+## Multiple accounts on iOS (preview)

+You can enable passwordless phone sign-in for multiple accounts in Microsoft Authenticator on any supported iOS device. Consultants, students, and others with multiple accounts in Azure AD can add each account to Microsoft Authenticator and use passwordless phone sign-in for all of them from the same iOS device.

+Previously, admins might not require passwordless sign-in for users with multiple accounts because it requires them to carry more devices for sign-in. By removing the limitation of one user sign-in from a device, admins can more confidently encourage users to register passwordless phone sign-in and use it as their default sign-in method.

+The Azure AD accounts can be in the same tenant or different tenants. Guest accounts aren't supported for multiple account sign-in from one device.

+>[!NOTE]

+>Multiple accounts on iOS is currently in public preview. Some features might not be supported or have limited capabilities. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Prerequisites

+To use passwordless phone sign-in with Microsoft Authenticator, the following prerequisites must be met:

+- Recommended: Azure AD Multi-Factor Authentication, with push notifications allowed as a verification method. Push notifications to your smartphone or tablet help the Authenticator app to prevent unauthorized access to accounts and stop fraudulent transactions. The Authenticator app automatically generates codes when set up to do push notifications so a user has a backup sign-in method even if their device doesn't have connectivity.

+- Latest version of Microsoft Authenticator installed on devices running iOS 12.0 or greater, or Android 6.0 or greater.

+- For Android, the device that runs Microsoft Authenticator must be registered to an individual user. We're actively working to enable multiple accounts on Android.

+- For iOS, the device must be registered with each tenant where it's used to sign in. For example, the following device must be registered with Contoso and Wingtiptoys to allow all accounts to sign in:

+ - balas@contoso.com

+ - balas@wingtiptoys.com and bsandhu@wingtiptoys

+- For iOS, the option in Microsoft Authenticator to allow Microsoft to gather usage data must be enabled. It's not enabled by default. To enable it in Microsoft Authenticator, go to **Settings** > **Usage Data**.

+

+ :::image type="content" border="true" source="./media/howto-authentication-passwordless-phone/telemetry.png" alt-text="Screenshot os Usage Data in Microsoft Authenticator.":::

+## Enable passwordless phone sign-in authentication methods

+> [!NOTE]

+> If you enabled Microsoft Authenticator passwordless sign-in using Azure AD PowerShell, it was enabled for your entire directory. If you enable using this new method, it supersedes the PowerShell policy. We recommend you enable for all users in your tenant via the new **Authentication Methods** menu, otherwise users who aren't in the new policy can't sign in without a password.

+1. Sign in to the [Azure portal](https://portal.azure.com) with an *Authentication Policy Administrator* account.

+1. From the **Identity Subtype**, select the type of user: **All**, **ED** (Enterprise Directory), **Local**, or **Cross Account**.

+- To view assigned permissions and usage of the serverless functions, see [View analytic information about serverless functions](usage-analytics-serverless-functions.md).

+> - This function is currently only supported for "Workday and SuccessFactors to Active Directory User Provisioning". It cannot be used with other provisioning applications.

+- The AADCloudSyncTools module might not work correctly if the Azure AD Connect cloud provisioning agent is not running or the configuration wizard has not finished successfully.

+> [!NOTE]

+> Before using AADCloudSyncTools module make sure the Azure AD Connect cloud provisioning agent is running and the configuration wizard has finished successfully. To troubleshoot wizard issues, you can find trace logs in the folder *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*, see [Cloud sync troubleshooting](how-to-troubleshoot.md) for more information.

+1. Sets verbose tracing and starts collecting data from the provisioning agent (same as `Start-AADCloudSyncToolsVerboseLogs`).

+2. Stops data collection after three minutes and disables verbose tracing (same as `Stop-AADCloudSyncToolsVerboseLogs`).

+4. Compresses all the agent logs, verbose logs, and Event Viewer logs into a .zip file in the user's *Documents* folder.

+You can use the following options to fine-tune your data collection:

+- `SkipVerboseTrace` to only export current logs without capturing verbose logs (default = false).

+- `TracingDurationMins` to specify a different capture duration (default = 3 minutes).

+- `OutputPath` to specify a different output path (default = userΓÇÖs Documents folder).

+An applicationΓÇÖs publisher domain informs the users where their information is being sent and acts as an input/prerequisite for [publisher verification](publisher-verification-overview.md). Depending on whether an app is a [multi-tenant app](/azure/architecture/guide/multitenant/overview), when it was registered and it's verified publisher status, either the publisher domain or the verified publisher status will be displayed to the user on the [application's consent prompt](application-consent-experience.md). Multi-tenant applications are applications that support accounts outside of a single organizational directory; for example, support all Azure AD accounts, or support all Azure AD accounts and personal Microsoft accounts.

+ - If the application's publisher domain isn't set, or if it's set to a domain that ends in .onmicrosoft.com, the app's consent prompt will show **unverified** in place of the publisher domain.

+ - If the application has a verified app domain, the consent prompt will show the verified domain.

+ - If the application is publisher verified, it will show a [blue "verified" badge](publisher-verification-overview.md) indicating the same

+ - If the application is not publisher verified, the app will show as "**unverified**" in the consent prompt (i.e, no publisher domain related info is shown)

+ - If the application is publisher verified, it will show a [blue "verified" badge](publisher-verification-overview.md) indicating the same

+If your app was registered **before May 21, 2019**, your application's consent prompt will not show **unverified** even if you have not set a publisher domain. We recommend that you set the publisher domain value so that users can see this information on your app's consent prompt.

+If your application uses permissions that require admin consent, have a gesture such as a button or link where the admin can initiate the action. The request your application sends for this action is the usual OAuth2/OpenID Connect authorization request that also includes the `prompt=consent` query string parameter. Once the admin has consented and the service principal is created in the customerΓÇÖs tenant, subsequent sign-in requests do not need the `prompt=consent` parameter. Since the administrator has decided the requested permissions are acceptable, no other users in the tenant are prompted for consent from that point forward.

+The `prompt=consent` parameter can also be used by applications that request permissions that do not require admin consent. An example of when this would be used is if the application requires an experience where the tenant admin ΓÇ£signs upΓÇ¥ one time, and no other users are prompted for consent from that point on.

+If an application requires admin consent and an admin signs in without the `prompt=consent` parameter being sent, when the admin successfully consents to the application it will apply **only for their user account**. Regular users will still not be able to sign in or consent to the application. This feature is useful if you want to give the tenant administrator the ability to explore your application before allowing other users access.

+[OpenIDConnect-ID-Token]: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

+- Node version 10, 12, 14, 16 or 18. See the [note on version support](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node#node-version-support)

+ scopes: ["https://graph.microsoft.com/.default"],

+ forceCache: true,

+ console.log(response);

+ console.log(error);

+For more information, please refer to the [ADAL Node to MSAL Node migration sample](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-node-samples/refresh-token).

+var tenant = 'Enter_the_Tenant_Info_Here';

+ authority: "https://login.microsoftonline.com/Enter_the_Tenant_Info_Here",

+> Azure AD issued tokens may not be used for federated identity flows. The federated identity credentials flow does not support tokens issued by Azure AD.

+ AzureADPreview\Connect-AzureAD

+You might want to override the value of an attribute that has already been mapped. For example, if you always want to set a null value to an attribute in Azure AD, simply create an inbound rule only. Make the expression value, `AuthoritativeNull`, flow to the target attribute.

+>[!NOTE]

+> This feature cannot be combined with using an existing ADSync database. The use of import/export configuration and using existing database are mutually exclusive.

+> [!NOTE]

+> It is not supported to modify the exported JSON file to change the configuration

+When you install the synchronization services, you can leave the optional configuration section unselected. Azure AD Connect sets up everything automatically. It sets up a SQL Server 2019 Express LocalDB instance, creates the appropriate groups, and assign permissions. If you want to change the defaults, select the appropriate boxes. The following table summarizes these options and provides links to additional information.

+For more information about other common topics, see [Azure AD Connect sync: Scheduler](how-to-connect-sync-feature-scheduler.md) and [Integrate your on-premises identities with Azure AD](whatis-hybrid-identity.md).

+* Azure AD Connect requires network connectivity to the root domain of all configured forest

+ `set-adsyncscheduler -synccycleenabled:$true`

+The option **Delete Connector and connector space** removes the data, the configuration and all the sync rules associated with the connector. This option is used when you do not want to connect to a forest anymore.

+|AADSTS80002|A timeout occurred connecting to Active Directory|Check to ensure that Active Directory is available and is responding to requests from the agents.

+In this article, you'll learn how to review permissions granted to applications in your Azure Active Directory (Azure AD) tenant. You may need to review permissions when you've detected a malicious application or the application has been granted more permissions than is necessary.

+- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator.

+- A Service principal owner who isn't an administrator is able to invalidate refresh tokens.

+1. Give a reason for why you want to review permissions for the application by selecting any of the options listed after the question, **Why do you want to review permissions for this application?**

+After you've disabled or restricted user consent, you have several important steps to take to help keep your organization secure as you continue to allow business-critical applications to be used. These steps are crucial to minimize impact on your organization's support team and IT administrators, and to help prevent the use of un-managed accounts in third-party applications.

+Before you grant tenant-wide admin consent, it's important to ensure that you trust the application, and the application publisher for the level of access you're granting. If you aren't confident that you understand who controls the application and why the application is requesting the permissions, do *not* grant consent.

+ The permissions requested by the application are listed in the [consent prompt](../develop/application-consent-experience.md). Expanding the permission title displays the permissionΓÇÖs description. The description for application permissions generally ends in "without a signed-in user." The description for delegated permissions generally end with "on behalf of the signed-in user." Permissions for the Microsoft Graph API are described in [Microsoft Graph Permissions Reference](/graph/permissions-reference). Refer to the documentation for other APIs to understand the permissions they expose.

+## Revoke tenant wide admin consent

+To revoke tenant-wide admin consent, you can review and revoke the permissions previously granted to the application. For more information, see [review permissions granted to applications](manage-application-permissions.md). You can also remove userΓÇÖs access to the application by [disabling user sign-in to application](disable-user-sign-in-portal.md) or by [hiding the application](hide-application-from-user-portal.md) so that it doesnΓÇÖt appear in the My apps portal.

+User access to applications can still be limited even when tenant-wide admin consent has been granted. To limit user access, require user assignment to an application. For more information, see [Methods for assigning users and groups](./assign-user-or-group-access-portal.md). Administrators can also limit user access to applications by disabling all future user consent operations to any application.

+ Title: 'Tutorial: Azure AD SSO integration with Birst Agile Business Analytics'

+# Tutorial: Azure AD SSO integration with Birst Agile Business Analytics

+In this tutorial, you'll learn how to integrate Birst Agile Business Analytics with Azure Active Directory (Azure AD). When you integrate Birst Agile Business Analytics with Azure AD, you can:

+* Control in Azure AD who has access to Birst Agile Business Analytics.

+* Enable your users to be automatically signed-in to Birst Agile Business Analytics with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Birst Agile Business Analytics single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Birst Agile Business Analytics supports **SP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Birst Agile Business Analytics from the gallery

+To configure the integration of Birst Agile Business Analytics into Azure AD, you need to add Birst Agile Business Analytics from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Birst Agile Business Analytics** in the search box.

+1. Select **Birst Agile Business Analytics** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Birst Agile Business Analytics

+Configure and test Azure AD SSO with Birst Agile Business Analytics using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Birst Agile Business Analytics.

+To configure and test Azure AD SSO with Birst Agile Business Analytics, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Birst Agile Business Analytics SSO](#configure-birst-agile-business-analytics-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Birst Agile Business Analytics test user](#create-birst-agile-business-analytics-test-user)** - to have a counterpart of B.Simon in Birst Agile Business Analytics that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Birst Agile Business Analytics** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ In the **Sign-on URL** textbox, type a URL using the following pattern: `https://login.bws.birst.com/SAMLSSO/Services.aspx?birst.idpid=<TENANTIDPID>`

+ * For US datacenter use following the pattern: `https://login.bws.birst.com/SAMLSSO/Services.aspx?birst.idpid=<TENANTIDPID>`

+ * For Europe datacenter use the following pattern: `https://login.eu1.birst.com/SAMLSSO/Services.aspx?birst.idpid=<TENANTIDPID>`

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up Birst Agile Business Analytics** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Birst Agile Business Analytics.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Birst Agile Business Analytics**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Birst Agile Business Analytics SSO

+To configure single sign-on on **Birst Agile Business Analytics** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Birst Agile Business Analytics support team](mailto:info@birst.com). They set this setting to have the SAML SSO connection set properly on both sides.

+> [!NOTE]

+> Mention to Birst team that this integration needs SHA256 Algorithm (SHA1 will not be supported) so that they can set the SSO on the appropriate server like **app2101** etc.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Birst Agile Business Analytics Sign-on URL where you can initiate the login flow.

+* Go to Birst Agile Business Analytics Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Birst Agile Business Analytics tile in the My Apps, this will redirect to Birst Agile Business Analytics Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Birst Agile Business Analytics you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Blue Access for Members (BAM)'

+# Tutorial: Azure AD SSO integration with Blue Access for Members (BAM)

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Blue Access for Members (BAM) supports **IDP** initiated SSO.

+## Add Blue Access for Members (BAM) from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for Blue Access for Members (BAM)

+To configure and test Azure AD SSO with Blue Access for Members (BAM), perform the following steps:

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+ 1. **[Create Blue Access for Members (BAM) test user](#create-blue-access-for-members-bam-test-user)** - to have a counterpart of B.Simon in Blue Access for Members (BAM) that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **Blue Access for Members (BAM)** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type a value using the following pattern:

+ 

+ 

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Blue Access for Members (BAM) for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Blue Access for Members (BAM) tile in the My Apps, you should be automatically signed in to the Blue Access for Members (BAM) for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Blue Access for Members (BAM) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Folloze'

+# Tutorial: Azure AD SSO integration with Folloze

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Folloze supports **IDP** initiated SSO.

+* Folloze supports **Just In Time** user provisioning.

+## Add Folloze from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for Folloze

+To configure and test Azure AD SSO with Folloze, perform the following steps:

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+ 1. **[Create Folloze test user](#create-folloze-test-user)** - to have a counterpart of B.Simon in Folloze that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **Folloze** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the application is pre-configured in **IDP** initiated mode and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.

+ 

+ 

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Folloze for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Folloze tile in the My Apps, you should be automatically signed in to the Folloze for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Folloze you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with FreshGrade'

+# Tutorial: Azure AD SSO integration with FreshGrade

+In this tutorial, you'll learn how to integrate FreshGrade with Azure Active Directory (Azure AD). When you integrate FreshGrade with Azure AD, you can:

+* Control in Azure AD who has access to FreshGrade.

+* Enable your users to be automatically signed-in to FreshGrade with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* FreshGrade single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* FreshGrade supports **SP** initiated SSO.

+## Add FreshGrade from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **FreshGrade** in the search box.

+1. Select **FreshGrade** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for FreshGrade

+Configure and test Azure AD SSO with FreshGrade using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FreshGrade.

+To configure and test Azure AD SSO with FreshGrade, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure FreshGrade SSO](#configure-freshgrade-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create FreshGrade test user](#create-freshgrade-test-user)** - to have a counterpart of B.Simon in FreshGrade that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **FreshGrade** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** textbox, type a URL using one of the following patterns:

+ | **Identifier** |

+ |-|

+ |`https://login.onboarding.freshgrade.com:443/saml/metadata/alias/<instancename>`|

+ |`https://login.freshgrade.com:443/saml/metadata/alias/<instancename>`|

+ b. In the **Sign-on URL** textbox, type a URL using one of the following patterns:

+

+ | **Sign-on URL** |

+ ||

+ |`https://<subdomain>.freshgrade.com/login`|

+ |`https://<subdomain>.onboarding.freshgrade.com/login`|

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [FreshGrade Client support team](mailto:support@freshgrade.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to FreshGrade.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **FreshGrade**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure FreshGrade SSO

+To configure single sign-on on **FreshGrade** side, you need to send the **App Federation Metadata Url** to [FreshGrade support team](mailto:support@freshgrade.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to FreshGrade Sign-on URL where you can initiate the login flow.

+* Go to FreshGrade Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the FreshGrade tile in the My Apps, this will redirect to FreshGrade Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure FreshGrade you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Headspace'

+description: Learn how to configure single sign-on between Azure Active Directory and Headspace.

+# Tutorial: Azure AD SSO integration with Headspace

+In this tutorial, you'll learn how to integrate Headspace with Azure Active Directory (Azure AD). When you integrate Headspace with Azure AD, you can:

+* Control in Azure AD who has access to Headspace.

+* Enable your users to be automatically signed-in to Headspace with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Headspace single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Headspace supports **SP** initiated SSO.

+* Headspace supports **Just In Time** user provisioning.

+## Add Headspace from the gallery

+To configure the integration of Headspace into Azure AD, you need to add Headspace from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Headspace** in the search box.

+1. Select **Headspace** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Headspace

+Configure and test Azure AD SSO with Headspace using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Headspace.

+To configure and test Azure AD SSO with Headspace, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Headspace SSO](#configure-headspace-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Headspace test user](#create-headspace-test-user)** - to have a counterpart of B.Simon in Headspace that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Headspace** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `urn:auth0:<Auth0TenantName>:<CustomerConnectionName>`

+ b. In the **Reply URL** textbox, type a value using the following pattern:

+ `https://auth.<Enviornment>.headspace.com/login/callback?connection=<CustomerConnectionName>`

+ c. In the **Sign on URL** textbox, type a value using the following pattern:

+ `https://<Environment>.headspace.com/sso-login`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Headspace Client support team](mailto:ecosystem-integration-squad@headspace.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Headspace application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Headspace application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | family_name | user.surname |

+ | userName | user.userprincipalname |

+

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (PEM)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Headspace** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Headspace.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Headspace**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Headspace SSO

+To configure single sign-on on **Headspace** side, you need to send the downloaded **Certificate (PEM)** and appropriate copied URLs from Azure portal to [Headspace support team](mailto:ecosystem-integration-squad@headspace.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Headspace test user

+In this section, a user called B.Simon is created in Headspace. Headspace supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Headspace, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Headspace Sign-on URL where you can initiate the login flow.

+* Go to Headspace Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Headspace tile in the My Apps, this will redirect to Headspace Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Headspace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Infogix Data3Sixty Govern'

+# Tutorial: Azure AD SSO integration with Infogix Data3Sixty Govern

+In this tutorial, you'll learn how to integrate Infogix Data3Sixty Govern with Azure Active Directory (Azure AD). When you integrate Infogix Data3Sixty Govern with Azure AD, you can:

+* Control in Azure AD who has access to Infogix Data3Sixty Govern.

+* Enable your users to be automatically signed-in to Infogix Data3Sixty Govern with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Infogix Data3Sixty Govern single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Infogix Data3Sixty Govern supports **SP and IDP** initiated SSO.

+* Infogix Data3Sixty Govern supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Infogix Data3Sixty Govern from the gallery

+To configure the integration of Infogix Data3Sixty Govern into Azure AD, you need to add Infogix Data3Sixty Govern from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Infogix Data3Sixty Govern** in the search box.

+1. Select **Infogix Data3Sixty Govern** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Infogix Data3Sixty Govern

+Configure and test Azure AD SSO with Infogix Data3Sixty Govern using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Infogix Data3Sixty Govern.

+To configure and test Azure AD SSO with Infogix Data3Sixty Govern, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Infogix Data3Sixty Govern SSO](#configure-infogix-data3sixty-govern-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Infogix Data3Sixty Govern test user](#create-infogix-data3sixty-govern-test-user)** - to have a counterpart of B.Simon in Infogix Data3Sixty Govern that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Infogix Data3Sixty Govern** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** text box, type the URL:

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+1. Infogix Data3Sixty Govern application expects the SAML assertions in a specific format. Configure the following claims for this application. You can manage the values of these attributes from the **User Attributes** section on application integration page. On the **Set up Single Sign-On with SAML** page, click **Edit** button to open **User Attributes** dialog.

+ 

+1. In the **User Claims** section on the **User Attributes** dialog, edit the claims by using **Edit icon** or add the claims by using **Add new claim** to configure SAML token attribute as shown in the image above and perform the following steps:

+ 

+ 

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up Infogix Data3Sixty Govern** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Infogix Data3Sixty Govern.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Infogix Data3Sixty Govern**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Infogix Data3Sixty Govern SSO

+To configure single sign-on on **Infogix Data3Sixty Govern** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Infogix Data3Sixty Govern support team](mailto:data3sixtysupport@infogix.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Infogix Data3Sixty Govern Sign-on URL where you can initiate the login flow.

+* Go to Infogix Data3Sixty Govern Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Infogix Data3Sixty Govern for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Infogix Data3Sixty Govern tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Infogix Data3Sixty Govern for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Infogix Data3Sixty Govern you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+2. **[Configure Sage Intacct SSO](#configure-sage-intacct-sso)** - to configure the single sign-on settings on application side.

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a unique identifier for your Sage Intacct company, such as `https://saml.intacct.com`.

+ b. In the **Reply URL** text box, add the following URLs:

+ | Reply URL |

+ | - |

+ | `https://www.intacct.com/ia/acct/sso_response.phtml` (Select as the default.) |

+ | `https://www-p02.intacct.com/ia/acct/sso_response.phtml` |

+ | `https://www-p03.intacct.com/ia/acct/sso_response.phtml` |

+ | `https://www-p04.intacct.com/ia/acct/sso_response.phtml` |

+ | `https://www-p05.intacct.com/ia/acct/sso_response.phtml` |

+

+1. The Sage Intacct application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click **Edit** icon to open User Attributes dialog.

+1. In the **Attributes & Claims** dialog, perform the following steps:

+ a. Edit **Unique User Identifier (Name ID)** and set source attribute to user.mail and verify Name identifier format is set to Email address and click **Save**

+

+ b. Remove all default Additional claims attributes by clicking ***...*** and Delete.

+

+ > Enter the `<User ID>` value should be same as the Sage Intacct **User ID**, which you enter in the **[Set up individual users in Intacct](#set-up-individual-users-in-intacct)**, which is explained later in the tutorial. Usually, this is the prefix of the email address. In this case, you can set the source as a transformation and use ExtractMailPrefix() on user.mail parameter.

+ c. Click **Add new claim** to open the **Manage user claims** dialog.

+ d. In the **Name** textbox, type the attribute name shown for that row.

+ e. Leave the **Namespace** blank.

+ f. Select Source as **Attribute**.

+ g. From the **Source attribute** list, type or select the attribute value shown for that row.

+ h. Click **Ok**

+ i. Click **Save**.

+

+ > Repeat steps c-i to add both custom attibutes.

+

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Edit** to open the dialog. Click **...** next to the Active certificate and select **PEM certificate download** to download the certificate and save it to your local drive.

+ 

+1. On the **Set up Sage Intacct** section, copy the Login URL as you will use it within Sage Intacct configuration.

+ c. In **Issuer URL** textbox, paste the value of **Identifier (Entity ID)**, which you created in the Basic SAML Configuration dialog.

+ e. Open your **PEM** encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **Certificate** box.

+When SSO is enabled for your company, you can individually require users to use SSO when logging in to your company. After you set up a user for SSO, the user will no longer be able to use a password to log in to your company directly. Instead, that user will need to use single sign-on and be authenticated by your SSO identity provider as an authorized user. Any users who are not set up for SSO can continue to log in to your company using the basic sign-in page.

+1. Sign in to your **Sage Intacct** company.

+ 

+1. Click the **Single sign-on** tab and type the **Federated SSO user ID**.

+> [!NOTE]

+> This value is mapped with the Unique User Identifier found in Azure's Attributes & Claims dialog.

+

+Once you configure Sage Intacct you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with LIFT'

+# Tutorial: Azure AD SSO integration with LIFT

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* LIFT supports **SP** initiated SSO.

+## Add LIFT from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for LIFT

+To configure and test Azure AD SSO with LIFT, perform the following steps:

+1. In the Azure portal, on the **LIFT** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<companyname>.portal.liftsoftware.nl/lift/secure`

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [LIFT Client support team](mailto:support@liftsoftware.nl) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to LIFT Sign-on URL where you can initiate the login flow.

+* Go to LIFT Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the LIFT tile in the My Apps, this will redirect to LIFT Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure LIFT you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with MaxxPoint'

+# Tutorial: Azure AD SSO integration with MaxxPoint

+In this tutorial, you'll learn how to integrate MaxxPoint with Azure Active Directory (Azure AD). When you integrate MaxxPoint with Azure AD, you can:

+* Control in Azure AD who has access to MaxxPoint.

+* Enable your users to be automatically signed-in to MaxxPoint with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* MaxxPoint single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* MaxxPoint supports **SP** and **IDP** initiated SSO.

+## Add MaxxPoint from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **MaxxPoint** in the search box.

+1. Select **MaxxPoint** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for MaxxPoint

+Configure and test Azure AD SSO with MaxxPoint using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in MaxxPoint.

+To configure and test Azure AD SSO with MaxxPoint, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure MaxxPoint SSO](#configure-maxxpoint-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create MaxxPoint test user](#create-maxxpoint-test-user)** - to have a counterpart of B.Simon in MaxxPoint that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **MaxxPoint** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up MaxxPoint** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to MaxxPoint.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **MaxxPoint**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure MaxxPoint SSO

+To get SSO configured for your application, call MaxxPoint support team on **888-728-0950** and they'll assist you further on how to provide them the downloaded **Federation Metadata XML** file.

+### Create MaxxPoint test user

+In this section, you create a user called Britta Simon in MaxxPoint. Please call MaxxPoint support team on **888-728-0950** to add the users in the MaxxPoint application.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to MaxxPoint Sign-on URL where you can initiate the login flow.

+* Go to MaxxPoint Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the MaxxPoint for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the MaxxPoint tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the MaxxPoint for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure MaxxPoint you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Mindflash'

+# Tutorial: Azure AD SSO integration with Mindflash

+In this tutorial, you'll learn how to integrate Mindflash with Azure Active Directory (Azure AD). When you integrate Mindflash with Azure AD, you can:

+* Control in Azure AD who has access to Mindflash.

+* Enable your users to be automatically signed-in to Mindflash with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Mindflash single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Mindflash supports **SP** initiated SSO.

+## Add Mindflash from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Mindflash** in the search box.

+1. Select **Mindflash** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Mindflash

+Configure and test Azure AD SSO with Mindflash using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Mindflash.

+To configure and test Azure AD SSO with Mindflash, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Mindflash SSO](#configure-mindflash-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Mindflash test user](#create-mindflash-test-user)** - to have a counterpart of B.Simon in Mindflash that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Mindflash** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [Mindflash Client support team](https://www.mindflash.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up Mindflash** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Mindflash.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Mindflash**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Mindflash SSO

+To configure single sign-on on **Mindflash** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Mindflash support team](https://www.mindflash.com/contact/). They set this setting to have the SAML SSO connection set properly on both sides.

+ 

+ 

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Mindflash Sign-on URL where you can initiate the login flow.

+* Go to Mindflash Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Mindflash tile in the My Apps, this will redirect to Mindflash Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Mindflash you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Moxi Engage'

+# Tutorial: Azure AD SSO integration with Moxi Engage

+In this tutorial, you'll learn how to integrate Moxi Engage with Azure Active Directory (Azure AD). When you integrate Moxi Engage with Azure AD, you can:

+* Control in Azure AD who has access to Moxi Engage.

+* Enable your users to be automatically signed-in to Moxi Engage with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Moxi Engage single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Moxi Engage supports **SP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Moxi Engage from the gallery

+To configure the integration of Moxi Engage into Azure AD, you need to add Moxi Engage from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Moxi Engage** in the search box.

+1. Select **Moxi Engage** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Moxi Engage

+Configure and test Azure AD SSO with Moxi Engage using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Moxi Engage.

+To configure and test Azure AD SSO with Moxi Engage, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Moxi Engage SSO](#configure-moxi-engage-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Moxi Engage test user](#create-moxi-engage-test-user)** - to have a counterpart of B.Simon in Moxi Engage that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Moxi Engage** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following step:

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up Moxi Engage** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Moxi Engage.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Moxi Engage**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Moxi Engage SSO

+To configure single sign-on on **Moxi Engage** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Moxi Engage support team](mailto:support@moxiworks.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Moxi Engage Sign-on URL where you can initiate the login flow.

+* Go to Moxi Engage Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Moxi Engage tile in the My Apps, this will redirect to Moxi Engage Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Moxi Engage you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ `https://cloud.oracle.com/?region=<REGIONNAME>`

+ Title: 'Tutorial: Azure AD SSO integration with PatentSQUARE'

+# Tutorial: Azure AD SSO integration with PatentSQUARE

+In this tutorial, you'll learn how to integrate PatentSQUARE with Azure Active Directory (Azure AD). When you integrate PatentSQUARE with Azure AD, you can:

+* Control in Azure AD who has access to PatentSQUARE.

+* Enable your users to be automatically signed-in to PatentSQUARE with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* PatentSQUARE single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* PatentSQUARE supports **SP** initiated SSO.

+## Add PatentSQUARE from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **PatentSQUARE** in the search box.

+1. Select **PatentSQUARE** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for PatentSQUARE

+Configure and test Azure AD SSO with PatentSQUARE using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in PatentSQUARE.

+To configure and test Azure AD SSO with PatentSQUARE, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure PatentSQUARE SSO](#configure-patentsquare-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create PatentSQUARE test user](#create-patentsquare-test-user)** - to have a counterpart of B.Simon in PatentSQUARE that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **PatentSQUARE** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<companysubdomain>.pat-dss.com:443/patlics/secure/aad`

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [PatentSQUARE Client support team](https://www.panasonic.com/jp/business/its/patentsquare.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up PatentSQUARE** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to PatentSQUARE.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **PatentSQUARE**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure PatentSQUARE SSO

+To configure single sign-on on **PatentSQUARE** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [PatentSQUARE support team](https://www.panasonic.com/jp/business/its/patentsquare.html). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to PatentSQUARE Sign-on URL where you can initiate the login flow.

+* Go to PatentSQUARE Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the PatentSQUARE tile in the My Apps, this will redirect to PatentSQUARE Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure PatentSQUARE you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Planview ID'

+description: Learn how to configure single sign-on between Azure Active Directory and Planview ID.

+# Tutorial: Azure AD SSO integration with Planview ID

+In this tutorial, you'll learn how to integrate Planview ID with Azure Active Directory (Azure AD). When you integrate Planview ID with Azure AD, you can:

+* Control in Azure AD who has access to Planview ID.

+* Enable your users to be automatically signed-in to Planview ID with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Planview ID single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Planview ID supports **SP** and **IDP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add Planview ID from the gallery

+To configure the integration of Planview ID into Azure AD, you need to add Planview ID from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Planview ID** in the search box.

+1. Select **Planview ID** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Planview ID

+Configure and test Azure AD SSO with Planview ID using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Planview ID.

+To configure and test Azure AD SSO with Planview ID, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Planview ID SSO](#configure-planview-id-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Planview ID test user](#create-planview-id-test-user)** - to have a counterpart of B.Simon in Planview ID that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Planview ID** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following step:

+ In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<Region>.id.planview.com/api/loginsso/callback`

+1. Click **Set additional URLs** and perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<Region>.id.planview.com`

+ > [!Note]

+ > These values are not real. Update these values with the actual Reply URL and Sign on URL. Contact [Planview ID support team](mailto:jordan.nguyen@planview.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Planview ID.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Planview ID**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Planview ID SSO

+To configure single sign-on on **Planview ID** side, you need to send the **App Federation Metadata Url** to [Planview ID support team](mailto:jordan.nguyen@planview.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Planview ID test user

+In this section, you create a user called Britta Simon in Planview ID. Work with [Planview ID support team](mailto:jordan.nguyen@planview.com) to add the users in the Planview ID platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Planview ID Sign-on URL where you can initiate the login flow.

+* Go to Planview ID Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Planview ID for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Planview ID tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Planview ID for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Planview ID you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+1. The Rise.com application expects the default attributes to be replaced with the specific attributes as shown below. These attributes are also pre populated but you can review them as per your requirements.

+ Title: 'Tutorial: Azure Active Directory integration with SAP Cloud Identity Services | Microsoft Docs'

+description: Learn how to configure single sign-on between Azure Active Directory and SAP Cloud Identity Services.

+# Tutorial: Azure Active Directory single sign-on (SSO) integration with SAP Cloud Identity Services

+In this tutorial, you'll learn how to integrate SAP Cloud Identity Services with Azure Active Directory (Azure AD). When you integrate SAP Cloud Identity Services with Azure AD, you can:

+* Control in Azure AD who has access to SAP Cloud Identity Services.

+* Enable your users to be automatically signed-in to SAP Cloud Identity Services with their Azure AD accounts.

+* SAP Cloud Identity Services single sign-on (SSO) enabled subscription.

+* SAP Cloud Identity Services supports **SP** and **IDP** initiated SSO.

+* SAP Cloud Identity Services supports [Automated user provisioning](sap-cloud-platform-identity-authentication-provisioning-tutorial.md).

+Before you dive into the technical details, it's vital to understand the concepts you're going to look at. The SAP Cloud Identity Services and Active Directory Federation Services enable you to implement SSO across applications or services that are protected by Azure AD (as an IdP) with SAP applications and services that are protected by SAP Cloud Identity Services.

+Currently, SAP Cloud Identity Services acts as a Proxy Identity Provider to SAP applications. Azure Active Directory in turn acts as the leading Identity Provider in this setup.

+With this setup, your SAP Cloud Identity Services tenant is configured as a trusted application in Azure Active Directory.

+All SAP applications and services that you want to protect this way are subsequently configured in the SAP Cloud Identity Services management console.

+Therefore, the authorization for granting access to SAP applications and services needs to take place in SAP Cloud Identity Services (as opposed to Azure Active Directory).

+By configuring SAP Cloud Identity Services as an application through the Azure Active Directory Marketplace, you don't need to configure individual claims or SAML assertions.

+## Adding SAP Cloud Identity Services from the gallery

+To configure the integration of SAP Cloud Identity Services into Azure AD, you need to add SAP Cloud Identity Services from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **SAP Cloud Identity Services** in the search box.

+1. Select **SAP Cloud Identity Services** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for SAP Cloud Identity Services

+Configure and test Azure AD SSO with SAP Cloud Identity Services using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SAP Cloud Identity Services.

+To configure and test Azure AD SSO with SAP Cloud Identity Services, perform the following steps:

+1. **[Configure SAP Cloud Identity Services SSO](#configure-sap-cloud-identity-services-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create SAP Cloud Identity Services test user](#create-sap-cloud-identity-services-test-user)** - to have a counterpart of B.Simon in SAP Cloud Identity Services that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **SAP Cloud Identity Services** application integration page, find the **Manage** section and select **single sign-on**.

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact the [SAP Cloud Identity Services Client support team](https://cloudplatform.sap.com/capabilities/security/trustcenter.html) to get these values. If you don't understand Identifier value, read the SAP Cloud Identity Services documentation about [Tenant SAML 2.0 configuration](https://help.hana.ondemand.com/cloud_identity/frameset.htm?e81a19b0067f4646982d7200a8dab3ca.html).

+ 

+ > This value is not real. Update this value with the actual sign-on URL. Please use your specific business application Sign-on URL. Contact the [SAP Cloud Identity Services Client support team](https://cloudplatform.sap.com/capabilities/security/trustcenter.html) if you have any doubt.

+1. SAP Cloud Identity Services application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+1. In addition to above, SAP Cloud Identity Services application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+9. On the **Set up SAP Cloud Identity Services** section, copy the appropriate URL(s) as per your requirement.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SAP Cloud Identity Services.

+1. In the applications list, select **SAP Cloud Identity Services**.

+## Configure SAP Cloud Identity Services SSO

+1. To automate the configuration within SAP Cloud Identity Services, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

+2. After adding extension to the browser, click on **Set up SAP Cloud Identity Services** will direct you to the SAP Cloud Identity Services application. From there, provide the admin credentials to sign into SAP Cloud Identity Services. The browser extension will automatically configure the application for you and automate steps 3-7.

+3. If you want to set up SAP Cloud Identity Services manually, in a different web browser window, go to the SAP Cloud Identity Services administration console. The URL has the following pattern: `https://<tenant-id>.accounts.ondemand.com/admin`. Then read the documentation about SAP Cloud Identity Services at [Integration with Microsoft Azure AD](https://developers.sap.com/tutorials/cp-ias-azure-ad.html).

+3. Continue with the following only if you want to add and enable SSO for another SAP application. Repeat the steps under the section **Adding SAP Cloud Identity Services from the gallery**.

+4. In the Azure portal, on the **SAP Cloud Identity Services** application integration page, select **Linked Sign-on**.

+> The new application leverages the single sign-on configuration of the previous SAP application. Make sure you use the same Corporate Identity Providers in the SAP Cloud Identity Services administration console.

+### Create SAP Cloud Identity Services test user

+You don't need to create a user in SAP Cloud Identity Services. Users who are in the Azure AD user store can use the SSO functionality.

+SAP Cloud Identity Services supports the Identity Federation option. This option allows the application to check whether users who are authenticated by the corporate identity provider exist in the user store of SAP Cloud Identity Services.

+The Identity Federation option is disabled by default. If Identity Federation is enabled, only the users that are imported in SAP Cloud Identity Services can access the application.

+For more information about how to enable or disable Identity Federation with SAP Cloud Identity Services, see "Enable Identity Federation with SAP Cloud Identity Services" in [Configure Identity Federation with the User Store of SAP Cloud Identity Services](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/c029bbbaefbf4350af15115396ba14e2.html).

+> SAP Cloud Identity Services also supports automatic user provisioning, you can find more details [here](./sap-cloud-platform-identity-authentication-provisioning-tutorial.md) on how to configure automatic user provisioning.

+* Click on **Test this application** in Azure portal. This will redirect to SAP Cloud Identity Services Sign on URL where you can initiate the login flow.

+* Go to SAP Cloud Identity Services Sign-on URL directly and initiate the login flow from there.

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SAP Cloud Identity Services for which you set up the SSO

+You can also use Microsoft My Apps to test the application in any mode. When you click the SAP Cloud Identity Services tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SAP Cloud Identity Services for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+Once you configure the SAP Cloud Identity Services you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with SeekOut'

+description: Learn how to configure single sign-on between Azure Active Directory and SeekOut.

+# Tutorial: Azure AD SSO integration with SeekOut

+In this tutorial, you'll learn how to integrate SeekOut with Azure Active Directory (Azure AD). When you integrate SeekOut with Azure AD, you can:

+* Control in Azure AD who has access to SeekOut.

+* Enable your users to be automatically signed-in to SeekOut with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* SeekOut single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* SeekOut supports **SP** and **IDP** initiated SSO.

+* SeekOut supports **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add SeekOut from the gallery

+To configure the integration of SeekOut into Azure AD, you need to add SeekOut from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **SeekOut** in the search box.

+1. Select **SeekOut** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for SeekOut

+Configure and test Azure AD SSO with SeekOut using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SeekOut.

+To configure and test Azure AD SSO with SeekOut, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure SeekOut SSO](#configure-seekout-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create SeekOut test user](#create-seekout-test-user)** - to have a counterpart of B.Simon in SeekOut that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **SeekOut** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following step:

+ In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://app.seekout.io/api/auth/sso/<ID>`

+1. Click **Set additional URLs** and perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://app.seekout.io`

+ > [!Note]

+ > This value is not real. Update this value with the actual Reply URL. Contact [SeekOut support team](mailto:support@seekout.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up SeekOut** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SeekOut.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **SeekOut**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure SeekOut SSO

+To configure single sign-on on **SeekOut** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [SeekOut support team](mailto:support@seekout.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create SeekOut test user

+In this section, a user called B.Simon is created in SeekOut. SeekOut supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in SeekOut, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to SeekOut Sign-on URL where you can initiate the login flow.

+* Go to SeekOut Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SeekOut for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the SeekOut tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SeekOut for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure SeekOut you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with ShareVault'

+# Tutorial: Azure AD SSO integration with ShareVault

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* ShareVault supports **SP and IDP** initiated SSO.

+* ShareVault supports **Just In Time** user provisioning.

+## Add ShareVault from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+To configure and test Azure AD SSO with ShareVault, perform the following steps:

+1. In the Azure portal, on the **ShareVault** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+ 

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to ShareVault Sign-on URL where you can initiate the login flow.

+* Go to ShareVault Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ShareVault for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the ShareVault tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ShareVault for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure ShareVault you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with SmartLPA'

+# Tutorial: Azure AD SSO integration with SmartLPA

+In this tutorial, you'll learn how to integrate SmartLPA with Azure Active Directory (Azure AD). When you integrate SmartLPA with Azure AD, you can:

+* Control in Azure AD who has access to SmartLPA.

+* Enable your users to be automatically signed-in to SmartLPA with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* SmartLPA single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* SmartLPA supports **SP** initiated SSO.

+## Add SmartLPA from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **SmartLPA** in the search box.

+1. Select **SmartLPA** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for SmartLPA

+Configure and test Azure AD SSO with SmartLPA using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SmartLPA.

+To configure and test Azure AD SSO with SmartLPA, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure SmartLPA SSO](#configure-smartlpa-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create SmartLPA test user](#create-smartlpa-test-user)** - to have a counterpart of B.Simon in SmartLPA that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **SmartLPA** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<TENANTNAME>.smartlpa.com/`

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [SmartLPA Client support team](mailto:support@smartlpa.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up SmartLPA** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SmartLPA.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **SmartLPA**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure SmartLPA SSO

+To configure single sign-on on **SmartLPA** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [SmartLPA support team](mailto:support@smartlpa.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to SmartLPA Sign-on URL where you can initiate the login flow.

+* Go to SmartLPA Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the SmartLPA tile in the My Apps, this will redirect to SmartLPA Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure SmartLPA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+1. In the **SAML2_ISSUER**, paste **Identifier** value, which you have copied from the Azure portal.

+1. In the **SAML2_SSO_URL**, paste **Login URL** value, which you have copied from the Azure portal.

+1. In the **SAML2_PROVIDER**, give the value like `CUSTOM`.

+* Click on **Test this application** in Azure portal. This will redirect to Snowflake Sign on URL where you can initiate the login flow.

+Once you configure Snowflake you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Stackby'

+description: Learn how to configure single sign-on between Azure Active Directory and Stackby.

+# Tutorial: Azure AD SSO integration with Stackby

+In this tutorial, you'll learn how to integrate Stackby with Azure Active Directory (Azure AD). When you integrate Stackby with Azure AD, you can:

+* Control in Azure AD who has access to Stackby.

+* Enable your users to be automatically signed-in to Stackby with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Stackby single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Stackby supports **IDP** initiated SSO.

+* Stackby supports **Just In Time** user provisioning.

+## Add Stackby from the gallery

+To configure the integration of Stackby into Azure AD, you need to add Stackby from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Stackby** in the search box.

+1. Select **Stackby** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Stackby

+Configure and test Azure AD SSO with Stackby using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at Stackby.

+To configure and test Azure AD SSO with Stackby, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Stackby SSO](#configure-stackby-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Stackby test user](#create-stackby-test-user)** - to have a counterpart of B.Simon in Stackby that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Stackby** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Stackby** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Stackby.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Stackby**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Stackby SSO

+To configure single sign-on on **Stackby** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Stackby support team](mailto:support@stackby.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Stackby test user

+In this section, a user called B.Simon is created in Stackby. Stackby supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Stackby, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Stackby for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Stackby tile in the My Apps, you should be automatically signed in to the Stackby for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Stackby you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with TiViTz'

+# Tutorial: Azure AD SSO integration with TiViTz

+In this tutorial, you'll learn how to integrate TiViTz with Azure Active Directory (Azure AD). When you integrate TiViTz with Azure AD, you can:

+* Control in Azure AD who has access to TiViTz.

+* Enable your users to be automatically signed-in to TiViTz with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* TiViTz single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* TiViTz supports **SP** initiated SSO.

+* TiViTz supports **Just In Time** user provisioning.

+## Add TiViTz from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **TiViTz** in the search box.

+1. Select **TiViTz** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for TiViTz

+Configure and test Azure AD SSO with TiViTz using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TiViTz.

+To configure and test Azure AD SSO with TiViTz, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure TiViTz SSO](#configure-tivitz-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create TiViTz test user](#create-tivitz-test-user)** - to have a counterpart of B.Simon in TiViTz that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **TiViTz** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [TiViTz Client support team](mailto:info@tivitz.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up TiViTz** section, copy the appropriate URL(s) as per your requirement.

+ 

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TiViTz.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **TiViTz**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure TiViTz SSO

+To configure single sign-on on **TiViTz** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [TiViTz support team](mailto:info@tivitz.com). They set this setting to have the SAML SSO connection set properly on both sides.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to TiViTz Sign-on URL where you can initiate the login flow.

+* Go to TiViTz Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the TiViTz tile in the My Apps, this will redirect to TiViTz Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure TiViTz you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with UserEcho'

+# Tutorial: Azure AD SSO integration with UserEcho

+In this tutorial, you'll learn how to integrate UserEcho with Azure Active Directory (Azure AD). When you integrate UserEcho with Azure AD, you can:

+* Control in Azure AD who has access to UserEcho.

+* Enable your users to be automatically signed-in to UserEcho with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).

+* UserEcho single sign-on enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* UserEcho supports **SP** initiated SSO.

+## Add UserEcho from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **UserEcho** in the search box.

+1. Select **UserEcho** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for UserEcho

+Configure and test Azure AD SSO with UserEcho using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in UserEcho.

+To configure and test Azure AD SSO with UserEcho, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure UserEcho SSO](#configure-userecho-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create UserEcho test user](#create-userecho-test-user)** - to have a counterpart of B.Simon in UserEcho that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **UserEcho** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ `https://<companyname>.userecho.com/saml/metadata/`

+ b. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<companyname>.userecho.com/`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier and Sign on URL. Contact [UserEcho Client support team](https://feedback.userecho.com/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.

+ 

+1. On the **Set up UserEcho** section, copy the appropriate URL(s) as per your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to UserEcho.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **UserEcho**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure UserEcho SSO

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+ 

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to UserEcho Sign-on URL where you can initiate the login flow.

+* Go to UserEcho Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the UserEcho tile in the My Apps, this will redirect to UserEcho Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure UserEcho you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Visit.org'

+# Tutorial: Azure AD SSO integration with Visit.org

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+* Visit.org supports **IDP** initiated SSO.

+## Add Visit.org from the gallery

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+## Configure and test Azure AD SSO for Visit.org

+To configure and test Azure AD SSO with Visit.org, perform the following steps:

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+ 1. **[Create Visit.org test user](#create-visitorg-test-user)** - to have a counterpart of B.Simon in Visit.org that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **Visit.org** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+ 

+ 

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Visit.org for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Visit.org tile in the My Apps, you should be automatically signed in to the Visit.org for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Visit.org you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Workable'

+# Tutorial: Azure AD SSO integration with Workable

+ `https://id.workable.com/auth/saml/ats_server/<SUBDOMAIN>/callback`

+ In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<SUBDOMAIN>.workable.com/signin`

+ > These values are not real. Update these values with the actual Reply URL and Sign on URL. Contact [Workable Client support team](mailto:support@workable.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+ },

+ "validityInterval": 2592000,

+ "vc": {

+ "type": [

+ "VerifiedCredentialExpert"

+ ]

+Add-ons are a fully-supported way to provide extra capabilities for your AKS cluster. Add-ons' installation, configuration, and lifecycle is managed by AKS. Use `az aks addon` to install an add-on or manage the add-ons for your cluster.

+The following rules are used by AKS for applying updates to installed add-ons:

+- Only an add-on's patch version can be upgraded within a Kubernetes minor version. The add-on's major/minor version will not be upgraded within the same Kubernetes minor version.

+- The major/minor version of the add-on will only be upgraded when moving to a later Kubernetes minor version.

+- Any breaking or behavior changes to the add-on will be announced well before, usually 60 days, a later minor version of Kubernetes is released on AKS.

+- Add-ons can be patched weekly with every new release of AKS which will be announced in the release notes. AKS releases can be controlled using [maintenance windows][maintenance-windows] and followed using [release tracker][release-tracker].

+[web-app-routing]: web-app-routing.md

+[maintenance-windows]: planned-maintenance.md

+[release-tracker]: release-tracker.md

+* Any additional [add-ons][add-ons] or system component running in the kube-system namespace

+[add-ons]: integrations.md#add-ons

+Web Application Firewall (WAF) is a service that provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is based on rules from the [OWASP (Open Web Application Security Project) core rule sets](https://owasp.org/www-project-modsecurity-core-rule-set/) 3.1 (WAF_v2 only), 3.0, and 2.2.9.

+- Learn [how an application gateway works](how-application-gateway-works.md)

+- 303 (See Other): Indicates that the target resource is redirecting the user agent to a different resource, as indicated by a URI in the Location header field.

+* [**Java**](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/ComposeModel.java).

+* [**Python**](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_compose_model.py)

+>

+Starting August 01, 2022, Form Recognizer custom neural model training will only be available in the following Azure regions until further notice:

+# Form Recognizer service quotas and limits

+- To assign an Azure role, you must have ```Microsoft.Authorization/roleAssignments/write``` permissions, such as [User Access Administrator](/azure/role-based-access-control/built-in-roles.md#user-access-administrator) or [Owner](/azure/role-based-access-control/built-in-roles.md.md#owner).

+ Title: Manage an Azure Automation Run As account

+description: This article tells how to manage your Azure Automation Run As account with PowerShell or from the Azure portal.

+# Manage an Azure Automation Run As account

+Run As accounts in Azure Automation provide authentication for managing resources on the Azure Resource Manager or Azure Classic deployment model using Automation runbooks and other Automation features.

+In this article we cover how to manage a Run as or Classic Run As account, including:

+ * How to renew a self-signed certificate

+ * How to renew a certificate from an enterprise or third-party certificate authority (CA)

+ * Manage permissions for the Run As account

+To learn more about Azure Automation account authentication, permissions required to manage the Run as account, and guidance related to process automation scenarios, see [Automation Account authentication overview](automation-security-overview.md).

+## <a name="cert-renewal"></a>Renew a self-signed certificate

+The self-signed certificate that you have created for the Run As account expires one year from the date of creation. At some point before your Run As account expires, you must renew the certificate. You can renew it any time before it expires.

+When you renew the self-signed certificate, the current valid certificate is retained to ensure that any runbooks that are queued up or actively running, and that authenticate with the Run As account, aren't negatively affected. The certificate remains valid until its expiration date.

+>[!NOTE]

+>If you think that the Run As account has been compromised, you can delete and re-create the self-signed certificate.

+>[!NOTE]

+>If you have configured your Run As account to use a certificate issued by your enterprise or third-party CA and you use the option to renew a self-signed certificate option, the enterprise certificate is replaced by a self-signed certificate. To renew your certificate in this case, see [Renew an enterprise or third-party certificate](#renew-an-enterprise-or-third-party-certificate).

+Use the following steps to renew the self-signed certificate.

+1. Sign-in to the [Azure portal](https://portal.azure.com).

+1. Go to your Automation account and select **Run As Accounts** in the account settings section.

+ :::image type="content" source="media/manage-run-as-account/automation-account-properties-pane.png" alt-text="Automation account properties pane.":::

+1. On the **Run As Accounts** properties page, select either **Run As Account** or **Classic Run As Account** depending on which account you need to renew the certificate for.

+1. On the **Properties** page for the selected account, select **Renew certificate**.

+ :::image type="content" source="media/manage-run-as-account/automation-account-renew-run-as-certificate.png" alt-text="Renew certificate for Run As account.":::

+1. While the certificate is being renewed, you can track the progress under **Notifications** from the menu.

+## Renew an enterprise or third-party certificate

+Every certificate has a built-in expiration date. If the certificate you assigned to the Run As account was issued by a certification authority (CA), you need to perform a different set of steps to configure the Run As account with the new certificate before it expires. You can renew it any time before it expires.

+1. Import the renewed certificate following the steps for [Create a new certificate](./shared-resources/certificates.md#create-a-new-certificate). Automation requires the certificate to have the following configuration:

+ * Specify the provider **Microsoft Enhanced RSA and AES Cryptographic Provider**

+ * Marked as exportable

+ * Configured to use the SHA256 algorithm

+ * Saved in the `*.pfx` or `*.cer` format.

+ After you import the certificate, note or copy the certificate **Thumbprint** value. This value is used to update the Run As connection properties with the new certificate.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for and select **Automation Accounts**.

+1. On the Automation Accounts page, select your Automation account from the list.

+1. In the left pane, select **Connections**.

+1. On the **Connections** page, select **AzureRunAsConnection** and update the **Certificate Thumbprint** with the new certificate thumbprint.

+1. Select **Save** to commit your changes.

+## Grant Run As account permissions in other subscriptions

+Azure Automation supports using a single Automation account from one subscription, and executing runbooks against Azure Resource Manager resources across multiple subscriptions. This configuration does not support the Azure Classic deployment model.

+You assign the Run As account service principal the [Contributor](../role-based-access-control/built-in-roles.md#contributor) role in the other subscription, or more restrictive permissions. For more information, see [Role-based access control](automation-role-based-access-control.md) in Azure Automation. To assign the Run As account to the role in the other subscription, the user account performing this task needs to be a member of the **Owner** role in that subscription.

+> [!NOTE]

+> This configuration only supports multiple subscriptions of an organization using a common Azure AD tenant.

+Before granting the Run As account permissions, you need to first note the display name of the service principal to assign.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. From your Automation account, select **Run As Accounts** under **Account Settings**.

+1. Select **Azure Run As Account**.

+1. Copy or note the value for **Display Name** on the **Azure Run As Account** page.

+For detailed steps for how to add role assignments, check out the following articles depending on the method you want to use.

+* [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md)

+* [Assign Azure roles using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)

+* [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)

+* [Assign Azure roles using the REST API](..//role-based-access-control/role-assignments-rest.md)

+After assigning the Run As account to the role, in your runbook specify `Set-AzContext -SubscriptionId "xxxx-xxxx-xxxx-xxxx"` to set the subscription context to use. For more information, see [Set-AzContext](/powershell/module/az.accounts/set-azcontext).

+## Check role assignment for Azure Automation Run As account

+To check the role assigned to the Automation Run As account Azure AD, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Go to your Automation account and in **Account Settings**, select **Run as accounts**.

+1. Select **Azure Run as Account** to view the **Application ID**.

+ :::image type="content" source="media/manage-run-as-account/automation-run-as-app-id.png" alt-text="Screenshot that describes on how to copy application ID.":::

+1. Go to Azure portal and search for **Azure Active Directory**.

+1. On the **Active Directory Overview** page, **Overview** tab, in the search box, enter the Application ID.

+ :::image type="content" source="media/manage-run-as-account/active-directory-app-id-inline.png" alt-text="Screenshot that describes application ID copied in the Overview tab." lightbox="media/manage-run-as-account/active-directory-app-id-expanded.png":::

+ In the **Enterprise applications** section, you will see the display name of your Run As Account.

+1. Select the application ID and in the properties page of that ID, go to **Overview** blade, **Properties**, and copy the name of the Enterprise application.

+1. Go to Azure portal and search for your **Subscription** and select your subscription.

+1. Go to **Access Control (IAM)**, **Role Assignment** and paste the name of the Enterprise application in the search box to view the App along with the role and scope assigned to it.

+For example: in the screenshot below, the Run As Account Azure AD App has the Contributor access at the subscription level.

+ :::image type="content" source="media/manage-run-as-account/check-role-assignments-inline.png" alt-text="Screenshot that describes how to view the role and scope assigned to the enterprise application." lightbox="media/manage-run-as-account/check-role-assignments-expanded.png":::

+## Limit Run As account permissions

+To control the targeting of Automation against resources in Azure, you can run the [Update-AutomationRunAsAccountRoleAssignments.ps1](https://aka.ms/AA5hug8) script. This script changes your existing Run As account service principal to create and use a custom role definition. The role has permissions for all resources except [Key Vault](../key-vault/index.yml).

+>[!IMPORTANT]

+>After you run the **Update-AutomationRunAsAccountRoleAssignments.ps1** script, runbooks that access Key Vault through the use of Run As accounts no longer work. Before running the script, you should review runbooks in your account for calls to Azure Key Vault. To enable access to Key Vault from Azure Automation runbooks, you must [add the Run As account to Key Vault's permissions](#add-permissions-to-key-vault).

+If you need to further restrict what the Run As service principal can do, you can add other resource types to the `NotActions` element of the custom role definition. The following example restricts access to `Microsoft.Compute/*`. If you add this resource type to `NotActions` for the role definition, the role will not be able to access any Compute resource. To learn more about role definitions, see [Understand role definitions for Azure resources](../role-based-access-control/role-definitions.md).

+```powershell

+$roleDefinition = Get-AzRoleDefinition -Name 'Automation RunAs Contributor'

+$roleDefinition.NotActions.Add("Microsoft.Compute/*")

+$roleDefinition | Set-AzRoleDefinition

+```

+You can determine if the service principal used by your Run As account assigned the **Contributor** role or a custom one.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to your Automation account and select **Run As Accounts** in the account settings section.

+1. Select **Azure Run As Account**.

+1. Select **Role** to locate the role definition that is being used.

+You can also determine the role definition used by the Run As accounts for multiple subscriptions or Automation accounts. Do this by using the [Check-AutomationRunAsAccountRoleAssignments.ps1](https://aka.ms/AA5hug5) script in the PowerShell Gallery.

+### Add permissions to Key Vault

+You can allow Azure Automation to verify if Key Vault and your Run As account service principal are using a custom role definition. You must:

+* Grant permissions to Key Vault.

+* Set the access policy.

+You can use the [Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1](https://aka.ms/AA5hugb) script in the PowerShell Gallery to grant your Run As account permissions to Key Vault. See [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-powershell.md) for more details on setting permissions on Key Vault.

+## Resolve misconfiguration issues for Run As accounts

+Some configuration items necessary for a Run As or Classic Run As account might have been deleted or created improperly during initial setup. Possible instances of misconfiguration include:

+* Certificate asset

+* Connection asset

+* Run As account removed from the Contributor role

+* Service principal or application in Azure AD

+For such misconfiguration instances, the Automation account detects the changes and displays a status of *Incomplete* on the Run As Accounts properties pane for the account.

+When you select the Run As account, the account properties pane displays the following error message:

+```text

+The Run As account is incomplete. Either one of these was deleted or not created - Azure Active Directory Application, Service Principal, Role, Automation Certificate asset, Automation Connect asset - or the Thumbprint is not identical between Certificate and Connection. Please delete and then re-create the Run As Account.

+```

+You can quickly resolve these Run As account issues by [deleting](delete-run-as-account.md) and [re-creating](create-run-as-account.md) the Run As account.

+## Next steps

+* [Application Objects and Service Principal Objects](../active-directory/develop/app-objects-and-service-principals.md).

+* [Certificates overview for Azure Cloud Services](../cloud-services/cloud-services-certs-create.md).

+* To create or re-create a Run As account, see [Create a Run As account](create-run-as-account.md).

+* If you no longer need to use a Run As account, see [Delete a Run As account](delete-run-as-account.md).

+> The KVSet file content profile is currently supported in

+> - Azure CLI version 2.30.0 or later

+> - [Azure App Configuration Push Task](./push-kv-devops-pipeline.md) version 3.3.0 or later

+It is important to know about the following concepts to benefit the most from Azure Arc-enabled PostgreSQL Hyperscale:

+The recommended distribution varies by the type of application and its query patterns. There are broadly two kinds of applications that work well on Azure Arc-enabled PostgreSQL Hyperscale:

+- **the number of worker nodes** you want to deploy to scale out and potentially reach better performances. Before proceeding here, read the [concepts about PostgreSQL Hyperscale](concepts-distributed-postgres-hyperscale.md). The table below indicates the range of supported values and what form of Postgres deployment you get with them. For example, if you want to deploy a server group with 2 worker nodes, indicate 2. This will create three pods, one for the coordinator node/instance and two for the worker nodes/instances (one for each of the workers).

+ |A basic form of PostgreSQL Hyperscale for you to do functional validation of your application at minimum cost. Not valid for performance and scalability validation. For that you need to use the type of deployments described above. |1 Postgres instance that is both coordinator and worker. |0 and add Citus to the list of extensions to load. |The Citus extension that provides the Hyperscale capability is loaded. |

+ :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts PostgreSQL Hyperscale worker node parameters and associated architecture." border="false":::

+- Read the concepts and How-to guides of Azure Database for PostgreSQL Hyperscale to distribute your data across multiple PostgreSQL Hyperscale nodes and to benefit from all the power of Azure Database for PostgreSQL Hyperscale. :

+ :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts PostgreSQL Hyperscale worker node parameters and associated architecture." border="false":::

+- **the number of worker nodes** you want to deploy to scale out and potentially reach better performances. Before proceeding here, read the [concepts about PostgreSQL Hyperscale](concepts-distributed-postgres-hyperscale.md). To indicate the number of worker nodes to deploy, use the parameter `--workers` or `-w` followed by an integer. The table below indicates the range of supported values and what form of Postgres deployment you get with them. For example, if you want to deploy a server group with two worker nodes, indicate `--workers 2` or `-w 2`. This will create three pods, one for the coordinator node/instance and two for the worker nodes/instances (one for each of the workers).

+ |A basic form of PostgreSQL Hyperscale for you to do functional validation of your application at minimum cost. Not valid for performance and scalability validation. For that you need to use the type of deployments described above. |One Postgres instance that is both coordinator and worker. |Use `-w 0` and load the Citus extension. Use the following parameters if deploying from command line: `-w 0` --extensions Citus. |The Citus extension that provides the Hyperscale capability is loaded. |

+ :::image type="content" source="media/postgres-hyperscale/deployment-parameters.png" alt-text="Diagram that depicts PostgreSQL Hyperscale worker node parameters and associated architecture." border="false":::

+> *In these documents, skip the sections **Sign in to the Azure portal**, and **Create an Azure Database for PostgreSQL - Hyperscale (Citus)**. Implement the remaining steps in your Azure Arc deployment. Those sections are specific to the Azure Database for PostgreSQL Hyperscale (Citus) offered as a PaaS service in the Azure cloud but the other parts of the documents are directly applicable to your Azure Arc-enabled PostgreSQL Hyperscale.

+- Download the latest pre-release Azure Data Studio extension .vsix files from [https://aka.ms/ads-arcdata-ext](https://aka.ms/ads-arcdata-ext) and [https://aka.ms/ads-azcli-ext](https://aka.ms/ads-azcli-ext).

+- Install the extensions by choosing File -> Install Extension from VSIX package and then browsing to the download location of the .vsix files. Install the `azcli` extension first and then `arc`.

+- Resource Sync rule is created automatically when Data Controller is deployed in Direct connected mode. This enables customers to deploy an Azure Arc enabled SQL Managed Instance by directly talking to the kubernetes APIs.

+- [Resource providers for Azure services](../../azure-resource-manager/management/azure-services-resource-providers.md)

+ Title: Resource sync

+description: Synchronize resources for Azure Arc-enabled data services in directly connected mode

+# Resource sync

+Resource sync lets you create, update, or delete resources directly on the Kubernetes cluster using Kubernetes APIs in the direct connected mode, and automatically synchronizes those changes to Azure. This article explains resource sync.

+When you deploy Azure Arc-enabled data services in direct connected mode, the deployment creates a *resource sync* rule. This resource sync rule ensures that the Arc resources such as SQL managed instance created or updated by directly calling the Kubernetes APIs get updated appropriately in the mapped resources in Azure and the resource metadata is continually synced back to Azure. This rule is created within the same resource group as the data controller.

+ > [!NOTE]

+ > The resource sync rule is created by default, during the Azure Arc Data Controller deployment and is only applicable in direct connected mode.

+Without the resource sync rule, the SQL managed instance is created using the following command:

+```azurecli

+az sql mi-arc create --name <name> --resource-group <group> --location <Azure location> -ΓÇôsubscription <subscription> --custom-location <custom-location> --storage-class-backups <RWX capable storageclass>

+```

+In this scenario, first the Azure ARM APIs are called and the mapped Azure resource is created. Once this mapped resource is created successfully, then the Kubernetes API is called to create the SQL managed instance on the Kubernetes cluster.

+With the resource sync rule, you can use the Kubernetes API to create the Arc-enabled SQL managed instance, as follows:

+```azurecli

+az sql mi-arc create --name <name> -k <namespace> --use-k8 --storage-class-backups <RWX capable storageclass>

+```

+In this scenario, the SQL managed instance is directly created in the Kubernetes cluster. The resource sync rule ensures that the equivalent resource in Azure is created as well.

+If the resource sync rule is deleted accidentally, you can add it back to restore the sync functionality by using the below REST API. Refer to Azure REST API reference for guidance on executing REST APIs. Please make sure to use data controller Azure resource subscription and resource group.

+```rest

+https://management.azure.com/subscriptions/{{subscription}}/resourcegroups/{{resource_group}}/providers/microsoft.extendedlocation/customlocations/{{custom_location_name}}/resourcesyncrules/defaultresourcesyncrule?api-version=2021-08-31-preview

+```

+```azurecli

+ "location": "{{Azure region}}",

+ "properties": {

+ "targetResourceGroup": "/subscriptions/{{subscription}}/resourcegroups/{{resource_group_of_ data_controller}}",

+ "priority": 100,

+ "selector": {

+ "matchLabels": {

+ "management.azure.com/resourceProvider": "Microsoft.AzureArcData" //Mandatory

+ }

+ }

+ }

+}

+```

+### Limitations:

+- Resource sync rule does not hydrate Azure Arc Data controller. The Azure Arc Data controller must be deployed via ARM API.

+- Resource sync only applies to the data services such as Arc enabled SQL managed instance, post deployment of Data controller.

+- Resource sync rule does not hydrate Azure Arc enabled PostgreSQL

+- Resource sync rule does not hydrate Azure Arc Active Directory connector

+- Resource sync rule does not hydrate Azure Arc Instance Failover Groups

+## Next steps

+[Create Azure Arc-enabled data controller using Kubernetes tools](create-data-controller-using-kubernetes-native-tools.md)

+> Use the pod name of the Coordinator node of the PostgreSQL Hyperscale server group. Its name is \<server group name\>c-0 (for example postgres01c-0, where c stands for Coordinator node). If you are not sure of the pod name run the command `kubectl get pod`

+You scale out when you add Postgres instances (PostgreSQL Hyperscale worker nodes) to your Azure Arc-enabled PosrgreSQL Hyperscale server group.

+You scale in when you remove Postgres instances (PostgreSQL Hyperscale worker nodes) from your Azure Arc-enabled PosrgreSQL Hyperscale server group.

+- Read the concepts and How-to guides of Azure Database for PostgreSQL Hyperscale to distribute your data across multiple PostgreSQL Hyperscale nodes and to benefit from all the power of Azure Database for PostgreSQL Hyperscale. :

+[Helm charts](https://helm.sh/) help you manage Kubernetes applications by providing the building blocks needed to define, install, and upgrade even the most complex Kubernetes applications. The cluster extension feature builds on top of the packaging components of Helm by providing an Azure Resource Manager-driven experience for installation and lifecycle management of different Azure capabilities on top of your Kubernetes cluster.

+A cluster operator or admin can use the cluster extensions feature to:

+An extension can be [cluster-scoped or scoped to a namespace](extensions.md#extension-scope). Each extension type (such as Azure Monitor for containers, Microsoft Defender for Cloud, Azure App services) defines the scope at which they operate on the cluster.

+> `config-agent` checks for new or updated extension instances on top of Azure Arc-enabled Kubernetes cluster. The agents require connectivity for the desired state of the extension to be pulled down to the cluster. If agents are unable to connect to Azure, propagation of the desired state to the cluster is delayed.

+>

+> Protected configuration settings for an extension instance are stored for up to 48 hours in the Azure Arc-enabled Kubernetes services. As a result, if the cluster remains disconnected during the 48 hours after the extension resource was created on Azure, the extension changes from a `Pending` state to `Failed` state. To prevent this, we recommend bringing clusters online regularly.

+- Use our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).

+- [Deploy cluster extensions](./extensions.md) on your Azure Arc-enabled Kubernetes cluster.

+The following extensions are currently available.

+| [Azure Arc-enabled Data Services](../../azure-arc/kubernetes/custom-locations.md#create-custom-location) | Makes it possible for you to run Azure data services on-premises, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. |

+| [Azure Event Grid on Kubernetes](../../event-grid/kubernetes/overview.md) | Create and manage event grid resources such as topics and event subscriptions on top of Azure Arc-enabled Kubernetes clusters. |

+### Extension scope

+Extension installations on the Arc-enabled Kubernetes cluster are either *cluster-scoped* or *namespace-scoped*.

+A cluster-scoped extension will be installed in the `release-namespace` specified during extension creation. Typically, only one instance of the cluster-scoped extension and its components, such as pods, operators, and Custom Resource Definitions (CRDs), are installed in the release namespace on the cluster.

+A namespace-scoped extension can be installed in a given namespace provided using the `ΓÇônamespace` property. Since the extension can be deployed at a namespace scope, multiple instances of the namespace-scoped extension and its components can run on the cluster. Each extension instance has permissions on the namespace where it is deployed to. All the above extensions are cluster-scoped except Event Grid on Kubernetes.

+All of the extensions listed above are cluster-scoped, except for [Azure API Management on Azure Arc](../../api-management/how-to-deploy-self-hosted-gateway-azure-arc.md) .

+> The service is unable to retain sensitive information for more than 48 hours. If Azure Arc-enabled Kubernetes agents don't have network connectivity for more than 48 hours and cannot determine whether to create an extension on the cluster, then the extension transitions to `Failed` state. Once in `Failed` state, you will need to run `k8s-extension create` again to create a fresh extension Azure resource.

+>

+> Azure Monitor for containers is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor for containers (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart before running `az k8s-extension create`](../../azure-monitor/containers/container-insights-optout-hybrid.md).

+Azure Arc resource bridge (preview) is part of the core Azure Arc platform, and is designed to host other Azure Arc services. In this release, the resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/overview) and VMware.

+The resource bridge is a packaged virtual machine, which hosts a *management* Kubernetes cluster that requires no user management. This virtual appliance delivers the following benefits:

+* Enables VM self-servicing from Azure without having to create and manage a Kubernetes cluster.

+* Fully supported by Microsoft, including updates to core components.

+All management operations are performed from Azure, so no local configuration is required on the appliance.

+Azure Arc resource bridge (preview) hosts other components such as [custom locations](..\platform\conceptual-custom-locations.md), cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports. This complex system is composed of three layers:

+* The base layer that represents the resource bridge and the Arc agents.

+* The platform layer that includes the custom location and cluster extension.

+* Cluster extension: The Azure service deployed to run on-premises. For the preview release, it supports two

+ * Azure Arc-enabled VMware

+ * Azure Arc-enabled Azure Stack HCI

+* Custom locations: A deployment target where you can create Azure resources. It maps to different resource for different Azure services. For example, for Arc-enabled VMware, the custom locations resource maps to an instance of vCenter, and for Arc-enabled Azure Stack HCI, it maps to an HCI cluster instance.

+Custom locations and cluster extension are both Azure resources, which are linked to the Azure Arc resource bridge (preview) resource in Azure Resource Manager. When you create an on-premises VM from Azure, you can select the custom location, and that routes that *create action* to the mapped vCenter or Azure Stack HCI cluster.

+Some resources are unique to the infrastructure. For example, vCenter has a resource pool, network, and template resources. During VM creation, these resources need to be specified. With Azure Stack HCI, you just need to select the custom location, network and template to create a VM.

+To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource is not healthy, it can impact the health of the related resources. For example, if the Arc resource bridge (preview) has been deleted by accident, all the resources hosted in the Arc resource bridge (preview) are impacted. That is, the custom locations and cluster extensions are deleted as a result. The actual VMs are not impacted, as they are running on vCenter, but the management path to those VMs is interrupted, and you won't be able to start or stop the VM from Azure. It is not recommended to manage or modify the Arc resource bridge (preview) using any on-premises applications directly.

+Through Azure Arc resource bridge (preview), you can accomplish the following for each private cloud infrastructure from Azure:

+### VMware vSphere

+By registering resource pools, networks, and VM templates, you can represent a subset of your vCenter resources in Azure to enable self-service. Integration with Azure allows you to manage access to your vCenter resources in Azure to maintain a secure environment. You can also perform various operations on the VMware virtual machines that are enabled by Arc-enabled VMware vSphere:

+* Start, stop, and restart a virtual machine

+* Control access and add Azure tags

+* Add, remove, and update network interfaces

+* Add, remove, and update disks and update VM size (CPU cores and memory)

+* Enable guest management

+* Install extensions

+### Azure Stack HCI

+You can provision and manage on-premises Windows and Linux virtual machines (VMs) running on Azure Stack HCI clusters.

+* East US

+* West Europe

+* To onboard the Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.

+* To read, modify, and delete the Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.

+You may need to allow specific URLs to [ensure outbound connectivity is not blocked](troubleshoot-resource-bridge.md#restricted-outbound-connectivity) by your firewall or proxy server.

+* Learn more about [how Azure Arc-enabled VMware vSphere extends Azure's governance and management capabilities to VMware vSphere infrastructure](../vmware-vsphere/overview.md).

+* Learn more about [provisioning and managing on-premises Windows and Linux VMs running on Azure Stack HCI clusters](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines).

+By default, an Azure Active Directory system-assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) is created and assigned to the Azure Arc resource bridge (preview). Azure Arc resource bridge currently supports only a system-assigned identity. The `clusteridentityoperator` identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure.

+Users and applications who are granted the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) or Administrator role to the resource group can make changes to the resource bridge, including deploying or deleting cluster extensions.

+The Azure Arc resource bridge stores resource information in Azure Cosmos DB. As described in [Encryption at rest in Azure Cosmos DB](../../cosmos-db/database-encryption-at-rest.md), all the data is encrypted at rest.

+The [activity log](../../azure-monitor/essentials/activity-log.md) is a platform log in Azure that provides insight into subscription-level events. This includes tracking when the Azure Arc resource bridge is modified, deleted, or added. You can [view the activity log](../../azure-monitor/essentials/activity-log.md#view-the-activity-log) in the Azure portal or retrieve entries with PowerShell and Azure CLI. By default, activity log events are [retained for 90 days](../../azure-monitor/essentials/activity-log.md#retention-period) and then deleted.

+- Review the [Azure Arc resource bridge (preview) overview](overview.md) to understand more about requirements and technical details.

+- Learn more about [Azure Arc](../overview.md).

+### Restricted outbound connectivity

+If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked.

+URLS:

+| Agent resource | Description |

+|||

+|`https://mcr.microsoft.com`|Microsoft container registry|

+|`https://*.his.arc.azure.com`|Azure Arc Identity service|

+|`https://*.dp.kubernetesconfiguration.azure.com`|Azure Arc configuration service|

+|`https://*.servicebus.windows.net`|Cluster connect|

+|`https://guestnotificationservice.azure.com` |Guest notification service|

+|`https://*.dp.prod.appliances.azure.com`|Resource bridge data plane service|

+|`https://ecpacr.azurecr.io` |Resource bridge container image download |

+|`.blob.core.windows.net`<br> `*.dl.delivery.mp.microsoft.com`<br> `*.do.dsp.mp.microsoft.com` |Resource bridge image download |

+- Caches with more than one replica can't be geo-replicated.

+- Private links can't be added to caches that are already geo-replicated. To add a private link to a geo-replicated cache: 1. Unlink the geo-replication. 2. Add a Private Link. 3. Last, relink the geo-replication.

+Use [Azure Monitor for Azure Cache for Redis](redis-cache-insights-overview.md) for a view of the overall performance, failures, capacity, and operational health of all your Azure Cache for Redis resources. View metrics in a customizable, unified, and interactive experience that lets you drill down into details for individual resources. Azure Monitor for Azure Cache for Redis is based on the [workbooks feature of Azure Monitor](../azure-monitor/visualize/workbooks-overview.md) that provides rich visualizations for metrics and other data. To learn more, see the [Explore Azure Monitor for Azure Cache for Redis](redis-cache-insights-overview.md) article.

+- [Azure Monitor for Azure Cache for Redis](redis-cache-insights-overview.md)

+description: Learn how to create an Azure Cache, an Azure Virtual Network, and a Private Endpoint using the Azure portal.

+- Trying to connect from the Azure portal console is an unsupported scenario where you'll see a connection failure.

+- Private links can't be added to caches that are already geo-replicated. To add a private link to a geo-replicated cache: 1. Unlink the geo-replication. 2. Add a Private Link. 3. Last, relink the geo-replication.

+Reserved capacity is sold in increments of nodes. Each shard contains 2 nodes by default. To buy reserved capacity for a shard, you buy 2 reserved capacity. For the number of nodes calculation, see "View Cost Calculation" on [Pricing calculator](https://azure.microsoft.com/pricing/calculator/). For an explanation of the architecture of a cache, see [A quick summary of cache architecture](cache-failover.md#a-quick-summary-of-cache-architecture).

+ Title: Azure Monitor for Azure Cache for Redis | Microsoft Docs

+description: This article describes the Azure Monitor for Azure Redis Cache feature, which provides cache owners with a quick understanding of performance and utilization problems.

+# Explore Azure Monitor for Azure Cache for Redis

+For all of your Azure Cache for Redis resources, Azure Monitor for Azure Cache for Redis provides a unified, interactive view of:

+- Overall performance

+- Failures

+- Capacity

+- Operational health

+This article helps you understand the benefits of this new monitoring experience. It also shows how to modify and adapt the experience to fit the unique needs of your organization.

+## Introduction

+Before starting the experience, you should understand how Azure Monitor for Azure Cache for Redis visually presents information.

+It delivers:

+- **At scale perspective** of your Azure Cache for Redis resources in a single location across all of your subscriptions. You can selectively scope to only the subscriptions and resources you want to evaluate.

+- **Drill-down analysis** of a particular Azure Cache for Redis resource. You can diagnose problems and see detailed analysis of utilization, failures, capacity, and operations. Select any of these categories to see an in-depth view of relevant information.

+- **Customization** of this experience, which is built atop Azure Monitor workbook templates. The experience lets you change what metrics are displayed and modify or set thresholds that align with your limits. You can save the changes in a custom workbook and then pin workbook charts to Azure dashboards.

+This feature doesn't require you to enable or configure anything. Azure Cache for Redis information is collected by default.

+>[!NOTE]

+>There is no charge to access this feature. You're charged only for the Azure Monitor essential features you configure or enable, as described on the [Azure Monitor pricing details](https://azure.microsoft.com/pricing/details/monitor/) page.

+## View utilization and performance metrics for Azure Cache for Redis

+To view the utilization and performance of your storage accounts across all of your subscriptions, do the following steps:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for **Monitor**, and select **Monitor**.

+ 

+1. Select **Azure Cache for Redis**. If this option isn't present, select **More** > **Azure Cache for Redis**.

+### Overview

+On **Overview**, the table displays interactive Azure Cache for Redis metrics. You can filter the results based on the options you select from the following drop-down lists:

+- **Subscriptions**: Only subscriptions that have an Azure Cache for Redis resource are listed.

+- **Azure Cache for Redis**: You can select all, a subset, or a single Azure Cache for Redis resource.

+- **Time Range**: By default, the table displays the last four hours of information based on the corresponding selections.

+There's a counter tile under the drop-down lists. The tile shows the total number of Azure Cache for Redis resources in the selected subscriptions. Conditional color codes or heat maps for workbook columns report transaction metrics. The deepest color represents the highest value. Lighter colors represent lower values.

+Selecting a drop-down list arrow next to one of the Azure Cache for Redis resources reveals a breakdown of the performance metrics at the individual resource level.

+

+When you select the Azure Cache for Redis resource name highlighted in blue, you see the default **Overview** table for the associated account. It shows these columns:

+- **Used Memory**

+- **Used Memory Percentage**

+- **Server Load**

+- **Server Load Timeline**

+- **CPU**

+- **Connected Clients**

+- **Cache Misses**

+- **Errors (Max)**

+### Operations

+When you select **Operations** at the top of the page, the **Operations** table of the workbook template opens. It shows these columns:

+- **Total Operations**

+- **Total Operations Timeline**

+- **Operations Per Second**

+- **Gets**

+- **Sets**

+

+### Usage

+When you select **Usage** at the top of the page, the **Usage** table of the workbook template opens. It shows these columns:

+- **Cache Read**

+- **Cache Read Timeline**

+- **Cache Write**

+- **Cache Hits**

+- **Cache Misses**

+

+### Failures

+When you select **Failures** at the top of the page, the **Failures** table of the workbook template opens. It shows these columns:

+- **Total Errors**

+- **Failover/Errors**

+- **UnresponsiveClient/Errors**

+- **RDB/Errors**

+- **AOF/Errors**

+- **Export/Errors**

+- **Dataloss/Errors**

+- **Import/Errors**

+

+### Metric definitions

+For a full list of the metric definitions that form these workbooks, check out the [article on available metrics and reporting intervals](./cache-how-to-monitor.md#create-your-own-metrics).

+## View from an Azure Cache for Redis resource

+To access Azure Monitor for Azure Cache for Redis directly from an individual resource:

+1. In the Azure portal, select Azure Cache for Redis.

+2. From the list, choose an individual Azure Cache for Redis resource. In the monitoring section, choose Insights.

+ 

+These views are also accessible by selecting the resource name of an Azure Cache for Redis resource from the Azure Monitor level workbook.

+### Resource-level overview

+On the **Overview** workbook for the Azure Redis Cache, it shows several performance metrics that give you access to:

+- Interactive performance charts showing the most essential details related to Azure Cache for Redis performance.

+- Metrics and status tiles highlighting shard performance, total number of connected clients, and overall latency.

+

+Selecting any of the other tabs for **Performance** or **Operations** opens the respective workbooks.

+### Resource-level performance

+

+### Resource-level operations

+

+## Pin, export, and expand

+To pin any metric section to an [Azure dashboard](../azure-portal/azure-portal-dashboards.md), select the pushpin symbol in the section's upper right.

+

+To export your data into an Excel format, select the down arrow symbol to the left of the pushpin symbol.

+

+To expand or collapse all views in a workbook, select the expand symbol to the left of the export symbol.

+

+## Customize Azure Monitor for Azure Cache for Redis

+Because this experience is built atop Azure Monitor workbook templates, you can select **Customize** > **Edit** > **Save** to save a copy of your modified version into a custom workbook.

+

+Workbooks are saved within a resource group in either the **My Reports** section or the **Shared Reports** section. **My Reports** is available only to you. **Shared Reports** is available to everyone with access to the resource group.

+After you save a custom workbook, go to the workbook gallery to open it.

+

+## Troubleshooting

+For troubleshooting guidance, refer to the dedicated workbook-based insights [troubleshooting article](../azure-monitor/insights/troubleshoot-workbooks.md).

+## Next steps

+* Configure [metric alerts](../azure-monitor/alerts/alerts-metric.md) and [service health notifications](../service-health/alerts-activity-log-service-notifications-portal.md) to set up automated alerts that aid in detecting problems.

+* Learn the scenarios that workbooks support, how to author or customize reports, and more by reviewing [Create interactive reports with Azure Monitor workbooks](../azure-monitor/visualize/workbooks-overview.md).

+|**`FUNCTIONS_WORKER_RUNTIME`** | `dotnet`<br/>`dotnet-isolated`<br/>`node`<br/>`java`<br/>`powershell`<br/>`python`| Indicates the targeted language of the Functions runtime. Required for version 2.x and higher of the Functions runtime. This setting is generated for your project by Core Tools. To learn more, see the [`FUNCTIONS_WORKER_RUNTIME`](functions-app-settings.md#functions_worker_runtime) reference.|

+The Azure FC allocates infrastructure resources to tenants and manages unidirectional communications from the Host OS to Guest VMs. The VM placement algorithm of the Azure FC is highly sophisticated and nearly impossible to predict. The FA resides in the Host OS and it manages tenant VMs. The collection of the Azure Hypervisor, Host OS and FA, and customer VMs constitute a compute node, as shown in Figure 4. FCs manage FAs although FCs exist outside of compute nodes ΓÇô separate FCs exist to manage compute and storage clusters. If you update your applicationΓÇÖs configuration file while running in the MC, the MC communicates through CRP with the FC, and the FC communicates with the FA.

+- **Trusted Path/Channels** ΓÇô Windows implements IPsec, TLS, and HTTPS trusted channels and paths for remote administration, transfer of audit data to the operational environment, and separation of management and operational networks.

+Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Disks with encryption at host enabled aren't encrypted with Azure Storage encryption; instead, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. For more information, see [Encryption at host - End-to-end encryption for your VM data](../virtual-machines/disk-encryption.md#encryption-at-hostend-to-end-encryption-for-your-vm-data). As mentioned previously, [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) for virtual machines and virtual machine scale sets isn't supported by Managed HSM. However, encryption at host with CMK is supported by Managed HSM.

+||Cost Management|consumption.azure.com|consumption.azure.us||

+IL5 separation requirements are stated in Section 5.2.2.3 (Page 51) of the [Cloud Computing SRG](https://public.cyber.mil/dccs/dccs-documents/). The SRG focuses on compute separation during "processing" of IL5 data. This separation ensures that a virtual machine that could potentially compromise the physical host can't affect a DoD workload. To remove the risk of runtime attacks and ensure long running workloads aren't compromised from other workloads on the same host, **all IL5 virtual machines and virtual machine scale sets** should be isolated by DoD mission owners via [Azure Dedicated Host](https://azure.microsoft.com/services/virtual-machines/dedicated-host/) or [isolated virtual machines](../virtual-machines/isolation.md). Doing so provides a dedicated physical server to host your Azure Virtual Machines (VMs) for Windows and Linux.

+The DoD requirements for encrypting data at rest are provided in Section 5.11 (Page 122) of the [Cloud Computing SRG](https://public.cyber.mil/dccs/dccs-documents/). DoD emphasizes encrypting all data at rest stored in virtual machine virtual hard drives, mass storage facilities at the block or file level, and database records where the mission owner doesn't have sole control over the database service. For cloud applications where encrypting data at rest with DoD key control isn't possible, mission owners must perform a risk analysis with relevant data owners before transmitting data into a cloud service offering.

+- When you store images and other artifacts in a Container Registry, Azure automatically encrypts the registry content at rest by using service-managed keys. You can supplement the default encryption with an extra encryption layer by [using a key that you create and manage in Azure Key Vault](../container-registry/container-registry-customer-managed-keys.md).

+Log Analytics may also be used to ingest extra customer-provided logs. These logs may include data ingested as part of operating Microsoft Defender for Cloud or Microsoft Sentinel. If the ingested logs or the queries written against these logs are categorized as IL5 data, then you should configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components. Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see [Azure Monitor customer-managed keys](../azure-monitor/logs/customer-managed-keys.md).

+- Intune supports Impact Level 5 workloads in Azure Government with no extra configuration required. Line-of-business apps should be evaluated for IL5 restrictions prior to [uploading to Intune storage](/mem/intune/apps/apps-add). While Intune does encrypt applications that are uploaded to the service for distribution, it doesn't support customer-managed keys.

+> When you use this encryption method, you need to enable it before you add content to the storage account. Any content that's added before the customer-managed key is configured will be protected with Microsoft-managed keys.

+| Red Hat Enterprise Linux Server 8.5, 8.6 | X | X | | |

+All configuration options have been moved towards the end of the script. This placement avoids accidentally introducing JavaScript errors that wouldn't just cause the SDK to fail to load, but also it would disable the reporting of the failure.

+Microsoft announces feature deprecations or breaking changes at least one year in advance and strives to provide a seamless process for migration to the replacement experience.

+For more information, review the [Azure SDK Lifecycle and Support Policy](https://azure.github.io/azure-sdk/policies_support.html).

+|Latest stable minor version of a GA SDK | Newer supported stable version | **UPDATE REQUIRED** |

+|Unsupported ([support policy](/lifecycle/faq/azure)) | Any supported version | **UPDATE REQUIRED** |

+* Maximum of 45 characters for column names.

+| [Azure Monitor for Azure Cache for Redis (preview)](../azure-cache-for-redis/redis-cache-insights-overview.md) | GA | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/redisCacheInsights) | Provides a unified, interactive view of overall performance, failures, capacity, and operational health |

+ | [Azure Cache for Redis](../azure-cache-for-redis/index.yml) | Microsoft.Cache/Redis | [**Yes**](./essentials/metrics-supported.md#microsoftcacheredis) | [**Yes**](./essentials/resource-logs-categories.md#microsoftcacheredis) | [Azure Monitor for Azure Cache for Redis (preview)](../azure-cache-for-redis/redis-cache-insights-overview.md) | |

+ | [Azure Cache for Redis](../azure-cache-for-redis/index.yml) | Microsoft.Cache/redisEnterprise | [**Yes**](./essentials/metrics-supported.md#microsoftcacheredisenterprise) | No | [Azure Monitor for Azure Cache for Redis (preview)](../azure-cache-for-redis/redis-cache-insights-overview.md) | |

+ Title: Move and Azure Workbook template to another region

+# Create an Azure Workbook

+# Get started with Azure Workbooks

+# Use JSONPath to transform JSON data in workbooks

+## Create a text parameter

+## Reference a text parameter

+## Set the default values using queries

+## Add validations

+ Title: Use MSBuild to convert Bicep to JSON

+description: Use MSBuild to convert a Bicep file to Azure Resource Manager template (ARM template) JSON.

+# Customer intent: As a developer I want to convert Bicep files to Azure Resource Manager template (ARM template) JSON in an MSBuild pipeline.

+# Quickstart: Use MSBuild to convert Bicep to JSON

+This article describes how to use MSBuild to convert a Bicep file to Azure Resource Manager template (ARM template) JSON. The examples use MSBuild from the command line with C# project files that convert Bicep to JSON. The project files are examples that can be used in an MSBuild continuous integration (CI) pipeline.

+## Prerequisites

+You'll need the latest versions of the following software:

+- [Visual Studio](/visualstudio/install/install-visual-studio). The free community version will install .NET 6.0, .NET Core 3.1, .NET SDK, MSBuild, .NET Framework 4.8, NuGet package manager, and C# compiler. From the installer, select **Workloads** > **.NET desktop development**.

+- [Visual Studio Code](https://code.visualstudio.com/) with the extensions for [Bicep](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep) and [Azure Resource Manager (ARM) Tools](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools).

+- [PowerShell](/powershell/scripting/install/installing-powershell) or a command-line shell for your operating system.

+## MSBuild tasks and CLI packages

+If your existing continuous integration (CI) pipeline relies on [MSBuild](/visualstudio/msbuild/msbuild), you can use MSBuild tasks and CLI packages to convert Bicep files into ARM template JSON.

+The functionality relies on the following NuGet packages. The latest NuGet package versions match the latest Bicep version.

+| Package Name | Description |

+| - |- |

+| [Azure.Bicep.MSBuild](https://www.nuget.org/packages/Azure.Bicep.MSBuild) | Cross-platform MSBuild task that invokes the Bicep CLI and compiles Bicep files into ARM template JSON. |

+| [Azure.Bicep.CommandLine.win-x64](https://www.nuget.org/packages/Azure.Bicep.CommandLine.win-x64) | Bicep CLI for Windows. |

+| [Azure.Bicep.CommandLine.linux-x64](https://www.nuget.org/packages/Azure.Bicep.CommandLine.linux-x64) | Bicep CLI for Linux. |

+| [Azure.Bicep.CommandLine.osx-x64](https://www.nuget.org/packages/Azure.Bicep.CommandLine.osx-x64) | Bicep CLI for macOS. |

+### Azure.Bicep.MSBuild package

+When referenced in a project file's `PackageReference` the `Azure.Bicep.MSBuild` package imports the `Bicep` task that's used to invoke the Bicep CLI. The package converts its output into MSBuild errors and the `BicepCompile` target that's used to simplify the `Bicep` task's usage. By default the `BicepCompile` runs after the `Build` target and compiles all `@(Bicep)` items and places the output in `$(OutputPath)` with the same file name and the _.json_ extension.

+The following example compiles _one.bicep_ and _two.bicep_ files in the same directory as the project file and places the compiled _one.json_ and _two.json_ in the `$(OutputPath)` directory.

+```xml

+<ItemGroup>

+ <Bicep Include="one.bicep" />

+ <Bicep Include="two.bicep" />

+</ItemGroup>

+```

+You can override the output path per file using the `OutputFile` metadata on `Bicep` items. The following example will recursively find all _main.bicep_ files and place the compiled _.json_ files in `$(OutputPath)` under a subdirectory with the same name in `$(OutputPath)`:

+```xml

+<ItemGroup>

+ <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />

+</ItemGroup>

+```

+More customizations can be performed by setting one of the following properties in your project:

+| Property Name | Default Value | Description |

+| - |- | - |

+| `BicepCompileAfterTargets` | `Build` | Used as `AfterTargets` value for the `BicepCompile` target. Change the value to override the scheduling of the `BicepCompile` target in your project. |

+| `BicepCompileDependsOn` | None | Used as `DependsOnTargets` value for the `BicepCompile` target. This property can be set to targets that you want `BicepCompile` target to depend on. |

+| `BicepCompileBeforeTargets` | None | Used as `BeforeTargets` value for the `BicepCompile` target. |

+| `BicepOutputPath` | `$(OutputPath)` | Set this property to override the default output path for the compiled ARM template. `OutputFile` metadata on `Bicep` items takes precedence over this value. |

+The `Azure.Bicep.MSBuild` requires the `BicepPath` property to be set either in order to function. You may set it by referencing the appropriate `Azure.Bicep.CommandLine.*` package for your operating system or manually by installing the Bicep CLI and setting the `BicepPath` environment variable or MSBuild property.

+### Azure.Bicep.CommandLine packages

+The `Azure.Bicep.CommandLine.*` packages are available for Windows, Linux, and macOS. When referenced in a project file via a `PackageReference`, the `Azure.Bicep.CommandLine.*` packages set the `BicepPath` property to the full path of the Bicep executable for the platform. The reference to this package may be omitted if Bicep CLI is installed through other means and the `BicepPath` environment variable or MSBuild property are set accordingly.

+### SDK-based examples

+The following examples contain a default Console App SDK-based C# project file that was modified to convert Bicep files into ARM templates. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

+The .NET Core 3.1 and .NET 6 examples are similar. But .NET 6 uses a different format for the _Program.cs_ file. For more information, see [.NET 6 C# console app template generates top-level statements](/dotnet/core/tutorials/top-level-templates).

+### .NET 6

+In this example, the `RootNamespace` property contains a placeholder value. When you create a project file, the value matches your project's name.

+```xml

+<Project Sdk="Microsoft.NET.Sdk">

+ <PropertyGroup>

+ <OutputType>Exe</OutputType>

+ <TargetFramework>net6.0</TargetFramework>

+ <RootNamespace>net6-sdk-project-name</RootNamespace>

+ <ImplicitUsings>enable</ImplicitUsings>

+ <Nullable>enable</Nullable>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Azure.Bicep.CommandLine.win-x64" Version="__LATEST_VERSION__" />

+ <PackageReference Include="Azure.Bicep.MSBuild" Version="__LATEST_VERSION__" />

+ </ItemGroup>

+ <ItemGroup>

+ <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />

+ </ItemGroup>

+</Project>

+```

+### .NET Core 3.1

+```xml

+<Project Sdk="Microsoft.NET.Sdk">

+ <PropertyGroup>

+ <OutputType>Exe</OutputType>

+ <TargetFramework>netcoreapp3.1</TargetFramework>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Azure.Bicep.CommandLine.win-x64" Version="__LATEST_VERSION__" />

+ <PackageReference Include="Azure.Bicep.MSBuild" Version="__LATEST_VERSION__" />

+ </ItemGroup>

+ <ItemGroup>

+ <Bicep Include="**\main.bicep" OutputFile="$(OutputPath)\%(RecursiveDir)\%(FileName).json" />

+ </ItemGroup>

+</Project>

+```

+### NoTargets SDK

+The following example contains a project that converts Bicep files into ARM templates using [Microsoft.Build.NoTargets](https://www.nuget.org/packages/Microsoft.Build.NoTargets). This SDK allows creation of standalone projects that compile only Bicep files. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

+For [Microsoft.Build.NoTargets](/dotnet/core/project-sdk/overview#project-files), specify a version like `Microsoft.Build.NoTargets/3.5.6`.

+```xml

+<Project Sdk="Microsoft.Build.NoTargets/__LATEST_VERSION__">

+ <PropertyGroup>

+ <TargetFramework>net48</TargetFramework>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Azure.Bicep.CommandLine.win-x64" Version="__LATEST_VERSION__" />

+ <PackageReference Include="Azure.Bicep.MSBuild" Version="__LATEST_VERSION__" />

+ </ItemGroup>

+ <ItemGroup>

+ <Bicep Include="main.bicep"/>

+ </ItemGroup>

+</Project>

+```

+### Classic framework

+The following example converts Bicep to JSON inside a classic project file that's not SDK-based. Only use the classic example if the previous examples don't work for you. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

+In this example, the `ProjectGuid`, `RootNamespace` and `AssemblyName` properties contain placeholder values. When you create a project file, a unique GUID is created and the name values match your project's name.

+```xml

+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+ <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />

+ <PropertyGroup>

+ <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>

+ <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>

+ <ProjectGuid>{11111111-1111-1111-1111-111111111111}</ProjectGuid>

+ <OutputType>Exe</OutputType>

+ <RootNamespace>ClassicFramework</RootNamespace>

+ <AssemblyName>ClassicFramework</AssemblyName>

+ <TargetFrameworkVersion>v4.8</TargetFrameworkVersion>

+ <FileAlignment>512</FileAlignment>

+ <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>

+ <Deterministic>true</Deterministic>

+ </PropertyGroup>

+ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">

+ <PlatformTarget>AnyCPU</PlatformTarget>

+ <DebugSymbols>true</DebugSymbols>

+ <DebugType>full</DebugType>

+ <Optimize>false</Optimize>

+ <OutputPath>bin\Debug\</OutputPath>

+ <DefineConstants>DEBUG;TRACE</DefineConstants>

+ <ErrorReport>prompt</ErrorReport>

+ <WarningLevel>4</WarningLevel>

+ </PropertyGroup>

+ <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">

+ <PlatformTarget>AnyCPU</PlatformTarget>

+ <DebugType>pdbonly</DebugType>

+ <Optimize>true</Optimize>

+ <OutputPath>bin\Release\</OutputPath>

+ <DefineConstants>TRACE</DefineConstants>

+ <ErrorReport>prompt</ErrorReport>

+ <WarningLevel>4</WarningLevel>

+ </PropertyGroup>

+ <ItemGroup>

+ <Reference Include="System" />

+ <Reference Include="System.Core" />

+ <Reference Include="System.Xml.Linq" />

+ <Reference Include="System.Data.DataSetExtensions" />

+ <Reference Include="Microsoft.CSharp" />

+ <Reference Include="System.Data" />

+ <Reference Include="System.Net.Http" />

+ <Reference Include="System.Xml" />

+ </ItemGroup>

+ <ItemGroup>

+ <Compile Include="Program.cs" />

+ <Compile Include="Properties\AssemblyInfo.cs" />

+ </ItemGroup>

+ <ItemGroup>

+ <None Include="App.config" />

+ <Bicep Include="main.bicep" />

+ </ItemGroup>

+ <ItemGroup>

+ <PackageReference Include="Azure.Bicep.CommandLine.win-x64">

+ <Version>__LATEST_VERSION__</Version>

+ </PackageReference>

+ <PackageReference Include="Azure.Bicep.MSBuild">

+ <Version>__LATEST_VERSION__</Version>

+ </PackageReference>

+ </ItemGroup>

+ <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />

+</Project>

+```

+## Convert Bicep to JSON

+The following examples show how MSBuild converts a Bicep file to JSON. Follow the instructions to create one of the project files for .NET, .NET Core 3.1, or Classic framework. Then continue to create the Bicep file and run MSBuild.

+# [.NET](#tab/dotnet)

+Build a project in .NET with the dotnet CLI.

+1. Open Visual Studio code and select **Terminal** > **New Terminal** to start a PowerShell session.

+1. Create a directory named _bicep-msbuild-demo_ and go to the directory. This example uses _C:\bicep-msbuild-demo_.

+ ```powershell

+ New-Item -Name .\bicep-msbuild-demo -ItemType Directory

+ Set-Location -Path .\bicep-msbuild-demo

+ ```

+1. Run the `dotnet` command to create a new console with the .NET 6 framework.

+ ```powershell

+ dotnet new console --framework net6.0

+ ```

+ The project file uses the same name as your directory, _bicep-msbuild-demo.csproj_. For more information about how to create a console application from Visual Studio Code, see the [tutorial](/dotnet/core/tutorials/with-visual-studio-code).

+1. Replace the contents of _bicep-msbuild-demo.csproj_ with the [.NET 6](#net-6) or [NoTargets SDK](#notargets-sdk) examples.

+1. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

+1. Save the file.

+# [.NET Core 3.1](#tab/netcore31)

+Build a project in .NET Core 3.1 using the dotnet CLI.

+1. Open Visual Studio code and select **Terminal** > **New Terminal** to start a PowerShell session.

+1. Create a directory named _bicep-msbuild-demo_ and go to the directory. This example uses _C:\bicep-msbuild-demo_.

+ ```powershell

+ New-Item -Name .\bicep-msbuild-demo -ItemType Directory

+ Set-Location -Path .\bicep-msbuild-demo

+ ```

+1. Run the `dotnet` command to create a new console with the .NET 6 framework.

+ ```powershell

+ dotnet new console --framework netcoreapp3.1

+ ```

+ The project file is named the same as your directory, _bicep-msbuild-demo.csproj_. For more information about how to create a console application from Visual Studio Code, see the [tutorial](/dotnet/core/tutorials/with-visual-studio-code).

+1. Replace the contents of _bicep-msbuild-demo.csproj_ with the [.NET Core 3.1](#net-core-31) or [NoTargets SDK](#notargets-sdk) examples.

+1. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

+1. Save the file.

+# [Classic framework](#tab/classicframework)

+Build a project using the classic framework.

+To create the project file and dependencies, use Visual Studio.

+1. Open Visual Studio.

+1. Select **Create a new project**.

+1. For the C# language, select **Console App (.NET Framework)** and select **Next**.

+1. Enter a project name. For this example, use _bicep-msbuild-demo_ for the project.

+1. Select **Place solution and project in same directory**.

+1. Select **.NET Framework 4.8**.

+1. Select **Create**.

+If you know how to unload a project and reload a project, you can edit _bicep-msbuild-demo.csproj_ in Visual Studio.

+Otherwise, edit the project file in Visual Studio Code.

+1. Open Visual Studio Code and go to the _bicep-msbuild-demo_ directory.

+1. Replace _bicep-msbuild-demo.csproj_ with the [Classic framework](#classic-framework) code sample.

+1. Replace `__LATEST_VERSION__` with the latest version of the Bicep NuGet packages.

+1. Save the file.

+### Create Bicep file

+You'll need a Bicep file that will be converted to JSON.

+1. Use Visual Studio Code and create a new file.

+1. Copy the following sample and save it as _main.bicep_ in the _C:\bicep-msbuild-demo_ directory.

+```bicep

+@allowed([

+ 'Premium_LRS'

+ 'Premium_ZRS'

+ 'Standard_GRS'

+ 'Standard_GZRS'

+ 'Standard_LRS'

+ 'Standard_RAGRS'

+ 'Standard_RAGZRS'

+ 'Standard_ZRS'

+])

+@description('Storage account type.')

+param storageAccountType string = 'Standard_LRS'

+@description('Location for all resources.')

+param location string = resourceGroup().location

+var storageAccountName = 'storage${uniqueString(resourceGroup().id)}'

+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {

+ name: storageAccountName

+ location: location

+ sku: {

+ name: storageAccountType

+ }

+ kind: 'StorageV2'

+}

+output storageAccountNameOutput string = storageAccount.name

+```

+### Run MSBuild

+Run MSBuild to convert the Bicep file to JSON.

+1. Open a Visual Studio Code terminal session.

+1. In the PowerShell session, go to the _C:\bicep-msbuild-demo_ directory.

+1. Run MSBuild.

+ ```powershell

+ MSBuild.exe -restore .\bicep-msbuild-demo.csproj

+ ```

+ The `restore` parameter creates dependencies needed to compile the Bicep file during the initial build. The parameter is optional after the initial build.

+1. Go to the output directory and open the _main.json_ file that should look like the sample.

+ MSBuild creates an output directory based on the SDK or framework version:

+ - .NET 6: _\bin\Debug\net6.0_

+ - .NET Core 3.1: _\bin\Debug\netcoreapp3.1_

+ - NoTargets SDK: _\bin\Debug\net48_

+ - Classic framework: _\bin\Debug_

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "metadata": {

+ "_generator": {

+ "name": "bicep",

+ "version": "0.8.9.13224",

+ "templateHash": "12345678901234567890"

+ }

+ },

+ "parameters": {

+ "storageAccountType": {

+ "type": "string",

+ "defaultValue": "Standard_LRS",

+ "metadata": {

+ "description": "Storage account type."

+ },

+ "allowedValues": [

+ "Premium_LRS",

+ "Premium_ZRS",

+ "Standard_GRS",

+ "Standard_GZRS",

+ "Standard_LRS",

+ "Standard_RAGRS",

+ "Standard_RAGZRS",

+ "Standard_ZRS"

+ ]

+ },

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]",

+ "metadata": {

+ "description": "Location for all resources."

+ }

+ }

+ },

+ "variables": {

+ "storageAccountName": "[format('storage{0}', uniqueString(resourceGroup().id))]"

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Storage/storageAccounts",

+ "apiVersion": "2021-09-01",

+ "name": "[variables('storageAccountName')]",

+ "location": "[parameters('location')]",

+ "sku": {

+ "name": "[parameters('storageAccountType')]"

+ },

+ "kind": "StorageV2"

+ }

+ ],

+ "outputs": {

+ "storageAccountNameOutput": {

+ "type": "string",

+ "value": "[variables('storageAccountName')]"

+ }

+ }

+ }

+ ```

+If you make changes or want to rerun the build, delete the output directory so new files can be created.

+## Clean up resources

+When you're finished with the files, delete the directory. For this example, delete _C:\bicep-msbuild-demo_.

+```powershell

+Remove-Item -Path "C:\bicep-msbuild-demo" -Recurse

+```

+## Next steps

+- For more information about MSBuild, see [MSBuild reference](/visualstudio/msbuild/msbuild-reference) and [.NET project files](/dotnet/core/project-sdk/overview#project-files).

+- To learn more about MSBuild properties, items, targets, and tasks, see [MSBuild concepts](/visualstudio/msbuild/msbuild-concepts).

+- For more information about the .NET CLI, see [.NET CLI overview](/dotnet/core/tools/).

+[Enable HCX access over the internet](enable-hcx-access-over-internet.md)

+ Title: Enable SQL Azure hybrid benefit for Azure VMware Solution (Preview)

+description: This article shows you how to apply SQL Azure hybrid benefits to your Azure VMware Solution private cloud by configuring a placement policy.

+# Enable SQL Azure hybrid benefit for Azure VMware Solution (Preview)

+In this article, youΓÇÖll learn how to apply SQL Azure hybrid benefits to an Azure VMware Solution private cloud by configuring a placement policy. The placement policy defines the number of hosts that are running SQL.

+>[!IMPORTANT]

+> It is important to note that SQL benefits are applied at the host level.

+For example, if each host in Azure VMware Solution has 36 cores and you signal that two hosts run SQL, then SQL Azure hybrid benefit will apply to 72 cores.

+## Configure host-VM placement policy

+1. From your Azure VMware Solution private cloud, select Azure hybrid benefit, then Create host-VM placement policy.

+ :::image type="content" source="media/sql-azure-hybrid-benefit/azure-hybrid-benefit.png" alt-text="Diagram that shows how to create a host new virtual machine placement policy.":::

+1. Fill in the required fields for creating the placement policy.

+ 1. **Name** ΓÇô Select the name that identifies this policy.

+ 2. **Type** ΓÇô Select the type of policy. This type must be VM-Host affinity only.

+ 3. **Azure hybrid benefit** ΓÇô Select the checkbox to apply the SQL Azure hybrid benefit.

+ 4. **Cluster** ΓÇô Select the necessary cluster. The policy is applicable per cluster only.

+ 1. **Enabled** ΓÇô Select enabled to apply the policy immediately once created.

+

+ :::image type="content" source="media/sql-azure-hybrid-benefit/create-placement-policy.png" alt-text="Diagram that shows how to create a host virtual machine placement policy using the host VM affinity.":::

+3. Select the hosts and VMs that will be applied to the VM-Host affinity policy.

+ 1. **Add Hosts** ΓÇô Select the hosts that will be running SQL.

+ 2. **Add VMs** ΓÇô Select the VMs that should run on the selected hosts.

+ 3. **Review and Create** the policy.

+ :::image type="content" source="media/sql-azure-hybrid-benefit/select-policy-host.png" alt-text="Diagram that shows how to create a host virtual machine affinity.":::

+## Manage placement policies

+After creating the placement policy, you can review, manage, or edit the policy by way of the Placement policies menu in the Azure VMware Solution private cloud.

+By checking the Azure hybrid benefit checkbox in the configuration setting, you can enable existing host-VM affinity policies with the SQL Azure hybrid benefit.

+## Next steps

+[Azure Hybrid Benefit](https://azure.microsoft.com/pricing/hybrid-benefit/)

+[Attach Azure NetApp Files datastores to Azure VMware Solution hosts (Preview)](attach-azure-netapp-files-to-azure-vmware-solution-hosts.md)

+This article shows you how to securely and seamlessly create an SSH connection to your Windows VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also connect to a Windows VM using RDP. For information, see [Create an RDP connection to a Windows VM](bastion-connect-vm-rdp-windows.md).

+You may use a private DNS zone ending with one of the names listed above (ex: privatelink.blob.core.windows.net).

+ az network bastion rdp --name "<BastionName>" --resource-group "<BastionResourceGroupName>" --target-resource-id "<VMResourceId>"

+* An excel file (.xlsx) containing time series data points.

+Each time you iterate on your model to improve it, don't add large quantities of utterances. Consider adding utterances in quantities of 15. Then [Train](/azure/cognitive-services/luis/luis-how-to-train), [publish](/azure/cognitive-services/luis/luis-how-to-publish-app), and [test](/azure/cognitive-services/luis/luis-interactive-test) again.

+* [Patterns and features concepts](patterns-features.md)

+| Somali (Somalia) | `so-SO` |

+| Welsh (United Kingdom) | `cy-GB` |

+| Chinese (Mandarin, Simplified) | `zh-CN-liaoning` | Female | `zh-CN-liaoning-XiaobeiNeural` ^New | General, Liaoning accent |

+| Chinese (Mandarin, Simplified) | `zh-CN-sichuan` | Male | `zh-CN-sichuan-YunxiSichuanNeural` ^New | General, Sichuan accent |

+ "supportsAdaptationsWith": [

+ "Acoustic",

+ "Language",

+ "LanguageMarkdown",

+The following content types are supported for the `interpret-as` and `format` attributes. Include the `format` attribute only if `format` column is not empty in the table below.

+| `duration` | hms, hm, ms | The text is spoken as a duration. The `format` attribute specifies the duration's format (*h=hour, m=minute, and s=second*). The speech synthesis engine pronounces:<br /><br />`<say-as interpret-as="duration">01:18:30</say-as>`<br /><br /> As "one hour eighteen minutes and thirty seconds".<br />Pronounces:<br /><br />`<say-as interpret-as="duration" format="ms">01:18</say-as>`<br /><br /> As "one minute and eighteen seconds".<br />This tag is only supported on English and Spanish.|

+|Localization Interchange File Format|xlf| A parallel document format, export of Translation Memory systems. The languages used are defined inside the file.|

+> Just getting started with Azure Cognitive Service for Language? See the [overview article](../overview.md) for details on the service, available features, and links to quickstarts for information on the current version of the API.

+If your applications are still using the Text Analytics API, or client library (before stable v5.1.0), this article will help you upgrade your applications to use the latest version of the [Azure Cognitive Service for language](../overview.md) features.

+## Unified Language endpoint (REST API)

+This section applies to applications that use the older `/text/analytics/...` endpoint format for REST API calls. For example:

+```http

+https://<your-custom-subdomain>.cognitiveservices.azure.com/text/analytics/<version>/<feature>

+```

+If your application uses the above endpoint format, the REST API endpoint for the following Language service features has changed:

+* [Entity linking](../entity-linking/quickstart.md?pivots=rest-api)

+* [Key phrase extraction](../key-phrase-extraction/quickstart.md?pivots=rest-api)

+* [Language detection](../language-detection/quickstart.md?pivots=rest-api)

+* [Named entity recognition (NER)](../named-entity-recognition/quickstart.md?pivots=rest-api)

+* [Personally Identifying Information (PII) detection](../personally-identifiable-information/quickstart.md?pivots=rest-api)

+* [Sentiment analysis and opinion mining](../sentiment-opinion-mining/quickstart.md?pivots=rest-api)

+* [Text analytics for health](../text-analytics-for-health/quickstart.md?pivots=rest-api)

+The Language service now provides a unified endpoint for sending REST API requests to these features. If your application uses the REST API, update its request endpoint to use the current endpoint:

+```http

+https://<your-language-resource-endpoint>/language/:analyze-text?api-version=2022-05-01

+```

+Additionally, the format of the JSON request body has changed. You'll need to update the request structure that your application sends to the API, for example the following entity recognition JSON body:

+```json

+{

+ "kind": "EntityRecognition",

+ "parameters": {

+ "modelVersion": "latest"

+ },

+ "analysisInput":{

+ "documents":[

+ {

+ "id":"1",

+ "language": "en",

+ "text": "I had a wonderful trip to Seattle last week."

+ }

+ ]

+ }

+}

+```

+Use the quickstarts linked above to see current example REST API calls for the feature(s) you're using, and the associated API output.

+## Client libraries

+To use the latest version of the client library, you will need to download the latest software package in the `Azure.AI.TextAnalytics` namespace. See the quickstart articles linked above for example code and instructions for using the client library in your preferred language.

+<!--[!INCLUDE [SDK target versions](../includes/sdk-target-versions.md)]-->

+## Version 2.1 functionality changes

+If you're migrating an application from v2.1 of the API, there are several changes to feature functionality you should be aware of.

+### Sentiment analysis v2.1

+[Sentiment Analysis](../sentiment-opinion-mining/quickstart.md) in version 2.1 returns sentiment scores between 0 and 1 for each document sent to the API, with scores closer to 1 indicating more positive sentiment. The current version of this feature returns sentiment labels (such as "positive" or "negative") for both the sentences and the document as a whole, and their associated confidence scores.

+### NER, PII, and entity linking v2.1

+In version 2.1, the Text Analytics API used one endpoint for Named Entity Recognition (NER) and entity linking. The current version of this feature provides expanded named entity detection, and has separate endpoints for [NER](../named-entity-recognition/quickstart.md?pivots=rest-api) and [entity linking](../entity-linking/quickstart.md?pivots=rest-api) requests. Additionally, you can use another feature offered in the Language service that lets you detect [detect personal (PII) and health (PHI) information](../personally-identifiable-information/overview.md).

+### Version 2.1 entity categories

+### Language detection v2.1

+The [language detection](../language-detection/quickstart.md) feature output has changed in the current version. The JSON response will contain `ConfidenceScore` instead of `score`. The current version also only returns one language for each document.

+### Key phrase extraction v2.1

+The key phrase extraction feature functionality currently has not changed outside of the endpoint and request format.

+* [What is Azure Cognitive Service for Language?](../overview.md)

+* [Language service developer guide](developer-guide.md)

+* See the following reference documentation for information on previous API versions.

+ * [Version 2.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v2-1/operations/56f30ceeeda5650db055a3c9)

+ * [Version 3.0](https://westus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-0/operations/Sentiment)

+ * [Version 3.1](https://westcentralus.dev.cognitive.microsoft.com/docs/services/TextAnalytics-v3-1/operations/Sentiment)

+* Use the following quickstart guides to see examples for the current version of these features.

+ * [Entity linking](../entity-linking/quickstart.md)

+ * [Key phrase extraction](../key-phrase-extraction/quickstart.md)

+ * [Named entity recognition (NER)](../named-entity-recognition/quickstart.md)

+ * [Language detection](../language-detection/quickstart.md)

+ * [Personally Identifying Information (PII) detection](../personally-identifiable-information/quickstart.md)

+ * [Sentiment analysis and opinion mining](../sentiment-opinion-mining/quickstart.md)

+ * [Text analytics for health](../text-analytics-for-health/quickstart.md)

+

+### Pricing example: Outbound Call from a Dynamics 365 Omnichannel (D365 OC) agent application via Azure Communication Services direct routing

+Alice is a D365 contact center agent, who makes an outbound call from D365 OC to a telephone number (Bob) via Azure Communication Services direct routing.

+- Alice uses D365 OC client application

+- D365 OC bot starts new outgoing call via direct routing

+- Call goes to a Session Border Controller (SBC) connected via Communication Services direct routing

+- D365 OC bot adds Alice to a call by escalating the direct routing call to a group call

+- The call lasts a total of 10 minutes.

+**Cost calculations**

+- One participant on the VoIP leg (Alice) from D365 OC client application x 10 minutes x $0.004 per participant leg per minute = $0.04

+- One participant on the Communication Services direct routing outbound leg (Bob) from Communication Services servers to an SBC x 10 minutes x $0.004 per participant leg per minute = $0.04.

+- D365 OC bot does not introduce additional ACS charges.

+**Total cost for the call**: $0.04 + $0.04 = $0.08

+## Direct routing pricing

+For Azure Communication Services direct routing there is a flat rate regardless of the geography:

+|Number type |To make calls |To receive calls|

+|--|--||

+|Direct routing|USD 0.0040/min|USD 0.0040/min |

+You can find your current Teams license using [licenseDetails](/graph/api/resources/licensedetails) Microsoft Graph API that returns licenses assigned to a user. Follow the steps below to use the Graph Explorer tool to view licenses assigned to a user:

+- [Service limits](service-limits.md)

+You can find your current Teams license using [licenseDetails](/graph/api/resources/licensedetails) Microsoft Graph API that returns licenses assigned to a user.

+ Title: Quickstart - Call to a telephone number

+# Quickstart: Outbound call to a telephone number

+### Securing your Azure Blob Storage Container

+Note that the tutorial above assumes that your Azure blob storage container allows public access to the files you upload. Making your Azure storage containers public isn't recommended for real world production applications.

+For downloading the files you upload to Azure blob storage, you can use shared access signatures (SAS). A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data.

+The downloadable [GitHub sample](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/ui-library-filesharing-chat-composite) showcases the use of SAS for creating SAS URLs to Azure Storage contents. Additionally, you can [read more about SAS](/azure/storage/common/storage-sas-overview).

+- [Learn about authentication](../concepts/authentication.md)

+[Azure App Service](../app-service/index.yml) provides fully managed hosting for web applications including websites and web APIs. These web applications may be deployed using code or containers. Azure App Service is optimized for web applications. Azure App Service is integrated with other Azure services including Azure Container Apps or Azure Functions. When building web apps, Azure App Service is an ideal option.

+[Azure Container Instances (ACI)](../container-instances/index.yml) provides a single pod of Hyper-V isolated containers on demand. It can be thought of as a lower-level "building block" option compared to Container Apps. Concepts like scale, load balancing, and certificates are not provided with ACI containers. For example, to scale to five container instances, you create five distinct container instances. Azure Container Apps provide many application-specific concepts on top of containers, including certificates, revisions, scale, and environments. Users often interact with Azure Container Instances through other services. For example, Azure Kubernetes Service can layer orchestration and scale on top of ACI through [virtual nodes](../aks/virtual-nodes.md). If you need a less "opinionated" building block that doesn't align with the scenarios Azure Container Apps is optimizing for, Azure Container Instances is an ideal option.

+> [Deploy your first container app](get-started.md)

+When you deploy an internal or an external environment into your own network, a new resource group prefixed with `MC_` is created in the Azure subscription where your environment is hosted. This resource group contains infrastructure components managed by the Azure Container Apps platform, and shouldn't be modified. The resource group contains Public IP addresses used specifically for outbound connectivity from your environment and a load balancer. In addition to the [Azure Container Apps billing](./billing.md), you will be billed for the following:

+- [Deploy with an internal environment](vnet-custom-internal.md)

+[cloud-shell-bash]: ../cloud-shell/overview.md

+## Prerequisites

+> [!NOTE}

+> Due to some current limitations, not all limit increase requests are guaranteed to be approved.

+* If you would like to use this sku for your production container deployments, create an [Azure Support request](https://azure.microsoft.com/support) to increase the limit.

+* Depending on your subscription type, [certain ports may be blocked](../virtual-network/network-security-groups-overview.md#azure-platform-considerations).

+[az-network-profile-list]: /cli/azure/network/profile#az_network_profile_list

+The following table lists the operations that Azure Container Instances may record in the Activity log. This is a subset of the possible entries you might find in the activity log. You can also find this information in the [Azure role-based access control (RBAC) Resource provider operations documentation](../role-based-access-control/resource-provider-operations.md#microsoftcontainerinstance).

+See [all the possible resource provider operations in the activity log](../role-based-access-control/resource-provider-operations.md).

+For more information on the schema of Activity Log entries, see [Activity Log schema](../azure-monitor/essentials/activity-log-schema.md).

+- See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.

+This article describes the monitoring data generated by Azure Container Instances. Azure Container Instances includes built-in support for [Azure Monitor](../azure-monitor/overview.md). If you're unfamiliar with the features of Azure Monitor common to all Azure services that use it, read [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md).

+Azure Container Instances collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data-from-azure-resources).

+You can analyze metrics for *Azure Container Instances* with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for details on using this tool.

+For reference, you can see a list of [all resource metrics supported in Azure Monitor](../azure-monitor/essentials/metrics-supported.md).

+All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](../azure-monitor/essentials/resource-logs-schema.md) The schema for Azure Container Instances resource logs is found in the [Azure Container Instances Data Reference](monitor-azure-container-instances-reference.md#schemas).

+The [Activity log](../azure-monitor/essentials/activity-log.md) is a type of Azure platform log that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics. You can see a list of the kinds of operations that will be logged in the [Azure Container Instances Data Reference](monitor-azure-container-instances-reference.md#activity-log)

+> When you select **Logs** from the Azure Container Instances menu, Log Analytics is opened with the query scope set to the current Azure Container Instances. This means that log queries will only include data from that resource. If you want to run a query that includes data from other resources or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](../azure-monitor/logs/scope.md) for details.

+For a list of common queries for Azure Container Instances, see the [Log Analytics queries interface](../azure-monitor/logs/queries.md).

+* See [Monitoring Azure resources with Azure Monitor](../azure-monitor/essentials/monitor-azure-resource.md) for details on monitoring Azure resources.

+### [Azure CLI](#tab/azure-cli)

+To create the Azure resources, this article requires that you run the Azure CLI version 2.0.55 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+### [Azure PowerShell](#tab/azure-powershell)

+To create the Azure resources, this article requires that you run the Azure PowerShell module version 7.5.0 or later. Run `Get-Module Az -ListAvailable` to find the version. If you need to install or upgrade, see [Install Azure PowerShell module][azure-powershell-install].

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+If you don't already have an Azure container registry, create a registry and push a sample container image to it. For steps, see [Quickstart: Create a private container registry using Azure PowerShell](container-registry-get-started-powershell.md).

+This article assumes you have the `aci-helloworld:v1` container image stored in your registry. The examples use a registry name of *myContainerRegistry*. Replace with your own registry and image names in later steps.

+### [Azure CLI](#tab/azure-cli)

+Create a Docker-enabled Ubuntu virtual machine. You also need to install the [Azure CLI][azure-cli-install] on the virtual machine. If you already have an Azure virtual machine, skip this step to create the virtual machine.

+```azurecli-interactive

+### [Azure PowerShell](#tab/azure-powershell)

+Create a Docker-enabled Ubuntu virtual machine. You also need to install the [Azure PowerShell][azure-powershell-install] on the virtual machine. If you already have an Azure virtual machine, skip this step to create the virtual machine.

+Deploy a default Ubuntu Azure virtual machine with [New-AzVM][new-azvm]. The following example creates a VM named *myDockerVM* in an existing resource group named *myResourceGroup*. You will be prompted for a user name that will be used when you connect to the VM. Specify *azureuser* as the user name. You will also be asked for a password, which you can leave blank. Password login for the VM is disabled when using an SSH key.

+```azurepowershell-interactive

+$vmParams = @{

+ ResourceGroupName = 'MyResourceGroup'

+ Name = 'myDockerVM'

+ Image = 'UbuntuLTS'

+ PublicIpAddressName = 'myPublicIP'

+ GenerateSshKey = $true

+ SshKeyName = 'mySSHKey'

+}

+New-AzVM @vmParams

+```

+It takes a few minutes for the VM to be created. When the command completes, run the following command to get the public IP address. Use this address to make SSH connections to the VM.

+```azurepowershell-interactive

+Get-AzPublicIpAddress -Name myPublicIP -ResourceGroupName myResourceGroup | Select-Object -ExpandProperty IpAddress

+```

+```output

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+### Install the Azure PowerShell

+Follow the steps in [Installing PowerShell on Ubuntu][powershell-install] and [Install the Azure Az PowerShell module][azure-powershell-install] to install PowerShell and Azure PowerShell on your Ubuntu virtual machine. For this article, ensure that you install Azure PowerShell version 7.5.0 or later.

+### [Azure CLI](#tab/azure-cli)

+Create an identity in your subscription using the [az identity create][az-identity-create] command. You can use the same resource group you used previously to create the container registry or virtual machine, or a different one.

+To configure the identity in the following steps, use the [az identity show][az-identity-show] command to store the identity's resource ID and service principal ID in variables.

+```azurecli-interactive

+```output

+/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId

+```

+### [Azure PowerShell](#tab/azure-powershell)

+Create an identity in your subscription using the [New-AzUserAssignedIdentity][new-azuserassignedidentity] cmdlet. You can use the same resource group you used previously to create the container registry or virtual machine, or a different one.

+```azurepowershell-interactive

+New-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Location eastus -Name myACRId

+To configure the identity in the following steps, use the [Get-AzUserAssignedIdentity][get-azuserassignedidentity] cmdlet to store the identity's resource ID and service principal ID in variables.

+```azurepowershell-interactive

+# Get resource ID of the user-assigned identity

+$userID = (Get-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Name myACRId).Id

+# Get service principal ID of the user-assigned identity

+$spID = (Get-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Name myACRId).PrincipalId

+```

+Because you need the identity's ID in a later step when you sign in to the Azure PowerShell from your virtual machine, show the value:

+```azurepowershell-interactive

+$userID

+```

+The ID is of the form:

+```output

+### [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+### [Azure PowerShell](#tab/azure-powershell)

+The following [Update-AzVM][update-azvm] command configures your Docker VM with the user-assigned identity:

+```azurepowershell-interactive

+$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myDockerVM

+Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType UserAssigned -IdentityID $userID

+```

+### [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+Use the [az role assignment create][az-role-assignment-create] command to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the AcrPush role.

+```azurecli-interactive

+### [Azure PowerShell](#tab/azure-powershell)

+Now configure the identity to access your container registry. First use the [Get-AzContainerRegistry][get-azcontainerregistry] command to get the resource ID of the registry:

+```azurepowershell-interactive

+$resourceID = (Get-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myContainerRegistry).Id

+```

+Use the [New-AzRoleAssignment][new-azroleassignment] cmdlet to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the AcrPush role.

+```azurepowershell-interactive

+New-AzRoleAssignment -ObjectId $spID -Scope $resourceID -RoleDefinitionName AcrPull

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+SSH into the Docker virtual machine that's configured with the identity. Run the following Azure PowerShell commands, using the Azure PowerShell installed on the VM.

+First, authenticate to the Azure PowerShell with [Connect-AzAccount][connect-azaccount], using the identity you configured on the VM. For `-AccountId` specify a client ID of the identity.

+```azurepowershell

+$clientId = (Get-AzUserAssignedIdentity -ResourceGroupName myResourceGroup -Name myACRId).ClientId

+Connect-AzAccount -Identity -AccountId $clientId

+```

+Then, authenticate to the registry with [Connect-AzContainerRegistry][connect-azcontainerregistry]. When you use this command, the Azure PowerShell uses the Active Directory token created when you ran `Connect-AzAccount` to seamlessly authenticate your session with the container registry. (Depending on your VM's setup, you might need to run this command and docker commands with `sudo`.)

+```azurepowershell

+sudo pwsh -command Connect-AzContainerRegistry -Name myContainerRegistry

+```

+You should see a `Login succeeded` message. You can then run `docker` commands without providing credentials. For example, run [docker pull][docker-pull] to pull the `aci-helloworld:v1` image, specifying the login server name of your registry. The login server name consists of your container registry name (all lowercase) followed by `.azurecr.io` - for example, `mycontainerregistry.azurecr.io`.

+```

+docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1

+```

+### [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+### [Azure PowerShell](#tab/azure-powershell)

+The following [Update-AzVM][update-azvm] command configures your Docker VM with a system-assigned identity:

+```azurepowershell-interactive

+$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myDockerVM

+Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType SystemAssigned

+```

+Use the [Get-AzVM][get-azvm] command to set a variable to the value of `principalId` (the service principal ID) of the VM's identity, to use in later steps.

+```azurepowershell-interactive

+$spID = (Get-AzVM -ResourceGroupName myResourceGroup -Name myDockerVM).Identity.PrincipalId

+```

+### [Azure CLI](#tab/azure-cli)

+```azurecli-interactive

+Use the [az role assignment create][az-role-assignment-create] command to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the AcrPush role.

+```azurecli-interactive

+### [Azure PowerShell](#tab/azure-powershell)

+Now configure the identity to access your container registry. First use the [[Get-AzContainerRegistry][get-azcontainerregistry] command to get the resource ID of the registry:

+```azurepowershell-interactive

+$resourceID = (Get-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myContainerRegistry).Id

+```

+Use the [New-AzRoleAssignment][new-azroleassignment] cmdlet to assign the AcrPull role to the identity. This role provides [pull permissions](container-registry-roles.md) to the registry. To provide both pull and push permissions, assign the AcrPush role.

+```azurepowershell-interactive

+New-AzRoleAssignment -ObjectId $spID -Scope $resourceID -RoleDefinitionName AcrPull

+```

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+SSH into the Docker virtual machine that's configured with the identity. Run the following Azure PowerShell commands, using the Azure PowerShell installed on the VM.

+First, authenticate the Azure PowerShell with [Connect-AzAccount][connect-azaccount], using the system-assigned identity on the VM.

+```azurepowershell

+Connect-AzAccount -Identity

+```

+Then, authenticate to the registry with [Connect-AzContainerRegistry][connect-azcontainerregistry]. When you use this command, the PowerShell uses the Active Directory token created when you ran `Connect-AzAccount` to seamlessly authenticate your session with the container registry. (Depending on your VM's setup, you might need to run this command and docker commands with `sudo`.)

+```azurepowershell

+sudo pwsh -command Connect-AzContainerRegistry -Name myContainerRegistry

+```

+You should see a `Login succeeded` message. You can then run `docker` commands without providing credentials. For example, run [docker pull][docker-pull] to pull the `aci-helloworld:v1` image, specifying the login server name of your registry. The login server name consists of your container registry name (all lowercase) followed by `.azurecr.io` - for example, `mycontainerregistry.azurecr.io`.

+```

+docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1

+```

+[connect-azaccount]: /powershell/module/az.accounts/connect-azaccount

+[connect-azcontainerregistry]: /powershell/module/az.containerregistry/connect-azcontainerregistry

+[get-azcontainerregistry]: /powershell/module/az.containerregistry/get-azcontainerregistry

+[new-azvm]: /powershell/module/az.compute/new-azvm

+[get-azvm]: /powershell/module/az.compute/get-azvm

+[az-identity-create]: /cli/azure/identity#az_identity_create

+[new-azuserassignedidentity]: /powershell/module/az.managedserviceidentity/new-azuserassignedidentity

+[update-azvm]: /powershell/module/az.compute/update-azvm

+[new-azroleassignment]: /powershell/module/az.resources/new-azroleassignment

+[get-azuserassignedidentity]: /powershell/module/az.managedserviceidentity/get-azuserassignedidentity

+[azure-cli-install]: /cli/azure/install-azure-cli

+[azure-powershell-install]: /powershell/azure/install-az-ps

+[powershell-install]: /powershell/scripting/install/install-ubuntu

+Use the [az acr show-usage](/cli/azure/acr#az-acr-show-usage) command in the Azure CLI, [Get-AzContainerRegistryUsage](/powershell/module/az.containerregistry/get-azcontainerregistryusage) in Azure PowerShell, or the [List Usages](/rest/api/containerregistry/registries/list-usages) REST API, to get a snapshot of your registry's current consumption of storage and other resources, compared with the limits for that registry's service tier. Storage usage also appears on the registry's **Overview** page in the portal.

+az acr update --name myContainerRegistry --sku Premium

+```

+### Azure PowerShell

+To move between service tiers in Azure PowerShell, use the [Update-AzContainerRegistry][update-azcontainerregistry] cmdlet. For example, to switch to Premium:

+```azurepowershell

+Update-AzContainerRegistry -ResourceGroupName myResourceGroup -Name myContainerRegistry -Sku Premium

+[update-azcontainerregistry]: /powershell/module/az.containerregistry/update-azcontainerregistry

+Follow the instructions from the [AKS support doc](/troubleshoot/azure/azure-kubernetes/cannot-pull-image-from-acr-to-aks-cluster) if you fail to pull images from ACR to the AKS cluster.

+* [Open a support ticket](https://azure.microsoft.com/support/create-ticket/) - based on information you provide, a quick diagnostic might be run for authentication failures in your registry

+> * Install, create and sign in to [ORAS artifact enabled registry](./container-registry-oras-artifacts.md#create-oras-artifact-enabled-registry)

+> * Create or use an [Azure Key Vault](../key-vault/general/quick-create-cli.md)

+ Spark connector is used to connect to Azure Cosmos DB Cassandra API. Identify and use the version of the connector located in [Maven central](https://mvnrepository.com/artifact/com.datastax.spark/spark-cassandra-connector-assembly) that is compatible with the Spark and Scala versions of your Spark environment. We recommend an environment that supports Spark 3.2.1 or higher, and the spark connector available at maven coordinates `com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0`. If using Spark 2.x, we recommend an environment with Spark version 2.4.5, using spark connector at maven coordinates `com.datastax.spark:spark-cassandra-connector_2.11:2.4.3`.

+ If you're using a version Spark 2.x, then in addition to the Spark connector, you need another library called [azure-cosmos-cassandra-spark-helper]( https://search.maven.org/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper/1.2.0/jar) with maven coordinates `com.microsoft.azure.cosmosdb:azure-cosmos-cassandra-spark-helper:1.2.0` from Azure Cosmos DB in order to handle [rate limiting](./scale-account-throughput.md#handling-rate-limiting-429-errors). This library contains custom connection factory and retry policy classes.

+ The retry policy in Azure Cosmos DB is configured to handle HTTP status code 429("Request Rate Large") exceptions. The Azure Cosmos DB Cassandra API translates these exceptions into overloaded errors on the Cassandra native protocol, and you can retry with back-offs. Because Azure Cosmos DB uses provisioned throughput model, request rate limiting exceptions occur when the ingress/egress rates increase. The retry policy protects your spark jobs against data spikes that momentarily exceed the throughput allocated for your container. If using the Spark 3.x connector, implementing this library isn't required.

+The optimal value of these configurations depends on four factors:

+- The average latency of each request to Cosmos DB, if you're collocated in the same Data Center. Assume this value to be 10 ms for writes and 3 ms for reads.

+As an example, if we have five workers and a value of `spark.cassandra.output.concurrent.writes`= 1, and a value of `spark.cassandra.connection.remoteConnectionsPerExecutor` = 1, then we have five workers that are concurrently writing into the table, each with one thread. If it takes 10 ms to perform a single write, then we can send 100 requests (1000 milliseconds divided by 10) per second, per thread. With five workers, this would be 500 writes per second. At an average cost of five request units (RUs) per write, the target table would need a minimum 2500 request units provisioned (5 RUs x 500 writes per second).

+The Cassandra Spark connector will saturate throughput in Azure Cosmos DB efficiently. As a result, even with effective retries, you'll need to ensure you have sufficient throughput (RUs) provisioned at the table or keyspace level to prevent rate limiting related errors. The minimum setting of 400 RUs in a given table or keyspace won't be sufficient. Even at minimum throughput configuration settings, the Spark connector can write at a rate corresponding to around **6000 request units** or more.

+| spark.cassandra.connection.connections_per_executor_max (Spark 2.x) spark.cassandra.connection.remoteConnectionsPerExecutor (Spark 3.x) | None | Maximum number of connections per node per executor. 10*n is equivalent to 10 connections per node in an n-node Cassandra cluster. So, if you require five connections per node per executor for a five node Cassandra cluster, then you should set this configuration to 25. Modify this value based on the degree of parallelism or the number of executors that your spark jobs are configured for. |

+Adjust the throughput and degree of parallelism of these parameters based on the workload you expect for your spark jobs, and the throughput you've provisioned for your Cosmos DB account.

+The following commands detail how to connect to Azure Cosmos DB Cassandra API from cqlsh. This is useful for validation as you run through the samples in Spark.<br>

+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com

+ spark.cassandra.connection.port 10350

+ spark.cassandra.connection.ssl.enabled true

+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME

+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY

+// if using Spark 2.x

+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory

+//Throughput-related...adjust as needed

+ spark.cassandra.output.batch.size.rows 1

+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x

+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x

+ spark.cassandra.output.concurrent.writes 1000

+ spark.cassandra.concurrent.reads 512

+ spark.cassandra.output.batch.grouping.buffer.size 1000

+ spark.cassandra.connection.keep_alive_ms 600000000

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription.

+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)

+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)

+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription.

+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription.

+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)

+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio). Or [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription.

+> [Import Cassandra data into Azure Cosmos DB](migrate-data.md)

+Install Azure CLI as mentioned at [How to install the Azure CLI | Microsoft Docs](/cli/azure/install-azure-cli) and log on using the below:

+You can use the documentation [here](../how-to-setup-cmk.md) to configure your Cosmos DB Cassandra account with customer managed keys and setup managed identity access to the key Vault. Make sure you follow all the steps in [Using a managed identity in Azure key vault access policy](../how-to-setup-managed-identity.md). The next step to enable materializedViews on the account.

+Set below spark configuration in your notebook cluster. It's one time activity.

+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com

+ spark.cassandra.connection.port 10350

+ spark.cassandra.connection.ssl.enabled true

+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME

+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY

+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory

+ spark.cassandra.output.batch.size.rows 1

+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x

+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x

+ spark.cassandra.output.concurrent.writes 1000

+ spark.cassandra.concurrent.reads 512

+ spark.cassandra.output.batch.grouping.buffer.size 1000

+ spark.cassandra.connection.keep_alive_ms 600000000

+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).

+> [!WARNING]

+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.

+import org.apache.spark.sql.cassandra._

+//Spark connector

+import com.datastax.spark.connector._

+import com.datastax.spark.connector.cql.CassandraConnector

+import org.apache.spark.sql.functions._

+//if using Spark 2.x, CosmosDB library for multiple retry

+//import com.microsoft.azure.cosmosdb.cassandra

+* MEMORY_ONLY: It's the default storage option. Stores RDD as deserialized Java objects in the JVM. If the RDD doesn't fit in memory, some partitions won't be cached, and they're recomputed on the fly each time they're needed.

+* MEMORY_AND_DISK: Stores RDD as deserialized Java objects in the JVM. If the RDD doesn't fit in memory, store the partitions that don't fit on disk, and whenever required, read them from the location they're stored.

+* MEMORY_ONLY_SER (Java/Scala): Stores RDD as serialized Java objects- 1-byte array per partition. This option is space-efficient when compared to deserialized objects, especially when using a fast serializer, but more CPU-intensive to read.

+Set below spark configuration in your notebook cluster. It's one time activity.

+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com

+ spark.cassandra.connection.port 10350

+ spark.cassandra.connection.ssl.enabled true

+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME

+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY

+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory

+ spark.cassandra.output.batch.size.rows 1

+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x

+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x

+ spark.cassandra.output.concurrent.writes 1000

+ spark.cassandra.concurrent.reads 512

+ spark.cassandra.output.batch.grouping.buffer.size 1000

+ spark.cassandra.connection.keep_alive_ms 600000000

+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).

+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.

+import org.apache.spark.sql.cassandra._

+//Spark connector

+import com.datastax.spark.connector._

+import com.datastax.spark.connector.cql.CassandraConnector

+//if using Spark 2.x, CosmosDB library for multiple retry

+//import com.microsoft.azure.cosmosdb.cassandra

+### Create an RDD with sample data

+import com.datastax.oss.driver.api.core.ConsistencyLevel

+ The connector for Cassandra API requires the Cassandra connection details to be initialized as part of the spark context. When you launch a Databricks notebook, the spark context is already initialized, and it isn't advisable to stop and reinitialize it. One solution is to add the Cassandra API instance configuration at a cluster level, in the cluster spark configuration. It's one-time activity per cluster. Add the following code to the Spark configuration as a space separated key value pair:

+ * Review the Databricks runtime version, the Spark version. Then find the [maven coordinates](https://mvnrepository.com/artifact/com.datastax.spark/spark-cassandra-connector-assembly) that are compatible with the Cassandra Spark connector, and attach it to the cluster. See ["Upload a Maven package or Spark package"](https://docs.databricks.com/user-guide/libraries.html) article to attach the connector library to the cluster. We recommend selecting Databricks runtime version 10.4 LTS, which supports Spark 3.2.1. To add the Apache Spark Cassandra Connector, your cluster, select **Libraries** > **Install New** > **Maven**, and then add `com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0` in Maven coordinates. If using Spark 2.x, we recommend an environment with Spark version 2.4.5, using spark connector at maven coordinates `com.datastax.spark:spark-cassandra-connector_2.11:2.4.3`.

+* **Azure Cosmos DB Cassandra API-specific library:** - If you're using Spark 2.x, a custom connection factory is required to configure the retry policy from the Cassandra Spark connector to Azure Cosmos DB Cassandra API. Add the `com.microsoft.azure.cosmosdb:azure-cosmos-cassandra-spark-helper:1.2.0`[maven coordinates](https://search.maven.org/artifact/com.microsoft.azure.cosmosdb/azure-cosmos-cassandra-spark-helper/1.2.0/jar) to attach the library to the cluster.

+> If you are using Spark 3.x, you do not need to install the Cosmos DB Cassandra API-specific library mentioned above.

+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.

+A list of Azure Databricks [sample notebooks](https://github.com/Azure-Samples/azure-cosmos-db-cassandra-api-spark-notebooks-databricks/tree/main/notebooks/scala) is available in GitHub repo for you to download. These samples include how to connect to Azure Cosmos DB Cassandra API from Spark and perform different CRUD operations on the data. You can also [import all the notebooks](https://github.com/Azure-Samples/azure-cosmos-db-cassandra-api-spark-notebooks-databricks/tree/main/dbc) into your Databricks cluster workspace and run it.

+ The connector for Cassandra API requires the Cassandra connection details to be initialized as part of the spark context. When you launch a notebook, the spark context is already initialized, and it isn't advisable to stop and reinitialize it. One solution is to add the Cassandra API instance configuration at a cluster level, in the cluster spark configuration. It's one-time activity per cluster. Add the following code to the Spark configuration as a space separated key value pair:

+ //Throughput-related...adjust as needed

+ spark.cassandra.output.batch.size.rows 1

+ // spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x

+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x

+ spark.cassandra.output.concurrent.writes 1000

+ spark.cassandra.concurrent.reads 512

+ spark.cassandra.output.batch.grouping.buffer.size 1000

+ spark.cassandra.connection.keep_alive_ms 600000000

+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).

+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.1**. Later versions of Spark and/or the Cassandra connector may not function as expected.

+Provisioned throughput and default TTL values aren't shown in the output of the previous command, you can get these values from the portal.

+* [Table copy operations](spark-table-copy-operations.md)

+Set below spark configuration in your notebook cluster. It's one time activity.

+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com

+ spark.cassandra.connection.port 10350

+ spark.cassandra.connection.ssl.enabled true

+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME

+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY

+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory

+ spark.cassandra.output.batch.size.rows 1

+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x

+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x

+ spark.cassandra.output.concurrent.writes 1000

+ spark.cassandra.concurrent.reads 512

+ spark.cassandra.output.batch.grouping.buffer.size 1000

+ spark.cassandra.connection.keep_alive_ms 600000000

+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).

+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.

+We'll use this code fragment to generate sample data:

+import org.apache.spark.sql.cassandra._

+//Spark connector

+import com.datastax.spark.connector._

+import com.datastax.spark.connector.cql.CassandraConnector

+//if using Spark 2.x, CosmosDB library for multiple retry

+//import com.microsoft.azure.cosmosdb.cassandra

+Set below spark configuration in your notebook cluster. It's one time activity.

+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com

+ spark.cassandra.connection.port 10350

+ spark.cassandra.connection.ssl.enabled true

+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME

+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY

+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory

+ spark.cassandra.output.batch.size.rows 1

+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x

+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x

+ spark.cassandra.output.concurrent.writes 1000

+ spark.cassandra.concurrent.reads 512

+ spark.cassandra.output.batch.grouping.buffer.size 1000

+ spark.cassandra.connection.keep_alive_ms 600000000

+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).

+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.

+import org.apache.spark.sql.cassandra._

+//Spark connector

+import com.datastax.spark.connector._

+import com.datastax.spark.connector.cql.CassandraConnector

+//if using Spark 2.x, CosmosDB library for multiple retry

+//import com.microsoft.azure.cosmosdb.cassandra

+Set below spark configuration in your notebook cluster. It's one time activity.

+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com

+ spark.cassandra.connection.port 10350

+ spark.cassandra.connection.ssl.enabled true

+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME

+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY

+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory

+ spark.cassandra.output.batch.size.rows 1

+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x

+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x

+ spark.cassandra.output.concurrent.writes 1000

+ spark.cassandra.concurrent.reads 512

+ spark.cassandra.output.batch.grouping.buffer.size 1000

+ spark.cassandra.connection.keep_alive_ms 600000000

+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).

+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.

+import org.apache.spark.sql.cassandra._

+//Spark connector

+import com.datastax.spark.connector._

+import com.datastax.spark.connector.cql.CassandraConnector

+//if using Spark 2.x, CosmosDB library for multiple retry

+//import com.microsoft.azure.cosmosdb.cassandra

+### Copy data between tables (destination table doesn't exist)

+Set below spark configuration in your notebook cluster. It's one time activity.

+ spark.cassandra.connection.host YOUR_ACCOUNT_NAME.cassandra.cosmosdb.azure.com

+ spark.cassandra.connection.port 10350

+ spark.cassandra.connection.ssl.enabled true

+ spark.cassandra.auth.username YOUR_ACCOUNT_NAME

+ spark.cassandra.auth.password YOUR_ACCOUNT_KEY

+// spark.cassandra.connection.factory com.microsoft.azure.cosmosdb.cassandra.CosmosDbConnectionFactory

+ spark.cassandra.output.batch.size.rows 1

+// spark.cassandra.connection.connections_per_executor_max 10 // Spark 2.x

+ spark.cassandra.connection.remoteConnectionsPerExecutor 10 // Spark 3.x

+ spark.cassandra.output.concurrent.writes 1000

+ spark.cassandra.concurrent.reads 512

+ spark.cassandra.output.batch.grouping.buffer.size 1000

+ spark.cassandra.connection.keep_alive_ms 600000000

+> If you are using Spark 3.x, you do not need to install the Cosmos DB helper and connection factory. You should also use `remoteConnectionsPerExecutor` instead of `connections_per_executor_max` for the Spark 3 connector (see above).

+> The Spark 3 samples shown in this article have been tested with Spark **version 3.2.1** and the corresponding Cassandra Spark Connector **com.datastax.spark:spark-cassandra-connector-assembly_2.12:3.2.0**. Later versions of Spark and/or the Cassandra connector may not function as expected.

+import org.apache.spark.sql.cassandra._

+//Spark connector

+import com.datastax.spark.connector._

+import com.datastax.spark.connector.cql.CassandraConnector

+//if using Spark 2.x, CosmosDB library for multiple retry

+//import com.microsoft.azure.cosmosdb.cassandra

+Create a new .NET application in an empty folder using your preferred terminal. Use the [``dotnet new console``](/dotnet/core/tools/dotnet-new) to create a new console app.

+> [Migrate MongoDB to Azure Cosmos DB API for MongoDB offline](../../dms/tutorial-mongodb-cosmos-db.md?toc=%2fazure%2fcosmos-db%2ftoc.json%3ftoc%3d%2fazure%2fcosmos-db%2ftoc.json)

+- [Lock resources to prevent unexpected changes](../../../../azure-resource-manager/management/lock-resources.md)

+- [Azure Cosmos DB CLI GitHub repository](https://github.com/Azure-Samples/azure-cli-samples/tree/master/cosmosdb)

+* You can [try Azure Cosmos DB for free](../try-free.md) without an Azure subscription, free of charge and commitments. Or, you can use the [Azure Cosmos DB Emulator](../local-emulator.md) with the `https://localhost:8081` endpoint. The Primary Key is provided in [Authenticating requests](../local-emulator.md#authenticate-requests).

+[Table API reference documentation](../../storage/tables/index.yml) | [Azure.Data.Tables Package (NuGet)](https://www.nuget.org/packages/Azure.Data.Tables/)

+> You can also query items using [OData](/rest/api/storageservices/querying-tables-and-entities) syntax. You can see an example of this approach in the [Query Data](./tutorial-query-table.md) tutorial.

+> [Get started with Azure Cosmos DB Table API and .NET](./how-to-dotnet-get-started.md)

+| **Meter** | Break down costs by usage meter. | Purchases and Marketplace usage will show as **unassigned** or **No meter**. Refer to **Charge type** to identify purchases and **Publisher type** to identify Marketplace charges. |

+ Title: Cast transformation in mapping data flow

+description: Learn how to use a mapping data flow cast transformation to easily change column data types in Azure Data Factory or Synapse Analytics pipelines.

+# Cast transformation in mapping data flow

+Use the cast transformation to easily modify the data types of individual columns in a data flow. The cast transformation also enables an easy way to check for casting errors.

+## Configuration

+To modify the data type for columns in your data flow, add columns to "Cast settings" using the plus (+) sign.

+**Column name:** Pick the column you wish to cast from your list of metadata columns.

+**Type:** Choose the data type to cast your column to. If you pick "complex", you can then select "Define complex type" and define structures, arrays, and maps inside the expression builder.

+**Format:** Some data types, like decimal and dates, will allow for additional formatting options.

+**Assert type check:** The cast transformation allows for type checking. If the casting fails, the row will be marked as an assertion error that you can trap later in the stream.

+## Data flow script

+### Syntax

+```

+<incomingStream>

+ cast(output(

+ AddressID as integer,

+ AddressLine1 as string,

+ AddressLine2 as string,

+ City as string

+ ),

+ errors: true) ~> <castTransformationName<>

+```

+## Next steps

+Modify existing columns and new columns using the [derived column transformation](data-flow-derived-column.md).

+| [Cast](data-flow-cast.md) | Schema modifier | Change column data types with type checking. |

+| [Flowlet](concepts-data-flow-flowlet.md) | Flowlets | Build and include custom re-usable transformation logic. |

+zone_pivot_groups: data-box-shipping

+## Ship Data Box back

+Based on the region where you're shipping the device, the procedure is different. In many countries/regions, you can use Microsoft managed shipping or [self-managed shipping](#self-managed-shipping).

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Americas

+### US & Canada

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Europe

+### [EU](#tab/in-europe)

+### [UK](#tab/in-uk)

+### [Norway](#tab/in-norway)

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Asia

+### [Japan](#tab/in-japan)

+### [Singapore](#tab/in-singapore)

+### [Hong Kong](#tab/in-hk)

+### [Korea](#tab/in-korea)

+### [UAE](#tab/in-uae)

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Australia

+### Australia

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Africa

+### S Africa

+## Self-managed shipping

+### Shipping in Brazil

+To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:

+```

+Subject: Request Azure Data Box Disk drop-off for order: <ordername>

+- Order name

+- Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)

+- Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)

+```

+ Title: Tutorial to return Azure Data Box

+description: In this tutorial, learn how to return Azure Data Box, including shipping the device, verifying data upload to Azure, and erasing data from Data Box.

+zone_pivot_groups: data-box-shipping

+# Tutorial: Return Azure Data Box and verify data has been uploaded to Azure

+* You've completed the [Tutorial: Prepare to ship Azure Data Box](data-box-deploy-prepare-to-ship.md).

+* The data copy to the device completed and the **Prepare to ship** run was successful.

+## Ship Data Box back

+Based on the region where you're shipping the device, the procedure is different. In many countries/regions, you can use Microsoft managed shipping or [self-managed shipping](#self-managed-shipping).

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Americas

+### US & Canada

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Europe

+### [EU](#tab/in-europe)

+### [UK](#tab/in-uk)

+### [Norway](#tab/in-norway)

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Asia

+### [Japan](#tab/in-japan)

+### [Singapore](#tab/in-singapore)

+### [Hong Kong](#tab/in-hk)

+### [Korea](#tab/in-korea)

+### [UAE](#tab/in-uae)

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Australia

+### Australia

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Africa

+### S Africa

+## Self-managed shipping

+Self-managed shipping is available as an option when you [Order Azure Data Box](data-box-disk-deploy-ordered.md). For detailed steps, see [Use self-managed shipping](data-box-portal-customer-managed-shipping.md).

+### Shipping in Brazil

+To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:

+```

+Subject: Request Azure Data Box Disk drop-off for order: <ordername>

+- Order name

+- Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)

+- Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)

+```

+## Verify data has been uploaded to Azure

+## Data erasure from Data Box

+## Verify data has uploaded to Azure

+ Title: Tutorial to ship Azure Data Box

+description: In this tutorial, learn how to prepare to ship Data Box for return.

+# Customer intent: As an IT admin, I need to be able to return a Data Box to upload on-premises data from my server onto Azure.

+# Tutorial: Prepare to ship Azure Data Box

+This tutorial describes how to prepare your Azure Data Box to ship.

+In this tutorial, you will learn about topics such as:

+> [!div class="checklist"]

+>

+> * Prerequisites

+> * Prepare to ship

+## Prerequisites

+Before you begin, make sure:

+* You've have completed the [Tutorial: Copy data to Azure Data Box and verify](data-box-deploy-copy-data.md).

+* Copy jobs are complete and there are no errors on the **Connect and copy** page. **Prepare to ship** can't run if copy jobs are in progress or there are errors in the **Connect and copy** page.

+## Prepare to ship

+After the data copy is complete, you prepare and ship the device. When the device reaches Azure datacenter, data is automatically uploaded to Azure.

+## Prepare to ship

+Before you prepare to ship, make sure that copy jobs are complete.

+1. Go to **Prepare to ship** page in the local web UI and start the ship preparation.

+2. Turn off the device from the local web UI. Remove the cables from the device.

+The next steps are determined by where you're returning the device.

+## Next steps

+In this tutorial, you learned about Azure Data Box topics such as:

+> [!div class="checklist"]

+> * Prerequisites

+> * Prepare to ship

+Advance to the following article to learn how to ship your Azure Data Box and verify the data uploaded to Azure.

+> [!div class="nextstepaction"]

+> [Tutorial: Return Azure Data Box and verify data upload to Azure](data-box-deploy-picked-up.md)

+zone_pivot_groups: data-box-shipping

+The next steps are determined by where you are returning the device. In many countries/regions, you can use Microsoft managed shipping or [self-managed shipping](#self-managed-shipping).

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Americas

+### US & Canada

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Europe

+### EU & UK

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Australia

+### Australia

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Asia

+If using Microsoft managed shipping, follow these steps.

+## Shipping in Africa

+## Self-managed shipping

+ Self-managed shipping is available as an option when you [Order Azure Data Box](data-box-disk-deploy-ordered.md). For detailed steps, see [Use self-managed shipping](data-box-disk-portal-customer-managed-shipping.md).

+Self-managed shipping is available in the following regions:

+| Region | Region | Region | Region | Region |

+||-|-|--|--|

+| US Government | United Kingdom | West Europe | Japan | Singapore |

+| Korea | India | South Africa | Australia | Brazil |

+If you are using Data Box Disk and have selected the self-managed shipping option during order creation, follow these instructions.

+2. Send an email to the Azure Data Box Operations team using the following template when you're ready to return the device.

+### Shipping in Brazil

+To schedule a device return in Brazil, send an email to [adbops@microsoft.com](mailto:adbops@microsoft.com) with the following information:

+```

+Subject: Request Azure Data Box Disk drop-off for order: <ordername>

+- Order name

+- Contact name of the person who will drop off the Data Box Disk (A government-issued photo ID will be required to validate the contactΓÇÖs identity upon arrival.)

+- Inbound Nota Fiscal (A copy of the inbound Nota Fiscal will be required at drop-off.)

+```

+

+

+ If you're returning a Data Box Disk in Brazil, see [Return Azure Data Box Disk](data-box-deploy-picked-up.md) for detailed instructions.

+ If you're returning a Data Box in Brazil, see [Return Azure Data Box](data-box-deploy-picked-up.md) for detailed instructions.

+9. After the device is picked up, copy data to the Data Box at your site. After the data copy is complete, you can prepare to ship the Data Box. For more information, see [Prepare to ship](data-box-deploy-prepare-to-ship.md#prepare-to-ship).

+- [Verify data upload to Azure](data-box-deploy-picked-up.md#verify-data-has-uploaded-to-azure)

+ Title: Adaptive network hardening in Microsoft Defender for Cloud

+ Title: Alert validation in Microsoft Defender for Cloud

+- **ARC only** - Ensure the Defender extension is installed.

+ Title: Cross-tenant management in Microsoft Defender for Cloud

+ Title: Create custom security policies in Microsoft Defender for Cloud

+ Title: Microsoft Defender for Cloud data security

+You can learn more about the different [benefits for each server plan](#benefits-of-the-defender-for-servers-plans) .

+The subscription to [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) allows you to deploy Defender for Endpoint to your servers. Defender for Endpoint includes the following capabilities:

+Plan 2 includes all of the benefits included with Plan 1. However, plan 2 also includes all of the following features:

+- Security Policy and Regulatory Compliance

+- Log-analytics (500 MB free)

+- [Vulnerability Assessment using Qualys](#vulnerability-scanner-powered-by-qualys)

+- Threat detections: OS level, network layer, control plane

+- [Adaptive application controls](#adaptive-application-controls-aac)

+- [File integrity monitoring](#file-integrity-monitoring-fim)

+- [Just-in time VM access](#just-in-time-jit-virtual-machine-vm-access)

+- [Adaptive network hardening](#adaptive-network-hardening-anh)

+You can select your plan when you [Enable enhanced security features on your subscriptions and workspaces](enable-enhanced-security.md#enable-enhanced-security-features-from-the-azure-portal). By default, plan 2 is selected when you set the Defender for Servers plan to **On**.

+### Included in plan 1 & plan 2

+### Included in plan 2 only

+A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Defender for Cloud regularly checks your connected machines to ensure they're running vulnerability assessment tools.

+When a machine is found that doesn't have a vulnerability assessment solution deployed, Defender for Cloud generates the security recommendation: **Machines should have a vulnerability assessment solution**.

+Defender for Cloud includes vulnerability scanning for your machines at no extra cost. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Defender for Cloud. This page provides details of this scanner and instructions for how to deploy it.

+> [!TIP]

+> The integrated vulnerability assessment solution supports both Azure virtual machines and hybrid machines. To deploy the vulnerability assessment scanner to your on-premises and multicloud machines, connect them to Azure first with Azure Arc as described in [Connect your non-Azure machines to Defender for Cloud](quickstart-onboard-machines.md).

+>

+> Defender for Cloud's integrated vulnerability assessment solution works seamlessly with Azure Arc. When you've deployed Azure Arc, your machines will appear in Defender for Cloud and no Log Analytics agent is required.

+Deploy the vulnerability assessment solution that best meets your needs and budget:

+If you don't want to use the vulnerability assessment powered by Qualys, you can use [Microsoft Defender for Endpoint's threat and vulnerability management](deploy-vulnerability-assessment-tvm.md) or [deploy a BYOL solution](deploy-vulnerability-assessment-byol-vm.md) with your own Qualys license, Rapid7 license, or another vulnerability assessment solution.

+ - **Healthy resources** ΓÇô Defender for Cloud has detected a vulnerability assessment solution running on these machines.

+ - **Unhealthy resources** ΓÇô A vulnerability scanner extension can be deployed to these machines.

+ - **Not applicable resources** ΓÇô these machines [aren't supported for the vulnerability scanner extension](#why-does-my-machine-show-as-not-applicable-in-the-recommendation).

+ > If your machine is in a region in an Azure European geography (such as Europe, UK, Germany), its artifacts will be processed in Qualys' European data center. Artifacts for virtual machines located elsewhere are sent to the US data center.

+## FAQ

+- [Are there any additional charges for the Qualys license?](#are-there-any-additional-charges-for-the-qualys-license)

+- [What prerequisites and permissions are required to install the Qualys extension?](#what-prerequisites-and-permissions-are-required-to-install-the-qualys-extension)

+- [Can I remove the Defender for Cloud Qualys extension?](#can-i-remove-the-defender-for-cloud-qualys-extension)

+- [How does the extension get updated?](#how-does-the-extension-get-updated)

+- [Why does my machine show as "not applicable" in the recommendation?](#why-does-my-machine-show-as-not-applicable-in-the-recommendation)

+- [Can the built-in vulnerability scanner find vulnerabilities on the VMs network?](#can-the-built-in-vulnerability-scanner-find-vulnerabilities-on-the-vms-network)

+- [Does the scanner integrate with my existing Qualys console?](#does-the-scanner-integrate-with-my-existing-qualys-console)

+- [How quickly will the scanner identify newly disclosed critical vulnerabilities?](#how-quickly-will-the-scanner-identify-newly-disclosed-critical-vulnerabilities)

+During setup, Defender for Cloud checks to ensure that the machine can communicate over HTTPS (default port 443) with the following two Qualys data centers:

+* On Linux, the extension is called "LinuxAgent.AzureSecurityCenter" and the publisher name is "Qualys".

+* On Windows, the extension is called "WindowsAgent.AzureSecurityCenter" and the provider name is "Qualys".

+If you have machines in the **not applicable** resources group, Defender for Cloud can't deploy the vulnerability scanner extension on those machines because:

+- The vulnerability scanner included with Microsoft Defender for Cloud is only available for machines protected by [Microsoft Defender for Servers](defender-for-servers-introduction.md).

+- It's a PaaS resource, such as an image in an AKS cluster or part of a virtual machine scale set.

+### Can the built-in vulnerability scanner find vulnerabilities on the VMs network?

+No. The scanner runs on your machine to look for vulnerabilities of the machine itself, not for your network.

+- SQL databases - [Explore vulnerability assessment reports in the vulnerability assessment dashboard](defender-for-sql-on-machines-vulnerability-assessment.md#explore-vulnerability-assessment-reports)

+- Azure Container Registry images - [Use Defender for Containers to scan your ACR images for vulnerabilities](defender-for-containers-usage.md)

+ Title: Configure auto provisioning of agents for Microsoft Defender for Cloud

+Microsoft Defender for Cloud collects data from your resources using the relevant agent or extensions for that resource and the type of data collection you've enabled. Use the procedures below to auto-provision the necessary agents and extensions used by Defender for Cloud to your resources.

+When auto provisioning is on for the Log Analytics agent, Defender for Cloud deploys the agent on all supported Azure VMs and any new ones created. For the list of supported platforms, see [Supported platforms in Microsoft Defender for Cloud](security-center-os-coverage.md).

+ - **None** ΓÇô Disable security event storage. (Default)

+1. To enable auto provisioning of an extension other than the Log Analytics agent:

+When you select a data collection tier in Microsoft Defender for Cloud, the security events of the selected tier are stored in your Log Analytics workspace so that you can investigate, search, and audit the events in your workspace. The Log Analytics agent also collects and analyzes the security events required for Defender for CloudΓÇÖs threat protection.

+### Requirements

+You maybe charged for storing data in Log Analytics. For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+Security events collection within the context of a single workspace can be configured from either Microsoft Defender for Cloud or Microsoft Sentinel, but not both. If you want to add Microsoft Sentinel to a workspace that already gets alerts from Microsoft Defender for Cloud and to collect Security Events, you can either:

+- Leave the Security Events collection in Microsoft Defender for Cloud as is. You'll be able to query and analyze these events in both Microsoft Sentinel and Defender for Cloud. If you want to monitor the connector's connectivity status or change its configuration in Microsoft Sentinel, consider the second option.

+- Disable Security Events collection in Microsoft Defender for Cloud and then add the Security Events connector in Microsoft Sentinel. You'll be able to query and analyze events in both Microsoft Sentinel, and Defender for Cloud, but you'll also be able to monitor the connector's connectivity status or change its configuration in - and only in - Microsoft Sentinel. To disable Security Events collection in Defender for Cloud, set **Windows security events** to **None** in the configuration of your Log Analytics agent.

+### What event types are stored for "Common" and "Minimal"?

+The **Common** and **Minimal** event sets were designed to address typical scenarios based on customer and industry standards for the unfiltered frequency of each event and their usage.

+- **Minimal** - This set is intended to cover only events that might indicate a successful breach and important events with low volume. Most of the data volume of this set is successful user logon (event ID 4625), failed user logon events (event ID 4624), and process creation events (event ID 4688). Sign out events are important for auditing only and have relatively high volume, so they aren't included in this event set.

+- **Common** - This set is intended to provide a full user audit trail, including events with low volume. For example, this set contains both user logon events (event ID 4624) and user logoff events (event ID 4634). We include auditing actions like security group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.

+Here's a complete breakdown of the Security and App Locker event IDs for each set:

+## Auto provisioning in cases of a pre-existing agent installation <a name="preexisting"></a>

+The following use cases explain how auto provisioning works in cases when there's already an agent or extension installed.

+- **Log Analytics agent is installed on the machine, but not as an extension (Direct agent)** - If the Log Analytics agent is installed directly on the VM (not as an Azure extension), Defender for Cloud will install the Log Analytics agent extension and might upgrade the Log Analytics agent to the latest version. The installed agent will continue to report to its already configured workspaces and to the workspace configured in Defender for Cloud. (Multi-homing is supported on Windows machines.)

+ If the Log Analytics is configured with a user workspace and not Defender for Cloud's default workspace, you'll need to install the "Security" or "SecurityCenterFree" solution on it for Defender for Cloud to start processing events from VMs and computers reporting to that workspace.

+ For Linux machines, Agent multi-homing isn't yet supported. If an existing agent installation is detected, the Log Analytics agent won't be auto provisioned.

+ For existing machines on subscriptions onboarded to Defender for Cloud before 17 March 2019, when an existing agent will be detected, the Log Analytics agent extension won't be installed and the machine won't be affected. For these machines, see to the "Resolve monitoring agent health issues on your machines" recommendation to resolve the agent installation issues on these machines.

+- **System Center Operations Manager agent is installed on the machine** - Defender for Cloud will install the Log Analytics agent extension side by side to the existing Operations Manager. The existing Operations Manager agent will continue to report to the Operations Manager server normally. The Operations Manager agent and Log Analytics agent share common run-time libraries, which will be updated to the latest version during this process. If Operations Manager agent version 2012 is installed, **do not** enable auto provisioning.

+ - When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud doesn't override existing connections to user workspaces. Defender for Cloud will store security data from the VM in the workspace already connected, if the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.

+When you disable auto provisioning, agents won't be provisioned on new VMs.

+To turn off auto provisioning of an agent:

+1. Select **Save**. When auto provisioning is disabled, the default workspace configuration section isn't displayed:

+> Disabling auto provisioning does not remove the Log Analytics agent from Azure VMs where the agent was provisioned. For information on removing the OMS extension, see [How do I remove OMS extensions installed by Defender for Cloud](./faq-data-collection-agents.yml#how-do-i-remove-oms-extensions-installed-by-defender-for-cloud-).

+This page explained how to enable auto provisioning for the Log Analytics agent and other Defender for Cloud extensions. It also described how to define a Log Analytics workspace in which to store the collected data. Both operations are required to enable data collection. Data storage in a new or existing Log Analytics workspace might incur more charges for data storage. For pricing details in your local currency or region, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+Get started with Defender for Cloud by using it's enhanced security features to protect you hybrid and multicloud environments.

+In this quickstart you will learn how to enable the enhanced security features by enabling the different Defender for Cloud plans through the Azure portal.

+To learn more about the benefits of enhanced security features, see [Microsoft Defender for Cloud's enhanced security features](enhanced-security-features-overview.md).

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). For pricing details in your local currency or region, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+- You must have [enabled Defender for Cloud](get-started.md) on your Azure subscription.

+To enable all Defender for Cloud features including threat protection capabilities, you must enable enhanced security features on the subscription containing the applicable workloads.

+If you only enable Defender for Cloud at the workspace level, Defender for Cloud will not enable just-in-time VM access, adaptive application controls, and network detections for Azure resources. In addition, the only Microsoft Defender plans available at the workspace level are Microsoft Defender for Servers and Microsoft Defender for SQL servers on machines.

+> [!NOTE]

+> - You can enable **Microsoft Defender for Storage accounts** at either the subscription level or resource level.

+> - You can enable **Microsoft Defender for SQL** at either the subscription level or resource level.

+> - You can enable **Microsoft Defender for open-source relational databases** at the resource level only.

+You can protect an entire Azure subscription with Defender for Cloud's enhanced security features and the protections will be inherited by all resources within the subscription.

+**To enable enhanced security features on one subscription**:

+1. Sign in to the [Azure portal](https://ms.portal.azure.com).

+1. Search for and select **Microsoft Defender for Cloud**.

+1. From Defender for Cloud's main menu, select **Environment settings**.

+1. Select the subscription or workspace that you want to protect.

+1. Select **Enable all** to enable all of the plans for Defender for Cloud.

+ :::image type="content" source="./media/enhanced-security-features-overview/pricing-tier-page.png" alt-text="Screenshot of the Defender for Cloud's pricing page in the Azure portal." lightbox="media/enhanced-security-features-overview/pricing-tier-page.png":::

+1. Select **Save**.

+**To enable enhanced security on multiple subscriptions or workspaces**:

+1. Sign in to the [Azure portal](https://ms.portal.azure.com).

+1. Search for and select **Microsoft Defender for Cloud**.

+1. From Defender for Cloud's menu, select **Getting started**.

+ The Upgrade tab lists subscriptions and workspaces eligible for onboarding.

+ :::image type="content" source="./media/enable-enhanced-security/get-started-upgrade-tab.png" alt-text="Screenshot of the upgrade tab of the getting started page." lightbox="media/enable-enhanced-security/get-started-upgrade-tab.png":::

+1. Select the desired subscriptions and workspace from the list.

+1. Select **Upgrade**.

+ :::image type="content" source="./media/enable-enhanced-security/upgrade-selected-workspaces-and-subscriptions.png" alt-text="Screenshot that shows where the upgrade button is located on the screen." lightbox="media/enable-enhanced-security/upgrade-selected-workspaces-and-subscriptions.png":::

+ > [!NOTE]

+ > - If you select subscriptions and workspaces that aren't eligible for trial, the next step will upgrade them and charges will begin.

+ > - If you select a workspace that's eligible for a free trial, the next step will begin a trial.

+## Customize plans

+Certain plans allow you to customize your protection.

+You can learn about the differences between the [Defender for Servers plans](defender-for-servers-introduction.md#available-defender-for-server-plans) to help you choose which one you would like to apply to your subscription.

+Defender for Databases allows you to [select which type of resources you want to protect](quickstart-enable-database-protections.md). You can learn about the different types of protections offered.

+Defender for Containers is available on hybrid and multicloud environments. You can learn more about the [enablement process](defender-for-containers-enable.md) for Defender for Containers for each environment type.

+If you choose to disable the enhanced security features for a subscription, you will just need to change the plan to **Off**.

+**To disable enhanced security features**:

+1. Sign in to the [Azure portal](https://ms.portal.azure.com).

+1. Search for and select **Microsoft Defender for Cloud**.

+1. From Defender for Cloud's menu, select **Environment settings**.

+1. Select the relevant subscriptions and workspaces.

+1. Find the plan you wish to turn off and select **Off**.

+ :::image type="content" source="./media/enable-enhanced-security/disable-plans.png" alt-text="Screenshot that shows you how to enable or disable Defender for Cloud's enhanced security features." lightbox="media/enable-enhanced-security/disable-plans.png":::

+ Title: Understand the basic and extended security features of Microsoft Defender for Cloud

+# Microsoft Defender for Cloud's basic and enhanced security features

+Defender for Cloud offers a number of enhanced security features that can help protect your organization against threats and attacks.

+- **Basic security features** (Free) - When you open Defender for Cloud in the Azure portal for the first time or if you enable it through the API, Defender for Cloud is enabled for free on all your Azure subscriptions. By default, Defender for Cloud provides the [secure score](secure-score-security-controls.md), [security policy and basic recommendations](security-policy-concept.md), and [network security assessment](protect-network-resources.md) to help you protect your Azure resources.

+ If you want to try out the enhanced security features, [enable enhanced security features](enable-enhanced-security.md) for free for the first 30 days. At the end of 30 days, if you decide to continue using the service, we'll automatically start charging for usage. For pricing details in your local currency or region, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+- **Enhanced security features** (Paid) - When you enable the enhanced security features, Defender for Cloud can provide unified security management and threat protection across your hybrid cloud workloads, including:

+ - **Access and application controls** - Block malware and other unwanted applications by applying machine learning powered recommendations adapted to your specific workloads to create allowlists and blocklists. Reduce the network attack surface with just-in-time, controlled access to management ports on Azure VMs. Access and application controls drastically reduce exposure to brute force and other network attacks.

+- [If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Defender for Servers?](#if-i-already-have-a-license-for-microsoft-defender-for-endpoint-can-i-get-a-discount-for-defender-for-servers)

+- [If a Log Analytics agent reports to multiple workspaces, is the 500-MB free data ingestion available on all of them?](#if-a-log-analytics-agent-reports-to-multiple-workspaces-is-the-500-mb-free-data-ingestion-available-on-all-of-them)

+- [Is the 500-MB free data ingestion calculated for an entire workspace or strictly per machine?](#is-the-500-mb-free-data-ingestion-calculated-for-an-entire-workspace-or-strictly-per-machine)

+- [What data types are included in the 500-MB data daily allowance?](#what-data-types-are-included-in-the-500-mb-data-daily-allowance)

+### If I already have a license for Microsoft Defender for Endpoint, can I get a discount for Defender for Servers?

+| Stopping | This state is transitional. When completed, it will show as Stopped. | Billed |

+| Deallocating | This state is transitional. When completed, the VM will show as Deallocated. | Not billed |

+When you enable the Servers plan on the subscription level, Defender for Cloud will enable the Servers plan on your default workspace(s) automatically when auto-provisioning is enabled. Enable auto-provisioning on the Auto provisioning page by selecting **Connect Azure VMs to the default workspace(s) created by Defender for Cloud** option and selecting **Apply**.

+However, if you're using a custom workspace in place of the default workspace, you'll need to enable the Servers plan on all of your custom workspaces that don't have it enabled.

+If you're using a custom workspace and enable the plan on the subscription level only, the `Microsoft Defender for servers should be enabled on workspaces` recommendation will appear on the Recommendations page. This recommendation will give you the option to enable the servers plan on the workspace level with the Fix button. You're charged for all VMs in the subscription even if the Servers plan isn't enabled for the workspace. The VMs won't benefit from features that depend on the Log Analytics workspace, such as Microsoft Defender for Endpoint, VA solution (TVM/Qualys), and Just-in-Time VM access.

+Enabling the Servers plan on both the subscription and its connected workspaces, won't incur a double charge. The system will identify each unique VM.

+If you enable the Servers plan on cross-subscription workspaces, connected VMs from all subscriptions will be billed, including subscriptions that don't have the Servers plan enabled.

+Yes. When you enable [Microsoft Defender for Servers](defender-for-servers-introduction.md) on a subscription, you're charged for all machines in the subscription, including Azure virtual machines, Azure virtual machine scale sets instances, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.

+### If a Log Analytics agent reports to multiple workspaces, is the 500-MB free data ingestion available on all of them?

+Yes. If you configure your Log Analytics agent to send data to two or more different Log Analytics workspaces (multi-homing), you'll get 500-MB free data ingestion for each workspace. It's calculated per node, per reported workspace, per day, and available for every workspace that has a 'Security' or 'AntiMalware' solution installed. You'll be charged for any data ingested over the 500-MB limit.

+### Is the 500-MB free data ingestion calculated for an entire workspace or strictly per machine?

+You'll get 500-MB free data ingestion per day, for every VM connected to the workspace. Specifically for the [security data types](#what-data-types-are-included-in-the-500-mb-data-daily-allowance) that are directly collected by Defender for Cloud.

+This data is a daily rate averaged across all nodes. Your total daily free limit is equal to **[number of machines] x 500 MB**. So even if some machines send 100 MB and others send 800 MB, if the total doesn't exceed your total daily free limit, you won't be charged extra.

+### What data types are included in the 500-MB data daily allowance?

+Based on your usage, you won't be billed until you've used your daily allowance. If you're receiving a bill, it's only for the data used after the 500-MB limit is reached, or for other service that doesn't fall under the coverage of Defender for Cloud.

+ Title: Remediate security recommendations with governance

+description: Learn about the new governance feature in Defender for Cloud, and how to drive security posture improvement.

+# Remediate security recommendations with governance

+**Episode description**: In this episode of Defender for Cloud in the Field, Amit Biton joins Yuri Diogenes to talk about the new governance feature in Defender for Cloud. Amit explains the rationale behind this feature. Amit explains why it's important to have governance in place in order to drive security posture improvement and how this feature can help with that. Amit demonstrates how to create governance rules, how to monitor and take action to improve the secure score.

+<br>

+<br>

+<iframe src="https://aka.ms/docs/player?id=ceb3ef0e-257a-466a-9e90-dcfb08f54f8e" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>

+- [01:14](/shows/mdc-in-the-field/remediate-security-with-governance#time=01m14s) - What is the Governance feature?

+- [05:54](/shows/mdc-in-the-field/remediate-security-with-governance#time=05m54s) - What are the permissions required to configure Governance rules?

+- [06:51](/shows/mdc-in-the-field/remediate-security-with-governance#time=06m51s) - How workload owners receive notifications

+- [10:13](/shows/mdc-in-the-field/remediate-security-with-governance#time=10m13s) - Understanding grace period

+- [15:20](/shows/mdc-in-the-field/remediate-security-with-governance#time=15m20s) - Enabling Governance at scale

+- [16:25](/shows/mdc-in-the-field/remediate-security-with-governance#time=16m25s) - Demonstration

+## Recommended resources

+

+[Driving your organization to remediate security issues with recommendation governance in Microsoft Defender for Cloud](governance-rules.md).

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa0ZoTml2Qm9kZ2pjRzNMUXFqVUwyNl80YVNtd3xBQ3Jtc0trVm9QM2Z0NlpOeC1KSUE2UEd1cVJ5aHQ0MTN6WjJEYmNlOG9rWC1KZ1ZqaTNmcHdOOHMtWXRLSGhUTVBhQlhhYzlUc2xmTHZtaUpkd1c4LUQzLWt1YmRTbkVQVE5EcTJIM0Foc042SGdQZU5acVRJbw&q=https%3A%2F%2Faka.ms%2FSubscribeMicrosoftSecurity)

+- Follow us on social media:

+ [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+> [Remediate Security Recommendations with Governance](episode-fifteen.md)

+You can learn more by watching this video from the Defender for Cloud in the Field video series:

+- [Remediate Security Recommendations with Governance](episode-fifteen.md)

+ Title: Implement security recommendations in Microsoft Defender for Cloud

+ Title: Manage security incidents in Microsoft Defender for Cloud

+ Title: Just-in-time virtual machine access in Microsoft Defender for Cloud

+ Title: Manage security alerts in Microsoft Defender for Cloud

+Defender for Cloud collects, analyzes, and integrates log data from your Azure resources, the network, and connected partner solutions, such as firewalls and endpoint agents. Defender for Cloud uses the log data to detect real threats and reduce false positives. A list of prioritized security alerts is shown in Defender for Cloud along with the information you need to quickly investigate the problem and steps to take to remediate an attack.

+ The list updates according to the filtering options you've selected. For example, you might you want to address security alerts that occurred in the last 24 hours because you are investigating a potential breach in the system.

+ The left pane of the security alert page shows high-level information regarding the security alert: title, severity, status, activity time, description of the suspicious activity, and the affected resource. The Azure tags for the affected resource helps you to understand the organizational context of the resource.

+ :::image type="content" source="media/managing-and-responding-alerts/processing-alerts-bulk-filter.png" alt-text="Screenshot of filtering the alerts to show related alerts.":::

+ Title: Platforms supported by Microsoft Defender for Cloud

+ Title: Integrate security solutions in Microsoft Defender for Cloud

+Learn more about the integration of [vulnerability scanning tools from Qualys](deploy-vulnerability-assessment-vm.md), including a built-in scanner available to customers that enable Microsoft Defender for Servers.

+- Azure Container Registry images - see [Use Microsoft Defender for container registries to scan your images for vulnerabilities](defender-for-containers-usage.md)

+In this article, you learned how to integrate partner solutions in Defender for Cloud. To learn how to set up an integration with Microsoft Sentinel, or any other SIEM, see [Continuously export Defender for Cloud data](continuous-export.md).

+ Title: Permissions in Microsoft Defender for Cloud

+ Title: Manage user data in Microsoft Defender for Cloud

+With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same. Microsoft Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

+To protect your AWS-based resources, you can connect an AWS account with either:

+- **Native cloud connector** (recommended) - Provides an agentless connection to your AWS account that you can extend with Defender for Cloud's Defender plans to secure your AWS resources:

+ - [**Cloud Security Posture Management (CSPM)**](overview-page.md) assesses your AWS resources according to AWS-specific security recommendations and reflects your security posture in your secure score. The [asset inventory](asset-inventory.md) gives you one place to see all of your protected AWS resources. The [regulatory compliance dashboard](regulatory-compliance-dashboard.md) shows your compliance with built-in standards specific to AWS, including AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices.

+ - [**Microsoft Defender for Servers**](defender-for-servers-introduction.md) brings threat detection and advanced defenses to [supported Windows and Linux EC2 instances](supported-machines-endpoint-solutions-clouds-servers.md?tabs=tab/features-multicloud).

+ - [**Microsoft Defender for Containers**](defender-for-containers-introduction.md) brings threat detection and advanced defenses to [supported Amazon EKS clusters](supported-machines-endpoint-solutions-clouds-containers.md).

+ - [**Microsoft Defender for SQL**](defender-for-sql-introduction.md) brings threat detection and advanced defenses to your SQL Servers running on AWS EC2, AWS RDS Custom for SQL Server.

+- **Classic cloud connector** - Requires configuration in your AWS account to create a user that Defender for Cloud can use to connect to your AWS environment. If you have classic cloud connectors, we recommend that you [delete these connectors](#remove-classic-connectors) and use the native connector to reconnect to the account. Using both the classic and native connectors can produce duplicate recommendations.

+The native cloud connector requires:

+**To connect your AWS account to Defender for Cloud with a native connector**:

+1. If you have any classic connectors, [remove them](#remove-classic-connectors).

+ Using both the classic and native connectors can produce duplicate recommendations.

+### Remove 'classic' connectors

+If you have any existing connectors created with the classic cloud connectors experience, remove them first:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Defender for Cloud** > **Environment settings**.

+1. Select the option to switch back to the classic connectors experience.

+ :::image type="content" source="media/quickstart-onboard-gcp/classic-connectors-experience.png" alt-text="Switching back to the classic cloud connectors experience in Defender for Cloud.":::

+1. For each connector, select the three dot button **…** at the end of the row, and select **Delete**.

+1. On AWS, delete the role ARN, or the credentials created for the integration.

+| API Gateway | `apigateway:GET` |

+| Application Auto Scaling | `application-autoscaling:Describe*` |

+| Auto scaling | `autoscaling-plans:Describe*` <br> `autoscaling:Describe*` |

+| Certificate manager | `acm-pca:Describe*` <br> `acm-pca:List*` <br> `acm:Describe* <br>acm:List*` |

+| CloudFormation | `cloudformation:Describe*` <br> `cloudformation:List*` |

+| CloudFront | `cloudfront:DescribeFunction` <br> `cloudfront:GetDistribution` <br> `cloudfront:GetDistributionConfig` <br> `cloudfront:List*` |

+| CloudTrail | `cloudtrail:Describe*` <br> `cloudtrail:GetEventSelectors` <br> `cloudtrail:List*` <br> `cloudtrail:LookupEvents` |

+| CloudWatch | `cloudwatch:Describe*` <br> `cloudwatch:List*` |

+| CloudWatch logs | `logs:DescribeLogGroups` <br> `logs:DescribeMetricFilters` |

+| CodeBuild | `codebuild:DescribeCodeCoverages` <br> `codebuild:DescribeTestCases` <br> `codebuild:List*` |

+| Config Service | `config:Describe*` <br> `config:List*` |

+| DMS ΓÇô database migration service | `dms:Describe*` <br> `dms:List*` |

+| DAX | `dax:Describe*` |

+| DynamoDB | `dynamodb:Describe*` <br> `dynamodb:List*` |

+| Ec2 | `ec2:Describe*` <br> `ec2:GetEbsEncryptionByDefault` |

+| ECR | `ecr:Describe*` <br> `ecr:List*` |

+| ECS | `ecs:Describe*` <br> `ecs:List*` |

+| EFS | `elasticfilesystem:Describe*` |

+| EKS | `eks:Describe*` <br> `eks:List*` |

+| Elastic Beanstalk | `elasticbeanstalk:Describe*` <br> `elasticbeanstalk:List*` |

+| ELB ΓÇô elastic load balancing (v1/2) | `elasticloadbalancing:Describe*` |

+| Elastic search | `es:Describe*` <br> `es:List*` |

+| EMR ΓÇô elastic map reduce | `elasticmapreduce:Describe*` <br> `elasticmapreduce:GetBlockPublicAccessConfiguration` <br> `elasticmapreduce:List*` <br> `elasticmapreduce:View*` |

+| GuardDute | `guardduty:DescribeOrganizationConfiguration` <br> `guardduty:DescribePublishingDestination` <br> `guardduty:List*` |

+| IAM | `iam:Generate*` <br> `iam:Get*` <br> `iam:List*` <br> `iam:Simulate*` |

+| KMS | `kms:Describe*` <br> `kms:List*` |

+| LAMDBA | `lambda:GetPolicy` <br> `lambda:List*` |

+| Network firewall | `network-firewall:DescribeFirewall` <br> `network-firewall:DescribeFirewallPolicy` <br> `network-firewall:DescribeLoggingConfiguration` <br> `network-firewall:DescribeResourcePolicy` <br> `network-firewall:DescribeRuleGroup` <br> `network-firewall:DescribeRuleGroupMetadata` <br> `network-firewall:ListFirewallPolicies` <br> `network-firewall:ListFirewalls` <br> `network-firewall:ListRuleGroups` <br> `network-firewall:ListTagsForResource` |

+| RDS | `rds:Describe*` <br> `rds:List*` |

+| RedShift | `redshift:Describe*` |

+| S3 and S3Control | `s3:DescribeJob` <br> `s3:GetEncryptionConfiguration` <br> `s3:GetBucketPublicAccessBlock` <br> `s3:GetBucketTagging` <br> `s3:GetBucketLogging` <br> `s3:GetBucketAcl` <br> `s3:GetBucketLocation` <br> `s3:GetBucketPolicy` <br> `s3:GetReplicationConfiguration` <br> `s3:GetAccountPublicAccessBlock` <br> `s3:GetObjectAcl` <br> `s3:GetObjectTagging` <br> `s3:List*` |

+| SageMaker | `sagemaker:Describe*` <br> `sagemaker:GetSearchSuggestions` <br> `sagemaker:List*` <br> `sagemaker:Search` |

+| Secret manager | `secrets

+| Simple notification service ΓÇô SNS | `sns:Check*` <br> `sns:List*` |

+| SSM | `ssm:Describe*` <br> `ssm:List*` |

+| SQS | `sqs:List*` <br> `sqs:Receive*` |

+| STS | `sts:GetCallerIdentity` |

+| WAF | `waf-regional:Get*` <br> `waf-regional:List*` <br> `waf:List*` <br> `wafv2:CheckCapacity` <br> `wafv2:Describe*` <br> `wafv2:List*` |

+With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same. Microsoft Defender for Cloud protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

+To protect your GCP-based resources, you can connect a GCP project with either:

+- **Native cloud connector** (recommended) - Provides an agentless connection to your GCP account that you can extend with Defender for Cloud's Defender plans to secure your GCP resources:

+ - [**Cloud Security Posture Management (CSPM)**](overview-page.md) assesses your GCP resources according to GCP-specific security recommendations and reflects your security posture in your secure score. The resources are shown in Defender for Cloud's [asset inventory](asset-inventory.md) and are assessed for compliance with built-in standards specific to GCP.

+ - [**Microsoft Defender for Servers**](defender-for-servers-introduction.md) brings threat detection and advanced defenses to [supported Windows and Linux EC2 instances](supported-machines-endpoint-solutions-clouds-servers.md?tabs=tab/features-multicloud). This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.

+ - [**Microsoft Defender for Containers**](defender-for-containers-introduction.md) brings threat detection and advanced defenses to [supported Amazon EKS clusters](supported-machines-endpoint-solutions-clouds-containers.md). This plan includes Kubernetes threat protection, behavioral analytics, Kubernetes best practices, admission control recommendations and more.

+ - [**Microsoft Defender for SQL**](defender-for-sql-introduction.md) brings threat detection and advanced defenses to your SQL Servers running on GCP compute engine instances, including the advanced threat protection and vulnerability assessment scanning.

+- **Classic cloud connector** - Requires configuration in your GCP project to create a user that Defender for Cloud can use to connect to your GCP environment. If you have classic cloud connectors, we recommend that you [delete these connectors](#remove-classic-connectors) and use the native connector to reconnect to the account. Using both the classic and native connectors can produce duplicate recommendations.

+**To connect your GCP project to Defender for Cloud with a native connector**:

+By default, all plans are `On`. You can disable plans that you don't need.

+### Remove 'classic' connectors

+If you have any existing connectors created with the classic cloud connectors experience, remove them first:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Defender for Cloud** > **Environment settings**.

+1. Select the option to switch back to the classic connectors experience.

+ :::image type="content" source="media/quickstart-onboard-gcp/classic-connectors-experience.png" alt-text="Switching back to the classic cloud connectors experience in Defender for Cloud.":::

+1. For each connector, select the three dot button at the end of the row, and select **Delete**.

+You can [deploy the Defender profile](./defender-for-containers-enable.md?pivots=defender-for-container-aks&tabs=aks-deploy-portal%2ck8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc%2caks-removeprofile-api#deploy-the-defender-profile) today on your AKS clusters.

+Following our recent announcement [Native CSPM for GCP and threat protection for GCP compute instances](#native-cspm-for-gcp-and-threat-protection-for-gcp-compute-instances), Microsoft Defender for Containers has extended its Kubernetes threat protection, behavioral analytics, and built-in admission control policies to Google's Kubernetes Engine (GKE) Standard clusters. You can easily onboard any existing, or new GKE Standard clusters to your environment through our Automatic onboarding capabilities. Check out [Container security with Microsoft Defender for Cloud](defender-for-containers-introduction.md#vulnerability-assessment), for a full list of available features.

+ Title: Defender for Cloud Readiness Roadmap

+ Title: Microsoft Defender for Cloud threat intelligence report

+ Title: Microsoft Defender for Cloud troubleshooting guide

+ Title: Working with security policies

+ Title: Workflow automation in Microsoft Defender for Cloud

+1. Create a virtual disk in Hyper-V Manager (Fixed size, as required by the hardware profile).

+1. Enter the required size [according to your organization's needs](../ot-appliance-sizing.md) (select Fixed Size disk type).

+1. Specify the memory allocation [according to your organization's needs](../ot-appliance-sizing.md), in standard RAM denomination (eg. 8192, 16384, 32768). Do not enable **Dyanmic Memory**.

+1. Configure the network adaptor according to your server network topology. Under the "Hardware Acceleration" blade, disable "Virtual Machine Queue" for the monitoring (SPAN) network interface.

+1. In the Hardware list, under the Network Adapter drop-down list, select **Hardware Acceleration** and disable "Virtual Machine Queue" for the monitoring (SPAN) network interface.

+1. In the Hardware list, under the Network Adapter drop-down list, select **Advanced Features**. Under the Port Mirroring section, select **Destination** as the mirroring mode for the new virtual interface.

+For more information, see [Azure roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).

+- [Microsoft Defender for IoT architecture](architecture.md)

+- [Create an additional Azure subscription](../../cost-management-billing/manage/create-subscription.md)

+- [Upgrade your Azure subscription](../../cost-management-billing/manage/upgrade-azure-subscription.md)

+- [Investigate all enterprise sensor detections in a device inventory](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md)

+1. Delete any private IoT Hubs that are no longer needed. For more information, see the [IoT Hub documentation](../../iot-hub/iot-hub-create-through-portal.md).

+- [Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md)

+- [Kusto Query Language (KQL) documentation](/azure/data-explorer/kusto/query/)

+* Integrate with the Azure AI and Cognitive Services [Multivariate Anomaly Detector](../cognitive-services/anomaly-detector/overview-multivariate.md), to quickly connect your Azure Digital Twins data with a downstream AI/machine learning solution that specializes in anomaly detection. The [Azure Digital Twins Multivariate Anomaly Detection Toolkit](/samples/azure-samples/digital-twins-mvad-integration/adt-mvad-integration/) is a sample project that provides a workflow for training multiple Multivariate Anomaly Detector models for several scenario analyses, based on historical digital twin data. It then leverages the trained models to detect abnormal operations and anomalies in modeled Azure Digital Twins environments, in near real-time.

+* [Ingest telemetry from IoT Hub](how-to-ingest-iot-hub-data.md)

+After establishing a data pipeline to send time series data from Azure Digital Twins to Time Series Insights, you might want to think about how to translate asset models designed for Azure Digital Twins into asset models for Time Series Insights. For a tutorial on this next step in the integration process, see [Model synchronization between Azure Digital Twins and Time Series Insights Gen2](../time-series-insights/tutorials-model-sync.md).

+ Title: Send Blob storage events to web endpoint - Bicep

+description: Use Azure Event Grid and a Bicep file to create Blob storage account, subscribe to events, and send events to a Webhook.

+# Quickstart: Route Blob storage events to web endpoint by using Bicep

+Azure Event Grid is an eventing service for the cloud. In this article, you use a Bicep file to create a Blob storage account, subscribe to events for that blob storage, and trigger an event to view the result. Typically, you send events to an endpoint that processes the event data and takes actions. However, to simplify this article, you send the events to a web app that collects and displays the messages.

+## Prerequisites

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+### Create a message endpoint

+Before subscribing to the events for the Blob storage, let's create the endpoint for the event message. Typically, the endpoint takes actions based on the event data. To simplify this quickstart, you deploy a [pre-built web app](https://github.com/Azure-Samples/azure-event-grid-viewer) that displays the event messages. The deployed solution includes an App Service plan, an App Service web app, and source code from GitHub.

+1. Select **Deploy to Azure** to deploy the solution to your subscription. In the Azure portal, provide values for the parameters.

+ [Deploy to Azure](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure-Samples%2Fazure-event-grid-viewer%2Fmaster%2Fazuredeploy.json)

+1. The deployment may take a few minutes to complete. After the deployment has succeeded, view your web app to make sure it's running. In a web browser, navigate to:

+`https://<your-site-name>.azurewebsites.net`

+1. You see the site but no events have been posted to it yet.

+ 

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.eventgrid/event-grid-subscription-and-storage).

+Two Azure resources are defined in the Bicep file:

+* [**Microsoft.Storage/storageAccounts**](/azure/templates/microsoft.storage/storageaccounts): create an Azure Storage account.

+* [**Microsoft.EventGrid/systemTopics**](/azure/templates/microsoft.eventgrid/systemtopics): create a system topic with the specified name for the storage account.

+* [**Microsoft.EventGrid/systemTopics/eventSubscriptions**](/azure/templates/microsoft.eventgrid/systemtopics/eventsubscriptions): create an Azure Event Grid subscription for the system topic.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters endpoint=<endpoint>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -endpoint "<endpoint>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<endpoint \>** with the URL of your web app and append `api/updates` to the URL.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+> [!NOTE]

+> You can find more Azure Event Grid template samples [here](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Eventgrid&pageNumber=1&sort=Popular).

+## Validate the deployment

+View your web app again, and notice that a subscription validation event has been sent to it. Select the eye icon to expand the event data. Event Grid sends the validation event so the endpoint can verify that it wants to receive event data. The web app includes code to validate the subscription.

+

+Now, let's trigger an event to see how Event Grid distributes the message to your endpoint.

+You trigger an event for the Blob storage by uploading a file. The file doesn't need any specific content. The articles assumes you have a file named testfile.txt, but you can use any file.

+When you upload the file to the Azure Blob storage, Event Grid sends a message to the endpoint you configured when subscribing. The message is in the JSON format and it contains an array with one or more events. In the following example, the JSON message contains an array with one event. View your web app and notice that a blob created event was received.

+

+## Clean up resources

+When no longer needed, [delete the resource group](../azure-resource-manager/management/delete-resource-group.md?tabs=azure-portal#delete-resource-group

+).

+## Next steps

+For more information about Azure Resource Manager templates and Bicep, see the following articles:

+* [Azure Resource Manager documentation](../azure-resource-manager/index.yml)

+* [Define resources in Azure Resource Manager templates](/azure/templates/)

+* [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/)

+* [Azure Event Grid templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Eventgrid).

+- using [Availability zone aware ExpressRoute Virtual Network Gateways](../vpn-gateway/about-zone-redundant-vnet-gateways.md)

+[AS Path Pre]: ./expressroute-optimize-routing.md#solution-use-as-path-prepending

+| **BSNL** |Supported |Supported | Chennai, Mumbai |

+>[!NOTE]

+> To maintain reliability of the service, Microsoft often performs platform or OS maintenance on the gateway service. During this time, this metric may fluctuate and report inaccurately.

+>

+ Title: 'Quickstart: Create an Azure Firewall and a firewall policy - Bicep'

+description: In this quickstart, you deploy an Azure Firewall and a firewall policy using Bicep.

+# Quickstart: Create an Azure Firewall and a firewall policy - Bicep

+In this quickstart, you use Bicep to create an Azure Firewall and a firewall policy. The firewall policy has an application rule that allows connections to `www.microsoft.com` and a rule that allows connections to Windows Update using the **WindowsUpdate** FQDN tag. A network rule allows UDP connections to a time server at 13.86.101.172.

+Also, IP Groups are used in the rules to define the **Source** IP addresses.

+For information about Azure Firewall Manager, see [What is Azure Firewall Manager?](overview.md).

+For information about Azure Firewall, see [What is Azure Firewall?](../firewall/overview.md).

+For information about IP Groups, see [IP Groups in Azure Firewall](../firewall/ip-groups.md).

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Review the Bicep file

+This Bicep file creates a hub virtual network, along with the necessary resources to support the scenario.

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/azurefirewall-create-with-firewallpolicy-apprule-netrule-ipgroups/).

+Multiple Azure resources are defined in the Bicep file:

+- [**Microsoft.Network/ipGroups**](/azure/templates/microsoft.network/ipGroups)

+- [**Microsoft.Network/firewallPolicies**](/azure/templates/microsoft.network/firewallPolicies)

+- [**Microsoft.Network/firewallPolicies/ruleCollectionGroups**](/azure/templates/microsoft.network/firewallPolicies/ruleCollectionGroups)

+- [**Microsoft.Network/azureFirewalls**](/azure/templates/microsoft.network/azureFirewalls)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses)

+## Deploy the Bicep file

+1. Save the Bicep file as `main.bicep` to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters firewallName=<firewall-name>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -firewallName "<firewall-name>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<firewall-name\>** with the name of the Azure Firewall.

+

+When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Review deployed resources

+Use Azure CLI or Azure PowerShell to review the deployed resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az resource list --resource-group exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Get-AzResource -ResourceGroupName exampleRG

+```

+## Clean up resources

+When you no longer need the resources that you created with the firewall, delete the resource group. This removes the firewall and all the related resources.

+# [CLI](#tab/CLI)

+```azurecli-interactive

+az group delete --name exampleRG

+```

+# [PowerShell](#tab/PowerShell)

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name exampleRG

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Azure Firewall Manager policy overview](policy-overview.md)

+|Outbound SMTP traffic on TCP port 25 is blocked|Outbound email messages that are sent directly to external domains (like `outlook.com` and `gmail.com`) on TCP port 25 can be blocked by Azure platform. This is the default platform behavior in Azure, Azure Firewall does not introduce any additional specific restriction. |Use authenticated SMTP relay services, which typically connect through TCP port 587, but also supports other ports. For more information, see [Troubleshoot outbound SMTP connectivity problems in Azure](../virtual-network/troubleshoot-outbound-smtp-connectivity.md). Currently, Azure Firewall may be able to communicate to public IPs by using outbound TCP 25, but it's not guaranteed to work, and it's not supported for all subscription types. For private IPs like virtual networks, VPNs, and Azure ExpressRoute, Azure Firewall supports an outbound connection of TCP port 25.

+|Rule name | IP Address | VNet or Subnet IP Address | TCP | 1688 | IP address | 20.118.99.244, 40.83.235.53 (azkms.core.windows.net)|

+> **Try it now**: Azure Functions lets you run your code without having to sign up for an Azure account. Try it now at and create your first Azure Function.

+As developers, we like to dive right into the code and try to get started as fast as possible with making our applications run. We certainly want to encourage you to start working in Azure as easily as possible. To help make it easy, Azure offers a [free trial](https://azure.microsoft.com/free/). Some services even have a "Try it for free" functionality, like Azure App Service, which doesn't require you to even create an account. As fun as it is to dive into coding and deploying your application to Azure, it's also important to take some time to understand how Azure works. Specifically, you should understand how it works from a standpoint of user accounts, subscriptions, and billing.

+* For backward compatibility when connecting devices that do not support TLS 1.2, you can configure Edge Hub to still accept TLS 1.0 or 1.1 via the [SslProtocols environment variable](https://github.com/Azure/iotedge/blob/main/doc/EnvironmentVariables.md#edgehub).  Please note that support for [TLS 1.0 and 1.1 in IoT Hub is considered legacy](../iot-hub/iot-hub-tls-support.md) and may also be removed from Edge Hub in future releases.  To avoid future issues, use TLS 1.2 as the only TLS version when connecting to Edge Hub or IoT Hub.

+| BootEFIB | 8 MB | Firmware partition B for future GRUBless boot |

+| BootB | 192 MB | Contains the bootloader for B partition |

+> To run this container in the cloud, build the image and [push the image to Azure Container Registry](../container-registry/container-registry-get-started-portal.md). Then, follow the [quickstart to deploy to Azure Container Instance](../container-instances/container-instances-quickstart-portal.md).

+* To learn more about certificates, see [Understand how Azure IoT Edge uses certificates](iot-edge-certs.md).

+ - For any 'rc' i.e. release candidate agent versions from [Artifacts](https://github.com/Azure/iot-hub-device-update/releases) : Download the .deb file to the machine you want to install the Device Update agent on, then:

+ sudo apt-get install -y ./"<PATH TO FILE>"/"<.DEB FILE NAME>"

+To watch a video discussing this integration, see [Azure IoT Hub integration with Azure Event Grid](/shows/internet-of-things-show/iot-devices-and-event-grid).

+The Event Grid integration is available for IoT hubs located in the regions where Event Grid is supported. For the latest list of regions, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=event-grid&regions=all).

+### Device telemetry schema

+Device telemetry messages must be in a valid JSON format with the contentType set to **application/json** and contentEncoding set to **UTF-8** in the message [system properties](iot-hub-devguide-routing-query-syntax.md#system-properties). Both of these properties are case insensitive. If the content encoding is not set, then IoT Hub will write the messages in base 64 encoded format.

+You can enrich device telemetry events before they are published to Event Grid by selecting the endpoint as Event Grid. For more information, see [message enrichments](iot-hub-message-enrichments-overview.md).

+> *Twin data* associated with a device creation event is a default configuration and shouldn't be relied on for actual `authenticationType` and other device properties in a newly created device. For `authenticationType` and other device properties in a newly created device, use the register manager API provided in the Azure IoT SDKs.

+Event Grid enables [filtering](../event-grid/event-filtering.md) on event types, subjects, and data content. While creating the Event Grid subscription, you can choose to subscribe to selected IoT events.

+- Event type: For the list of IoT Hub event types, see [event types](#event-types).

+- Subject: For IoT Hub events, the subject is the device name. The subject takes the format `devices/{deviceId}`. You can filter subjects based on **Begins With** (prefix) and **Ends With** (suffix) matches. The filter uses an `AND` operator, so events with a subject that match both the prefix and suffix are delivered to the subscriber.

+- Data content: The data content is populated by IoT Hub using the message format. You can choose what events are delivered based on the contents of the telemetry message. For examples, see [advanced filtering](../event-grid/event-filtering.md#advanced-filtering). For filtering on the telemetry message body, you must set the contentType to **application/json** and contentEncoding to **UTF-8** in the message [system properties](./iot-hub-devguide-routing-query-syntax.md#system-properties). Both of these properties are case insensitive.

+### Device state events

+### Device state interval

+IoT Hub does not report each individual device connect and disconnect action, but rather publishes the current connection state taken at a periodic 60 second snapshot. Receiving either the same connection state event with different sequence numbers or different connection state events both mean that there was a change in the device connection state during the 60 second window.

+

+> These attributes format are protocol-specific and are translated by IoT Hub into the relative System Properties as described [here](./iot-hub-devguide-routing-query-syntax.md#system-properties)

+* [Deploying AI to edge devices with Azure IoT Edge](../iot-edge/quickstart-linux.md)

+At Microsoft, we value, protect, and defend privacy. We believe in transparency, so that people and organizations can control their data and have meaningful choices in how it is used. We empower and defend the privacy choices of every person who uses our products and services. In this blog, we will take a deep dive on MicrosoftΓÇÖs [Azure Key Vault Managed HSMΓÇÖs](./overview.md) security controls for encryption and how it provides additional safeguards and technical measures to help our customers meet compliance. Encryption is one of the key technical measures to achieve sole control of your data.

+For added assurance, AKV Premium and AKV Managed HSM support importing HSM-protected keys from an on-premises HSM commonly referred to as [*Bring your own key (BYOK)*](../keys/hsm-protected-keys-byok.md)

+See [Azure Key Vault Concepts](../general/basic-concepts.md) and [Azure Key Vault REST API overview](https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/key-vault/general/about-keys-secrets-certificates.md) for details.

+ - [Business continuity management program](../../availability-zones/business-continuity-management-program.md)

+ - [Azure Site Recovery](../../site-recovery/index.yml)

+ - [Azure backup](../../backup/index.yml) - Planned integration with the Managed HSM

+- [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps).

+This quickstart assumes you're running [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/install-az-ps) in a Linux terminal window.

+This quickstart is using Azure Identity library with Azure CLI or Azure PowerShell to authenticate user to Azure Services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls, for more information, see [Authenticate the client with Azure Identity client library](/python/api/overview/azure/identity-readme).

+### [Azure CLI](#tab/azure-cli)

+1. Run the `az login` command.

+ ```azurecli

+### [Azure PowerShell](#tab/azure-powershell)

+1. Run the `Connect-AzAccount` command.

+ ```azurepowershell

+ Connect-AzAccount

+ ```

+ If the PowerShell can open your default browser, it will do so and load an Azure sign-in page.

+ Otherwise, open a browser page at [https://aka.ms/devicelogin](https://aka.ms/devicelogin) and enter the

+ authorization code displayed in your terminal.

+2. Sign in with your account credentials in the browser.

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell

+Set-AzKeyVaultAccessPolicy -VaultName "<your-unique-keyvault-name>" -UserPrincipalName "user@domain.com" -PermissionsToSecrets delete,get,list,set

+```

+- If you encounter permissions errors, make sure you ran the [`az keyvault set-policy` or `Set-AzKeyVaultAccessPolicy` command](#grant-access-to-your-key-vault).

+You can also retrieve a secret with the Azure CLI command [az keyvault secret show](/cli/azure/keyvault/secret?#az-keyvault-secret-show) or the Azure PowerShell command [Get-AzKeyVaultSecret](/powershell/module/az.keyvault/get-azkeyvaultsecret).

+You can verify that the secret had been removed with the Azure CLI command [az keyvault secret show](/cli/azure/keyvault/secret?#az-keyvault-secret-show) or the Azure PowerShell command [Get-AzKeyVaultSecret](/powershell/module/az.keyvault/get-azkeyvaultsecret).

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+```azurepowershell

+Remove-AzResourceGroup -Name myResourceGroup

+```

+For information about costs to store images and their replications, see [billing in an Azure Compute Gallery](../virtual-machines/shared-image-galleries.md).

+- [Manage costs for labs](cost-management-guide.md)

+- Role assignments from Azure Lighthouse are not shown under Access Control (IAM) or with CLI tools such as `az role assignment list`. They are only visible in Azure Lighthouse under the Delegations section.

+> Prior to migration, a landing zone must be deployed to provision the foundation infrastructure resources and prepare the subscription to which virtual machines will be migrated. To access or create some resources in this landing zone, the Owner built-in role may be required, which is not currently supported in Azure Lighthouse. With these scenarios, the customer may need to provide [guest access](../../active-directory/external-identities/what-is-b2b.md) or delegate admin access via the [Cloud Solution Provider (CSP) subscription model](/partner-center/customers-revoke-admin-privileges). For an approach to creating multi-tenant landing zones, see the [Multi-tenant-Landing-Zones demo solution](https://github.com/Azure/Multi-tenant-Landing-Zones) on GitHub.

+- Learn about other [cross-tenant management experiences](../concepts/cross-tenant-management-experience.md) supported by Azure Lighthouse.

+# Gateway Load Balancer

+* Gateway Load Balancer does not currently support zone-redundant frontends due to a known issue. All frontends configured as zone-redundant will be allocated no-zone or non-zonal IPs. Frontends configured in Portal will automatically be created as no-zone.

+To compare and understand the differences between Basic and Standard SKU, see the following table. For more information, see [Azure Standard Load Balancer overview](./load-balancer-overview.md). For information on Gateway SKU - catered for third-party network virtual appliances (NVAs), see [Gateway Load Balancer overview](gateway-overview.md)

+| SKU | [Gateway Load Balancer now generally available](https://azure.microsoft.com/updates/generally-available-azure-gateway-load-balancer/) | Gateway Load Balancer is a new SKU of Azure Load Balancer targeted for scenarios requiring transparent NVA (network virtual appliance) insertion. Learn more about [Gateway Load Balancer](gateway-overview.md) or our supported [third party partners](gateway-partners.md). | July 2022 |