+To use Azure Active Directory (Azure AD) self-service password reset (SSPR), authentication information for a user must be present. Most organizations have users register their authentication data themselves while collecting information for MFA. Some organizations prefer to bootstrap this process through synchronization of authentication data that already exists in Active Directory Domain Services (AD DS). This synchronized data is made available to Azure AD and SSPR without requiring user interaction. When users need to change or reset their password, they can do so even if they haven't previously registered their contact information.

+> Azure AD PowerShell is planned for deprecation. You can start using [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) to interact with Azure AD as you would in Azure AD PowerShell, or use the [Microsoft Graph REST API for managing authentication methods](/graph/api/resources/authenticationmethods-overview).

+### Use Azure AD PowerShell version 1

+#### Set the authentication data with Azure AD PowerShell version 1

+#### Read the authentication data with Azure AD PowerShell version 1

+### Use Azure AD PowerShell version 2

+Get-Module AzureAD

+Install-Module AzureAD

+#### Set the authentication data with Azure AD PowerShell version 2

+#### Read the authentication data with Azure AD PowerShell version 2

+### Use Microsoft Graph PowerShell

+To get started, [download and install the Microsoft Graph PowerShell module](/powershell/microsoftgraph/overview).

+To quickly install from recent versions of PowerShell that support `Install-Module`, run the following commands. The first line checks to see if the module is already installed:

+```PowerShell

+Get-Module Microsoft.Graph

+Install-Module Microsoft.Graph

+Select-MgProfile -Name "beta"

+Connect-MgGraph -Scopes "User.ReadWrite.All"

+```

+After the module is installed, use the following steps to configure each field.

+#### Set the authentication data with Microsoft Graph PowerShell

+```PowerShell

+Connect-MgGraph -Scopes "User.ReadWrite.All"

+Update-MgUser -UserId 'user@domain.com' -otherMails @("emails@domain.com")

+Update-MgUser -UserId 'user@domain.com' -mobilePhone "+1 4251234567"

+Update-MgUser -UserId 'user@domain.com' -businessPhones "+1 4252345678"

+Update-MgUser -UserId 'user@domain.com' -otherMails @("emails@domain.com") -mobilePhone "+1 4251234567" -businessPhones "+1 4252345678"

+```

+#### Read the authentication data with Microsoft Graph PowerShell

+```PowerShell

+Connect-MgGraph -Scopes "User.Read.All"

+Get-MgUser -UserId 'user@domain.com' | select otherMails

+Get-MgUser -UserId 'user@domain.com' | select mobilePhone

+Get-MgUser -UserId 'user@domain.com' | select businessPhones

+Get-MgUser -UserId 'user@domain.com' | Select businessPhones, mobilePhone, otherMails | Format-Table

+```

+For more information, see the following video.

+The information below should be kept in mind, when selecting a solution.

+- Matching across forests doesn't occur with cloud sync

+- You can't change the attribute that is used for source anchor.

+Multiple AD forests is a common topology, with one or multiple domains, and a single Azure AD tenant.

+## Merging objects from disconnected sources

+### (Public Preview)

+

+In this scenario, the attributes of a user are contributed to by two disconnected Active Directory forests.

+An example would be:

+ - one forest (1) contains most of the attributes

+ - a second forest (2) contains a few attributes

+ Since the second forest doesn't have network connectivity to the Azure AD Connect server, the object can't be merged through Azure AD Connect. Cloud Sync in the second forest allows the attribute value to be retrieved from the second forest. The value can then be merged with the object in Azure AD that is synced by Azure AD Connect.

+This configuration is advanced and there are a few caveats to this topology:

+ 1. You must use `msdsConsistencyGuid` as the source anchor in the Cloud Sync configuration.

+ 2. The `msdsConsistencyGuid` of the user object in the second forest must match that of the corresponding object in Azure AD.

+ 3. You must populate the `UserPrincipalName` attribute and the `Alias` attribute in the second forest and it must match the ones that are synced from the first forest.

+ 4. You must remove all attributes from the attribute mapping in the Cloud Sync configuration that don't have a value or may have a different value in the second forest ΓÇô you can't have overlapping attribute mappings between the first forest and the second one.

+ 5. If there's no matching object in the first forest, for an object that is synced from the second forest, then Cloud Sync will still create the object in Azure AD. The object will only have the attributes that are defined in the mapping configuration of Cloud Sync for the second forest.

+ 6. If you delete the object from the second forest, it will be temporarily soft deleted in Azure AD. It will be restored automatically after the next Azure AD Connect sync cycle.

+ 7. If you delete the object from the first forest, it will be soft deleted from Azure AD. The object won't be restored unless a change is made to the object in the second forest. After 30 days the object will be hard deleted from Azure AD and if a change is made to the object in the second forest it will be created as a new object in Azure AD.

+

+Non-persistent session tokens have a Max Inactive Time of 24 hours whereas persistent session tokens have a Max Inactive Time of 180 days. Any time the SSO session token is used within its validity period, the validity period is extended another 24 hours or 180 days. If the SSO session token is not used within its Max Inactive Time period, it is considered expired and will no longer be accepted. Any changes to this default periods should be change using [Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md).

+Any changes that you make to your application object are also reflected in its service principal object in the application's home tenant only (the tenant where it was registered). This means that deleting an application object will also delete its home tenant service principal object. However, restoring that application object through the app registrations UI won't restore its corresponding service principal. For more information on deletion and recovery of applications and their service principal objects, see [delete and recover applications and service principal objects](../manage-apps/recover-deleted-apps-faq.md).

+Applications that you or your organization have registered are represented by both an application object and service principal object in your tenant. For more information, see [Application objects and service principal objects](./app-objects-and-service-principals.md).

+In order to remove an applicationΓÇÖs access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have Global Administrator access, and can remove the application through the Azure portal or use the [Azure AD PowerShell Cmdlets](/previous-versions/azure/jj151815(v=azure.100)) to remove access.

+ options.L1CacheOptions.SizeLimit = 1024 * 1024 * 1024; // 1 GB

+ });

+[ms-identity-aspnet-webapp-openidconnect](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) | ASP.NET (net472) | Example of token cache serialization in an ASP.NET MVC application (using MSAL.NET). In particular, see [MsalAppBuilder](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/blob/master/WebApp/Utils/MsalAppBuilder.cs).

+This article describes how to program directly against the protocol in your application. When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to [acquire tokens and call secured web APIs](authentication-flows-app-scenarios.md#scenarios-and-supported-authentication-flows). Also take a look at the [sample apps that use MSAL](sample-v2-code.md). As a side note, refresh tokens will never be granted with this flow as `client_id` and `client_secret` (which would be required to obtain a refresh token) can be used to obtain an access token instead.

+[Create an app registration](quickstart-register-app.md) in Azure AD. [Grant your app access to the Azure resources](howto-create-service-principal-portal.md) targeted by your GitHub workflow.

+Sign into the [Azure portal](https://portal.azure.com/). Go to **App registrations** and open the app you want to configure.

+ > The **Users may join devices to Azure AD** setting is applicable only to Azure AD join on Windows 10 or newer. This setting doesn't apply to hybrid Azure AD joined devices, [Azure AD joined VMs in Azure](./howto-vm-sign-in-azure-ad-windows.md#enable-azure-ad-login-for-a-windows-vm-in-azure), or Azure AD joined devices that use [Windows Autopilot self-deployment mode](/mem/autopilot/self-deploying) because these methods work in a userless context.

+ > The **Require Multi-Factor Authentication to register or join devices with Azure AD** setting applies to devices that are either Azure AD joined (with some exceptions) or Azure AD registered. This setting doesn't apply to hybrid Azure AD joined devices, [Azure AD joined VMs in Azure](./howto-vm-sign-in-azure-ad-windows.md#enable-azure-ad-login-for-a-windows-vm-in-azure), or Azure AD joined devices that use [Windows Autopilot self-deployment mode](/mem/autopilot/self-deploying).

+ Title: Log in to a Linux virtual machine in Azure by using Azure AD and OpenSSH

+description: Learn how to log in to an Azure VM that's running Linux by using Azure Active Directory and OpenSSH certificate-based authentication.

+# Log in to a Linux virtual machine in Azure by using Azure AD and OpenSSH

+To improve the security of Linux virtual machines (VMs) in Azure, you can integrate with Azure Active Directory (Azure AD) authentication. You can now use Azure AD as a core authentication platform and a certificate authority to SSH into a Linux VM by using Azure AD and OpenSSH certificate-based authentication. This functionality allows organizations to manage access to VMs with Azure role-based access control (RBAC) and Conditional Access policies.

+This article shows you how to create and configure a Linux VM and log in with Azure AD by using OpenSSH certificate-based authentication.

+> This capability is now generally available. The previous version that made use of device code flow was [deprecated on August 15, 2021](../../virtual-machines/linux/login-using-aad.md). To migrate from the old version to this version, see the section [Migrate from the previous (preview) version](#migrate-from-the-previous-preview-version).

+There are many security benefits of using Azure AD with OpenSSH certificate-based authentication to log in to Linux VMs in Azure. They include:

+- Get SSH key-based authentication without needing to distribute SSH keys to users or provision SSH public keys on any Azure Linux VMs that you deploy. This experience is much simpler than having to worry about sprawl of stale SSH public keys that could cause unauthorized access.

+- Help secure Linux VMs by configuring password complexity and password lifetime policies for Azure AD.

+- With RBAC, specify who can log in to a VM as a regular user or with administrator privileges. When users join your team, you can update the Azure RBAC policy for the VM to grant access as appropriate. When employees leave your organization and their user accounts are disabled or removed from Azure AD, they no longer have access to your resources.

+- With Conditional Access, configure policies to require multifactor authentication or to require that your client device is managed (for example, compliant or hybrid Azure AD joined) before you can use it SSH into Linux VMs.

+- Use Azure deploy and audit policies to require Azure AD login for Linux VMs and flag unapproved local accounts.

+Login to Linux VMs with Azure Active Directory works for customers who use Active Directory Federation Services.

+The following Linux distributions are currently supported for deployments in a supported region:

+Use of the SSH extension for Azure CLI on Azure Kubernetes Service (AKS) clusters is not supported. For more information, see [Support policies for AKS](../../aks/support-policies.md).

+If you choose to install and use the Azure CLI locally, it must be version 2.22.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

+## Meet requirements for login with Azure AD using OpenSSH certificate-based authentication

+To enable Azure AD login through SSH certificate-based authentication for Linux VMs in Azure, be sure to meet the following network, virtual machine, and client (SSH client) requirements.

+VM network configuration must permit outbound access to the following endpoints over TCP port 443.

+Azure Global:

+- `https://packages.microsoft.com`: For package installation and upgrades.

+- `http://169.254.169.254`: Azure Instance Metadata Service endpoint.

+- `https://login.microsoftonline.com`: For PAM-based (pluggable authentication modules) authentication flows.

+- `https://pas.windows.net`: For Azure RBAC flows.

+Azure Government:

+- `https://packages.microsoft.com`: For package installation and upgrades.

+- `http://169.254.169.254`: Azure Instance Metadata Service endpoint.

+- `https://login.microsoftonline.us`: For PAM-based authentication flows.

+- `https://pasff.usgovcloudapi.net`: For Azure RBAC flows.

+Azure China 21Vianet:

+- `https://packages.microsoft.com`: For package installation and upgrades.

+- `http://169.254.169.254`: Azure Instance Metadata Service endpoint.

+- `https://login.chinacloudapi.cn`: For PAM-based authentication flows.

+- `https://pas.chinacloudapi.cn`: For Azure RBAC flows.

+Ensure that your VM is configured with the following functionality:

+- System-assigned managed identity. This option is automatically selected when you use the Azure portal to create VMs and select the Azure AD login option. You can also enable system-assigned managed identity on a new or existing VM by using the Azure CLI.

+- `aadsshlogin` and `aadsshlogin-selinux` (as appropriate). These packages are installed with the AADSSHLoginForLinux VM extension. The extension is installed when you use the Azure portal or the Azure CLI to create VMs and enable Azure AD login (**Management** tab).

+Ensure that your client meets the following requirements:

+- SSH client support for OpenSSH-based certificates for authentication. You can use Azure CLI (2.21.1 or later) with OpenSSH (included in Windows 10 version 1803 or later) or Azure Cloud Shell to meet this requirement.

+- SSH extension for Azure CLI. You can install this extension by using `az extension add --name ssh`. You don't need to install this extension when you're using Azure Cloud Shell, because it comes preinstalled.

+ If you're using any SSH client other than the Azure CLI or Azure Cloud Shell that supports OpenSSH certificates, you'll still need to use the Azure CLI with the SSH extension to retrieve ephemeral SSH certificates and optionally a configuration file. You can then use the configuration file with your SSH client.

+- TCP connectivity from the client to either the public or private IP address of the VM. (ProxyCommand or SSH forwarding to a machine with connectivity also works.)

+> SSH clients based on PuTTY don't support OpenSSH certificates and can't be used to log in with Azure AD OpenSSH certificate-based authentication.

+## Enable Azure AD login for a Linux VM in Azure

+To use Azure AD login for a Linux VM in Azure, you need to first enable the Azure AD login option for your Linux VM. You then configure Azure role assignments for users who are authorized to log in to the VM. Finally, you use the SSH client that supports OpenSSH, such as the Azure CLI or Azure Cloud Shell, to SSH into your Linux VM.

+There are two ways to enable Azure AD login for your Linux VM:

+- The Azure portal experience when you're creating a Linux VM

+- The Azure Cloud Shell experience when you're creating a Linux VM or using an existing one

+### Azure portal

+You can enable Azure AD login for any of the [supported Linux distributions](#supported-linux-distributions-and-azure-regions) by using the Azure portal.

+For example, to create an Ubuntu Server 18.04 Long Term Support (LTS) VM in Azure with Azure AD login:

+1. Sign in to the Azure portal by using an account that has access to create VMs, and then select **+ Create a resource**.

+1. Select **Create** under **Ubuntu Server 18.04 LTS** in the **Popular** view.

+1. On the **Management** tab:

+ 1. Select the **Login with Azure Active Directory** checkbox.

+ 1. Ensure that the **System assigned managed identity** checkbox is selected.

+1. Go through the rest of the experience of creating a virtual machine. You'll have to create an administrator account with username and password or SSH public key.

+### Azure Cloud Shell

+Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Just select the **Copy** button to copy the code, paste it in Cloud Shell, and then select the Enter key to run it.

+There are a few ways to open Cloud Shell:

+- Select **Try It** in the upper-right corner of a code block.

+If you choose to install and use the Azure CLI locally, this article requires you to use version 2.22.1 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli).

+1. Create a resource group by running [az group create](/cli/azure/group#az-group-create).

+1. Create a VM by running [az vm create](/cli/azure/vm#az-vm-create&preserve-view=true). Use a supported distribution in a supported region.

+1. Install the Azure AD login VM extension by using [az vm extension set](/cli/azure/vm/extension#az-vm-extension-set).

+The following example deploys a VM and then installs the extension to enable Azure AD login for a Linux VM. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. Customize the example as needed to support your testing requirements.

+The AADSSHLoginForLinux extension can be installed on an existing (supported distribution) Linux VM with a running VM agent to enable Azure AD authentication. If you're deploying this extension to a previously created VM, the VM must have at least 1 GB of memory allocated or the installation will fail.

+The `provisioningState` value of `Succeeded` appears when the extension is successfully installed on the VM. The VM must have a running [VM agent](../../virtual-machines/extensions/agent-linux.md) to install the extension.

+Now that you've created the VM, you need to configure an Azure RBAC policy to determine who can log in to the VM. Two Azure roles are used to authorize VM login:

+- **Virtual Machine Administrator Login**: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges.

+- **Virtual Machine User Login**: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges.

+To allow a user to log in to a VM over SSH, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role on the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resources.

+An Azure user who has the Owner or Contributor role assigned for a VM doesn't automatically have privileges to Azure AD login to the VM over SSH. There's an intentional (and audited) separation between the set of people who control virtual machines and the set of people who can access virtual machines.

+There are two ways to configure role assignments for a VM:

+- Azure AD portal experience

+> The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions` and can be assigned at the management group, subscription, resource group, or resource scope. We recommend that you assign the roles at the management group, subscription, or resource level and not at the individual VM level. This practice avoids the risk of reaching the [Azure role assignments limit](../../role-based-access-control/troubleshooting.md#azure-role-assignments-limit) per subscription.

+### Azure AD portal

+To configure role assignments for your Azure AD-enabled Linux VMs:

+1. For **Resource Group**, select the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resource.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+ 

+### Azure Cloud Shell

+The following example uses [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. You obtain the username of your current Azure account by using [az account show](/cli/azure/account#az-account-show), and you set the scope to the VM created in a previous step by using [az vm show](/cli/azure/vm#az-vm-show).

+You can also assign the scope at a resource group or subscription level. Normal Azure RBAC inheritance permissions apply.

+> If your Azure AD domain and login username domain don't match, you must specify the object ID of your user account by using `--assignee-object-id`, not just the username for `--assignee`. You can obtain the object ID for your user account by using [az ad user list](/cli/azure/ad/user#az-ad-user-list).

+For more information on how to use Azure RBAC to manage access to your Azure subscription resources, see [Steps to assign an Azure role](../../role-based-access-control/role-assignments-steps.md).

+## Install the SSH extension for Azure CLI

+If you're using Azure Cloud Shell, no other setup is needed because both the minimum required version of the Azure CLI and the SSH extension for Azure CLI are already included in the Cloud Shell environment.

+Run the following command to add the SSH extension for Azure CLI:

+The minimum version required for the extension is 0.1.4. Check the installed version by using the following command:

+## Enforce Conditional Access policies

+You can enforce Conditional Access policies that are enabled with Azure AD login, such as:

+- Requiring multifactor authentication.

+- Requiring a compliant or hybrid Azure AD-joined device for the device running the SSH client.

+- Checking for risks before authorizing access to Linux VMs in Azure.

+The application that appears in the Conditional Access policy is called *Azure Linux VM Sign-In*.

+> Conditional Access policy enforcement that requires device compliance or hybrid Azure AD join on the device that's running the SSH client works only with the Azure CLI that's running on Windows and macOS. It's not supported when you're using the Azure CLI on Linux or Azure Cloud Shell.

+If the Azure Linux VM Sign-In application is missing from Conditional Access, make sure the application isn't in the tenant:

+1. Sign in to the Azure portal.

+1. Browse to **Azure Active Directory** > **Enterprise applications**.

+1. Remove the filters to see all applications, and search for **VM**. If you don't see Azure Linux VM Sign-In as a result, the service principal is missing from the tenant.

+1. Enter the command `Connect-MgGraph -Scopes "ServicePrincipalEndpoint.ReadWrite.All","Application.ReadWrite.All"`.

+1. Sign in with a Global Admin account.

+1. Consent to the prompt that asks for your permission.

+1. Enter the command `Get-MgServicePrincipal -ConsistencyLevel eventual -Search '"DisplayName:Azure Linux VM Sign-In"'`.

+

+ If this command results in no output and returns you to the PowerShell prompt, you can create the service principal by using the following Graph PowerShell command: `New-MgServicePrincipal -AppId ce6ff14a-7fdc-4685-bbe0-f6afdfcfa8e0`.

+

+ Successful output will show that the app ID and the application name Azure Linux VM Sign-In were created.

+1. Sign out of Graph PowerShell by using the following command: `Disconnect-MgGraph`.

+## Log in by using an Azure AD user account to SSH into the Linux VM

+### Log in by using the Azure CLI

+Enter `az login`. This command opens a browser window, where you can sign in by using your Azure AD account.

+Then enter `az ssh vm`. The following example automatically resolves the appropriate IP address for the VM.

+If you're prompted, enter your Azure AD login credentials at the login page, perform multifactor authentication, and/or satisfy device checks. You'll be prompted only if your Azure CLI session doesn't already meet any required Conditional Access criteria. Close the browser window, return to the SSH prompt, and you'll be automatically connected to the VM.

+You're now signed in to the Linux virtual machine with the role permissions as assigned, such as VM User or VM Administrator. If your user account is assigned the Virtual Machine Administrator Login role, you can use sudo to run commands that require root privileges.

+### Log in by using Azure Cloud Shell

+You can use Azure Cloud Shell to connect to VMs without needing to install anything locally to your client machine. Start Cloud Shell by selecting the shell icon in the upper-right corner of the Azure portal.

+Cloud Shell automatically connects to a session in the context of the signed-in user. Now run `az login` again and go through the interactive sign-in flow:

+Then you can use the normal `az ssh vm` commands to connect by using the name and resource group or IP address of the VM:

+> Conditional Access policy enforcement that requires device compliance or hybrid Azure AD join is not supported when you're using Azure Cloud Shell.

+## Log in by using the Azure AD service principal to SSH into the Linux VM

+The Azure CLI supports authenticating with a service principal instead of a user account. Because service principals aren't tied to any particular user, customers can use them to SSH into a VM to support any automation scenarios they might have. The service principal must have VM Administrator or VM User rights assigned. Assign permissions at the subscription or resource group level.

+The following example will assign VM Administrator rights to the service principal at the resource group level. Replace the placeholders for service principal object ID, subscription ID, and resource group name.

+Use the following example to authenticate to the Azure CLI by using the service principal. For more information, see the article [Sign in to the Azure CLI with a service principal](/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal).

+When authentication with a service principal is complete, use the normal Azure CLI SSH commands to connect to the VM:

+## Export the SSH configuration for use with SSH clients that support OpenSSH

+Login to Azure Linux VMs with Azure AD supports exporting the OpenSSH certificate and configuration. That means you can use any SSH clients that support OpenSSH-based certificates to sign in through Azure AD. The following example exports the configuration for all IP addresses assigned to the VM:

+Alternatively, you can export the configuration by specifying just the IP address. Replace the IP address in the following example with the public or private IP address for your VM. (You must bring your own connectivity for private IPs.) Enter `az ssh config -h` for help with this command.

+## Run sudo with Azure AD login

+After users who are assigned the VM Administrator role successfully SSH into a Linux VM, they'll be able to run sudo with no other interaction or authentication requirement. Users who are assigned the VM User role won't be able to run sudo.

+## Connect to VMs in virtual machine scale sets

+Virtual machine scale sets are supported, but the steps are slightly different for enabling and connecting to VMs in a virtual machine scale set:

+1. Create a virtual machine scale set or choose one that already exists. Enable a system-assigned managed identity for your virtual machine scale set:

+ ```azurecli

+ az vmss identity assign --name myVMSS --resource-group AzureADLinuxVM

+ ```

+2. Install the Azure AD extension on your virtual machine scale set:

+ ```azurecli

+ az vmss extension set --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLoginForLinux --resource-group AzureADLinuxVM --vmss-name myVMSS

+ ```

+Virtual machine scale sets usually don't have public IP addresses. You must have connectivity to them from another machine that can reach their Azure virtual network. This example shows how to use the private IP of a VM in a virtual machine scale set to connect from a machine in the same virtual network:

+> You can't automatically determine the virtual machine scale set VM's IP addresses by using the `--resource-group` and `--name` switches.

+## Migrate from the previous (preview) version

+If you're using the previous version of Azure AD login for Linux that was based on device code flow, complete the following steps by using the Azure CLI:

+1. Uninstall the AADLoginForLinux extension on the VM:

+ > Uninstallation of the extension can fail if there are any Azure AD users currently logged in on the VM. Make sure all users are logged out first.

+1. Enable system-assigned managed identity on your VM:

+1. Install the AADSSHLoginForLinux extension on the VM:

+## Use Azure Policy to meet standards and assess compliance

+Use Azure Policy to:

+- Ensure that Azure AD login is enabled for your new and existing Linux virtual machines.

+- Assess compliance of your environment at scale on a compliance dashboard.

+With this capability, you can use many levels of enforcement. You can flag new and existing Linux VMs within your environment that don't have Azure AD login enabled. You can also use Azure Policy to deploy the Azure AD extension on new Linux VMs that don't have Azure AD login enabled, as well as remediate existing Linux VMs to the same standard.

+In addition to these capabilities, you can use Azure Policy to detect and flag Linux VMs that have unapproved local accounts created on their machines. To learn more, review [Azure Policy](../../governance/policy/overview.md).

+Use the following sections to correct common errors that can happen when you try to SSH with Azure AD credentials.

+### Couldn't retrieve token from local cache

+If you get a message that says the token couldn't be retrieved from the local cache, you must run `az login` again and go through an interactive sign-in flow. Review the section about [logging in by using Azure Cloud Shell](#log-in-by-using-azure-cloud-shell).

+If you see an "Azure role not assigned" error on your SSH prompt, verify that you've configured Azure RBAC policies for the VM that grants the user either the Virtual Machine Administrator Login role or the Virtual Machine User Login role. If you're having problems with Azure role assignments, see the article [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#azure-role-assignments-limit).

+If the uninstallation scripts fail, the extension might get stuck in a transitioning state. When this happens, the extension can leave packages that it's supposed to uninstall during its removal. In such cases, it's better to manually uninstall the old packages and then try to run the `az vm extension delete` command.

+To uninstall old packages:

+1. Log in as a local user with admin privileges.

+1. Make sure there are no logged-in Azure AD users. Call the `who -u` command to see who is logged in. Then use `sudo kill <pid>` for all session processes that the previous command reported.

+1. Run `sudo apt remove --purge aadlogin` (Ubuntu/Debian), `sudo yum erase aadlogin` (RHEL or CentOS), or `sudo zypper remove aadlogin` (openSUSE or SLES).

+1. If the command fails, try the low-level tools with scripts disabled:

+ 1. For Ubuntu/Debian, run `sudo dpkg --purge aadlogin`. If it's still failing because of the script, delete the `/var/lib/dpkg/info/aadlogin.prerm` file and try again.

+ 1. For everything else, run `rpm -e ΓÇônoscripts aadogin`.

+### Extension installation errors

+Installation of the AADSSHLoginForLinux VM extension to existing computers might fail with one of the following known error codes.

+#### Non-zero exit code 22

+If you get exit code 22, the status of the AADSSHLoginForLinux VM extension shows as **Transitioning** in the portal.

+This failure happens because a system-assigned managed identity is required.

+The solution is to:

+1. Run the extension installation command again.

+#### Non-zero exit code 23

+If you get exit code 23, the status of the AADSSHLoginForLinux VM extension shows as **Transitioning** in the portal.

+This failure happens when the older AADLoginForLinux VM extension is still installed.

+The solution is to uninstall the older AADLoginForLinux VM extension from the VM. The status of the new AADSSHLoginForLinux VM extension will then change to **Provisioning succeeded** in the portal.

+#### The az ssh vm command fails with KeyError access_token

+If the `az ssh vm` command fails, you're using an outdated version of the Azure CLI client.

+The solution is to upgrade the Azure CLI client to version 2.21.0 or later.

+#### SSH connection is closed

+After a user successfully signs in by using `az login`, connection to the VM through `az ssh vm -ip <address>` or `az ssh vm --name <vm_name> -g <resource_group>` might fail with "Connection closed by <ip_address> port 22."

+One cause for this error is that the user isn't assigned to the Virtual Machine Administrator Login or Virtual Machine User Login role within the scope of this VM. In that case, the solution is to add the user to one of those Azure RBAC roles within the scope of this VM.

+This error can also happen if the user is in a required Azure RBAC role, but the system-assigned managed identity has been disabled on the VM. In that case, perform these actions:

+1. Allow several minutes to pass before the user tries to connect by using `az ssh vm --ip <ip_address>`.

+### Connection problems with virtual machine scale sets

+VM connections with virtual machine scale sets can fail if the scale set instances are running an old model.

+Upgrading scale set instances to the latest model might resolve the problem, especially if an upgrade hasn't been done since the Azure AD Login extension was installed. Upgrading an instance applies a standard scale set configuration to the individual instance.

+### AllowGroups or DenyGroups statements in sshd_config cause the first login to fail for Azure AD users

+If *sshd_config* contains either `AllowGroups` or `DenyGroups` statements, the first login fails for Azure AD users. If the statement was added after users have already had a successful login, they can log in.

+One solution is to remove `AllowGroups` and `DenyGroups` statements from *sshd_config*.

+Another solution is to move `AllowGroups` and `DenyGroups` to a `match user` section in *sshd_config*. Make sure the match template excludes Azure AD users.

+- [What is a device identity?](overview.md)

+- [Common Conditional Access policies](../conditional-access/concept-conditional-access-policy-common.md)

+ Title: Log in to a Windows virtual machine in Azure by using Azure AD

+description: Learn how to log in to an Azure VM that's running Windows by using Azure AD authentication.

+# Log in to a Windows virtual machine in Azure by using Azure AD

+Organizations can improve the security of Windows virtual machines (VMs) in Azure by integrating with Azure Active Directory (Azure AD) authentication. You can now use Azure AD as a core authentication platform to RDP into *Windows Server 2019 Datacenter edition* and later, or *Windows 10 1809* and later. You can then centrally control and enforce Azure role-based access control (RBAC) and Conditional Access policies that allow or deny access to the VMs.

+This article shows you how to create and configure a Windows VM and log in by using Azure AD-based authentication.

+There are many security benefits of using Azure AD-based authentication to log in to Windows VMs in Azure. They include:

+- Use Azure AD credentials to log in to Windows VMs in Azure. The result is federated and managed domain users.

+- Password complexity and password lifetime policies that you configure for Azure AD also help secure Windows VMs.

+- With Azure RBAC:

+ - Specify who can log in to a VM as a regular user or with administrator privileges.

+ - When employees leave your organization and their user accounts are disabled or removed from Azure AD, they no longer have access to your resources.

+- Configure Conditional Access policies to require multifactor authentication (MFA) and other signals, such as user sign-in risk, before you can RDP into Windows VMs.

+- Use Azure deploy and audit policies to require Azure AD login for Windows VMs and to flag the use of unapproved local accounts on the VMs.

+- Use Intune to automate and scale Azure AD join with mobile device management (MDM) auto-enrollment of Azure Windows VMs that are part of your virtual desktop infrastructure (VDI) deployments.

+

+ MDM auto-enrollment requires Azure AD Premium P1 licenses. Windows Server VMs don't support MDM enrollment.

+> After you enable this capability, your Windows VMs in Azure will be Azure AD joined. You cannot join them to another domain, like on-premises Active Directory or Azure Active Directory Domain Services. If you need to do so, disconnect the VM from Azure AD by uninstalling the extension.

+This feature currently supports the following Windows distributions:

+> Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM.

+To enable Azure AD authentication for your Windows VMs in Azure, you need to ensure that your VM's network configuration permits outbound access to the following endpoints over TCP port 443.

+Azure Global:

+- `https://enterpriseregistration.windows.net`: For device registration.

+- `http://169.254.169.254`: Azure Instance Metadata Service endpoint.

+- `https://login.microsoftonline.com`: For authentication flows.

+- `https://pas.windows.net`: For Azure RBAC flows.

+Azure Government:

+- `https://enterpriseregistration.microsoftonline.us`: For device registration.

+- `http://169.254.169.254`: Azure Instance Metadata Service endpoint.

+- `https://login.microsoftonline.us`: For authentication flows.

+- `https://pasff.usgovcloudapi.net`: For Azure RBAC flows.

+Azure China 21Vianet:

+- `https://enterpriseregistration.partner.microsoftonline.cn`: For device registration.

+- `http://169.254.169.254`: Azure Instance Metadata Service endpoint.

+- `https://login.chinacloudapi.cn`: For authentication flows.

+- `https://pas.chinacloudapi.cn`: For Azure RBAC flows.

+## Enable Azure AD login for a Windows VM in Azure

+To use Azure AD login for a Windows VM in Azure, you must:

+1. Enable the Azure AD login option for the VM.

+1. Configure Azure role assignments for users who are authorized to log in to the VM.

+There are two ways to enable Azure AD login for your Windows VM:

+- The Azure portal, when you're creating a Windows VM.

+- Azure Cloud Shell, when you're creating a Windows VM or using an existing Windows VM.

+### Azure portal

+You can enable Azure AD login for VM images in Windows Server 2019 Datacenter or Windows 10 1809 and later.

+To create a Windows Server 2019 Datacenter VM in Azure with Azure AD login:

+1. Sign in to the [Azure portal](https://portal.azure.com) by using an account that has access to create VMs, and select **+ Create a resource**.

+1. In the **Search the Marketplace** search bar, type **Windows Server**.

+1. Select **Windows Server**, and then choose **Windows Server 2019 Datacenter** from the **Select a software plan** dropdown list.

+1. Select **Create**.

+1. On the **Management** tab, select the **Login with Azure AD** checkbox in the **Azure AD** section.

+ 

+1. Make sure that **System assigned managed identity** in the **Identity** section is selected. This action should happen automatically after you enable login with Azure AD.

+1. Go through the rest of the experience of creating a virtual machine. You'll have to create an administrator username and password for the VM.

+> To log in to the VM by using your Azure AD credentials, you first need to [configure role assignments](#configure-role-assignments-for-the-vm) for the VM.

+### Azure Cloud Shell

+Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Just select the **Copy** button to copy the code, paste it in Cloud Shell, and then select the Enter key to run it. There are a few ways to open Cloud Shell:

+This article requires you to run Azure CLI version 2.0.31 or later. Run `az --version` to find the version. If you need to install or upgrade, see the article [Install the Azure CLI](/cli/azure/install-azure-cli).

+1. Create a resource group by running [az group create](/cli/azure/group#az-group-create).

+1. Create a VM by running [az vm create](/cli/azure/vm#az-vm-create). Use a supported distribution in a supported region.

+The following example deploys a VM named `myVM` (that uses `Win2019Datacenter`) into a resource group named `myResourceGroup`, in the `southcentralus` region. In this example and the next one, you can provide your own resource group and VM names as needed.

+> You must enable system-assigned managed identity on your virtual machine before you install the Azure AD login VM extension.

+Finally, install the Azure AD login VM extension to enable Azure AD login for Windows VMs. VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines. Use [az vm extension](/cli/azure/vm/extension#az-vm-extension-set) set to install the AADLoginForWindows extension on the VM named `myVM` in the `myResourceGroup` resource group.

+You can install the AADLoginForWindows extension on an existing Windows Server 2019 or Windows 10 1809 and later VM to enable it for Azure AD authentication. The following example uses the Azure CLI to install the extension:

+After the extension is installed on the VM, `provisioningState` shows `Succeeded`.

+Now that you've created the VM, you need to configure an Azure RBAC policy to determine who can log in to the VM. Two Azure roles are used to authorize VM login:

+- **Virtual Machine Administrator Login**: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges.

+- **Virtual Machine User Login**: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges.

+To allow a user to log in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resources.

+An Azure user who has the Owner or Contributor role assigned for a VM does not automatically have privileges to log in to the VM over RDP. The reason is to provide audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.

+There are two ways to configure role assignments for a VM:

+- Azure AD portal experience

+- Azure Cloud Shell experience

+> The Virtual Machine Administrator Login and Virtual Machine User Login roles use `dataActions`, so they can't be assigned at the management group scope. Currently, you can assign these roles only at the subscription, resource group, or resource scope.

+### Azure AD portal

+To configure role assignments for your Azure AD-enabled Windows Server 2019 Datacenter VMs:

+1. For **Resource Group**, select the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resource.

+1. Select **Add** > **Add role assignment** to open the **Add role assignment** page.

+1. Assign the following role. For detailed steps, see [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+ 

+### Azure Cloud Shell

+The following example uses [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) to assign the Virtual Machine Administrator Login role to the VM for your current Azure user. You obtain the username of your current Azure account by using [az account show](/cli/azure/account#az-account-show), and you set the scope to the VM created in a previous step by using [az vm show](/cli/azure/vm#az-vm-show).

+You can also assign the scope at a resource group or subscription level. Normal Azure RBAC inheritance permissions apply. For more information, see [Log in to a Linux virtual machine in Azure by using Azure Active Directory authentication](../../virtual-machines/linux/login-using-aad.md).

+> If your Azure AD domain and login username domain don't match, you must specify the object ID of your user account by using `--assignee-object-id`, not just the username for `--assignee`. You can obtain the object ID for your user account by using [az ad user list](/cli/azure/ad/user#az-ad-user-list).

+For more information about how to use Azure RBAC to manage access to your Azure subscription resources, see the following articles:

+- [Assign Azure roles by using the Azure CLI](../../role-based-access-control/role-assignments-cli.md)

+- [Assign Azure roles by using the Azure portal](../../role-based-access-control/role-assignments-portal.md)

+- [Assign Azure roles by using Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md)

+## Enforce Conditional Access policies

+You can enforce Conditional Access policies, such as multifactor authentication or user sign-in risk check, before you authorize access to Windows VMs in Azure that are enabled with Azure AD login. To apply a Conditional Access policy, you must select the **Azure Windows VM Sign-In** app from the cloud apps or actions assignment option. Then use sign-in risk as a condition and/or require MFA as a control for granting access.

+> If you require MFA as a control for granting access to the Azure Windows VM Sign-In app, then you must supply an MFA claim as part of the client that initiates the RDP session to the target Windows VM in Azure. The only way to achieve this on a Windows 10 or later client is to use a Windows Hello for Business PIN or biometric authentication with the RDP client. Support for biometric authentication was added to the RDP client in Windows 10 version 1809.

+>

+> Remote desktop using Windows Hello for Business authentication is available only for deployments that use a certificate trust model. It's currently not available for a key trust model.

+> The per-user **Enabled/Enforced Azure AD Multi-Factor Authentication** setting is not supported for the Azure Windows VM Sign-In app.

+## Log in by using Azure AD credentials to a Windows VM

+> Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the *same* directory as the VM. Additionally, to RDP by using Azure AD credentials, users must belong to one of the two Azure roles, Virtual Machine Administrator Login or Virtual Machine User Login.

+>

+> If you're using an Azure AD-registered Windows 10 or later PC, you must enter credentials in the `AzureAD\UPN` format (for example, `AzureAD\john@contoso.com`). At this time, you can use Azure Bastion to log in with Azure AD authentication [via the Azure CLI and the native RDP client mstsc](../../bastion/connect-native-client-windows.md).

+To log in to your Windows Server 2019 virtual machine by using Azure AD:

+1. Go to the overview page of the virtual machine that has been enabled with Azure AD login.

+1. Select **Connect** to open the **Connect to virtual machine** pane.

+1. Select **Open** to open the Remote Desktop Connection client.

+1. Select **Connect** to open the Windows login dialog.

+1. Log in by using your Azure AD credentials.

+You're now logged in to the Windows Server 2019 Azure virtual machine with the role permissions as assigned, such as VM User or VM Administrator.

+> You can save the .rdp file locally on your computer to start future remote desktop connections to your virtual machine, instead of going to the virtual machine overview page in the Azure portal and using the connect option.

+## Use Azure Policy to meet standards and assess compliance

+Use Azure Policy to:

+- Ensure that Azure AD login is enabled for your new and existing Windows virtual machines.

+- Assess compliance of your environment at scale on a compliance dashboard.

+With this capability, you can use many levels of enforcement. You can flag new and existing Windows VMs within your environment that don't have Azure AD login enabled. You can also use Azure Policy to deploy the Azure AD extension on new Windows VMs that don't have Azure AD login enabled, and remediate existing Windows VMs to the same standard.

+In addition to these capabilities, you can use Azure Policy to detect and flag Windows VMs that have unapproved local accounts created on their machines. To learn more, review [Azure Policy](../../governance/policy/overview.md).

+## Troubleshoot deployment problems

+The AADLoginForWindows extension must be installed successfully for the VM to complete the Azure AD join process. If the VM extension fails to be installed correctly, perform the following steps:

+1. RDP to the VM by using the local administrator account and examine the *CommandExecution.log* file under *C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows\1.0.0.1*.

+ > If the extension restarts after the initial failure, the log with the deployment error will be saved as *CommandExecution_YYYYMMDDHHMMSSSSS.log*.

+1. Open a PowerShell window on the VM. Verify that the following queries against the Azure Instance Metadata Service endpoint running on the Azure host return the expected output:

+ | `curl -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"` | Valid tenant ID associated with the Azure subscription |

+ > You can decode the access token by using a tool like [calebb.net](http://calebb.net/). Verify that the `oid` value in the access token matches the managed identity that's assigned to the VM.

+1. Ensure that the required endpoints are accessible from the VM via PowerShell:

+ > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. `login.microsoftonline.com/<TenantID>`, `enterpriseregistration.windows.net`, and `pas.windows.net` should return 404 Not Found, which is expected behavior.

+1. View the device state by running `dsregcmd /status`. The goal is for the device state to show as `AzureAdJoined : YES`.

+ > Azure AD join activity is captured in Event Viewer under the *User Device Registration\Admin* log at *Event Viewer (local)\Applications* and *Services Logs\Windows\Microsoft\User Device Registration\Admin*.

+If the AADLoginForWindows extension fails with an error code, you can perform the following steps.

+### Terminal error code 1007 and exit code -2145648574.

+Terminal error code 1007 and exit code -2145648574 translate to `DSREG_E_MSI_TENANTID_UNAVAILABLE`. The extension can't query the Azure AD tenant information.

+Connect to the VM as a local administrator and verify that the endpoint returns a valid tenant ID from Azure Instance Metadata Service. Run the following command from an elevated PowerShell window on the VM:

+`curl -H Metadata:true http://169.254.169.254/metadata/identity/info?api-version=2018-02-01`

+This problem can also happen when the VM admin attempts to install the AADLoginForWindows extension, but a system-assigned managed identity hasn't enabled the VM first. In that case, go to the **Identity** pane of the VM. On the **System assigned** tab, verify that the **Status** toggle is set to **On**.

+### Exit code -2145648607

+Exit code -2145648607 translates to `DSREG_AUTOJOIN_DISC_FAILED`. The extension can't reach the `https://enterpriseregistration.windows.net` endpoint.

+1. Verify that the required endpoints are accessible from the VM via PowerShell:

+ > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Azure Active Directory** > **Properties** > **Directory ID** in the Azure portal.

+ >

+ > Attempts to connect to `enterpriseregistration.windows.net` might return 404 Not Found, which is expected behavior. Attempts to connect to `pas.windows.net` might prompt for PIN credentials or might return 404 Not Found. (You don't need to enter the PIN.) Either one is sufficient to verify that the URL is reachable.

+1. If any of the commands fails with "Could not resolve host `<URL>`," try running this command to determine which DNS server the VM is using:

+ > Replace `<URL>` with the fully qualified domain names that the endpoints use, such as `login.microsoftonline.com`.

+1. See whether specifying a public DNS server allows the command to succeed:

+1. If necessary, change the DNS server that's assigned to the network security group that the Azure VM belongs to.

+### Exit code 51

+Exit code 51 translates to "This extension is not supported on the VM's operating system."

+The AADLoginForWindows extension is intended to be installed only on Windows Server 2019 or Windows 10 (Build 1809 or later). Ensure that your version or build of Windows is supported. If it isn't supported, uninstall the extension.

+## Troubleshoot sign-in problems

+Use the following information to correct sign-in problems.

+You can view the device and single sign-on (SSO) state by running `dsregcmd /status`. The goal is for the device state to show as `AzureAdJoined : YES` and for the SSO state to show `AzureAdPrt : YES`.

+RDP sign-in via Azure AD accounts is captured in Event Viewer under the *AAD\Operational* event logs.

+### Azure role not assigned

+You might get the following error message when you initiate a remote desktop connection to your VM: "Your account is configured to prevent you from using this device. For more info, contact your system administrator."

+

+Verify that you've [configured Azure RBAC policies](../../virtual-machines/linux/login-using-aad.md) for the VM that grant the user the Virtual Machine Administrator Login or Virtual Machine User Login role.

+> If you're having problems with Azure role assignments, see [Troubleshoot Azure RBAC](../../role-based-access-control/troubleshooting.md#azure-role-assignments-limit).

+### Unauthorized client or password change required

+You might get the following error message when you initiate a remote desktop connection to your VM: "Your credentials did not work."

+

+Try these solutions:

+- The Windows 10 or later PC that you're using to initiate the remote desktop connection must be Azure AD joined, or hybrid Azure AD joined to the same Azure AD directory. For more information about device identity, see the article [What is a device identity?](./overview.md).

+ > [!NOTE]

+ > Windows 10 Build 20H1 added support for an Azure AD-registered PC to initiate an RDP connection to your VM. When you're using a PC that's Azure AD registered (not Azure AD joined or hybrid Azure AD joined) as the RDP client to initiate connections to your VM, you must enter credentials in the format `AzureAD\UPN` (for example, `AzureAD\john@contoso.com`).

+ Verify that the AADLoginForWindows extension wasn't uninstalled after the Azure AD join finished.

+ Also, make sure that the security policy **Network security: Allow PKU2U authentication requests to this computer to use online identities** is enabled on both the server *and* the client.

+- Verify that the user doesn't have a temporary password. Temporary passwords can't be used to log in to a remote desktop connection.

+ Sign in with the user account in a web browser. For instance, open the [Azure portal](https://portal.azure.com) in a private browsing window. If you're prompted to change the password, set a new password. Then try connecting again.

+### MFA sign-in method required

+You might see the following error message when you initiate a remote desktop connection to your VM: "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your system administrator."

+

+If you've configured a Conditional Access policy that requires MFA before you can access the resource, you need to ensure that the Windows 10 or later PC that's initiating the remote desktop connection to your VM signs in by using a strong authentication method such as Windows Hello. If you don't use a strong authentication method for your remote desktop connection, you'll see the error.

+Another MFA-related error message is the one described previously: "Your credentials did not work."

+

+> The legacy per-user **Enabled/Enforced Azure AD Multi-Factor Authentication** setting is not supported for the Azure Windows VM Sign-In app. This setting causes sign-in to fail with the "Your credentials did not work" error message.

+You can resolve the problem by removing the per-user MFA setting through these commands:

+If you haven't deployed Windows Hello for Business and if that isn't an option for now, you can configure a Conditional Access policy that excludes the Azure Windows VM Sign-In app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/hello-identity-verification).

+> Windows Hello for Business PIN authentication with RDP has been supported for several versions of Windows 10. Support for biometric authentication with RDP was added in Windows 10 version 1809. Using Windows Hello for Business authentication during RDP is available only for deployments that use a certificate trust model. It's currently not available for a key trust model.

+Share your feedback about this feature or report problems with using it on the [Azure AD feedback forum](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789).

+If the Azure Windows VM Sign-In application is missing from Conditional Access, make sure that the application isn't in the tenant:

+1. Sign in to the Azure portal.

+1. Browse to **Azure Active Directory** > **Enterprise applications**.

+1. Remove the filters to see all applications, and search for **VM**. If you don't see **Azure Windows VM Sign-In** as a result, the service principal is missing from the tenant.

+1. Run `Connect-MgGraph -Scopes "ServicePrincipalEndpoint.ReadWrite.All"`, followed by `"Application.ReadWrite.All"`.

+1. Sign in with a Global Admin account.

+1. Consent to the permission prompt.

+1. Run `Get-MgServicePrincipal -ConsistencyLevel eventual -Search '"DisplayName:Azure Windows VM Sign-In"'`.

+ - If this command results in no output and returns you to the PowerShell prompt, you can create the service principal with the following Graph PowerShell command:

+

+ `New-MgServicePrincipal -AppId 372140e0-b3b7-4226-8ef9-d57986796201`

+ - Successful output will show that the Azure Windows VM Sign-In app and its ID were created.

+1. Sign out of Graph PowerShell by using the `Disconnect-MgGraph` command.

+For more information about Azure AD, see [What is Azure Active Directory?](../fundamentals/active-directory-whatis.md).

+ > [!NOTE]

+ > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](https://docs.microsoft.com/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.

+ > [!NOTE]

+ > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](https://docs.microsoft.com/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.

+description: Get architectural guidance on achieving SSH integration with Azure Active Directory.

+# SSH authentication with Azure Active Directory

+Secure Shell (SSH) is a network protocol that provides encryption for operating network services securely over an unsecured network. It's commonly used in Unix-based systems such as Linux. SSH replaces the Telnet protocol, which doesn't provide encryption in an unsecured network.

+Azure Active Directory (Azure AD) provides a virtual machine (VM) extension for Linux-based systems that run on Azure. It also provides a client extension that integrates with the [Azure CLI](/cli/azure/) and the OpenSSH client.

+You can use SSH authentication with Active Directory when you're:

+* Working with Linux-based VMs that require remote command-line sign-in.

+* Running remote commands in Linux-based systems.

+* Securely transferring files in an unsecured network.

+## Components of the system 

+The following diagram shows the process of SSH authentication with Azure AD:

+

+The system includes the following components:

+* **User**: The user starts the Azure CLI and the SSH client to set up a connection with the Linux VMs. The user also provides credentials for authentication.

+* **Azure CLI**: The user interacts with the Azure CLI to start a session with Azure AD, request short-lived OpenSSH user certificates from Azure AD, and start the SSH session.

+* **Web browser**: The user opens a browser to authenticate the Azure CLI session. The browser communicates with the identity provider (Azure AD) to securely authenticate and authorize the user.

+* **OpenSSH client**: The Azure CLI (or the user) uses the OpenSSH client to start a connection to the Linux VM.

+* **Azure AD**: Azure AD authenticates the identity of the user and issues short-lived OpenSSH user certificates to the Azure CLI client.

+* **Linux VM**: The Linux VM accepts the OpenSSH user certificate and provides a successful connection.

+## Next steps

+* To implement SSH with Azure AD, see [Log in to a Linux VM by using Azure AD credentials](../devices/howto-vm-sign-in-azure-ad-linux.md).

+To restore applications using Microsoft Graph, see [Restore deleted item - Microsoft Graph v1.0.](/graph/api/directory-deleteditems-restore?tabs=http)

+For more information on how to avoid unwanted deletions, see the following articles in [Recoverability best practices](recoverability-overview.md):

+A Delete event for applications, service principals, users, and Microsoft 365 Groups is a soft delete. For any other object type, it's a hard delete.

+| Application| Delete application and service principal| Soft deleted |

+| Application| Hard delete application | Hard deleted |

+| Service principal| Delete service principal| Soft deleted |

+| Service principal| Hard delete service principal| Hard deleted |

+## Required tasks

+These links provide additional information relevant to groups:

+ * Azure AD also works with third party applications in our [Application Gallery](/microsoft-365/enterprise/integrated-apps-and-azure-ads)

+Gradually register and enable SSPR. For example, roll out by region, subsidiary, department, etc. for all users. This enables both MFA and SSPR. Refer to [Sample SSPR rollout materials](https://www.microsoft.com/download/details.aspx?id=56768) to assist with required end-user communications and evangelizing.

+### Move provisioning of users and groups to applications

+* [Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure](/azure/virtual-desktop/deploy-azure-ad-joined-vm)

+* [Microsoft Microsoft 365 Defender for Identity](/defender-for-identity/monitored-activities): Utilize the sign in Operations monitoring capability (note captures binds using LDAP, but not Secure LDAP.

+* **Approach 1** Replace with SaaS alternatives that use modern authentication. In this approach, undertake projects to migrate from legacy applications to SaaS alternatives that use modern authentication. Have the SaaS alternatives authenticate to Azure AD directly.

+* **Approach 2** Replatform (for example, adopt serverless/PaaS) to support modern hosting without servers and/or update the code to support modern authentication. In this approach, undertake projects to update authentication code for applications that will be modernized or replatform on serverless/PaaS to eliminate the need for underlying server management. Enable the app to use modern authentication and integrate to Azure AD directly. [Learn about MSAL - Microsoft identity platform](../develop/msal-overview.md).

+* **Approach 3** Leave the applications as legacy applications for the foreseeable future or sunset the applications and opportunity arises. We recommend that this is considered as a last resort.

+#### Implement approach #1

+>[!NOTE]

+>* Utilize Azure AD Domain Services if the dependencies are aligned with [Common deployment scenarios for Azure AD Domain Services](../../active-directory-domain-services/scenarios.md).

+>* To validate if Azure AD DS is a good fit, you might use tools like Service Map [Microsoft Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.ServiceMapOMS?tab=Overview) and [Automatic Dependency Mapping with Service Map and Live Maps](https://techcommunity.microsoft.com/t5/system-center-blog/automatic-dependency-mapping-with-service-map-and-live-maps/ba-p/351867).

+>* Validate your SQL server instantiations can be [migrated to a different domain](https://social.technet.microsoft.com/wiki/contents/articles/24960.migrating-sql-server-to-new-domain.aspx). If your SQL service is running in virtual machines, [use this guidance](/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide).

+#### Implement approach #2

+Extend on-premises AD to Azure IaaS. If #1 isn't possible and an application has a strong dependency on AD

+#### Implement approach #3

+> The states in this diagram represent a logical progression of cloud transformation. Your ability to move from one state to the next is dependent on the functionality that you have implemented and the capabilities within that functionality to move to the cloud.

+ Title: Frequently asked questions about recovering deleted apps

+description: Find answers to frequently asked questions (FAQs) about recovering deleted apps and service principals.

+# Recover deleted applications in Azure Active Directory FAQs

+This page answers frequently asked questions about deleting and restoring deleted application registrations and service principals.

+## When I create applications, I'm getting Directory_QuotaExceeded error. How can I avoid this problem?

+A non-admin user can create no more than 250 Azure AD resources that include applications and service principals. Both active resources and deleted resources that are available to restore count toward this quota. Even if you delete more applications that you don't need, they'll still add count to the quota. Hence, to free up the quota, you need to [permanently delete](/graph/api/directory-deleteditems-delete?tabs=http) objects in the deleted items container. You can learn more about the service limits through [this link](/azure/azure-resource-manager/management/azure-subscription-service-limits?msclkid=6cb6cc54c68711ec93eb9539fce3cc28#active-directory-limits).

+The quota limit set for Azure AD resources is applicable when creating applications or service principals using a delegated flow such as using Azure AD app registrations or Enterprise apps portal. Creating applications using the Microsoft Graph API programmatically using application flow won't have this restriction.

+## Where can I find all the deleted applications and service principals?

+Soft-deleted application and service principal objects go into the [deleted items](/graph/api/resources/directory?tabs=http) container and remain available to restore for up to 30 days. After 30 days, they're permanently deleted, and this frees up the quota.

+You find the deleted applications by using one of the following approaches:

+- Using the Azure portal

+

+Recently deleted application objects can be found under the **Deleted applications** tab on the App registrations blade of Azure portal.

+ :::image type="content" source="media/delete-application-portal/recover-deleted-apps.png" alt-text="Screenshot shows list of deleted items.":::

+

+- Using the Microsoft Graph API

+Recently deleted application and service principal objects can be found using the [List deletedItems](/graph/api/directory-deleteditems-list?tabs=http) API.

+- Using PowerShell

+Recently deleted application and service principal objects can be found using the

+[Get-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/get-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.

+## How do I restore deleted applications or service principals?

+- Using Microsoft Graph API

+Deleted objects can be restored using the [Restore deleted item](/graph/api/directory-deleteditems-restore?tabs=http) API.

+- Using PowerShell

+Deleted objects can be restored using the [Restore-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/restore-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.

+## How do I permanently delete soft deleted applications or service principals?

+- Using the Microsoft Graph API

+Soft deleted objects can be permanently deleted by using the [Permanently delete an item from deleted items](/graph/api/directory-deleteditems-delete?tabs=http) API.

+- Using PowerShell

+Soft deleted objects can be permanently deleted using the [Remove-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/remove-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.

+## Can I configure the interval in which applications and service principals are permanently deleted by Azure AD?

+No. You canΓÇÖt configure the periodicity of hard deletion.

+## I restored a deleted application using the App registrations portal experience. I don't see the SAML SSO configurations I made to the app prior to deletion.

+The SAML SSO configurations are stored on the service principal object. When you restore an application from the App registrations UI, it recovers the app object but creates a new service principal. Hence, the SAML SSO configurations done earlier to the app are lost when restoring a deleted application using the App registrations UI.

+To correct this problem, delete the new service principal the app registrations experience created and restore the original service principal using the [Microsoft Graph API](/graph/api/directory-deleteditems-restore?tabs=http) or the [Microsoft Graph PowerShell cmdlet](/powershell/module/azuread/restore-azureadmsdeleteddirectoryobject?tabs=http).

+If you recorded the object ID of the service principal before deleting the application, use the [Restore deleted item](/graph/api/directory-deleteditems-restore?tabs=http) API to recover the service principal. Otherwise, use the [list deleted items](/graph/api/directory-deleteditems-list?tabs=http) API to fetch the deleted service principal and filter the results by the client's application ID (**appId**) property using the following syntax:

+`https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.servicePrincipal?$filter=appId eq '{appId}'`

+## Why canΓÇÖt I recover managed identities?

+[Managed identities](../managed-identities-azure-resources/overview.md) are a special type of service principals. Deleted managed identities canΓÇÖt be recovered currently.

+## I canΓÇÖt see the provisioning data from a recovered service principal. How can I recover it back?

+After recovering an SP, you may initially see the error in the following screenshot. This issue will resolve itself between 40 mins and 1 day. If you would like the provisioning job to start immediately, you can hit restart to force the provisioning service to run again. Hitting restart will trigger an initial cycle that can take time for customers with 100 K+ users or group memberships.

+

+## I recovered my application that was configured for application proxy. I canΓÇÖt see app proxy configurations after the recovery. How can I recover it back?

+App proxy configurations can't be recovered through the portal UI. Use the API to recover app proxy settings. Expect a delay of up to 24 hours as the app proxy data gets synced back.

+## I canΓÇÖt see the policies I set on the service principal object after the recovery. How can I recover them?

+Policies can't be recovered currently. When you restore a service principal, you'll have to configure the policies again.

+## Next steps

+- [Delete a service principal](delete-application-portal.md)

+- [Delete an application registration](../develop/howto-restore-app.md)

+ - `Premium_ZRS`, `StandardSSD_ZRS` disk types are supported, ZRS disk could be scheduled on the zone or non-zone node, without the restriction that disk volume should be co-located in the same zone as a given node, check more details about [Zone-redundant storage for managed disks](../virtual-machines/disks-redundancy.md)

+[az-premium-ssd]: ../virtual-machines/disks-types.md#premium-ssds

+> [!IMPORTANT]

+> Ensure your AKS cluster identity has read permission of DiskEncryptionSet

+Be sure that a Secrets Store CSI Driver pod and a Secrets Store Provider Azure pod are running on each node in your cluster's node pools.

+The `validate-jwt` policy enforces existence and validity of a JSON web token (JWT) extracted from a specified HTTP header, extracted from a specified query parameter, or matching a specific value.

+ header-name="name of HTTP header containing the token (alternatively, use query-parameter-name or token-value attribute to specify token)"

+ query-parameter-name="name of query parameter used to pass the token (alternative, use header-name or token-value attribute to specify token)"

+ token-value="expression returning the token as a string (alternatively, use header-name or query-parameter attribute to specify token)"

+| token-value | Expression returning a string containing the token. You must not return `Bearer ` as part of the token value. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |

+### Configure `set-backend-service` policy

+ 1. Enter a **Name** (Id) for the schema.

+API Management adds the schema resource at the relative URI `/schemas/<schemaId>`, and the schema appears in the list on the **Schemas** page. Select a schema to view its properties or to edit in a schema editor.

+> A schema may cross-reference another schema that is added to the API Management instance. For example, include an XML schema added to API Management by using an element similar to:<br/><br/>`<xs:include schemaLocation="/schemas/myschema" />`

+> [!TIP]

+> Open-source tools to resolve WSDL and XSD schema references and to batch-import generated schemas to API Management are available on [GitHub](https://github.com/Azure-Samples/api-management-schema-import).

+- 303 (Permanent redirect): Indicates that the target resource has been assigned a new permanent URI. Any future references to this resource should use one of the enclosed URIs.

+ Title: 'Tutorial: Enable the Ingress Controller add-on for a new AKS cluster with a new Azure application gateway'

+description: Use this tutorial to learn how to enable the Ingress Controller add-on for your new AKS cluster with a new application gateway instance.

+# Tutorial: Enable the ingress controller add-on for a new AKS cluster with a new application gateway instance

+You can use the Azure CLI to enable the [application gateway ingress controller (AGIC)](ingress-controller-overview.md) add-on for a new [Azure Kubernetes Services (AKS)](https://azure.microsoft.com/services/kubernetes-service/) cluster.

+In this tutorial, you'll create an AKS cluster with the AGIC add-on enabled. Creating the cluster will automatically create an Azure application gateway instance to use. You'll then deploy a sample application that will use the add-on to expose the application through application gateway.

+> * Check that the application is reachable through application gateway.

+In Azure, you allocate related resources to a resource group. Create a resource group by using [az group create](/cli/azure/group#az-group-create). The following example creates a resource group named **myResourceGroup** in the **East US** location (region):

+az group create --name myResourceGroup --location eastus

+You'll now deploy a new AKS cluster with the AGIC add-on enabled. If you don't provide an existing application gateway instance to use in this process, you'll automatically create and set up a new application gateway instance to serve traffic to the AKS cluster.

+> The application gateway ingress controller add-on supports *only* application gateway v2 SKUs (Standard and WAF), and *not* the application gateway v1 SKUs. When you're deploying a new application gateway instance through the AGIC add-on, you can deploy only an application gateway Standard_v2 SKU. If you want to enable the add-on for an application gateway WAF_v2 SKU, use either of these methods:

+> - Enable WAF on application gateway through the portal.

+> - Create the WAF_v2 application gateway instance first, and then follow instructions on how to [enable the AGIC add-on with an existing AKS cluster and existing application gateway instance](tutorial-ingress-controller-add-on-existing.md).

+In the following example, you'll deploy a new AKS cluster named *myCluster* by using [Azure CNI](../aks/concepts-network.md#azure-cni-advanced-networking) and [managed identities](../aks/use-managed-identity.md). The AGIC add-on will be enabled in the resource group that you created, **myResourceGroup**.

+Deploying a new AKS cluster with the AGIC add-on enabled without specifying an existing application gateway instance will mean an automatic creation of a Standard_v2 SKU application gateway instance. So, you'll also specify the name and subnet address space of the application gateway instance. The name of the application gateway instance will be **myApplicationGateway**, and the subnet address space will be **10.225.0.0/16**.

+az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-managed-identity -a ingress-appgw --appgw-name myApplicationGateway --appgw-subnet-cidr "10.225.0.0/16" --generate-ssh-keys

+To configure more parameters for the above command, got to [az aks create](/cli/azure/aks#az-aks-create).

+> The AKS cluster that you created will appear in the resource group that you created, **myResourceGroup**. However, the automatically created application gateway instance will be in the node resource group, where the agent pools are. The node resource group is named **MC_resource-group-name_cluster-name_location** by default, but can be modified.

+You'll now deploy a sample application to the AKS cluster that you created. The application will use the AGIC add-on for ingress and connect the application gateway instance to the AKS cluster.

+Now that you have credentials, run the following command to set up a sample application that uses AGIC for ingress to the cluster. AGIC will update the application gateway instance that you set up earlier with corresponding routing rules to the sample application you're deploying.

+Now that the application gateway instance is set up to serve traffic to the AKS cluster, let's verify that your application is reachable. First, get the IP address of the ingress:

+- Visiting the IP address of the application gateway instance that you got from running the preceding command.

+Application gateway might take a minute to get the update. If application gateway is still in an **Updating** state on the portal, let it finish before you try to reach the IP address.

+When you no longer need them, delete all resources created in this tutorial by deleting **myResourceGroup** and **MC_myResourceGroup_myCluster_eastus** resource groups:

+az group delete --name MC_myResourceGroup_myCluster_eastus

+In this tutorial, you:

+- Created new AKS cluster with the AGIC add-on enabled

+- Deployed a sample application by using AGIC for ingress on the AKS cluster

+To learn more about AGIC, see [What is Application Gateway Ingress Controller?](ingress-controller-overview.md) and [Disable and re-enable AGIC add-on for your AKS cluster](ingress-controller-disable-addon.md)

+To learn how to enable application gateway ingress controller add-on for an existing AKS cluster with an existing application gateway, advance to the next tutorial.

+> [Enable AGIC for existing AKS and application gateway](tutorial-ingress-controller-add-on-existing.md)

+Starting on August 1st 2022, Form Recognizer custom neural model training will only be available in the following Azure regions until further notice:

+* West Europe

+- To add the user assigned managed identity you must have the ```Microsoft.ManagedIdentity/userAssignedIdentities/*/read``` and ```Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action``` permissions over the user assigned managed identity, which are granted to [Managed Identity Operator](/azure/role-based-access-control/built-in-roles.md#managed-identity-operator) and [Managed Identity Contributor](/azure/role-based-access-control/built-in-roles.md#managed-identity-contributor)

+- To assign an Azure role to the managed identity, you must have ```Microsoft.Authorization/roleAssignments/write``` permission, which is granted either to [User Access Administrator](/azure/role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles.md#owner)

+Currently, PowerShell 5.1 is supported and only certain runbook types can call each other:

+> [!IMPORTANT]

+> Executing child scripts using `.\child-runbook.ps1` is not supported in PowerShell 7.1 preview.

+ **Workaround**: Use `Start-AutomationRunbook` (internal cmdlet) or `Start-AzAutomationRunbook` (from *Az.Automation* module) to start another runbook from parent runbook.

+| **Resource** |**Description** |

+|||

+|AzureAutomationTutorialWithIdentityGraphical |An example graphical runbook that demonstrates how to authenticate by using the Managed Identity. The runbook gets all Resource Manager resources. |

+|AzureAutomationTutorialWithIdentity|An example PowerShell runbook that demonstrates how to authenticate by using the Managed Identity. The runbook gets all Resource Manager resources. |

+* For a PowerShell cmdlet reference, see [Az.Automation](/powershell/module/az.automation).

+- If you want to execute hybrid jobs using a managed identity, update the agent-based Hybrid Runbook Worker to the latest version. There is no minimum version requirement for extension-based Hybrid Runbook Worker, and all the versions would work. The minimum required versions for the agent-based Hybrid Worker are:

+ - Windows Hybrid Runbook Worker: version 7.3.1125.0

+ - Linux Hybrid Runbook Worker: version 1.7.4.0

+

+ To check the versions:

+ - Windows Hybrid Runbook Worker: Go to the installation path - `C:\ProgramFiles\Microsoft Monitoring Agent\Agent\AzureAutomation\.` and the folder *Azure Automation* contains a sub-folder with the version number as the name of sub-folder.

+ - Linux Hybrid Runbook Worker: Go to the path - `vi/opt/microsoft/omsconfig/modules/nxOMSAutomationWorker/VERSION.` and the file *VERSION* has the version number of the Hybrid Worker.

+- To assign an Azure role you must have ```Microsoft.Authorization/roleAssignments/write``` permission such as [User Access Administrator](../role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](../role-based-access-control/built-in-roles.md#owner).

+## Scenario: Managed Identity in a Runbook cannot authenticate against Azure

+### Issue

+When using a Managed Identity in your runbook, you receive an error as:

+`connect-azaccount : ManagedIdentityCredential authentication failed: Failed to get MSI token for account d94c0db6-5540-438c-9eb3-aa20e02e1226 and resource https://management.core.windows.net/. Status: 500 (Internal Server Error)`

+### Cause

+This can happen either when:

+- **Cause 1**: You use the Automation account System Managed Identity, which has not yet been created and the `Code Connect-AzAccount -Identity` tries to authenticate to Azure and run a runbook in Azure or on a Hybrid Runbook Worker.

+- **Cause 2**: The Automation account has a User managed identity assigned and not a System Managed Identity and the - `Code Connect-AzAccount -Identity` tries to authenticate to Azure and run a runbook on an Azure virtual machine Hybrid Runbook Worker using the Azure VM System Managed Identity.

+### Resolution

+- **Resolution 1**: You must create the Automation Account System Managed Identity and grant it access to the Azure Resources.

+- **Resolution 2**: As appropriate for your requirements, you can:

+ - Create the Automation Account System Managed Identity and use it to authenticate.</br>

+ Or </br>

+ - Delete the Automation Account User Assigned Managed Identity.

+## Scenario: Unable to find the user assigned managed identity to add it to the Automation account

+### Issue

+You want to add a user-assigned managed identity to the Automation account. However, you can't find the account in the Automation blade.

+### Cause

+This issue occurs when you don't have the following permissions for the user-assigned managed identity to view it in the Automation blade.

+- `Microsoft.ManagedIdentity/userAssignedIdentities/*/read`

+- `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action`

+>[!NOTE]

+> The above permissions are granted by default to Managed Identity Operator and Managed Identity Contributor.

+### Resolution

+Ensure that you have [Identity Operator role permission](/azure/role-based-access-control/built-in-roles#managed-identity-operator) to add the user-assigned managed identity to your Automation account.

+| [Azure API Management](migrate-api-mgt.md) |  |

+ Title: Migrate Azure API Management to availability zone support

+description: Learn how to migrate your Azure API Management instances to availability zone support.

+# Migrate Azure API Management to availability zone support

+This guide describes how to enable availability zone support for your API Management instance. The API Management service supports [Zone redundancy](../availability-zones/az-overview.md#availability-zones), which provides resiliency and high availability to a service instance in a specific Azure region. With zone redundancy, the gateway and the control plane of your API Management instance (Management API, developer portal, Git configuration) are replicated across datacenters in physically separated zones, making it resilient to a zone failure.

+In this article, we'll take you through the different options for availability zone migration.

+## Prerequisites

+* To configure API Management for zone redundancy, your instance must be in one of the following regions:

+

+ * Australia East

+ * Brazil South

+ * Canada Central

+ * Central India

+ * Central US

+ * East Asia

+ * East US

+ * East US 2

+ * France Central

+ * Germany West Central

+ * Japan East

+ * Korea Central (*)

+ * North Europe

+ * Norway East (*)

+ * South Africa North (*)

+ * South Central US

+ * Southeast Asia

+ * Switzerland North

+ * UK South

+ * West Europe

+ * West US 2

+ * West US 3

+ > [!IMPORTANT]

+ > The regions with * against them have restrictive access in an Azure subscription to enable availability zone support. Please work with your Microsoft sales or customer representative.

+* If you haven't yet created an API Management service instance, see [Create an API Management service instance](../api-management/get-started-create-service-instance.md). Select the Premium service tier.

+* API Management service must be in the Premium tier. If it isn't, you can [upgrade](../api-management/upgrade-and-scale.md#change-your-api-management-service-tier) to the Premium tier.

+* If your API Management instance is deployed (injected) in a [Azure virtual network (VNet)](../api-management/api-management-using-with-vnet.md), check the version of the [compute platform](../api-management/compute-infrastructure.md) (stv1 or stv2) that hosts the service.

+## Downtime requirements

+There are no downtime requirements for any of the migration options.

+## Considerations

+* Changes can take from 15 to 45 minutes to apply. The API Management gateway can continue to handle API requests during this time.

+* Migrating to availability zones or changing the availability zone configuration will trigger a public IP address change.

+* If you've configured autoscaling for your API Management instance in the primary location, you might need to adjust your autoscale settings after enabling zone redundancy. The number of API Management units in autoscale rules and limits must be a multiple of the number of zones.

+## Option 1: Migrate existing location of API Management instance, not injected in VNet

+Use this option to migrate an existing location of your API Management instance to availability zones when itΓÇÖs not injected (deployed) in a virtual network.

+### How to migrate API Management in a VNet

+1. In the Azure portal, navigate to your API Management service.

+1. Select **Locations** in the menu, and then select the location to be migrated. The location must [support availability zones](#prerequisites).

+1. Select the number of scale [Units](../api-management/upgrade-and-scale.md) desired in the location.

+1. In **Availability zones**, select one or more zones. The number of units selected must be distributed evenly across the availability zones. For example, if you selected 3 units, select 3 zones so that each zone hosts one unit.

+1. Select **Apply**, and then select **Save**.

+ :::image type="content" alt-text="Screenshot of how to migrate existing location of API Management instance not injected in VNet." source ="media/migrate-api-mgt/option-one-not-injected-in-vnet.png":::

+

+## Option 2: Migrate existing location of API Management instance (stv1 platform), injected in VNet

+Use this option to migrate an existing location of your API Management instance to availability zones when it is currently injected (deployed) in a virtual network. The following steps are needed when the API Management instance is currently hosted on the stv1 platform. Migrating to availability zones will also migrate the instance to the stv2 platform.

+1. Create a new subnet and public IP address in location to migrate to availability zones. Detailed requirements are in [virtual networking guidance](../api-management/api-management-using-with-vnet.md?tabs=stv2#prerequisites).

+1. In the Azure portal, navigate to your API Management service.

+1. Select **Locations** in the menu, and then select the location to be migrated. The location must [support availability zones](#prerequisites).

+1. Select the number of scale [Units](../api-management/upgrade-and-scale.md) desired in the location.

+1. In **Availability zones**, select one or more zones. The number of units selected must be distributed evenly across the availability zones. For example, if you selected 3 units, select 3 zones so that each zone hosts one unit.

+1. Select the new subnet and new public IP address in the location.

+1. Select **Apply**, and then select **Save**.

+ :::image type="content" alt-text="Screenshot of how to migrate existing location of API Management instance injected in VNet." source ="media/migrate-api-mgt/option-two-injected-in-vnet.png":::

+## Option 3: Migrate existing location of API Management instance (stv2 platform), injected in VNet

+Use this option to migrate an existing location of your API Management instance to availability zones when it is currently injected (deployed) in a virtual network. The following steps are used when the API Management instance is already hosted on the stv2 platform.

+1. Create a new subnet and public IP address in location to migrate to availability zones. Detailed requirements are in [virtual networking guidance](../api-management/api-management-using-with-vnet.md?tabs=stv2#prerequisites).

+1. In the Azure portal, navigate to your API Management service.

+1. Select **Locations** in the menu, and then select the location to be migrated. The location must [support availability zones](#prerequisites).

+1. Select the number of scale [Units](../api-management/upgrade-and-scale.md) desired in the location.

+1. In **Availability zones**, select one or more zones. The number of units selected must be distributed evenly across the availability zones. For example, if you selected 3 units, select 3 zones so that each zone hosts one unit.

+1. Select the new public IP address in the location.

+1. Select **Apply**, and then select **Save**.

+ :::image type="content" alt-text="Screenshot of how to migrate existing location of API Management instance (stv2 platform) injected in VNet." source ="media/migrate-api-mgt/option-three-stv2-injected-in-vnet.png":::

+## Option 4. Add new location for API Management instance (with or without VNet) with availability zones

+Use this option to add a new location to your API Management instance and enable availability zones in that location.

+If your API Management instance is deployed in a virtual network in the primary location, ensure that you set up a [virtual network](../api-management/api-management-using-with-vnet.md?tabs=stv2), subnet, and public IP address in any new location where you plan to enable zone redundancy.

+1. In the Azure portal, navigate to your API Management service.

+1. Select **+ Add** in the top bar to add a new location. The location must [support availability zones](#prerequisites).

+1. Select the number of scale [Units](../api-management/upgrade-and-scale.md) desired in the location.

+1. In **Availability zones**, select one or more zones. The number of units selected must be distributed evenly across the availability zones. For example, if you selected 3 units, select 3 zones so that each zone hosts one unit.

+1. If your API Management instance is deployed in a [virtual network](../api-management/api-management-using-with-vnet.md?tabs=stv2), select the virtual network, subnet, and public IP address that are available in the location.

+1. Select **Add**, and then select **Save**.

+ :::image type="content" alt-text="Screenshot of how to add new location for API Management instance with or without VNet." source ="media/migrate-api-mgt/option-four-add-new-location.png":::

+## Next steps

+Learn more about:

+> [!div class="nextstepaction"]

+> [deploying an Azure API Management service instance to multiple Azure regions](../api-management/api-management-howto-deploy-multi-region.md).

+> [!div class="nextstepaction"]

+> [building for reliability](/azure/architecture/framework/resiliency/app-design) in Azure.

+> [!div class="nextstepaction"]

+> [Regions and Availability Zones in Azure](az-overview.md)

+> [!div class="nextstepaction"]

+> [Azure Services that support Availability Zones](az-region.md)

+##### [Linux](#tab/linux)

+```console

+## variables for Azure subscription, resource group, cluster name, location, extension, and namespace.

+export resourceGroup=<Your resource group>

+export clusterName=<name of your connected Kubernetes cluster>

+export customLocationName=<name of your custom location>

+## variables for logs and metrics dashboard credentials

+export AZDATA_LOGSUI_USERNAME=<username for Kibana dashboard>

+export AZDATA_LOGSUI_PASSWORD=<password for Kibana dashboard>

+export AZDATA_METRICSUI_USERNAME=<username for Grafana dashboard>

+export AZDATA_METRICSUI_PASSWORD=<password for Grafana dashboard>

+```

+##### [Windows (PowerShell)](#tab/windows)

+``` PowerShell

+## variables for Azure location, extension and namespace

+$ENV:resourceGroup="<Your resource group>"

+$ENV:clusterName="<name of your connected Kubernetes cluster>"

+$ENV:customLocationName="<name of your custom location>"

+## variables for Metrics and Monitoring dashboard credentials

+$ENV:AZDATA_LOGSUI_USERNAME="<username for Kibana dashboard>"

+$ENV:AZDATA_LOGSUI_PASSWORD="<password for Kibana dashboard>"

+$ENV:AZDATA_METRICSUI_USERNAME="<username for Grafana dashboard>"

+$ENV:AZDATA_METRICSUI_PASSWORD="<password for Grafana dashboard>"

+

+Deploy the Azure Arc data controller using released profile

+##### [Linux](#tab/linux)

+```azurecli

+az arcdata dc create -name <name> -g ${resourceGroup} --custom-location ${customLocationName} --cluster-name ${clusterName} --connectivity-mode direct --profile-name <the-deployment-profile> --auto-upload-metrics true --auto-upload-logs true --storage-class <storageclass>

+# Example

+az arcdata dc create --name arc-dc1 --resource-group my-resource-group -custom-location cl-name --connectivity-mode direct --profile-name azure-arc-aks-premium-storage --auto-upload-metrics true --auto-upload-logs true --storage-class mystorageclass

+```

+##### [Windows (PowerShell)](#tab/windows)

+```azurecli

+az arcdata dc create -name <name> -g $ENV:resourceGroup --custom-location $ENV:customLocationName --cluster-name $ENV:clusterName --connectivity-mode direct --profile-name <the-deployment-profile> --auto-upload-metrics true --auto-upload-logs true --storage-class <storageclass>

+# Example

+az arcdata dc create --name arc-dc1 --g $ENV:resourceGroup --custom-location $ENV:customLocationName --cluster-name $ENV:clusterName --connectivity-mode direct --profile-name azure-arc-aks-premium-storage --auto-upload-metrics true --auto-upload-logs true --storage-class mystorageclass

+```

+If you want to create the Azure Arc data controller using a custom configuration template, follow the steps described in [Create custom configuration profile](create-custom-configuration-template.md) and provide the path to the file as follows:

+##### [Linux](#tab/linux)

+```azurecli

+az arcdata dc create --name -g ${resourceGroup} --custom-location ${customLocationName} --cluster-name ${clusterName} --connectivity-mode direct --path ./azure-arc-custom --auto-upload-metrics true --auto-upload-logs true

+# Example

+az arcdata dc create --name arc-dc1 --resource-group my-resource-group -custom-location cl-name --connectivity-mode direct --path ./azure-arc-custom --auto-upload-metrics true --auto-upload-logs true

+```

+##### [Windows (PowerShell)](#tab/windows)

+```azurecli

+az arcdata dc create --name <name> -g $ENV:resourceGroup --custom-location $ENV:customLocationName --cluster-name $ENV:clusterName --connectivity-mode direct --path ./azure-arc-custom --auto-upload-metrics true --auto-upload-logs true --storage-class <storageclass>

+# Example

+az arcdata dc create --name arc-dc1 --resource-group $ENV:resourceGroup --custom-location $ENV:customLocationName --cluster-name $ENV:clusterName --connectivity-mode direct --path ./azure-arc-custom --auto-upload-metrics true --auto-upload-logs true --storage-class mystorageclass

+```

+Save a copy of [bootstrapper-unified.yaml](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/bootstrapper-unified.yaml), and replace the placeholder `{{NAMESPACE}}` in *all the places* in the file with the desired namespace name, for example: `arc`.

+1. Create a service principal and get its `password` field value. This value is required later as `serverApplicationSecret` when you're enabling this feature on the cluster. Please note that this secret is valid for 1 year by default and will need to be [rotated after that](./azure-rbac.md#refresh-the-secret-of-the-server-application). Please refer to [this](/cli/azure/ad/sp/credential?view=azure-cli-latest&preserve-view=true#az-ad-sp-credential-reset) to set a custom expiry duration.

+## Refresh the secret of the server application

+If the secret for the server application's service principal has expired, you will need to rotate it.

+```azurecli

+SERVER_APP_SECRET=$(az ad sp credential reset --name "${SERVER_APP_ID}" --credential-description "ArcSecret" --query password -o tsv)

+```

+Update the secret on the cluster. Please add any optional parameters you configured when this command was originally run.

+```azurecli

+az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --features azure-rbac --app-id "${SERVER_APP_ID}" --app-secret "${SERVER_APP_SECRET}"

+```

+1. Create ClusterRoleBinding to grant this [service account the appropriate permissions on the cluster](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-rolebinding). Example:

+ config-agent-65d5df564f-lffqm 1/2 CrashLoopBackOff 0 1m14s

+ To resolve this issue, try deleting the Arc deployment by running the `az connectedk8s delete` command and reinstalling it. If the issue continues to happen, it could be an issue with your proxy settings. In that case, [try connecting your cluster to Azure Arc via a proxy](./quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server) to connect your cluster to Arc via a proxy. Please also verify if all the [network prerequisites](quickstart-connect-cluster.md#meet-network-requirements) have been met.

+5. If the `kube-aad-proxy` pod is stuck in `ContainerCreating` state, check whether the kube-aad-proxy certificate has been downloaded onto the cluster.

+ ```console

+ kubectl get secret -n azure-arc -o yaml | grep name:

+ ```

+ ```output

+ name: kube-aad-proxy-certificate

+ ```

+ If the certificate is missing, please contact support.

+ Once the cache is created, you connect to it and use it just like a non-clustered cache. Redis distributes the data throughout the Cache shards. If diagnostics is [enabled](cache-how-to-monitor.md#use-a-storage-account-to-export-cache-metrics), metrics are captured separately for each shard, and can be [viewed](cache-how-to-monitor.md) in Azure Cache for Redis on the left.

+To change the cluster size on a premium cache that you created earlier, and is already running with clustering enabled, select **Cluster size** from the Resource menu.

+Per the Redis [Keys distribution model](https://redis.io/topics/cluster-spec#keys-distribution-model) documentation: The key space is split into 16,384 slots. Each key is hashed and assigned to one of these slots, which are distributed across the nodes of the cluster. You can configure which part of the key is hashed to ensure that multiple keys are located in the same shard using hash tags.

+The largest cache size you can have is 1.2 TB. This result is a clustered P5 cache with 10 shards. For more information, see [Azure Cache for Redis Pricing](https://azure.microsoft.com/pricing/details/cache/).

+Many clients libraries support Redis clustering but not all. Check the documentation for the library you're using to verify you're using a library and version that support clustering. StackExchange.Redis is one library that does support clustering, in its newer versions. For more information on other clients, see the [Playing with the cluster](https://redis.io/topics/cluster-tutorial#playing-with-the-cluster) section of the [Redis cluster tutorial](https://redis.io/topics/cluster-tutorial).

+The Redis clustering protocol requires each client to connect to each shard directly in clustering mode, and also defines new error responses such as 'MOVED' na 'CROSSSLOTS'. When you attempt to use a client library that doesn't support clustering, with a cluster mode cache, the result can be many [MOVED redirection exceptions](https://redis.io/topics/cluster-spec#moved-redirection), or just break your application, if you're doing cross-slot multi-key requests.

+This article supports creating both types of compiled C# functions:

+ New-AzFunctionApp -Name <APP_NAME> -ResourceGroupName AzureFunctionsQuickstart-rg -StorageAccount <STORAGE_NAME> -Runtime PowerShell -FunctionsVersion 4 -Location '<REGION>'

+## Remote Debugging using Visual Studio

+Because your isolated process app runs outside the Functions runtime, you need to attach the remote debugger to a separate process. To learn more about debugging using Visual Studio, see [Remote Debugging](functions-develop-vs.md?tabs=isolated-process#remote-debugging).

+ .Setup(x => x.CreateCheckStatusResponse(It.IsAny<HttpRequestMessage>(), instanceId, returnInternalServerErrorOnFailure: It.IsAny<bool>()))

+- Azure Functions Tools. To add Azure Function Tools, include the **Azure development** workload in your Visual Studio installation. If you're using Visual Studio 2017, you may need to [follow some extra installation steps](#azure-functions-tools-with-visual-studio-2017).

+ You'll then be prompted to choose between two Azure storage emulators or referencing a provisioned Azure storage account.

+ In this example, replace `<BINDING_TYPE>` with the name specific to the binding extension and `<TARGET_VERSION>` with a specific version of the package, such as `3.0.0-beta5`. Valid versions are listed on the individual package pages at [NuGet.org](https://nuget.org). The major versions that correspond to Functions runtime 1.x or 2.x are specified in the reference article for the binding.

+Azure Functions Core Tools lets you run Azure Functions project on your local development computer. When you press F5 to debug a Functions project, the local Functions host (func.exe) starts to listen on a local port (usually 7071). Any callable function endpoints are written to the output, and you can use these endpoints for testing your functions. For more information, see [Work with Azure Functions Core Tools](functions-run-local.md). You're prompted to install these tools the first time you start a function from Visual Studio.

+## Remote Debugging

+To debug your function app remotely, you must publish a debug configuration of your project. You also need to enable remote debugging in your function app in Azure.

+This section assumes you've already published to your function app using a release configuration.

+### Remote debugging considerations

+* Remote debugging isn't recommended on a production service.

+* If you have [Just My Code debugging](/visualstudio/debugger/just-my-code#BKMK_Enable_or_disable_Just_My_Code) enabled, disable it.

+* Avoid long stops at breakpoints when remote debugging. Azure treats a process that is stopped for longer than a few minutes as an unresponsive process, and shuts it down.

+* While you're debugging, the server is sending data to Visual Studio, which could affect bandwidth charges. For information about bandwidth rates, see [Azure Pricing](https://azure.microsoft.com/pricing/calculator/).

+* Remote debugging is automatically disabled in your function app after 48 hours. After 48 hours, you'll need to reenable remote debugging.

+### Attach the debugger

+The way you attach the debugger depends on your execution mode. When debugging an isolated process app, you currently need to attach the remote debugger to a separate .NET process, and several other configuration steps are required.

+When you're done, you should [disable remote debugging](#disable-remote-debugging).

+# [In-process](#tab/in-process)

+To attach a remote debugger to a function app running in-process with the Functions host:

+ :::image type="content" source="media/functions-develop-vs/attach-to-process-in-process.png" alt-text="Screenshot of attaching the debugger from Visual Studio.":::

+Visual Studio connects to your function app and enables remote debugging, if it's not already enabled. It also locates and attaches the debugger to the host process for the app. At this point, you can debug your function app as normal.

+# [Isolated process](#tab/isolated-process)

+To attach a remote debugger to a function app running in a process separate from the Functions host:

+1. From the **Publish** tab, select the ellipses (**...**) in the **Hosting** section, and then choose **Download publish profile**. This action downloads a copy of the publish profile and opens the download location. You need this file, which contains the credentials used to attach to your isolated process running in Azure.

+ > [!CAUTION]

+ > The .publishsettings file contains your credentials (unencoded) that are used to administer your function app. The security best practice for this file is to store it temporarily outside your source directories (for example in the Libraries\Documents folder), and then delete it after it's no longer needed. A malicious user who gains access to the .publishsettings file can edit, create, and delete your function app.

+1. Again from the **Publish** tab, select the ellipses (**...**) in the **Hosting** section, and then choose **Attach debugger**.

+ :::image type="content" source="media/functions-develop-vs/attach-to-process-in-process.png" alt-text="Screenshot of attaching the debugger from Visual Studio.":::

+ Visual Studio connects to your function app and enables remote debugging, if it's not already enabled.

+

+ > [!NOTE]

+ > Because the remote debugger isn't able to connect to the host process, you could see an error. In any case, the default debugging won't break into your code.

+1. Back in Visual Studio, copy the URL for the **Site** under **Hosting** in the **Publish** page.

+1. From the **Debug** menu, select **Attach to Process**, and in the **Attach to process** window, paste the URL in the **Connection Target**, remove `https://` and append the port `:4024`.

+ Verify that your target looks like `<FUNCTION_APP>.azurewebsites.net:4024` and press **Enter**.

+ 

+1. If prompted, allow Visual Studio access through your local firewall.

+1. When prompted for credentials, instead of local user credentials choose a different account (**More choices** on Windows). Provide the values of **userName** and **userPWD** from the published profile for **Email address** and **Password** in the authentication dialog on Windows. After a secure connection is established with the deployment server, the available processes are shown.

+ 

+1. Check **Show process from all users** and then choose **dotnet.exe** and select **Attach**. When the operation completes, you're attached to your C# class library code running in an isolated process. At this point, you can debug your function app as normal.

+### Disable remote debugging

+After you're done remote debugging your code, you should disable remote debugging in the [Azure portal](https://portal.azure.com). Remote debugging is automatically disabled after 48 hours, in case you forget.

+1. In the **Publish** tab in your project, select the ellipses (**...**) in the **Hosting** section, and choose **Open in Azure portal**. This action opens the function app in the Azure portal to which your project is deployed.

+1. In the functions app, select **Configuration** under **settings**, choose **General Settings**, set **Remote Debugging** to **Off**, and select **Save** then **Continue**.

+After the function app restarts, you can no longer remotely connect to your remote processes. You can use this same tab in the Azure portal to enable remote debugging outside of Visual Studio.

+> [!NOTE]

+> When using [Azure App Configuration](../../articles/azure-app-configuration/quickstart-azure-functions-csharp.md) or [Key Vault](../key-vault/general/overview.md) to provide settings for Managed Identity connections, setting names should use a valid key separator such as `:` or `/` in place of the `__` to ensure names are resolved correctly.

+>

+> For example, `ServiceBusConnection:fullyQualifiedNamespace`.

+> [!NOTE]

+> When using [Azure App Configuration](../../articles/azure-app-configuration/quickstart-azure-functions-csharp.md) or [Key Vault](../key-vault/general/overview.md) to provide settings for Managed Identity connections, setting names should use a valid key separator such as `:` or `/` in place of the `__` to ensure names are resolved correctly.

+>

+> For example, `ServiceBusConnection:fullyQualifiedNamespace`.

+> [!NOTE]

+> When using [Azure App Configuration](../azure-app-configuration/quickstart-azure-functions-csharp.md) or [Key Vault](../key-vault/general/overview.md) to provide settings for Managed Identity connections, setting names should use a valid key separator such as `:` or `/` in place of the `__` to ensure names are resolved correctly.

+>

+> For example, `Storage1:blobServiceUri`.

+# Send data from Azure diagnostics extension to Azure Monitor Logs

+The platform metrics for these services in the following Azure clouds are supported:

+ > Multi-resource metric alerts are not supported for the following scenarios:

+ > - Alerting on virtual machines' guest metrics

+ > - Alerting on virtual machines' network metrics (Network In Total, Network Out Total, Inbound Flows, Outbound Flows, Inbound Flows Maximum Creation Rate, Outbound Flows Maximum Creation Rate).

+ // Console apps should use the WorkerService package.

+ // This uses ServerTelemetryChannel which does not have synchronous flushing.

+ // For this reason we add a short 5s delay in this sample.

+

+ // If you're using InMemoryChannel, Flush() is synchronous and the short delay is not required.

+az monitor app-insights component create --app demoApp --location westus2 --kind web --resource-group demoRg --application-type web

+az monitor app-insights component create --app demoApp --location eastus --kind web --resource-group demoApp --application-type web

+> [!NOTE]

+> The search job feature is currently in public preview and is not supported in workspaces with [customer-managed keys](customer-managed-keys.md).

+## June, 2022

+### General

+| Article | Description |

+|:|:|

+| [Tutorial - Editing Data Collection Rules](essentials/data-collection-rule-edit.md) | New article|

+### Application Insights

+| Article | Description |

+|:|:|

+| [Application Insights logging with .NET](app/ilogger.md) | Connection string sample code has been added.|

+| [Application Insights SDK support guidance](app/sdk-support-guidance.md) | Updated SDK supportability guidance. |

+| [Azure AD authentication for Application Insights](app/azure-ad-authentication.md) | Azure AD authenticated telemetry ingestion has been reached general availability.|

+| [Azure Application Insights for JavaScript web apps](app/javascript.md) | Our Java on-premises page has been retired and redirected to [Azure Monitor OpenTelemetry-based auto-instrumentation for Java applications](app/java-in-process-agent.md).|

+| [Azure Application Insights Telemetry Data Model - Telemetry Context](app/data-model-context.md) | Clarified that Anonymous User ID is simply User.Id for easy selection in Intellisense.|

+| [Continuous export of telemetry from Application Insights](app/export-telemetry.md) | On February 29, 2024, continuous export will be deprecated as part of the classic Application Insights deprecation.|

+| [Dependency Tracking in Azure Application Insights](app/asp-net-dependencies.md) | The EventHub Client SDK and ServiceBus Client SDK information has been updated.|

+| [Monitor Azure app services performance .NET Core](app/azure-web-apps-net-core.md) | Updated Linux troubleshooting guidance. |

+| [Performance counters in Application Insights](app/performance-counters.md) | A prerequisite section has been added to ensure performance counter data is accessible.|

+### Agents

+| Article | Description |

+|:|:|

+| [Collect text and IIS logs with Azure Monitor agent (preview)](agents/data-collection-text-log.md) | Added troubleshooting section.|

+| [Tools for migrating to Azure Monitor Agent from legacy agents](agents/azure-monitor-agent-migration-tools.md) | New article that explains how to install and use tools for migrating from legacy agents to the new Azure Monitor agent (AMA).|

+### Visualizations

+Azure Monitor Workbooks documentation previously resided on an external GitHub repository. We have migrated all Azure Workbooks content to the same repo as all other Azure Monitor content.

+## Microsoft.App

+> [!div class="mx-tableFixed"]

+> | Entity | Scope | Length | Valid Characters |

+> | | | | |

+> | containerApps | resource group | 2-32 | Lowercase letters, numbers, and hyphens..<br><br>Start with letter and end with alphanumeric. |

+ Title: Invite users to Azure Video Indexer

+description: This article shows how to invite users to Azure Video Indexer.

+## July 8, 2022

+HCX cloud manager in Azure VMware solutions can now be accessible over a public IP address. You can pair HCX sites and create a service mesh from on-premises to Azure VMware Solutions private cloud using Public IP.

+HCX with public IP is especially useful in cases where On-premises sites are not connected to Azure via Express Route or VPN. HCX service mesh appliances can be configured with public IPs to avoid lower tunnel MTUs due to double encapsulation if a VPN is used for on-premises to cloud connections.

+For more information, please see [Enable HCX over the internet](/azure/azure-vmware/enable-hcx-access-over-internet)

+>- Azure workloads such as SQL and SAP HANA backups within Azure VMs have huge number of backup jobs. For example, log backups can run for every 15 minutes. So for such DB workloads, only user triggered operations are displayed. Scheduled backup operations aren't displayed.

+>- In Backup center you can view jobs for upto last 14 days. If you want to view jobs for a large duration, you can go to the individual Recovery Services vaults and select the **Backup Jobs** tab. For jobs older than 6 months, we recommend you to use Log Analytics and/or [Backup Reports](configure-reports.md) to reliably and efficiently query older jobs.

+#### Fire a single alert if all triggered backups for a vault were successful in last 24 hours

+Dimensions["HealthStatus"] != "Healthy"

+- Dimensions["HealthStatus"]!= "Healthy"

+- Dimensions["HealthStatus"]!= "Healthy"

+> [!NOTE]

+> For **Azure CDN from Microsoft** profiles, cache expiration override is only applicable to status codes 200 and 206.

+- [Tutorial: Set Azure CDN caching rules](cdn-caching-rules-tutorial.md)

+| English (Australia) | `en-AU` | Yes |Yes|

+| Japanese (Japan) | `ja-JP` | Yes |Yes|

+ Title: Speech-to-text REST API v3.1 Public Preview - Speech service

+description: Get reference documentation for Speech-to-text REST API v3.1 (Public Preview).

+ms.devlang: csharp

+# Speech-to-text REST API v3.1 (preview)

+The Speech-to-text REST API v3.1 is used for [Batch transcription](batch-transcription.md) and [Custom Speech](custom-speech-overview.md). It is currently in Public Preview.

+> [!TIP]

+> See the [Speech to Text API v3.1 preview1](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1-preview1/) reference documentation for details. This is an updated version of the [Speech to Text API v3.0](./rest-speech-to-text.md)

+Use the REST API v3.1 to:

+- Copy models to other subscriptions if you want colleagues to have access to a model that you built, or if you want to deploy a model to more than one region.

+- Transcribe data from a container (bulk transcription) and provide multiple URLs for audio files.

+- Upload data from Azure storage accounts by using a shared access signature (SAS) URI.

+- Get logs for each endpoint if logs have been requested for that endpoint.

+- Request the manifest of the models that you create, to set up on-premises containers.

+## Changes to the v3.0 API

+### Batch transcription changes:

+- In **Create Transcription** the following three new fields were added to properties:

+ - **displayFormWordLevelTimestampsEnabled** can be used to enable the reporting of word-level timestamps on the display form of the transcription results.

+ - **diarization** can be used to specify hints for the minimum and maximum number of speaker labels to generate when performing optional diarization (speaker separation). With this feature, the service is now able to generate speaker labels for more than two speakers.

+ - **languageIdentification** can be used specify settings for optional language identification on the input prior to transcription. Up to 10 candidate locales are supported for language identification. For the preview API, transcription can only be performed with base models for the respective locales. The ability to use custom models for transcription will be added for the GA version.

+- **Get Transcriptions**, **Get Transcription Files**, **Get Transcriptions For Project** now include a new optional parameter to simplify finding the right resource:

+ - **filter** can be used to provide a filtering expression for selecting a subset of the available resources. You can filter by displayName, description, createdDateTime, lastActionDateTime, status and locale. Example: filter=createdDateTime gt 2022-02-01T11:00:00Z

+### Custom Speech changes

+- **Create Dataset** now supports a new data type of **LanguageMarkdown** to support upload of the new structured text data.

+ It also now supports uploading data in multiple blocks for which the following new operations were added:

+ - **Upload Data Block** - Upload a block of data for the dataset. The maximum size of the block is 8MiB.

+ - **Get Uploaded Blocks** - Get the list of uploaded blocks for this dataset.

+ - **Commit Block List** - Commit block list to complete the upload of the dataset.

+- **Get Base Models** and **Get Base Model** now provide information on the type of adaptation supported by a base model:

+ ```json

+ "features": {

+ …

+ "supportsAdaptationsWith": [

+ ΓÇ£AcousticΓÇ¥,

+ "Language",

+ ΓÇ£LanguageMarkdownΓÇ¥,

+ "Pronunciation"

+ ]

+ }

+```

+|Adaptation Type |DescriptionText |

+|||

+|Acoustic |Supports adapting the model with the audio provided to adapt to the audio condition or specific speaker characteristics. |

+|Language |Supports adapting with Plain Text. |

+|LanguageMarkdown |Supports adapting with Structured Text. |

+|Pronunciation |Supports adapting with a Pronunciation File. |

+- **Create Model** has a new optional parameter under **properties** called **customModelWeightPercent** that lets you specify the weight used when the Custom Language Model (trained from plain or structured text data) is combined with the Base Language Model. Valid values are integers between 1 and 100. The default value is currently 30.

+- **Get Base Models**, **Get Datasets**, **Get Datasets For Project**, **Get Data Set Files**, **Get Endpoints**, **Get Endpoints For Project**, **Get Evaluations**, **Get Evaluations For Project**, **Get Evaluation Files**, **Get Models**, **Get Models For Project**, **Get Projects** now include a new optional parameter to simplify finding the right resource:

+ - **filter** can be used to provide a filtering expression for selecting a subset of the available resources. You can filter by displayName, description, createdDateTime, lastActionDateTime, status, locale and kind. Example: filter=locale eq 'en-US'

+- Added a new **Get Model Files** operation to get the files of the model identified by the given ID as well as a new **Get Model File** operation to get one specific file (identified with fileId) from a model (identified with id). This lets you retrieve a **ModelReport** file that provides information on the data processed during training.

+## Next steps

+- [Customize acoustic models](./how-to-custom-speech-train-model.md)

+- [Customize language models](./how-to-custom-speech-train-model.md)

+- [Get familiar with batch transcription](batch-transcription.md)

+| Real-time API. Prebuilt neural voices and custom neural voices. | 20 transactions per 60 seconds | 200 transactions per second (TPS) (default value) |

+| Adjustable | No<sup>4</sup> | Yes<sup>5</sup>, up to 1000 TPS |

+#### Audio Content Creation tool

+- Create additional Speech service resources in *different* regions, and distribute the workload among them. (Creating multiple Speech service resources in the same region will not affect the performance, because all resources will be served by the same backend cluster).

+1. On the **Review + create** tab, select **Create**.

+1. On the **Review + create** tab, select **Create**.

+ Title: Use cases for Azure Communication Services support Teams identities

+description: This article describes use cases for Azure Communication Services support Teams identities.

+# Azure Communication Services support Teams identities ΓÇö Use cases

+ Title: Integrate communication as Teams user with Azure Communication Services

+description: This article discusses how to integrate communication as Teams user with Azure Communication Services.

+# Integrate communication as Teams user with Azure Communication Services and Graph API

+You can use Azure Communication Services and Graph API to integrate communication as Teams user into your products to communicate with other people in and outside your organization. With Azure Communication Services supporting Teams identities and Graph API, you can customize a voice, video, chat, and screen-sharing experience for Teams users.

+Voice, video, and screen-sharing capabilities are provided via Azure Communication Services Calling SDKs. The following diagram shows an overview of the process you'll follow as you integrate your calling experiences with Azure Communication Services support Teams identities.

+

+Optionally, you can also use Graph API to integrate chat capabilities into your product. For more information about the Graph API, see the [chat resource type](/graph/api/channel-post-messages) documentation.

+

+InCall diagnostics leverages [media quality stats](./media-quality-sdk.md) to calculate quality scores and diagnose issues. During the pre-call diagnostic, the full set of media quality stats are available for consumption. These will include raw values across video and audio metrics that can be used programatically. The InCall diagnostic provides a convenience layer on top of media quality stats to consume the results without the need to process all the raw data. See section on media stats for instructions to access.

+For granular stats on quality metrics like jitter, packet loss, rtt, etc. `callMediaStatistics` are provided as part of the `preCallDiagnosticsResult` feature. See the [full list and description of the available metrics](./media-quality-sdk.md) in the linked article. You can subscribe to the call media stats to get full collection of them. This is the raw metrics that are used to calculate InCall diagnostic results and which can be consumed granularly for further analysis.

+- Learn more about [Azure Communication Services support Teams identities](../concepts/teams-endpoint.md)

+In this quickstart, you'll build a .NET console application to authenticate a Microsoft 365 user by using the Microsoft Authentication Library (MSAL) and retrieving a Microsoft Azure Active Directory (Azure AD) user token. You'll then exchange that token for an access token of Teams user with the Azure Communication Services Identity SDK. The access token for Teams user can then be used by the Communication Services Calling SDK to integrate calling capability as Teams user.

+

+

+

+With a valid access token for Teams user in the *client application*, developers can integrate the Communication Services Calling SDK and manage calls as Teams user.

+- [Azure Communication Services support Teams identities](../concepts/teams-endpoint.md)

+- As a developer, you need to enable an authentication flow for Azure Communication Services support Teams identities, which is done by using an Microsoft 365 Azure Active Directory identity of a Teams' user to fetch an Azure Communication Services token to be able to join Teams calling/chat.

+Network Security Groups (NSGs) needed to configure virtual networks closely resemble the settings required by Kubernetes.

+You can lock down a network via NSGs with more restrictive rules than the default NSG rules to control all inbound and outbound traffic for the Container App Environment.

+Using custom user-defined routes (UDRs) or ExpressRoutes, other than with UDRs of selected destinations that you own, are not yet supported for Container App Environments with VNETs. Therefore, securing a Container App Environment with a firewall is not yet supported.

+| Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/23`. |

+| Any | \* | AzureLoadBalancer | Allow the Azure infrastructure load balancer to communicate with your environment. |

+| TCP | `443` | \* | Allowing all outbound on port `443` provides a way to allow all FQDN based outbound dependencies that don't have a static IP. |

+| UDP | `123` | \* | NTP server. |

+| Any | \* | Infrastructure subnet address space | Allow communication between IPs in the infrastructure subnet. This address is passed as a parameter when you create an environment. For example, `10.0.0.0/23`. |

+ Title: Built-in policy definitions for Azure Container Apps

+description: Lists Azure Policy built-in policy definitions for Azure Container Apps. These built-in policy definitions provide common approaches to managing your Azure resources.

+# Azure Policy built-in definitions for Azure Container Apps

+This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy

+definitions for Azure Container Apps. For additional Azure Policy built-ins for other services, see

+[Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md).

+The name of each built-in policy definition links to the policy definition in the Azure portal. Use

+the link in the **Version** column to view the source on the

+[Azure Policy GitHub repo](https://github.com/Azure/azure-policy).

+## Policy definitions

+## Next steps

+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).

+- Review the [Azure Policy definition structure](../governance/policy/concepts/definition-structure.md).

+- Review [Understanding policy effects](../governance/policy/concepts/effects.md).

+With debug on, the Data Preview tab will light-up on the bottom panel. Without debug mode on, Data Flow will show you only the current metadata in and out of each of your transformations in the Inspect tab. The data preview will only query the number of rows that you have set as your limit in your debug settings. Click **Refresh** to update the data preview based on your current transformations. If your source data has changed, then click the Refresh > Refetch from source.

+ - For Template Parameters, point to 'ArmTemplateParameters_master.json' instead of 'ArmTemplateParametersForFactory.json'

+- [Automate continuous integration using Azure Pipelines releases](continuous-integration-delivery-automate-azure-pipelines.md)

+|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#plan-2-formerly-defender-for-servers)|

+|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#plan-2-formerly-defender-for-servers)|

+Microsoft Defender for Containers is the cloud-native solution that is used to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications.

+Defender for Containers assists you with the three core aspects of container security:

+- [**Environment hardening**](#hardening) - Defender for Containers protects your Kubernetes clusters whether they're running on Azure Kubernetes Service, Kubernetes on-premises/IaaS, or Amazon EKS. Defender for Containers continuously assesses clusters to provide visibility into misconfigurations and guidelines to help mitigate identified threats.

+- [**Vulnerability assessment**](#vulnerability-assessment) - Vulnerability assessment and management tools for images stored in ACR registries and running in Azure Kubernetes Service.

+- [**Run-time threat protection for nodes and clusters**](#run-time-protection-for-kubernetes-nodes-and-clusters) - Threat protection for clusters and Linux nodes generates security alerts for suspicious activities.

+You can learn more by watching this video from the Defender for Cloud in the Field video series: [Microsoft Defender for Containers](episode-three.md).

+Defender for Cloud continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations allow you to investigate and remediate issues. For details on the recommendations that might appear for this feature, check out the [compute section](recommendations-reference.md#recs-container) of the recommendations reference table.

+For Kubernetes clusters on EKS, you'll need to [connect your AWS account to Microsoft Defender for Cloud](quickstart-onboard-aws.md) and ensure you've enabled the CSPM plan.

+You can use the resource filter to review the outstanding recommendations for your container-related resources, whether in asset inventory or the recommendations page:

+To protect the workloads of your Kubernetes containers with tailored recommendations, you can install the [Azure Policy for Kubernetes](../governance/policy/concepts/policy-for-kubernetes.md). You can also auto deploy this component as explained in [enable auto provisioning of agents and extensions](enable-data-collection.md#auto-provision-mma).

+With the add-on on your AKS cluster, every request to the Kubernetes API server will be monitored against the predefined set of best practices before being persisted to the cluster. You can then configure it to enforce the best practices and mandate them for future workloads.

+You can learn more about [Kubernetes data plane hardening](kubernetes-workload-protections.md).

+ - When you push the image to your registry

+ - Weekly on any image that was pulled within the last 30

+ - When you import the image to your Azure Container Registry

+ - Continuously in specific situations

+The recommendation `Running container images should have vulnerability findings resolved` shows vulnerabilities for running images by using the scan results from ACR registries and information on running images from the Defender security profile/extension. Images that are deployed from a non-ACR registry, will appear under the Not applicable tab.

+In addition, our threat detection goes beyond the Kubernetes management layer. Defender for Containers includes host-level threat detection with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload.

+You can use the Azure Policy `Configure Microsoft Defender for Containers to be enabled`, to enable Defender for Containers at scale. You can also see all of the options that are available to [enable Microsoft Defender for Containers](defender-for-containers-enable.md).

+Learn more about Defender for Containers in the following blogs:

+The release state of Defender for Containers is broken down by two dimensions: environment and feature. So, for example:

+Defender for Servers is one of the enhanced security features available in Microsoft Defender for Cloud. You can use it to add threat detection and advanced defenses to your Windows and Linux machines that exist in hybrid and multicloud environments.

+To protect your machines, Defender for Cloud uses [Azure Arc](../azure-arc/index.yml). You can [Connect your non-Azure machines to Microsoft Defender for Cloud](quickstart-onboard-machines.md), [Connect your AWS accounts to Microsoft Defender for Cloud](quickstart-onboard-aws.md) or [Connect your GCP projects to Microsoft Defender for Cloud](quickstart-onboard-gcp.md).

+> You can check out the [Supported features for virtual machines and servers](supported-machines-endpoint-solutions-clouds-servers.md?tabs=features-windows#supported-features-for-virtual-machines-and-servers) for details on which Defender for Servers features are relevant for machines running on other cloud environments.

+## Available Defender for Server plans

+Defender for Servers offers you a choice between two paid plans:

+| Feature | [Defender for Servers Plan 1](#plan-1) | [Defender for Servers Plan 2](#plan-2-formerly-defender-for-servers) |

+|:|::|::|

+| Automatic onboarding for resources in Azure, AWS, GCP | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Microsoft threat and vulnerability management | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Flexibility to use Microsoft Defender for Cloud or Microsoft 365 Defender portal | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| [Integration of Microsoft Defender for Cloud and Microsoft Defender for Endpoint](#integrated-license-for-microsoft-defender-for-endpoint) (alerts, software inventory, Vulnerability Assessment) | :::image type="icon" source="./media/icons/yes-icon.png"::: | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Security Policy and Regulatory Compliance | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Log-analytics (500 MB free) | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| [Vulnerability Assessment using Qualys](#vulnerability-scanner-powered-by-qualys) | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| Threat detections: OS level, network layer, control plane | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| [Adaptive application controls](#adaptive-application-controls-aac) | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| [File integrity monitoring](#file-integrity-monitoring-fim) | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| [Just-in time VM access](#just-in-time-jit-virtual-machine-vm-access) | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+| [Adaptive network hardening](#adaptive-network-hardening-anh) | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+### Plan 1

+Plan 1 includes the following benefits:

+- Automatic onboarding for resources in Azure, AWS, GCP

+- Microsoft threat and vulnerability management

+- Flexibility to use Microsoft Defender for Cloud or Microsoft 365 Defender portal

+- A Microsoft Defender for Endpoint subscription that includes access to alerts, software inventory, Vulnerability Assessment and an automatic integration with Microsoft Defender for Cloud.

+The subscription to Microsoft Defender for Endpoint allows you to deploy Defender for Endpoint to your servers. Defender for Endpoint includes the following capabilities:

+- Licenses are charged per hour instead of per seat, lowering your costs to protect virtual machines only when they are in use.

+- Microsoft Defender for Endpoint deploys automatically to all cloud workloads so that you know that they're protected when they spin up.

+- Alerts and vulnerability data is shown in Microsoft Defender for Cloud.

+### Plan 2 (formerly Defender for Servers)

+Plan 2 includes all of the benefits included with Plan 1. However, plan 2 also includes all of the other Microsoft Defender for Servers features listed in the [table above](#available-defender-for-server-plans).

+## Select a plan

+You can select your plan when you [Enable enhanced security features on your subscriptions and workspaces:](enable-enhanced-security.md#enable-enhanced-security-features-on-your-subscriptions-and-workspaces). By default, plan 2 is selected when you set the Defender for Servers plan to On.

+If at any point, you want to change the Defender for Servers plan, you can change it on the Defender plans page by selecting **Change plan**.

+## Benefits of the Defender for Servers plans

+Defender for Servers offers both threat detection and protection capabilities that consist of:

+### Plan 1 & Plan 2

+#### Microsoft threat and vulnerability management

+Defender for Servers includes a selection of vulnerability discovery and management tools for your machines. You can select which tools to deploy to your machines. The discovered vulnerabilities are shown in a security recommendation.

+Discovers vulnerabilities and misconfigurations in real time with Microsoft Defender for Endpoint, and without the need of other agents or periodic scans. [Threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) prioritizes vulnerabilities according to the threat landscape, detections in your organization, sensitive information on vulnerable devices, and the business context. Learn more in [Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md)

+#### Integrated license for Microsoft Defender for Endpoint

+Defender for Servers includes [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/security/endpoint-defender). Together, they provide comprehensive endpoint detection and response (EDR) capabilities. When you enable Defender for Servers, Defender for Cloud gains access to the Defender for Endpoint data that is related to vulnerabilities, installed software, and alerts for your endpoints.

+When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown on Defender for Cloud's Recommendation page. From Defender for Cloud, you can also pivot to the Defender for Endpoint console, and perform a detailed investigation to uncover the scope of the attack. Learn how to [Protect your endpoints](integration-defender-for-endpoint.md).

+### Plan 2 only

+#### Vulnerability scanner powered by Qualys

+Defender for Servers includes a selection of vulnerability discovery and management tools for your machines. You can select which tools to deploy to your machines. The discovered vulnerabilities are shown in a security recommendation.

+The Qualys scanner is one of the leading tools for real-time identification of vulnerabilities in your Azure and hybrid virtual machines. You don't need a Qualys license or a Qualys account - everything's handled seamlessly inside Defender for Cloud. You can learn more about [Defender for Cloud's integrated Qualys scanner for Azure and hybrid machines](deploy-vulnerability-assessment-vm.md).

+#### Adaptive application controls (AAC)

+Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines.

+After you enable and configure adaptive application controls, you get security alerts if any application runs other than the ones you defined as safe. Learn how to [use adaptive application controls to reduce your machines' attack surfaces](adaptive-application-controls.md).

+#### File integrity monitoring (FIM)

+File integrity monitoring (FIM), also known as change monitoring, examines files and registries of operating system, application software, and others for changes that might indicate an attack. A comparison method is used to determine if the current state of the file is different from the last scan of the file. You can use this comparison to determine if valid or suspicious modifications have been made to your files.

+When you enable Defender for Servers, you can use FIM to validate the integrity of Windows files, your Windows registries, and Linux files. Learn more about [File integrity monitoring in Microsoft Defender for Cloud](file-integrity-monitoring-overview.md).

+#### Just-in-time (JIT) virtual machine (VM) access

+Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. All of your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.

+When you enable Microsoft Defender for Servers, you can use just-in-time VM access to lock down the inbound traffic to your VMs. This reduces exposure to attacks and provides easy access to connect to VMs when needed. Learn more about [JIT VM access](just-in-time-access-overview.md).

+#### Adaptive network hardening (ANH)

+Applying network security groups (NSG) to filter traffic to and from resources, improves your network security posture. However, there can still be some cases in which the actual traffic flowing through the NSG is a subset of the NSG rules defined. In these cases, further improving the security posture can be achieved by hardening the NSG rules, based on the actual traffic patterns.

+Adaptive network hardening provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise. ANH then provides recommendations to allow traffic only from specific IP and port tuples. Learn how to [improve your network security posture with adaptive network hardening](adaptive-network-hardening.md).

+#### Docker host hardening

+Defender for Cloud identifies containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers that are not managed. Defender for Cloud continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark. Defender for Cloud includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls. For more information, see [Harden your Docker hosts](harden-docker-hosts.md).

+#### Fileless attack detection

+Fileless attacks inject malicious payloads into memory to avoid detection by disk-based scanning techniques. The attackerΓÇÖs payload then persists within the memory of compromised processes and performs a wide range of malicious activities.

+With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. This solution periodically scans your machine at runtime, and extracts insights directly from the memory of processes. Specific insights include the identification of:

+- Well-known toolkits and crypto mining software

+- Shellcode - a small piece of code typically used as the payload in the exploitation of a software vulnerability.

+- Injected malicious executable in process memory

+Fileless attack detection generates detailed security alerts that include descriptions with process metadata such as network activity. These details accelerate alert triage, correlation, and downstream response time. This approach complements event-based EDR solutions, and provides increased detection coverage.

+For details of the fileless attack detection alerts, see the [Reference table of alerts](alerts-reference.md#alerts-windows).

+#### Linux auditd alerts and Log Analytics agent integration (Linux only)

+The auditd system consists of a kernel-level subsystem, which is responsible for monitoring system calls. It filters them by a specified rule set, and writes messages for them to a socket. Defender for Cloud integrates functionalities from the auditd package within the Log Analytics agent. This integration enables collection of auditd events in all supported Linux distributions, without any prerequisites.

+Log Analytics agent for Linux collects auditd records and enriches and aggregates them into events. Defender for Cloud continuously adds new analytics that use Linux signals to detect malicious behaviors on cloud and on-premises Linux machines. Similar to Windows capabilities, these analytics include tests that check for suspicious processes, dubious sign-in attempts, kernel module loading, and other activities. These activities can indicate a machine is either under attack or has been breached.

+For a list of the Linux alerts, see the [Reference table of alerts](alerts-reference.md#alerts-linux).

+To learn more about Defender for Servers, you can check out the following blogs:

+For related material, see the following page:

+- Whether Defender for Cloud generates an alert or receives an alert from a different security product, you can export alerts from Defender for Cloud. To export your alerts to Microsoft Sentinel, any third-party SIEM, or any other external tool, follow the instructions in [Exporting alerts to a SIEM](continuous-export.md).

+|Pricing:|Requires [Microsoft Defender for Servers Plan 1 or Plan 2](defender-for-servers-introduction.md#available-defender-for-server-plans)|

+|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#available-defender-for-server-plans)|

+|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#available-defender-for-server-plans).<br>Using the Log Analytics agent, FIM uploads data to the Log Analytics workspace. Data charges apply, based on the amount of data you upload. See [Log Analytics pricing](https://azure.microsoft.com/pricing/details/log-analytics/) to learn more.|

+|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#available-defender-for-server-plans)|

+| Pricing: | Requires [Microsoft Defender for Servers Plan 1 or Plan 2](defender-for-servers-introduction.md#available-defender-for-server-plans) |

+| Clouds: | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government (Windows only)<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet <br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts <br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected GCP projects |

+[Microsoft Defender for Endpoint Plan 2](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) protects your Windows and Linux machines whether they're hosted in Azure, hybrid clouds (on-premises), or multicloud. Protections include:

+If you already have a license for **Microsoft Defender for Endpoint for Servers** , you won't pay for that part of your [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#plan-2-formerly-defender-for-servers) license. Learn more about [the Microsoft 365 license](/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements).

+When a user requests access to a VM, Defender for Cloud checks that the user has [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) permissions for that VM. If the request is approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address (or range), for the amount of time that was specified. In AWS, Defender for Cloud creates a new EC2 security group that allows inbound traffic to the specified ports. After the time has expired, Defender for Cloud restores the NSGs to their previous states. Connections that are already established are not interrupted.

+JIT Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#plan-2-formerly-defender-for-servers) to be enabled on the subscription.

+- Network map (requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#plan-2-formerly-defender-for-servers))

+- [Adaptive network hardening](adaptive-network-hardening.md) (requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#plan-2-formerly-defender-for-servers))

+|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#plan-2-formerly-defender-for-servers)|

+|Pricing:|Requires [Microsoft Defender for Servers Plan 2](defender-for-servers-introduction.md#plan-2-formerly-defender-for-servers)|

+## January 2022

+Updates in January include:

+- [Microsoft Defender for Resource Manager updated with new alerts and greater emphasis on high-risk operations mapped to MITRE ATT&CK® Matrix](#microsoft-defender-for-resource-manager-updated-with-new-alerts-and-greater-emphasis-on-high-risk-operations-mapped-to-mitre-attck-matrix)

+- [Recommendations to enable Microsoft Defender plans on workspaces (in preview)](#recommendations-to-enable-microsoft-defender-plans-on-workspaces-in-preview)

+- [Auto provision Log Analytics agent to Azure Arc-enabled machines (preview)](#auto-provision-log-analytics-agent-to-azure-arc-enabled-machines-preview)

+- [Deprecated the recommendation to classify sensitive data in SQL databases](#deprecated-the-recommendation-to-classify-sensitive-data-in-sql-databases)

+- [Communication with suspicious domain alert expanded to included known Log4Shell-related domains](#communication-with-suspicious-domain-alert-expanded-to-included-known-log4shell-related-domains)

+- ['Copy alert JSON' button added to security alert details pane](#copy-alert-json-button-added-to-security-alert-details-pane)

+- [Renamed two recommendations](#renamed-two-recommendations)

+- [Deprecate Kubernetes cluster containers should only listen on allowed ports policy](#deprecate-kubernetes-cluster-containers-should-only-listen-on-allowed-ports-policy)

+- [Added 'Active Alerts' workbook](#added-active-alert-workbook)

+- ['System update' recommendation added to government cloud](#system-update-recommendation-added-to-government-cloud)

+### Microsoft Defender for Resource Manager updated with new alerts and greater emphasis on high-risk operations mapped to MITRE ATT&CK® Matrix

+The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it's also a potential target for attackers. We recommend security operations teams closely monitor the resource management layer.

+Microsoft Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Defender for Cloud runs advanced security analytics to detect threats and alerts you about suspicious activity.

+The plan's protections greatly enhance an organization's resiliency against attacks from threat actors and significantly increase the number of Azure resources protected by Defender for Cloud.

+In December 2020, we introduced the preview of Defender for Resource Manager, and in May 2021 the plan was release for general availability.

+With this update, we've comprehensively revised the focus of the Microsoft Defender for Resource Manager plan. The updated plan includes many **new alerts focused on identifying suspicious invocation of high-risk operations**. These new alerts provide extensive monitoring for attacks across the *complete* [MITRE ATT&CK® matrix for cloud-based techniques](https://attack.mitre.org/matrices/enterprise/cloud/).

+This matrix covers the following range of potential intentions of threat actors who may be targeting your organization's resources: *Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact*.

+The new alerts for this Defender plan cover these intentions as shown in the following table.

+> [!TIP]

+> These alerts also appear in the [alerts reference page](alerts-reference.md).

+| Alert (alert type) | Description | MITRE tactics (intentions)| Severity |

+|-|--|:-:|-|

+| **Suspicious invocation of a high-risk 'Initial Access' operation detected (Preview)**<br>(ARM_AnomalousOperation.InitialAccess) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access restricted resources. The identified operations are designed to allow administrators to efficiently access their environments. While this activity may be legitimate, a threat actor might utilize such operations to gain initial access to restricted resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Initial Access | Medium |

+| **Suspicious invocation of a high-risk 'Execution' operation detected (Preview)**<br>(ARM_AnomalousOperation.Execution) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation on a machine in your subscription, which might indicate an attempt to execute code. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Execution | Medium |

+| **Suspicious invocation of a high-risk 'Persistence' operation detected (Preview)**<br>(ARM_AnomalousOperation.Persistence) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to establish persistence. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to establish persistence in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Persistence | Medium |

+| **Suspicious invocation of a high-risk 'Privilege Escalation' operation detected (Preview)**<br>(ARM_AnomalousOperation.PrivilegeEscalation) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to escalate privileges. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to escalate privileges while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Privilege Escalation | Medium |

+| **Suspicious invocation of a high-risk 'Defense Evasion' operation detected (Preview)**<br>(ARM_AnomalousOperation.DefenseEvasion) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to evade defenses. The identified operations are designed to allow administrators to efficiently manage the security posture of their environments. While this activity may be legitimate, a threat actor might utilize such operations to avoid being detected while compromising resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Defense Evasion | Medium |

+| **Suspicious invocation of a high-risk 'Credential Access' operation detected (Preview)**<br>(ARM_AnomalousOperation.CredentialAccess) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to access credentials. The identified operations are designed to allow administrators to efficiently access their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Credential Access | Medium |

+| **Suspicious invocation of a high-risk 'Lateral Movement' operation detected (Preview)**<br>(ARM_AnomalousOperation.LateralMovement) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to perform lateral movement. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to compromise additional resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Lateral Movement | Medium |

+| **Suspicious invocation of a high-risk 'Data Collection' operation detected (Preview)**<br>(ARM_AnomalousOperation.Collection) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempt to collect data. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to collect sensitive data on resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Collection | Medium |

+| **Suspicious invocation of a high-risk 'Impact' operation detected (Preview)**<br>(ARM_AnomalousOperation.Impact) | Microsoft Defender for Resource Manager identified a suspicious invocation of a high-risk operation in your subscription, which might indicate an attempted configuration change. The identified operations are designed to allow administrators to efficiently manage their environments. While this activity may be legitimate, a threat actor might utilize such operations to access restricted credentials and compromise resources in your environment. This can indicate that the account is compromised and is being used with malicious intent. | Impact | Medium |

+In addition, these two alerts from this plan have come out of preview:

+| Alert (alert type) | Description | MITRE tactics (intentions)| Severity |

+|-|--|:-:|-|

+| **Azure Resource Manager operation from suspicious IP address**<br>(ARM_OperationFromSuspiciousIP) | Microsoft Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds. | Execution | Medium |

+| **Azure Resource Manager operation from suspicious proxy IP address**<br>(ARM_OperationFromSuspiciousProxyIP) | Microsoft Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP. | Defense Evasion | Medium |

+### Recommendations to enable Microsoft Defender plans on workspaces (in preview)

+To benefit from all of the security features available from [Microsoft Defender for Servers](defender-for-servers-introduction.md) and [Microsoft Defender for SQL on machines](defender-for-sql-introduction.md), the plans must be enabled on **both** the subscription and workspace levels.

+When a machine is in a subscription with one of these plan enabled, you'll be billed for the full protections. However, if that machine is reporting to a workspace *without* the plan enabled, you won't actually receive those benefits.

+We've added two recommendations that highlight workspaces without these plans enabled, that nevertheless have machines reporting to them from subscriptions that *do* have the plan enabled.

+The two recommendations, which both offer automated remediation (the 'Fix' action), are:

+|Recommendation |Description |Severity |

+||||

+|[Microsoft Defender for Servers should be enabled on workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1ce68079-b783-4404-b341-d2851d6f0fa2) |Microsoft Defender for Servers brings threat detection and advanced defenses for your Windows and Linux machines.<br>With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for Servers but missing out on some of the benefits.<br>When you enable Microsoft Defender for Servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for Servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for Servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.<br>Learn more in <a target="_blank" href="/azure/defender-for-cloud/defender-for-servers-introduction?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation">Overview of Microsoft Defender for Servers</a>.<br />(No related policy) |Medium |

+|[Microsoft Defender for SQL on machines should be enabled on workspaces](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/e9c320f1-03a0-4d2b-9a37-84b3bdc2e281) |Microsoft Defender for Servers brings threat detection and advanced defenses for your Windows and Linux machines.<br>With this Defender plan enabled on your subscriptions but not on your workspaces, you're paying for the full capability of Microsoft Defender for Servers but missing out on some of the benefits.<br>When you enable Microsoft Defender for Servers on a workspace, all machines reporting to that workspace will be billed for Microsoft Defender for Servers - even if they're in subscriptions without Defender plans enabled. Unless you also enable Microsoft Defender for Servers on the subscription, those machines won't be able to take advantage of just-in-time VM access, adaptive application controls, and network detections for Azure resources.<br>Learn more in <a target="_blank" href="/azure/defender-for-cloud/defender-for-servers-introduction?wt.mc_id=defenderforcloud_inproduct_portal_recoremediation">Overview of Microsoft Defender for Servers</a>.<br />(No related policy) |Medium |

+### Auto provision Log Analytics agent to Azure Arc-enabled machines (preview)

+Defender for Cloud uses the Log Analytics agent to gather security-related data from machines. The agent reads various security-related configurations and event logs and copies the data to your workspace for analysis.

+Defender for Cloud's auto provisioning settings has a toggle for each type of supported extension, including the Log Analytics agent.

+In a further expansion of our hybrid cloud features, we've added an option to auto provision the Log Analytics agent to machines connected to Azure Arc.

+As with the other auto provisioning options, this is configured at the subscription level.

+When you enable this option, you'll be prompted for the workspace.

+> [!NOTE]

+> For this preview, you can't select the default workspaces that was created by Defender for Cloud. To ensure you receive the full set of security features available for the Azure Arc-enabled servers, verify that you have the relevant security solution installed on the selected workspace.

+### Deprecated the recommendation to classify sensitive data in SQL databases

+We've removed the recommendation **Sensitive data in your SQL databases should be classified** as part of an overhaul of how Defender for Cloud identifies and protects sensitive date in your cloud resources.

+Advance notice of this change appeared for the last six months in the [Important upcoming changes to Microsoft Defender for Cloud](upcoming-changes.md) page.

+### Communication with suspicious domain alert expanded to included known Log4Shell-related domains

+The following alert was previously only available to organizations who had enabled the [Microsoft Defender for DNS](defender-for-dns-introduction.md) plan.

+With this update, the alert will also show for subscriptions with the [Microsoft Defender for Servers](defender-for-servers-introduction.md) or [Defender for App Service](defender-for-app-service-introduction.md) plan enabled.

+In addition, [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684) has expanded the list of known malicious domains to include domains associated with exploiting the widely publicized vulnerabilities associated with Log4j.

+| Alert (alert type) | Description | MITRE tactics | Severity |

+|-|-|:--:|-|

+| **Communication with suspicious domain identified by threat intelligence**<br>(AzureDNS_ThreatIntelSuspectDomain) | Communication with suspicious domain was detected by analyzing DNS transactions from your resource and comparing against known malicious domains identified by threat intelligence feeds. Communication to malicious domains is frequently performed by attackers and could imply that your resource is compromised. | Initial Access / Persistence / Execution / Command And Control / Exploitation | Medium |

+### 'Copy alert JSON' button added to security alert details pane

+To help our users quickly share an alert's details with others (for example, SOC analysts, resource owners, and developers) we've added the capability to easily extract all the details of a specific alert with one button from the security alert's details pane.

+The new **Copy alert JSON** button puts the alertΓÇÖs details, in JSON format, into the user's clipboard.

+### Renamed two recommendations

+For consistency with other recommendation names, we've renamed the following two recommendations:

+- Recommendation to resolve vulnerabilities discovered in running container images

+ - Previous name: Vulnerabilities in running container images should be remediated (powered by Qualys)

+ - New name: Running container images should have vulnerability findings resolved

+- Recommendation to enable diagnostic logs for Azure App Service

+ - Previous name: Diagnostic logs should be enabled in App Service

+ - New name: Diagnostic logs in App Service should be enabled

+### Deprecate Kubernetes cluster containers should only listen on allowed ports policy

+We've deprecated the **Kubernetes cluster containers should only listen on allowed ports** recommendation.

+| Policy name | Description | Effect(s) | Version |

+|--|--|--|--|

+| [Kubernetes cluster containers should only listen on allowed ports](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F440b515e-a580-421e-abeb-b159a61ddcbc) | Restrict containers to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see [https://aka.ms/kubepolicydoc](../governance/policy/concepts/policy-for-kubernetes.md). | audit, deny, disabled | [6.1.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPorts.json) |

+The **[Services should listen on allowed ports only](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/add45209-73f6-4fa5-a5a5-74a451b07fbe)** recommendation should be used to limit ports that an application exposes to the internet.

+### Added 'Active Alert' workbook

+To assist our users in their understanding of the active threats to their environments, and prioritize between active alerts during the remediation process, we've added the Active Alerts workbook.

+The active alerts workbook allows users to view a unified dashboard of their aggregated alerts by severity, type, tag, MITRE ATT&CK tactics, and location. Learn more in [Use the 'Active Alerts' workbook](custom-dashboards-azure-workbooks.md#use-the-active-alerts-workbook).

+### 'System update' recommendation added to government cloud

+The 'System updates should be installed on your machines' recommendation is now available on all government clouds.

+It's likely that this change will impact your government cloud subscription's secure score. We expect the change to lead to a decreased score, but it's possible the recommendation's inclusion might result in an increased score in some cases.

+We are integrating the Windows crash dump analysis (CDA) detection capabilities into [fileless attack detection](defender-for-servers-introduction.md#fileless-attack-detection). Fileless attack detection analytics brings improved versions of the following security alerts for Windows machines: Code injection discovered, Masquerading Windows Module Detected, Shell code discovered, and Suspicious code segment detected.

+All auto-provisioning components available in the connector level (Azure Arc, MDE, and vulnerability assessments) are enabled by default, and the new configuration supports both [Plan 1 and Plan 2 pricing tiers](defender-for-servers-introduction.md#available-defender-for-server-plans).

+While Defender for Servers Plan 2 continues to provide protections from threats and vulnerabilities to your cloud and on-premises workloads, Defender for Servers Plan 1 provides endpoint protection only, powered by the natively integrated Defender for Endpoint. Read more about the [Defender for Servers plans](defender-for-servers-introduction.md#available-defender-for-server-plans).

+description: This article describes how to use Azure Policy as an Event Grid event source. It provides the schema and links to tutorial and how-to articles.

+* If you plan to use a shared key/MD5 hash, be sure to use the key on both sides of the tunnel. The limit is a maximum of 25 alphanumeric characters. Special characters aren't supported.

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/not-provisioned.png" alt-text="Screenshot showing the Overview page for the ExpressRoute Demo Circuit with a red box highlighting the Provider status set to Not provisioned.":::

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/provisioned.png" alt-text="Screenshot that showing the Overview page for the ExpressRoute Demo Circuit with a red box highlighting the Provider status set to Provisioned.":::

+ * A pair of subnets owned by you and registered in an RIR/IRR. One subnet will be used for the primary link, while the other will be used for the secondary link. From each of these subnets, you'll assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets:

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/select-microsoft-peering.png" alt-text="Screenshot showing how to select the Microsoft peering row.":::

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/configuration-m-validation-needed.png" alt-text="Screenshot showing Microsoft peering configuration.":::

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/ticket-portal-m.png" alt-text="Screenshot showing new support ticket request to submit proof of ownership for public prefixes.":::

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/not-provisioned.png" alt-text="Screenshot showing the Overview page for the ExpressRoute Demo Circuit with a red box highlighting the Provider status that is set to Not provisioned.":::

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/provisioned.png" alt-text="Screenshot showing the Overview page for the ExpressRoute Demo Circuit with a red box highlighting the Provider status that is set to Provisioned.":::

+ * A pair of subnets that aren't part of any address space reserved for virtual networks. One subnet will be used for the primary link, while the other will be used for the secondary link. From each of these subnets, you'll assign the first usable IP address to your router as Microsoft uses the second usable IP for its router. You have three options for this pair of subnets:

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/select-private-peering.png" alt-text="Screenshot showing how to select the private peering row.":::

+ :::image type="content" source="./media/expressroute-howto-routing-portal-resource-manager/private-peering-configuration.png" alt-text="Screenshot showing private peering configuration.":::

+description: Use Azure Event Grid to subscribe to Azure Policy events, which allow applications to react to state changes without the need for complicated code.

+ Title: Azure Policy glossary

+description: A glossary defining the terminology used throughout Azure Policy

+# Azure Policy glossary

+The term _policy_ is used widely in virtually every industry and is associated with many use cases. Azure Policy has specific vocabulary and applications that are not to be confused with policy embedded in other contexts.

+This glossary provides definitions and descriptions of terms used by Azure Policy.

+## Alias

+A field used in policy definitions that maps to a resource property.

+## Applicability

+Describes the relevance of resources that are considered for assessment against a policy. A resource is considered applicable to a policy when it resides within the scope of the policy assignment, is not excluded or exempt from the policy assignment, and meets the conditions specified in the `if` block of the policy rule.

+## Assignment

+A JSON-defined object that determines the resources to which a policy definition is applied. Learn more about the policy assignment JSON structure here: [Azure Policy assignment structure](./concepts/assignment-structure.md).

+## Azure Policy

+A service that enables users to govern Azure resources by enforcing organizational standards and assessing compliance at scale.

+## Built-in

+Describes a type of policy definition that is available by default and generated by Azure Resource Providers. It is the alternative to a custom policy definition. View the list of available [built-in policy definitions](./samples/built-in-policies.md).

+## Category

+Metadata property in the policy definition that classifies the definition based on its area of focus. The category often indicates the resource provider of the target resource (For example: Compute, Storage, Monitoring).

+## Compliance state

+Describes a resource's adherence to applicable policies. Can be compliant, non-compliant, exempt, conflict, not started, or protected. Learn more about [how compliance works](./how-to/get-compliance-data.md).

+## Compliant

+A compliance state which indicates that a resource conformed to the policy rule in the policy definition.

+## Control

+Another term used for _group_, specifically in the context of regulatory compliance.

+## Custom

+Describes a type of policy definition that is authored by a policy user. It is the alternative to a built-in policy definition.

+## Definition

+A JSON-defined object that describes a policy, including resource compliance requirements and the effect to take if they are violated. Learn more about the policy definition JSON structure here: [Azure Policy definition structure](./concepts/definition-structure.md).

+## Definition location

+The scope to which an initiative definition or policy definition can be assigned. It can be either a management group or a subscription, and assignments can be made at or below that scope in the hierarchy.

+## Effect

+The action taken on a resource when the conditions of an applicable policy's rule are met. Learn more about [effects](./concepts/effects.md).

+## Enforcement

+Describes the preventative behavior that certain types of policy effects can have.

+## Enforcement mode

+A property of a policy assignment that allows users to enable or disable enforcement of certain policy effects like deny, while still evaluating for compliance and providing logs.

+## Evaluation

+Describes the process of scanning resources in the cloud environment to determine applicability and compliance of assigned policies.

+## Event

+An incident or outcome when something changes in Azure Policy, available for integration with Event Grid. Example events include instances in which a policy state is created, changed, or deleted. See [available event types for Azure Policy](../../event-grid/event-schema-policy.md).

+## Exclusion

+Also referred to as _NotScopes_; A property in the policy assignment which eliminates child resource containers or child resources from the assignment so they are not considered for compliance evaluation. Excluded scopes do not appear on the Azure portal Compliance blade. Learn more about [excluded scopes](./concepts/assignment-structure.md#excluded-scopes).

+## Exempt

+A compliance state which indicates that a resource is covered by an exemption.

+## Exemption

+A JSON-defined object that eliminates a resource hierarchy or an individual resource from evaluation. Resources that are exempt count toward overall compliance, but are not evaluated. Learn more about the exemption JSON structure here: [Azure Policy exemption structure](./concepts/exemption-structure.md).

+## Group

+A sub-collection of policy definition IDs within an initiative definition.

+## Identity

+A system-assigned or user-assigned managed identity used for remediation in Azure Policy. Learn more about [managed identities](../../active-directory/managed-identities-azure-resources/overview.md).

+## Initiative

+Also known as a _policy set_. A type of policy definition consisting of a collection of policy definition IDs. Used to centralize multiple policy definitions with a common goal that can share parameters, identities and be managed in a single assignment.

+## JSON

+Abbreviation for JavaScript Object Notation (JSON). Used by Azure Policy to define policy objects.

+## Mode

+Property on the policy definition that determines which resource types are evaluated for a policy definition. It is configured depending on whether the policy is targeting an Azure Resource Manager (ARM) property defined in an ARM template or a Resource Provider (RP) property.

+## Non-compliant

+A compliance state which indicates that a resource did not conform to the policy rule in the policy definition.

+## Policy rule

+The component of a policy definition that describes resource compliance requirements through logic-based conditional statements, as well as the effect taken if those conditions are not met. It is composed of an `if` block and `then` block.

+## Policy state

+Describes the aggregated compliance state of a policy assignment

+## Regulatory Compliance

+Describes a specific type of initiative that allows grouping of policies into controls and categorization of policies into compliance domains based on responsibility (_Customer_, _Microsoft_, _Shared_). There are many sample Regulatory Compliance built-ins, and customers have the ability to create their own. Learn more about [Regulatory Compliance](./concepts/regulatory-compliance.md).

+> [!NOTE]

+> Regulatory Compliance is a Preview feature.

+## Remediation

+A JSON-defined object that, when triggered, corrects resources violating policies with **deployIfNotExists** or **modify** effects. Remediation is only

+automatic for resources during creation or update. Existing resources must be remediated by

+triggering a remediation task. Learn how to [remediate non-compliant resources](./how-to/remediate-resources.md).

+## Scope

+The extent or area to which a policy is relevant, as described by Azure Resource Manager (ARM). It determines the set of resources that an assignment applies to, and may be a subscription, management group, resource group, or resource. Learn more about [scope in Azure Policy](./concepts/scope.md).

+## Template info

+The component of a policy definition used to define the constraint template. Specific to [Azure Policy for Kubernetes clusters](./concepts/policy-for-kubernetes.md).

+## Next steps

+To get started with Azure Policy, see [What is Azure Policy?](./overview.md).

+- [Transparent gateway manifest (EdgeTransparentGatewayManifest.json)](https://raw.githubusercontent.com/Azure-Samples/iot-central-docs-samples/main/transparent-gateway-1-1/EdgeTransparentGatewayManifest.json) - this file is the IoT Edge deployment manifest for the gateway device.

+- [Transparent gateway manifest (EdgeTransparentGatewayManifest.json)](https://raw.githubusercontent.com/Azure-Samples/iot-central-docs-samples/main/transparent-gateway-1-2/EdgeTransparentGatewayManifest.json) - this file is the IoT Edge deployment manifest for the gateway device.

+ wget https://raw.githubusercontent.com/Azure-Samples/iot-central-docs-samples/main/transparent-gateway-1-1/provision_device.py

+ wget https://raw.githubusercontent.com/Azure-Samples/iot-central-docs-samples/main/transparent-gateway-1-1/simple_thermostat.py

+To follow the steps in this article, download the [EnvironmentalSensorManifest.json](https://raw.githubusercontent.com/Azure-Samples/iot-central-docs-samples/main/iotedge/EnvironmentalSensorManifest.json) file to your computer.

+1. Choose to import from a URL and enter the following address: [https://github.com/Azure-Samples/iot-central-docs-samples/blob/main/databricks/IoT%20Central%20Analysis.dbc?raw=true](https://github.com/Azure-Samples/iot-central-docs-samples/blob/main/databricks/IoT%20Central%20Analysis.dbc?raw=true)

+To register a large number of devices to your application, you can bulk import devices from a CSV file. You can find an example CSV file in the [Azure Samples repository](https://github.com/Azure-Samples/iot-central-docs-samples/tree/main/bulk-upload-devices). The CSV file should include the following column headers:

+1. Download the Power BI desktop [IoT Central ADX Connector.pbit](https://github.com/Azure-Samples/iot-central-docs-samples/raw/main/azure-data-explorer-power-bi/IoT%20Central%20ADX%20Connector.pbit) file from GitHub.

+Rather than use a predefined theme, you can create a custom theme. If you want to use a set of sample images to customize the application and complete the tutorial, download the [Contoso sample images](https://github.com/Azure-Samples/iot-central-docs-samples/tree/main/retail).

+The Azure IoT Hub Device Provisioning Service supports two types of enrollments for provisioning devices:

+* [Enrollment groups](concepts-service.md#enrollment-group): Used to enroll multiple related devices. This tutorial demonstrates provisioning with enrollment groups.

+The Azure IoT Hub Device Provisioning Service supports three forms of authentication for provisioning devices:

+* [X.509 certificates](concepts-x509-attestation.md). This tutorial demonstrates X.509 certificate attestation.

+* [Trusted platform module (TPM)](concepts-tpm-attestation.md)

+* [Symmetric keys](./concepts-symmetric-key-attestation.md)

+This tutorial uses the [custom HSM sample](https://github.com/Azure/azure-iot-sdk-c/tree/master/provisioning_client/samples/custom_hsm_example), which provides a stub implementation for interfacing with hardware-based secure storage. A [Hardware Security Module (HSM)](./concepts-service.md#hardware-security-module) is used for secure, hardware-based storage of device secrets. An HSM can be used with symmetric key, X.509 certificate, or TPM attestation to provide secure storage for secrets. Hardware-based storage of device secrets isn't required, but it is strongly recommended to help protect sensitive information like your device certificate's private key.

+In this tutorial, you'll complete the following objectives:

+> * Create a new group enrollment that uses the certificate chain.

+> * Set up the development environment for provisioning a device using code from the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c).

+In this section, you'll prepare a development environment used to build the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c). The SDK includes sample code and tools used by devices provisioning with DPS.

+In this section, you'll generate an X.509 certificate chain of three certificates for testing each device with this tutorial. The certificates have the following hierarchy.

+[Root certificate](concepts-x509-attestation.md#root-certificate): You'll complete [proof of possession](how-to-verify-certificates.md) to verify the root certificate. This verification enables DPS to trust that certificate and verify certificates signed by it.

+[Intermediate certificate](concepts-x509-attestation.md#intermediate-certificate): It's common to use intermediate certificates to group devices logically by product lines, company divisions, or other criteria. This tutorial uses a certificate chain with one intermediate certificate, but in a production scenario you may have several. The intermediate certificate in this chain is signed by the root certificate. This certificate is provided to the enrollment group created in DPS to logically group a set of devices. This configuration allows managing a whole group of devices that have device certificates signed by the same intermediate certificate.

+[Device certificates](concepts-x509-attestation.md#end-entity-leaf-certificate): The device certificates (sometimes called leaf certificates) will be signed by the intermediate certificate and stored on the device along with its private key. Ideally these sensitive items would be stored securely with an HSM. Each device presents its certificate and private key, along with the certificate chain, when attempting provisioning.

+1. In your Git Bash command prompt, navigate to a folder where you want to generate the X.509 certificates and keys for this tutorial.

+In this section, you create two device certificates and their full chain certificates. The full chain certificate contains the device certificate, the intermediate CA certificate, and the root CA certificate. The device must present its full chain certificate when it registers with DPS.

+1. Create the first device private key.

+ The subject common name (CN) of the device certificate must be set to the [registration ID](./concepts-service.md#registration-id) that your device will use to register with DPS. The registration ID is a case-insensitive string of alphanumeric characters plus the special characters: `'-'`, `'.'`, `'_'`, `':'`. The last character must be alphanumeric or dash (`'-'`). The common name must adhere to this format. DPS supports registration IDs up to 128 characters long; however, the maximum length of the subject common name in an X.509 certificate is 64 characters. The registration ID, therefore, is limited to 64 characters when using X.509 certificates. For group enrollments, the registration ID is also used as the device ID in IoT Hub.

+ The subject common name is set using the `-subj` parameter. In the following command, the common name is set to **device-01**.

+1. The device must present the full certificate chain when it authenticates with DPS. Use the following command to create the certificate chain:

+1. Open the certificate chain file, *./certs/device-01-full-chain.cert.pem*, in a text editor to examine it. The certificate chain text contains the full chain of all three certificates. You'll use this text as the certificate chain with in the custom HSM device code later in this tutorial for `device-01`.

+1. To create the private key, X.509 certificate, and full chain certificate for the second device, copy and paste this script into your GitBash command prompt. To create certificates for more devices, you can modify the `registration_id` variable declared at the beginning of the script.

+For DPS to be able to validate the device's certificate chain during authentication, you must upload and verify ownership of the root CA certificate. Because you created the root CA certificate in the last section, you'll auto-verify that it's valid when you upload it. Alternatively, you can do manual verification of the certificate if you're using a CA certificate from a 3rd-party. To learn more about verifying CA certificates, see [How to do proof-of-possession for X.509 CA certificates](how-to-verify-certificates.md).

+To add the root CA certificate to your DPS instance, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com), select the **All resources** button on the left-hand menu and open your Device Provisioning Service instance.

+1. Select the box next to **Set certificate status to verified on upload**.

+ :::image type="content" source="./media/tutorial-custom-hsm-enrollment-group-x509/add-root-certificate.png" alt-text="Screenshot that shows adding the root C A certificate and the set certificate status to verified on upload box selected.":::

+ Root CA certificate:

+ Intermediate CA certificate:

+2. Right-click the Windows **Start** button. Then select **Run**. Enter *certmgr.msc* and select **Ok** to start certificate manager MMC snap-in.

+3. In certificate manager, under **Certificates - Current User**, select **Trusted Root Certification Authorities**. Then on the menu, select **Action** > **All Tasks** > **Import** to import `root.pfx`.

+4. In certificate manager, under **Certificates - Current User**, select **Intermediate Certification Authorities**. Then on the menu, select **Action** > **All Tasks** > **Import** to import `intermediate.pfx`.

+1. From your DPS instance in Azure portal, select the **Manage enrollments** tab. then select the **Add enrollment group** button at the top.

+ | **Primary certificate .pem or .cer file** | Navigate to the intermediate certificate that you created earlier (*./certs/azure-iot-test-only.intermediate.cert.pem*). This intermediate certificate is signed by the root certificate that you already uploaded and verified. DPS trusts that root once it's verified. DPS can verify that the intermediate provided with this enrollment group is truly signed by the trusted root. DPS will trust each intermediate truly signed by that root certificate, and therefore be able to verify and trust leaf certificates signed by the intermediate. |

+ :::image type="content" source="./media/tutorial-custom-hsm-enrollment-group-x509/custom-hsm-enrollment-group-x509.png" alt-text="Screenshot that shows adding an enrollment group in the portal.":::

+1. In the Azure portal, select the **Overview** tab for your Device Provisioning Service instance and note the **ID Scope** value.

+4. Find the `id_scope` constant, and replace the value with your **ID Scope** value that you copied earlier. For example:

+5. Find the definition for the `main()` function in the same file. Make sure the `hsm_type` variable is set to `SECURE_DEVICE_TYPE_X509` and that all other `hsm_type` lines are commented out. For example:

+While HSM hardware isn't required, it is recommended to protect sensitive information like the certificate's private key. If an actual HSM was being called by the sample, the private key wouldn't be present in the source code. Having the key in the source code exposes the key to anyone that can view the code. This is only done in this article to assist with learning.

+ Updating this string value manually can be prone to error. To generate the proper syntax, you can copy and paste the following command into your **Git Bash prompt**, and press **ENTER**. This command generates the syntax for the `CERTIFICATE` string constant value and writes it to the output.

+ Updating this string value manually can be prone to error. To generate the proper syntax, you can copy and paste the following command into your **Git Bash prompt**, and press **ENTER**. This command generates the syntax for the `PRIVATE_KEY` string constant value and writes it to the output.

+6. Right-click the **custom_hsm_example** project and select **Build**.

+ The following output is an example of simulated device `device-01` successfully booting up and connecting to the provisioning service. The device was assigned to an IoT hub and registered:

+1. In the Azure portal, go to your Device Provisioning Service instance.

+1. From the left-hand menu in the Azure portal, select **All resources** and then select your Device Provisioning Service instance. Open **Manage Enrollments** for your service, and then select the **Enrollment Groups** tab. Select the check box next to the *Group Name* of the device group you created in this tutorial, and select **Delete** at the top of the pane.

+1. Select **Certificates** in DPS. For each certificate you uploaded and verified in this tutorial, select the certificate and select **Delete** to remove it.

+1. From the left-hand menu in the Azure portal, select **All resources** and then select your IoT hub. Open **IoT devices** for your hub. Select the check box next to the *DEVICE ID* of the device that you registered in this tutorial. Select **Delete** at the top of the pane.

+In this tutorial, you provisioned an X.509 device using a custom HSM to your IoT hub. To learn how to provision IoT devices to multiple hubs continue to the next tutorial.

+

+6. Verify that your proxy settings are propagated using `docker inspect edgeAgent` in the `Env` section. If not, the container must be recreated.

+ ```bash

+ sudo docker rm -f edgeAgent

+ ```

+

+7. The IoT Edge runtime should recreate `edgeAgent` within a minute. Once `edgeAgent` container is running again, `docker inspect edgeAgent` and verify the proxy settings matches the configuration file.

+Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, you may review the [Overview](../general/overview.md).

+Follow this guide to learn how to use the [azcertificates](https://aka.ms/azsdk/go/keyvault-certificates/docs) package to manage your Azure Key Vault certificates using Go.

+- **Go installed**: Version 1.18 or [above](https://go.dev/dl/)

+ az keyvault create --name <keyVaultName> --resource-group myResourceGroup

+ "log"

+ log.Fatal("KEY_VAULT_NAME environment variable not set")

+ log.Fatal(err)

+ return azcertificates.NewClient(keyVaultUrl, cred, nil)

+ params := azcertificates.CreateCertificateParameters{

+ CertificatePolicy: &azcertificates.CertificatePolicy{

+ IssuerParameters: &azcertificates.IssuerParameters{

+ Name: to.Ptr("Self"),

+ },

+ X509CertificateProperties: &azcertificates.X509CertificateProperties{

+ Subject: to.Ptr("CN=DefaultPolicy"),

+ },

+ resp, err := client.CreateCertificate(context.TODO(), "myCertName", params, nil)

+ log.Fatal(err)

+ fmt.Printf("Requested a new certificate. Operation status: %s\n", *resp.Status)

+ // an empty string version gets the latest version of the certificate

+ version := ""

+ getResp, err := client.GetCertificate(context.TODO(), "myCertName", version, nil)

+ log.Fatal(err)

+ fmt.Println("Enabled set to:", *getResp.Attributes.Enabled)

+ pager := client.NewListCertificatesPager(nil)

+ for pager.More() {

+ page, err := pager.NextPage(context.Background())

+ if err != nil {

+ log.Fatal(err)

+ }

+ for _, cert := range page.Value {

+ params := azcertificates.UpdateCertificateParameters{

+ CertificateAttributes: &azcertificates.CertificateAttributes{

+ Enabled: to.Ptr(false),

+ Expires: to.Ptr(time.Now().Add(72 * time.Hour)),

+ Tags: map[string]*string{"Owner": to.Ptr("SRE")},

+ }

+ // an empty string version updates the latest version of the certificate

+ version := ""

+ _, err := client.UpdateCertificate(context.TODO(), "myCertName", version, params, nil)

+ log.Fatal(err)

+ // DeleteCertificate returns when Key Vault has begun deleting the certificate. That can take several

+ // seconds to complete, so it may be necessary to wait before performing other operations on the

+ // deleted certificate.

+ resp, err := client.DeleteCertificate(context.TODO(), "myCertName", nil)

+ log.Fatal(err)

+ fmt.Println("Deleted certificate with ID: ", *resp.ID)

+See the [module documentation](https://aka.ms/azsdk/go/keyvault-certificates/docs) for more examples.

+Azure Key Vault is a cloud service that works as a secure secrets store. You can securely store keys, passwords, certificates, and other secrets. For more information on Key Vault, you may review the [Overview](../general/overview.md).

+Follow this guide to learn how to use the [azkeys](https://aka.ms/azsdk/go/keyvault-keys/docs) package to manage your Azure Key Vault keys using Go.

+- **Go installed**: Version 1.18 or [above](https://go.dev/dl/)

+ client := azkeys.NewClient(keyVaultUrl, cred, nil)

+ rsaKeyParams := azkeys.CreateKeyParameters{

+ Kty: to.Ptr(azkeys.JSONWebKeyTypeRSA),

+ KeySize: to.Ptr(int32(2048)),

+ }

+ rsaResp, err := client.CreateKey(context.TODO(), "new-rsa-key", rsaKeyParams, nil)

+ fmt.Printf("New RSA key ID: %s\n", *rsaResp.Key.KID)

+ ecKeyParams := azkeys.CreateKeyParameters{

+ Kty: to.Ptr(azkeys.JSONWebKeyTypeEC),

+ Curve: to.Ptr(azkeys.JSONWebKeyCurveNameP256),

+ }

+ ecResp, err := client.CreateKey(context.TODO(), "new-ec-key", ecKeyParams, nil)

+ fmt.Printf("New EC key ID: %s\n", *ecResp.Key.KID)

+ pager := client.NewListKeysPager(nil)

+ for pager.More() {

+ page, err := pager.NextPage(context.TODO())

+ if err != nil {

+ log.Fatal(err)

+ }

+ for _, key := range page.Value {

+ // update key properties to disable key

+ updateParams := azkeys.UpdateKeyParameters{

+ Enabled: to.Ptr(false),

+ // an empty string version updates the latest version of the key

+ version := ""

+ updateResp, err := client.UpdateKey(context.TODO(), "new-rsa-key", version, updateParams, nil)

+ fmt.Printf("Key %s Enabled attribute set to: %t\n", *updateResp.Key.KID, *updateResp.Attributes.Enabled)

+ // delete the created keys

+ for _, keyName := range []string{"new-rsa-key", "new-ec-key"} {

+ // DeleteKey returns when Key Vault has begun deleting the key. That can take several

+ // seconds to complete, so it may be necessary to wait before performing other operations

+ // on the deleted key.

+ delResp, err := client.DeleteKey(context.TODO(), keyName, nil)

+ if err != nil {

+ panic(err)

+ }

+ fmt.Printf("Successfully deleted key %s", *delResp.Key.KID)

+> The output is for informational purposes only. Your return values may vary based on your Azure subscription and Azure Key Vault.

+See the [module documentation](https://aka.ms/azsdk/go/keyvault-keys/docs) for more examples.

+description: Learn how to create, retrieve, and delete secrets from an Azure key vault by using the Go client library.

+You can store a variety of [object types](../general/about-keys-secrets-certificates.md#object-types) in an Azure key vault. When you store secrets in a key vault, you avoid having to store them in your code, which helps improve the security of your applications.

+Get started with the [azsecrets](https://aka.ms/azsdk/go/keyvault-secrets/docs) package and learn how to manage your secrets in an Azure key vault by using Go.

+- [Go version 1.18 or later](https://go.dev/dl/), installed.

+ // Create a credential using the NewDefaultAzureCredential type.

+ // Establish a connection to the Key Vault client

+ client := azsecrets.NewClient(vaultURI, cred, nil)

+ // Create a secret

+ params := azsecrets.SetSecretParameters{Value: &mySecretValue}

+ _, err = client.SetSecret(context.TODO(), mySecretName, params, nil)

+ // Get a secret. An empty string version gets the latest version of the secret.

+ version := ""

+ resp, err := client.GetSecret(context.TODO(), mySecretName, version, nil)

+ // List secrets

+ pager := client.NewListSecretsPager(nil)

+ for pager.More() {

+ page, err := pager.NextPage(context.TODO())

+ if err != nil {

+ log.Fatal(err)

+ }

+ for _, secret := range page.Value {

+ // Delete a secret. DeleteSecret returns when Key Vault has begun deleting the secret.

+ // That can take several seconds to complete, so it may be necessary to wait before

+ // performing other operations on the deleted secret.

+ delResp, err := client.DeleteSecret(context.TODO(), mySecretName, nil)

+ fmt.Println(delResp.ID.Name() + " has been deleted")

+## Code examples

+See the [module documentation](https://aka.ms/azsdk/go/keyvault-secrets/docs) for more examples.

+ Title: Azure Lab Services quickstart - Create a lab plan using Python

+description: In this quickstart, you learn how to create an Azure Lab Services lab plan using Python and the Azure Python SDK.

+# Quickstart: Create a lab plan using Python and the Azure libraries (SDK) for Python

+In this article you, as the admin, use Python and the Azure Python SDK to create a lab plan. Lab plans are used when creating labs for Azure Lab Services. You'll also add a role assignment so an educator can create labs based on the lab plan. For an overview of Azure Lab Services, see [An introduction to Azure Lab Services](lab-services-overview.md).

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free).

+- [Setup Local Python dev environment for Azure](/azure/developer/python/configure-local-development-environment).

+- [The requirements.txt can be downloaded from the Azure Python samples](https://github.com/RogerBestMsft/azure-samples-python-management/blob/rbest_ALSSample/samples/labservices/requirements.txt)

+## Create a lab plan

+The following steps will show you how to create a lab plan. Any properties set in the lab plan will be used in labs created with this plan.

+```python

+# --

+# Copyright (c) Microsoft Corporation. All rights reserved.

+# Licensed under the MIT License. See License.txt in the project root for

+# license information.

+# --

+import os

+import time

+from datetime import timedelta

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.labservices import LabServicesClient

+from azure.mgmt.resource import ResourceManagementClient

+def main():

+ SUBSCRIPTION_ID = "<Subscription ID>"

+ TIME = str(time.time()).replace('.','')

+ GROUP_NAME = "BellowsCollege_rg"

+ LABPLAN = "BellowsCollege_labplan"

+ LAB = "BellowsCollege_lab"

+ LOCATION = 'southcentralus'

+ # Create clients

+ # # For other authentication approaches, please see: https://pypi.org/project/azure-identity/

+ resource_client = ResourceManagementClient(

+ credential=DefaultAzureCredential(),

+ subscription_id=SUBSCRIPTION_ID

+ )

+

+ labservices_client = LabServicesClient(

+ credential=DefaultAzureCredential(),

+ subscription_id=SUBSCRIPTION_ID

+ )

+ # Create resource group

+ resource_client.resource_groups.create_or_update(

+ GROUP_NAME,

+ {"location": LOCATION}

+ )

+ # Create lab services lab plan

+ LABPLANBODY = {

+ "location" : LOCATION,

+ "properties" : {

+ "defaultConnectionProfile" : {

+ "webSshAccess" : "None",

+ "webRdpAccess" : "None",

+ "clientSshAccess" : "None",

+ "clientRdpAccess" : "Public"

+ },

+ "defaultAutoShutdownProfile" : {

+ "shutdownOnDisconnect" : "Disabled",

+ "shutdownWhenNotConnected" : "Disabled",

+ "shutdownOnIdle" : "None"

+ },

+ "allowedRegions" : [LOCATION],

+ "supportInfo" : {

+ "email" : "user@bellowscollege.com",

+ "phone" : "123-123-1234",

+ "instructions" : "Bellows College support."

+ }

+ }

+ }

+ #Create Lab Plan

+ poller = labservices_client.lab_plans.begin_create_or_update(

+ GROUP_NAME,

+ LABPLAN,

+ LABPLANBODY

+ )

+ # Poll for long running execution.

+ labplan_result = poller.result()

+ print(f"Created Lab Plan: {labplan_result.name}")

+ # Get LabServices Lab Plans by resource group

+ labservices_client.lab_plans.list_by_resource_group(

+ GROUP_NAME

+ )

+ #Get single LabServices Lab Plan

+ labservices_labplan = labservices_client.lab_plans.get(GROUP_NAME, LABPLAN)

+if __name__ == "__main__":

+ main()

+```

+## Clean up resources

+If you're not going to continue to use this application, delete the lab with the following steps:

+```python

+# --

+# Copyright (c) Microsoft Corporation. All rights reserved.

+# Licensed under the MIT License. See License.txt in the project root for

+# license information.

+# --

+from datetime import timedelta

+import time

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.labservices import LabServicesClient

+from azure.mgmt.resource import ResourceManagementClient

+# - other dependence -

+# - end -

+#

+def main():

+ SUBSCRIPTION_ID = "<Subscription ID>"

+ TIME = str(time.time()).replace('.','')

+ GROUP_NAME = "BellowsCollege_rg" + TIME

+ LABPLAN = "BellowsCollege_labplan" + TIME

+ LAB = "BellowsCollege_lab" + TIME

+ LOCATION = 'southcentralus'

+ # Create clients

+ # # For other authentication approaches, please see: https://pypi.org/project/azure-identity/

+ resource_client = ResourceManagementClient(

+ credential=DefaultAzureCredential(),

+ subscription_id=SUBSCRIPTION_ID

+ )

+

+ labservices_client = LabServicesClient(

+ credential=DefaultAzureCredential(),

+ subscription_id=SUBSCRIPTION_ID

+ )

+ # Delete Lab

+ labservices_client.labs.begin_delete(

+ GROUP_NAME,

+ LAB

+ ).result()

+ print("Deleted lab.\n")

+ # Delete Group

+ resource_client.resource_groups.begin_delete(

+ GROUP_NAME

+ ).result()

+if __name__ == "__main__":

+ main()

+```

+## Next steps

+In this QuickStart, you created a resource group and a lab plan. As an admin, you can learn more about [Azure PowerShell module](/powershell/azure) and [Az.LabServices cmdlets](/powershell/module/az.labservices/).

+> [!div class="nextstepaction"]

+> [Quickstart: Create a lab using Python and the Azure Python SDK](quick-create-lab-python.md)

+ Title: Azure Lab Services quickstart - Create a lab using Python

+description: In this quickstart, you learn how to create an Azure Lab Services lab using Python and the Azure Python libraries (SDK).

+# Quickstart: Create a lab using Python and the Azure Python libraries (SDK)

+In this quickstart, you, as the educator, create a lab using Python and the Azure Python libraries (SDK). The lab will use the settings from a previously created lab plan. For detailed overview of Azure Lab Services, see [An introduction to Azure Lab Services](lab-services-overview.md).

+## Prerequisites

+- Azure subscription. If you donΓÇÖt have one, [create a free account](https://azure.microsoft.com/free/) before you begin.

+- [Setup Local Python dev environment for Azure](/azure/developer/python/configure-local-development-environment).

+- [The requirements.txt can be downloaded from the Azure Python samples](https://github.com/RogerBestMsft/azure-samples-python-management/blob/rbest_ALSSample/samples/labservices/requirements.txt)

+- Lab plan. To create a lab plan, see [Quickstart: Create a lab plan using Python and the Azure Python libraries (SDK)](quick-create-lab-plan-python.md).

+## Create a lab

+Before we can create a lab, we need the lab plan object. In the [previous quickstart](quick-create-lab-plan-python.md), we created a lab plan named `BellowsCollege_labplan` in a resource group named `BellowsCollege_rg`.

+```python

+# --

+# Copyright (c) Microsoft Corporation. All rights reserved.

+# Licensed under the MIT License. See License.txt in the project root for

+# license information.

+# --

+from datetime import timedelta

+import time

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.labservices import LabServicesClient

+from azure.mgmt.resource import ResourceManagementClient

+def main():

+ SUBSCRIPTION_ID = "<Subscription ID>"

+ TIME = str(time.time()).replace('.','')

+ GROUP_NAME = "BellowsCollege_rg"

+ LABPLAN = "BellowsCollege_labplan"

+ LAB = "BellowsCollege_lab"

+ LOCATION = 'southcentralus'

+ # Create clients

+ # # For other authentication approaches, please see: https://pypi.org/project/azure-identity/

+ resource_client = ResourceManagementClient(

+ credential=DefaultAzureCredential(),

+ subscription_id=SUBSCRIPTION_ID

+ )

+

+ labservices_client = LabServicesClient(

+ credential=DefaultAzureCredential(),

+ subscription_id=SUBSCRIPTION_ID

+ )

+ #Get single LabServices Lab Plan

+ labservices_labplan = labservices_client.lab_plans.get(GROUP_NAME, LABPLAN)

+ print("Get lab plans")

+ print(labservices_labplan)

+ #Get image information

+ LABIMAGES = labservices_client.images.list_by_lab_plan(GROUP_NAME,LABPLAN)

+ image = (list(filter(lambda x: (x.name == "microsoftwindowsdesktop.windows-11.win11-21h2-pro"), LABIMAGES)))

+

+ #Get lab quota

+ USAGEQUOTA = timedelta(hours=10)

+ # Password

+ CUSTOMPASSWORD = "<custom password>"

+ # Create LabServices Lab

+ LABBODY = {

+ "name": LAB,

+ "location" : LOCATION,

+ "properties" : {

+ "networkProfile": {},

+ "connectionProfile" : {

+ "webSshAccess" : "None",

+ "webRdpAccess" : "None",

+ "clientSshAccess" : "None",

+ "clientRdpAccess" : "Public"

+ },

+ "AutoShutdownProfile" : {

+ "shutdownOnDisconnect" : "Disabled",

+ "shutdownWhenNotConnected" : "Disabled",

+ "shutdownOnIdle" : "None"

+ },

+ "virtualMachineProfile" : {

+ "createOption" : "TemplateVM",

+ "imageReference" : {

+ "offer": image[0].offer,

+ "publisher": image[0].publisher,

+ "sku": image[0].sku,

+ "version": image[0].version

+ },

+ "sku" : {

+ "name" : "Classic_Fsv2_2_4GB_128_S_SSD",

+ "capacity" : 2

+ },

+ "additionalCapabilities" : {

+ "installGpuDrivers" : "Disabled"

+ },

+ "usageQuota" : USAGEQUOTA,

+ "UseSharedPassword" : "Enabled",

+ "adminUser" : {

+ "username" : "testuser",

+ "password" : CUSTOMPASSWORD

+ }

+ },

+ "securityProfile" : {

+ "openAccess" : "Disabled"

+ },

+ "rosterProfile" : {},

+ "labPlanId" : labservices_labplan.id,

+ "title" : "lab-python",

+ "description" : "lab 99 description updated"

+ }

+ }

+ poller = labservices_client.labs.begin_create_or_update(

+ GROUP_NAME,

+ LAB,

+ LABBODY

+ )

+ lab_result = poller.result()

+ print(f"Created Lab {lab_result.name}")

+ # Get LabServices Labs

+ labservices_lab = labservices_client.labs.get(GROUP_NAME,LAB)

+ print("Get lab:\n{}".format(labservices_lab))

+

+if __name__ == "__main__":

+ main()

+```

+## Clean up resources

+If you're not going to continue to use this application, delete

+the group and lab with the following steps:

+```python

+# --

+# Copyright (c) Microsoft Corporation. All rights reserved.

+# Licensed under the MIT License. See License.txt in the project root for

+# license information.

+# --

+from datetime import timedelta

+import time

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.labservices import LabServicesClient

+from azure.mgmt.resource import ResourceManagementClient

+# - other dependence -

+# - end -

+#

+def main():

+ SUBSCRIPTION_ID = "<Subscription ID>"

+ TIME = str(time.time()).replace('.','')

+ GROUP_NAME = "BellowsCollege_rg"

+ LABPLAN = "BellowsCollege_labplan"

+ LAB = "BellowsCollege_lab"

+ LOCATION = 'southcentralus'

+ # Create clients

+ # # For other authentication approaches, please see: https://pypi.org/project/azure-identity/

+ resource_client = ResourceManagementClient(

+ credential=DefaultAzureCredential(),

+ subscription_id=SUBSCRIPTION_ID

+ )

+

+ labservices_client = LabServicesClient(

+ credential=DefaultAzureCredential(),

+ subscription_id=SUBSCRIPTION_ID

+ )

+ # Delete Lab

+ labservices_client.labs.begin_delete(

+ GROUP_NAME,

+ LAB

+ ).result()

+ print("Deleted lab.\n")

+ # Delete Group

+ resource_client.resource_groups.begin_delete(

+ GROUP_NAME

+ ).result()

+if __name__ == "__main__":

+ main()

+```

+## Next steps

+As an admin, you can learn more about [Azure PowerShell module](/powershell/azure) and [Az.LabServices cmdlets](/powershell/module/az.labservices/).

+This section discusses the syntax of Azure Load Testing pass/fail criteria. When a criterion evaluates to `true`, the load test gets the *failed* status.

+The structure of a pass/fail criterion is: `Request: Aggregate_function (client_metric) condition threshold`.

+The following table describes the different components:

+|`Request` | *Optional.* Name of the sampler in the JMeter script to which the criterion applies. If you don't specify a request name, the criterion applies to the aggregate of all the requests in the script. |

+|`Threshold` | *Required.* The numeric value to compare with the client metric. |

+Azure Load Testing supports the following metrics:

+|`response_time_ms` | `avg` (average)<BR> `min` (minimum)<BR> `max` (maximum)<BR> `pxx` (percentile), xx can be 50, 90, 95, 99 | Integer value, representing number of milliseconds (ms). | `>` (greater than)<BR> `<` (less than) |

+|`latency_ms` | `avg` (average)<BR> `min` (minimum)<BR> `max` (maximum)<BR> `pxx` (percentile), xx can be 50, 90, 95, 99 | Integer value, representing number of milliseconds (ms). | `>` (greater than)<BR> `<` (less than) |

+|`error` | `percentage` | Numerical value in the range 0-100, representing a percentage. | `>` (greater than) <BR> `<` (less than) |

+|`requests_per_sec` | `avg` (average) | Numerical value with up to two decimal places. | `>` (greater than) <BR> `<` (less than) |

+|`requests` | `count` | Integer value. | `>` (greater than) <BR> `<` (less than) |

+ - GetCustomerDetails: avg(latency_ms) >200

+| `failureCriteria` | object | | Criteria that indicate when a test should fail. The structure of a pass/fail criterion is: `Request: Aggregate_function (client_metric) condition threshold`. For more information on the supported values, see [Load test pass/fail criteria](./how-to-define-test-criteria.md#load-test-passfail-criteria). |

+ - GetCustomerDetails: avg(latency_ms) >200

+| Managed connector | - Azure Automation <br>- Azure Blob Storage <br>- Azure Event Grid <br>- Azure Event Hubs <br>- Azure Key Vault <br>- Azure Resource Manager <br>- Azure Service Bus <br>- HTTP with Azure AD <br>- SQL Server |

+| Managed connector | - Azure Automation <br>- Azure Blob Storage <br>- Azure Event Grid <br>- Azure Event Hubs <br>- Azure Key Vault <br>- Azure Resource Manager <br>- Azure Service Bus <br>- HTTP with Azure AD <br>- SQL Server |

+All MLflow models contain a `predict` function. **This function is the one that is called when a model is deployed using a no-code-deployment experience**. What the `predict` function returns (classes, probabilities, a forecast, etc.) depend on the framework (i.e. flavor) used for training. Read the documentation of each flavor to know what they return.

+## Loading MLflow models back

+Models created as MLflow models can be loaded back directly from the run where they were logged, from the file system where they are saved or from the model registry where they are registered. MLflow provides a consistent way to load those models regardless of the location.

+There are two workflows available for loading models:

+* **Loading back the same object and types that were logged:**: You can load models using MLflow SDK and obtain an instance of the model with types belonging to the training library. For instance, an ONNX model will return a `ModelProto` while a decision tree trained with Scikit-Learn model will return a `DecisionTreeClassifier` object. Use `mlflow.<flavor>.load_model()` to do so.

+* **Loading back a model for running inference:** You can load models using MLflow SDK and obtain a wrapper where MLflow warranties there will be a `predict` function. It doesn't matter which flavor you are using, every MLflow model needs to implement this contract. Furthermore, MLflow warranties that this function can be called using arguments of type `pandas.DataFrame`, `numpy.ndarray` or `dict[strin, numpyndarray]` (depending on the signature of the model). MLflow handles the type conversion to the input type the model actually expects. Use `mlflow.pyfunc.load_model()` to do so.

+mlflow.autolog()

+model = XGBClassifier(use_label_encoder=False, eval_metric="logloss")

+model.fit(X_train, y_train, eval_set=[(X_test, y_test)], verbose=False)

+y_pred = model.predict(X_test)

+accuracy = accuracy_score(y_test, y_pred)

+mlflow.autolog(log_models=False)

+model = XGBClassifier(use_label_encoder=False, eval_metric="logloss")

+model.fit(X_train, y_train, eval_set=[(X_test, y_test)], verbose=False)

+y_pred = model.predict(X_test)

+accuracy = accuracy_score(y_test, y_pred)

+# Signature

+signature = infer_signature(X_test, y_test)

+# Conda environment

+custom_env =_mlflow_conda_env(

+ additional_conda_deps=None,

+ additional_pip_deps=["xgboost==1.5.2"],

+ additional_conda_channels=None,

+)

+# Sample

+input_example = X_train.sample(n=1)

+# Log the model manually

+mlflow.xgboost.log_model(model,

+ artifact_path="classifier",

+ conda_env=custom_env,

+ signature=signature,

+ input_example=input_example)

+mlflow.xgboost.autolog(log_models=False)

+model = XGBClassifier(use_label_encoder=False, eval_metric="logloss")

+model.fit(X_train, y_train, eval_set=[(X_test, y_test)], verbose=False)

+y_probs = model.predict_proba(X_test)

+accuracy = accuracy_score(y_test, y_probs.argmax(axis=1))

+mlflow.log_metric("accuracy", accuracy)

+signature = infer_signature(X_test, y_probs)

+mlflow.pyfunc.log_model("classifier",

+ python_model=ModelWrapper(model),

+ signature=signature)

+mlflow.xgboost.autolog(log_models=False)

+encoder = OrdinalEncoder(handle_unknown='ignore')

+X_train['thal'] = enc.fit_transform(X_train['thal'])

+X_test['thal'] = enc.transform(X_test['thal'])

+model = XGBClassifier(use_label_encoder=False, eval_metric="logloss")

+model.fit(X_train, y_train, eval_set=[(X_test, y_test)], verbose=False)

+y_probs = model.predict_proba(X_test)

+accuracy = accuracy_score(y_test, y_probs.argmax(axis=1))

+mlflow.log_metric("accuracy", accuracy)

+encoder_path = 'encoder.pkl'

+joblib.dump(encoder, encoder_path)

+model_path = "xgb.model"

+model.save_model(model_path)

+signature = infer_signature(X, y_probs)

+mlflow.pyfunc.log_model("classifier",

+ python_model=ModelWrapper(),

+ artifacts={

+ 'encoder': encoder_path,

+ 'model': model_path

+ },

+ signature=signature)

+mlflow.xgboost.autolog(log_models=False)

+model = XGBClassifier(use_label_encoder=False, eval_metric="logloss")

+model.fit(X_train, y_train, eval_set=[(X_test, y_test)], verbose=False)

+y_probs = model.predict_proba(X_test)

+accuracy = accuracy_score(y_test, y_probs.argmax(axis=1))

+mlflow.log_metric("accuracy", accuracy)

+model_path = "xgb.model"

+model.save_model(model_path)

+signature = infer_signature(X_test, y_probs)

+mlflow.pyfunc.log_model("classifier",

+ data_path=model_path,

+ code_path=["loader_module.py"],

+ loader_module="loader_module",

+ signature=signature)

+## Querying model registries

+## Loading models from registry

+You can load models directly from the registry to restore the models objects that were logged. Use the functions `mlflow.<flavor>.load_model()` or `mlflow.pyfunc.load_model()` indicating the URI of the model you want to load using the following syntax:

+* `models:/<model-name>/latest`, to load the last version of the model.

+* `models:/<model-name>/<version-number>`, to load a specific version of the model.

+* `models:/<model-name>/<stage-name>`, to load a specific version in a given stage for a model. View [Model stages](#model-stages) for details.

+> [!TIP]

+> For learning about the difference between `mlflow.<flavor>.load_model()` and `mlflow.pyfunc.load_model()`, view [Loading MLflow models back](concept-mlflow-models.md#loading-mlflow-models-back) article.

+> [!TIP]

+> You can also load models from the registry using MLflow. View [loading MLflow models with MLflow](how-to-manage-models-mlflow.md#loading-models-from-registry) for details.

+ ml_client = MLClient.from_config(credential=DefaultAzureCredential())

+The `sweep_step` is the step for hyperparameter tuning. Its type needs to be `sweep`. And `trial` refers to the command component defined in `train.yaml`. From the `search space` field we can see three hyparmeters (`c_value`, `kernel`, and `coef`) are added to the search space. After you submit this pipeline job, Azure Machine Learning will run the trial component multiple times to sweep over hyperparameters based on the search space and terminate policy you defined in `sweep_step`. Check [sweep job YAML schema](reference-yaml-job-sweep.md) for full schema of sweep job.

+You can find all available Grafana data sources by going to your resource and selecting **Configuration** > **Data sources** from the left menu. Search for the data source you need from the available list and select **Add data source**.

+> [!NOTE]

+> Installing Grafana plugins listed on the page **Configuration** > **Plugins** isnΓÇÖt currently supported.

+For more information about data sources, go to [Data sources](https://grafana.com/docs/grafana/latest/datasources/) on the Grafana Labs website.

+1. Azure Monitor is listed as a built-in data source for your Managed Grafana instance. Select **Azure Monitor**.

+1. Check how frequently the dashboard is configured to refresh data.

+## General issues with data sources

+The user can't connect to a data source, or a data source cannot fetch data.

+### Solution: review network settings and IP address

+To troubleshoot this issue:

+1. Check the network setting of the data source server. There should be no firewall blocking Grafana from accessing it.

+1. Check that the data source isn't trying to connect to a private IP address. Azure Managed Grafana doesn't currently support connections to private networks.

+ Title: Align your business with our e-commerce platform and Azure Marketplace.

+description: Align your business with our e-commerce platform (Azure Marketplace).

+This article describes how the commercial marketplace user interface (UI) and programmatic application programming interfaces (APIs) combine to support your business processes.

+The following guide shows how to integrate different APIs to automate each activity. The links in the API column point to the specific interfaces that developers can use to integrate their customer relationship management (CRM) system with the commercial marketplace. The activity that you use depends on your business needs and sales processes.

+| <center>Activity | ISV sales activities | Corresponding marketplace API | Corresponding marketplace UI |

+| <center>**Product marketing**<br><img src="medi)</ul> | Product messaging, positioning, promotion, and pricing;<br>Partner Center: offer creation |

+| <center>**Demand generation**<br><img src="medi); <br>[co-sell Connector for Salesforce CRM](/partner-center/connector-salesforce); <br>[co-sell connector for Dynamics 365 CRM](/partner-center/connector-dynamics) | Product promotion,<br>lead nurturing,<br>evaluation, trial, and PoC;<br>Azure Marketplace and AppSource;<br>Partner Center Marketplace insights;<br>Partner Center co-sell opportunities |

+| <center>**Negotiation and quote creation**<br><img src="medi)<br>[Partner Center 7 API family](/partner-center/) | T&Cs,<br>pricing,<br>discount approvals,<br>final quote,<br>Partner Center: plans (public or private) |

+| <center>**Sale**<br><img src="medi),<br>[reporting APIs](https://partneranalytics-api.azureedge.net/partneranalytics-api/Programmatic%20Access%20to%20Commercial%20Marketplace%20Analytics%20Data_v1.pdf) | Contract signing,<br>revenue recognition,<br>invoicing,<br>billing,<br>Azure portal / admin center,<br>Partner Center Marketplace Rewards,<br>Partner Center payouts reports,<br>Partner Center marketplace analytics,<br>Partner Center co-sell closing |

+| <center>**Maintenance**<br><img src="medi), <br>[Enterprise Agreement (EA) Customer, Azure Consumption API](/rest/api/consumption/)<br>[(EA customer), Azure charges list API](/rest/api/consumption/charges/list) | Recurring billing,<br>overages,<br>product support,<br>Partner Center payouts reports,<br>Partner Center marketplace analytics |

+| <center>**Contract end**<br><img src="medi),<br>Azure Monitor agent/VMs: auto-renew | Renew or<br>terminate,<br>Partner Center marketplace analytics |

+- Visit the API links in the table, as needed.

+ Title: Ground station contact profile - Azure Orbital GSaaS

+description: Learn more about the contact profile object, including how to create, modify, and delete the profile.

+#Customer intent: As a satellite operator or user, I want to understand how to use the contact profile so that I can take passes using the GSaaS service.

+# Ground station contact profile

+The contact profile object stores pass requirements such as links and endpoint details for each link. Use this object with the spacecraft object at time of scheduling to view and schedule available passes.

+You can create many contact profiles to represent different types of passes depending on your mission operations. For example, you can create a contact profile for a command and control pass or a contact profile for a downlink only pass.

+These objects are mutable and don't undergo an authorization process like the spacecraft objects do. One contact profile can be used with many spacecraft objects.

+See [how to configure a contact profile](contact-profile.md) for the full list of parameters.

+## Prerequisites

+- Subnet that is created in the VNET and resource group you desire. See [Prepare network for Orbital GSaaS integration.](prepare-network.md)

+## Creating a contact profile

+Follow the steps in [how to create a contact profile.](contact-profile.md).

+## Adjusting pass parameters

+Specify a minimum pass time to ensure passes of a certain duration. Specify a minimum elevation to ensure passes above a certain elevation.

+The two parameters above are used by the service during the contact scheduling. Avoid changing these on a pass-by-pass basis and create multiple contact profiles if you need such flexibility.

+At the moment autotrack is disabled and autotracking options are not applied.

+## Understanding links and channels

+A whole band, unique in direction, and unique in polarity is called a link. Channels, which are children under links, specify center frequency, bandwidth, and endpoints. Typically there's only one channel per link but some applications require multiple channels per link. Refer to the Ground Station manual for a full list of supported bands and antenna capabilities.

+You can specify an EIRP and G/T requirement for each link. EIRP applies to uplinks and G/T applies to downlinks. You can give a name to each link and channel to keep track of these properties.

+Look at the example below to see how to specify an RHCP channel and an LHCP channel if your mission requires dual-polarization on downlink.

+```json

+{

+ "location": "eastus2",

+ "tags": null,

+ "id": "/subscriptions/c1be1141-a7c9-4aac-9608-3c2e2f1152c3/resourceGroups/contoso-Rgp/providers/Microsoft.Orbital/contactProfiles/CONTOSO-CP",

+ "name": "CONTOSO-CP",

+ "type": "Microsoft.Orbital/contactProfiles",

+ "properties": {

+ "provisioningState": "Succeeded",

+ "minimumViableContactDuration": "PT1M",

+ "minimumElevationDegrees": 5,

+ "autoTrackingConfiguration": "disabled",

+ "eventHubUri": "/subscriptions/c1be1141-a7c9-4aac-9608-3c2e2f1152c3/resourceGroups/contoso-Rgp/providers/Microsoft.EventHub/namespaces/contosoHub/eventhubs/contosoHub",

+ "networkConfiguration": {

+ "subnetId": "/subscriptions/c1be1141-a7c9-4aac-9608-3c2e2f1152c3/resourceGroups/contoso-Rgp/providers/Microsoft.Network/virtualNetworks/contoso-vnet/subnets/orbital-delegated-subnet"

+ },

+ "links": [

+ {

+ "name": "contoso-downlink-rhcp",

+ "polarization": "RHCP",

+ "direction": "downlink",

+ "gainOverTemperature": 25,

+ "eirpdBW": 0,

+ "channels": [

+ {

+ "name": "contoso-downlink-channel-rhcp",

+ "centerFrequencyMHz": 8160,

+ "bandwidthMHz": 15,

+ "endPoint": {

+ "ipAddress": "10.1.0.5",

+ "endPointName": "ContosoTest_Downlink_RHCP",

+ "port": "51103",

+ "protocol": "UDP"

+ },

+ "modulationConfiguration": null,

+ "demodulationConfiguration": null,

+ "encodingConfiguration": null,

+ "decodingConfiguration": null

+ }

+ ]

+ }

+ {

+ "name": "contoso-downlink-lhcp",

+ "polarization": "LHCP",

+ "direction": "downlink",

+ "gainOverTemperature": 25,

+ "eirpdBW": 0,

+ "channels": [

+ {

+ "name": "contoso-downlink-channel-lhcp",

+ "centerFrequencyMHz": 8160,

+ "bandwidthMHz": 15,

+ "endPoint": {

+ "ipAddress": "10.1.0.5",

+ "endPointName": "ContosoTest_Downlink_LHCP",

+ "port": "51104",

+ "protocol": "UDP"

+ },

+ "modulationConfiguration": null,

+ "demodulationConfiguration": null,

+ "encodingConfiguration": null,

+ "decodingConfiguration": null

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+## Applying modems or bring your own

+We recommend taking advantage of Orbital's GSaaS software modem functionality if possible. This modem is managed by the service and is inserted between your endpoint and the incoming or outgoing virtual RF stream per channel. We have a library of modems that will be available in the marketplace for you to utilize. If there is no modem that can be used with your application then utilize the virtual RF delivery feature to bring your own modem.

+There are 4 parameters related to modem configurations. The table below shows you how to configure these parameters.

+| Parameter | Options |

+||--|

+| modulationConfiguration | 1. Null for virtual RF<br />2. JSON escaped modem config for software modem |

+| demodulationConfiguration | 1. Null for virtual RF<br />2. JSON escaped modem config for software modem |

+| encodingConfiguration | Null (not used) |

+| decodingConfiguration | Null (not used) |

+Use the same modem config file in uplink and downlink channels for full-duplex communications in the same band.

+The modem config should be a JSON escaped raw save file from a software modem. Please see the marketplace for modem options.

+## Modifying or deleting a contact profile

+You can modify or delete the contact profile via the Portal or through the API.

+## Configuring contact profile for third party ground stations

+When you onboard a third party network, you'll receive a token that identifies your profile. Use this token in the object to link a contact profile to the third party network.

+## Next steps

+- [Quickstart: Schedule a contact](schedule-contact.md)

+- [How to: Update the Spacecraft TLE](update-tle.md)

+ Title: Ground station contact - Azure Orbital GSaSS

+description: Learn more about the contact object and how to schedule a contact.

+#Customer intent: As a satellite operator or user, I want to understand how to what the contact object is so I can manage my mission operations.

+# Ground station contact

+A contact occurs when the spacecraft is over a specified ground station. You can find available passes on the system and schedule them for use through Azure Orbital GSaaS. A contact and ground station pass mean the same thing.

+When you schedule a contact, a contact object is created under your spacecraft object in your resource group. The contact only associated with this spacecraft and can't be transferred to another spacecraft, resource group, or region.

+## Contact object

+The contact object contains the start time and end time of the pass and other parameters of interest related to pass operations. The full list is below.

+| Parameter | Description |

+||--|

+| Reservation Start Time | Start time of pass in UTC. |

+| Reservation End Time | End time of pass in UTC. |

+| Maximum Elevation Degrees | The maximum elevation the spacecraft will be in the sky relative to horizon in degrees, used to gauge the quality of the pass. |

+| TX Start Time | Start time of permissible transmission window in UTC. This start time will be equal to or come after Reservation Start Time. |

+| TX End Time | End time of permissible transmission window in UTC. This end time will be equal to or come before Reservation End Time. |

+| RX Start Time | Start time of permissible reception window in UTC. This start time will be equal to or come after Reservation Start Time. |

+| RX End Time | End time of permissible reception window in UTC. This end time will be equal to or come before Reservation End Time. |

+| Start Azimuth | Starting azimuth position of the spacecraft measured clockwise from North in degrees. |

+| End Azimuth | End azimuth position of the spacecraft measured clockwise from North in degrees. |

+| Start Elevation | Starting elevation position of the spacecraft measured from the horizon up in degrees. |

+| End Elevation | Starting elevation position of the spacecraft measured from the horizon up in degrees. |

+The RX and TX start/end times may differ depending on the individual station masks. Billing meters are engaged between the Reservation Start Time and Reservation End Time.

+## Creating a contact

+In order to create a contact, you must have the following pre-requisites:

+* Authorized spacecraft object

+* Contact profile with links in accordance with the spacecraft object above

+Contacts are created on a per pass and per ground station basis. If you already know the pass timings for your spacecraft and selected ground station, then you can directly proceed to schedule the pass with these times. The service will succeed in creating the contact object if the window is available and fail if it isn't.

+If you don't know the pass timings, or which sites are available, then you can use the portal or API to get those details. Query the available passes and use the results to schedule your passes accordingly.

+| Method | List available contacts | Schedule contacts | Notes |

+|-|-|-|-|

+|Portal| Yes | Yes | Custom pass timings not possible. You have to use the results of the query|

+|API | Yes | Yes| Custom pass timings possible. |

+See [how-to schedule a contact](schedule-contact.md) for the Portal method. The API can also be used to create a contact. See the API docs (link to API docs) for this method.

+## Next steps

+- [Quickstart: Schedule a contact](schedule-contact.md)

+- [How to: Update the Spacecraft TLE](update-tle.md)

+Sign in to the [Azure portal - Orbital](https://aka.ms/orbital/portal).

+ | Region | Select a region |

+ | Direction | Select the link direction |

+ | Demodulation Configuration (Downlink only) | If applicable, paste your modem demodulation configuration |

+ | Decoding Configuration (Downlink only)| If applicable, paste your decoding configuration |

+ | Modulation Configuration (Uplink only) | If applicable, paste your modem modulation configuration |

+ | Encoding Configuration (Uplink only)| If applicable, paste your encoding configuration |

+- [How-to Receive real-time telemetry](receive-real-time-telemetry.md)

+- [Tutorial: Cancel a contact](delete-contact.md)

+ Title: Cancel a scheduled contact on Azure Orbital Earth Observation service

+description: Learn how to cancel a scheduled contact.

+# Tutorial: Cancel a scheduled contact

+Sign in to the [Azure portal - Orbital](https://aka.ms/orbital/portal).

+- [Tutorial: Update the spacecraft TLE](update-tle.md)

+ Title: Schedule a contact with NASA's AQUA public satellite using Azure Orbital Earth Observation Service

+description: How to schedule a contact with NASA's AQUA public satellite using Azure Orbital Earth Observation Service

+# Customer intent: As a satellite operator, I want to ingest data from NASA's AQUA public satellite into Azure.

+# Tutorial: Downlink data from NASA's AQUA public satellite

+You can communicate with satellites directly from Azure using Azure Orbital's ground station service. Once downlinked, this data can be processed and analyzed in Azure. In this guide you'll learn how to:

+> [!div class="checklist"]

+> * Create & authorize a spacecraft for AQUA

+> * Prepare a virtual machine (VM) to receive the downlinked AQUA data

+> * Configure a contact profile for an AQUA downlink mission

+> * Schedule a contact with AQUA using Azure Orbital and save the downlinked data

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Complete the onboarding process for the preview. [Onboard to the Azure Orbital Preview](orbital-preview.md).

+## Sign in to Azure

+Sign in to the [Azure portal - Orbital Preview](https://aka.ms/orbital/portal).

+> [!NOTE]

+> These steps must be followed as is or you won't be able to find the resources. Please use the specific link above to sign in directly to the Azure Orbital Preview page.

+## Create & authorize a spacecraft for AQUA

+1. In the Azure portal search box, enter **Spacecrafts*. Select **Spacecrafts** in the search results.

+2. In the **Spacecrafts** page, select Create.

+3. Learn an up-to-date Two-Line Element (TLE) for AQUA by checking celestrak at https://celestrak.com/NORAD/elements/active.txt

+ > [!NOTE]

+ > You will want to periodically update this TLE value to ensure that it is up-to-date prior to scheduling a contact. A TLE that is more than one or two weeks old may result in an unsuccessful downlink.

+4. In **Create spacecraft resource**, enter or select this information in the Basics tab:

+ | **Field** | **Value** |

+ | | |

+ | Subscription | Select your subscription |

+ | Resource Group | Select your resource group |

+ | Name | **AQUA** |

+ | Region | Select **West US 2** |

+ | NORAD ID | **27424** |

+ | TLE title line | **AQUA** |

+ | TLE line 1 | Enter TLE line 1 from Celestrak |

+ | TLE line 2 | Enter TLE line 2 from Celestrak |

+5. Select the **Links** tab, or select the **Next: Links** button at the bottom of the page.

+6. In the **Links** page, enter or select this information:

+ | **Field** | **Value** |

+ | | |

+ | Direction | Select **Downlink** |

+ | Center Frequency | Enter **8160** |

+ | Bandwidth | Enter **15** |

+ | Polarization | Select **RHCP** |

+7. Select the **Review + create** tab, or select the **Review + create** button.

+8. Select **Create**

+9. Access the [Azure Orbital Spacecraft Authorization Form](https://forms.office.com/r/QbUef0Cmjr)

+10. Provide the following information:

+ - Spacecraft name: **AQUA**

+ - Region where spacecraft resource was created: **West US 2**

+ - Company name and email

+ - Azure Subscription ID

+11. Submit the form

+12. Await a 'Spacecraft resource authorized' email from Azure Orbital

+ > [!NOTE]

+ > You can confirm that your spacecraft resource for AQUA is authorized by checking that the **Authorization status** shows **Allowed** in the spacecraft's overiew page.

+## Prepare a virtual machine (VM) to receive the downlinked AQUA data

+1. [Create a virtual network](../virtual-network/quick-create-portal.md) to host your data endpoint virtual machine (VM)

+2. [Create a virtual machine (VM)](../virtual-network/quick-create-portal.md#create-virtual-machines) within the virtual network above. Ensure that this VM has the following specifications:

+- Operation System: Linux (Ubuntu 18.04 or higher)

+- Size: at least 32 GiB of RAM

+- Ensure that the VM has at least one standard public IP

+3. Create a tmpfs on the virtual machine. This virtual machine is where the data will be written to in order to avoid slow writes to disk:

+```console

+sudo mount -t tmpfs -o size=28G tmpfs /media/aqua

+```

+4. Ensure that SOCAT is installed on the machine:

+```console

+sudo apt install socat

+```

+5. Edit the [Network Security Group](../virtual-network/network-security-groups-overview.md) for the subnet that your virtual machine is using to allow inbound connections from the following IPs over TCP port 56001:

+- 20.47.120.4

+- 20.47.120.38

+- 20.72.252.246

+- 20.94.235.188

+- 20.69.186.50

+- 20.47.120.177

+## Configure a contact profile for an AQUA downlink mission

+1. In the Azure portal search box, enter **Contact profile**. Select **Contact profile** in the search results.

+2. In the **Contact profile** page, select **Create**.

+3. In **Create contact profile resource**, enter or select this information in the **Basics** tab:

+ | **Field** | **Value** |

+ | | |

+ | Subscription | Select your subscription |

+ | Resource group | Select your resource group |

+ | Name | Enter **AQUA_Downlink** |

+ | Region | Select **West US 2** |

+ | Minimum viable contact duration | **PT1M** |

+ | Minimum elevation | **5.0** |

+ | Auto track configuration | **Disabled** |

+ | Event Hubs Namespace | Select an Event Hubs Namespace to which you'll send telemetry data of your contacts. Select a Subscription before you can select an Event Hubs Namespace. |

+ | Event Hubs Instance | Select an Event Hubs Instance that belongs to the previously selected Namespace. *This field will only appear if an Event Hubs Namespace is selected first*. |

+4. Select the **Links** tab, or select the **Next: Links** button at the bottom of the page.

+5. In the **Links** page, select **Add new Link**

+6. In the **Add Link** page, enter, or select this information:

+ | **Field** | **Value** |

+ | | |

+ | Direction | **Downlink** |

+ | Gain/Temperature in db/K | **0** |

+ | Center Frequency | **8160.0** |

+ | Bandwidth MHz | **15.0** |

+ | Polarization | **RHCP** |

+ | Endpoint name | Enter the name of the virtual machine (VM) you created above |

+ | IP Address | Enter the Public IP address of the virtual machine you created above (VM) |

+ | Port | **56001** |

+ | Protocol | **TCP** |

+ | Demodulation Configuration | Leave this field **blank** or request a demodulation configuration from the [Azure Orbital team](mailto:msazureorbital@microsoft.com) to use a software modem. Include your Subscription ID, Spacecraft resource ID, and Contact Profile resource ID in your email request.|

+ | Decoding Configuration | Leave this field **blank** |

+7. Select the **Submit** button

+8. Select the **Review + create** tab or select the **Review + create** button

+9. Select the **Create** button

+## Schedule a contact with AQUA using Azure Orbital and save the downlinked data

+1. In the Azure portal search box, enter **Spacecrafts**. Select **Spacecrafts** in the search results.

+2. In the **Spacecrafts** page, select **AQUA**.

+3. Select **Schedule contact** on the top bar of the spacecraftΓÇÖs overview.

+4. In the **Schedule contact** page, specify this information from the top of the page:

+ | **Field** | **Value** |

+ | | |

+ | Contact profile | Select **AQUA_Downlink** |

+ | Ground station | Select **Quincy** |

+ | Start time | Identify a start time for the contact availability window |

+ | End time | Identify an end time for the contact availability window |

+5. Select **Search** to view available contact times.

+6. Select one or more contact windows and select **Schedule**.

+7. View the scheduled contact by selecting the **AQUA** spacecraft and navigating to **Contacts**.

+8. Shortly before the contact begins executing, start listening on port 56001, and output the data received into the file:

+```console

+socat -u tcp-listen:56001,fork create:/media/aqua/out.bin

+```

+9. Once your contact has executed, copy the output file,

+```console

+/media/aqua/out.bin out

+```

+ of the tmpfs and into your home directory to avoid being overwritten when another contact is executed.

+ > [!NOTE]

+ > For a 10 minute long contact with AQUA while it is transmitting with 15MHz of bandwidth, you should expect to receive somewhere in the order of 450MB of data.

+

+## Next steps

+- [Quickstart: Configure a contact profile](contact-profile.md)

+- [Quickstart: Schedule a contact](schedule-contact.md)

+ Title: License your spacecraft - Azure Orbital

+description: Learn how to license your spacecraft with Orbital.

+# License your spacecraft

+This page provides an overview on how to register or license your spacecraft with Azure Orbital.

+## Prerequisites

+To initiate the spacecraft licensing process, you'll need:

+- A spacecraft object that corresponds to the spacecraft in orbit or slated for launch. The links in this object must match all current and planned filings.

+- List of ground stations that you wish to use

+## Step 1 - Initiate the request

+The process starts by initiating the licensing request via the Azure portal.

+1. Navigate to the spacecraft object and select New Support Request under the Support + troubleshooting category to the left.

+1. Complete the following fields:

+ 1. Summary: Provide a relevant ticket title.

+ 1. Issue type: Technical.

+ 1. Subscription: Choose your current subscription.

+ 1. Service: My Service

+ 1. Service Type: Azure orbital

+ 1. Problem type: Spacecraft Management and Setup

+ 1. Problem subtype: Spacecraft Registration

+1. Click next to Solutions

+1. Click next to Details

+1. Enter the desired ground stations in the Description field

+1. Enable advanced diagnostic information

+1. Click next to Review + Create

+1. Click Create.

+## Step 2 - Provide more details

+When the request is generated, our regulatory team will investigate the request and determine if more detail is required. If so, a customer support representative will reach out to you with a regulatory intake form. You'll need to input information regarding relevant filings, call signs, orbital parameters, link details, antenna details, point of contacts, etc.

+Fill out all relevant fields in this form as it helps speeds up the process. When you're done entering information, email this form back to the customer support representative.

+## Step 3 - Await feedback from our regulatory team

+Based on the details provided in the steps above, our regulatory team will make an assessment on time and cost to onboard your spacecraft to all requested ground stations. This step will take a few weeks to execute.

+Once the determination is made, we'll confirm the cost with you and ask you to authorize before proceeding.

+## Step 4 - Orbital requests the relevant licensing

+Upon authorization, you'll be billed and our regulatory team will seek the relevant licenses to enable your spacecraft with the desired ground stations. This step will take 2 to 6 months to execute.

+## Step 5 - Spacecraft is authorized

+Once the licenses are in place, the spacecraft object will be updated by Orbital to represent the licenses held at the specified ground stations. Refer to (to add link to spacecraft concept) to understand how the authorizations are applied.

+## FAQ

+Q. Are third party ground stations such as KSAT included in this process?

+A. No, the process on this page applies to Microsoft sites only. For more information, see (to add link to third party page).

+## Next steps

+ Title: Integrate partner network ground stations into your Azure Orbital Ground Station as a Service solution

+description: Leverage partner network ground station locations through Azure Orbital.

+# Integrate partner network ground stations into your Azure Orbital Ground Station as a Service solution

+This article describes how to integrate partner network ground stations.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An active contract with the partner network(s) you wish to integrate with Azure Orbital.

+- KSAT Lite

+- [Viasat RTE](https://azuremarketplace.microsoft.com/marketplace/apps/viasatinc1628707641775.viasat-real-time-earth?tab=overview)

+## Request integration resource information

+1. Email the Azure Orbital Ground Station as a Service (GSaaS) team at **azorbitalpm@microsoft.com** to initiate partner network integration by providing the details below:

+ - Azure Subscription ID

+ - List of partner networks you've contracted with

+ - List of ground station locations included in partner contracts

+2. The Azure Orbital GSaaS team will reply to your message with additional requested information, or, the Contact Profile resource parameters that will enable your partner network integration.

+3. Create a contact profile resource with the parameters provided by the Azure Orbital GSaaS team.

+4. Await integration confirmation prior to scheduling Contacts with the newly integrated partner network(s).

+> [!NOTE]

+> It is important that the contact profile resource parameters match those provided by the Azure Orbital GSaaS team.

+## Next steps

+- [Configure a contact profile](./contact-profile.md)

+- [Learn more about the contact profile object](./concepts-contact-profile.md)

+- [Overview of the Azure Space Partner Community](./space-partner-program-overview.md)

+ Title: Prepare network to send and receive data - Azure Orbital

+description: Learn how to deliver and receive data from Azure Orbital.

+# Prepare the network for Azure Orbital GSaaS integration

+The Orbital GSaaS platform interfaces with your resources using VNET injection, which is used in both uplink and downlink directions. This page describes how to ensure your Subnet and Orbital GSaaS objects are configured correctly.

+Ensure the objects comply with the recommendations in this article. Note, these steps don't have to be followed in order.

+## Prepare subnet for VNET injection

+Prerequisites:

+- An entire subnet that can be dedicated to Orbital GSaaS in your virtual network in your resource group.

+Steps:

+1. Delegate a subnet to service named: Microsoft.Orbital/orbitalGateways. Follow instructions here: [Add or remove a subnet delegation in an Azure virtual network](/azure/virtual-network/manage-subnet-delegation).

+> [!NOTE]

+> Address range needs to be at least /24 (example 10.0.0.0/23)

+## Setting up the contact profile

+Prerequisites:

+- The subnet/vnet is in the same region as the contact profile

+Make sure the contact profile properties are set as follows:

+1. subnetId (under networkConfiguration): The full ID to the delegated subnet, which can be found inside the VNET's JSON view

+1. For each link

+ 1. ipAddress: Enter an IP here for TCP/UDP server mode. Leave blank for TCP/UDP client mode. See section below for a detailed explanation on configuring this property.

+ 1. port: Needs to be within 49152 and 65535 range and need to be unique across all links in the contact profile.

+> [!NOTE]

+> You can have multiple links/channels in a contact profile, and you can have multiple IPs. But the combination of port/protocol needs to be unique. You can't have two identical ports, even if you have two different destination IPs.

+## Scheduling the contact

+The platform pre-reserves IPs in the subnet when the contact is scheduled. These IPs represent the platform side endpoints for each link. IPs will be unique between contacts, and if multiple concurrent contacts are using the same subnet, we guarantee those IPs to be distinct. The service will fail to schedule the contact and an error will be returned if the service runs out of IPs or can't allocate an IP.

+When you create a contact, you can find these IPs by viewing the contact properties. Select JSON view in the portal or use the GET contact API call to view the contact properties. The parameters of interest are below:

+| Parameter | Usage |

+||-|

+| antennaConfiguration.destinationIP | Connect to this IP when you configure the link as tcp/udp client. |

+| antennaConfiguration.sourceIps | Data will come from this IP when you configure the link as tcp/udp server. |

+You can use this information to set up network policies or to distinguish between simultaneous contacts to the same endpoint.

+> [!NOTE]

+> - The source and destination IPs are always taken from the subnet address range

+> - Only one destination IP is present. Any link in client mode should connect to this IP and the links are differentiated based on port.

+> - Many source IPs can be present. Links in server mode will connect to your specified IP address in the contact profile. The flows will originate from the source IPs present in this field and target the port as per the link details in the contact profile. There is no fixed assignment of link to source IP so please make sure to allow all IPs in any networking setup or firewalls.

+## Client/Server, TCP/UDP, and link direction

+Here's how to set up the link flows based on direction on tcp or udp preference.

+### Uplink

+| Setting | TCP Client | TCP Server | UDP Client | UDP Server |

+|--|-|--|-|--|

+| Contact Profile Link ipAddress | Blank | Routable IP from delegated subnet | Blank | Routable IP from delegated subnet |

+| Contact Profile Link port | Unique port in 49152-65535 | Unique port in 49152-65535 | Unique port in 49152-65535 | Unique port in 49152-65535 |

+| **Output** | | | | |

+| Contact Object destinationIP | Connect to this IP | Not applicable | Connect to this IP | Not applicable |

+| Contact Object sourceIP | Not applicable | Link will come from one of these IPs | Not applicable | Link will come from one of these IPs |

+### Downlink

+| Setting | TCP Client | TCP Server | UDP Client | UDP Server |

+|--|-|--|-|--|

+| Contact Profile Link ipAddress | Blank | Routable IP from delegated subnet | Blank | Routable IP from delegated subnet |

+| Contact Profile Link port | Unique port in 49152-65535 | Unique port in 49152-65535 | Unique port in 49152-65535 | Unique port in 49152-65535 |

+| **Output** | | | | |

+| Contact Object destinationIP | Connect to this IP | Not applicable | Connect to this IP | Not applicable |

+| Contact Object sourceIP | Not applicable | Link will come from one of these IPs | Not applicable | Link will come from one of these IPs |

+## Next steps

+- [Quickstart: Register Spacecraft](register-spacecraft.md)

+- [Quickstart: Schedule a contact](schedule-contact.md)

+ Title: Receive real-time telemetry - Azure Orbital

+description: Learn how to receive real-time telemetry during contacts.

+# Receive real-time telemetry

+An Azure Orbital Ground station emits telemetry events that can be used to analyze the ground station operation during a contact. You can configure your contact profile to send telemetry events to Azure Event Hubs. The steps in this article describe how to create and sent events to Event Hubs.

+## Configure Event Hubs

+1. In your subscription, go to Resource Provider settings and register Microsoft.Orbital as a provider

+1. Create an Azure Event Hubs in your subscription.

+1. From the left menu, select Access Control (IAM). Under Grant Access to this Resource, select Add Role Assignment

+1. Select Azure Event Hubs Data Sender.

+1. Assign access to 'User, group, or service principal'

+1. Click '+ Select members'

+1. Search for 'Azure Orbital Resource Provider' and press Select

+1. Press Review + Assign. This action will grant Azure Orbital the rights to send telemetry into your event hub.

+1. To confirm the newly added role assignment, go back to the Access Control (IAM) page and select View access to this resource.

+Congrats! Orbital can now communicate with your hub.

+## Enable telemetry for a contact profile in the Azure portal

+Ensure the contact profile is configured as follows:

+1. Choose a namespace using the Event Hubs Namespace dropdown.

+1. Choose an instance using the Event Hubs Instance dropdown that appears after namespace selection.

+## Schedule a contact

+Schedule a contact using the Contact Profile that you previously configured for Telemetry.

+Once the contact begins, you should begin seeing data in your Event Hubs soon after.

+## Verifying telemetry data

+You can verify both the presence and content of incoming telemetry data multiple ways.

+### Portal: Event Hubs Capture

+To verify that events are being received in your Event Hubs, you can check the graphs present on the Event Hubs namespace Overview page. This view shows data across all Event Hubs instances within a namespace. You can navigate to the Overview page of a specific instance to see the graphs for that instance.

+### Verify content of telemetry data

+You can enable Event Hubs Capture feature that will automatically deliver the telemetry data to an Azure Blob storage account of your choosing.

+Follow the [instructions to enable Capture](/azure/event-hubs/event-hubs-capture-enable-through-portal). Once enabled, you can check your container and view/download the data.

+## Event Hubs consumer

+Code: Event Hubs Consumer.

+Event Hubs documentation provides guidance on how to write simple consumer apps to receive events from your Event Hubs:

+- [Python](/azure/event-hubs/event-hubs-python-get-started-send)

+- [.NET](/azure/event-hubs/event-hubs-dotnet-standard-getstarted-send)

+- [Java](/azure/event-hubs/event-hubs-java-get-started-send)

+- [JavaScript](/azure/event-hubs/event-hubs-node-get-started-send)

+## Understanding telemetry points

+The ground station provides telemetry using Avro as a schema. The schema is below:

+```json

+{

+ "namespace": "EventSchema",

+ "name": "TelemetryEventSchema",

+ "type": "record",

+ "fields": [

+ {

+ "name": "version",

+ "type": [ "null", "string" ]

+ },

+ {

+ "name": "contactId",

+ "type": [ "null", "string" ]

+ },

+ {

+ "name": "contactPlatformIdentifier",

+ "type": [ "null", "string" ]

+ },

+ {

+ "name": "gpsTime",

+ "type": [ "null", "double" ]

+ },

+ {

+ "name": "utcTime",

+ "type": "string"

+ },

+ {

+ "name": "azimuthDecimalDegrees",

+ "type": [ "null", "double" ]

+ },

+ {

+ "name": "elevationDecimalDegrees",

+ "type": [ "null", "double" ]

+ },

+ {

+ "name": "antennaType",

+ "type": {

+ "name": "antennaTypeEnum",

+ "type": "enum",

+ "symbols": [

+ "Microsoft",

+ "KSAT"

+ ]

+ }

+ },

+ {

+ "name": "links",

+ "type": [

+ "null",

+ {

+ "type": "array",

+ "items": {

+ "name": "antennaLink",

+ "type": "record",

+ "fields": [

+ {

+ "name": "direction",

+ "type": {

+ "name": "directionEnum",

+ "type": "enum",

+ "symbols": [

+ "Uplink",

+ "Downlink"

+ ]

+ }

+ },

+ {

+ "name": "polarization",

+ "type": {

+ "name": "polarizationEnum",

+ "type": "enum",

+ "symbols": [

+ "RHCP",

+ "LHCP",

+ "linearVertical",

+ "linearHorizontal"

+ ]

+ }

+ },

+ {

+ "name": "inputRfPowerDbm",

+ "type": [ "null", "double" ]

+ },

+ {

+ "name": "uplinkEnabled",

+ "type": [ "null", "boolean" ]

+ },

+ {

+ "name": "channels",

+ "type": [

+ "null",

+ {

+ "type": "array",

+ "items": {

+ "name": "antennaLinkChannel",

+ "type": "record",

+ "fields": [

+ {

+ "name": "endpointName",

+ "type": "string"

+ },

+ {

+ "name": "inputEbN0InDb",

+ "type": [ "null", "double" ]

+ },

+ {

+ "name": "modemLockStatus",

+ "type": [

+ "null",

+ {

+ "name": "modemLockStatusEnum",

+ "type": "enum",

+ "symbols": [

+ "Unlocked",

+ "Locked"

+ ]

+ }

+ ]

+ }

+ ]

+ }

+ }

+ ]

+ }

+ ]

+ }

+ }

+ ]

+ }

+ ]

+}

+```

+## Next steps

+- [Event Hubs using Python Getting Started](/azure/event-hubs/event-hubs-python-get-started-send)

+- [Azure Event Hubs client library for Python code samples](/azure-sdk-for-python/tree/main/sdk/eventhub/azure-eventhub/samples/async_samples)

+ Title: Register Spacecraft on Azure Orbital Earth Observation service

+Sign in to the [Azure portal](https://aka.ms/orbital/portal).

+1. In the Azure portal search box, enter **Spacecraft**. Select **Spacecraft** in the search results.

+2. In the **Spacecraft** page, select Create.

+## Request authorization of the new spacecraft resource

+1. Navigate to the newly created spacecraft resource's overview page.

+1. Select **New support request** in the Support + troubleshooting section of the left-hand blade.

+1. In the **New support request** page, enter or select this information in the Basics tab:

+| **Field** | **Value** |

+| | |

+| Summary | Request Authorization for [Spacecraft Name] |

+| Issue type | Select **Technical** |

+| Subscription | Select the subscription in which the spacecraft resource was created |

+| Service | Select **My services** |

+| Service type | Search for and select **Azure Orbital** |

+| Problem type | Select **Spacecraft Management and Setup** |

+| Problem subtype | Select **Spacecraft Registration** |

+1. Select the Details tab at the top of the page

+1. In the Details tab, enter this information in the Problem details section:

+| **Field** | **Value** |

+| | |

+| When did the problem start? | Select the current date & time |

+| Description | List your spacecraft's frequency bands and desired ground stations |

+| File upload | Upload any pertinent licensing material, if applicable |

+1. Complete the **Advanced diagnostic information** and **Support method** sections of the **Details** tab.

+1. Select the **Review + create** tab, or select the **Review + create** button.

+1. Select **Create**.

+1. In the Azure portal search box, enter **Spacecraft**. Select **Spacecraft** in the search results.

+1. In the **Spacecraft** page, select the newly registered spacecraft.

+1. In the new spacecraft's overview page, check the **Authorization status** shows **Allowed**.

+You must first follow the steps listed in [Tutorial: Downlink data from NASA's AQUA public satellite](downlink-aqua.md).

+> In the section [Prepare a virtual machine (VM) to receive the downlinked AQUA data](downlink-aqua.md#prepare-a-virtual-machine-vm-to-receive-the-downlinked-aqua-data), use the following values:

+- [Spaceborne data analysis with Azure Synapse Analytics](/azure/architecture/industries/aerospace/geospatial-processing-analytics)

+ Title: How to schedule a contact on Azure Orbital Earth Observation service

+description: Learn how to schedule a contact.

+Sign in to the [Azure portal - Orbital](https://aka.ms/orbital/portal).

+1. In the Azure portal search box, enter **Spacecraft**. Select **Spacecraft** in the search results.

+2. In the **Spacecraft** page, select the spacecraft for the contact.

+ Title: Spacecraft object - Azure Orbital

+description: Learn about how you can represent your spacecraft details in Azure Orbital.

+#Customer intent: As a satellite operator or user, I want to understand what the spacecraft object does so I can manage my mission.

+# Spacecraft object

+Learn about how you can represent your spacecraft details in Azure Orbital GSaaS.

+## Spacecraft details

+The spacecraft object captures three types of information:

+- **Links** - RF details on center frequency, direction, and bandwidth for each link.

+- **Ephemeris** - The latest TLE.

+- **Licensing** - Authorizations held on a per link per ground station basis.

+## Links

+Make sure to capture each link that you wish to use with Azure Orbital when you create the spacecraft object. The following details are required:

+| **Field** | **Values** |

+||--|

+| Direction | Uplink or Downlink |

+| Center Frequency | Center frequency in MHz |

+| Bandwidth | Bandwidth in MHz |

+| Polarization | RHCP, LHCP, or Linear Vertical |

+Dual polarization schemes are represented by two individual links with their respective LHCP and RHCP polarizations.

+## Ephemeris

+The spacecraft ephemeris is captured in Azure Orbital using the Two-Line Element or TLE.

+A TLE is associated with the spacecraft to determine contact opportunities at the time of scheduling. The TLE is also used to determine the path the antenna must follow during the contact as the spacecraft passes over the ground station during contact execution.

+As TLEs are prone to expiration, the user must keep the TLE up-to-date using the [TLE update](update-tle.md) procedure.

+## Licensing

+In order to uphold regulatory requirements across the world, the spacecraft object contains authorizations on a per link and per site level that permits usage of the Azure Orbital ground station sites.

+The platform will deny scheduling or execution of contacts if the spacecraft object links aren't authorized. The platform will also deny contact if a profile contains links that aren't included in the spacecraft object authorized links.

+For more information, see the Licensing (add link to: concepts-licensing.md when article is created) documentation.

+## Create spacecraft resource

+For more information on how to create a spacecraft resource, see the details listed in the [register a spacecraft](register-spacecraft.md) article.

+## Managing spacecraft objects

+Spacecraft objects can be created and deleted via the Portal and Azure Orbital APIs. Once the object is created, modification to the object is dependent on the authorization status.

+When the spacecraft is unauthorized, then the spacecraft object can be modified. The API is the best way to make changes as the Portal only lets you make TLE updates.

+When the spacecraft is unauthorized, then TLE updates are the only modifications possible. Other fields such as links become immutable. The TLE updates are possible via the Portal and Orbital SDK.

+## Delete spacecraft resource

+You can delete the spacecraft object via the Portal or through the API. See [How-to: Delete Contact](delete-contact.md)

+## Next steps

+- [Register a spacecraft](register-spacecraft.md)

+ Title: Update the spacecraft TLE on Azure Orbital Earth Observation service

+description: Update the TLE of an existing spacecraft resource.

+# Tutorial: Update the spacecraft TLE

+1. In the Azure portal search box, enter **Spacecraft**. Select **Spacecraft** in the search results.

+2. In the **Spacecraft** page, select the name of the spacecraft for which to update the ephemeris.

+ | TLE Line 1 | Updated TLE Line 1 |

+ | TLE Line 2 | Updated TLE Line 2 |

+- [Tutorial: Cancel a scheduled contact](delete-contact.md)

+> [!NOTE]

+> To access Azure Database for PostgreSQL from your local computer, ensure that the firewall on your network and local computer allow outgoing communication on TCP port 5432.

+> [!NOTE]

+> To access Azure Database for PostgreSQL from your local computer, ensure that the firewall on your network and local computer allow outgoing communication on TCP port 5432.

+The current minor release is 11.16. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/11/release-11-16.html) to learn more about improvements and fixes in this minor release.

+The current minor release is 10.21. Refer to the [PostgreSQL documentation](https://www.postgresql.org/docs/10/release-10-21.html) to learn more about improvements and fixes in this minor release.

+When you start a session, the search service creates a copy of the skillset, indexer, and a data source containing a single document that will be used to test the skillset. All session state will be saved to a new blob container created by the Azure Cognitive Search service in an Azure Storage account that you provide. The name of the generated container has a prefix of "ms-az-cognitive-search-debugsession".

+> If you're using a search service that was created before July 2020, the scoring algorithm is most likely the previous default, `ClassicSimilarity`, which you can upgrade on a per-index basis. See [Enable BM25 scoring on older services](index-ranking-similarity.md#enable-bm25-scoring-on-older-services) for details.

+- Canada Central

+- East Asia

+- Germany West Central

+- Korea Central

+- [Disaster recovery and storage account failover](../common/storage-disaster-recovery-guidance.md)

+> [!IMPORTANT]

+> Because you must enable hierarchical namespace for your account to use SFTP, all of the known issues that are described in the Known issues with [Azure Data Lake Storage Gen2](data-lake-storage-known-issues.md) article also apply to your account.

+The unsupported client list above is not exhaustive and may change over time.

+| SSH Commands | SFTP is the only supported subsystem. Shell requests after the completion of key exchange will fail. |

+| Multi-protocol writes | Random writes and appends (`PutBlock`,`PutBlockList`, `GetBlockList`, `AppendBlock`, `AppendFile`) aren't allowed from other protocols (NFS, Blob REST, Data Lake Storage Gen2 REST) on blobs that are created by using SFTP. Full overwrites are allowed.|

+

+To learn more, see [SFTP permission model](secure-file-transfer-protocol-support.md#sftp-permission-model) and see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md).

+- Static IP addresses aren't supported for storage accounts. This is not an SFTP specific limitation.

+- For performance issues and considerations, see [SSH File Transfer Protocol (SFTP) performance considerations in Azure Blob storage](secure-file-transfer-protocol-performance.md).

+

+- TLS and SSL aren't related to SFTP.

+Prior to the release of this feature, if you wanted to use SFTP to transfer data to Azure Blob Storage you would have to either purchase a third party product or orchestrate your own solution. For custom solutions, you would have to create virtual machines (VMs) in Azure to host an SFTP server, and then update, patch, manage, scale, and maintain a complex architecture.

+Now, with SFTP support for Azure Blob Storage, you can enable an SFTP endpoint for Blob Storage accounts with a single click. Then you can set up local user identities for authentication to connect to your storage account with SFTP via port 22.

+SFTP support requires hierarchical namespace to be enabled. Hierarchical namespace organizes objects (files) into a hierarchy of directories and subdirectories in the same way that the file system on your computer is organized. The hierarchical namespace scales linearly and doesn't degrade data capacity or performance.

+Different protocols are supported by the hierarchical namespace. SFTP is one of these available protocols.

+> For example, Jeff has read only permission (can be controlled via RBAC, ABAC, or ACLs) via their Azure AD identity for file _foo.txt_ stored in container _con1_. If Jeff is accessing the storage account via NFS (when not mounted as root/superuser), Blob REST, or Data Lake Storage Gen2 REST, these permissions will be enforced. However, if Jeff also has a local user identity with delete permission for data in container _con1_, they can delete _foo.txt_ via SFTP using the local user identity.

+For SFTP enabled storage accounts, you can use the full breadth of Azure Blob Storage security settings, to authenticate and authorize users accessing Blob Storage via Azure portal, Azure CLI, Azure PowerShell commands, AzCopy, as well as Azure SDKs, and Azure REST APIs. To learn more, see [Access control model in Azure Data Lake Storage Gen2](data-lake-storage-access-control-model.md).

+You cannot set custom passwords, rather Azure generates one for you. If you choose password authentication, then your password will be provided after you finish configuring a local user. Make sure to copy that password and save it in a location where you can find it later. You won't be able to retrieve that password from Azure again. If you lose the password, you'll have to generate a new one. For security reasons, you can't set the password yourself.

+| Read | r | <li>Read file content</li> |

+| Write | w | <li>Upload file</li><li>Create directory</li><li>Upload directory</li> |

+| List | l | <li>List content within container</li><li>List content within directory</li> |

+| Delete | d | <li>Delete file/directory</li> |

+| Create | c | <li>Upload file if file doesn't exist</li><li>Create directory if directory doesn't exist</li> |

+When performing write operations on blobs in sub directories, Read permission is required to open the directory and access blob properties.

+| Host key ¹ | Key exchange | Ciphers/encryption | Integrity/MAC | Public key |

+| rsa-sha2-256 ² | ecdh-sha2-nistp384 | aes128-gcm@openssh.com | hmac-sha2-256 | ssh-rsa ² |

+| rsa-sha2-512 ² | ecdh-sha2-nistp256 | aes256-gcm@openssh.com | hmac-sha2-512 | ecdsa-sha2-nistp256 |

+¹ Host keys are published [here](secure-file-transfer-protocol-host-keys.md).

+² RSA keys must be minimum 2048 bits in length.

+At this time, in accordance with the Microsoft Security SDL, we do not plan on supporting the following: `ssh-dss`, `diffie-hellman-group14-sha1`, `diffie-hellman-group1-sha1`, `hmac-sha1`, `hmac-sha1-96`. Algorithm support is subject to change in the future.

+## Connecting with SFTP

+To get started, enable SFTP support, create a local user, and assign permissions for that local user. Then, you can use any SFTP client to securely connect and then transfer files. For step-by-step guidance, see [Connect to Azure Blob Storage by using the SSH File Transfer Protocol (SFTP)](secure-file-transfer-protocol-support-how-to.md).

+The supported client list above is not exhaustive and may change over time.

+- [Soft delete for blobs](./soft-delete-blob-overview.md)

+| [Delete containers with a specific prefix](../scripts/storage-blobs-container-delete-by-prefix-powershell.md?toc=%2fpowershell%2fmodule%2ftoc.json) | Deletes containers starting with a specified string. |

+- [Scalability targets for the Azure Storage resource provider](scalability-targets-resource-provider.md)

+- [Security recommendations for Blob storage](../blobs/security-recommendations.md)

+- [Azure subscription limits and quotas](../../azure-resource-manager/management/azure-subscription-service-limits.md)

+- [Assign an Azure role for access to queue data](assign-azure-role-data-access.md)

+* [Apache Spark SQL connector](apache-spark-sql-connector.md)

+ Title: Assessment options in update management center (preview).

+description: The article describes the assessment options available in Update management center (preview).

+# Assessment options in update management center (preview)

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article provides an overview of the assessment options available by update management center (preview).

+Update management center (preview) provides you the flexibility to assess the status of available updates and manage the process of installing required updates for your machines.

+## Periodic assessment

+

+ Periodic assessment is an update setting on a machine that allows you to enable automatic periodic checking of updates by update management center (preview). We recommend that you enable this property on your machines as it allows update management center (preview) to fetch latest updates for your machines every 24 hours and enables you to view the latest compliance status of your machines. You must register this [feature in your Azure subscription](enable-machines.md#periodic-assessment). You can enable this setting using update settings flow as detailed [here](manage-update-settings.md#configure-settings-on-single-vm) or enable it at scale by using [Policy](periodic-assessment-at-scale.md).

+## Check for updates now/On-demand assessment

+Update management center (preview) allows you to check for latest updates on your machines at any time, on-demand. You can view the latest update status and act accordingly. Go to **Updates** blade on any VM and select **Check for updates** or select multiple machines from update management center (preview) and check for updates for all machines at once. For more information, see [check and install on-demand updates](view-updates.md).

+## Update assessment scan

+ You can initiate a software updates compliance scan on a machine to get a current list of operating system updates available.

+ - **On Windows** - the software update scan is actually performed by the Windows Update Agent.

+ - **On Linux** - the software update scan is performed using OVAL-compatible tools to test for the presence of vulnerabilities based on the OVAL Definitions for that platform, which is retrieved from a local or remote repository.

+ In the **Updates (preview)** page, after you initiate an assessment, a notification is generated to inform you the activity has started and another is displayed when it is finished.

+ :::image type="content" source="media/assessment-options/updates-preview-page.png" alt-text="Screenshot of the Updates (preview) page.":::

+The **Recommended updates** section is updated to reflect the OS updates applicable. You can also select **Refresh** to update the information on the page and review the assessment details of the selected machine.

+In the **History** section, you can view:

+- **Total deployments**ΓÇöthe total number of deployments.

+- **Failed deployments**ΓÇöthe number out of the total deployments that failed.

+- **Successful deployments**ΓÇöthe number out of the total deployments that were successful.

+A list of the deployments created are shown in the update deployment grid and include relevant information about the deployment. Every update deployment has a unique GUID, represented as **Activity ID**, which is listed along with **Status**, **Updates Installed**, and **Time details**. You can filter the results listed in the grid in the following ways:

+- Select one of the tile visualizations

+- Select a specific time period. Options are: **Last 30 Days**, **Last 15 Days**, **Last 7 Days**, and **Last 24 hrs**. By default, deployments from the last 30 days are shown.

+- Select a specific deployment status. Options are: **Succeeded**, **Failed**, **CompletedWithWarnings**, **InProgress**, and **NotStarted**. By default, all status types are selected.

+Selecting any one of the update deployments from the list will open the **Assessment run** page. Here, it shows a detailed breakdown of the updates and the installation results for the Azure VM or Arc-enabled server.

+In the **Scheduling** section, you can either **create a maintenance configuration** or **attach existing maintenance configuration**. See the section for more information on [how to create a maintenance configuration](scheduled-patching.md#create-a-new-maintenance-configuration) and [how to attach existing maintenance configuration](scheduled-patching.md#attach-a-maintenance-configuration).

+## Next steps

+* To view update assessment and deployment logs generated by update management center (preview), see [query logs](query-logs.md).

+* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) update management center (preview).

+ Title: Configure Windows Update settings in Update management center (Preview)

+description: This article tells how to configure Windows update settings to work with Update management center (Preview).

+# Configure Windows update settings for update management center (preview)

+Update management center (Preview) relies on the [Windows Update client](/windows/deployment/update/windows-update-overview) to download and install Windows updates. There are specific settings that are used by the Windows Update client when connecting to Windows Server Update Services (WSUS) or Windows Update. Many of these settings can be managed by:

+- Local Group Policy Editor

+- Group Policy

+- PowerShell

+- Directly editing the Registry

+The Update management center (preview) respects many of the settings specified to control the Windows Update client. If you use settings to enable non-Windows updates, the Update management center (preview) will also manage those updates. If you want to enable downloading of updates before an update deployment occurs, update deployment can be faster, more efficient, and less likely to exceed the maintenance window.

+For additional recommendations on setting up WSUS in your Azure subscription and to secure your Windows virtual machines up to date, review [Plan your deployment for updating Windows virtual machines in Azure using WSUS](/azure/architecture/example-scenario/wsus).

+## Pre-download updates

+To configure the automatic downloading of updates without automatically installing them, you can use Group Policy to [configure the Automatic Updates setting](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#configure-automatic-updates) to 3. This setting enables downloads of the required updates in the background, and notifies you that the updates are ready to install. In this way, update management center (Preview) remains in control of schedules, but allows downloading of updates outside the maintenance window. This behavior prevents `Maintenance window exceeded` errors in update management center (preview).

+You can enable this setting in PowerShell:

+```powershell

+$WUSettings = (New-Object -com "Microsoft.Update.AutoUpdate").Settings

+$WUSettings.NotificationLevel = 3

+$WUSettings.Save()

+```

+## Configure reboot settings

+The registry keys listed in [Configuring Automatic Updates by editing the registry](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry) and [Registry keys used to manage restart](/windows/deployment/update/waas-restart#registry-keys-used-to-manage-restart) can cause your machines to reboot, even if you specify **Never Reboot** in the **Update Deployment** settings. Configure these registry keys to best suit your environment.

+## Enable updates for other Microsoft products

+By default, the Windows Update client is configured to provide updates only for Windows. If you enable the **Give me updates for other Microsoft products when I update Windows** setting, you also receive updates for other products, including security patches for Microsoft SQL Server and other Microsoft software. You can configure this option if you have downloaded and copied the latest [Administrative template files](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) available for Windows 2016 and later.

+If you have machines running Windows Server 2012 R2, you can't configure this setting through Group Policy. Run the following PowerShell command on these machines:

+```powershell

+$ServiceManager = (New-Object -com "Microsoft.Update.ServiceManager")

+$ServiceManager.Services

+$ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"

+$ServiceManager.AddService2($ServiceId,7,"")

+```

+## Make WSUS configuration settings

+Update management center (Preview) supports WSUS settings. You can specify sources for scanning and downloading updates using instructions in [Specify intranet Microsoft Update service location](/windows/deployment/update/waas-wu-settings#specify-intranet-microsoft-update-service-location). By default, the Windows Update client is configured to download updates from Windows Update. When you specify a WSUS server as a source for your machines, the update deployment fails, if the updates aren't approved in WSUS.

+To restrict machines to the internal update service, see [do not connect to any Windows Update Internet locations](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#do-not-connect-to-any-windows-update-internet-locations).

+## Next steps

+Configure an update deployment by following instructions in [Deploy updates](deploy-updates.md).

+ Title: Deploy updates and track results in update management center (preview).

+description: The article details how to use update management center (preview) in the Azure portal to deploy updates and view results for supported machines.

+# Deploy updates now and track results with update management center (preview)

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+The article describes how to perform an on-demand update on a single VM or multiple VMs using update management center (preview).

+See the following sections for detailed information:

+- [Install updates on a single VM](#install-updates-on-single-vm)

+- [Install updates at scale](#install-updates-at-scale)

+## Supported regions

+Update management center (preview) is available in all [Azure public regions](support-matrix.md#supported-regions).

+## Install updates on single VM

+>[!NOTE]

+> You can install the updates from the Overview or Machines blade in update management center (preview) page or from the selected VM.

+# [From Overview blade](#tab/install-single-overview)

+To install one time updates on a single VM, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. In **Update management center (preview)**, **Overview**, choose your **Subscription** and select **One-time update** to install updates.

+ :::image type="content" source="./media/deploy-updates/install-updates-now-inline.png" alt-text="Example of installing one-time updates." lightbox="./media/deploy-updates/install-updates-now-expanded.png":::

+1. Select **Install now** to proceed with the one-time updates.

+1. In **Install one-time updates**, select **+Add machine** to add the machine for deploying one-time.

+1. In **Select resources**, choose the machine and select **Add**.

+1. In **Updates**, specify the updates to include in the deployment. For each product, select or deselect all supported update classifications and specify the ones to include in your update deployment. If your deployment is meant to apply only for a select set of updates, its necessary to deselect all the pre-selected update classifications when configuring the **Inclusion/exclusion** updates described below. This ensures only the updates you've specified to include in this deployment are installed on the target machine.

+ > [!NOTE]

+ > Selected Updates shows a preview of OS updates which may be installed based on the last OS update assessment information available. If the OS update assessment information in update center management (preview) is obsolete, the actual updates installed would vary. Especially if you have chosen to install a specific update category, where the OS updates applicable may vary as new packages or KB Ids may be available for the category.

+ - Select **+Include update classification**, in the **Include update classification** select the appropriate classification(s) that must be installed on your machines.

+

+ :::image type="content" source="./media/deploy-updates/include-update-classification-inline.png" alt-text="Screenshot on including update classification." lightbox="./media/deploy-updates/include-update-classification-expanded.png":::

+

+ - Select **Include KB ID/package** to include in the updates. Enter a comma-separated list of Knowledge Base article ID numbers to include or exclude for Windows updates. For example, `3103696, 3134815`. For Windows, you can refer to the [MSRC link](https://msrc.microsoft.com/update-guide/deployments) to get the details of the latest Knowledge Base released. For supported Linux distros, you specify a comma separated list of packages by the package name, and you can include wildcards. For example, `kernel*, glibc, libc=1.0.1`. Based on the options specified, update management center (preview) shows a preview of OS updates under the **Selected Updates** section.

+ - To exclude updates that you don't want to install, select **Exclude KB ID/package**. We recommend checking this option because updates that are not displayed here might be installed, as newer updates might be available.

+

+ - To ensure that the updates published are on or before a specific date, choose the date and select**Add** and **Next**.

+1. In **Properties**, specify the reboot and maintenance window.

+ - Use the **Reboot** option to specify the way to handle reboots during deployment. The following options are available:

+ * Reboot if required

+ * Never reboot

+ * Always reboot

+ - Use the **Maximum duration (in minutes)** to specify the amount of time allowed for updates to install. The maximum limit supported is 235 minutes. Consider the following details when specifying the window:

+ * It controls the number of updates that must be installed.

+ * New updates will continue to install if the maintenance window limit is approaching.

+ * In-progress updates aren't terminated if the maintenance window limit is exceeded

+ * Any remaining updates that are not yet installed aren't attempted. We recommend that you reevaluate the maintenance window if this is consistently encountered.

+ * If the limit is exceeded on Windows, it's often because of a service pack update that is taking a long time to install.

+1. When you're finished configuring the deployment, verify the summary in **Review + install** and select **Install**.

+

+# [From Machines blade](#tab/install-single-machine)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Update management center (Preview)**, **Machine**, choose your **Subscription**, choose your machine and select **One-time update** to install updates.

+1. Select to **Install now** to proceed with installing updates.

+1. In **Install one-time updates** page, the selected machine appears. Choose the machine, select **Next** and follow the procedure from step 6 listed in **From Overview blade** of [Install updates on single VM](#install-updates-on-single-vm).

+ A notification appears to inform you the activity has started and another is created when it's completed. When it is successfully completed, you can view the installation operation results in **History**. The status of the operation can be viewed at any time from the [Azure Activity log](/azure/azure-monitor/essentials/activity-log).

+# [From a selected VM](#tab/singlevm-deploy-home)

+1. Select your virtual machine and the **virtual machines | Updates** page opens.

+1. Under **Operations**, select **Updates**.

+1. In **Updates**, select **Go to Updates using Update Center**.

+1. In **Updates (Preview)**, select **One-time update** to install the updates.

+1. In **Install one-time updates** page, the selected machine appears. Choose the machine, select **Next** and follow the procedure from step 6 listed in **From Overview blade** of [Install updates on single VM](#install-updates-on-single-vm).

+

+## Install updates at scale

+

+To create a new update deployment for multiple machines, follow these steps:

+>[!NOTE]

+> You can check the updates from **Overview** or **Machines** blade.

+You can schedule updates

+# [From Overview blade](#tab/install-scale-overview)

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. In **Update management center (Preview)**, **Overview**, choose your **Subscription**, select **One-time update**, and **Install now** to install updates.

+ :::image type="content" source="./media/deploy-updates/install-updates-now-inline.png" alt-text="Example of installing one-time updates." lightbox="./media/deploy-updates/install-updates-now-expanded.png":::

+

+1. In **Install one-time updates**, you can select the resources and machines to install the updates.

+1. In **Machines**, you can view all the machines available in your subscription. You can also use the **+Add machine** to add the machines for deploying one-time updates. You can add up to 20 machines. Choose **Select all** and select **Add**.

+The **Machines** displays a list of machines for which you can deploy one-time update. Select **Next** and follow the procedure from step 6 listed in **From Overview blade** of [Install updates on single VM](#install-updates-on-single-vm).

+# [From Machines blade](#tab/install-scale-machines)

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. Go to **Machines**, select your subscription and choose your machines. You can choose **Select all** to select all the machines.

+1. Select **One-time update**, **Install now** to deploy one-time updates.

+

+1. In **Install one-time updates**, you can select the resources and machines to install the updates.

+1. In **Machines**, you can view all the machines available in your subscription. You can also select using the **+Add machine** to add the machines for deploying one-time updates. You can add up to 20 machines. Choose the **Select all** and select **Add**.

+The **Machines** displays a list of machines for which you want to deploy one-time update, select **Next** and follow the procedure from step 6 listed in **From Overview blade** of [Install updates on single VM](#install-updates-on-single-vm).

+-

+A notification appears to inform you the activity has started and another is created when it's completed. When it is successfully completed, you can view the installation operation results in **History**. The status of the operation can be viewed at any time from the [Azure Activity log](/azure/azure-monitor/essentials/activity-log).

+## View update history for single VM

+You can browse information about your Azure VMs and Arc-enabled servers across your Azure subscriptions. For more information, see [Update deployment history](manage-multiple-machines.md#update-deployment-history).

+After your scheduled deployment starts, you can see it's status on the **History** tab. It displays the total number of deployments including the successful and failed deployments.

+A list of the deployments created are show in the update deployment grid and include relevant information about the deployment. Every update deployment has a unique GUID, represented as **Operation ID**, which is listed along with **Status**, **Updates Installed** and **Time** details. You can filter the results listed in the grid.

+Select any one of the update deployments from the list to open the **Update deployment run** page. Here, it shows a detailed breakdown of the updates and the installation results for the Azure VM or Arc-enabled server.

+ The available values are:

+- **Not attempted** - The update wasn't installed because there was insufficient time available, based on the defined maintenance window duration.

+- **Not selected** - The update wasn't selected for deployment.

+- **Succeeded** - The update succeeded.

+- **Failed** - The update failed.

+## Next steps

+* To view update assessment and deployment logs generated by update management center (preview), see [query logs](query-logs.md).

+* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) update management center (preview).

+ Title: Enable update management center (preview) for periodic assessment and scheduled patching

+description: This article describes how to enable the periodic assessment and scheduled patching features using update management center (preview) for Windows and Linux machines running on Azure or outside of Azure connected to Azure Arc-enabled servers.

+# How to enable update management center (preview)

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article describes how to enable update management center (preview) for periodic assessment and scheduled patching using one of the following methods:

+- From the Azure portal

+- Using Azure PowerShell

+- Using the Azure CLI

+- Using the Azure REST API

+Register the periodic assessment and scheduled patching feature resource providers in your Azure subscription, as detailed below, to enable update management center (preview) functionality. After your register for the features, access the preview link: **https://aka.ms/umc-preview**.

+## Prerequisites

+- Azure subscription - if you don't have one yet, you can [activate your MSDN subscriber benefits](/pricing/member-offers/msdn-benefits-details/) or sign up for a [free account](/free/?WT.mc_id=A261C142F).

+- Your account must be a member of the Azure [Owner](/azure/role-based-access-control/built-in-roles#owner) or [Contributor](/azure/role-based-access-control/built-in-roles#contributor) role in the subscription.

+- One or more [Azure virtual machines](/azure/virtual-machines), or physical or virtual machines managed by [Arc-enabled servers](/azure/azure-arc/servers/overview).

+- Ensure that you meet all [prerequisites for update management center](overview.md#prerequisites)

+## Periodic assessment

+The following section describes how to enable periodic assessment feature for your subscription using Azure portal, PowerShell, CLI and REST API:

+### [Azure portal](#tab/portal-periodic)

+**For Arc-enabled servers**, no onboarding is required for using periodic assessment feature.

+**For Azure machines**, your subscription needs to be allowlisted for preview feature **InGuestAutoAssessmentVMPreview**.

+Follow the steps below to register for the *InGuestAutoAssessmentVMPreview* feature:

+1. Sign in to the Update management center (preview) portal link: **https://aka.ms/umc-preview**.

+1. In the Azure portal menu, search for **Preview features** and select it from the available options.

+1. In the **Preview features** page, search for **InGuestAutoAssessmentVMPreview**.

+1. Select **Virtual Machine Guest Automatic Patch Assessment Preview** from the list.

+1. In the **Virtual Machine Guest Automatic Patch Assessment Preview** pane, select **Register** to register the provider with your subscription.

+After your register for the above feature, go to update management center (preview) portal link: **https://aka.ms/umc-preview**.

+### [PowerShell](#tab/ps-periodic)

+**Arc-enabled servers** - No onboarding is required to use periodic assessment feature.

+**Azure VMs**

+For Azure VMs, to register the resource provider, use:

+```azurepowershell

+Register-AzResourceProvider -FeatureName InGuestAutoAssessmentVMPreview -ProviderNamespace Microsoft.Compute

+```

+### [CLI](#tab/cli-periodic)

+To enable periodic assessment feature in Azure for your subscription use the Azure CLI [az feature register](/cli/azure/feature#az_feature_register) command.

+**Arc-enabled servers** - No onboarding is required for using Periodic assessment feature.

+**Azure machines** - To register the resource provider, use:

+```azurecli

+az feature register --namespace Microsoft.Compute --name InGuestAutoAssessmentVMPreview

+```

+### [REST API](#tab/rest-periodic-assessment)

+To enable periodic assessment feature in Azure for your subscription use the [Azure REST API](/rest/api/azure).

+>[!NOTE]

+> This option is only applicable to Azure VMs.

+To register a resource provider, use:

+```rest

+POST on `/subscriptions/subscriptionId/providers/Microsoft.Features/providers/Microsoft.Compute/features/InGuestAutoAssessmentVMPreview/register?api-version=2015-12-01`

+```

+Replace the value `subscriptionId` with the ID of the target subscription.

+>[!NOTE]

+> This preview feature will be auto-approved.

+## Next steps

+* [View updates for single machine](view-updates.md)

+* [Deploy updates now (on-demand) for single machine](deploy-updates.md)

+* [Schedule recurring updates](scheduled-patching.md)

+* [Manage update settings via Portal](manage-update-settings.md)

+* [Manage multiple machines using update management center](manage-multiple-machines.md)

+ Title: Programmatically manage updates for Azure Arc-enabled servers in Update management center (preview)

+description: This article tells how to use Update management center (preview) using REST API with Azure Arc-enabled servers.

+# How to programmatically manage updates for Azure Arc-enabled servers

+This article walks you through the process of using the Azure REST API to trigger an assessment and an update deployment on your Azure Arc-enabled servers with update management (preview) in Azure. If you are new to update management center (preview) and you want to learn more, see [overview of update management center (preview)](overview.md). To use the Azure REST API to manage Azure virtual machines, see [How to programmatically work with Azure virtual machines](manage-vms-programmatically.md).

+Update management center (preview) in Azure enables you to use the [Azure REST API](/rest/api/azure) for access programmatically. Additionally, you can use the appropriate REST commands from [Azure PowerShell](/powershell/azure) and [Azure CLI](/cli/azure).

+Support for Azure REST API to manage Azure Arc-enabled servers is available through the update management center (preview) virtual machine extension.

+## Update assessment

+To trigger an update assessment on your Azure Arc-enabled server, specify the following POST request:

+```rest

+POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/provider/Microsoft.HybridCompute/machines/machineName/assessPatches?api-version=2020-08-15-preview`

+{

+}

+```

+# [Azure CLI](#tab/cli)

+To specify the POST request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method post --url https://management.azure.com/subscriptions/subscriptionId/resourceGroups/resourceGroupName/provider/Microsoft.HybridCompute/machines/machineName/assessPatches?api-version=2020-08-15-preview --body @body.json

+```

+The format of the request body for version 2020-08-15 is as follows:

+```json

+{

+}

+```

+# [Azure PowerShell](#tab/powershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod

+ -ResourceGroupName resourceGroupName

+ -Name "machineName"

+ -ResourceProviderName "Microsoft.HybridCompute"

+ -ResourceType "machines"

+ -ApiVersion 2020-08-15-preview

+ -Payload '{

+ }'

+ -Method POST

+```

+## Update deployment

+To trigger an update deployment to your Azure Arc-enabled server, specify the following POST request:

+```rest

+POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/provider/Microsoft.HybridCompute/machines/machineName/installPatches?api-version=2020-08-15-preview`

+```

+#### Request body

+The following table describes the elements of the request body:

+| Property | Description |

+|-|-|

+| `maximumDuration` | Maximum amount of time in minutes the OS update operation can take. It must be an ISO 8601-compliant duration string such as `PT100M`. |

+| `rebootSetting` | Flag to state if machine should be rebooted if Guest OS update installation needs it for completion. Acceptable values are: `IfRequired, NeverReboot, AlwaysReboot`. |

+| `windowsParameters` | Parameter options for Guest OS update on machine running a supported Microsoft Windows Server operating system. |

+| `windowsParameters - classificationsToInclude` | List of categories or classifications of OS updates to apply, as supported and provided by Windows Server OS. Acceptable values are: `Critical, Security, UpdateRollUp, FeaturePack, ServicePack, Definition, Tools, Update` |

+| `windowsParameters - kbNumbersToInclude` | List of Windows Update KB IDs that are available to the machine and need to be installed. If you have included any 'classificationsToInclude', the KBs available in the category will be installed. 'kbNumbersToInclude' is an option to provide list of specific KB IDs over and above that you want to get installed. For example: `1234` |

+| `windowsParameters - kbNumbersToExclude` | List of Windows Update KB Ids that are available to the machine and should **not** to be installed. If you have included any 'classificationsToInclude', the KBs available in the category will be installed. 'kbNumbersToExclude' is an option to provide list of specific KB IDs that you want to ensure don't get installed. For example: `5678` |

+| `linuxParameters` | Parameter options for Guest OS update when machine is running supported Linux distribution |

+| `linuxParameters - classificationsToInclude` | List of categories or classifications of OS updates to apply, as supported & provided by Linux OS's package manager used. Acceptable values are: `Critical, Security, Others`. For more information, see [Linux package manager and OS support](./support-matrix.md#supported-operating-systems). |

+| `linuxParameters - packageNameMasksToInclude` | List of Linux packages that are available to the machine and need to be installed. If you have included any 'classificationsToInclude', the packages available in the category will be installed. 'packageNameMasksToInclude' is an option to provide list of packages over and above that you want to get installed. For example: `mysql, libc=1.0.1.1, kernel*` |

+| `linuxParameters - packageNameMasksToExclude` | List of Linux packages that are available to the machine and should **not** be installed. If you have included any 'classificationsToInclude', the packages available in the category will be installed. 'packageNameMasksToExclude' is an option to provide list of specific packages that you want to ensure don't get installed. For example: `mysql, libc=1.0.1.1, kernel*` |

+# [Azure REST API](#tab/rest)

+To specify the POST request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+POST on 'subscriptions/subscriptionI/resourceGroups/resourceGroupName/providers/Microsoft.HybridCompute/machines/machineName/installPatches?api-version=2020-08-15-preview

+{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }'

+```

+# [Azure CLI](#tab/azurecli)

+To specify the POST request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method post --url https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/Test/providers/Microsoft.HybridCompute/machines/WIN-8/installPatches?api-version=2020-08-15-preview @body.json

+```

+The format of the request body for version 2020-08-15 is as follows:

+```json

+{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }

+```

+# [Azure PowerShell](#tab/azurepowershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod

+ -ResourceGroupName resourceGroupName

+ -Name "machineName"

+ -ResourceProviderName "Microsoft.HybridCompute"

+ -ResourceType "machines"

+ -ApiVersion 2020-08-15-preview

+ -Payload '{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }'

+ -Method POST

+```

+## Create a maintenance configuration schedule

+To create a maintenance configuration schedule, specify the following PUT request:

+```rest

+PUT on `/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenanceConfigurationsName>?api-version=2021-09-01-preview`

+```

+#### Request body

+The following table describes the elements of the request body:

+| Property | Description |

+|-|-|

+| `id` | Fully qualified identifier of the resource |

+| `location` | Gets or sets location of the resource |

+| `name` | Name of the resource |

+| `properties.extensionProperties` | Gets or sets extensionProperties of the maintenanceConfiguration |

+| `properties.maintenanceScope` | Gets or sets maintenanceScope of the configuration |

+| `properties.maintenanceWindow.duration` | Duration of the maintenance window in HH:mm format. If not provided, default value will be used based on maintenance scope provided. Example: 05:00. |

+| `properties.maintenanceWindow.expirationDateTime` | Effective expiration date of the maintenance window in YYYY-MM-DD hh:MM format. The window will be created in the time zone provided and adjusted to daylight savings according to that time zone. Expiration date must be set to a future date. If not provided, it will be set to the maximum datetime 9999-12-31 23:59:59. |

+| `properties.maintenanceWindow.recurEvery` | Rate at which a Maintenance window is expected to recur. The rate can be expressed as daily, weekly, or monthly schedules. Daily schedule are formatted as recurEvery: [Frequency as integer]['Day(s)']. If no frequency is provided, the default frequency is 1. Daily schedule examples are recurEvery: Day, recurEvery: 3Days. Weekly schedule are formatted as recurEvery: [Frequency as integer]['Week(s)'] [Optional comma separated list of weekdays Monday-Sunday]. Weekly schedule examples are recurEvery: 3Weeks, recurEvery: Week Saturday,Sunday. Monthly schedules are formatted as [Frequency as integer]['Month(s)'] [Comma separated list of month days] or [Frequency as integer]['Month(s)'] [Week of Month (First, Second, Third, Fourth, Last)] [Weekday Monday-Sunday]. Monthly schedule examples are recurEvery: Month, recurEvery: 2Months, recurEvery: Month day23,day24, recurEvery: Month Last Sunday, recurEvery: Month Fourth Monday. |

+| `properties.maintenanceWindow.startDateTime` | Effective start date of the maintenance window in YYYY-MM-DD hh:mm format. The start date can be set to either the current date or future date. The window will be created in the time zone provided and adjusted to daylight savings according to that time zone. |

+| `properties.maintenanceWindow.timeZone` | Name of the timezone. List of timezones can be obtained by executing [System.TimeZoneInfo]::GetSystemTimeZones() in PowerShell. Example: Pacific Standard Time, UTC, W. Europe Standard Time, Korea Standard Time, Cen. Australia Standard Time. |

+| `properties.namespace` | Gets or sets namespace of the resource |

+| `properties.visibility` | Gets or sets the visibility of the configuration. The default value is 'Custom' |

+| `systemData` | Azure Resource Manager metadata containing createdBy and modifiedBy information. |

+| `tags` | Gets or sets tags of the resource |

+| `type` | Type of the resource |

+# [Azure REST API](#tab/rest)

+To specify the POST request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+PUT on '/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourceGroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestAdv2?api-version=2021-09-01-preview

+{

+ "location": "eastus2euap",

+ "properties": {

+ "namespace": null,

+ "extensionProperties": {},

+ "maintenanceScope": "InGuestPatch",

+ "maintenanceWindow": {

+ "startDateTime": "2021-08-21 01:18",

+ "expirationDateTime": "2221-05-19 03:30",

+ "duration": "01:30",

+ "timeZone": "India Standard Time",

+ "recurEvery": "Day"

+ },

+ "visibility": "Custom",

+ "installPatches": {

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "Critical",

+ "UpdateRollup"

+ ]

+ },

+ "linuxParameters": {

+ "classificationsToInclude": [

+ "Other"

+ ]

+ }

+ }

+ }

+}'

+```

+# [Azure CLI](#tab/azurecli)

+To specify the PUT request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method put --url https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenanceConfigurationsName>?api-version=2021-09-01-preview @body.json

+```

+The format of the request body is as follows:

+```json

+{

+ "location": "eastus2euap",

+ "properties": {

+ "namespace": null,

+ "extensionProperties": {},

+ "maintenanceScope": "InGuestPatch",

+ "maintenanceWindow": {

+ "startDateTime": "2021-08-21 01:18",

+ "expirationDateTime": "2221-05-19 03:30",

+ "duration": "01:30",

+ "timeZone": "India Standard Time",

+ "recurEvery": "Day"

+ },

+ "visibility": "Custom",

+ "installPatches": {

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "Critical",

+ "UpdateRollup"

+ ]

+ },

+ "linuxParameters": {

+ "classificationsToInclude": [

+ "Other"

+ ]

+ }

+ }

+ }

+}

+```

+# [Azure PowerShell](#tab/azurepowershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod -Path "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenanceConfigurationsName>?api-version=2021-09-01-preview"

+-Method PUT `

+-Payload '{

+ "location": "eastus2euap",

+ "properties": {

+ "namespace": null,

+ "extensionProperties": {},

+ "maintenanceScope": "InGuestPatch",

+ "maintenanceWindow": {

+ "startDateTime": "2021-12-21 01:18",

+ "expirationDateTime": "2221-05-19 03:30",

+ "duration": "01:30",

+ "timeZone": "India Standard Time",

+ "recurEvery": "Day"

+ },

+ "visibility": "Custom",

+ "installPatches": {

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "Critical",

+ "UpdateRollup"

+ ]

+ },

+ "linuxParameters": {

+ "classificationsToInclude": [

+ "Other"

+ ]

+ }

+ }

+ }

+}'

+```

+## Associate a VM with a schedule

+To associate a VM with a maintenance configuration schedule, specify the following PUT request:

+```rest

+PUT on `<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview`

+```

+# [Azure REST API](#tab/rest)

+To specify the PUT request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+PUT on '/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourceGroups/atscalepatching/providers/Microsoft.Compute/virtualMachines/win-atscalepatching-1/providers/Microsoft.Maintenance/configurationAssignments/TestAzureInGuestAdv?api-version=2021-09-01-preview

+{

+ "properties": {

+ "maintenanceConfigurationId": "/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ },

+ "location": "eastus2euap"

+}'

+```

+# [Azure CLI](#tab/azurecli)

+To specify the PUT request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method put --url https://management.azure.com/<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview @body.json

+```

+The format of the request body is as follows:

+```json

+{

+ "properties": {

+ "maintenanceConfigurationId": "/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ },

+ "location": "eastus2euap"

+}

+```

+# [Azure PowerShell](#tab/azurepowershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod -Path "<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview"

+-Method PUT `

+-Payload '{

+ "properties": {

+ "maintenanceConfigurationId": "/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ },

+ "location": "eastus2euap"

+}'

+```

+## Next steps

+* To view update assessment and deployment logs generated by Update management center (preview), see [query logs](query-logs.md).

+* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) Update management center (preview).

+ Title: Manage multiple machines in update management center (preview)

+description: The article details how to use Update management center (preview) in Azure to manage multiple supported machines and view their compliance state in the Azure portal.

+# Manage multiple machines with update management center (Preview)

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+This article describes the various features that update management center (Preview) offers to manage the system updates on your machines. Using the update management center (preview), you can:

+- Quickly assess the status of available operating system updates.

+- Deploy updates.

+- Set up recurring update deployment schedule.

+- Get insights on the number of machines managed.

+- Information on how they're managed, and other relevant details.

+Instead of performing these actions from a selected Azure VM or Arc-enabled server, you can manage all your machines in the Azure subscription.

+## View update management center (Preview) status

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. To view update assessment across all machines, including Azure Arc-enabled servers navigate to **Update management center(Preview)**.

+ :::image type="content" source="./media/manage-multiple-machines/overview-page-inline.png" alt-text="Screenshot of update management center overview page in the Azure portal." lightbox="./media/manage-multiple-machines/overview-page-expanded.png":::

+

+ In the **Overview** page - the summary tiles show the following status:

+ - **Filters**ΓÇöuse filters to focus on a subset of your resources. The selectors above the tiles return **Subscription**, **Resource group**, **Resource type** (Azure VMs and Arc-enabled servers) **Location**, and **OS** type (Windows or Linux) based on the Azure role-based access rights you've been granted. You can combine filters to scope to a specific resource.

+ - **Update status of machines**ΓÇöshows the update status information for assessed machines that had applicable or needed updates. You can filter the results based on classification types. By default, all [classifications](/azure/automation/update-management/overview#update-classifications) are selected and as per the classification selection, the tile is updated.

+ The graph provides a snapshot for all your machines in your subscription, regardless of whether you have used update management center (preview) for that machine. This assessment data comes from Azure Resource Graph, and it stores the data for seven days.

+ From the assessment data available, machines are classified into the following categories:

+ - **No updates available**ΓÇöno updates are pending for these machines and these machines are up to date.

+ - **Updates available**ΓÇöupdates are pending for these machines and these machines aren't up to date.

+ - **Reboot Required**ΓÇöpending a reboot for the updates to take effect.

+ - **No updates data**ΓÇöno assessment data is available for these machines.

+

+ There following could be the reasons for no assessment data:

+ - No assessment has been done over the last seven days

+ - The machine has an unsupported OS

+ - The machine is in an unsupported region and you can't perform an assessment.

+ - **Patch orchestration configuration of Azure virtual machines** ΓÇö all the Azure or Arc-enabled machines inventoried in the subscription are summarized by each update orchestration method. Values are:

+ - **Azure orchestrated**ΓÇöthis mode enables automatic VM guest patching for the Azure virtual machine and Arc-enabled server. Subsequent patch installation is orchestrated by Azure.

+ - **Image Default**ΓÇöfor Linux machines, it uses the default patching configuration.

+ - **OS orchestrated**ΓÇöthe OS automatically updates the machine.

+ - **Manual updates**ΓÇöyou control the application of patches to a machine by applying patches manually inside the machine. In this mode, automatic updates are disabled for Windows OS.

+ For more information about each orchestration method see, [automatic VM guest patching for Azure VMs](/azure/virtual-machines/automatic-vm-guest-patching#patch-orchestration-modes).

+ - **Update installation status**ΓÇöby default, the tile shows the status for the last 30 days. Using the **Time** picker, you can choose a different range. The values are:

+ - **Failed**ΓÇöis when one or more updates in the deployment have failed.

+ - **Completed**ΓÇöis when the deployment ends successfully by the time range selected.

+ - **Completed with warnings**ΓÇöis when the deployment is completed successfully but had warnings.

+ - **In progress**ΓÇöis when the deployment is currently running.

+- Select the **Update status of machines** or **Patch orchestration configuration of Azure Virtual machines** to go to the **Machines** page.

+- Select the **Update installation status**, to go to the **History** page.

+- **Pending Windows updates** ΓÇö the tile shows the status of pending updates for Windows machines in your subscription.

+- **Pending Linux updates** ΓÇö the tile shows the status of pending updates for Linux machines in your subscription.

+## Summary of machine status

+Update management center (preview) in Azure enables you to browse information about your Azure VMs and Arc-enabled servers across your Azure subscriptions relevant to update management center (preview). The section shows how you can filter information to understand the update status of your machine resources, and for multiple machines, initiate an update assessment, update deployment, and manage their update settings.

+ In the update management center (preview) page, select **Machines** from the left menu.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-machines-page-inline.png" alt-text="Screenshot of update management center(preview) Machines page in the Azure portal." lightbox="./media/manage-multiple-machines/update-center-machines-page-expanded.png":::

+ On the page, the table lists all the machines in the specified subscription, and for each machine it helps you understand the following details that show up based on the latest assessment.

+ - **Update status**ΓÇöthe total number of updates available identified as applicable to the machine's OS.

+ - **Operating system**ΓÇöthe operating system running on the machine.

+ - **Resource type**ΓÇöthe machine is either hosted in Azure or is a hybrid machine managed by Arc-enabled servers.

+ - **Patch orchestration**ΓÇö the patches are applied following availability-first principles and managed by Azure.

+ - **Periodic assessment**ΓÇöan update setting that allows you to enable automatic periodic checking of updates.

+The column **Patch Orchestration**, in the machine's patch mode has the following values:

+ * **Automatic by OS**ΓÇöthe machine is automatically updated by the OS.

+ * **Azure orchestrated**ΓÇöfor a group of virtual machines undergoing an update, the Azure platform will orchestrate updates. The VM is set to [automatic VM guest patching](/azure/virtual-machines/automatic-vm-guest-patching), and for an Azure virtual machine scale set, it's set to [automatic OS image upgrade](/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade).

+ * **Image Default**ΓÇöfor Linux machines, its default patching configuration is used.

+ * **Manual**ΓÇöyou control the application of patches to a machine by applying patches manually inside the machine. In this mode automatic updates are disabled for Windows OS.

+The machine's statusΓÇöfor an Azure VM, it shows it's [power state](/azure/virtual-machines/states-billing#power-states-and-billing), and for an Arc-enabled server, it shows if it's connected or not.

+Use filters to focus on a subset of your resources. The selectors above the tiles return subscriptions, resource groups, resource types (that is, Azure VMs and Arc-enabled servers), regions, etc. and are based on the Azure role-based access rights you've been granted. You can combine filters to scope to a specific resource.

+The summary tiles at the top of the page summarize the number of machines that have been assessed and their update status.

+To manage the machine's update settings, see [Manage update configuration settings](manage-update-settings.md).

+### Check for updates

+For machines that haven't had a compliance assessment scan for the first time, you can select one or more of them from the list and then select the **Check for updates**. You'll receive status messages as the configuration is performed.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-assess-now-multi-selection-inline.png" alt-text="Screenshot of initiating a scan assessment for selected machines with the check for updates option." lightbox="./media/manage-multiple-machines/update-center-assess-now-multi-selection-expanded.png":::

+ Otherwise, a compliance scan is initiated, and then the results are forwarded and stored in **Azure Resource Graph**. This process takes several minutes. When the assessment is completed, a confirmation message appears on the page.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-assess-now-complete-banner-inline.png" alt-text="Screenshot of assessment banner on Manage Machines page." lightbox="./media/manage-multiple-machines/update-center-assess-now-complete-banner-expanded.png":::

+Select a machine from the list to open update management center (Preview) scoped to that machine. Here, you can view its detailed assessment status, update history, configure its patch orchestration options, and initiate an update deployment.

+### Deploy the updates

+For assessed machines that are reporting updates available, select one or more of the machines from the list and initiate an update deployment that starts immediately. Select the machine and go to **One-time update**.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-install-updates-now-multi-selection-inline.png" alt-text="Screenshot of install one time updates for machine(s) on updates preview page." lightbox="./media/manage-multiple-machines/update-center-install-updates-now-multi-selection-expanded.png":::

+

+ A notification appears to confirm that an activity has started and another is created when it's completed. When it's successfully completed, the installation operation results are available to view from either the **Update history** tab, when you select the machine from the **Machines** page, or on the **History** page, which you're redirected to automatically after initiating the update deployment. The status of the operation can be viewed at any time from the [Azure Activity log](/azure/azure-monitor/essentials/activity-log).

+### Set up a recurring update deployment

+You can create a recurring update deployment for your machines. Select your machine and select **Scheduled updates**. This opens [Create new maintenance configuration](scheduled-patching.md) flow.

+## Update deployment history

+Update management center (preview) enables you to browse information about your Azure VMs and Arc-enabled servers across your Azure subscriptions relevant to Update management center (preview). You can filter information to understand the update assessment and deployment history for multiple machines. In Update management center (preview), select **History** from the left menu.

+## Update deployment history by machines

+Provides a summarized status of update and assessment actions performed against your Azure VMs and Arc-enabled servers. You can also drill into a specific machine to view update-related details and manage it directly, review the detailed update or assessment history for the machine, and other related details in the table.

+ - **Machine Name**

+ - **Status**

+ - **Update installed**

+ - **Update operation**

+ - **Operation type**

+ - **Operation start time**

+ - **Resource Type**

+ - **Tags**

+ - **Last assessed time**

+## Update deployment history by maintenance run ID

+In the **History** page, select **By maintenance run ID** to view the history of the maintenance run schedules. Each record shows

+ :::image type="content" source="./media/manage-multiple-machines/update-center-history-by-maintenance-run-id-inline.png" alt-text="Screenshot of update center History page by maintenance run ID in the Azure portal." lightbox="./media/manage-multiple-machines/update-center-history-by-maintenance-run-id-expanded.png":::

+- **Maintenance run ID**

+- **Status**

+- **Updated machines**

+- **Operation start time**

+- **Operation end time**

+When you select any one maintenance run ID record, you can view an expanded status of the maintenance run. It contains information about machines and updates. It includes the number of machines that were updated and updates installed on them, along with the status of each of the machines in the form of a pie chart. At the end of the page, it contains a list view of both machines and updates that were a part of this maintenance run.

+ :::image type="content" source="./media/manage-multiple-machines/update-center-maintenance-run-record-inline.png" alt-text="Screenshot of maintenance run ID record." lightbox="./media/manage-multiple-machines/update-center-maintenance-run-record-expanded.png":::

+### Resource Graph

+The update assessment and deployment data are available for querying in Azure Resource Graph. You can apply this data to scenarios that include security compliance, security operations, and troubleshooting. Select **Go to resource graph** to go to the Azure Resource Graph Explorer. It enables running Resource Graph queries directly in the Azure portal. Resource Graph supports Azure CLI, Azure PowerShell, Azure SDK for Python, and more. For more information, see [First query with Azure Resource Graph Explorer](/azure/governance/resource-graph/first-query-portal).

+When the Resource Graph Explorer opens, it is automatically populated with the same query used to generate the results presented in the table on the **History** page in Update management center (preview). Ensure that you review the [query Update logs](query-logs.md) article to learn about the log records and their properties, and the sample queries included.

+## Next steps

+* To set up and manage recurring deployment schedules, see [Schedule recurring updates](scheduled-patching.md)

+* To view update assessment and deployment logs generated by update management center (preview), see [query logs](query-logs.md).

+ Title: Manage update configuration settings in Update management center (preview)

+description: The article describes how to manage the update settings for your Windows and Linux machines managed by Update management center (preview).

+# Manage Update configuration settings

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers.

+The article describes how to configure update settings from Update management center (preview) in Azure, to control the update settings on your Azure VMs and Arc-enabled servers for one or more machines.

+## Configure settings on single VM

+To configure update settings on your machines on a single VM, follow these steps:

+>[!NOTE]

+> You can schedule updates from the Overview or Machines blade in update management center (preview) page or from the selected VM.

+# [From Overview blade](#tab/manage-single-overview)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Update management center**, select **Overview**, select your **Subscription**, and select **Update settings**.

+1. In **Change update settings**, select the update settings that you want to change for your machine and select **Next**.

+ :::image type="content" source="./media/manage-update-settings/update-setting-to-change.png" alt-text="Highlighting the Update settings to change option in the Azure portal.":::

+

+ The following update settings are available for configuration for the selected machine(s):

+ - **Periodic assessment** - enable periodic **Assessment** to run every 24 hours.

+ >[!NOTE]

+ > You must [register for the periodic assessement](/azure/update-center/enable-machines?branch=release-updatecenterv2-publicpreview&tabs=portal-periodic%2Cps-periodic-assessment%2Ccli-periodic-assessment%2Crest-periodic-assessment) in your Azure subscription to enable this feature.

+ - **Hot patching** - for Azure VMs, you can enable [hot patching](/azure/automanage/automanage-hotpatch) on supported Windows Server Azure Edition Virtual Machines (VMs) don't require a reboot after installation. You can use update management center (preview) to install patches with other patch classifications or to schedule patch installation when you require immediate critical patch deployment.

+ - **Patch orchestration** option provides the following:

+ - **Automatic by operating system** - When the workload running on the VM doesn't have to meet availability targets, operating system updates are automatically downloaded and installed. Machines are rebooted as needed.

+ - **Azure-orchestrated (preview)** - Available *Critical* and *Security* patches are downloaded and applied automatically on the Azure VM using [automatic VM guest patching](/azure/virtual-machines/automatic-vm-guest-patching). This process kicks off automatically every month when new patches are released. Patch assessment and installation are automatic, and the process includes rebooting the VM as required.

+ - **Manual updates** - Configures the Windows Update agent by setting [configure automatic updates](/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates#configure-automatic-updates).

+ - **Image Default** - Only supported for Linux Virtual Machines, this mode honors the default patching configuration in the image used to create the VM.

+1. In **Machines**, select the checkbox for your machine and Select **Next** to continue.

+1. In **Review and change**, verify your selected resources and the update settings and select **Review and change**.

+# [From Machines blade](#tab/manage-single-machines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Update management center**, select **Machines**, your **subscription**, and select the checkbox of your machine from the list and select **Update settings**.

+1. Select **Update Settings** to proceed with the type of update for your machine.

+1. In **Change update settings**, you can select the update settings that you want to change for your machines and follow the procedure from step 3 listed in **From Overview blade** of [Configure settings on single VM](#configure-settings-on-single-vm).

+# [From a selected VM](#tab/singlevm-schedule-home)

+>[!NOTE]

+> **For Azure machines**, your subscription needs to be allowlisted for preview feature. For more information, see

+[On-boarding preview features](enable-machines.md)

+1. Select your virtual machine and the **virtual machines | Updates** page opens.

+1. Under **Operations**, select **Updates**.

+1. In **Updates**, select **Go to Updates using Update Center**.

+1. In **Updates preview**, select **Update Settings**.

+1. In **Change update settings**, you can select the update settings that you want to change for your machine and follow the procedure from step 3 listed in **From Overview blade** of [Configure settings on single VM](#configure-settings-on-single-vm).

+A notification appears to confirm that the update settings are successfully changed.

+## Configure settings at scale

+To configure update settings on your machines at scale, follow these steps:

+>[!NOTE]

+> You can schedule updates from the Overview or Machines blade.

+# [From Overview blade](#tab/manage-scale-overview)

+

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Update management center**, select **Overview**, select your **Subscription** and select **Update settings**.

+1. In **Change update settings**, select the update settings that you want to change for your machines follow the procedure from step 3 listed in **From Overview blade** of [Configure settings on single VM](#configure-settings-on-single-vm).

+# [From Machines blade](#tab/manage-scale-machines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In **Update management center**, select **Machines**, your **subscription**, and select the checkbox for all your machines from the list and select **Update settings**.

+1. Select **Update Settings** to proceed with the type of update for your machines.

+1. In **Change update settings**, you can select the update settings that you want to change for your machine and follow the procedure from step 3 listed in **From Overview blade** of [Configure settings on single VM](#configure-settings-on-single-vm).

+A notification appears to confirm that the update settings are successfully changed.

+## Next steps

+* [View assessment compliance](view-updates.md) and [deploy updates](deploy-updates.md) for a selected Azure VM or Arc-enabled server, or across [multiple machines](manage-multiple-machines.md) in your subscription in the Azure portal.

+* To view update assessment and deployment logs generated by update management center (preview), see [query logs](query-logs.md).

+* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) update management center (preview).

+ Title: Programmatically manage updates for Azure VMs

+description: This article tells how to use update management center (preview) in Azure using REST API with Azure virtual machines.

+# How to programmatically manage updates for Azure VMs

+This article walks you through the process of using the Azure REST API to trigger an assessment and an update deployment on your Azure virtual machine with update management center (preview) in Azure. If you are new to update management center (preview) and you want to learn more, see [overview of update management center (preview)](overview.md). To use the Azure REST API to manage Arc-enabled servers, see [How to programmatically work with Arc-enabled servers](manage-arc-enabled-servers-programmatically.md).

+Update management center (private preview) in Azure enables you to use the [Azure REST API](/rest/api/azure/) for access programmatically. Additionally, you can use the appropriate REST commands from [Azure PowerShell](/powershell/azure/) and [Azure CLI](/cli/azure/).

+Support for Azure REST API to manage Azure VMs is available through the update management center (preview) virtual machine extension.

+## Update assessment

+To trigger an update assessment on your Azure VM, specify the following POST request:

+```rest

+POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Compute/virtualMachines/virtualMachineName/assessPatches?api-version=2020-12-01`

+```

+# [Azure CLI](#tab/cli)

+To specify the POST request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method post --url https://management.azure.com/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Network/Microsoft.Compute/virtualMachines/virtualMachineName/assessPatches?api-version=2020-12-01

+```

+# [Azure PowerShell](#tab/powershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod

+ -ResourceGroupName resourceGroupName

+ -Name "virtualMachineName"

+ -ResourceProviderName "Microsoft.Compute"

+ -ResourceType "virtualMachines"

+ -ApiVersion xx

+ -Payload '{

+ }'

+ -Method POST

+```

+## Update deployment

+To trigger an update deployment to your Azure VM, specify the following POST request:

+```rest

+POST on `subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Compute/machines/virtualMachineName/installPatches?api-version=2020-12-01`

+```

+#### Request body

+The following table describes the elements of the request body:

+| Property | Description |

+|-|-|

+| `maximumDuration` | Maximum amount of time that the operation runs. It must be an ISO 8601-compliant duration string such as `PT4H` (4 hours). |

+| `rebootSetting` | Flag to state if machine should be rebooted if Guest OS update installation requires it for completion. Acceptable values are: `IfRequired, NeverReboot, AlwaysReboot`. |

+| `windowsParameters` | Parameter options for Guest OS update on Azure VMs running a supported Microsoft Windows Server operating system. |

+| `windowsParameters - classificationsToInclude` | List of categories/classifications to be used for selecting the updates to be installed on the machine. Acceptable values are: `Critical, Security, UpdateRollUp, FeaturePack, ServicePack, Definition, Tools, Update` |

+| `windowsParameters - kbNumbersToInclude` | List of Windows Update KB Ids that should be installed. All updates belonging to the classifications provided in `classificationsToInclude` list will be installed. `kbNumbersToInclude` is an optional list of specific KBs to be installed in addition to the classifications. For example: `1234` |

+| `windowsParameters - kbNumbersToExclude` | List of Windows Update KB Ids that should **not** be installed. This parameter overrides `windowsParameters - classificationsToInclude`, meaning a Windows Update KB Id specified here will not be installed even if it belongs to the classification provided under `classificationsToInclude` parameter. |

+| `linuxParameters` | Parameter options for Guest OS update on Azure VMs running a supported Linux server operating system. |

+| `linuxParameters - classificationsToInclude` | List of categories/classifications to be used for selecting the updates to be installed on the machine. Acceptable values are: `Critical, Security, Others` |

+| `linuxParameters - packageNameMasksToInclude` | List of Linux packages that should be installed. All updates belonging to the classifications provided in `classificationsToInclude` list will be installed. `packageNameMasksToInclude` is an optional list of package names to be installed in addition to the classifications. For example: `mysql, libc=1.0.1.1, kernel*` |

+| `linuxParameters - packageNameMasksToExclude` | List of updates that should **not** be installed. This parameter overrides `linuxParameters - packageNameMasksToExclude`, meaning a package specified here will not be installed even if it belongs to the classification provided under `classificationsToInclude` parameter. |

+# [Azure REST API](#tab/rest)

+To specify the POST request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+POST on 'subscriptions/{subscriptionId}/resourceGroups/acmedemo/providers/Microsoft.Compute/virtualMachines/ameacr/installPatches?api-version=2020-12-01

+{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }'

+```

+# [Azure CLI](#tab/azurecli)

+To specify the POST request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method post --url https://management.azure.com/subscriptions/subscriptionId/resourceGroups/resourceGroupName/providers/Microsoft.Compute/virtualMachines/virtualMachineName/installPatches?api-version==2020-12-01 @body.json

+```

+The format of the request body for version 2020-12-01 is as follows:

+```json

+{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }

+```

+# [Azure PowerShell](#tab/azurepowershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod

+ -ResourceGroupName resourceGroupName

+ -Name "machineName"

+ -ResourceProviderName "Microsoft.Compute"

+ -ResourceType "virtualMachines"

+ -ApiVersion 2020-12-01-preview

+ -Payload '{

+ "maximumDuration": "PT120M",

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "UpdateRollup",

+ "FeaturePack",

+ "ServicePack"

+ ],

+ "kbNumbersToInclude": [

+ "11111111111",

+ "22222222222222"

+ ],

+ "kbNumbersToExclude": [

+ "333333333333",

+ "55555555555"

+ ]

+ }

+ }'

+ -Method POST

+```

+## Create a maintenance configuration schedule

+To create a maintenance configuration schedule, specify the following PUT request:

+```rest

+PUT on `/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenanceConfigurationsName>?api-version=2021-09-01-preview`

+```

+#### Request body

+The following table describes the elements of the request body:

+| Property | Description |

+|-|-|

+| `id` | Fully qualified identifier of the resource |

+| `location` | Gets or sets location of the resource |

+| `name` | Name of the resource |

+| `properties.extensionProperties` | Gets or sets extensionProperties of the maintenanceConfiguration |

+| `properties.maintenanceScope` | Gets or sets maintenanceScope of the configuration |

+| `properties.maintenanceWindow.duration` | Duration of the maintenance window in HH:MM format. If not provided, default value will be used based on maintenance scope provided. Example: 05:00. |

+| `properties.maintenanceWindow.expirationDateTime` | Effective expiration date of the maintenance window in YYYY-MM-DD hh:mm format. The window will be created in the time zone provided and adjusted to daylight savings according to that time zone. Expiration date must be set to a future date. If not provided, it will be set to the maximum datetime 9999-12-31 23:59:59. |

+| `properties.maintenanceWindow.recurEvery` | Rate at which a maintenance window is expected to recur. The rate can be expressed as daily, weekly, or monthly schedules. Daily schedule are formatted as recurEvery: [Frequency as integer]['Day(s)']. If no frequency is provided, the default frequency is 1. Daily schedule examples are recurEvery: Day, recurEvery: 3Days. Weekly schedule are formatted as recurEvery: [Frequency as integer]['Week(s)'] [Optional comma separated list of weekdays Monday-Sunday]. Weekly schedule examples are recurEvery: 3Weeks, recurEvery: Week Saturday,Sunday. Monthly schedules are formatted as [Frequency as integer]['Month(s)'] [Comma separated list of month days] or [Frequency as integer]['Month(s)'] [Week of Month (First, Second, Third, Fourth, Last)] [Weekday Monday-Sunday]. Monthly schedule examples are recurEvery: Month, recurEvery: 2Months, recurEvery: Month day23,day24, recurEvery: Month Last Sunday, recurEvery: Month Fourth Monday. |

+| `properties.maintenanceWindow.startDateTime` | Effective start date of the maintenance window in YYYY-MM-DD hh:mm format. The start date can be set to either the current date or future date. The window will be created in the time zone provided and adjusted to daylight savings according to that time zone. |

+| `properties.maintenanceWindow.timeZone` | Name of the timezone. List of timezones can be obtained by executing [System.TimeZoneInfo]::GetSystemTimeZones() in PowerShell. Example: Pacific Standard Time, UTC, W. Europe Standard Time, Korea Standard Time, Cen. Australia Standard Time. |

+| `properties.namespace` | Gets or sets namespace of the resource |

+| `properties.visibility` | Gets or sets the visibility of the configuration. The default value is 'Custom' |

+| `systemData` | Azure Resource Manager metadata containing createdBy and modifiedBy information. |

+| `tags` | Gets or sets tags of the resource |

+| `type` | Type of the resource |

+# [Azure REST API](#tab/rest)

+To specify the POST request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+PUT on '/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourceGroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestAdv2?api-version=2021-09-01-preview

+{

+ "location": "eastus2euap",

+ "properties": {

+ "namespace": null,

+ "extensionProperties": {},

+ "maintenanceScope": "InGuestPatch",

+ "maintenanceWindow": {

+ "startDateTime": "2021-08-21 01:18",

+ "expirationDateTime": "2221-05-19 03:30",

+ "duration": "01:30",

+ "timeZone": "India Standard Time",

+ "recurEvery": "Day"

+ },

+ "visibility": "Custom",

+ "installPatches": {

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "Critical",

+ "UpdateRollup"

+ ]

+ },

+ "linuxParameters": {

+ "classificationsToInclude": [

+ "Other"

+ ]

+ }

+ }

+ }

+}'

+```

+# [Azure CLI](#tab/azurecli)

+To specify the PUT request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method put --url https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenanceConfigurationsName>?api-version=2021-09-01-preview @body.json

+```

+The format of the request body is as follows:

+```json

+{

+ "location": "eastus2euap",

+ "properties": {

+ "namespace": null,

+ "extensionProperties": {},

+ "maintenanceScope": "InGuestPatch",

+ "maintenanceWindow": {

+ "startDateTime": "2021-08-21 01:18",

+ "expirationDateTime": "2221-05-19 03:30",

+ "duration": "01:30",

+ "timeZone": "India Standard Time",

+ "recurEvery": "Day"

+ },

+ "visibility": "Custom",

+ "installPatches": {

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "Critical",

+ "UpdateRollup"

+ ]

+ },

+ "linuxParameters": {

+ "classificationsToInclude": [

+ "Other"

+ ]

+ }

+ }

+ }

+}

+```

+# [Azure PowerShell](#tab/azurepowershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod -Path "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenanceConfigurationsName>?api-version=2021-09-01-preview"

+-Method PUT `

+-Payload '{

+ "location": "eastus2euap",

+ "properties": {

+ "namespace": null,

+ "extensionProperties": {},

+ "maintenanceScope": "InGuestPatch",

+ "maintenanceWindow": {

+ "startDateTime": "2021-12-21 01:18",

+ "expirationDateTime": "2221-05-19 03:30",

+ "duration": "01:30",

+ "timeZone": "India Standard Time",

+ "recurEvery": "Day"

+ },

+ "visibility": "Custom",

+ "installPatches": {

+ "rebootSetting": "IfRequired",

+ "windowsParameters": {

+ "classificationsToInclude": [

+ "Security",

+ "Critical",

+ "UpdateRollup"

+ ]

+ },

+ "linuxParameters": {

+ "classificationsToInclude": [

+ "Other"

+ ]

+ }

+ }

+ }

+}'

+```

+## Associate a VM with a schedule

+To associate a VM with a maintenance configuration schedule, specify the following PUT request:

+```rest

+PUT on `<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview`

+```

+# [Azure REST API](#tab/rest)

+To specify the PUT request, you can use the following Azure REST API call with valid parameters and values.

+```rest

+PUT on '/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourceGroups/atscalepatching/providers/Microsoft.Compute/virtualMachines/win-atscalepatching-1/providers/Microsoft.Maintenance/configurationAssignments/TestAzureInGuestAdv?api-version=2021-09-01-preview

+{

+ "properties": {

+ "maintenanceConfigurationId": "/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ },

+ "location": "eastus2euap"

+}'

+```

+# [Azure CLI](#tab/azurecli)

+To specify the PUT request, you can use the Azure CLI [az rest](/cli/azure/reference-index#az_rest) command.

+```azurecli

+az rest --method put --url https://management.azure.com/<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview @body.json

+```

+The format of the request body is as follows:

+```json

+{

+ "properties": {

+ "maintenanceConfigurationId": "/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ },

+ "location": "eastus2euap"

+}

+```

+# [Azure PowerShell](#tab/azurepowershell)

+To specify the POST request, you can use the Azure PowerShell [Invoke-AzRestMethod](/powershell/module/az.accounts/invoke-azrestmethod) cmdlet.

+```azurepowershell

+Invoke-AzRestMethod -Path "<ARC or Azure VM resourceId>/providers/Microsoft.Maintenance/configurationAssignments/<configurationAssignment name>?api-version=2021-09-01-preview"

+-Method PUT `

+-Payload '{

+ "properties": {

+ "maintenanceConfigurationId": "/subscriptions/0f55bb56-6089-4c7e-9306-41fb78fc5844/resourcegroups/atscalepatching/providers/Microsoft.Maintenance/maintenanceConfigurations/TestAzureInGuestIntermediate2"

+ },

+ "location": "eastus2euap"

+}'

+```

+## Next steps

+* To view update assessment and deployment logs generated by update management center (preview), see [query logs](query-logs.md).

+* To troubleshoot issues, see [Troubleshoot](troubleshoot.md) update management center (preview).

+ Title: Update management center (preview) overview

+description: The article tells what update management center (preview) in Azure is and the system updates for your Windows and Linux machines in Azure, on-premises, and other cloud environments.

+# About Update management center (preview)

+Update management center (preview) is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. Using Update management center (preview), you can make updates in real-time or schedule them within a defined maintenance window.

+You can use the update management center (preview) in Azure to:

+- Oversee update compliance for your entire fleet of machines in Azure, on- premises, and other cloud environments.

+- Instantly deploy critical updates to help secure your machines.

+- Leverage flexible patching options such as [automatic VM guest patching](/azure/virtual-machines/automatic-vm-guest-patching) in Azure, [hot patching](/azure/automanage/automanage-hotpatch), and customer-defined maintenance schedules.

+We also offer other capabilities to help you manage updates for your Azure Virtual Machines (VM) that you should consider as part of your overall update management strategy. Review the Azure VM [Update options](/azure/virtual-machines/updates-maintenance-overview) to learn more about the options available.

+Before you enable your machines for update management center (preview), make sure that you understand the information in the following sections.

+> [!IMPORTANT]

+> Update management center (preview) can manage machines that are currently managed by Azure Automation [Update management](/azure/automation/update-management/overview) feature without interrupting your update management process. However, we don't recommend migrating from Automation Update Management since this preview gives you a chance to evaluate and provide feedback on features before it's generally available (GA).

+>

+> While update management center is in **preview**, the [Supplemental Terms of Use for Microsoft Azure Previews](/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Key benefits

+Update management center (preview) has been redesigned and doesn't depend on Azure Automation or Azure Monitor Logs, as required by the [Azure Automation Update Management feature](/azure/automation/update-management/overview). Update management center (preview) offers many new features and provides enhanced functionality over the original version available with Azure Automation and some of those benefits are listed below:

+- Provides native experience with zero on-boarding.

+ - Built as native functionality on Azure Compute and Azure Arc for Servers platform for ease of use.

+ - No dependency on Log Analytics and Azure Automation.

+ - Azure policy support.

+ - Global availability in all Azure Compute and Azure Arc regions.

+- Works with Azure roles and identity.

+ - Granular access control at per resource level instead of access control at Automation account and Log Analytics workspace level.

+ - Update management center now as Azure Resource Manager based operations. It allows RBAC and roles based of ARM in Azure.

+- Enhanced flexibility

+ - Ability to take immediate action either by installing updates immediately or schedule them for a later date.

+ - Check updates automatically or on demand.

+ - Helps secure machines with new ways of patching such as [automatic VM guest patching](/azure/virtual-machines/automatic-vm-guest-patching) in Azure, [hotpatching](/azure/automanage/automanage-hotpatch) or custom maintenance schedules.

+ - Sync patch cycles in relation to patch TuesdayΓÇöthe unofficial term for Microsoft's scheduled security fix release on every Tuesday.

+The following diagram illustrates how update management center (preview) assesses and applies updates to all Azure machines and Arc-enabled servers for both Windows and Linux.

+

+To support management of your Azure VM or non-Azure machine, update management center (preview) relies on a new [Azure extension](/azure/virtual-machines/extensions/overview) designed to provide all the functionality required to interact with the operating system to manage the assessment and application of updates. This extension is automatically installed when you initiate any update management center operations such as **check for updates**, **install one time update**, **periodic assessment** on your machine. The extension supports deployment to Azure VMs or Arc-enabled servers using the extension framework. The update management center (preview) extension is installed and managed using the following:

+- [Azure virtual machine Windows agent](/azure/virtual-machines/extensions/agent-windows) or [Azure virtual machine Linux agent](/azure/virtual-machines/extensions/agent-linux) for Azure VMs.

+- [Azure arc-enabled servers agent](/azure/azure-arc/servers/agent-overview) for non-Azure Linux and Windows machines or physical servers.

+ The extension agent installation and configuration is managed by update management center (preview) and there's no manual intervention required as long as the Azure VM agent or Azure Arc-enabled server agent is functional. The update management center (preview) extension runs code locally on the machine to interact with the operating system, and it includes:

+- Retrieving the assessment information about status of system updates for it specified by the Windows Update client or Linux package manager.

+- Initiating the download and installation of approved updates with Windows Update client or Linux package manager.

+All assessment information and update installation results are reported to update management center (preview) from the extension and is available for analysis with [Azure Resource Graph](/azure/governance/resource-graph/overview). You can view up to the last seven days of assessment data, and up to the last 30 days of update installation results.

+The machines assigned to update management center (preview) report how up to date they're based on what source they're configured to synchronize with. [Windows Update Agent (WUA)](/windows/win32/wua_sdk/updating-the-windows-update-agent) on Windows machines can be configured to report to [Windows Server Update Services](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or Microsoft Update which is by default, and Linux machines can be configured to report to a local or public YUM or APT package repository. If the Windows Update Agent is configured to report to WSUS, depending on when WSUS last synchronized with Microsoft update, the results in update management center (preview) might differ from what Microsoft update shows. This behavior is the same for Linux machines that are configured to report to a local repository instead of a public package repository.

+>[!NOTE]

+> You can manage your Azure VMs or Arc-enabled servers directly, or at-scale with update management center (preview).

+## Prerequisites

+Along with the prerequisites listed below, see [support matrix](support-matrix.md) for update management center (preview).

+### Role

+**Resource** | **Role**

+ |

+|Azure VM | [Azure Virtual Machine Contributor](/azure/role-based-access-control/built-in-roles#virtual-machine-contributor) or Azure [Owner](/azure/role-based-access-control/built-in-roles#owner).

+Arc enabled server | [Azure Connected Machine Resource Administrator](/azure/azure-arc/servers/security-overview#identity-and-access-control).

+### Permissions

+You need the following permissions to create and manage update deployments. The following table shows the permissions needed when using update management center (preview).

+

+**Actions** |**Permission** |**Scope** |

+ | | |

+|Install update on Azure VMs |*Microsoft.Compute/virtualMachines/installPatches/action* ||

+|Update assessment on Azure VMs |*Microsoft.Compute/virtualMachines/assessPatches/action* ||

+|Install update on Arc enabled server |*Microsoft.HybridCompute/machines/installPatches/action* ||

+|Update assessment on Arc enabled server |*Microsoft.HybridCompute/machines/assessPatches/action* ||

+|Create/modify maintenance configuration |*Microsoft.Maintenance/maintenanceConfigurations/write* |Subscription/resource group |

+|Create/modify configuration assignments |*Microsoft.Maintenance/configurationAssignments/write* |Machine |

+|Read permission for Maintenance updates resource |*Microsoft.Maintenance/updates/read* |Machine |

+|Read permission for Maintenance apply updates resource |*Microsoft.Maintenance/applyUpdates/read* |Machine |

+### Network planning

+To prepare your network to support update management center (preview), you may need to configure some infrastructure components.

+For Windows machines, you must allow traffic to any endpoints required by Windows Update agent. You can find an updated list of required endpoints in [Issues related to HTTP/Proxy](/windows/deployment/update/windows-update-troubleshooting#issues-related-to-httpproxy). If you have a local [WSUS](/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment) (WSUS) deployment, you must also allow traffic to the server specified in your [WSUS key](/windows/deployment/update/waas-wu-settings#configuring-automatic-updates-by-editing-the-registry).

+For Red Hat Linux machines, see [IPs for the RHUI content delivery servers](/azure/virtual-machines/workloads/redhat/redhat-rhui#the-ips-for-the-rhui-content-delivery-servers) for required endpoints. For other Linux distributions, see your provider documentation.

+### VM images

+Update management center (preview) supports Azure VMs created using Azure Marketplace images, where the virtual machine agent is already included in the Azure Marketplace image. If you have created Azure VMs using custom VM images and not an image from the Azure Marketplace, you need to manually install and enable the Azure virtual machine agent. For details, see:

+- [Manual install of Azure Windows VM agent](/azure/virtual-machines/extensions/agent-windows#manual-installation)

+- [Manual install of Azure Linux VM agent](/azure/virtual-machines/extensions/agent-linux#installation)

+

+## Next steps

+- [View updates for single machine](view-updates.md)

+- [Deploy updates now (on-demand) for single machine](deploy-updates.md)

+- [Schedule recurring updates](scheduled-patching.md)

+- [Manage update settings via Portal](manage-update-settings.md)

+- [Manage multiple machines using update management center](manage-multiple-machines.md)

+ Title: Enable periodic assessment using policy

+description: This article describes how to manage the update settings for your Windows and Linux machines managed by update management center (preview).

+# Automate assessment at scale using Policy to see latest update status

+This article describes how to enable Periodic Assessment for your machines at scale using Azure Policy. Periodic Assessment is a setting on your machine that enables you to see the latest updates available for your machines and removes the hassle of performing assessment manually every time you need to check the update status. Once you enable this setting, update management center (preview) fetches updates on your machine once every 24 hours.

+>[!NOTE]

+> You must [register for the periodic assessement](/azure/update-center/enable-machines?branch=release-updatecenterv2-publicpreview&tabs=portal-periodic%2Cps-periodic-assessment%2Ccli-periodic-assessment%2Crest-periodic-assessment) in your Azure subscription to enable this feature.

+## Enable Periodic assessment for your Azure machines using Policy

+1. Go to **Policy** from the Azure portal and under **Authoring**, go to **Definitions**.

+1. From the **Category** dropdown, select **Update management center**. Select *[Preview]: Configure periodic checking for missing system updates on Azure virtual machines* for Azure machines.

+1. When the Policy Definition opens, select Assign.

+1. In **Basics**, select your subscription as your scope. You can also specify a resource group within subscription as the scope and select Next.

+1. In **Parameters**, uncheck **Only show parameters that need input or review** so that you can see the values of parameters. In **Assessment** mode, select *AutomaticByPlatform*, select *Operating system* and select **Next**. You need to create separate policies for Windows and Linux.

+1. In **Remediation**, check **Create a remediation task**, so that periodic assessment is enabled on your machines and click **Next**.

+1. In **Non-compliance message**, provide the message that you would like to see in case of non-compliance. For example: *Your machine doesn't have periodic assessment enabled.* Select **Review+Create.**

+1. On the **Review+Create** tab, select **Create**. This action triggers Assignment and Remediation Task creation, which can take a minute or so.

+You can monitor the compliance of resources under **Compliance** and remediation status under **Remediation** from the Policy home page.

+## Enable Periodic assessment for your Arc machines using Policy

+1. Go to **Policy** from the Azure portal and under **Authoring**, **Definitions**.

+1. From the **Category** dropdown, select **Update management center**. Select *[Preview]: Configure periodic checking for missing system updates on Azure Arc-enabled servers* for Arc-enabled machines.

+1. When the Policy Definition opens, select **Assign**.

+1. In **Basics**, select your subscription as your scope. You can also specify a resource group within subscription as the scope and select **Next**.

+1. In **Parameters**, uncheck **Only show parameters that need input or review** so that you can see the values of parameters. In **Assessment** mode, select *AutomaticByPlatform*, select *Operating system* and select **Next**. You need to create separate policies for Windows and Linux.

+1. In **Remediation**, check *Create a remediation task*, so that periodic assessment is enabled on your machines and click on Next.

+1. In **Non-compliance message**, provide the message that you would like to see in case of non-compliance. For example: *Your machine doesn't have periodic assessment enabled.* Click **Review+Create.**

+1. In **Review+Create**, select **Create** to trigger Assignment and Remediation Task creation which can take a minute or so.

+You can monitor compliance of resources under **Compliance** and remediation status under **Remediation** from the Policy home page.

+## Monitor if Periodic Assessment is enabled for your machines (both Azure and Arc-enabled machines)

+1. Go to **Policy** from the Azure portal and under **Authoring**, go to **Definitions**.

+1. From the Category dropdown above, select **Update management center**. Select *[Preview]: Machines should be configured to periodically check for missing system updates*.

+1. When the Policy Definition opens, select **Assign**.

+1. In **Basics**, select your subscription as your scope. You can also specify a resource group within subscription as the scope. Select **Next.**

+1. In **Parameters** and **Remediation**, select **Next.**

+1. In **Non-compliance message**, provide the message that you would like to see in case of non-compliance. For example: *Your machine doesn't have periodic assessment enabled.* and select **Review+Create.**

+1. In **Review+Create**, click **Create** to trigger Assignment and Remediation Task creation which can take a minute or so.

+You can monitor compliance of resources under **Compliance** and remediation status under **Remediation** from the Policy home page.

+## Next steps

+* [View assessment compliance](view-updates.md) and [deploy updates](deploy-updates.md) for a selected Azure VM or Arc-enabled server, or across [multiple machines](manage-multiple-machines.md) in your subscription in the Azure portal.

+* To view update assessment and deployment logs generated by update management center (preview), see [query logs](query-logs.md).

+* To troubleshoot issues, see the [Troubleshoot](troubleshoot.md) update management center (preview).

+ Title: Query logs and results from Update management center (preview)

+description: The article provides details on how you can review logs and search results from update management center (preview) in Azure using Azure Resource Graph

+# Overview of query logs in update management center (Preview)

+Logs created from operations like update assessments and installations are stored by Update management center (preview) in an [Azure Resource Graph](/azure/governance/resource-graph/overview). The Azure Resource Graph is a service in Azure designed to be the store for Azure service details without any cost or deployment requirements. Update management center (preview) uses the Azure Resource Graph to store its results, and you can view the update history of the last 30 days from the resources.

+Azure Resource Graph's query language is based on the [Kusto query language](/azure/governance/resource-graph/concepts/query-language) used by Azure Data Explorer.

+The article describes the structure of the logs from Update management center (Preview) and how you can use [Azure Resource Graph Explorer](/azure/governance/resource-graph/first-query-portal) to analyze them in support of your reporting, visualizing, and export needs.

+## Log structure

+Update management center (preview) sends the results of all its operation into Azure Resource Graph as logs, which are available for 30 days. Listed below are the structure of logs being sent to Azure Resource Graph.

+### Patch assessment results

+The table `patchassessmentresources` includes resources related to machine patch assessment. The following table describes its properties.

+| Property | Description |

+|-|-|

+| `ID` | The Azure Resource Manager ID forwarding the result. It will be the similar to the [REST API](manage-vms-programmatically.md) path for Guest OS assessment. Typically, *`<resourcePath>/patchAssessmentResults/latest`* or *`<resourcePath>/patchAssessmentResults/latest/softwarePatches/<update>`* |

+| `NAME` | If the ID is of type *`<resourcePath>/patchAssessmentResults/latest`* - then the record contains unique GUID for the assessment operation completed. If *`<resourcePath>/patchAssessmentResults/latest/softwarePatches/<update>`* - then the record contains update name or label. |

+| `TYPE` |Specifies the type of log for assessment. If type is `patchassessmentresults` , then the record provides a summary of OS assessment with numerical aggregate statistics. If type is `patchassessmentresults/softwarepatches`, then the record describes a specific OS update available for the resource. |

+| `TENANTID` | Azure tenant ID for the Azure VM or Azure Arc-enabled server resource|

+| `KIND` | Intentionally left blank for future use. |

+| `LOCATION` | Azure cloud region where the Azure VM or Azure Arc-enabled server resource exists|

+| `RESOURCEGROUP` | Azure resource group hosting the Azure VM or Azure Arc-enabled server resource|

+| `SUBSCRIPTIONID` | Azure subscription ID for the Azure VM or Azure Arc-enabled server resource |

+| `MANAGEDBY` | Intentionally left blank for future use. |

+| `SKU` | Intentionally left blank for future use. |

+| `PLAN` | Intentionally left blank for future use. |

+| `PROPERTIES` | Captures details of operation in JSON format. Additional information follows this table.|

+| `TAGS` | Azure tags defined for the Azure VM or Azure Arc-enabled server(s) resource |

+| `IDENTITY` | Intentionally left blank for future use. |

+| `ZONES` | Intentionally left blank for future use. |

+| `EXTENDEDLOCATION` | Intentionally left blank for future use. |

+### Description of the **PROPERTIES** property

+If the `PROPERTIES` property for the resource type is `patchassessmentresources`, it includes the following information:

+|Value |Description |

+|||

+| `rebootPending` |Flag to specify if the specific update requires the OS to reboot to complete installation. As provided by machine's OS update service or package manager. If your OS package manager or update service doesn't require a reboot, the value of the field is set to `false`.|

+|`patchServiceUsed` |OS service used on the machine to install updates. `WU-WSUS` for Windows Update service and/or Windows Server Update Service. For Linux, it's the OS package manager like `YUM`, `APT`, or `Zypper`.|

+|`osType` |Represents the type of operating system `Windows` or `Linux`.|

+|`startDateTime` |Timestamp (UTC) representing when the OS update assessment task started execution on the machine.|

+|`lastModifiedDateTime` |Timestamp (UTC) representing when the record was last updated.|

+|`startedBy` |Identifies if the OS update installation run was triggered by a user or Azure service. Further details of the operation can be found in [Azure Activity Log](/azure/azure-resource-manager/management/view-activity-logs).|

+|`errorDetails` |First five error messages generated while executing update installation from the machine's OS package manager or update service.|

+|`availablePatchCountByClassification` |Number of OS updates by the category that the specific updates belong based on the OS vendor. Information is generated by the machine's OS update service or package manager. If the OS package manager or update service, doesn't provide the detail of category, then the value is `Others` (for Linux) or `Updates` (for Windows Server).|

+|

+If the `PROPERTIES` property for the resource type is `patchassessmentresults/softwarepatches`, it includes the following information:

+|Value |Description |

+|||

+|`lastModifiedDateTime` |Timestamp (UTC) representing when the record was last updated.|

+|`publishedDateTime` |Timestamp representing when the specific update was made available by the OS vendor. Information is generated by the machine's OS update service or package manager. If your OS package manager or update service doesn't provide the detail of when an update was provided by OS vendor, then the value is null.|

+|`classifications` |Category of which the specific update belongs to as per the OS vendor. Information is generated by the machine's OS update service or package manager. If your OS package manager or update service doesn't provide the detail of category, then the value is `Others` (for Linux) or `Updates` (for Windows Server). |

+|`rebootRequired` |Value indicates if the specific update requires the OS to reboot to complete the installation. Information is generated by the machine's OS update service or package manager. If your OS package manager or update service doesn't require a reboot, then the value is `false`.|

+|`rebootBehavior` |Behavior set in the OS update installation runs job when configuring the update deployment if update management center (preview) can reboot the target machine. |

+|`patchName` |Name or label for the specific update generated by the machine's OS package manager or update service.|

+|`Kbid` |If the machine's OS is Windows Server, the value includes the unique KB ID for the update provided by the Windows Update service.|

+|`version` |If the machine's OS is Linux, the value includes the version details for the update as provided by Linux package manager. For example, `1.0.1.el7.3`.|

+### Patch installation results

+The table `patchinstallationresources` includes resources related to machine patch assessment. The following table describes its properties.

+| Property | Description |

+|-|-|

+| `ID` | The Azure Resource Manager ID forwarding the result. It will be the similar to the [REST API](manage-vms-programmatically.md) path for Guest OS assessment. Typically, *`<resourcePath>/patchInstallationResults/<GUID>`* or *`<resourcePath>/patchAssessmentResults/latest/softwarePatches/<update>`* |

+| `NAME` | If the ID is of type *`<resourcePath>/patchInstallationResults`* - then the record contains unique GUID for the update operation completed. If *`<resourcePath>/patchInstallationResults/softwarePatches/<update>`* - then the record contains update name or label being installed on the machine. |

+| `TYPE` |Specifies the type of log for assessment. If type is `patchinstallationresults` , then the record provides a summary of OS installation with numerical aggregate statistics. If type is `patchinstallationresults/softwarepatches`, then the record describes a specific OS update installed for the resource. |

+| `TENANTID` | Azure tenant ID for the Azure VM or Azure Arc-enabled server resource |

+| `KIND` | Intentionally left blank for future use. |

+| `LOCATION` | Azure cloud region where the Azure VM or Azure Arc-enabled server resource exists|

+| `RESOURCEGROUP` | Azure resource group hosting the Azure VM or Azure Arc-enabled server resource|

+| `SUBSCRIPTIONID` | Azure subscription ID for the Azure VM or Azure Arc-enabled server resource|

+| `MANAGEDBY` | Intentionally left blank for future use. |

+| `SKU` | Intentionally left blank for future use. |

+| `PLAN` | Intentionally left blank for future use. |

+| `PROPERTIES` | Captures details of operation in JSON format. Additional information follows this table.|

+| `TAGS` | Azure tags defined for the Azure VM or Azure Arc-enabled server(s) resource |

+| `IDENTITY` | Intentionally left blank for future use. |

+| `ZONES` | Intentionally left blank for future use. |

+| `EXTENDEDLOCATION` | Intentionally left blank for future use. |

+### Description of the **PROPERTIES** property

+If the `PROPERTIES` property for the resource type is `patchinstallationresults`, it includes the following information:

+|Value |Description |

+|||

+|`installationActivityId` | Unique GUID for the OS update installation run. |

+|`maintenanceWindowExceeded` | Values are `True` or `False` if the update installation run exceeded the defined maintenance window. |

+|`lastModifiedDateTime` |Timestamp (UTC) representing when the record was last updated |

+|`notSelectedPatchCount` |Number of OS updates available on the machine not selected for installation in an update deployment. |

+|`installedPatchCount` |Number of OS updates that were successfully installed that were specified in an update deployment. |

+|`excludedPatchCount` |Number of OS updates available on the machine and excluded for installation in an update deployment.|

+|`pendingPatchCount` |Number of OS updates still awaiting to be installed that were specified in an update deployment. |

+|`patchServiceUsed` |OS service used on the machine to install updates. `WU-WSUS` for Windows Update service and/or Windows Server Update Service. For Linux, it's the OS package manager like `YUM`, `APT`, or `Zypper`. |

+|`failedPatchCount` |Number of OS updates that failed to successfully get installed that were specified in an update deployment. |

+|`startDateTime` |Timestamp (UTC) representing when the OS update installation task started execution on the machine. |

+|`rebootStatus` |Information from the OS update service or package manager, if the OS needs to be restarted to complete the update installation. Status values are `NotNeeded` (No restart is needed), `Required` (OS restart is needed for completion), `Started` (Restart was initiated), `Failed` (OS couldn't be restarted), and `Completed` (Restart was done successfully). |