports parameter types according to the table below.

+| Binding scenario | Parameter types |

+|-|-|

+| Service Bus trigger (single message)| [ServiceBusReceivedMessage]<br/>`string`<br/>`byte[]`<br/>JSON serializable types¹ |

+| Service Bus trigger (message batch) | `ServiceBusReceivedMessage[]`<br/>`string[]` |

+| Service Bus trigger advanced scenarios² | [ServiceBusClient]<br/>[ServiceBusMessageActions]<br/>[ServiceBusSessionMessageActions]<br/>[ServiceBusReceiveActions]<br/> |

+| Service Bus output (single message) | [ServiceBusMessage]<br/>`string`<br/>`byte[]`<br/>JSON serializable types¹ |

+| Service Bus output (multiple messages) | `ICollector<T>` or `IAsyncCollector<T>` where `T` is one of the single message types<br/>[ServiceBusSender] |

+¹ Messages containing JSON data can be deserialized into known plain-old CLR object (POCO) types.

+² Advanced scenarios include message settlement, sessions, and transactions. These types are available as separate parameters in addition to the normal trigger parameter.

+# [Functions 2.x+](#tab/functionsv2/in-process)

+Earlier versions of the extension exposed types from the now deprecated [Microsoft.Azure.ServiceBus] namespace. Newer types from [Azure.Messaging.ServiceBus] are exclusive to **Extension 5.x+**.

+This version of the extension supports parameter types according to the table below.

+The Service Bus extension supports parameter types according to the table below.

+| Binding scenario | Parameter types |

+|-|-|

+| Service Bus trigger (single message)| [Microsoft.Azure.ServiceBus.Message]<br/>`string`<br/>`byte[]`<br/>JSON serializable types¹ |

+| Service Bus trigger (message batch) | `ServiceBusReceivedMessage[]`<br/>`string[]` |

+| Service Bus trigger advanced scenarios² | [IMessageReceiver]<br/>[MessageReceiver]<br/>[IMessageSession]<br/> |

+| Service Bus output (single message) | [Message]<br/>`string`<br/>`byte[]`<br/>JSON serializable types¹ |

+| Service Bus output (multiple messages) | `ICollector<T>` or `IAsyncCollector<T>` where `T` is one of the single message types<br/>[MessageSender]|

+¹ Messages containing JSON data can be deserialized into known plain-old CLR object (POCO) types.

+² Advanced scenarios include message settlement, sessions, and transactions. These types are available as separate parameters in addition to the normal trigger parameter.

+# [Functions 1.x](#tab/functionsv1/in-process)

+Functions 1.x exposed types from the deprecated [Microsoft.ServiceBus.Messaging] namespace. Newer types from [Azure.Messaging.ServiceBus] are exclusive to **Extension 5.x+**. To use these, you will need to [upgrade your application to Functions 4.x].

+# [Extension 5.x+](#tab/extensionv5/isolated-process)

+The isolated worker process supports parameter types according to the tables below. Support for binding to types from [Azure.Messaging.ServiceBus] is in preview.

+**Service Bus trigger**

+**Service Bus output binding**

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+Earlier versions of extensions in the isolated worker process only support binding to `string`, `byte[]`, and JSON serializable types. Additional options are available to **Extension 5.x+**.

+# [Functions 1.x](#tab/functionsv1/isolated-process)

+Functions version 1.x doesn't support isolated worker process. To use the isolated worker model, [upgrade your application to Functions 4.x].

+[Azure.Messaging.ServiceBus]: /dotnet/api/azure.messaging.servicebus

+[ServiceBusReceivedMessage]: /dotnet/api/azure.messaging.servicebus.servicebusreceivedmessage

+[ServiceBusMessage]: /dotnet/api/azure.messaging.servicebus.servicebusmessage

+[ServiceBusClient]: /dotnet/api/azure.messaging.servicebus.servicebusclient

+[ServiceBusSender]: /dotnet/api/azure.messaging.servicebus.servicebussender

+[ServiceBusMessageActions]: /dotnet/api/microsoft.azure.webjobs.servicebus.servicebusmessageactions

+[ServiceBusSessionMessageActions]: /dotnet/api/microsoft.azure.webjobs.servicebus.servicebussessionmessageactions

+[ServiceBusReceiveActions]: /dotnet/api/microsoft.azure.webjobs.servicebus.servicebusreceiveactions

+[Microsoft.Azure.ServiceBus]: /dotnet/api/microsoft.azure.servicebus

+[Message]: /dotnet/api/microsoft.azure.servicebus.message

+[IMessageReceiver]: /dotnet/api/microsoft.azure.servicebus.core.imessagereceiver

+[MessageReceiver]: /dotnet/api/microsoft.azure.servicebus.core.messagereceiver

+[IMessageSession]: /dotnet/api/microsoft.azure.servicebus.imessagesession

+[MessageSender]: /dotnet/api/microsoft.azure.servicebus.core.messagesender

+[Microsoft.ServiceBus.Messaging]: /dotnet/api/microsoft.servicebus.messaging

+[upgrade your application to Functions 4.x]: ./migrate-version-1-version-4.md

+[C# scripting]: ./functions-reference-csharp.md

+The binding types supported by Blob input depend on the extension package version and the C# modality used in your function app.

+# [In-process](#tab/in-process)

+See [Binding types](./functions-bindings-storage-blob.md?tabs=in-process#binding-types) for a list of supported types.

+# [Isolated process](#tab/isolated-process)

+# [C# Script](#tab/csharp-script)

+See [Binding types](./functions-bindings-storage-blob.md?tabs=in-process#binding-types) for a list of supported types.

+The binding types supported by blob output depend on the extension package version and the C# modality used in your function app.

+# [In-process](#tab/in-process)

+See [Binding types](./functions-bindings-storage-blob.md?tabs=in-process#binding-types) for a list of supported types.

+# [Isolated process](#tab/isolated-process)

+# [C# Script](#tab/csharp-script)

+See [Binding types](./functions-bindings-storage-blob.md?tabs=in-process#binding-types) for a list of supported types.

+The binding types supported by Blob trigger depend on the extension package version and the C# modality used in your function app.

+# [In-process](#tab/in-process)

+See [Binding types](./functions-bindings-storage-blob.md?tabs=in-process#binding-types) for a list of supported types.

+# [Isolated process](#tab/isolated-process)

+# [C# Script](#tab/csharp-script)

+See [Binding types](./functions-bindings-storage-blob.md?tabs=in-process#binding-types) for a list of supported types.

+In a variation of this model, Functions can be run using [C# scripting], which is supported primarily for C# portal editing. To update existing binding extensions for C# script apps running in the portal without having to republish your function app, see [Update your extensions].

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 4.x._

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 2.x._

+# [In-process](#tab/in-process)

+| Binding scenario | Parameter types |

+| Blob trigger | [Stream]<br/>`TextReader`<br/>`string`<br/>`byte[]`<br/>[BinaryData]<br/>[BlobClient]¹<br/>[BlockBlobClient]¹<br/>[PageBlobClient]¹<br/>[AppendBlobClient]¹<br/>[BlobBaseClient]¹|

+| Blob input (single blob)| [Stream]<br/>`TextReader`<br/>`string`<br/>`byte[]`<br/>[BinaryData]<br/>[BlobClient]¹<br/>[BlockBlobClient]¹<br/>[PageBlobClient]¹<br/>[AppendBlobClient]¹<br/>[BlobBaseClient]¹|

+| Blob input (multiple blobs from a container)| `IEnumerable<T>` where `T` is one of the single blob input binding types |

+| Blob output (single blob) | [Stream]<br/>`TextWriter`<br/>`string`<br/>`byte[]` |

+| Blob output (multiple blobs) | `ICollector<T>` or `IAsyncCollector<T>` where `T` is one of the single blob output binding types |

+For examples using these types, see [the GitHub repository for the extension](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/storage/Microsoft.Azure.WebJobs.Extensions.Storage.Blobs#examples). Learn more about types from the Azure SDK, how they are different from earlier versions, and how to migrate to them from the [Azure.Storage.Blobs Migration Guide](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/storage/Azure.Storage.Blobs/AzureStorageNetMigrationV12.md).

+| Blob output | [Stream]<br/>`TextWriter`<br/>`string`<br/>`byte[]` |

+Functions 1.x exposed types from the deprecated [Microsoft.WindowsAzure.Storage] namespace. Newer types from [Azure.Storage.Blobs] are exclusive to **Extension 5.x and higher**. To use these, you will need to [upgrade your application to Functions 4.x].

+The isolated worker process supports parameter types according to the tables below. Support for binding to `Stream`, and to types from [Azure.Storage.Blobs] is in preview.

+**Blob trigger**

+**Blob input binding**

+**Blob output binding**

+Functions version 1.x doesn't support isolated worker process. To use the isolated worker model, [upgrade your application to Functions 4.x].

+[BinaryData]: /dotnet/api/system.binarydata

+[upgrade your application to Functions 4.x]: ./migrate-version-1-version-4.md

+[Microsoft.WindowsAzure.Storage]: /dotnet/api/microsoft.windowsazure.storage

+[C# scripting]: ./functions-reference-csharp.md

+In a variation of this model, Functions can be run using [C# scripting], which is supported primarily for C# portal editing. To update existing binding extensions for C# script apps running in the portal without having to republish your function app, see [Update your extensions].

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 4.x._

+This version allows you to bind to types from [Azure.Storage.Queues].

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 2.x._

+## Binding types

+The binding types supported for .NET depend on both the extension version and C# execution mode, which can be one of the following:

+

+# [In-process](#tab/in-process)

+An in-process class library is a compiled C# function runs in the same process as the Functions runtime.

+

+# [Isolated process](#tab/isolated-process)

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+

+Choose a version to see binding type details for the mode and version.

+# [Extension 5.x+](#tab/extensionv5/in-process)

+The Azure Queues extension supports parameter types according to the table below.

+ Binding scenario | Parameter types |

+|-|-|

+| Queue trigger | [QueueMessage]<br/>JSON serializable types¹<br/>`string`<br/>`byte[]`<br/>[BinaryData] |

+| Queue output (single message) | [QueueMessage]<br/>JSON serializable types¹<br/>`string`<br/>`byte[]`<br/>[BinaryData] |

+| Queue output (multiple messages) | [QueueClient]<br/>`ICollector<T>` or `IAsyncCollector<T>` where `T` is one of the single message types |

+¹ Messages containing JSON data can be deserialized into known plain-old CLR object (POCO) types.

+# [Functions 2.x+](#tab/functionsv2/in-process)

+Earlier versions of the extension exposed types from the now deprecated [Microsoft.Azure.Storage.Queues] namespace. Newer types from [Azure.Storage.Queues] are exclusive to **Extension 5.x+**.

+This version of the extension supports parameter types according to the table below.

+ Binding scenario | Parameter types |

+|-|-|

+| Queue trigger | [CloudQueueMessage]<br/>JSON serializable types¹<br/>`string`<br/>`byte[]` |

+| Queue output | [CloudQueueMessage]<br/>JSON serializable types¹<br/>`string`<br/>`byte[]`<br/>[CloudQueue] |

+¹ Messages containing JSON data can be deserialized into known plain-old CLR object (POCO) types.

+# [Functions 1.x](#tab/functionsv1/in-process)

+Functions 1.x exposed types from the deprecated [Microsoft.WindowsAzure.Storage] namespace. Newer types from [Azure.Storage.Queues] are exclusive to the **Extension 5.x+**. To use these, you will need to [upgrade your application to Functions 4.x].

+# [Extension 5.x+](#tab/extensionv5/isolated-process)

+The isolated worker process supports parameter types according to the tables below. Support for binding to types from [Azure.Storage.Queues] is in preview.

+**Queue trigger**

+**Queue output binding**

+# [Functions 2.x+](#tab/functionsv2/isolated-process)

+Earlier versions of extensions in the isolated worker process only support binding to string types. Additional options are available to the **Extension 5.x**.

+# [Functions 1.x](#tab/functionsv1/isolated-process)

+Functions version 1.x doesn't support the isolated worker process. To use the isolated worker model, [upgrade your application to Functions 4.x].

+[QueueMessage]: /dotnet/api/azure.storage.queues.models.queuemessage

+[QueueClient]: /dotnet/api/azure.storage.queues.queueclient

+[BinaryData]: /dotnet/api/system.binarydata

+[CloudQueueMessage]: /dotnet/api/microsoft.azure.storage.queue.cloudqueuemessage

+[CloudQueue]: /dotnet/api/microsoft.azure.storage.queue.cloudqueue

+[upgrade your application to Functions 4.x]: ./migrate-version-1-version-4.md

+[Azure.Storage.Queues]: /dotnet/api/azure.storage.queues

+[Microsoft.Azure.Storage.Queues]: /dotnet/api/microsoft.azure.storage.queue

+[Microsoft.WindowsAzure.Storage]: /dotnet/api/microsoft.windowsazure.storage

+[C# scripting]: ./functions-reference-csharp.md

+# [Azure Tables extension](#tab/table-api/in-process)

+- A plain-old CLR object (POCO) that includes the `PartitionKey` and `RowKey` properties. You can accompany these properties by implementing `ITableEntity`.

+- `ICollector<T>` or `IAsyncCollector<T>` where `T` includes the `PartitionKey` and `RowKey` properties. You can accompany these properties by implementing `ITableEntity`.

+You can also bind to `TableClient` [from the Azure SDK](/dotnet/api/azure.data.tables.tableclient). You can then use that object to write to the table.

+# [Combined Azure Storage extension](#tab/storage-extension/in-process)

+- A plain-old CLR object (POCO) that includes the `PartitionKey` and `RowKey` properties. You can accompany these properties by implementing `ITableEntity` or inheriting `TableEntity`.

+- `ICollector<T>` or `IAsyncCollector<T>` where `T` includes the `PartitionKey` and `RowKey` properties. You can accompany these properties by implementing `ITableEntity` or inheriting `TableEntity`.

+You can also bind to `CloudTable` [from the Storage SDK](/dotnet/api/microsoft.azure.cosmos.table.cloudtable) as a method parameter. You can then use that object to write to the table.

+# [Azure Tables extension](#tab/table-api/isolated-process)

+# [Functions 1.x](#tab/functionsv1/isolated-process)

+Functions version 1.x doesn't support isolated worker process.

+# [Azure Tables extension](#tab/table-api/csharp-script)

+In a variation of this model, Functions can be run using [C# scripting], which is supported primarily for C# portal editing. To update existing binding extensions for C# script apps running in the portal without having to republish your function app, see [Update your extensions].

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 4.x._

+This version allows you to bind to types from [`Azure.Data.Tables`][Azure.Data.Tables]. It also introduces the ability to use Azure Cosmos DB for Table.

+_This section describes using a [class library](./functions-dotnet-class-library.md). For [C# scripting], you would need to instead [install the extension bundle][Update your extensions], version 2.x._

+## Binding types

+The binding types supported for .NET depend on both the extension version and C# execution mode, which can be one of the following:

+

+# [In-process](#tab/in-process)

+An in-process class library is a compiled C# function runs in the same process as the Functions runtime.

+

+# [Isolated process](#tab/isolated-process)

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+Choose a version to see binding type details for the mode and version.

+# [Azure Tables extension](#tab/table-api/in-process)

+The Azure Tables extension supports parameter types according to the table below.

+| Binding scenario | Parameter types |

+|-|-|

+| Table input (single entity) | A type deriving from [ITableEntity] |

+| Table input (multiple entities from query) | `IEnumerable<T>` where `T` derives from [ITableEntity]<br/>[TableClient] |

+| Table output (single entity) | A type deriving from [ITableEntity] |

+| Table output (multiple entities) | [TableClient]<br/>`ICollector<T>` or `IAsyncCollector<T>` where `T` implements `ITableEntity` |

+# [Combined Azure Storage extension](#tab/storage-extension/in-process)

+Earlier versions of the extension exposed types from the now deprecated [Microsoft.Azure.Cosmos.Table] namespace. Newer types from [Azure.Data.Tables] are exclusive to the **Azure Tables extension**.

+This version of the extension supports parameter types according to the table below.

+| Binding scenario | Parameter types |

+|-|-|

+| Table input | A plain old CLR object (POCO) representing the entity<br/>[CloudTable] |

+| Table output | A plain old CLR object (POCO) representing the entity<br/>[CloudTable] |

+# [Functions 1.x](#tab/functionsv1/in-process)

+Functions 1.x exposed types from the deprecated [Microsoft.WindowsAzure.Storage.Table] namespace. Newer types from [Azure.Data.Tables] are exclusive to the **Azure Tables extension**. To use these, you will need to [upgrade your application to Functions 4.x].

+# [Azure Tables extension](#tab/table-api/isolated-process)

+The isolated worker process supports parameter types according to the tables below. Support for binding to types from [Azure.Data.Tables] is in preview.

+**Azure Tables input binding**

+**Azure Tables output binding**

+# [Combined Azure Storage extension](#tab/storage-extension/isolated-process)

+Earlier versions of extensions in the isolated worker process only support binding to plain-old CLR object (POCO) types. Additional options are available to the **Azure Tables extension**.

+# [Functions 1.x](#tab/functionsv1/isolated-process)

+Functions version 1.x doesn't support isolated worker process. To use the isolated worker model, [upgrade your application to Functions 4.x].

+[ITableEntity]: /dotnet/api/azure.data.tables.itableentity

+[TableClient]: /dotnet/api/azure.data.tables.tableclient

+[TableEntity]: /dotnet/api/azure.data.tables.tableentity

+[CloudTable]: /dotnet/api/microsoft.azure.cosmos.table.cloudtable

+[upgrade your application to Functions 4.x]: ./migrate-version-1-version-4.md

+[Azure.Data.Tables]: /dotnet/api/azure.data.tables

+[Microsoft.Azure.Cosmos.Table]: /dotnet/api/microsoft.azure.cosmos.table

+[Microsoft.WindowsAzure.Storage.Table]: /dotnet/api/microsoft.windowsazure.storage.table

+[C# scripting]: ./functions-reference-csharp.md

+| [API Management policy samples](https://github.com/Azure/api-management-policy-snippets) | Helpful collection of samples using API Management policies in key scenarios. |

+| June 2023| **Windows** <ul><li>Add new file path column to custom logs table</li><li>Config setting to disable custom IMDS endpoint in Tenant.json file</li><li>FluentBit binaries signed with Microsoft customer Code Sign cert</li><li>Minimize number of retries on calls to refresh tokens</li><li>Don't overwrite resource ID with empty string</li><li>AzSecPack updated to version 4.27</li><li>AzureProfiler and AzurePerfCollector updated to version 1.0.0.990</li><li>MetricsExtension updated to version 2.2023.513.10</li><li>Troubleshooter updated to version 1.5.0</li></ul>**Linux** <ul><li>Add new column CollectorHostName to syslog table to identify forwarder/collector machine</li><li>Link OpenSSL dynamically</li><li>Support Arc-Enabled Servers proxy configuration file</li><li>**Fixes**<ul><li>Allow uploads soon after AMA start up</li><li>Run LocalSink GC on a dedicated thread to avoid thread pool scheduling issues</li><li>Fix upgrade restart of disabled services</li><li>Handle Linux Hardening where sudo on root is blocked</li><li>CEF processing fixes for noncomliant RFC 5424 logs</li><li>ASA tenant can fail to start up due to config-cache directory permissions</li><li>Fix auth proxy in AMA</li><li>Fix to remove null characters in agentlauncher.log after log rotation</li></ul></li></ul>|1.17.0 |1.27.2|

+| May 2023 | **Windows** <ul><li>Enable Large Event support for all regions.</li><li>Update to TroubleShooter 1.4.0.</li><li>Fixed issue when Event Log subscription become invalid an would not resubscribe.</li><li>AMA: Fixed issue with Large Event sending too large data. Also affecting Custom Log.</li></ul> **Linux** <ul><li>Support for CIS and SELinux [hardening](./agents-overview.md)</li><li>Include Ubuntu 22.04 (Jammy) in azure-mdsd package publishing</li><li>Move storage SDK patch to build container</li><li>Add system Telegraf counters to AMA</li><li>Drop msgpack and syslog data if not configured in active configuration</li><li>Limit the events sent to Public ingestion pipeline</li><li>**Fixes** <ul><li>Fix mdsd crash in init when in persistent mode </li><li>Remove FdClosers from ProtocolListeners to avoid a race condition</li><li>Fix sed regex special character escaping issue in rpm macro for Centos 7.3.Maipo</li><li>Fix latency and future timestamp issue</li><li>Install AMA syslog configs only if customer is opted in for syslog in DCR</li><li>Fix heartbeat time check</li><li>Skip unnecessary cleanup in fatal signal handler</li><li>Fix case where fast-forwarding may cause intervals to be skipped</li><li>Fix comma separated custom log paths with fluent</li><li>Fix to prevent events folder growing too large and filling the disk</li></ul></li><ul> | 1.16.0.0 | 1.26.2 |

+Action Groups uses two different email providers to ensure email notification delivery. The primary email provider is very resilient and quick but occasionally suffers outages. In this case, the secondary email provider handles email requests. The secondary provider is only a fallback solution. Due to provider differences, an email sent from our secondary provider may have a degraded email experience. The degradation results in slightly different email formatting and content. Since email templates differ in the two systems, maintaining parity across the two systems is not feasible. You can know that you are recieving a degraded experience, if there is a note at the top of your email notification that says:

+"This is a degraded email experience. That means the formatting may be off or details could be missing. For more infomration on teh degraded emaiol experience, read here."

+If your notification does not contain this note and you have received the alert, but believe some of its fields are missing or incorrect, follow these steps:

+

+This article describes how to enable and configure OpenTelemetry-based data collection to power the experiences within [Azure Monitor Application Insights](app-insights-overview.md#application-insights-overview). We walk through how to install the "Azure Monitor OpenTelemetry Distro". The Distro will [automatically collect](opentelemetry-add-modify.md#automatic-data-collection) traces, metrics, logs, and exceptions across your application and its dependencies. The To learn more about collecting data using OpenTelemetry, see [Data Collection Basics](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).

+|[Metrics Explorer](essentials/metrics-getting-started.md)|You can use Metrics Explorer to interactively work with metric data and create metric alerts. You need minimal training to use Metrics Explorer, but you must be familiar with the metrics you want to analyze. |- Once data collection is configured, no other configuration is required.<br>- Platform metrics for Azure resources are automatically available.<br>- Guest metrics for virtual machines are available after an Azure Monitor agent is deployed to the virtual machine.<br>- Application metrics are available after Application Insights is configured. |

+1. To clean up jobs that are finished, specify the cleanup policy in your job definition yaml. Following is example Job definition with clean up policy. For more details, refer to [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/job/#clean-up-finished-jobs-automatically).

+- If a transformation reduces the ingested data by more than 50%, you'll be charged for the amount of filtered data above 50%.

+To calculate the data processing charge resulting from transformations, use the following formula:<br>[GB filtered out by transformations] - ([GB data ingested by pipeline] / 2). The following table shows examples.

+| Data ingested by pipeline | Data dropped by transformation | Data ingested by Log Analytics workspace | Data processing charge | Ingestion charge |

+|:|:-:|:-:|:-:|:-:|

+| 20 GB | 12 GB | 8 GB | 2 GB ¹ | 8 GB |

+| 20 GB | 8 GB | 12 GB | 0 GB | 12 GB |

+¹ This charge excludes the charge for data ingested by Log Analytics workspace.

+To avoid this charge, you should filter ingested data using alternative methods before applying transformations. By doing so, you can reduce the amount of data processed by transformations and, therefore, minimize any additional costs.

+- You must get the existing Azure Monitor workspace integrations for a Grafana instance and update the ARM template with it. Otherwise, the ARM deployment gets over-written, which removes existing integrations.

+Currently, the Azure CLI is the only option to remove the metrics add-on and stop sending Prometheus metrics to Azure Monitor managed service for Prometheus. Use the following command to remove the agent from the cluster nodes and delete the recording rules created for that cluster. This will also delete the data collection endpoint (DCE), data collection rule (DCR), DCRA and recording rules groups created as part of onboarding. . This action doesn't remove any existing data stored in your Azure Monitor workspace.

+| Communication Services | [ACSCallAutomationIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallAutomationIncomingOperations)<br>[ACSCallAutomationMediaSummary](/azure/azure-monitor/reference/tables/ACSCallAutomationMediaSummary)<br>[ACSCallRecordingIncomingOperations](/azure/azure-monitor/reference/tables/ACSCallRecordingIncomingOperations)<br>[ACSCallRecordingSummary](/azure/azure-monitor/reference/tables/ACSCallRecordingSummary)<br>[ACSCallSummary](/azure/azure-monitor/reference/tables/ACSCallSummary)<br>[ACSRoomsIncomingOperations](/azure/azure-monitor/reference/tables/acsroomsincomingoperations) |

+An [Azure Monitor Logs dedicated cluster](logs-dedicated-clusters.md) is a collection of workspaces in a single managed Azure Data Explorer cluster. Dedicated clusters support advanced features, such as [customer-managed keys](customer-managed-keys.md), and use the same commitment-tier pricing model as workspaces, although they must have a commitment level of at least 100 GB per day. Any usage above the commitment level (overage) is billed at that same price per GB as provided by the current commitment tier. There's no pay-as-you-go option for clusters.

+Azure Monitor is a comprehensive monitoring solution for collecting, analyzing, and responding to monitoring data from your cloud and on-premises environments. You can use Azure Monitor to maximize the availability and performance of your applications and services. It helps you understand how your applications are performing and allows you to manually and programmatically respond to system events.

+Azure Monitor collects and aggregates the data from every layer and component of your system across multiple Azure and non-Azure subscrtiptions and tenants. It stores it in a common data platform for consumption by a common set of tools which can correlate, analyze, visualize, and/or respond to the data. You can also integrate additional Microsoft and non-Microsoft tools.

+The diagram above shows an abstracted view of the monitoring process. A more detailed breakdown of the Azure Monitor architecture is shown in the [High level architecture](#high-level-architecture) section below.

+## High level architecture

+Azure Monitor can monitor these types of resources in Azure, other clouds, or on-premises:

+- Applications

+- Virtual machines

+- Guest operating systems

+- Containers including Prometheus metrics

+- Databases

+- Security events in combination with Azure Sentinel

+- Networking events and health in combination with Network Watcher

+- Custom sources that use the APIs to get data into Azure Monitor

+You can also export monitoring data from Azure Monitor into other systems so you can:

+- Integrate with other third-party and open-source monitoring and visualization tools

+- Integrate with ticketing and other ITSM systems

+If you are a System Center Operations Manager (SCOM) user, Azure Monitor now includes a preview of Azure Monitor [SCOM Managed Instance (SCOM MI)](./vm/scom-managed-instance-overview.md). SCOM MI is a cloud-hosted version of SCOM and allows you to move your on-premises SCOM installation to Azure.

+The following diagram shows a high-level architecture view of Azure Monitor.

+Click on the diagram to see a more detailed expanded version showing a larger breakdown of data sources and data collection methods.

+- The **[data sources](data-sources.md)** are the types of data collected from each monitored resource.

+- The data is **collected and routed** to the data platform. Clicking on the diagram shows these options, which are also called out in detail later in this article.

+- The **[data platform](data-platform.md)** stores the collected monitoring data. Azure Monitor's core data platform has stores for metrics, logs, traces, and changes. SCOM MI uses it's own database hosted in SQL Server Managed Instance.

+- The **consumption** section shows the components that use data from the data platform.

+ - Azure Monitor's core consumption methods include tools to provide **insights**, **visualize**, and **analyize** data. The visualization tools build on the analysis tools and the insights build on top of both the visualization and analysis tools.

+ - There are additional mechanisms to help you **respond** to incoming monitoring data.

+- The **SCOM MI** path uses the traditional Operations Manager console that SCOM customers are already familiar with.

+- Interoperability options are shown in the **integrate** section. Not all services integrate at all levels. SCOM MI only integrates with Power BI.

+## Monitoring, observability, and artificial intelligence for IT operations

+**Observability** is the ability to assess an internal systemΓÇÖs state based on the data it produces. An observability solution analyzes output data, provides an assessment of the systemΓÇÖs health, and offers actionable insights for addressing problems across your IT infrastructure.

+Observability wouldnΓÇÖt be possible without monitoring. Monitoring is the collection and analysis of data pulled from IT systems. When a system is observable, a user can identify the root cause of a performance problem by looking at the data it produces without additional testing or coding.

+The pillars of observability are the different kinds of data that a monitoring tool must collect and analyze to provide sufficient observability of a monitored system. Metrics, logs, and distributed traces are commonly referred to as the pillars of observability. Azure Monitor adds "changes" to these pillars.

+Azure Monitor achieves observability by correlating data from multiple pillars and aggregating data across the entire set of monitored resources.

+## Data sources

+Azure Monitor can collect [data from multiple sources](data-sources.md).

+The diagram below shows an expanded version of the datasource types gathered by Azure Monitor.

+Click on the diagram above to see a larger version of the data sources diagram in context.

+You can integrate application, infrastructure, and custom data source monitoring data from outside Azure, including from on-premises, and non-Microsoft clouds.

+Azure Monitor collects these types of data:

+|Data Type|Description and subtypes|

+||--|

+|App/Workloads |**App**- Application performance, health, and activity data. <br/><br/>**Workloads** - IaaS workloads such as SQL server, Oracle or SAP running on a hosted Virtual Machine.|

+|Infrastructure|**Container** - Data about containers, such as [Azure Kubernetes Service](../aks/intro-kubernetes.md), [Prometheus](./essentials/prometheus-metrics-overview.md), and the applications running inside containers.<br><br>**Operating system** - Data about the guest operating system on which your application is running.|

+|Azure Platform|**Azure resource** - Data about the operation of an Azure resource from inside the resource, including changes. Resource Logs are one example. <br><br>**Azure subscription** - The operation and management of an Azure subscription, and data about the health and operation of Azure itself. The activity log is one example.<br><br>**Azure tenant** - Data about the operation of tenant-level Azure services, such as Azure Active Directory.<br> |

+|Custom Sources| Data which gets into the system using the <br/> - Azure Monitor REST API <br/> - Data Collection API |

+For detailed information about each of the data sources, see [data sources](./data-sources.md).

+SCOM MI (like on premises SCOM) collects only IaaS Workload and Operating System sources.

+Click on the diagram to see a larger version of the data collection in context.

+|[Application instrumentation](app/app-insights-overview.md)| Application Insights is enabled through either [Auto-Instrumentation (agent)](app/codeless-overview.md) or by adding the Application Insights SDK to your application code. In addition, Application Insights is in process of implementing [Open Telemetry](./app/opentelemetry-overview.md). For more information, reference [How do I instrument an application?](app/app-insights-overview.md#how-do-i-instrument-an-application).|

+|Zero Config| Data is automatically sent to a destination without user configuration. Platform metrics are the most common example. |

+SCOM MI (like on-premises SCOM) uses an agent to collect data, which it sends to a management server running in a SCOM MI on Azure.

+## Data platform

+Azure Monitor stores data in data stores for each of the three pillars of observability, plus an addition one:

+ - metrics

+ - logs

+ - distributed traces

+ - changes

+ Each store is optimized for specific types of data and monitoring scenarios.

+Click on the picture above for a to see the Data Platform in the context of the whole of Azure Monitor.

+|Pillar of Observability/<br>Data Store|Description|

+|||

+|[Azure Monitor Metrics](essentials/data-platform-metrics.md)|Metrics are numerical values that describe an aspect of a system at a particular point in time. [Azure Monitor Metrics](./essentials/data-platform-metrics.md) is a time-series database, optimized for analyzing time-stamped data. Azure Monitor collects metrics at regular intervals. Metrics are identified with a timestamp, a name, a value, and one or more defining labels. They can be aggregated using algorithms, compared to other metrics, and analyzed for trends over time. It supports native Azure Monitor metrics and [Prometheus metrics](essentials/prometheus-metrics-overview.md).|

+|[Azure Monitor Logs](logs/data-platform-logs.md)|Logs are recorded system events. Logs can contain different types of data, be structured or free-form text, and they contain a timestamp. Azure Monitor stores structured and unstructured log data of all types in [Azure Monitor Logs](./logs/data-platform-logs.md). You can route data to [Log Analytics workspaces](./logs/log-analytics-overview.md) for querying and analysis.|

+|Traces|[Distributed tracing](app/distributed-tracing.md) allows you to see the path of a request as it travels through different services and components. Azure Monitor gets distributed trace data from [instrumented applications](app/app-insights-overview.md#how-do-i-instrument-an-application). The trace data is stored in a separate workspace in Azure Monitor Logs.|

+|Changes|Changes are a series of events in your application and resources. They're tracked and stored when you use the [Change Analysis](./change/change-analysis.md) service, which uses [Azure Resource Graph](../governance/resource-graph/overview.md) as its store. Change Analysis helps you understand which changes, such as deploying updated code, may have caused issues in your systems.|

+Distributed tracing is a technique used to trace requests as they travel through a distributed system. It allows you to see the path of a request as it travels through different services and components. It helps you to identify performance bottlenecks and troubleshoot issues in a distributed system.

+For less expensive, long-term archival of monitoring data for auditing or compliance purposes, you can export to [Azure Storage](/azure/storage/).

+SCOM MI is similar to SCOM on-premises. It stores it's information in an SQL Database, but uses SQL Managed Instance because it's in Azure.

+The top part of the consumption section applies to Azure Monitor core only. SCOM MI uses the traditional Ops Console running in the cloud. It can also can send monitoring data to Power BI for visualization.

+Some Azure resource providers have curated visualizations that provide a customized monitoring experience and require minimal configuration. Insights are large, scalable, curated visualizations.

+For more information, see the [list of insights and curated visualizations in the Azure Monitor Insights overview](insights/insights-overview.md).

+|[Grafana](visualize/grafana-plugin.md)|Grafana is an open platform that excels in operational dashboards. All versions of Grafana include the Azure Monitor data source plug-in to visualize your Azure Monitor metrics and logs. Azure Managed Grafana also optimizes this experience for Azure-native data stores such as Azure Monitor and Azure Data Explorer. In this way, you can easily connect to any resource in your subscription and view all resulting monitoring data in a familiar Grafana dashboard. It also supports pinning charts from Azure Monitor metrics and logs to Grafana dashboards. <br/><br/> Grafana has popular plug-ins and dashboard templates for non-Microsoft APM tools such as Dynatrace, New Relic, and AppDynamics as well. You can use these resources to visualize Azure platform data alongside other metrics from higher in the stack collected by these other tools. It also has AWS CloudWatch and GCP BigQuery plug-ins for multicloud monitoring in a single pane of glass.|

+[**Artificial Intelligence for IT Operations (AIOps)**](logs/aiops-machine-learning.md) can improve service quality and reliability by using machine learning to process and automatically act on data you collect from applications, services, and IT resources into Azure Monitor. It automates data-driven tasks, predicts capacity usage, identifies performance issues, and detects anomalies across applications, services, and IT resources. These features simplify IT monitoring and operations without requiring machine learning expertise.

+**[Azure Monitor Alerts](alerts/alerts-overview.md)** notify you of critical conditions and can take corrective action. Alert rules can be based on metric or log data.

+

+- Metric alert rules provide near-real-time alerts based on collected metrics.

+- Log alerts rules based on logs allow for complex logic across data from multiple sources.

+Alert rules use [action groups](alerts/action-groups.md), which can perform actions such as sending email or SMS notifications. Action groups can send notifications using webhooks to trigger external processes or to integrate with your IT service management tools. Action groups, actions, and sets of recipients can be shared across multiple rules.

+SCOM MI currently uses it's own separate traditional SCOM alerting mechanism in the Ops Console.

+**[Azure Logic Apps](../logic-apps/logic-apps-overview.md)** is also an option. For more information, see the [Integrate](#integrate) section below.

+|[Azure Storage](../storage/common/storage-introduction.md)| Export data to Azure storage for less expensive, long-term archival of monitoring data for auditing or compliance purposes.

+|Hosted and Managed Partners | Many [external partners](partners.md) integrate with Azure Monitor. Azure Monitor has partnered with other monitoring providers to provide an [Azure-hosted version of their products](/azure/partner-solutions/) to make interoperability easier. Examples include Elastic, Datadog, Logz.io, and Dynatrace.

+|[Azure Logic Apps](../logic-apps/logic-apps-overview.md)|Azure Logic Apps is a service you can use to automate tasks and business processes by using workflows that integrate with different systems and services with little or no code. Activities are available that read and write metrics and logs in Azure Monitor. You can use Logic Apps to [customize responses and perform other actions in response to to Azure Monitor alerts](alerts/alerts-logic-apps.md). You can also perform other [more complex actions](logs/logicapp-flow-connector.md) when the Azure Monitor infrastructure doesn't already supply a built-it method.|

+|[Azure Functions](../azure-functions/functions-overview.md)| Similar to Azure Logic Apps, Azure Functions give you the ability to pre process and post process monitoring data as well as perform complex action beyond the scope of typical Azure Monitor alerts. Azure Functions uses code however providing additional flexibility over Logic Apps.

+|Azure DevOps and GitHub | Azure Monitor Application Insights gives you the ability to create [Work Item Integration](app/work-item-integration.md) with monitoring data embedding in it. Additional options include [release annotations](app/annotations.md) and [continuous monitoring](app/continuous-monitoring.md). |

+* [Disaster Recovery using cross-region replication with Azure NetApp Files datastores for AVS](https://techcommunity.microsoft.com/t5/azure-architecture-blog/disaster-recovery-using-cross-region-replication-with-azure/ba-p/3870682)

+- **Supported regions** - The target resources must be in [one of the regions supported by the Azure Chaos Studio Preview](https://azure.microsoft.com/global-infrastructure/services/?products=chaos-studio).

+- **Resource Move not supported** - Azure Chaos Studio tracked resources (for example, Experiments) currently do NOT support Resource Move. Experiments can be easily copied (by copying Experiment JSON) for use in other subscriptions, resource groups, or regions. Experiments can also already target resources across regions. Extension resources (Targets and Capabilities) do support Resource Move.

+- **VMs require network access to Chaos studio** - For agent-based faults, the virtual machine must have outbound network access to the Chaos Studio agent service:

+ - Regional endpoints to allowlist are listed in [Permissions and security in Azure Chaos Studio](chaos-studio-permissions-security.md#network-security).

+ - If you're sending telemetry data to Application Insights, the IPs in [IP addresses used by Azure Monitor](../azure-monitor/app/ip-addresses.md) are also required.

+- **Supported VM operating systems** - If you run an experiment that makes use of the Chaos Studio agent, the virtual machine must run one of the following operating systems:

+ - Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2012 R2

+ - Red Hat Enterprise Linux 8.2, SUSE Enterprise Linux 15 SP2, CentOS 8.2, Debian 10 Buster (with unzip installation required), Oracle Linux 7.8, Ubuntu Server 16.04 LTS, and Ubuntu Server 18.04 LTS

+- **Hardened Linux untested** - The Chaos Studio agent isn't tested against custom Linux distributions or hardened Linux distributions (for example, FIPS or SELinux).

+- **Supported browsers** The Chaos Studio portal experience has only been tested on the following browsers:

+## July 2023 Guest OS

+>[!NOTE]

+>The July Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the July Guest OS. This list is subject to change.

+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |

+| | | | | |

+| Rel 23-07 | [5028168] | Latest Cumulative Update(LCU) | 6.60 | Jul 11, 2023 |

+| Rel 23-07 | [5028171] | Latest Cumulative Update(LCU) | 7.28 | Jul 11, 2023 |

+| Rel 23-07 | [5028169] | Latest Cumulative Update(LCU) | 5.84 | Jun 11, 2023 |

+| Rel 23-07 | [5028871] | .NET Framework 3.5 Security and Quality Rollup | 2.140 | Jul 11, 2023 |

+| Rel 23-07 | [5028865] | .NET Framework 4.7.2 Security and Quality Rollup | 2.140 | Jul 11, 2023 |

+| Rel 23-07 | [5028872] | .NET Framework 3.5 Security and Quality Rollup LKG | 4.120 | Jul 11, 2023 |

+| Rel 23-07 | [5028864] | .NET Framework 4.7.2 Cumulative Update LKG | 4.120 | Ju1 11, 2023 |

+| Rel 23-07 | [5028869] | .NET Framework 3.5 Security and Quality Rollup LKG | 3.128 | Jul 11, 2023 |

+| Rel 23-07 | [5028863] | .NET Framework 4.7.2 Cumulative Update LKG | 3.128 | Jul 11, 2023 |

+| Rel 23-07 | [5028862] | .NET Framework DotNet | 6.60 | Jul 11, 2023 |

+| Rel 23-07 | [5028858] | .NET Framework 4.8 Security and Quality Rollup LKG | 7.28 | Ju1 11, 2023 |

+| Rel 23-07 | [5028240] | Monthly Rollup | 2.140 | Jul 11, 2023 |

+| Rel 23-07 | [5028232] | Monthly Rollup | 3.128 | Jul 11, 2023 |

+| Rel 23-07 | [5028228] | Monthly Rollup | 4.120 | Jul 11, 2023 |

+| Rel 23-07 | [5027575] | Servicing Stack Update | 3.128 | Jun 13, 2023 |

+| Rel 23-07 | [5027574] | Servicing Stack Update LKG | 4.120 | Jun 13, 2023 |

+| Rel 23-07 | [4578013] | OOB Standalone Security Update | 4.120 | Aug 19, 2023 |

+| Rel 23-07 | [5023788] | Servicing Stack Update LKG | 5.84 | Mar 14, 2023 |

+| Rel 23-07 | [5028264] | Servicing Stack Update LKG | 2.140 | Jul 11, 2023 |

+| Rel 23-07 | [4494175] | Microcode | 5.84 | Sep 1, 2020 |

+| Rel 23-07 | [4494174] | Microcode | 6.60 | Sep 1, 2020 |

+| Rel 23-07 | 5028317 | Servicing Stack Update | 7.28 | |

+| Rel 23-07 | 5028316 | Servicing Stack Update | 6.60 | |

+[5028168]: https://support.microsoft.com/kb/5028168

+[5028171]: https://support.microsoft.com/kb/5028171

+[5028169]: https://support.microsoft.com/kb/5028169

+[5028871]: https://support.microsoft.com/kb/5028871

+[5028865]: https://support.microsoft.com/kb/5028865

+[5028872]: https://support.microsoft.com/kb/5028872

+[5028864]: https://support.microsoft.com/kb/5028864

+[5028869]: https://support.microsoft.com/kb/5028869

+[5028863]: https://support.microsoft.com/kb/5028863

+[5028862]: https://support.microsoft.com/kb/5028862

+[5028858]: https://support.microsoft.com/kb/5028858

+[5028240]: https://support.microsoft.com/kb/5028240

+[5028232]: https://support.microsoft.com/kb/5028232

+[5028228]: https://support.microsoft.com/kb/5028228

+[5027575]: https://support.microsoft.com/kb/5027575

+[5027574]: https://support.microsoft.com/kb/5027574

+[4578013]: https://support.microsoft.com/kb/4578013

+[5023788]: https://support.microsoft.com/kb/5023788

+[5028264]: https://support.microsoft.com/kb/5028264

+[4494175]: https://support.microsoft.com/kb/4494175

+[4494174]: https://support.microsoft.com/kb/4494174

+[5028317]: https://support.microsoft.com/kb/5028317

+[5028316]: https://support.microsoft.com/kb/5028316

+ curl.exe -H "Ocp-Apim-Subscription-Key: <subscriptionKey>" -H "Content-Type: application/json" "<endpoint>/computervision/imagecomposition:stitch?api-version=2023-04-01-preview" --output <your_filename> -d "{

+ curl.exe -H "Ocp-Apim-Subscription-Key: <subscriptionKey>" -H "Content-Type: application/json" "<endpoint>/computervision/imagecomposition:rectify?api-version=2023-04-01-preview" --output <your_filename> -d "{

+* One of the following installed:

+ * [cURL](https://curl.haxx.se/) for REST API calls.

+ * [Python 3.x](https://www.python.org/) installed

+ * Your Python installation should include [pip](https://pip.pypa.io/en/stable/). You can check if you have pip installed by running `pip --version` on the command line. Get pip by installing the latest version of Python.

+ * If you're using Python, you'll need to install the Azure AI Content Safety client library for Python. Run the command `pip install azure-ai-contentsafety` in your project directory.

+ * [.NET Runtime](https://dotnet.microsoft.com/download/dotnet/) installed.

+ * [.NET 6.0](https://dotnet.microsoft.com/download/dotnet-core) SDK or above installed.

+ * If you're using .NET, you'll need to install the Azure AI Content Safety client library for .NET. Run the command `dotnet add package Azure.AI.ContentSafety --prerelease` in your project directory.

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklistName = "<your_list_id>";

+var blocklistDescription = "<description>";

+var data = new

+{

+ description = blocklistDescription,

+};

+var createResponse = client.CreateOrUpdateTextBlocklist(blocklistName, RequestContent.Create(data));

+if (createResponse.Status == 201)

+{

+ Console.WriteLine("\nBlocklist {0} created.", blocklistName);

+}

+else if (createResponse.Status == 200)

+{

+ Console.WriteLine("\nBlocklist {0} updated.", blocklistName);

+}

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Replace `<your_list_id>` with a custom name for your list. Also replace the last term of the REST URL with the same name. Allowed characters: 0-9, A-Z, a-z, `- . _ ~`.

+1. Optionally replace `<description>` with a custom description.

+1. Run the script.

+# Create a Content Safety client

+ print("\nCreate or update text blocklist failed: ")

+ if e.error:

+ print(f"Error code: {e.error.code}")

+ print(f"Error message: {e.error.message}")

+ raise

+ raise

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklistName = "<your_list_id>";

+string blockItemText1 = "k*ll";

+string blockItemText2 = "h*te";

+var blockItems = new TextBlockItemInfo[] { new TextBlockItemInfo(blockItemText1), new TextBlockItemInfo(blockItemText2) };

+var addedBlockItems = client.AddBlockItems(blocklistName, new AddBlockItemsOptions(blockItems));

+if (addedBlockItems != null && addedBlockItems.Value != null)

+{

+ Console.WriteLine("\nBlockItems added:");

+ foreach (var addedBlockItem in addedBlockItems.Value.Value)

+ {

+ Console.WriteLine("BlockItemId: {0}, Text: {1}, Description: {2}", addedBlockItem.BlockItemId, addedBlockItem.Text, addedBlockItem.Description);

+ }

+}

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Replace `<your_list_id>` with the ID value you used in the list creation step.

+1. Replace the value of the `block_item_text_1` field with the item you'd like to add to your blocklist. The maximum length of a blockItem is 128 characters.

+1. Optionally add more blockItem strings to the `blockItems` parameter.

+1. Run the script.

+ print("\nAdd block items failed: ")

+ if e.error:

+ print(f"Error code: {e.error.code}")

+ print(f"Error message: {e.error.message}")

+ raise

+ raise

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklistName = "<your_list_id>";

+// After you edit your blocklist, it usually takes effect in 5 minutes, please wait some time before analyzing with blocklist after editing.

+var request = new AnalyzeTextOptions("I h*te you and I want to k*ll you");

+request.BlocklistNames.Add(blocklistName);

+request.BreakByBlocklists = true;

+Response<AnalyzeTextResult> response;

+try

+{

+ response = client.AnalyzeText(request);

+}

+catch (RequestFailedException ex)

+{

+ Console.WriteLine("Analyze text failed.\nStatus code: {0}, Error code: {1}, Error message: {2}", ex.Status, ex.ErrorCode, ex.Message);

+ throw;

+}

+if (response.Value.BlocklistsMatchResults != null)

+{

+ Console.WriteLine("\nBlocklist match result:");

+ foreach (var matchResult in response.Value.BlocklistsMatchResults)

+ {

+ Console.WriteLine("Blockitem was hit in text: Offset: {0}, Length: {1}", matchResult.Offset, matchResult.Length);

+ Console.WriteLine("BlocklistName: {0}, BlockItemId: {1}, BlockItemText: {2}, ", matchResult.BlocklistName, matchResult.BlockItemId, matchResult.BlockItemText);

+ }

+}

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Replace `<your_list_id>` with the ID value you used in the list creation step.

+1. Replace the `request` input text with whatever text you want to analyze.

+1. Run the script.

+ print("\nAnalyze text failed: ")

+ if e.error:

+ print(f"Error code: {e.error.code}")

+ print(f"Error message: {e.error.message}")

+ raise

+ raise

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklistName = "<your_list_id>";

+var allBlockitems = client.GetTextBlocklistItems(blocklistName);

+Console.WriteLine("\nList BlockItems:");

+foreach (var blocklistItem in allBlockitems)

+{

+ Console.WriteLine("BlockItemId: {0}, Text: {1}, Description: {2}", blocklistItem.BlockItemId, blocklistItem.Text, blocklistItem.Description);

+}

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Replace `<your_list_id>` with the ID value you used in the list creation step.

+1. Run the script.

+ print("\nList block items failed: ")

+ if e.error:

+ print(f"Error code: {e.error.code}")

+ print(f"Error message: {e.error.message}")

+ raise

+ raise

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklists = client.GetTextBlocklists();

+Console.WriteLine("\nList blocklists:");

+foreach (var blocklist in blocklists)

+{

+ Console.WriteLine("BlocklistName: {0}, Description: {1}", blocklist.BlocklistName, blocklist.Description);

+}

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Run the script.

+ print("\nList text blocklists failed: ")

+ if e.error:

+ print(f"Error code: {e.error.code}")

+ print(f"Error message: {e.error.message}")

+ raise

+ raise

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklistName = "<your_list_id>";

+var getBlocklist = client.GetTextBlocklist(blocklistName);

+if (getBlocklist != null && getBlocklist.Value != null)

+{

+ Console.WriteLine("\nGet blocklist:");

+ Console.WriteLine("BlocklistName: {0}, Description: {1}", getBlocklist.Value.BlocklistName, getBlocklist.Value.Description);

+}

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Replace `<your_list_id>` with the ID value you used in the list creation step.

+1. Run the script.

+ print("\nGet text blocklist failed: ")

+ if e.error:

+ print(f"Error code: {e.error.code}")

+ print(f"Error message: {e.error.message}")

+ raise

+ raise

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklistName = "<your_list_id>";

+var getBlockItemId = addedBlockItems.Value.Value[0].BlockItemId;

+var getBlockItem = client.GetTextBlocklistItem(blocklistName, getBlockItemId);

+Console.WriteLine("\nGet BlockItem:");

+Console.WriteLine("BlockItemId: {0}, Text: {1}, Description: {2}", getBlockItem.Value.BlockItemId, getBlockItem.Value.Text, getBlockItem.Value.Description);

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Replace `<your_list_id>` with the ID value you used in the list creation step.

+1. Optionally change the value of `getBlockItemId` to the ID of a previously added item.

+1. Run the script.

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklistName = "<your_list_id>";

+var removeBlockItemId = addedBlockItems.Value.Value[0].BlockItemId;

+var removeBlockItemIds = new List<string> { removeBlockItemId };

+var removeResult = client.RemoveBlockItems(blocklistName, new RemoveBlockItemsOptions(removeBlockItemIds));

+if (removeResult != null && removeResult.Status == 204)

+{

+ Console.WriteLine("\nBlockItem removed: {0}.", removeBlockItemId);

+}

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Replace `<your_list_id>` with the ID value you used in the list creation step.

+1. Optionally change the value of `removeBlockItemId` to the ID of a previously added item.

+1. Run the script.

+#### [C#](#tab/csharp)

+Create a new C# console app and open it in your preferred editor or IDE. Paste in the following code.

+```csharp

+string endpoint = "<endpoint>";

+string key = "<enter_your_key_here>";

+ContentSafetyClient client = new ContentSafetyClient(new Uri(endpoint), new AzureKeyCredential(key));

+var blocklistName = "<your_list_id>";

+var deleteResult = client.DeleteTextBlocklist(blocklistName);

+if (deleteResult != null && deleteResult.Status == 204)

+{

+ Console.WriteLine("\nDeleted blocklist.");

+}

+```

+1. Replace `<endpoint>` with your endpoint URL.

+1. Replace `<enter_your_key_here>` with your key.

+1. Replace `<your_list_id>` (in the request URL) with the ID value you used in the list creation step.

+1. Run the script.

+| Quantity.NumberRange | A numeric interval. For example: "between 25 and 35" | English, Chinese, French, Italian, German, Brazilian Portuguese, Spanish |

+| Person.Name | The name of an individual. For example: "Joe", "Ann" | English, Chinese, French, Italian, German, Brazilian Portuguese, Spanish |

+| General.Organization | Companies and corporations. For example: "Microsoft" | English, Chinese, French, Italian, German, Brazilian Portuguese, Spanish |

+| Geography.Location | The name of a location. For example: "Tokyo" | English, Chinese, French, Italian, German, Brazilian Portuguese, Spanish |

+| IP Address | An IP address. For example: "192.168.0.4" | English, Chinese, French, Italian, German, Brazilian Portuguese, Spanish |

+In multilingual conversation projects, you can enable any of the prebuilt components. The component is only predicted if the language of the query is supported by the prebuilt entity. The language is either specified in the request or defaults to the primary language of the application if not provided.

+As part of the diagnostics performed, the user is asked to enable permissions for the tool to access their devices. Next, the tool performs an audio and video test to measure the audio and video network conditions.

+The verification process involves sending a one-time passcode via SMS to the recipient phone number. The recipient needs to enter this code in the Azure portal to complete the verification.

+### From where can I verify phone numbers?

+Currently, only phone numbers that originate from the United States (i.e., have a +1 preffix) can be verified for use with trial phone numbers.

+zone_pivot_groups: acs-plat-web-ios-android-windows-unity

+zone_pivot_groups: acs-plat-web-ios-android-windows-unity

+The sample has both a client-side application and a server-side application. The **client-side application** is a React/Redux web application that uses Microsoft's Fluent UI framework. This application sends requests to a Node.js **server-side application** that helps the client-side application connect to Azure.

+* By default, the Service Bus built-in connector operations are *stateless*. To run these operations in stateful mode, see [Enable stateful mode for stateless built-in connectors](../connectors/enable-stateful-affinity-built-in-connectors.md).

+## Efficient incremental data capture with internally managed checkpoints

+Each change in Cosmos DB container appears exactly once in the CDC feed, and the checkpoints are managed internally for you. This helps to address the below disadvantages of the common pattern of using custom checkpoints based on the ΓÇ£_tsΓÇ¥ value:

+ * The ΓÇ£_tsΓÇ¥ filter is applied against the data files which does not always guarantee minimal data scan. The internally managed GLSN based checkpoints in the new CDC capability ensure that the incremental data identification is done, just based on the metadata and so guarantees minimal data scanning in each stream.

+* The analytical store sync process does not guarantee ΓÇ£_tsΓÇ¥ based ordering which means that there could be cases where an incremental recordΓÇÖs ΓÇ£_tsΓÇ¥ is lesser than the last checkpointed ΓÇ£_tsΓÇ¥ and could be missed out in the incremental stream. The new CDC does not consider ΓÇ£_tsΓÇ¥ to identify the incremental records and thus guarantees that none of the incremental records are missed.

+* The emulator does not offer all of the [Azure Cosmos DB consistency levels](consistency-levels.md) that the cloud service does, only [*Session*](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/cosmos-db/consistency-levels.md#session-consistency) consistency and [*Strong*](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/cosmos-db/consistency-levels.md#strong-consistency) consistency are supported. The default consistency level is *Session*, which can be changed using [command line parameters](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/cosmos-db/emulator-command-line-parameters.md).

+To add vectors to your database's collection, you first need to create the embeddings by using your own model, [Azure OpenAI Embeddings](../../../cognitive-services/openai/tutorials/embeddings.md), or another API (such as [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/)). In this example, new documents are added through sample embeddings:

+be used to restore your cluster to a specified time - point-in-time restore (PITR).

+Automated process performs backup of each Azure Cosmos DB for PostgreSQL node from the moment your cluster is provisioned and throughout cluster's lifecycle. Azure Cosmos DB for PostgreSQL takes periodic disk snapshots and combines it with the node's [WAL files](https://www.postgresql.org/docs/current/wal-intro.html) streaming to Azure blob storage.

+The backups allow you to restore a

+In Azure regions that support availability zones, backup snapshots and WAL files are stored

+> [!NOTE]

+> While cluster backups are always stored for 35 days, you may need to

+> open a support request to restore the cluster to a point that is earlier

+> than the latest failover time.

+When all nodes are up and running, you can restore cluster without any data loss. In an extremely rare case of a node experiencing a catastrophic event (and [high availability](./concepts-high-availability.md) isn't enabled on the cluster), you may lose up to 5 minutes of data.

+Networking settings aren't preserved from the original cluster, they're reset to default values. You'll need to manually adjust these settings after restore to allow access to the restored cluster. In general, see our list of suggested [post-restore tasks](howto-restore-portal.md#post-restore-tasks).

+In most cases, cluster restore takes up to 1 hour.

+* Ensure appropriate [networking settings for private or public access](./concepts-security-overview.md#network-security) are in place for

+ users to connect. These settings aren't copied from the original cluster.

+* Ensure appropriate [logins](./howto-create-users.md) and database level permissions are in place.

+* Configure [alerts](./howto-alert-on-metric.md#suggested-alerts), as appropriate.

+For example, if you start with a maximum RU/s of 50,000 RU/s (scales between 5000 - 50,000 RU/s), you can store up to 5000 GB of data. If you exceed 5000 GB - e.g. storage is now 6000 GB, the new maximum RU/s will be 60,000 RU/s (scales between 6000 - 60,000 RU/s).

+There are constraints on the activities that support nesting (ForEach, Until, Switch, and If Condition), for nesting another nested activity. Specifically:

+- If and Switch can be used inside ForEach or Until activities.

+- If and Switch can not used inside If and Switch activities.

+- ForEach or Until support only a single level of nesting.

+See the best practices section below on how to use other pipeline activities to enable this scenario. In addition, the

+If and Switch can be used inside ForEach or Until activities.

+ForEach or Until supports only single level nesting

+If and Switch can not used inside If and Switch activities.

+ 1. In **Subscriber name**, enter a unique name to register and identify this Data Factory connection as a subscriber that consumes data packages that are produced in the Operational Delta Queue (ODQ) by your SAP system. For example, you might name it `<YOUR_DATA_FACTORY_NAME>_<YOUR_LINKED_SERVICE_NAME>`. Make sure to only use upper case letters. Also be sure that the total character count doesn't exceed 32 characters, or SAP will truncate the name. This can be an issue if your factory and linked services both have long names.

+4. **Create the data store linked service. In its configuration, reference the corresponding secret stored in Azure Key Vault.** Refer to [Reference a secret stored in Azure Key Vault](#reference-secret-stored-in-key-vault).

+## November 2022

+

+### Data flow

+- Incremental only is available in SAP CDC - get changes only from SAP system without initial full load [Learn more](connector-sap-change-data-capture.md?tabs=data-factory#mapping-data-flow-properties)

+- Source partitions in initial full data load of SAP CDC to improve performance [Learn more](connector-sap-change-data-capture.md?tabs=data-factory#mapping-data-flow-properties)

+- A new pipeline template - Load multiple objects with big amounts from SAP via SAP CDC [Learn more](solution-template-replicate-multiple-objects-sap-cdc.md?tabs=data-factory)

+### Data Movement

+- Support to Azure Databricks through private link from a Data Factory managed virtual network [Learn more](managed-virtual-network-private-endpoint.md?tabs=data-factory#supported-data-sources-and-services)

+### User Interface

+3 Pipeline designer enhancements added to ADF Studio preview experience

+- Dynamic content flyout - make it easier to set dynamic content in your pipeline activities without using the expression builder [Learn more](how-to-manage-studio-preview-exp.md?tabs=data-factory#dynamic-content-flyout)

+- Error message relocation to status column - make it easier for you to view errors when you see a Failed pipeline run [Learn more](how-to-manage-studio-preview-exp.md?tabs=data-factory#error-message-relocation-to-status-column)

+- Container view - in Author Tab, Pipeline can change output view from list to container [Learn more](how-to-manage-studio-preview-exp.md?tabs=data-factory#container-view)

+### Continuous integration and continuous deployment

+In auto publish config, disable publish button is available to void overwriting the last automated publish deployment [Learn more](source-control.md?tabs=data-factory#editing-repo-settings)

+## June 2023

+### Continuous integration and continuous deployment

+NPM package now supports pre-downloaded bundle for building ARM templates. If your firewall setting is blocking direct download for your NPM package, you can now pre-load the package upfront, and let NPM package consume local version instead. This is a super boost for your CI/CD pipeline in a firewalled environment.

+### Region expansion

+Azure Data Factory is now available in Sweden Central. You can co-locate your ETL workflow in this new region if you are utilizing the region for storing and managing your modern data warehouse. [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/continued-region-expansion-azure-data-factory-just-became/ba-p/3857249)

+### Data movement

+Securing outbound traffic with Azure Data Factory's outbound network rules is now supported. [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/securing-outbound-traffic-with-azure-data-factory-s-outbound/ba-p/3844032)

+### Connectors

+The Amazon S3 connector is now supported as a sink destination using Mapping Data Flows. [Learn more](connector-amazon-simple-storage-service.md)

+### Data flow

+We introduce optional Source settings for DelimitedText and JSON sources in top-level CDC resource. The top-level CDC resource in data factory now supports optional source configurations for Delimited and JSON sources. You can now select the column/row delimiters for delimited sources and set the document type for JSON sources. [Learn more](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-optional-source-settings-for-delimitedtext-and-json/ba-p/3824274)

+| **VBScript HTTP object allocation detected** | Creation of a VBScript file using Command Prompt has been detected. The following script contains HTTP object allocation command. This action can be used to download malicious files.

+| **Suspicious installation of GPU extension in your virtual machine (Preview)** <br> (VM_GPUDriverExtensionUnusualExecution) | Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. | Impact | Low |

+|**Suspicious installation of GPU extension in your virtual machine (Preview)** <br> (VM_GPUDriverExtensionUnusualExecution) | Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. | Impact | Low

+ Title: Connect your Azure subscriptions to Microsoft Defender for Cloud

+description: Learn how to connect your Azure subscriptions to Microsoft Defender for Cloud

+# Connect your Azure subscriptions

+ > Enable database protection for your multicloud SQL servers through the [AWS connector](quickstart-onboard-aws.md#connect-your-aws-account) or the [GCP connector](quickstart-onboard-gcp.md#configure-the-defender-for-databases-plan).

+1. Navigate to **Microsoft Defender for Cloud** > **Attack path analysis**.

+ Title: Manage classic cloud connectors

+description: Learn how to manage AWS and GCP classic connectors and remove them from your subscription.

+# Manage classic cloud connectors (retired)

+The retired *classic cloud connector* requires configuration in your Google Cloud Platform (GCP) project or Amazon Web Services (AWS) account to create a user that Microsoft Defender for Cloud can use to connect to your GCP project or AWS environment. The classic connector is available only to customers who previously used it to connect GCP projects or AWS environments.

+To connect a [GCP project](quickstart-onboard-gcp.md) or an [AWS account](quickstart-onboard-aws.md), you should use the native connector available in Defender for Cloud.

+## Connect your AWS account by using the classic connector

+To complete the procedures for connecting an AWS account, you need:

+- A Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free one](https://azure.microsoft.com/pricing/free-trial/).

+- [Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) enabled on your Azure subscription.

+- **Owner** permission on the relevant Azure subscription. A **Contributor** can also connect an AWS account if an **Owner** provides the service principal details.

+If you're using an AWS management account, repeat the following steps to configure the management account and all connected member accounts across all relevant regions.

+1. Verify that data is flowing to Security Hub. When you first enable Security Hub, the data might take several hours to become available.

+- [Create an identity and access management (IAM) role for Defender for Cloud](#create-an-iam-role-for-defender-for-cloud): The more secure and recommended method.

+- [Create an AWS user for Defender for Cloud](#create-an-aws-user-for-defender-for-cloud): A less secure option if you don't have IAM enabled.

+#### Create an IAM role for Defender for Cloud

+1. Select **Roles** > **Create role**.

+ - For **Account ID**, enter the Microsoft account ID **158177204117**, as shown on the AWS connector page in Defender for Cloud.

+ - Select **Require External ID**.

+ - For **External ID**, enter the subscription ID, as shown on the AWS connector page in Defender for Cloud.

+ - `SecurityAudit` (`arn:aws:iam::aws:policy/SecurityAudit`)

+ - `AmazonSSMAutomationRole` (`arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole`)

+ - `AWSSecurityHubReadOnlyAccess` (`arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess`)

+1. Optionally, add tags. Adding tags to the user doesn't affect the connection.

+1. In The **Roles** list, choose the role that you created.

+#### Create an AWS user for Defender for Cloud

+1. In the **Details** step, enter a username for Defender for Cloud. Select **Programmatic access** for the AWS access type.

+1. Select **Next: Permissions**.

+ - `SecurityAudit`

+ - `AmazonSSMAutomationRole`

+ - `AWSSecurityHubReadOnlyAccess`

+1. Select **Next: Tags**. Optionally, add tags. Adding tags to the user doesn't affect the connection.

+1. Save the automatically generated **Access key ID** and **Secret access key** CSV files for later.

+1. Review the summary, and then select **Create user**.

+AWS Systems Manager (SSM) is required for automating tasks across your AWS resources. If your EC2 instances don't have the SSM Agent, follow the relevant instructions from Amazon:

+1. Make sure the appropriate [Azure resource providers](../azure-arc/servers/prerequisites.md#azure-resource-providers) are registered:

+ - `Microsoft.HybridCompute`

+ - `Microsoft.GuestConfiguration`

+1. As an **Owner** on the subscription that you want to use for onboarding, create a service principal for Azure Arc onboarding, as described in [Create a service principal for onboarding at scale](../azure-arc/servers/onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale).

+1. From the Defender for Cloud menu, open **Environment settings**. Then select the option to switch back to the classic connectors experience.

+ :::image type="content" source="media/quickstart-onboard-gcp/classic-connectors-experience.png" alt-text="Screenshot that shows how to switch back to the classic connectors experience in Defender for Cloud." lightbox="media/quickstart-onboard-gcp/classic-connectors-experience.png":::

+ :::image type="content" source="./media/quickstart-onboard-aws/add-aws-account.png" alt-text="Screenshot that shows the button for adding an AWS account on the pane for multicloud connectors in Defender for Cloud." lightbox="./media/quickstart-onboard-aws/add-aws-account.png":::

+1. Configure the options on the **AWS authentication** tab:

+ 1. For **Display name**, enter a name for the connector.

+ 1. For **Subscription**, confirm that the value is correct. It's the subscription that includes the connector and AWS Security Hub recommendations.

+ 1. Depending on the authentication option that you chose when you [set up authentication for Defender for Cloud in AWS](#set-up-authentication-for-defender-for-cloud-in-aws), take one of the following actions:

+ - For **Authentication method**, select **Assume Role**. Then, for **AWS role ARN**, paste the ARN that you got when you [created an IAM role for Defender for Cloud](#create-an-iam-role-for-defender-for-cloud).

+ :::image type="content" source="./media/quickstart-onboard-aws/paste-arn-in-portal.png" alt-text="Screenshot that shows the location for pasting the ARN file in the AWS connection wizard in the Azure portal." lightbox="./media/quickstart-onboard-aws/paste-arn-in-portal.png":::

+ - For **Authentication method**, select **Credentials**. Then, in the relevant boxes, paste the access key and secret key from the CSV files that you saved when you [created an AWS user for Defender for Cloud](#create-an-aws-user-for-defender-for-cloud).

+1. Configure the options on the **Azure Arc Configuration** tab.

+ Defender for Cloud discovers the EC2 instances in the connected AWS account and uses SSM to onboard them to Azure Arc. For the list of supported operating systems, see [What operating systems for my EC2 instances are supported?](faq-general.yml) in the common questions.

+ 1. For **Resource Group** and **Azure Region**, select the resource group and region that the discovered AWS EC2s will be onboarded to in the selected subscription.

+ 1. Enter the **Service Principal ID** and **Service Principal Client Secret** values for Azure Arc, as described in [Create a service principal for onboarding at scale](../azure-arc/servers/onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale).

+ 1. If the machine is connecting to the internet via proxy server, specify the proxy server IP address, or the name and port number that the machine uses to communicate with the proxy server. Enter the value in the format `http://<proxyURL>:<proxyport>`.

+ 1. Select **Review + create**.

+1. Review the summary information.

+ The **Tags** section lists all Azure tags that are automatically created for each onboarded EC2 instance. Each tag has its own relevant details, so you can easily recognize it in Azure. Learn more about Azure tags in [Use tags to organize your Azure resources and management hierarchy](../azure-resource-manager/management/tag-resources.md).

+### Confirm the connection

+After you successfully create the connector and properly configure AWS Security Hub:

+- Defender for Cloud scans the environment for AWS EC2 instances and onboards them to Azure Arc. You can then install the Log Analytics agent and get threat protection and security recommendations.

+- The AWS CIS standard appears in the regulatory compliance dashboard in Defender for Cloud.

+- If a Security Hub policy is enabled, recommendations appear in the Defender for Cloud portal and the regulatory compliance dashboard 5 to 10 minutes after onboarding finishes.

+To remove any connectors that you created by using the classic connectors experience:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Defender for Cloud** > **Environment settings**.

+ :::image type="content" source="media/quickstart-onboard-gcp/classic-connectors-experience.png" alt-text="Screenshot that shows switching back to the classic connectors experience in Defender for Cloud." lightbox="media/quickstart-onboard-gcp/classic-connectors-experience.png":::

+1. For each connector, select the ellipsis (**…**) button at the end of the row, and then select **Delete**.

+1. On AWS, delete the ARN role or the credentials created for the integration.

+## Connect your GCP project by using the classic connector

+Create a connector for every organization that you want to monitor from Defender for Cloud.

+When you're connecting GCP projects to specific Azure subscriptions, consider the [Google Cloud resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#resource-hierarchy-detail) and these guidelines:

+- You can connect your GCP projects to Defender for Cloud at the *organization* level.

+- You can connect multiple organizations to one Azure subscription.

+- You can connect multiple organizations to multiple Azure subscriptions.

+- When you connect an organization, all projects within that organization are added to Defender for Cloud.

+### Prerequisites

+To complete the procedures for connecting a GCP project, you need:

+- A Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free one](https://azure.microsoft.com/pricing/free-trial/).

+- [Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) enabled on your Azure subscription.

+- Access to a GCP project.

+- The **Owner** or **Contributor** role on the relevant Azure subscription.

+You can learn more about Defender for Cloud pricing on [the pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+For all the GCP projects in your organization, you must:

+1. Set up GCP Security Command Center by using [these instructions from the GCP documentation](https://cloud.google.com/security-command-center/docs/quickstart-scc-setup).

+1. Enable Security Health Analytics by using [these instructions from the GCP documentation](https://cloud.google.com/security-command-center/docs/how-to-use-security-health-analytics).

+1. Verify that data is flowing to Security Command Center.

+The instructions for connecting your GCP environment for security configuration follow Google's recommendations for consuming security configuration recommendations. The integration applies Google Security Command Center and consumes extra resources that might affect your billing.

+When you first enable Security Health Analytics, the data might take several hours to become available.

+### Enable the GCP Security Command Center API

+1. Go to Google's Cloud Console API Library.

+1. Select each project in the organization that you want to connect to Microsoft Defender for Cloud.

+1. Find and select **Security Command Center API**.

+[Learn more about the Security Command Center API](https://cloud.google.com/security-command-center/docs/reference/rest/).

+1. On the GCP console, select a project from the organization in which you're creating the required service account.

+ > When you add this service account at the organization level, it will be used to access the data that Security Command Center gathers from all of the other enabled projects in the organization.

+1. In the **IAM & admin** section of the left menu, select **Service accounts**.

+1. Enter an account name, and then select **Create**.

+1. Specify **Role** as **Defender for Cloud Admin Viewer**, and then select **Continue**.

+1. Copy the **Email value** information for the created service account, and save it for later use.

+1. In the **IAM & admin** section of the left menu, select **IAM**, and then:

+ 1. Switch to the organization level.

+ 1. In the **New members** box, paste the **Email value** information that you copied earlier.

+ 1. Specify the role as **Security Center Admin Viewer**, and then select **Save**.

+1. Switch to the project level.

+1. In the **IAM & admin** section of the left menu, select **Service accounts**.

+1. Open the dedicated service account, and then select **Edit**.

+1. In the **Keys** section, select **ADD KEY** > **Create new key**.

+1. On the **Create private key** pane, select **JSON**, and then select **CREATE**.

+1. From the Defender for Cloud menu, open **Environment settings**. Then select the option to switch back to the classic connectors experience.

+ :::image type="content" source="media/quickstart-onboard-gcp/classic-connectors-experience.png" alt-text="Screenshot that shows how to switch back to the classic connectors experience in Defender for Cloud." lightbox="media/quickstart-onboard-gcp/classic-connectors-experience.png" :::

+1. Select **Add GCP project**.

+1. On the onboarding page:

+ 1. In the **Display name** box, enter a display name for the connector.

+ 1. In the **Organization ID** box, enter your organization's ID. If you don't know it, see the Google guide [Creating and managing organizations](https://cloud.google.com/resource-manager/docs/creating-managing-organization).

+ 1. In the **Private key** box, browse to the JSON file that you downloaded when you [created a private key for the dedicated service account](#create-a-private-key-for-the-dedicated-service-account).

+1. Select **Next**.

+### Confirm the connection

+After you successfully create the connector and properly configure GCP Security Command Center:

+- The GCP CIS standard appears in the regulatory compliance dashboard in Defender for Cloud.

+- Security recommendations for your GCP resources appear in the Defender for Cloud portal and the regulatory compliance dashboard 5 to 10 minutes after onboarding finishes.

+ :::image type="content" source="./media/quickstart-onboard-gcp/gcp-resources-in-recommendations.png" alt-text="Screenshot that shows the GCP resources and recommendations on the recommendations pane in Defender for Cloud." lightbox="./media/quickstart-onboard-gcp/gcp-resources-in-recommendations.png" :::

+To remove any connectors that you created by using the classic connectors experience:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Defender for Cloud** > **Environment settings**.

+ :::image type="content" source="media/quickstart-onboard-gcp/classic-connectors-experience.png" alt-text="Screenshot that shows how to switch back to the classic connectors experience in Defender for Cloud." lightbox="media/quickstart-onboard-gcp/classic-connectors-experience.png":::

+1. For each connector, select the ellipsis (**...**) button at the end of the row, and then select **Delete**.

+ Title: Connect your AWS account to Microsoft Defender for Cloud

+description: Defend your AWS resources by using Microsoft Defender for Cloud.

+# Connect your AWS account to Microsoft Defender for Cloud

+Workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Amazon Web Services (AWS), but you need to set up the connection between them to your Azure subscription.

+If you're connecting an AWS account that you previously connected by using the classic connector, you must [remove it](how-to-use-the-classic-connector.md#remove-classic-aws-connectors) first. Using an AWS account that's connected by both the classic and native connectors can produce duplicate recommendations.

+The following screenshot shows AWS accounts displayed in the Defender for Cloud [overview dashboard](overview-page.md).

+You can learn more by watching the [New AWS connector in Defender for Cloud](episode-one.md) video from the *Defender for Cloud in the Field* video series.

+For a reference list of all the recommendations that Defender for Cloud can provide for AWS resources, see [Security recommendations for AWS resources - a reference guide](recommendations-reference-aws.md).

+To complete the procedures in this article, you need:

+- A Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free one](https://azure.microsoft.com/pricing/free-trial/).

+- [Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) set up on your Azure subscription.

+- **Contributor** permission for the relevant Azure subscription, and **Administrator** permission on the AWS account.

+### Defender for Containers

+If you choose the Microsoft Defender for Containers plan, you need:

+- At least one Amazon EKS cluster with permission to access to the EKS Kubernetes API server. If you need to create a new EKS cluster, follow the instructions in [Getting started with Amazon EKS ΓÇô eksctl](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html).

+- The resource capacity to create a new Amazon SQS queue, Kinesis Data Firehose delivery stream, and Amazon S3 bucket in the cluster's region.

+### Defender for SQL

+If you choose the Microsoft Defender for SQL plan, you need:

+- Microsoft Defender for SQL enabled on your subscription. [Learn how to protect your databases](tutorial-enable-databases-plan.md).

+- An active AWS account, with EC2 instances running SQL Server or RDS Custom for SQL Server.

+- Azure Arc for servers installed on your EC2 instances or RDS Custom for SQL Server.

+We recommend that you use the auto-provisioning process to install Azure Arc on all of your existing and future EC2 instances. To enable the Azure Arc auto-provisioning, you need **Owner** permission on the relevant Azure subscription.

+AWS Systems Manager (SSM) manages auto-provisioning by using the SSM Agent. Some Amazon Machine Images already have the [SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html). If your EC2 instances don't have the SSM Agent, install it by using these instructions from Amazon: [Install SSM Agent for a hybrid and multicloud environment (Windows)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-win.html).

+Ensure that your SSM Agent has the managed policy [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html). It enables core functionality for the AWS Systems Manager service.

+Enable these other extensions on the Azure Arc-connected machines:

+

+- Microsoft Defender for Endpoint

+- A vulnerability assessment solution (TVM or Qualys)

+- The Log Analytics agent on Azure Arc-connected machines or the Azure Monitor agent

+Make sure the selected Log Analytics workspace has a security solution installed. The Log Analytics agent and the Azure Monitor agent are currently configured at the *subscription* level. All of your AWS accounts and Google Cloud Platform (GCP) projects under the same subscription inherit the subscription settings for the Log Analytics agent and the Azure Monitor agent.

+[Learn more about monitoring components](monitoring-components.md) for Defender for Cloud.

+### Defender for Servers

+If you choose the Microsoft Defender for Servers plan, you need:

+- Microsoft Defender for Servers enabled on your subscription. Learn how to enable plans in [Enable enhanced security features](enable-enhanced-security.md).

+- An active AWS account, with EC2 instances.

+- Azure Arc for servers installed on your EC2 instances.

+We recommend that you use the auto-provisioning process to install Azure Arc on all of your existing and future EC2 instances. To enable the Azure Arc auto-provisioning, you need **Owner** permission on the relevant Azure subscription.

+AWS Systems Manager manages auto-provisioning by using the SSM Agent. Some Amazon Machine Images already have the [SSM Agent preinstalled](https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html). If your EC2 instances don't have the SSM Agent, install it by using either of the following instructions from Amazon:

+- [Install SSM Agent for a hybrid and multicloud environment (Windows)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-win.html)

+- [Install SSM Agent for a hybrid and multicloud environment (Linux)](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-linux.html)

+Ensure that your SSM Agent has the managed policy [AmazonSSMManagedInstanceCore](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSSMManagedInstanceCore.html), which enables core functionality for the AWS Systems Manager service.

+If you want to manually install Azure Arc on your existing and future EC2 instances, use the [EC2 instances should be connected to Azure Arc](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/231dee23-84db-44d2-bd9d-c32fbcfb42a3) recommendation to identify instances that don't have Azure Arc installed.

+Enable these other extensions on the Azure Arc-connected machines:

+

+- Microsoft Defender for Endpoint

+- A vulnerability assessment solution (TVM or Qualys)

+- The Log Analytics agent on Azure Arc-connected machines or the Azure Monitor agent

+Make sure the selected Log Analytics workspace has a security solution installed. The Log Analytics agent and the Azure Monitor agent are currently configured at the *subscription* level. All of your AWS accounts and GCP projects under the same subscription inherit the subscription settings for the Log Analytics agent and the Azure Monitor agent.

+[Learn more about monitoring components](monitoring-components.md) for Defender for Cloud.

+Defender for Servers assigns tags to your AWS resources to manage the auto-provisioning process. You must have these tags properly assigned to your resources so that Defender for Cloud can manage them: `AccountId`, `Cloud`, `InstanceId`, and `MDFCSecurityConnector`.

+To connect your AWS to Defender for Cloud by using a native connector:

+1. Go to **Defender for Cloud** > **Environment settings**.

+ :::image type="content" source="media/quickstart-onboard-aws/add-aws-account-environment-settings.png" alt-text="Screenshot that shows connecting an AWS account to an Azure subscription." lightbox="media/quickstart-onboard-aws/add-aws-account-environment-settings.png":::

+ :::image type="content" source="media/quickstart-onboard-aws/add-aws-account-details.png" alt-text="Screenshot that shows the tab for entering account details for an AWS account." lightbox="media/quickstart-onboard-aws/add-aws-account-details.png":::

+ Optionally, select **Management account** to create a connector to a management account. Connectors are created for each member account discovered under the provided management account. Auto-provisioning is enabled for all of the newly onboarded accounts.

+ The **Select plans** tab is where you choose which Defender for Cloud capabilities to enable for this AWS account. Each plan has its own [requirements for permissions](concept-aws-connector.md#native-connector-plan-requirements) and might incur [charges](https://azure.microsoft.com/pricing/details/defender-for-cloud/?v=17.23h).

+ :::image type="content" source="media/quickstart-onboard-aws/add-aws-account-plans-selection.png" alt-text="Screenshot that shows the tab for selecting plans for an AWS account." lightbox="media/quickstart-onboard-aws/add-aws-account-plans-selection.png":::

+ > To present the current status of your recommendations, the Microsoft Defender Cloud Security Posture Management plan queries the AWS resource APIs several times a day. These read-only API calls incur no charges, but they *are* registered in CloudTrail if you've enabled a trail for read events.

+ >

+ > As explained in [the AWS documentation](https://aws.amazon.com/cloudtrail/pricing/), there are no additional charges for keeping one trail. If you're exporting the data out of AWS (for example, to an external SIEM system), this increased volume of calls might also increase ingestion costs. In such cases, we recommend filtering out the read-only calls from the Defender for Cloud user or ARN role: `arn:aws:iam::[accountId]:role/CspmMonitorAws`. (This is the default role name. Confirm the role name configured on your account.)

+1. By default, the **Servers** plan is set to **On**. This setting is necessary to extend the coverage of Defender for Servers to AWS EC2. Ensure that you've fulfilled the [network requirements for Azure Arc](../azure-arc/servers/network-requirements.md?tabs=azure-cloud).

+ Optionally, select **Configure** to edit the configuration as required.

+ > The respective Azure Arc servers for EC2 instances or GCP virtual machines that no longer exist (and the respective Azure Arc servers with a status of [Disconnected or Expired](/azure/azure-arc/servers/overview)) are removed after 7 days. This process removes irrelevant Azure Arc entities to ensure that only Azure Arc servers related to existing instances are displayed.

+1. By default, the **Containers** plan is set to **On**. This setting is necessary to have Defender for Containers protect your AWS EKS clusters. Ensure that you've fulfilled the [network requirements](./defender-for-containers-enable.md?pivots=defender-for-container-eks&source=docs&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#network-requirements) for the Defender for Containers plan.

+ > [!NOTE]

+ > Azure Arc-enabled Kubernetes, the Azure Arc extension for Microsoft Defender, and the Azure Arc extension for Azure Policy should be installed. Use the dedicated Defender for Cloud recommendations to deploy the extensions (and Azure Arc, if necessary), as explained in [Protect Amazon Elastic Kubernetes Service clusters](defender-for-containers-enable.md?tabs=defender-for-container-eks).

+ Optionally, select **Configure** to edit the configuration as required. If you choose to turn off this configuration, the **Threat detection (control plane)** feature is also disabled. [Learn more about feature availability](supported-machines-endpoint-solutions-clouds-containers.md).

+1. By default, the **Databases** plan is set to **On**. This setting is necessary to extend coverage of Defender for SQL to AWS EC2 and RDS Custom for SQL Server.

+ Optionally, select **Configure** to edit the configuration as required. We recommend that you leave it set to the default configuration.

+1. On the **Configure access** tab, select **Click to download the CloudFormation template** to download the CloudFormation template.

+ :::image type="content" source="media/quickstart-onboard-aws/download-cloudformation-template.png" alt-text="Screenshot that shows the button to download the CloudFormation template." lightbox="media/quickstart-onboard-aws/download-cloudformation-template.png":::

+1. Continue to configure access by making the following selections:

+ a. Choose a deployment type:

+ - **Default access**: Allows Defender for Cloud to scan your resources and automatically include future capabilities.

+ - **Least privilege access**: Grants Defender for Cloud access only to the current permissions needed for the selected plans. If you select the least privileged permissions, you'll receive notifications on any new roles and permissions that are required to get full functionality for connector health.

+ b. Choose a deployment method: **AWS CloudFormation** or **Terraform**.

+ :::image type="content" source="media/quickstart-onboard-aws/aws-configure-access.png" alt-text="Screenshot that shows deployment options and instructions for configuring access.":::

+1. Follow the on-screen instructions for the selected deployment method to complete the required dependencies on AWS. If you're onboarding a management account, you need to run the CloudFormation template both as Stack and as StackSet. Connectors are created for the member accounts up to 24 hours after the onboarding.

+Defender for Cloud immediately starts scanning your AWS resources. Security recommendations appear within a few hours.

+As part of connecting an AWS account to Microsoft Defender for Cloud, you deploy a CloudFormation template to the AWS account. This template creates all of the required resources for the connection.

+Deploy the CloudFormation template by using Stack (or StackSet if you have a management account). When you're deploying the template, the Stack creation wizard offers the following options.

+- **Amazon S3 URL**: Upload the downloaded CloudFormation template to your own S3 bucket with your own security configurations. Enter the URL to the S3 bucket in the AWS deployment wizard.

+- **Upload a template file**: AWS automatically creates an S3 bucket that the CloudFormation template is saved to. The automation for the S3 bucket has a security misconfiguration that causes the `S3 buckets should require requests to use Secure Socket Layer` recommendation to appear. You can remediate this recommendation by applying the following policy:

+The security recommendations page in Defender for Cloud displays your AWS resources. You can use the environments filter to enjoy multicloud capabilities in Defender for Cloud.

+To view all the active recommendations for your resources by resource type, use the asset inventory page in Defender for Cloud and filter to the AWS resource type that you're interested in.

+Check out the following blogs:

+- [Ignite 2021: Microsoft Defender for Cloud news](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/ignite-2021-microsoft-defender-for-cloud-news/ba-p/2882807)

+There's no need to clean up any resources for this article.

+Connecting your AWS account is part of the multicloud experience available in Microsoft Defender for Cloud:

+- [Protect all of your resources with Defender for Cloud](enable-all-plans.md).

+- Set up your [on-premises machines](quickstart-onboard-machines.md) and [GCP projects](quickstart-onboard-gcp.md).

+- Get answers to [common questions](faq-general.yml) about onboarding your AWS account.

+- [Troubleshoot your multicloud connectors](troubleshooting-guide.md#troubleshooting-the-native-multicloud-connector).

+Cloud workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Azure, Amazon Web Services, Google Cloud Platform, GitHub, and Azure DevOps.

+In this quickstart, you connect your Azure DevOps organizations on the **Environment settings** page in Microsoft Defender for Cloud. This page provides a simple onboarding experience (including auto-discovery).

+By connecting your Azure DevOps repositories to Defender for Cloud, you extend the security features of Defender for Cloud to your Azure DevOps resources. These features include:

+- **Microsoft Defender Cloud Security Posture Management features**: You can assess your Azure DevOps resources for compliance with Azure DevOps-specific security recommendations. You can also learn about all the [recommendations for DevOps](recommendations-reference.md) resources. The Defender for Cloud [asset inventory page](asset-inventory.md) is a multicloud-enabled feature that helps you manage your Azure DevOps resources alongside your Azure resources.

+- **Workload protection features**: You can extend the threat detection capabilities and advanced defenses in Defender for Cloud to your Azure DevOps resources.

+API calls that Defender for Cloud performs count against the [Azure DevOps global consumption limit](/azure/devops/integrate/concepts/rate-limits). For more information, see the [common questions about Microsoft Defender for DevOps](faq-defender-for-devops.yml).

+To complete this quickstart, you need:

+- An Azure account with Defender for Cloud onboarded. If you don't already have an Azure account, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- The [Microsoft Security DevOps Azure DevOps extension](azure-devops-extension.md) configured.

+| Release state: | Preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability. |

+| Required permissions: | **Account Administrator** with permissions to sign in to the Azure portal. <br> **Contributor** on the Azure subscription where the connector will be created. <br> **Security Admin** in Defender for Cloud. <br> **Organization Administrator** in Azure DevOps. <br> **Basic or Basic + Test Plans Access Level** in Azure DevOps. Third-party applications gain access via OAuth, which must be set to `On`. [Learn more about OAuth](/azure/devops/organizations/accounts/change-application-access-policies).|

+| Clouds: | :::image type="icon" source="media/quickstart-onboard-github/check-yes.png" border="false"::: Commercial <br> :::image type="icon" source="media/quickstart-onboard-github/x-no.png" border="false"::: National (Azure Government, Azure China 21Vianet) |

+To connect your Azure DevOps organization to Defender for Cloud by using a native connector:

+1. Go to **Microsoft Defender for Cloud** > **Environment settings**.

+ :::image type="content" source="media/quickstart-onboard-ado/devop-connector.png" alt-text="Screenshot that shows selections for adding Azure DevOps as a connector." lightbox="media/quickstart-onboard-ado/devop-connector.png":::

+1. Enter a name, subscription, resource group, and region.

+ The subscription is the location where Microsoft Defender for DevOps creates and stores the Azure DevOps connection.

+ The authorization automatically signs in by using the session from your browser's tab. After you select **Authorize**, if you don't see the Azure DevOps organizations that you expect, check whether you're signed in to Microsoft Defender for Cloud on one browser tab and signed in to Azure DevOps on another browser tab.

+1. In the popup dialog, read the list of permission requests, and then select **Accept**.

+ :::image type="content" source="media/quickstart-onboard-ado/accept.png" alt-text="Screenshot that shows the button for accepting permissions.":::

+1. Select your relevant organizations from the drop-down menu.

+1. For projects, do one of the following:

+ - Select **Auto discover projects** to discover all projects automatically and apply auto-discovery to all current and future projects.

+ - Select your relevant projects from the drop-down menu. Then, select **Auto-discover repositories** or select individual repositories.

+1. Select **Next: Review and create**.

+1. Review the information, and then select **Create**.

+The Defender for DevOps service automatically discovers the organizations, projects, and repositories that you selected and analyzes them for any security problems.

+When you select auto-discovery during the onboarding process, repositories can take up to 4 hours to appear.

+The **Inventory** page shows your selected repositories. The **Recommendations** page shows any security problems related to a selected repository.

+- Learn more about [Azure DevOps](/azure/devops/).

+- Learn how to [create your first pipeline](/azure/devops/pipelines/create-first-pipeline).

+description: Defend your GCP resources by using Microsoft Defender for Cloud.

+# Connect your GCP project to Microsoft Defender for Cloud

+Workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Google Cloud Platform (GCP), but you need to set up the connection between them to your Azure subscription.

+If you're connecting a GCP project that you previously connected by using the classic connector, you must [remove it](how-to-use-the-classic-connector.md#remove-classic-gcp-connectors) first. Using a GCP project that's connected by both the classic and native connectors can produce duplicate recommendations.

+This screenshot shows GCP accounts displayed in the Defender for Cloud [overview dashboard](overview-page.md).

+To complete the procedures in this article, you need:

+- A Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free one](https://azure.microsoft.com/pricing/free-trial/).

+- [Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) set up on your Azure subscription.

+- **Contributor** permission on the relevant Azure subscription, and **Owner** permission on the GCP organization or project.

+You can learn more about Defender for Cloud pricing on [the pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+When you're connecting GCP projects to specific Azure subscriptions, consider the [Google Cloud resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#resource-hierarchy-detail) and these guidelines:

+- You can connect your GCP projects to Microsoft Defender for Cloud at the *project* level.

+To connect your GCP project to Defender for Cloud by using a native connector:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Defender for Cloud** > **Environment settings**.

+1. Select **Add environment** > **Google Cloud Platform**.

+ :::image type="content" source="media/quickstart-onboard-gcp/google-cloud.png" alt-text="Screenshot that shows selections for adding Google Cloud Platform as a connector." lightbox="media/quickstart-onboard-gcp/google-cloud.png":::

+ :::image type="content" source="media/quickstart-onboard-gcp/create-connector.png" alt-text="Screenshot of the pane for creating a GCP connector." lightbox="media/quickstart-onboard-gcp/create-connector.png":::

+ Optionally, if you select **Organization**, a management project and an organization custom role are created on your GCP project for the onboarding process. Auto-provisioning is enabled for the onboarding of new projects.

+1. Select **Next: Select plans**.

+1. For the plans that you want to connect, turn the toggle to **On**. By default, all necessary prerequisites and components are provisioned. [Learn how to configure each plan](#optional-configure-selected-plans).

+ If you choose to turn on the Microsoft Defender for Containers plan, ensure that you meet the [network requirements](defender-for-containers-enable.md?tabs=defender-for-container-gcp#network-requirements) for it.

+1. Select **Next: Configure access**.

+ 1. Choose the deployment type:

+ - **Default access**: Allows Defender for Cloud to scan your resources and automatically include future capabilities.

+ - **Least privilege access**: Grants Defender for Cloud access to only the current permissions needed for the selected plans. If you select the least privileged permissions, you'll receive notifications on any new roles and permissions that are required to get full functionality for connector health.

+ 1. Choose the deployment method: **GCP Cloud Shell** or **Terraform**.

+ :::image type="content" source="media/quickstart-onboard-gcp/copy-button.png" alt-text="Screenshot that shows the location of the copy button.":::

+ > [!NOTE]

+ > For the discovery of GCP resources and for the authentication process, you must enable the following APIs: `iam.googleapis.com`, `sts.googleapis.com`, `cloudresourcemanager.googleapis.com`, `iamcredentials.googleapis.com`, and `compute.googleapis.com`. If you don't enable these APIs, we'll enable them during the onboarding process by running the GCloud script.

+1. Select **GCP Cloud Shell >**. The GCP Cloud Shell opens.

+1. Paste the script into the GCP Cloud Shell terminal and run it.

+1. Ensure that you created the following resources for Microsoft Defender Cloud Security Posture Management (CSPM) and Defender for Containers:

+ | CSPM service account reader role <br><br> Microsoft Defender for Cloud identity federation <br><br> CSPM identity pool <br><br>Microsoft Defender for Servers service account (when the servers plan is enabled) <br><br>*Azure Arc for servers onboarding* service account (when Azure Arc for servers auto-provisioning is enabled) | Microsoft Defender for Containers service account role <br><br> Microsoft Defender Data Collector service account role <br><br> Microsoft Defender for Cloud identity pool |

+After you create the connector, a scan starts on your GCP environment. New recommendations appear in Defender for Cloud after up to 6 hours. If you enabled auto-provisioning, Azure Arc and any enabled extensions are installed automatically for each newly detected resource.

+## Optional: Configure selected plans

+By default, all plans are **On**. You can turn off plans that you don't need.

+### Configure the Defender for Servers plan

+Microsoft Defender for Servers brings threat detection and advanced defenses to your GCP virtual machine (VM) instances. To have full visibility into Microsoft Defender for Servers security content, connect your GCP VM instances to Azure Arc. If you choose the Microsoft Defender for Servers plan, you need:

+- Microsoft Defender for Servers enabled on your subscription. Learn how to enable plans in [Enable enhanced security features](enable-enhanced-security.md).

+We recommend that you use the auto-provisioning process to install Azure Arc on your VM instances. Auto-provisioning is enabled by default in the onboarding process and requires **Owner** permissions on the subscription. The Azure Arc auto-provisioning process uses the OS Config agent on the GCP end. [Learn more about the availability of the OS Config agent on GCP machines](https://cloud.google.com/compute/docs/images/os-details#vm-manager).

+The Azure Arc auto-provisioning process uses the VM manager on GCP to enforce policies on your VMs through the OS Config agent. A VM that has an [active OS Config agent](https://cloud.google.com/compute/docs/manage-os#agent-state) incurs a cost according to GCP. To see how this cost might affect your account, refer to the [GCP technical documentation](https://cloud.google.com/compute/docs/vm-manager#pricing).

+Microsoft Defender for Servers does not install the OS Config agent to a VM that doesn't have it installed. However, Microsoft Defender for Servers enables communication between the OS Config agent and the OS Config service if the agent is already installed but not communicating with the service. This communication can change the OS Config agent from `inactive` to `active` and lead to more costs.

+Alternatively, you can manually connect your VM instances to Azure Arc for servers. Instances in projects with the Defender for Servers plan enabled that aren't connected to Azure Arc are surfaced by the recommendation **GCP VM instances should be connected to Azure Arc**. Select the **Fix** option in the recommendation to install Azure Arc on the selected machines.

+The respective Azure Arc servers for EC2 instances or GCP virtual machines that no longer exist (and the respective Azure Arc servers with a status of [Disconnected or Expired](/azure/azure-arc/servers/overview)) are removed after 7 days. This process removes irrelevant Azure Arc entities to ensure that only Azure Arc servers related to existing instances are displayed.

+Ensure that you fulfill the [network requirements for Azure Arc](../azure-arc/servers/network-requirements.md?tabs=azure-cloud).

+Enable these other extensions on the Azure Arc-connected machines:

+

+- Microsoft Defender for Endpoint

+- A vulnerability assessment solution (Microsoft Defender Vulnerability Management or Qualys)

+- The Log Analytics agent on Azure Arc-connected machines or the Azure Monitor agent

+Make sure the selected Log Analytics workspace has a security solution installed. The Log Analytics agent and the Azure Monitor agent are currently configured at the *subscription* level. All the multicloud accounts and projects (from both AWS and GCP) under the same subscription inherit the subscription settings for the Log Analytics agent and the Azure Monitor agent. [Learn more about monitoring components for Defender for Servers](monitoring-components.md).

+Defender for Servers assigns tags to your GCP resources to manage the auto-provisioning process. You must have these tags properly assigned to your resources so that Defender for Servers can manage your resources: `Cloud`, `InstanceName`, `MDFCSecurityConnector`, `MachineId`, `ProjectId`, and `ProjectNumber`.

+To configure the Defender for Servers plan:

+1. Follow the [steps to connect your GCP project](#connect-your-gcp-project).

+1. On the **Select plans** tab, select **Configure**.

+ :::image type="content" source="media/quickstart-onboard-gcp/view-configuration.png" alt-text="Screenshot that shows the link for configuring the Defender for Servers plan.":::

+1. On the **Auto-provisioning configuration** pane, turn the toggles to **On** or **Off**, depending on your need.

+ :::image type="content" source="media/quickstart-onboard-gcp/auto-provision-screen.png" alt-text="Screenshot that shows the toggles for the Defender for Servers plan.":::

+ If **Azure Arc agent** is **Off**, you need to follow the manual installation process mentioned earlier.

+1. Continue from step 8 of the [Connect your GCP project](#connect-your-gcp-project) instructions.

+### Configure the Defender for Databases plan

+To have full visibility into Microsoft Defender for Databases security content, connect your GCP VM instances to Azure Arc.

+To configure the Defender for Databases plan:

+1. Follow the [steps to connect your GCP project](#connect-your-gcp-project).

+1. On the **Select plans** tab, select **Configure**.

+ :::image type="content" source="media/quickstart-onboard-gcp/view-configuration.png" alt-text="Screenshot that shows the link for configuring the Defender for Databases plan.":::

+1. On the **Auto-provisioning configuration** pane, turn the toggles to **On** or **Off**, depending on your need.

+ :::image type="content" source="media/quickstart-onboard-gcp/auto-provision-databases-screen.png" alt-text="Screenshot that shows the toggles for the Defender for Databases plan.":::

+ If the toggle for Azure Arc is **Off**, you need to follow the manual installation process mentioned earlier.

+1. Select **Save**.

+1. Continue from step 8 of the [Connect your GCP project](#connect-your-gcp-project) instructions.

+### Configure the Defender for Containers plan

+Microsoft Defender for Containers brings threat detection and advanced defenses to your GCP Google Kubernetes Engine (GKE) Standard clusters. To get the full security value out of Defender for Containers and to fully protect GCP clusters, ensure that you meet the following requirements.

+> If you choose to disable the available configuration options, no agents or components will be deployed to your clusters. [Learn more about feature availability](supported-machines-endpoint-solutions-clouds-containers.md).

+- **Kubernetes audit logs to Defender for Cloud**: Enabled by default. This configuration is available at the GCP project level only. It provides agentless collection of the audit log data through [GCP Cloud Logging](https://cloud.google.com/logging/) to the Microsoft Defender for Cloud back end for further analysis.

+- **Azure Arc-enabled Kubernetes, the Defender extension, and the Azure Policy extension**: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways:

+ - Enable Defender for Containers auto-provisioning at the project level, as explained in the instructions in this section. We recommend this method.

+ - Use Defender for Cloud recommendations for per-cluster installation. They appear on the Microsoft Defender for Cloud recommendations page. [Learn how to deploy the solution to specific clusters](defender-for-containers-enable.md?tabs=defender-for-container-gke#deploy-the-solution-to-specific-clusters).

+ - Manually install [Arc-enabled Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md) and [extensions](../azure-arc/kubernetes/extensions.md).

+To configure the Defender for Containers plan:

+1. Follow the steps to [connect your GCP project](#connect-your-gcp-project).

+1. On the **Select plans** tab, select **Configure**.

+ :::image type="content" source="media/quickstart-onboard-gcp/containers-configure.png" alt-text="Screenshot that shows the link for configuring the Defender for Containers plan.":::

+1. On the **Defender for Containers configuration** pane, turn the toggles to **On**.

+ :::image type="content" source="media/quickstart-onboard-gcp/containers-configuration.png" alt-text="Screenshot that shows toggles for the Defender for Containers plan.":::

+1. Continue from step 8 of the [Connect your GCP project](#connect-your-gcp-project) instructions.

+The security recommendations page in Defender for Cloud displays your GCP resources together with your Azure and AWS resources for a true multicloud view.

+To view all the active recommendations for your resources by resource type, use the asset inventory page in Defender for Cloud and filter to the GCP resource type that you're interested in.

+Connecting your GCP project is part of the multicloud experience available in Microsoft Defender for Cloud:

+- Set up your [on-premises machines](quickstart-onboard-machines.md) and [AWS account](quickstart-onboard-aws.md).

+- Get answers to [common questions](faq-general.yml) about connecting your GCP project.

+# Quickstart: Connect your GitHub repositories to Microsoft Defender for Cloud

+Cloud workloads commonly span multiple cloud platforms. Cloud security services must do the same. Microsoft Defender for Cloud helps protect workloads in Azure, Amazon Web Services, Google Cloud Platform, GitHub, and Azure DevOps.

+In this quickstart, you connect your GitHub organizations on the **Environment settings** page in Microsoft Defender for Cloud. This page provides a simple onboarding experience (including auto-discovery).

+By connecting your GitHub repositories to Defender for Cloud, you extend the enhanced security features of Defender for Cloud to your GitHub resources. These features include:

+- **Cloud Security Posture Management features**: You can assess your GitHub resources according to GitHub-specific security recommendations. You can also learn about all of the [recommendations for DevOps](recommendations-reference.md) resources. Resources are assessed for compliance with built-in standards that are specific to DevOps. The Defender for Cloud [asset inventory page](asset-inventory.md) is a multicloud-enabled feature that helps you manage your GitHub resources alongside your Azure resources.

+- **Workload protection features**: You can extend Defender for Cloud threat detection capabilities and advanced defenses to your GitHub resources.

+To complete this quickstart, you need:

+- An Azure account with Defender for Cloud onboarded. If you don't already have an Azure account, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- GitHub Enterprise with GitHub Advanced Security enabled, so you can use all advanced security capabilities that the GitHub connector provides in Defender for Cloud.

+| Release state: | Preview. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability. |

+| Required permissions: | **Account Administrator** with permissions to sign in to the Azure portal. <br> **Contributor** on the Azure subscription where the connector will be created. <br> **Security Admin** in Defender for Cloud. <br> **Organization Administrator** in GitHub. |

+| GitHub supported versions: | GitHub Free, Pro, Team, and Enterprise Cloud |

+| Clouds: | :::image type="icon" source="media/quickstart-onboard-github/check-yes.png" border="false"::: Commercial <br> :::image type="icon" source="media/quickstart-onboard-github/x-no.png" border="false"::: National (Azure Government, Azure China 21Vianet) |

+During the preview, the maximum number of GitHub repositories that you can onboard to Microsoft Defender for Cloud is 2,000. If you try to connect more than 2,000 GitHub repositories, only the first 2,000 repositories, sorted alphabetically, will be onboarded.

+If your organization is interested in onboarding more than 2,000 GitHub repositories, please complete [this survey](https://aka.ms/dfd-forms/onboarding).

+To connect your GitHub account to Microsoft Defender for Cloud:

+1. Go to **Microsoft Defender for Cloud** > **Environment settings**.

+ :::image type="content" source="media/quickstart-onboard-github/select-github.png" alt-text="Screenshot that shows selections for adding GitHub as a connector." lightbox="media/quickstart-onboard-github/select-github.png":::

+1. Enter a name (limit of 20 characters), and then select your subscription, resource group, and region.

+ The subscription is the location where Defender for Cloud creates and stores the GitHub connection.

+1. Select **Authorize** to grant your Azure subscription access to your GitHub repositories. Sign in, if necessary, with an account that has permissions to the repositories that you want to protect.

+ The authorization automatically signs in by using the session from your browser's tab. After you select **Authorize**, if you don't see the GitHub organizations that you expect, check whether you're signed in to Microsoft Defender for Cloud on one browser tab and signed in to GitHub on another browser tab.

+ After authorization, if you wait too long to install the DevOps application, the session will time out and you'll get an error message.

+ This step grants Defender for Cloud access to the selected repositories.

+1. Select **Next: Review and create**.

+1. Select **Create**.

+When the process finishes, the GitHub connector appears on your **Environment settings** page.

+The Defender for Cloud service automatically discovers the repositories that you selected and analyzes them for any security problems. Initial repository discovery can take up to 10 minutes during the onboarding process.

+When you select auto-discovery during the onboarding process, repositories can take up to 4 hours to appear after onboarding is completed. The auto-discovery process detects any new repositories and connects them to Defender for Cloud.

+The **Inventory** page shows your selected repositories. The **Recommendations** page shows any security problems related to a selected repository. This information can take 3 hours or more to appear.

+- [Azure and GitHub integration](/azure/developer/github/)

+- [Security hardening for GitHub Actions](https://docs.github.com/actions/security-guides/security-hardening-for-github-actions)

+- Learn about [Defender for DevOps](defender-for-devops-introduction.md).

+- Learn how to [configure the Microsoft Security DevOps GitHub action](github-action.md).

+- Learn how to [configure pull request annotations](enable-pull-request-annotations.md) in Defender for Cloud.

+ Title: Connect on-premises machines to Defender for Cloud

+description: Learn how to connect your non-Azure machines to Microsoft Defender for Cloud.

+Microsoft Defender for Cloud can monitor the security posture of your non-Azure machines, but first you need to connect them to Azure.

+ - By using Azure Arc-enabled servers (recommended)

+ - By using the Azure portal

+- [Onboarding directly with Microsoft Defender for Endpoint](onboard-machines-with-defender-for-endpoint.md)

+This article describes the methods for onboarding with Azure Arc.

+If you're connecting machines from other cloud providers, see [Connect your AWS account](quickstart-onboard-aws.md) or [Connect your GCP project](quickstart-onboard-gcp.md). The multicloud connectors for Amazon Web Services (AWS) and Google Cloud Platform (GCP) in Defender for Cloud transparently handle the Azure Arc deployment for you.

+To complete the procedures in this article, you need:

+- A Microsoft Azure subscription. If you don't have an Azure subscription, you can [sign up for a free one](https://azure.microsoft.com/pricing/free-trial/).

+- [Microsoft Defender for Cloud](get-started.md#enable-defender-for-cloud-on-your-azure-subscription) set up on your Azure subscription.

+- Access to an on-premises machine.

+## Connect on-premises machines by using Azure Arc

+A machine that has [Azure Arc-enabled servers](../azure-arc/servers/overview.md) becomes an Azure resource. When you install the Log Analytics agent on it, it appears in Defender for Cloud with recommendations, like your other Azure resources.

+Azure Arc-enabled servers provide enhanced capabilities, such as enabling guest configuration policies on the machine and simplifying deployment with other Azure services. For an overview of the benefits of Azure Arc-enabled servers, see [Supported cloud operations](../azure-arc/servers/overview.md#supported-cloud-operations).

+To deploy Azure Arc on one machine, follow the instructions in [Quickstart: Connect hybrid machines with Azure Arc-enabled servers](../azure-arc/servers/learn/quick-enable-hybrid-vm.md).

+To deploy Azure Arc on multiple machines at scale, follow the instructions in [Connect hybrid machines to Azure at scale](../azure-arc/servers/onboard-service-principal.md).

+Defender for Cloud tools for automatically deploying the Log Analytics agent work with machines running Azure Arc. However, this capability is currently in preview. When you connect your machines by using Azure Arc, use the relevant Defender for Cloud recommendation to deploy the agent and benefit from the full range of protections that Defender for Cloud offers:

+- [Log Analytics agent should be installed on your Linux-based Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1)

+- [Log Analytics agent should be installed on your Windows-based Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/27ac71b1-75c5-41c2-adc2-858f5db45b08)

+## Connect on-premises machines by using the Azure portal

+After you connect Defender for Cloud to your Azure subscription, you can start connecting your on-premises machines from the **Getting started** page in Defender for Cloud.

+1. On the Defender for Cloud menu, select **Getting started**.

+1. Find **Add non-Azure servers** and select **Configure**.

+ :::image type="content" source="./media/quickstart-onboard-machines/onboarding-get-started-tab.png" alt-text="Screenshot of the tab for getting started with Defender for Cloud and adding an on-premises server." lightbox="./media/quickstart-onboard-machines/onboarding-get-started-tab.png":::

+ A list of your Log Analytics workspaces appears.

+1. (Optional) If you don't already have a Log Analytics workspace in which to store the data, select **Create new workspace** and follow the on-screen guidance.

+1. From the list of workspaces, select **Upgrade** for the relevant workspace to turn on Defender for Cloud paid plans for 30 free days.

+1. On the **Agents management** page, choose one of the following procedures, depending on the type of machines you're onboarding:

+ - [Onboard your Windows server](#onboard-your-windows-server)

+ - [Onboard your Linux server](#onboard-your-linux-server)

+When you add a Windows server, you need to get the information on the **Agents management** page and download the appropriate agent file (32 bit or 64 bit).

+To onboard a Windows server:

+ :::image type="content" source="media/quickstart-onboard-machines/windows-servers.png" alt-text="Screenshot that shows the tab for Windows servers.":::

+1. Select the **Download Windows Agent** link that's applicable to your computer processor type to download the setup file.

+1. From the **Agents management** page, copy the **Workspace ID** and **Primary Key** values into Notepad.

+1. Follow the installation wizard (select **Next** > **I Agree** > **Next** > **Next**).

+1. On the **Azure Log Analytics** page, paste the **Workspace ID** and **Primary Key** values that you copied into Notepad.

+1. If the computer should report to a Log Analytics workspace in the Azure Government cloud, select **Azure US Government** from the **Azure Cloud** dropdown list.

+1. If the computer needs to communicate through a proxy server to the Log Analytics service, select **Advanced**. Then provide the URL and port number of the proxy server.

+1. When you finish entering all of the configuration settings, select **Next**.

+1. On the **Ready to Install** page, review the settings to be applied and select **Install**.

+1. On the **Configuration completed successfully** page, select **Finish**.

+When the process is complete, **Microsoft Monitoring agent** appears in **Control Panel**. You can review your configuration there and verify that the agent is connected.

+### Onboard your Linux server

+To add Linux machines, you need the `wget` command from the **Agents management** page.

+To onboard your Linux server:

+ :::image type="content" source="media/quickstart-onboard-machines/linux-servers.png" alt-text="Screenshot that shows the tab for Linux servers.":::

+1. Copy the `wget` command into Notepad. Save this file to a location that you can access from your Linux computer.

+1. On your Linux computer, open the file that contains the `wget` command. Copy the entire contents and paste them into a terminal console.

+1. When the installation finishes, validate that the Operations Management Suite Agent is installed by running the `pgrep` command. The command returns the `omsagent` persistent ID.

+ You can find the logs for the agent at `/var/opt/microsoft/omsagent/<workspace id>/log/`. The new Linux machine might take up to 30 minutes to appear in Defender for Cloud.

+## Verify that your machines are connected

+To verify that your machines are connected:

+1. On the Defender for Cloud menu, select **Inventory** to show the [asset inventory](asset-inventory.md).

+  Non-Azure machine

+  Azure VM

+  Azure Arc-enabled server

+There's no need to clean up any resources for this article.

+- [Protect all of your resources with Defender for Cloud](enable-all-plans.md).

+- Set up your [AWS account](quickstart-onboard-aws.md) and [GCP projects](quickstart-onboard-gcp.md).

+| July 12 | [New Security alert in Defender for Servers plan 2: Detecting Potential Attacks leveraging Azure VM GPU driver extensions](#new-security-alert-in-defender-for-servers-plan-2-detecting-potential-attacks-leveraging-azure-vm-gpu-driver-extensions)

+| July 9 | [Support for disabling specific vulnerability findings](#support-for-disabling-specific-vulnerability-findings)

+### New security alert in Defender for Servers plan 2: detecting potential attacks leveraging Azure VM GPU driver extensions

+July 12, 2023

+This alert focuses on identifying suspicious activities leveraging Azure virtual machine **GPU driver extensions** and provides insights into attackers' attempts to compromise your virtual machines. The alert targets suspicious deployments of GPU driver extensions; such extensions are often abused by threat actors to utilize the full power of the GPU card and perform cryptojacking.

+| Alert Display Name <br> (Alert Type) | Description | Severity | MITRE Tactic |

+|||||

+| Suspicious installation of GPU extension in your virtual machine (Preview) <br> (VM_GPUDriverExtensionUnusualExecution) | Suspicious installation of a GPU extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers may use the GPU driver extension to install GPU drivers on your virtual machine via the Azure Resource Manager to perform cryptojacking. | Low | Impact |

+For a complete list of alerts, see the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-reference.md).

+ ### Support for disabling specific vulnerability findings

+If you disabled any of the default auto provisioning configurations to Off, during the [GCP connector onboarding process](quickstart-onboard-gcp.md#configure-the-defender-for-containers-plan), or afterwards. You need to manually install Azure Arc-enabled Kubernetes, the Defender extension, and the Azure Policy extensions to each of your GKE clusters to get the full security value out of Defender for Containers.

+1. Follow the options through to buy the license and add it to your Microsoft 365 products.

+ Make sure to select the number of licenses you want to purchase, based on the number of sites you want to monitor at the selected size.

+ When you're finished, select **Save**. If you've selected to download the on-premises management console activation file, the file is downloaded and you're prompted to save it locally. You'll use it later, when [activating your on-premises management console](ot-deploy/activate-deploy-management.md#activate-the-on-premises-management-console).

+Your new plan is listed under the relevant subscription on the **Plans and pricing** > **Plans** page.

+### Cancel your Defender for IoT licenses

+Canceling an OT plan in the Azure portal *doesn't* also cancel your Defender for IoT license. To change your billed licenses, make sure that you also cancel your Defender for IoT license from the Microsoft 365 admin center.

+

+For more information, see the [Microsoft 365 admin center documentation](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins#cancel-a-purchase-or-trial-subscription).

+## Migrate from a legacy OT plan

+If you're an existing customer with a legacy OT plan, we recommend migrating your plan to a site-based Microsoft 365 plan. After you've edited your plan, make sure to update your site details with a site size that matches your Microsoft 365 license.

+After migrating your plan to a site-based Microsoft 365 plan, edits are supported only in the Microsoft 365 admin center.

+> [!NOTE]

+> Defender for IoT supports migration for a single subscription only. If you have multiple subscriptions, choose the one you want to migrate, and then move all sensors to that subscription before you update your plan settings.

+> For more information, see [Move existing sensors to a different subscription](#move-existing-sensors-to-a-different-subscription).

+**To migrate your plan**:

+1. Purchase a new, site-based license in the Microsoft 365 Marketplace for the site size that you need. For more information, see [Purchase a Defender for IoT license](#purchase-a-defender-for-iot-license).

+1. In Defender for IoT in the Azure portal, go to **Plans and pricing** and locate the subscription for the plan you want to migrate.

+1. On the subscription row, select the options menu (**...**) at the right > select **Edit plan**.

+1. In the **Price plan** field, select **Microsoft 365 (recommended)** > **Next**. For example:

+ :::image type="content" source="media/release-notes/migrate-to-365.png" alt-text="Screenshot of updating your pricing plan to Microsoft 365.":::

+1. Review your plan details and select **Save**.

+**To update your site sizes**:

+1. In Defender for IoT in the Azure portal, select **Sites and sensors** and then select the name of the site you want to migrate.

+1. In the **Edit site** pane, in the **Size** field, edit your site size to match your licensed sites. For example:

+ :::image type="content" source="media/release-notes/edit-site-size.png" alt-text="Screenshot of editing a site size on the Azure portal.":::

+### Warnings for exceeding committed devices

+If the number of actual devices detected by Defender for IoT exceeds the number of committed devices currently listed on your subscription, you may see a warning message in the Azure portal and on your OT sensor that you have exceeded the maximum number of devices for your subscription.

+This warning indicates you need to update the number of committed devices on the relevant subscription to the actual number of devices being monitored. Click the link in the warning message to take you to the **Plans and pricing** page, with the **Edit plan** pane already open.

+### Move existing sensors to a different subscription

+If you have multiple legacy subscriptions and are migrating to a Microsoft 365 plan, you'll first need to consolidate your sensors to a single subscription. To do this, you'll need to register the sensors under the new subscription and remove them from the original subscription.

+- Devices are synchronized from the sensor to the new subscription automatically.

+- Manual edits made in the portal aren't migrated.

+- New alerts created by the sensor are created under the new subscription, and existing alerts in the old subscription can be closed in bulk.

+**To move sensors to a different subscription**:

+1. In the Azure portal, [onboard the sensor](onboard-sensors.md) from scratch to the new subscription in order to create a new activation file. When onboarding your sensor:

+ - Replicate site and sensor hierarchy as is.

+ - For sensors monitoring overlapping network segments, create the activation file under the same zone. Identical devices that are detected in more than one sensor in a zone, will be merged into one device.

+1. On your sensor, upload the new activation file.

+1. Delete the sensor identities from the previous subscription. For more information, see [Site management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#site-management-options-from-the-azure-portal).

+1. If relevant, cancel the Defender for IoT plan from the previous subscription. For more information, see [Cancel a Defender for IoT plan](#cancel-a-defender-for-iot-plan).

+### Edit a legacy plan on the Azure portal

+ - Change your price plan from a trial to a monthly, annual, or Microsoft 365 plan

+ - Update the number of [committed devices](best-practices/plan-prepare-deploy.md#calculate-devices-in-your-network) (monthly and annual plans only)

+ - Update the number of sites (annual plans only)

+1. Select the **I accept the terms and conditions** option, and then select **Save**.

+1. In Defender for IoT on the Azure portal, select **Plans and pricing**.

+1. Select your plan and then select **Download on-premises management console activation file**.

+- A Defender for IoT OT plan. For more information, see [Add an OT plan to your Azure subscription](../how-to-manage-subscriptions.md#add-an-ot-plan-to-your-azure-subscription).

+ When you add a plan, you're given the option of downloading an activation file for your on-premises management console. Either use the file you'd downloaded then, or use the steps in this article to download it afresh.

+Activate your on-premises management console using a downloaded file from the Azure portal. Either use an activation file you'd downloaded when [adding your plan](../how-to-manage-subscriptions.md#add-an-ot-plan-to-your-azure-subscription), or use the steps in this procedure to download the activation file afresh.

+**To download the activation file**:

+1. In Defender for IoT in the Azure portal, select **Plans and pricing**.

+ > [!NOTE]

+ > If you'd prefer to start in the on-premises management console, you'll see a message prompting you to take action for a missing activation file after signing into the on-premises management console for the first time.

+ >

+ > In the message bar, select the **Take action** link. An **Activation** dialog shows the number of monitored and licensed devices. <br><br>Since you're just starting the deployment, both of these values should be **0**. <br> <br> Select the link to the **Azure portal** to jump to Defender for IoT's **Plans and pricing** page in the Azure portal. |

+**To activate your on-premises management console**:

+1. If you haven't yet, sign into your on-premises management console. In the **Activation** dialog, select **CHOOSE FILE** and select the downloaded activation file.

+## July 2023

+|Service area |Updates |

+|||

+| **OT networks** | [Migrate to site-based licenses](#migrate-to-site-based-licenses) |

+### Migrate to site-based licenses

+Existing customers can now migrate their legacy Defender for IoT purchasing plans to a **Microsoft 365** plan, based on site-based, Microsoft 365 licenses.

+On the **Plans and pricing** page, edit your plan and select the **Microsoft 365** plan instead of your current monthly or annual plan. For example:

+Make sure to edit any relevant sites to match your newly licensed site sizes. For example:

+For more information, see [Migrate from a legacy OT plan](how-to-manage-subscriptions.md#migrate-from-a-legacy-ot-plan) and [Defender for IoT subscription billing](billing.md).

+ Title: Microsoft Azure Data Manager for Energy tier concepts

+description: This article describes tier concepts

+# Azure Data Manager for Energy tiers

+Azure Data Manager for Energy is available in two tiers; Standard and Developer.

+## Developer tier

+The Developer tier of Azure Data Manager for Energy is designed for users who want more flexibility and speed in building out new applications and testing their [OSDU&trade;](https://osduforum.org) Data Platform backed solutions. The Developer tier provides users with the same high bar of security features, and application integration services as the Standard tier at a lower cost and with reduced resource capacity. Organizations can isolate and manage their test and production environments more cost-effectively. Use cases for the Developer tier of Azure Data Manager for Energy includes the following:

+* Evaluating and creating data migration strategy

+* Building proof of concepts and business case demonstrations

+* Defining deployment pipeline

+* Validating application compatibility

+* Validating security features such as Customer Managed Encryption Keys (CMEK)

+* Implementing sensitive data classification

+* Testing new [OSDU&trade;](https://osduforum.org) Data Platform releases

+* Validating data by ingesting in a safe pre production environment

+* Testing new third party or in-house applications

+* Validating service updates

+* Testing API functionality

+Customers can isolate their test and production environments in a safe and effective way.

+## Standard tier

+The Standard tier of Azure Data Manager for energy is ideal for customers' production ready scenarios. These include the following:

+* Operationalizing domain workflows (such as seismic or well log)

+* Deploying and testing predictive reservoir models to a production environment on the cloud

+* Running subsurface models

+* Migrating seismic data across applications

+The standard tier is designed for production scenarios as it provides high availability, reliability and scale. The Standard tier includes the following:

+* Availability Zones

+* Disaster Recovery

+* Financial Backed Service Level Agreement

+* Higher Database Throughput

+* Higher data partition maximum

+* Higher support prioritization

+## Tier details

+| Features | Developer Tier | Standard Tier |

+| | - | - |

+Recommended Use Cases | Non-Production scenario such as [OSDU&trade;](https://osduforum.org) Data Platform testing, data validation, feature testing, troubleshooting, training, and proof of concepts. | Production data availability and business workflows

+[OSDU&trade;](https://osduforum.org) Data Platform Compatibility| Yes | Yes

+Pre Integration w/ Leading Industry Apps | Yes | Yes

+Support | Yes | Yes

+Azure Customer Managed Encryption Keys|Yes| Yes

+Azure Private Links|Yes| Yes

+Financial Backed Service Level Agreement (SLA) Credits | No | Yes

+Disaster Recovery |No| Yes

+Availability Zones |No| Yes

+Database Throughput |Low| High

+Included Data Partition | 1| 1

+Maximum Data Partition |5 | 10

+## How to participate

+You can easily create a Developer tier resource by going to Azure Marketplace, [create portal](https://portal.azure.com/#create/Microsoft.AzureDataManagerforEnergy), and select your desired tier.

+The first thing you want to do is handle `Microsoft.EventGrid.SubscriptionValidationEvent` events. Every time someone subscribes to an event, Event Grid sends a validation event to the endpoint with a `validationCode` in the data payload. The endpoint is required to echo this back in the response body to [prove the endpoint is valid and owned by you](webhook-event-delivery.md). If you're using an [Event Grid Trigger](../azure-functions/functions-bindings-event-grid.md) rather than a WebHook triggered Function, endpoint validation is handled for you. If you use a third-party API service (like [Zapier](https://zapier.com/) or [IFTTT](https://ifttt.com/)), you might not be able to programmatically echo the validation code. For those services, you can manually validate the subscription by using a validation URL that is sent in the subscription validation event. Copy that URL in the `validationUrl` property and send a GET request either through a REST client or your web browser.

+ Title: Defender EASM data connections

+description: "The data connector sends Defender EASM asset data to Log Analytics and Azure Data Explorer. You can export Defender EASM data to either tool."

+# Use data connections

+This article discusses the data connections feature in Microsoft Defender External Attack Surface Management (Defender EASM).

+## Overview

+Defender EASM now offers data connections to help you seamlessly integrate your attack surface data into other Microsoft solutions to supplement existing workflows with new insights. You must get data from Defender EASM into the other security tools you use for remediation purposes to make the best use of your attack surface data.

+The data connector sends Defender EASM asset data to two different platforms: Log Analytics and Azure Data Explorer. You need to export Defender EASM data to either tool. Data connections are subject to the pricing model for each respective platform.

+[Log Analytics](/azure/sentinel/overview) provides security information and event management and security orchestration, automation, and response capabilities. Defender EASM asset or insights information can be used in Log Analytics to enrich existing workflows with other security data. This information can supplement firewall and configuration information, threat intelligence, and compliance data to provide visibility into your external-facing infrastructure on the open internet.

+You can:

+- Create or enrich security incidents.

+- Build investigation playbooks.

+- Train machine learning algorithms.

+- Trigger remediation actions.

+[Azure Data Explorer](/azure/data-explorer/data-explorer-overview) is a big data analytics platform that helps you analyze high volumes of data from various sources with flexible customization capabilities. Defender EASM asset and insights data can be integrated to use visualization, query, ingestion, and management capabilities within the platform.

+Whether you're building custom reports with Power BI or hunting for assets that match precise KQL queries, exporting Defender EASM data to Azure Data Explorer enables you to use your attack surface data with endless customization potential.

+Defender EASM data connections offer you the ability to integrate two different kinds of attack surface data into the tool of your choice. You can elect to migrate asset data, attack surface insights, or both data types. Asset data provides granular details about your entire inventory. Attack surface insights provide immediately actionable insights based on Defender EASM dashboards.

+To accurately present the infrastructure that matters most to your organization, both content options only include assets in the **Approved** inventory state.

+**Asset data**: The Asset Data option sends data about all your inventory assets to the tool of your choice. This option is best for use cases where the granular underlying metadata is key to your Defender EASM integration. Examples include Microsoft Sentinel or customized reporting in Azure Data Explorer. You can export high-level context on every asset in inventory and granular details specific to the particular asset type.

+This option doesn't provide any predetermined insights about the assets. Instead, it offers an expansive amount of data so that you can find the customized insights you care about most.

+**Attack surface insights**: Attack surface insights provide an actionable set of results based on the key insights delivered through dashboards in Defender EASM. This option provides less granular metadata on each asset. It categorizes assets based on the corresponding insights and provides the high-level context required to investigate further. This option is ideal if you want to integrate these predetermined insights into custom reporting workflows with data from other tools.

+## Configuration overviews

+This section presents general information on configuration.

+### Access data connections

+On the leftmost pane in your Defender EASM resource pane, under **Manage**, select **Data Connections**. This page displays the data connectors for both Log Analytics and Azure Data Explorer. It lists any current connections and provides the option to add, edit, or remove connections.

+

+### Connection prerequisites

+To successfully create a data connection, you must first ensure that you've completed the required steps to grant Defender EASM permission to the tool of your choice. This process enables the application to ingest your exported data. It also provides the authentication credentials needed to configure the connection.

+## Configure Log Analytics permissions

+1. Open the Log Analytics workspace that will ingest your Defender EASM data or [create a new workspace](/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal).

+1. On the leftmost pane, under **Settings**, select **Agents**.

+ 

+1. Expand the **Log Analytics agent instructions** section to view your workspace ID and primary key. These values are used to set up your data connection.

+Use of this data connection is subject to the pricing structure of Log Analytics. For more information, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+## Configure Azure Data Explorer permissions

+Ensure that the Defender EASM API service principal has access to the correct roles in the database where you want to export your attack surface data. First, ensure that your Defender EASM resource was created in the appropriate tenant because this action provisions the EASM API principal.

+1. Open the Azure Data Explorer cluster that will ingest your Defender EASM data or [create a new cluster](/azure/data-explorer/create-cluster-database-portal).

+1. On the leftmost pane, under **Data**, select **Databases**.

+1. Select **Add Database** to create a database to house your Defender EASM data.

+ 

+1. Name your database, configure retention and cache periods, and select **Create**.

+ 

+1. After your Defender EASM database is created, select the database name to open the details page. On the leftmost pane, under **Overview**, select **Permissions**.

+ To successfully export Defender EASM data to Azure Data Explorer, you must create two new permissions for the EASM API: **user** and **ingestor**.

+ 

+1. Select **Add** and create a user. Search for **EASM API**, select the value, and choose **Select**.

+1. Select **Add** to create an ingestor. Follow the same steps previously outlined to add the **EASM API** as an ingestor.

+1. Your database is now ready to connect to Defender EASM. You need the cluster name, database name, and region when you configure your data connection.

+You can connect your Defender EASM data to either Log Analytics or Azure Data Explorer. To do so, select **Add connection** for the appropriate tool from the **Data Connections** page.

+A configuration pane opens on the right side of the **Data Connections** page. The following fields are required for each respective tool.

+- **Name**: Enter a name for this data connection.

+- **Workspace ID**: Enter the workspace ID for the Log Analytics instance where you want to export Defender EASM data.

+- **API key**: Enter the API key for the Log Analytics instance.

+- **Content**: Select to integrate asset data, attack surface insights, or both datasets.

+- **Frequency**: Select the frequency that the Defender EASM connection uses to send updated data to the tool of your choice. Available options are daily, weekly, and monthly.

+ 

+### Azure Data Explorer

+- **Name**: Enter a name for this data connection.

+- **Cluster name**: Enter the name of the Azure Data Explorer cluster where you want to export Defender EASM data.

+- **Region**: Enter the region of the Azure Data Explorer cluster.

+- **Database name**: Enter the name of the desired database.

+- **Content**: Select to integrate asset data, attack surface insights, or both datasets.

+- **Frequency**: Select the frequency that the Defender EASM connection uses to send updated data to the tool of your choice. Available options are daily, weekly, and monthly.

+ 

+ After all fields are configured, select **Add** to create the data connection. At this point, the **Data Connections** page displays a banner that indicates the resource was successfully created. In 30 minutes, data begins to populate. After connections are created, they're listed under the applicable tool on the main **Data Connections** page.

+You can edit or delete a data connection. For example, you might notice that a connection is listed as **Disconnected**. In this case, you need to reenter the configuration details to fix the issue.

+To edit or delete a data connection:

+1. Select the appropriate connection from the list on the main **Data Connections** page.

+ 

+1. A page opens that provides more data about the connection. It displays the configurations you chose when you created the connection and any error messages. You also see the following data:

+ - **Recurring on**: The day of the week or month that Defender EASM sends updated data to the connected tool.

+ - **Created**: The date and time that the data connection was created.

+ - **Updated**: The date and time that the data connection was last updated.

+ 

+1. From this page, you can reconnect, edit, or delete your data connection.

+ - **Reconnect**: Attempts to validate the data connection without any changes to the configuration. This option is best if you validated the authentication credentials used for the data connection.

+ - **Edit**: Allows you to change the configuration for the data connection.

+ - **Delete**: Deletes the data connection.

+ Title: Create a Defender EASM Azure resource

+description: This article explains how to create a Microsoft Defender External Attack Surface Management (Defender EASM) Azure resource by using the Azure portal.

+# Create a Defender EASM Azure resource

+This article explains how to create a Microsoft Defender External Attack Surface Management (Defender EASM) Azure resource by using the Azure portal.

+Creating the Defender EASM Azure resource involves two steps:

+- Create a resource group.

+- Create a Defender EASM resource in the resource group.

+Before you create a Defender EASM resource group, become familiar with how to access and use the [Azure portal](https://portal.azure.com/). Also read the [Defender EASM Overview article](index.md) for key context on the product. You need:

+- A Contributor role assigned for you to create a resource. To get this role assigned to your account, follow the steps in the [Assign roles](../role-based-access-control/role-assignments-steps.md) documentation. Or you can contact your administrator.

+1. To create a new resource group, select **Resource groups** in the Azure portal.

+ 

+1. Under **Resource groups**, select **Create**.

+ 

+1. Select or enter the following property values:

+ - **Subscription**: Select an Azure subscription.

+ - **Resource group**: Give the resource group a name.

+ - **Region**: Specify an Azure location. This location is where the resource group stores metadata about the resource. For compliance reasons, you might want to specify where that metadata is stored. In general, we recommend that you specify a location where most of your resources will be. Using the same location can simplify your template. The following regions are supported:

+ - southcentralus

+ - eastus

+ - australiaeast

+ - westus3

+ - swedencentral

+ - eastasia

+ - japaneast

+ - westeurope

+ - northeurope

+ - switzerlandnorth

+ - canadacentral

+ - centralus

+ - norwayeast

+ - francecentral

+ 

+1. Select **Review + create**.

+1. Review the values and select **Create**.

+1. Select **Refresh** to view the new resource group in the list.

+After you create a resource group, you can create Defender EASM resources in the group by searching for Defender EASM in the Azure portal.

+1. In the search box, enter **Microsoft Defender EASM** and select Enter.

+1. Select **Create** to create a Defender EASM resource.

+ 

+1. Select or enter the following property values:

+ - **Resource group**: Select the resource group created in the earlier step. You can also create a new one as part of the process of creating this resource.

+ - **Name**: Give the Defender EASM workspace a name.

+ - **Region**: Select an Azure location. See the supported regions listed in the preceding section.

+ 

+1. Select **Review + create**.

+1. Review the values and select **Create**.

+1. Select **Refresh** to see the status of the resource creation. Now you can go to the resource to get started.

+- [Use and manage discovery](using-and-managing-discovery.md)

+- [Understand dashboards](understanding-dashboards.md)

+description: This article outlines the filter functionality available in Defender EASM to help you find specific subsets of inventory assets based on selected parameters.

+This article outlines the filter functionality available in Microsoft Defender External Attack Surface Management (Defender EASM). Filtering helps you find specific subsets of inventory assets based on selected parameters. This article outlines each filter and operator and provides guidance on input options that yield the best results. It also explains how to save queries for easy accessibility to the filtered results.

+## How it works

+Inventory filters allow you to access a specific subset of data that meets your search parameters. You can apply as many filters as you need to obtain the results you want.

+By default, the **Inventory** screen displays only **Approved** inventory assets. Assets in an alternative state are hidden. This filter can be removed if you want to view assets in a different state. Other states are **Candidate**, **Dependency**, and **Requires investigation**.

+Removing the **Approved** inventory filter is useful when you need to:

+- Review potential new assets.

+- Investigate a third-party dependency issue.

+- See a complete view of all potential owned assets when you conduct a search.

+Defender EASM offers various filters to obtain results of differing levels of granularity. With some filters, you can select value options from a dropdown list. Others require you to manually enter the value you want.

+

+## Saved queries

+You can save queries of interest to quickly access the resulting asset list. This feature is beneficial if you need to search for a particular subset of assets on a routine basis. It's also helpful if you need to easily refer to a specific filter configuration at a later time. Saved filters help you easily access the assets you care about most based on highly customizable parameters.

+To save a query:

+1. First, carefully select the filters to produce the results you want. For more information on the applicable filters for each kind of asset, see the "Next steps" section. In this example, you're searching for domains that expire within 30 days that require renewal. Select **Search**.

+ 

+1. Review the resulting assets. If you're satisfied with the selected filters and want to save the query, select **Save query**.

+1. Name your query and provide a description. Query names can't be edited after the initial setup, but descriptions can be changed at a later time. Select **Save**. A banner appears that confirms the query was saved.

+ 

+1. To view your saved filters, select the **Saved queries** tab at the top of the inventory list page. Any saved queries are visible in the top section. Selecting **Open query** filters your inventory by the designated parameters. From this page, you can also edit or delete saved queries.

+ 

+Inventory filters can be used with the following operators. Some operators aren't available for every filter. Some operators are hidden if they aren't logically applicable to the specific filter.

+| `Equals` | Returns results that exactly match the search value. This filter only returns results for one value at a time. For filters that populate a dropdown list of options, only one option can be selected at a time. To select multiple values, see the `In` operator. |

+| `Does not match` | Returns results where a tokenized term in the field doesn't exactly match the search value. |

+| `In` | Returns results where the field exactly matches one of the search values. For dropdown lists, multiple options can be selected. |

+| `Not In` | Returns results where the field doesn't exactly match any of the search values. Multiple options can be selected. Manually input fields exclude results that match an exact value. |

+| `Greater Than or Equal To` | Returns results that are greater than or equal to a numerical value. Includes dates. |

+| `Between` | Returns results within a numerical range. Includes date ranges. |

+These filters apply to all kinds of assets within an inventory. You can use these filters when you search for a wider range of assets. For a list of filters for specific kinds of assets, see the "Next steps" section.

+### Defined value filters

+ The following filters provide a dropdown list of options that you can select. The available values are predefined.

+| Kind | Filters by specific web property types that comprise your inventory. | ASN, Contact, Domain, Host, IP Address, IP Block, Page, SSL Cert | `Equals`, `Not Equals`, `In`, `Not In`, `Empty`, `Not Empty` |

+| Removed from Inventory | The method by which an asset was removed from inventory. | Archived, Dismissed | |

+| Created At | Filters by the date that an asset was created in your inventory. | Date range via calendar dropdown | `Greater Than or Equal To`, `Less Than or Equal To`, `Between` |

+| Labels | Filters for labels manually applied to inventory assets. | Accepts freeform responses, but also offers a dropdown of labels available in your Defender EASM resource |

+| Wildcard | A wildcard DNS record answers DNS requests for subdomains that haven't already been defined. An example is *.contoso.com. | True, False | `Equals`, `Not Equals` |

+### Freeform filters

+The following filters require you to manually enter the value you want to use for your search. Many of these values are case sensitive.

+| UUID | The universally unique identifier assigned to a particular asset. | acabe677-f0c6-4807-ab4e-3a59d9e66b22 | `Equals`, `Not Equals`, `In`, `Not In` |

+| Name | The name of an asset. | Must align to the format of the asset name as listed in inventory. For instance, a host would appear as mail.contoso.com or an IP as 192.168.92.73. | `Equals`, `Not Equals`, `Starts with`, `Does not start with`, `In`, `Not In`, `Starts with in`, `Does not start with in` |

+| External ID | An identifier provided by a third party. | Typically a numerical value. | `Equals`, `Not Equals`, `Starts with`, `Does not start with`, `Matches`, `Does not match`, `In`, `Not In`, `Starts with in`, `Does not start with in`, `Matches in`, `Does not match in`, `Contains`, `Does Not Contain`, `Contains In`, `Does Not Contain In`, `Empty`, `Not Empty` |

+## Filter for assets outside your approved inventory

+1. On the leftmost pane, select **Inventory** to view your inventory.

+1. To remove the **Approved** inventory filter, select the **X** next to the **State = Approved** filter. Your inventory list expands to include assets in other states, such as **Dismissed**.

+ 

+1. Use the inventory filters to identify the assets you want to find. You might want to review all assets in the **Candidate** state. You can also add any assets that are important to your organization to the **Approved** inventory.

+ 

+ 

+1. Or you might need to find a single specific asset that you want to add to the **Approved** inventory. To discover a specific asset, apply a filter to search for the name.

+ 

+ 

+1. When your inventory list shows the unapproved assets you were searching for, you can modify the assets. For more information on how to update assets, see [Modifying inventory assets](labeling-inventory-assets.md).

+## Next steps

+- [Understand asset details](understanding-asset-details.md)

+- [ASN asset filters](asn-asset-filters.md)

+- [Contact asset filters](contact-asset-filters.md)

+- [Domain asset filters](domain-asset-filters.md)

+- [Host asset filters](host-asset-filters.md)

+- [IP address asset filters](ip-address-asset-filters.md)

+- [IP block asset filters](ip-block-asset-filters.md)

+- [Page asset filters](page-asset-filters.md)

+- [SSL certificate asset filters](ssl-certificate-asset-filters.md)

+ Title: Modify inventory assets

+description: This article outlines how to update assets with customized text labels to categorize and make use of inventory data.

+# Modify inventory assets

+This article outlines how to modify inventory assets. You can change the state of an asset or apply labels to help provide context and use inventory data. This article describes how to modify a single asset or multiple assets and track any updates with the Task Manager.

+## Label assets

+Labels help you organize your attack surface and apply business context in a customizable way. You can apply any text label to a subset of assets to group assets and make better use of your inventory. Customers commonly categorize assets that:

+- Have recently come under your organization's ownership through a merger or acquisition.

+- Are owned by a specific business unit in their organization.

+- Are affected by a specific vulnerability that requires mitigation.

+Labels are freeform text fields, so you can create a label for any use case that applies to your organization.

+[](media/labels-1a.png#lightbox)

+## Apply labels and modify asset states

+You can apply labels or modify asset states from both the inventory list and asset details pages. You can make changes to a single asset from the asset details page. You can make changes to multiple assets from the inventory list page. The following sections describe how to apply changes from the two inventory views depending on your use case.

+### Inventory list page

+You should modify assets from the inventory list page if you want to update numerous assets at once. You can refine your asset list based on filter parameters. This process helps you to identify assets that should be categorized with the label or state change that you want. To modify assets from this page:

+1. On the leftmost pane of your Microsoft Defender External Attack Surface Management (Defender EASM) resource, select **Inventory**.

+1. Apply filters to produce your intended results. In this example, we're looking for domains that expire within 30 days that require renewal. The applied label helps you more quickly access any expiring domains to simplify the remediation process. You can apply as many filters as necessary to obtain the specific results that are needed. For more information on filters, see [Inventory filters overview](inventory-filters.md).

+ 

+1. After your inventory list is filtered, select the dropdown by the checkbox next to the **Asset** table header. This dropdown gives you the option to select all results that match your query or the results on that specific page (up to 25). The **None** option clears all assets. You can also choose to select only specific results on the page by selecting the individual check marks next to each asset.

+ 

+1. Select **Modify assets**.

+1. On the **Modify Assets** pane that opens on the right side of your screen, you can quickly change the state of the selected assets. For this example, you create a new label. Select **Create a new label**.

+1. Determine the label name and display text values. The label name can't be changed after you initially create the label, but the display text can be edited at a later time. The label name is used to query for the label in the product interface or via API, so edits are disabled to ensure these queries work properly. To edit a label name, you need to delete the original label and create a new one.

+ Select a color for your new label and select **Add**. This action takes you back to the **Modify Assets** screen.

+ 

+1. Apply your new label to the assets. Click inside the **Add labels** text box to view a full list of available labels. Or you can type inside the box to search by keyword. After you select the labels you want to apply, select **Update**.

+ 

+1. Allow a few moments for the labels to be applied. After the process is finished, you see a "Completed" notification. The page automatically refreshes and displays your asset list with the labels visible. A banner at the top of the screen confirms that your labels were applied.

+ [](media/labels-6.png#lightbox)

+### Asset details page

+You can also modify a single asset from the asset details page. This option is ideal for situations when assets need to be thoroughly reviewed before a label or state change is applied.

+1. On the leftmost pane of your Defender EASM resource, select **Inventory**.

+1. Select the specific asset you want to modify to open the asset details page.

+1. On this page, select **Modify asset**.

+ 

+1. Follow steps 5 to 7 in the "Inventory list page" section.

+1. The asset details page refreshes and displays the newly applied label or state change. A banner indicates that the asset was successfully updated.

+## Modify, remove, or delete labels

+Users can remove a label from an asset by accessing the same **Modify asset** pane from either the inventory list or asset details view. From the inventory list view, you can select multiple assets at once and then add or remove the desired label in one action.

+To modify the label itself or delete a label from the system:

+1. On the leftmost pane of your Defender EASM resource, select **Labels (Preview)**.

+ [](media/labels-8a.png#lightbox)

+ This page displays all the labels within your Defender EASM inventory. Labels on this page might exist in the system but not be actively applied to any assets. You can also add new labels from this page.

+1. To edit a label, select the pencil icon in the **Actions** column of the label you want to edit. A pane opens on the right side of your screen where you can modify the name or color of a label. Select **Update**.

+1. To remove a label, select the trash can icon from the **Actions** column of the label you want to delete. Select **Remove Label**.

+ 

+The **Labels** page automatically refreshes. The label is removed from the list and also removed from any assets that had the label applied. A banner confirms the removal.

+## Task Manager and notifications

+After a task is submitted, a notification confirms that the update is in progress. From any page in Azure, select the notification (bell) icon to see more information about recent tasks.

+

+

+The Defender EASM system can take seconds to update a handful of assets or minutes to update thousands. You can use the Task Manager to check on the status of any modification tasks in progress. This section outlines how to access the Task Manager and use it to better understand the completion of submitted updates.

+1. On the leftmost pane of your Defender EASM resource, select **Task Manager**.

+ 

+1. This page displays all your recent tasks and their status. Tasks are listed as **Completed**, **Failed**, or **In Progress**. A completion percentage and progress bar also appear. To see more details about a specific task, select the task name. A pane opens on the right side of your screen that provides more information.

+1. Select **Refresh** to see the latest status of all items in the Task Manager.

+## Filter for labels

+After you label assets in your inventory, you can use inventory filters to retrieve a list of all assets with a specific label applied.

+1. On the leftmost pane of your Defender EASM resource, select **Inventory**.

+1. Select **Add filter**.

+1. Select **Labels** from the **Filter** dropdown list. Select an operator and choose a label from the dropdown list of options. The following example shows how to search for a single label. You can use the **In** operator to search for multiple labels. For more information on filters, see the [inventory filters overview](inventory-filters.md).

+ 

+1. Select **Apply**. The inventory list page reloads and displays all assets that match your criteria.

+## Next steps

+- [Understand inventory assets](understanding-inventory-assets.md)

+- [Understand asset details](understanding-asset-details.md)

+ Title: Understand asset details

+description: Learn how Microsoft Defender External Attack Surface Management discovers and defines your organization's internet-exposed attack surface.

+# Understand asset details

+Microsoft Defender External Attack Surface Management (Defender EASM) frequently scans all inventory assets and collects robust contextual metadata that powers Attack Surface Insights. This data can also be viewed more granularly on the asset details page. The data that's provided changes depending on the asset type. For instance, the platform provides unique Whois data for domains, hosts, and IP addresses. It provides signature algorithm data for Secure Sockets Layer (SSL) certificates.

+This article describes how to view and interpret the expansive data collected by Microsoft for each of your inventory assets. It defines this metadata for each asset type and explains how the insights derived from it can help you manage the security posture of your online infrastructure.

+For more information, see [Understanding inventory assets](understanding-inventory-assets.md) to familiarize yourself with the key concepts mentioned in this article.

+You can view the asset details page for any asset by selecting its name from your inventory list. On the left pane of this page, you can view an asset summary that provides key information about that particular asset. This section primarily includes data that applies to all asset types, although more fields are available in some cases. For more information on the metadata provided for each asset type in the summary section, see the following chart.

+

+This section includes high-level information that's key to understanding your assets at a glance. Most of these fields apply to all assets. This section can also include information that's specific to one or more asset types.

+| Name | Definition | Asset types |

+| Asset name | The name of an asset. | All |

+| UUID | This 128-bit label represents the universally unique identifier (UUID) for the asset. | All |

+| Added to inventory | The date that an asset was added to inventory, whether it was automatically added to the **Approved Inventory** state or it's in another state like **Candidate**. | All |

+| Status | The status of the asset within the RiskIQ system. Options include **Approved Inventory**, **Candidate**, **Dependencies**, or **Requires Investigation**. | All |

+| First seen (Global Security Graph) | The date that Microsoft first scanned the asset and added it to the comprehensive Global Security Graph. | All |

+| Discovered on | Indicates the creation date of the discovery group that detected the asset. | All |

+| Last updated | The date that a manual user last updated the asset (for example, by making a state change or asset removal). | All |

+| Whois name | The name associated with a Whois record. | Host |

+| Whois email | The primary contact email in a Whois record. | Host |

+| Whois organization | The listed organization in a Whois record. | Host |

+| Whois registrar | The listed registrar in a Whois record. | Host |

+| Whois name servers | The listed name servers in a Whois record. | Host |

+| Certificate expires | The date when a certificate expires. | SSL certificate |

+| SSL version | The version of SSL that the certificate was registered. | SSL certificate |

+| Certificate key size | The number of bits in an SSL certificate key. | SSL certificate |

+| Signature algorithm OID | The OID that identifies the hash algorithm used to sign the certificate request. | SSL certificate |

+The following IP address information provides more context about the use of the IP.