+- Learn more about multifactor authentication in [Enable multifactor authentication in Azure Active Directory B2C](multi-factor-authentication.md?pivots=b2c-custom-policy)

+- Learn how to validate a TOTP code in [Define an Azure AD MFA technical profile](multi-factor-auth-technical-profile.md).

+- Explore a sample [Azure AD B2C MFA with TOTP using any Authenticator app custom policy in GitHub](https://github.com/azure-ad-b2c/samples/tree/master/policies/totp).

+- Update your [page layout] to version `2.1.14`. For more information, see [Select a page layout](contentdefinitions.md#select-a-page-layout).

+> * Create a sign-up and sign in user flow

+If you've configured a legacy per-user **Enabled/Enforced Azure AD Multi-Factor Authentication** setting and you see the error above, you can resolve the problem by removing the per-user MFA setting through these commands:

+```

+# Get StrongAuthenticationRequirements configure on a user

+(Get-MsolUser -UserPrincipalName username@contoso.com).StrongAuthenticationRequirements

+

+# Clear StrongAuthenticationRequirements from a user

+$mfa = @()

+Set-MsolUser -UserPrincipalName username@contoso.com -StrongAuthenticationRequirements $mfa

+

+# Verify StrongAuthenticationRequirements are cleared from the user

+(Get-MsolUser -UserPrincipalName username@contoso.com).StrongAuthenticationRequirements

+```

+You can enable collaboration across Microsoft clouds such as Microsoft Azure China 21Vianet or Microsoft Azure Government with additional configuration. Determine if any of your collaboration partners reside in a different Microsoft cloud. If so, you should [enable collaboration with these partners using Cross Tenant Access Settings](/azure/active-directory/external-identities/cross-cloud-settings).

+9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)

+For more information, see [Learn more about cloud-native endpoints](/mem/cloud-native-endpoints-overview)

+ Title: 'Tutorial: Configure AWS IAM Identity Center (successor to AWS Single Sign-On) for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to AWS IAM Identity Center.

+# Tutorial: Configure AWS IAM Identity Center (successor to AWS Single Sign-On) for automatic user provisioning

+This tutorial describes the steps you need to perform in both AWS IAM Identity Center (successor to AWS Single Sign-On) and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [AWS IAM Identity Center](https://console.aws.amazon.com/singlesignon) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+> * Create users in AWS IAM Identity Center

+> * Remove users in AWS IAM Identity Center when they no longer require access

+> * Keep user attributes synchronized between Azure AD and AWS IAM Identity Center

+> * Provision groups and group memberships in AWS IAM Identity Center

+> * [Single Sign-On](aws-single-sign-on-tutorial.md) to AWS IAM Identity Center

+* A SAML connection from your Azure AD account to AWS IAM Identity Center, as described in Tutorial

+3. Determine what data to [map between Azure AD and AWS IAM Identity Center](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure AWS IAM Identity Center to support provisioning with Azure AD

+1. Open the [AWS IAM Identity Center](https://console.aws.amazon.com/singlesignon).

+3. In **Settings**, click on Enable in the Automatic provisioning section.

+ 

+4. In the Inbound automatic provisioning dialog box, copy and save the **SCIM endpoint** and **Access Token** (visible after clicking on Show Token). These values will be entered in the **Tenant URL** and **Secret Token** field in the Provisioning tab of your AWS IAM Identity Center application in the Azure portal.

+ 

+## Step 3. Add AWS IAM Identity Center from the Azure AD application gallery

+Add AWS IAM Identity Center from the Azure AD application gallery to start managing provisioning to AWS IAM Identity Center. If you have previously setup AWS IAM Identity Center for SSO, you can use the same application. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 5. Configure automatic user provisioning to AWS IAM Identity Center

+### To configure automatic user provisioning for AWS IAM Identity Center in Azure AD:

+2. In the applications list, select **AWS IAM Identity Center**.

+ 

+5. Under the **Admin Credentials** section, input your AWS IAM Identity Center **Tenant URL** and **Secret Token** retrieved earlier in Step 2. Click **Test Connection** to ensure Azure AD can connect to AWS IAM Identity Center.

+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to AWS IAM Identity Center**.

+9. Review the user attributes that are synchronized from Azure AD to AWS IAM Identity Center in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in AWS IAM Identity Center for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the AWS IAM Identity Center API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to AWS IAM Identity Center**.

+11. Review the group attributes that are synchronized from Azure AD to AWS IAM Identity Center in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in AWS IAM Identity Center for update operations. Select the **Save** button to commit any changes.

+13. To enable the Azure AD provisioning service for AWS IAM Identity Center, change the **Provisioning Status** to **On** in the **Settings** section.

+14. Define the users and/or groups that you would like to provision to AWS IAM Identity Center by choosing the desired values in **Scope** in the **Settings** section.

+Currently AWS IAM Identity Center is not allowing some other characters that Azure AD supports like tab (\t), new line (\n), return carriage (\r), and characters such as " <|>|;|:% ".

+You can also check the AWS IAM Identity Center troubleshooting tips [here](https://docs.aws.amazon.com/singlesignon/latest/userguide/azure-ad-idp.html#azure-ad-troubleshooting) for more troubleshooting tips

+ Title: 'Tutorial: Azure AD SSO integration with AWS Single Sign-On'

+description: Learn how to configure single sign-on between Azure Active Directory and AWS Single Sign-On.

+# Tutorial: Azure AD SSO integration with AWS Single Sign-On

+In this tutorial, you'll learn how to integrate AWS Single Sign-On with Azure Active Directory (Azure AD). When you integrate AWS Single Sign-On with Azure AD, you can:

+* Control in Azure AD who has access to AWS Single Sign-On.

+* Enable your users to be automatically signed-in to AWS Single Sign-On with their Azure AD accounts.

+* AWS Single Sign-On enabled subscription.

+* AWS Single Sign-On supports **SP and IDP** initiated SSO.

+* AWS Single Sign-On supports [**Automated user provisioning**](./aws-single-sign-on-provisioning-tutorial.md).

+## Add AWS Single Sign-On from the gallery

+To configure the integration of AWS Single Sign-On into Azure AD, you need to add AWS Single Sign-On from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **AWS Single Sign-On** in the search box.

+1. Select **AWS Single Sign-On** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for AWS Single Sign-On

+Configure and test Azure AD SSO with AWS Single Sign-On using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AWS Single Sign-On.

+To configure and test Azure AD SSO with AWS Single Sign-On, perform the following steps:

+1. **[Configure AWS Single Sign-On SSO](#configure-aws-single-sign-on-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create AWS Single Sign-On test user](#create-aws-single-sign-on-test-user)** - to have a counterpart of B.Simon in AWS Single Sign-On that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **AWS Single Sign-On** application integration page, find the **Manage** section and select **single sign-on**.

+ b. Click on **folder logo** to select metadata file, which is explained to download in **[Configure AWS Single Sign-On SSO](#configure-aws-single-sign-on-sso)** section and click **Add**.

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [AWS Single Sign-On Client support team](mailto:aws-sso-partners@amazon.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. AWS Single Sign-On application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ > If ABAC is enabled in AWS Single Sign-On, the additional attributes may be passed as session tags directly into AWS accounts.

+1. On the **Set up AWS Single Sign-On** section, copy the appropriate URL(s) based on your requirement.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to AWS Single Sign-On.

+1. In the applications list, select **AWS Single Sign-On**.

+## Configure AWS Single Sign-On SSO

+1. To automate the configuration within AWS Single Sign-On, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.

+2. After adding extension to the browser, click on **Set up AWS Single Sign-On** will direct you to the AWS Single Sign-On application. From there, provide the admin credentials to sign into AWS Single Sign-On. The browser extension will automatically configure the application for you and automate steps 3-10.

+3. If you want to setup AWS Single Sign-On manually, in a different web browser window, sign in to your AWS Single Sign-On company site as an administrator.

+1. Go to the **Services -> Security, Identity, & Compliance -> AWS Single Sign-On**.

+3. On the **Settings** page, find **Identity source** and click on **Change**.

+4. On the Change identity source, choose **External identity provider**.

+ a. In the **Service provider metadata** section, find **AWS SSO SAML metadata** and select **Download metadata file** to download the metadata file and save it on your computer and use this metadata file to upload on Azure portal.

+ b. Copy **AWS SSO Sign-in URL** value, paste this value into the **Sign on URL** text box in the **Basic SAML Configuration section** in the Azure portal.

+ c. In the **Identity provider metadata** section, choose **Browse** to upload the metadata file, which you have downloaded from the Azure portal.

+### Create AWS Single Sign-On test user

+1. Open the **AWS SSO console**.

+ c. In the **Confirm email address** field, reenter the email address from the previous step.

+ g. Choose **Next: Groups**.

+ > Make sure the username entered in AWS SSO matches the userΓÇÖs Azure AD sign-in name. This will you help avoid any authentication problems.

+AWS SSO console, choose **AWS accounts**.

+about permission sets, see the AWS SSO **Permission Sets** page.

+> AWS Single Sign-On also supports automatic user provisioning, you can find more details [here](./aws-single-sign-on-provisioning-tutorial.md) on how to configure automatic user provisioning.

+* Click on **Test this application** in Azure portal. This will redirect to AWS Single Sign-On sign-in URL where you can initiate the login flow.

+* Go to AWS Single Sign-On sign-in URL directly and initiate the login flow from there.

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the AWS Single Sign-On for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the AWS Single Sign-On tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AWS Single Sign-On for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+Once you configure AWS Single Sign-On you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+> [!IMPORTANT]

+> When running this command using the PowerShell in Azure Cloud Shell or from your local computer,

+> the double-quote string value for the *--api-server-authorized-ip-rangers* argument needs to be [enclosed

+> in single quotes](/powershell/module/microsoft.powershell.core/about/about_quoting_rules#including-quote-characters-in-a-string).

+> Otherwise, an error message is returned indicating an expected argument is missing.

+### Azure Files CSI storage driver fails to mount a volume with a secret not in default namespace

+If you have configured an Azure Files CSI driver persistent volume or storage class with a storage

+access secrete in a namespace other than *default*, the pod does not search in its own namespace

+and returns an error when trying to mount the volume.

+This issue has been fixed in the 2022041 release. To mitigate this issue, you have two options:

+1. Upgrade the agent node image to the latest release.

+1. Specify the *secretNamespace* setting when configuring the persistent volume configuration.

+Follow steps 1-10 in the preceding method to upload the correct trusted root certificate to Application Gateway.

+## Trusted root certificate

+If you select HTTPS as the back-end protocol, the Application Gateway requires a trusted root certificate to trust the back-end pool for end-to-end SSL. By default, the **Use well known CA certificate** option is set to **No**. If you plan to use a self-signed certificate, or a certificate signed by an internal Certificate Authority, then you must provide the Application Gateway the matching public certificate that the back-end pool will be using. This certificate must be uploaded directly to the Application Gateway in .CER format.

+If you plan to use a certificate on the back-end pool that is signed by a trusted public Certificate Authority, then you can set the **Use well known CA certificate** option to **Yes** and skip uploading a public certificate.

+| Proxy NTML authentication | &#x2713; | |

+1. Within your **Application Gateways** properties blade, obtain and make a note of the **Resource ID**, you will require this if setting up a Private Endpoint within a diffrerent Azure AD tenant

+> [!Note]

+> If you are setting up the **Private Endpoint** from within another tenant, you will need to utilise the Azure Application Gateway Resource ID, along with sub-resource as either _appGwPublicFrontendIp_ or _appGwPrivateFrontendIp_, depending upon your Azure Application Gateway Private Link Frontend IP Configuration.

+ --servers "$address1" "$address2" \

+ --priority 100

+* Migrating to availability zones or changing the availability zone configuration will trigger a public [IP address change](../api-management/api-management-howto-ip-addresses.md#changes-to-the-ip-addresses).

+> [Azure Services that support Availability Zones](az-region.md)

+## Multitenant applications in App Configuration

+A multitenant application is built on an architecture where a shared instance of your application serves multiple customers or tenants. For example, you may have an email service that offers your users separate accounts and customized experiences. Your application usually manages different configurations for each tenant. Here are some architectural considerations for [using App Configuration in a multitenant application](/azure/architecture/guide/multitenant/service/app-configuration).

+| VMware | [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) | TKGm 1.5.3; upstream K8s v1.22.8+vmware.1 <br>TKGm 1.4.0; upstream K8s v1.21.2+vmware.1 <br>TKGm 1.3.1; upstream K8s v1.20.5_vmware.2 <br>TKGm 1.2.1; upstream K8s v1.19.3+vmware.1 |

+| Canonical | [Charmed Kubernetes](https://ubuntu.com/kubernetes) | [1.24](https://ubuntu.com/kubernetes/docs/1.24/components) |

+| Kublr | [Kublr Managed K8s](https://kublr.com/managed-kubernetes/) Distribution | Upstream K8s Version: 1.22.10 <br> Upstream K8s Version: 1.21.3 |

+| Wind River | [Wind River Cloud Platform](https://www.windriver.com/studio/operator/cloud-platform) | Wind River Cloud Platform 22.06; Upstream K8s version: 1.23.1 <br>Wind River Cloud Platform 21.12; Upstream K8s version: 1.21.8 <br>Wind River Cloud Platform 21.05; Upstream K8s version: 1.18.1 |

+ You should see the below output:

+ ```

+ Resource Name : <server name>

+ [...]

+ Dependent Service Status

+ Agent Service (himds) : running

+ GC Service (gcarcservice) : running

+ Extension Service (extensionservice) : running

+ ```

+ If instead you see `Agent Status: Disconnected` or any other status, [file a ticket](#file-a-ticket) with **Summary** as 'Arc agent or extensions service not working' and **Problem type** as 'I need help with Azure Monitor Windows Agent'.

+ - `transformKql`: Specifies a [transformation](../logs/../essentials//data-collection-transformations.md) to apply to the incoming data before it's sent to the workspace.

+- Support for stateful (preview) and 1-minute log alerts.

+ import io.opentelemetry.api.trace.Tracer;

+ Tracer tracer = GlobalOpenTelemetry.getTracer("myApp");

+> [!TIP]

+> The tracer name ideally describes the source of the telemetry, in this case your application,

+> but currently Application Insights Java is not reporting this name to the backend.

+> [!TIP]

+> Tracers are thread-safe, so it's generally best to store them into static fields in order to

+> avoid the performance overhead of creating lots of new tracer objects.

+|ForwardingRuleCount|No|Forwarding Rule Count|Count|Maximum|This metric indicates the number of forwarding rules present in each DNS forwarding ruleset.|No Dimensions|

+|VirtualNetworkLinkCount|No|Virtual Network Link Count|Count|Maximum|This metric indicates the number of associated virtual network links to a DNS forwarding ruleset.|No Dimensions|

+|InboundEndpointCount|No|Inbound Endpoint Count|Count|Maximum|This metric indicates the number of inbound endpoints created for a DNS Resolver.|No Dimensions|

+|OutboundEndpointCount|No|Outbound Endpoint Count|Count|Maximum|This metric indicates the number of outbound endpoints created for a DNS Resolver.|No Dimensions|

+| Microsoft.MachineLearningServices/workspaces/computes | [listKeys](/rest/api/azureml/2022-05-01/compute/list-keys) |

+| Microsoft.MachineLearningServices/workspaces/computes | [listNodes](/rest/api/azureml/2022-05-01/compute/list-nodes) |

+| Microsoft.MachineLearningServices/workspaces | [listKeys](/rest/api/azureml/2022-05-01/workspaces/list-keys) |

+| Microsoft.MachineLearningServices/workspaces/computes | [listKeys](/rest/api/azureml/2022-05-01/compute/list-keys) |

+| Microsoft.MachineLearningServices/workspaces/computes | [listNodes](/rest/api/azureml/2022-05-01/compute/list-nodes) |

+| Microsoft.MachineLearningServices/workspaces | [listKeys](/rest/api/azureml/2022-05-01/workspaces/list-keys) |

+In this article you'll learn how to access the HCX over a Public IP address using Azure VMware Solution. You'll also learn how to pair HCX sites, and create service mesh from on-premises to Azure VMware Solutions private cloud using Public IP. The service mesh allows you to migrate a workload from an on-premises datacenter to Azure VMware Solutions private cloud over the public internet. This solution is useful where the customer isn't using Express Route or VPN connectivity with the Azure cloud.

+> The on-premises HCX appliance should be reachable from the internet to establish HCX communication from on-premises to Azure VMware Solution private cloud.

+1. Browse the NSX-T Manger, paste the admin password in the password field, and select **Login**.

+1. Under the **Networking** section, select **Connectivity** and **Segments**, and then select **ADD SEGMENT**.

+1. Provide Segment name, select Tier-1 router as connected gateway, and provide the public segment under subnets.

+1. Sign in to NSX-T manager and select **Networking**.

+1. Sign in to NSX-T Manager and select **Networking**.

+1. Under IP pools, enter the **IP Ranges** for HCX uplink, **Prefix Length**, and **Gateway** of public IP segment.

+1. Sign in to the **Source** site HCX Manager.

+1. Review the Transport Zone information, and then select **Continue**.

+1. Under the **Network Extension** section, select the site for which you want to extend the network, and then select **EXTEND NETWORKS**.

+ - _User4_ is a Backup Operator. It has the permission to enable backup, trigger on-demand backup, trigger restores, along with the capabilities of a Backup Reader. However, in this scenario, its scope is limited only to Subscription2.

+* [Frequently Asked Questions](backup-azure-backup-faq.yml)

+**Supported operating systems** | Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 (all versions), Windows Server 2008 R2 SP1 <br/><br/> Linux isn't currently supported.

+- Register the **Microsoft.Workloads** Resource Provider on the subscription in which you are deploying the SAP system.

+- Register the **Microsoft.Workloads** Resource Provider in the subscription where you have the SAP system.

+6. Only one URL can be refreshed at a time.

+>[!IMPORTANT]

+>Azure Communication Services direct routing supports only TLS 1.2 (or a later version), make sure that the cipher suites you're using on an SBC are supported by Azure Front Door. Microsoft 365 and Azure Front Door have slight differences in cipher suite support. For details, see [What are the current cipher suites supported by Azure Front Door?](/azure/frontdoor/concept-end-to-end-tls#supported-cipher-suites).

+- **sip.pstnhub.microsoft.com** ΓÇö Global FQDN ΓÇö must be tried first. When the SBC sends a request to resolve this name, the Microsoft Azure DNS servers return an IP address that points to the primary Azure datacenter assigned to the SBC. The assignment is based on performance metrics of the datacenters and geographical proximity to the SBC. The IP address returned corresponds to the primary FQDN.

+- **sip2.pstnhub.microsoft.com** ΓÇö Secondary FQDN ΓÇö geographically maps to the second priority region.

+- **sip3.pstnhub.microsoft.com** ΓÇö Tertiary FQDN ΓÇö geographically maps to the third priority region.

+from azure.confidentialledger.certificate import ConfidentialLedgerCertificateClient

+identity_client = ConfidentialLedgerCertificateClient(identity_url)

+We are prepared to write to the ledger. We will do so using the `create_ledger_entry` function.

+append_result = ledger_client.create_ledger_entry(entry_contents="Hello world!")

+latest_entry = ledger_client.get_current_ledger_entry(transaction_id=append_result.transaction_id)

+print(f"Current entry (transaction id = {latest_entry['transactionId']}) in collection {latest_entry['collectionId']}: {latest_entry['contents']}")

+from azure.confidentialledger.certificate import ConfidentialLedgerCertificateClient

+confidential_ledger_mgmt.ledger.begin_create(rg, ledger_name, ledger_properties)

+identity_client = ConfidentialLedgerCertificateClient(identity_url)

+append_result = ledger_client.create_ledger_entry(entry_contents="Hello world!")

+entry = ledger_client.get_current_ledger_entry(transaction_id=append_result.transaction_id)

+print(f"Current entry (transaction id = {latest_entry['transactionId']}) in collection {latest_entry['collectionId']}: {latest_entry['contents']}")

+var bson = new BsonDocument

+{

+ { "customAction", "CreateCollection" },

+ { "collection", "<CollectionName>" },//update CollectionName

+ { "shardKey", "<ShardKeyName>" }, //update ShardKey

+ { "offerThroughput", 400} //update Throughput

+};

+var shellCommand = new BsonDocumentCommand<BsonDocument>(bson);

+// Create a collection with a partition key by using Mongo Driver:

+db.RunCommand(shellCommand);

+<tr><td><b>Monitoring</b></td><td> Rerun pipeline with new parameters</td><td>You can now rerun pipelines with new parameter values in Azure Data Factory.<br><a href="monitor-visually.md#rerun-pipelines-and-activities">Learn more</a></td></tr>

+<tr><td><b>Orchestration</b></td><td>ΓÇÿturnOffAsync' property is available in Web activity</td><td>Web activity supports an async request-reply pattern that invokes HTTP GET on the Location field in the response header of an HTTP 202 Response. It helps web activity automatically poll the monitoring end-point till the job runs. ΓÇÿturnOffAsync' property is supported to disable this behavior in cases where polling isn't needed<br><a href="control-flow-web-activity.md#type-properties">Learn more</a></td></tr>

+

+The metadata can be copied with Windows and Linux data copy tools. Metadata isn't preserved when transferring data to blob storage. Metadata is also not transferred when copying data over NFS.

+| **Unusual access denied - User accessing high volume of key vaults denied**<br>(KV_AccountVolumeAccessDeniedAnomaly) | A user or service principal has attempted access to anomalously high volume of key vaults in the last 24 hours. This anomalous access pattern may be legitimate activity. Though this attempt was unsuccessful, it could be an indication of a possible attempt to gain access of key vault and the secrets contained within it. We recommend further investigations. | Discovery | Low |

+With this feature, you can add your own *custom* initiatives. Although custom initiatives aren't included in the secure score, you'll receive recommendations if your environment doesn't follow the policies you create. Any custom initiatives you create are shown in the list of all recommendations and you can filter by initiative to see the recommendations for your initiative. They're also shown with the built-in initiatives in the regulatory compliance dashboard, as described in the tutorial [Improve your regulatory compliance](regulatory-compliance-dashboard.md).

+You can view your custom initiatives organized by controls, similar to the controls in the compliance standard. To learn how to create policy groups within the custom initiatives and organize them in your initiative, follow the guidance provided in the [policy definitions groups](../governance/policy/concepts/initiative-definition-structure.md).

+ 1. In the Add custom initiatives page, select refresh. Your new initiative will be available.

+1. To see the resulting recommendations for your policy, select **Recommendations** from the sidebar to open the recommendations page. The recommendations will appear with a "Custom" label and be available within approximately one hour.

+As part of the native integration with Azure Policy, Microsoft Defender for Cloud enables you to take advantage Azure PolicyΓÇÖs REST API to create policy assignments. The following instructions walk you through creation of policy assignments, and customization of existing assignments.

+> [Defender for Servers integration with Microsoft Defender for Endpoint](episode-sixteen.md)

+ Title: Defender for Servers integration with Microsoft Defender for Endpoint

+description: Learn about the integration between Defender for Servers and Microsoft Defender for Endpoint

+# Defender for Servers integration with Microsoft Defender for Endpoint

+**Episode description**: In this episode of Defender for Cloud in the Field, Erel Hansav joins Yuri Diogenes to talk about the latest updates regarding the Defender for Servers integration with Microsoft Defender for Endpoint. Erel explains the architecture of this integration for the different versions of Windows Servers, how this integration takes place in the backend, the deployment options for Windows and Linux and the deployment at scale using Azure Policy.

+<iframe src="https://aka.ms/docs/player?id=aaf5dbcd-9a29-40c2-b355-8c832b27baa5" width="1080" height="530" allowFullScreen="true" frameBorder="0"></iframe>

+- [01:14](/shows/mdc-in-the-field/servers-med-integration#time=00m00s) - Introduction

+- [05:54](/shows/mdc-in-the-field/servers-med-integration#time=02m13s) - Understanding Microsoft Defender for Endpoint's integration with Defender for Servers

+- [06:51](/shows/mdc-in-the-field/servers-med-integration#time=15m30s) - Onboarding flow

+- [10:13](/shows/mdc-in-the-field/servers-med-integration#time=20m05s) - Options to deploy at scale

+## Recommended resources

+

+[Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](integration-defender-for-endpoint.md)

+- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa0ZoTml2Qm9kZ2pjRzNMUXFqVUwyNl80YVNtd3xBQ3Jtc0trVm9QM2Z0NlpOeC1KSUE2UEd1cVJ5aHQ0MTN6WjJEYmNlOG9rWC1KZ1ZqaTNmcHdOOHMtWXRLSGhUTVBhQlhhYzlUc2xmTHZtaUpkd1c4LUQzLWt1YmRTbkVQVE5EcTJIM0Foc042SGdQZU5acVRJbw&q=https%3A%2F%2Faka.ms%2FSubscribeMicrosoftSecurity)

+- Follow us on social media:

+ [LinkedIn](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbFk5TXZuQld2NlpBRV9BQlJqMktYSm95WWhCZ3xBQ3Jtc0tsQU13MkNPWGNFZzVuem5zc05wcnp0VGxybHprVTkwS2todWw0b0VCWUl4a2ZKYVktNGM1TVFHTXpmajVLcjRKX0cwVFNJaDlzTld4MnhyenBuUGRCVmdoYzRZTjFmYXRTVlhpZGc4MHhoa3N6ZDhFMA&q=https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F)

+ [Twitter](https://twitter.com/msftsecurity)

+- Join our [Tech Community](https://aka.ms/SecurityTechCommunity)

+- For more about [Microsoft Security](https://msft.it/6002T9HQY)

+## Next steps

+> [!div class="nextstepaction"]

+> [New AWS Connector in Microsoft Defender for Cloud](episode-one.md)

+You can learn about Defender for Cloud's integration with Microsoft Defender for Endpoint by watching this video from the Defender for Cloud in the Field video series: [Defender for Servers integration with Microsoft Defender for Endpoint](episode-sixteen.md)

+The Microsoft Defender for Cloud's overview page is an interactive dashboard that provides a unified view into the security posture of your hybrid cloud workloads. Additionally, it shows security alerts, coverage information, and more.

+> When you're facing an issue or need advice from our support team, the **Diagnose and solve problems** section of the Azure portal is good place to look for solutions:

+## Use the Audit Log to investigate issues

+The first place to look for troubleshooting information is the [Audit Log records](../azure-monitor/essentials/platform-logs-overview.md) records for the failed component. In the audit logs, you can see details including:

+- Which operations were performed

+- Who initiated the operation

+- When the operation occurred

+- The status of the operation

+The audit log contains all write operations (PUT, POST, DELETE) performed on your resources, but not read operations (GET).

+## Troubleshooting the native multicloud connector

+Defender for Cloud uses connectors to collect monitoring data from AWS accounts and GCP projects. If youΓÇÖre experiencing issues with the connector or you don't see data from AWS or GCP, we recommend that you review these troubleshooting tips:

+Common connector issues:

+- Make sure that the subscription associated with the connector is selected in the **subscriptions filter**, located in the **Directories + subscriptions** section of the Azure portal.

+- Standards should be assigned on the security connector. To check, go to the **Environment settings** in the Defender for Cloud left menu, select the connector, and select **Settings**. There should be standards assigned. You can select the three dots to check if you have permissions to assign standards.

+- Connector resource should be present in Azure Resource Graph (ARG). Use the following ARG query to check: `resources | where ['type'] =~ "microsoft.security/securityconnectors"`

+- Make sure that sending Kubernetes audit logs is enabled on the AWS or GCP connector so that you can get [threat detection alerts for the control plane](alerts-reference.md#alerts-k8scluster).

+- Make sure that Azure Arc and the Azure Policy Arc extension were installed successfully.

+- Make sure that the agent is installed to your Elastic Kubernetes Service (EKS) clusters. You can install the agent with the **Azure Policy add-on for Kubernetes should be installed and enabled on your clusters** recommendation, or **Azure policy extension for Kubernetes should be installed and enabled on your clusters** recommendations. Download the given script provided in the recommendation and run it on your cluster. The recommendation should disappear within an hour of when the script is run.

+- If youΓÇÖre experiencing issues with deleting the AWS or GCP connector, check if you have a lock (in this case there might be an error in the Azure Activity log, hinting at the presence of a lock).

+- Check that workloads exist in the AWS account or GCP project.

+AWS connector issues:

+- Make sure that the CloudFormation template deployment completed successfully.

+- You need to wait at least 12 hours since the AWS root account was created.

+- Make sure that EKS clusters are successfully connected to Arc-enabled Kubernetes.

+- If you don't see AWS data in Defender for Cloud, make sure that the AWS resources required to send data to Defender for Cloud exist in the AWS account.

+GCP connector issues:

+- Make sure that the GCP Cloud Shell script completed successfully.

+- Make sure that GKE clusters are successfully connected to Arc-enabled Kubernetes.

+- Make sure that Azure Arc endpoints are in the firewall allowlist. The GCP connector makes API calls to these endpoints to fetch the necessary onboarding files.

+- If the onboarding of GCP projects failed, make sure you have ΓÇ£compute.regions.listΓÇ¥ permission and Azure AD permission to create the service principle used as part of the onboarding process. Make sure that the GCP resources `WorkloadIdentityPoolId`, `WorkloadIdentityProviderId`, and `ServiceAccountEmail` are created in the GCP project.

+## Troubleshooting the Log Analytics agent

+Defender for Cloud uses the Log Analytics agent to [collect and store data](./enable-data-collection.md). The information in this article represents Defender for Cloud functionality after transition to the Log Analytics agent.

+- The Azure activity logs and the enable diagnostic logs on the attack resource.

+Customers can share feedback for the alert description and relevance. Navigate to the alert itself, select the **Was This Useful** button, select the reason, and then enter a comment to explain the feedback. We consistently monitor this feedback channel to improve our alerts.

+### Check the Log Analytics agent processes and versions

+Just like the Azure Monitor, Defender for Cloud uses the Log Analytics agent to collect security data from your Azure virtual machines. After data collection is enabled and the agent is correctly installed in the target machine, the `HealthService.exe` process should be running.

+Open the services management console (services.msc), to make sure that the Log Analytics agent service running as shown below:

+To see which version of the agent you have, open **Task Manager**, in the **Processes** tab locate the **Log Analytics agent Service**, right-click on it and select **Properties**. In the **Details** tab, look the file version as shown below:

+### Log Analytics agent installation scenarios

+- **Agent installed automatically by Defender for Cloud**: You can view the alerts in Defender for Cloud and Log search. You'll receive email notifications to the email address that was configured in the security policy for the subscription the resource belongs to.

+- **Agent manually installed on a VM located in Azure**: in this scenario, if you're using agents downloaded and installed manually prior to February 2017, you can view the alerts in the Defender for Cloud portal only if you filter on the subscription the workspace belongs to. If you filter on the subscription the resource belongs to, you won't see any alerts. You'll receive email notifications to the email address that was configured in the security policy for the subscription the workspace belongs to.

+### Monitoring agent network connectivity issues

+For agents to connect to and register with Defender for Cloud, they must have access to the DNS addresses and network ports for Azure network resources.

+- When you use proxy servers, you need to make sure that the appropriate proxy server resources are configured correctly in the [agent settings](../azure-monitor/agents/agent-windows.md).

+- You need to configure your network firewalls to permit access to Log Analytics.

+The Azure network resources are:

+If you're having trouble onboarding the Log Analytics agent, make sure to read [how to troubleshoot Operations Management Suite onboarding issues](https://support.microsoft.com/help/3126513/how-to-troubleshoot-operations-management-suite-onboarding-issues).

+## Antimalware protection isn't working properly

+The guest agent is the parent process of everything the [Microsoft Antimalware](../security/fundamentals/antimalware.md) extension does. When the guest agent process fails, the Microsoft Antimalware protection that runs as a child process of the guest agent may also fail.

+Here are some other troubleshooting tips:

+- If the target VM was created from a custom image, make sure that the creator of the VM installed guest agent.

+- If the target is a Linux VM, then installing the Windows version of the antimalware extension will fail. The Linux guest agent has specific OS and package requirements.

+- If the VM was created with an old version of guest agent, the old agents might not have the ability to auto-update to the newer version. Always use the latest version of guest agent when you create your own images.

+- Some third-party administration software may disable the guest agent, or block access to certain file locations. If third-party administration software is installed on your VM, make sure that the antimalware agent is on the exclusion list.

+- Make sure that firewall settings and Network Security Group (NSG) aren't blocking network traffic to and from guest agent.

+- Make sure that there are no Access Control Lists (ACLs) that prevent disk access.

+- The guest agent requires sufficient disk space in order to function properly.

+By default the Microsoft Antimalware user interface is disabled, but you can [enable the Microsoft Antimalware user interface](/archive/blogs/azuresecurity/enabling-microsoft-antimalware-user-interface-post-deployment) on Azure Resource Manager VMs.

+If you experience issues loading the workload protection dashboard, make sure that the user that first enabled Defender for Cloud on the subscription and the user that want to turn on data collection have the *Owner* or *Contributor* role on the subscription. If that is the case, users with the *Reader* role on the subscription can see the dashboard, alerts, recommendations, and policy.

+You can also find troubleshooting information for Defender for Cloud at the [Defender for Cloud Q&A page](/answers/topics/azure-security-center.html). If you need further troubleshooting, you can open a new support request using **Azure portal** as shown below:

+In this page, you learned about troubleshooting steps for Defender for Cloud. To learn more about Microsoft Defender for Cloud:

+- Learn how to [manage and respond to security alerts](managing-and-responding-alerts.md) in Microsoft Defender for Cloud

+- [Alert validation](alert-validation.md) in Microsoft Defender for Cloud

+- Review [frequently asked questions](faq-general.yml) about using Microsoft Defender for Cloud

+Before you can configure a WEM scan from your sensor, you need to configure WMI domain scanning on the Windows machine you'll be scanning.

+- [Configure DNS servers for reverse lookup resolution for OT monitoring](configure-reverse-dns-lookup.md)

+ Title: Detect Windows workstations and servers with a local script

+description: Learn about how to detect Windows workstations and servers on your network using a local script.

+# Detect Windows workstations and servers with a local script

+In addition to detecting OT devices on your network, use Defender for IoT to discover Microsoft Windows workstations and servers. Same as other detected devices, detected Windows workstations and servers are displayed in the Device inventory. The **Device inventory** pages on the sensor and on-premises management console show enriched data about Windows devices, including data about the Windows operating system and applications installed, patch-level data, open ports, and more.

+This article describes how to configure Defender for IoT to detect Windows workstations and servers with local surveying, performed by distributing and running a script on each device. While you can use active scanning and scheduled WMI scans to obtain this data, working with local scripts bypasses the risks of running WMI polling on an endpoint. Running a local script is also useful for regulated networks that have waterfalls and one-way elements.

+For more information, see [Configure Windows Endpoint Monitoring](configure-windows-endpoint-monitoring.md).

+## Supported operating systems

+The script described in this article is supported for the following Windows operating systems:

+- Windows XP

+- Windows 2000

+- Windows NT

+- Windows 7

+- Windows 10

+- Windows Server 2003/2008/2012/2016

+## Prerequisites

+Before you start, make sure that you have:

+- Administrator permissions on any devices where you intend to run the script

+- A Defender for IoT OT sensor already monitoring the network where the device is connected

+If an OT network sensor has already learned the device, running the script will retrieve its information and enrichment data.

+## Run the script

+This procedure describes how to obtain, deploy, and run the script on the Windows workstation and servers that you want to monitor in Defender for IoT.

+The script you run to detect enriched Windows data is run as a utility and not as an installed program. Running the script doesn't affect the endpoint.

+1. To acquire the script, [contact customer support](mailto:support.microsoft.com).

+1. Deploy the script once, or using ongoing automation, using standard automated deployment methods and tools.

+1. Copy the script to a local drive and unzip it. The following files appear:

+ - `start.bat`

+ - `settings.json`

+ - `data.bin`

+ - `run.bat`

+1. Run the `run.bat` file.

+ After the script runs to probe the registry, a CX-snapshot file appears with the registry information. The filename indicates the system name, date, and time of the snapshot with the following syntax: `CX-snaphot_SystemName_Month_Year_Time`

+Files generated by the script:

+- Remain on the local drive until you delete them.

+- Must remain in the same location. Do not separate the generated files.

+- Are overwritten if you run the script again.

+## Import device details

+After having run the script as described [earlier](#run-the-script), import the generated data to your sensor to view the device details in the **Device inventory**.

+**To import device details to your sensor**:

+1. Use standard, automated methods and tools to move the generated files from each Windows endpoint to a location accessible from your OT sensors.

+ Do not update filenames or separate the files from each other.

+1. On your OT sensor console, select **System Settings** > **Import Settings** > **Windows Information**.

+1. Select **Import File**, and then select all the files (Ctrl+A).

+1. Select **Close**. The device registry information is imported and a successful confirmation message is shown

+ If there's a problem uploading one of the files, you'll be informed which file upload failed.

+## Next steps

+For more information, see [View detected devices on-premises](how-to-investigate-sensor-detections-in-a-device-inventory.md).

+| **Locally managed** | Apply a new activation file to locally managed sensors every year. After a sensor's activation file has expired, the sensor will continue to monitor your network, but you'll see a warning message when signing in to the sensor. |

+| Device inventory | The Device inventory displays a list of device attributes that this sensor detects. Options are available to: <br /> - Sort, or filter the information according to the table fields, and see the filtered information displayed. <br /> - Export information to a CSV file. <br /> - Import Windows registry details. For more information, see [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md).|

+Defender for IoT administrators have permission to use forwarding rules.

+- Disconnected sensors

+- Remote backup failures

+Relevant information is sent to partner systems when forwarding rules are created in the sensor console or the [on-premises management console](how-to-work-with-alerts-on-premises-management-console.md#create-forwarding-rules).

+ Title: Manage your OT device inventory from an on-premises management console

+description: Learn how to view and manage OT devices (assets) from the Device inventory page on an on-premises management console.

+# Manage your OT device inventory from an on-premises management console

+Use the **Device inventory** page from an on-premises management console to manage all OT and IT devices detected by sensors connected to that console. Identify new devices detected, devices that might need troubleshooting, and more.

+For more information, see [What is a Defender for IoT committed device?](architecture.md#what-is-a-defender-for-iot-committed-device).

+> [!TIP]

+> Alternately, view your device inventory from a [the Azure portal](how-to-manage-device-inventory-for-organizations.md), or from an [OT sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md).

+>

+## View the device inventory

+To view detected devices in the **Device Inventory** page in an on-premises management console, sign-in to your on-premises management console, and then select **Device Inventory**.

+For example:

+Use any of the following options to modify or filter the devices shown:

+|Option |Steps |

+|||

+| **Sort devices** | To sort the grid by a specific column, select the **Sort** :::image type="icon" source="media/how-to-work-with-asset-inventory-information/alphabetical-order-icon.png" border="false"::: button in the column you want to sort by. Use the arrow buttons that appear to sort ascending or descending. |

+|**Filter devices shown** | 1. In the column that you want to filter, select the **Filter** button :::image type="icon" source="media/how-to-work-with-asset-inventory-information/filter-a-column-icon.png" border="false":::.<br>2. In the **Filter** box, define your filter value. <br><br>Filters aren't saved when you refresh the **Device Inventory** page. |

+| **Save a filter** | To save the current set of filters, select the **Save As** button that appears in the filter row.|

+| **Load a saved filter** | Saved filters are listed on the left, in the **Groups** pane. <br><br>1. Select the **Options** :::image type="icon" source="media/how-to-work-with-asset-inventory-information/options-menu.png"border="false"::: button in the toolbar to display the **Groups** pane. <br>2. In the **Device Inventory Filters** list, select the saved filter you want to load. |

+For more information, see [Device inventory column reference](#device-inventory-column-reference).

+## Export the device inventory to CSV

+Export your device inventory to a CSV file to manage or share data outside of the OT sensor.

+To export device inventory data, select the **Import/Export file** :::image type="icon" source="media/how-to-work-with-asset-inventory-information/menu-icon-device-inventory.png" border="false"::: button, and then select one of the following:

+- **Export Device Inventory View**: Exports only the devices currently displayed, with the current filter applied

+- **Export All Device Inventory**: Exports the entire device inventory, with no filtering

+Save the exported file locally.

+## Enhance device inventory data

+Enhance the data in your device inventory with information from other sources, such as CMDBs, DNS, firewalls, and Web APIs. Use enhanced data to learn things such as:

+- Device purchase dates and end-of-warranty dates

+- Users responsible for each device

+- Opened tickets for devices

+- The last date when the firmware was upgraded

+- Devices allowed access to the internet

+- Devices running active antivirus applications

+- Users signed in to devices

+Enhancement data is shown as extra columns in the on-premises management console **Device inventory** page.

+Enhance data by adding it manually or by running customized scripts from Defender for IoT. You can also work with Defender for IoT support to set up your system to receive Web API queries.

+For example, the following image shows an example of how you might use enhanced data in the device inventory:

+# [Add data manually](#tab/manually)

+To enhance your data manually:

+1. Sign in to your on-premises management console, and select **Device inventory**.

+1. On the top-right, select the **Settings** :::image type="icon" source="media/how-to-work-with-asset-inventory-information/menu-icon.png" border="false"::: button to open the **Device Inventory Settings** dialog.

+1. In the **Device Inventory Settings** dialog box, select **ADD CUSTOM COLUMN**.

+1. In the **Add Custom Column** dialog box, add the new column name using up to 250 UTF characters.

+1. Select **Manual** > **SAVE**. The new item appears in the **Device Inventory Settings** dialog box.

+1. In the upper-right corner of the **Device Inventory** window, select the **Import/Export file** :::image type="icon" source="media/how-to-work-with-asset-inventory-information/menu-icon-device-inventory.png" border="false"::: button > **Export All Device Inventory**.

+ A CSV file is generated with the data displayed.

+1. Download and open the CSV file for editing, and manually add your information to the new column.

+1. Back in the **Device inventory** page, at the top-right, select the **Import/Export file** :::image type="icon" source="media/how-to-work-with-asset-inventory-information/menu-icon-device-inventory.png" border="false"::: button again > **Import Manual Input Columns**. Browse to and select your edited CSV file.

+The new data appears in the **Device Inventory** grid.

+# [Add data using automation](#tab/automation)

+To enhance your data using automation scripts:

+1. Contact [Microsoft Support](https://support.serviceshub.microsoft.com/supportforbusiness/create?sapId=82c88f35-1b8e-f274-ec11-c6efdd6dd099) to obtain the relevant scripts.

+1. Sign in to your on-premises management console, and select **Device inventory**.

+1. On the side, select the **Settings** :::image type="icon" source="media/how-to-work-with-asset-inventory-information/menu-icon.png" border="false"::: button to open the **Device Inventory Settings** dialog.

+1. In the **Device Inventory Settings** dialog box, select **ADD CUSTOM COLUMN**.

+1. In the **Add Custom Column** dialog box, add the new column name using up to 250 UTF characters.

+1. Select **Automatic**. When the **UPLOAD SCRIPT** and **TEST SCRIPT** buttons appear, upload and then test the script you'd received from [Microsoft Support](https://support.serviceshub.microsoft.com/supportforbusiness/create?sapId=82c88f35-1b8e-f274-ec11-c6efdd6dd099).

+The new data appears in the **Device Inventory** grid.

+## Retrieve device inventory data via API

+You can retrieve an extensive range of device information detected by managed sensors and integrate that information with partner systems.

+For example:

+1. Retrieve sensor, zone, site ID, IP address, MAC address, firmware, protocol, and vendor information.

+1. Filter that information based on any of the following values:

+ - Authorized and unauthorized devices.

+ - Devices associated with specific sites.

+ - Devices associated with specific zones.

+ - Devices associated with specific sensors.

+For more information, see [Defender for IoT sensor and management console APIs](references-work-with-defender-for-iot-apis.md).

+## Device inventory column reference

+The following table describes the device properties shown in the **Device inventory** page on an on-premises management console.

+| Name | Description |

+|--|--|

+| **Unacknowledged Alerts** | The number of unhandled alerts associated with this device. |

+| **Business Unit** | The business unit that contains this device. |

+| **Region** | The region that contains this device. |

+| **Site** | The site that contains this device. |

+| **Zone** | The zone that contains this device. |

+| **Appliance** | The Microsoft Defender for IoT sensor that protects this device. |

+| **Name** | The name of this device as Defender for IoT discovered it. |

+| **Type** | The type of device, such as PLC or HMI. |

+| **Vendor** | The name of the device's vendor, as defined in the MAC address. |

+| **Operating System** | The OS of the device. |

+| **Firmware** | The device's firmware. |

+| **IP Address** | The IP address of the device. |

+| **VLAN** | The VLAN of the device. |

+| **MAC Address** | The MAC address of the device. |

+| **Protocols** | The protocols that the device uses. |

+| **Unacknowledged Alerts** | The number of unhandled alerts associated with this device. |

+| **Is Authorized** | The authorization status of the device:<br />- **True**: The device has been authorized.<br />- **False**: The device hasn't been authorized. |

+| **Is Known as Scanner** | Whether this device performs scanning-like activities in the network. |

+| **Is Programming Device** | Whether the device is a programming device:<br />- **True**: The device performs programming activities for PLCs, RTUs, and controllers, which are relevant to engineering stations.<br />- **False**: The device isn't a programming device. |

+| **Groups** | Groups in which this device participates. |

+| **Last Activity** | The last activity that the device performed. |

+| **Discovered** | When this device was first seen in the network. |

+| **PLC mode (preview)** | The PLC operating mode includes the Key state (physical) and run state (logical). Possible **Key** states include, Run, Program, Remote, Stop, Invalid, Programming Disabled.Possible Run. The possible **Run** states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, Offline. if both states are the same, only one state is presented. |

+For more information, see:

+- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)

+- [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)

+ Title: Manage your OT device inventory from a sensor console

+description: Learn how to view and manage OT devices (assets) from the Device inventory page on a sensor console.

+# Manage your OT device inventory from a sensor console

+Use the **Device inventory** page from a sensor console to manage all OT and IT devices detected by that console. Identify new devices detected, devices that might need troubleshooting, and more.

+For more information, see [What is a Defender for IoT committed device?](architecture.md#what-is-a-defender-for-iot-committed-device).

+> [!TIP]

+> Alternately, view your device inventory from a [the Azure portal](how-to-manage-device-inventory-for-organizations.md), or from an [on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md).

+>

+## View the device inventory

+This procedure describes how to view detected devices in the **Device inventory** page in an OT sensor console.

+1. Sign-in to your OT sensor console, and then select **Device inventory**.

+ :::image type="content" source="media/how-to-work-with-asset-inventory-information/sensor-device-inventory.png" alt-text="Screenshot of the sensor console's Device inventory page." lightbox="media/how-to-work-with-asset-inventory-information/sensor-device-inventory.png":::

+ Use any of the following options to modify or filter the devices shown:

+ |Option |Steps |

+ |||

+ | **Sort devices** | Select a column header to sort the devices by that column. |

+ |**Filter devices shown** | Select **Add filter** to filter the devices shown. <br><br>In the **Add filter** box, define your filter by column name, operator, and filter value. Select **Apply** to apply your filter.<br><br>You can apply multiple filters at the same time. Search results and filters aren't saved when you refresh the **Device inventory** page. |

+ | **Save a filter** | To save the current set of filters:<br><br>1. Select **+Save Filter**. <br>2. In the **Create New Device Inventory Filter** pane on the right, enter a name for your filter, and then select **Submit**. <br><br>Saved filters are also saved as **Device map** groups, and provides extra granularity when [viewing network devices](how-to-work-with-the-sensor-device-map.md) on the **Device map** page. |

+ | **Load a saved filter** | If you have predefined filters saved, load them by selecting the **show side pane** :::image type="icon" source="media/how-to-inventory-sensor/show-side-pane.png" border="false"::: button, and then select the filter you want to load. |

+ |**Modify columns shown** | Select **Edit Columns** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/edit-columns-icon.png" border="false":::. In the **Edit columns** pane:<br><br> - Select **Add Column** to add new columns to the grid<br> - Drag and drop fields to change the columns order.<br>- To remove a column, select the **Delete** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/trashcan-icon.png" border="false"::: icon to the right.<br>- To reset the columns to their default settings, select **Reset** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/reset-icon.png" border="false":::. <br><br>Select **Save** to save any changes made. |

+1. Select a device row to view more details about that device. Initial details are shown in a pane on the right, where you can also select **View full details** to drill down more.

+ For example:

+ :::image type="content" source="media/how-to-inventory-sensor/sensor-inventory-view-details.png" alt-text="Screenshot of the Device inventory page on an OT sensor console." lightbox="media/how-to-inventory-sensor/sensor-inventory-view-details.png":::

+For more information, see [Device inventory column reference](#device-inventory-column-reference).

+## Edit device details

+As you manage your network devices, you may need to update their details. For example, you may want to modify security value as assets change, or personalize the inventory to better identify devices, or if a device was classified incorrectly.

+**To edit device details**:

+1. Select one or more devices in the grid, and then select **View full details** in the pane on the right.

+1. In the device details page, select **Edit Properties**.

+1. In the **Edit** pane on the right, modify the device fields as needed, and then select **Save** when you're done.

+Editable fields include:

+- Authorized status

+- Device name

+- Device type

+- OS

+- Purdue layer

+- Description

+For more information, see [Device inventory column reference](#device-inventory-column-reference).

+## Export the device inventory to CSV

+Export your device inventory to a CSV file to manage or share data outside of the OT sensor.

+To export device inventory data, on the **Device inventory** page, select **Export** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/export-button.png" border="false":::.

+The device inventory is exported with any filters currently applied, and you can save the file locally.

+## Delete a device

+If you have devices no longer in use, delete them from the device inventory so that they're no longer connected to Defender for IoT.

+Devices might be inactive because of misconfigured SPAN ports, changes in network coverage, or because the device was unplugged from the network.

+Delete inactive devices to maintain a correct representation of current network activity, better understand your committed devices when managing your Defender for IoT plans, and to reduce clutter on your screen.

+Devices you delete from the Inventory are removed from the map and won't be calculated when generating Defender for IoT reports, for example Data Mining, Risk Assessment, and Attack Vector reports.

+> [!NOTE]

+> Devices must be inactive for 7 days or more in order for you to be able to delete them.

+>

+**To delete inactive devices**:

+1. On the **Device inventory** page, filter the grid by the **Last Activity** field. In the **Filter** field, select one of the following time periods:

+ - for seven days or more

+ - for 14 days or more

+ - 30 days or more

+ - 90 days or more

+1. Select **Delete Inactive Devices**. In the prompt displayed, enter the reason you're deleting the devices, and then select **Delete**.

+ All devices detected within the range of the selected filter are deleted. If there are a large number of devices to delete, the process may take a few minutes.

+## Device inventory column reference

+The following table describes the device properties shown in the **Device inventory** page on a sensor console.

+| Name | Description |

+|--|--|

+| **Description** | A description of the device |

+| **Discovered** | When this device was first seen in the network. |

+| **Firmware version** | The device's firmware, if detected. |

+| **FQDN** | The device's FQDN value |

+| **FQDN lookup time** | The device's FQDN lookup time |

+| **Groups** | The groups that this device participates in. |

+| **IP Address** | The IP address of the device. |

+| **Is Authorized** | The authorization status defined by the user:<br />- **True**: The device has been authorized.<br />- **False**: The device hasn't been |

+| **Is Known as Scanner** | Defined as a network scanning device by the user. |

+| **Is Programming device** | Defined as an authorized programming device by the user. <br />- **True**: The device performs programming activities for PLCs, RTUs, and controllers, which are relevant to engineering stations. <br />- **False**: The device isn't a programming device. |

+| **Last Activity** | The last activity that the device performed. |

+| **MAC Address** | The MAC address of the device. |

+| **Name** | The name of the device as the sensor discovered it, or as entered by the user. |

+| **Operating System** | The OS of the device, if detected. |

+| **PLC mode** (preview) | The PLC operating mode includes the Key state (physical) and run state (logical). Possible **Key** states include, Run, Program, Remote, Stop, Invalid, Programming Disabled.Possible Run. The possible **Run** states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, Offline. If both states are the same, only one state is presented. |

+| **Protocols** | The protocols that the device uses. |

+| **Type** | The type of device as determined by the sensor, or as entered by the user. |

+| **Unacknowledged Alerts** | The number of unacknowledged alerts associated with this device. |

+| **Vendor** | The name of the device's vendor, as defined in the MAC address. |

+| **VLAN** | The VLAN of the device. For more information, see [Define VLAN names](how-to-manage-the-on-premises-management-console.md#define-vlan-names). |

+- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)

+- [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)

+ Title: Manage your device inventory from the Azure portal

+description: Learn how to view and manage OT and IoT devices (assets) from the Device inventory page in the Azure portal.

+# Manage your device inventory from the Azure portal

+Use the **Device inventory** page in the Azure portal to manage all network devices detected by cloud-connected sensors, including OT, IoT, and IT. Identify new devices detected, devices that might need troubleshooting, and more.

+For more information, see [What is a Defender for IoT committed device?](architecture.md#what-is-a-defender-for-iot-committed-device).

+> Alternately, view device inventory from a [specific sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md), or from an [on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md).

+This procedure describes how to view detected devices in the **Device inventory** page in the Azure portal.

+1. In Defender for IoT in the Azure portal, select **Device inventory**.

+ :::image type="content" source="media/how-to-manage-device-inventory-on-the-cloud/device-inventory.png" alt-text="Screenshot of the Device inventory page in the Azure portal." lightbox="media/how-to-manage-device-inventory-on-the-cloud/device-inventory.png":::

+ Use any of the following options to modify or filter the devices shown:

+ |Option |Steps |

+ |||

+ | **Sort devices** | Select a column header to sort the devices by that column. Select it again to change the sort direction. |

+ |**Filter devices shown** | Either use the **Search** box to search for specific device details, or select **Add filter** to filter the devices shown. <br><br>In the **Add filter** box, define your filter by column name, operator, and value. Select **Apply** to apply your filter.<br><br>You can apply multiple filters at the same time. Search results and filters aren't saved when you refresh the **Device inventory** page.|

+ |**Modify columns shown** | Select **Edit columns** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/edit-columns-icon.png" border="false":::. In the **Edit columns** pane:<br><br> - Select the **+ Add Column** button to add new columns to the grid.<br> - Drag and drop fields to change the columns order.<br>- To remove a column, select the **Delete** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/trashcan-icon.png" border="false"::: icon to the right.<br>- To reset the columns to their default settings, select **Reset** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/reset-icon.png" border="false":::. <br><br>Select **Save** to save any changes made. |

+ | **Group devices** | From the **Group by** above the gird, select either **Type** or **Class** to group the devices shown. Inside each group, devices retain the same column sorting. To remove the grouping, select **No grouping**. |

+1. Select a device row to view more details about that device. Initial details are shown in a pane on the right, where you can also select **View full details** to drill down more.

+ For example:

+ :::image type="content" source="media/how-to-manage-device-inventory-on-the-cloud/device-information-window.png" alt-text="Screenshot of a device details pane and the View full details button in the Azure portal." lightbox="media/how-to-manage-device-inventory-on-the-cloud/device-information-window.png":::

+For more information, see [Device inventory column reference](#device-inventory-column-reference).

+### Identify devices that aren't connecting successfully

+If you suspect that certain devices aren't actively communicating with Azure, we recommend that you verify whether those devices have communicated with Azure recently at all. For example:

+1. In the **Device inventory** page, make sure that the **Last activity** column is shown.

+ Select **Edit columns** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/edit-columns-icon.png" border="false"::: > **Add column** > **Last Activity** > **Save**.

+1. Select the **Last activity** column to sort the grid by that column.

+1. Filter the grid to show active devices during a specific time period:

+ 1. Select **Add filter**.

+ 1. In the **Column** field, select **Last activity**.

+ 1. Select a predefined time range, or define a custom range to filter for.

+ 1. Select **Apply**.

+1. Search for the devices you're verifying in the filtered list of devices.

+As you manage your network devices, you may need to update their details. For example, you may want to modify security value as assets change, or personalize the inventory to better identify devices, or if a device was classified incorrectly.

+**To edit device details**:

+1. Select one or more devices in the grid, and then select **Edit** :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/edit-device-details.png" border="false":::.

+1. If you've selected multiple devices, select **Add field type** and add the fields you want to edit, for all selected devices.

+1. Modify the device fields as needed, and then select **Save** when you're done.

+For more information, see [Device inventory column reference](#device-inventory-column-reference).

+### Reference of editable fields

+The following device fields are supported for editing in the **Device inventory** page:

+| **General information** | |

+| **Settings** |

+For more information, see [Device inventory column reference](#device-inventory-column-reference).

+## Export the device inventory to CSV

+Export your device inventory to a CSV file to manage or share data outside of the Azure portal. You can export a maximum of 30,000 devices at a time.

+**To export device inventory data**:

+On the **Device inventory page**, select **Export** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/export-button.png" border="false":::.

+The device inventory is exported with any filters currently applied, and you can save the file locally.

+Devices might be inactive because of misconfigured SPAN ports, changes in network coverage, or because the device was unplugged from the network.

+Delete inactive devices to maintain a correct representation of current network activity, better understand your committed devices when managing your Defender for IoT plans, and to reduce clutter on your screen.

+The following table describes the device properties shown in the **Device inventory** page on the Azure portal.

+|**Authorized Device** |Editable. Determines whether or not the device is *authorized*. This value may change as device security changes. |

+|**Business Function** | Editable. Describes the device's business function. |

+| **Class** | Editable. The class of the device. <br>Default: `IoT`|

+| **Description** | Editable. The description of the device. |

+| **Firmware vendor** | Editable. The vendor of the device's firmware. |

+| **Firmware version** |Editable. The version of the firmware. |

+|**Hardware Model** | Editable. Determines the device's hardware model. |

+|**Hardware Vendor** |Editable. Determines the device's hardware vendor. |

+| **Importance** | Editable. The level of importance of the device. |

+| **Location** | Editable. The physical location of the device. |

+| **Name** | Mandatory, and editable. The name of the device as the sensor discovered it, or as entered by the user. |

+| **OS architecture** | Editable. The architecture of the operating system. |

+| **OS distribution** | Editable. The distribution of the operating system, such as Android, Linux, and Haiku. |

+| **OS platform** | Editable. The OS of the device, if detected. |

+| **OS version** | Editable. The version of the operating system, such as Windows 10 and Ubuntu 20.04.1. |

+|**Programming device** | Editable. Determines whether the device is a *Programming Device*. |

+| **Purdue level** | Editable. The Purdue level in which the device exists. |

+| **Subtype** | Editable. The subtype of the device, such as speaker and smart tv. <br>**Default**: `Managed Device` |

+| **Tags** | Editable. Tagging data for each device. |

+| **Type** | Editable. The type of device, such as communication, and industrial. <br>**Default**: `Miscellaneous` |

+For more information, see:

+- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)

+- [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)

+ 1. Remove the primary domain from the list of trusted hosts. Run:

+## Download the SNMP MIB file

+Download the SNMP MIB file from Defender for IoT in the Azure portal. Select **Sites and sensors > More actions > Download SNMP MIB file**.

+For more information, see:

+- [Manage your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md)

+- [Manage your OT device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md)

+- [Manage your OT device inventory from an on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md)

+

+1. Select which notifications you want to forward:

+

+ - **Report system notifications:** disconnected sensors, remote backup failures.

+ - **Report alert notifications:** date and time of alert, alert title, alert severity, source and destination name and IP, suspicious traffic and engine that detected the event.

+### View filtered information as a map group

+You can display devices from saved filters in the Device map. For more information, see [View the device inventory](how-to-investigate-sensor-detections-in-a-device-inventory.md#view-the-device-inventory).

+**To view devices in the map:**

+1. After creating and saving an Inventory filter, navigate to the Device map.

+1. In the map page, open the Groups pane on the left.

+1. Scroll down to the **Asset Inventory Filters** group. The groups you saved from the Inventory appear.

+- [Manage your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md)

+- [Manage your OT device inventory from an on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md)

+Open a local **console window** and navigate into the *digital-twins-samples-main\AdtSampleApp\SampleClientApp* folder. Run the *SampleClientApp* project with this dotnet command:

+The function app is part of the sample project you downloaded, located in the *digital-twins-samples-main\AdtSampleApp\SampleFunctionsApp* folder.

+ 1. Open a console window on your machine, and navigate into the *digital-twins-samples-main\AdtSampleApp\SampleFunctionsApp* folder inside your downloaded sample project.

+# @name getAADToken

+ Title: Create copies of the MedTech service device and FHIR destination mappings - Azure Health Data Services

+description: This article helps users create copies of their MedTech service device and FHIR destination mappings.

+# How to create copies of device and FHIR destination mappings

+This article provides steps for creating copies of your MedTech service's device and Fast Healthcare Interoperability Resources (FHIR&#174;) destination mappings that can be used outside of Azure. These copies can be used for editing, troubleshooting, and archiving.

+> Check out the [IoMT Connector Data Mapper](https://github.com/microsoft/iomt-fhir/tree/master/tools/data-mapper) tool for editing, testing, and troubleshooting MedTech service device and FHIR destination mappings. Export mappings for uploading to the MedTech service in the Azure portal or use with the [open-source version](https://github.com/microsoft/iomt-fhir) of the MedTech service.

+> When opening an [Azure Technical Support](https://azure.microsoft.com/support/create-ticket/) ticket for the MedTech service, include copies of your device and FHIR destination mappings to assist in the troubleshooting process.

+ :::image type="content" source="media/iot-troubleshoot/iot-connector-blade.png" alt-text="Screenshot of select MedTech service." lightbox="media/iot-troubleshoot/iot-connector-blade.png":::

+2. Select the name of the **MedTech service** that you'll be copying the device and FHIR destination mappings from.

+ :::image type="content" source="media/iot-troubleshoot/map-files-select-connector-with-box.png" alt-text="Screenshoot of select the MedTech service that you will be making mappings copies from." lightbox="media/iot-troubleshoot/map-files-select-connector-with-box.png":::

+ > This process may also be used for copying and saving the contents of the **"Destination"** FHIR destination mapping.

+ :::image type="content" source="media/iot-troubleshoot/map-files-select-device-json-with-box.png" alt-text="Screenshot of select and copy contents of the mapping." lightbox="media/iot-troubleshoot/map-files-select-device-json-with-box.png":::

+4. Do a paste operation (for example: Press **Ctrl + V**) into a new file within an editor like Microsoft Visual Studio Code or Notepad. Make sure to save the file with the **.json** extension.

+In this article, you learned how to make copies of the MedTech service device and FHIR destination mappings. To learn how to troubleshoot device and FHIR destination mappings, see

+>[Troubleshoot the MedTech service device and FHIR destination mappings](iot-troubleshoot-mappings.md)

+(FHIR&#174;) is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

+| [Managed identity](#managed-identity-authentication) | **Consumption logic app**: <br><br>- **Built-in**: Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP Webhook <p><p>- **Managed connector**: Azure AD, Azure AD Identity Protection, Azure App Service, Azure Automation, Azure Blob Storage, Azure Container Instance, Azure Cosmos DB, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure Event Hubs, Azure IoT Central V2, Azure IoT Central V3, Azure Key Vault, Azure Log Analytics, Azure Queues, Azure Resource Manager, Azure Service Bus, Azure Sentinel, Azure VM, HTTP with Azure AD, SQL Server <p><p>___________________________________________________________________________________________<p><p>**Standard logic app**: <p><p>- **Built-in**: HTTP, HTTP Webhook <p><p>- **Managed connector**: Azure AD, Azure AD Identity Protection, Azure App Service, Azure Automation, Azure Blob Storage, Azure Container Instance, Azure Cosmos DB, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure Event Hubs, Azure IoT Central V2, Azure IoT Central V3, Azure Key Vault, Azure Log Analytics, Azure Queues, Azure Resource Manager, Azure Service Bus, Azure Sentinel, Azure VM, HTTP with Azure AD, SQL Server |

+The Azure CLI [extension v1 for machine learning](reference-azure-machine-learning-cli.md) provides the [az ml workspace update](/cli/azure/ml(v1)/workspace#az-ml(v1)-workspace-update) command. To disable the parameter for a workspace, add the parameter `--v1-legacy-mode False`.

+```azurecli

+az ml workspace update -g <myresourcegroup> -w <myworkspace> --v1-legacy-mode False

+```

+* [Create private link for managing Azure resources](../azure-resource-manager/management/create-private-link-access-portal.md).

+- **component_src**: This is the source code directory for a specific component. It contains the source code that will be executed in the component. You can use your preferred language(Python, R...). The code must be executed by a shell command. The source code can take a few inputs from shell command line to control how this step is going to be executed. For example, a training step may take training data, learning rate, number of epochs to control the training process. The argument of a shell command is used to pass inputs and outputs to the code.

+One common scenario is to read and write data in your pipeline. In AzureML, we use the same schema to [read and write data](how-to-read-write-data-v2.md) for all type of jobs (pipeline job, command job, and sweep job). Below are pipeline job examples of using data for common scenarios.

+|name|**Required**. Name of the component. Must be unique across the AzureML workspace. Must start with lowercase letter. Allow lowercase letters, numbers and underscore(_). Maximum length is 255 characters.|

+|is_deterministic|Whether to reuse the previous job's result if the component inputs did not change. Default value is `true`, also known as reuse by default. The common scenario when set as `false` is to force reload data from a cloud storage or URL.|

+You have **Flask 2** installed in your python environment but are running a server (< 0.7.0) that does not support Flask 2. To resolve, please upgrade to the latest version of server.

+1. If your compute cluster or compute instance uses a public IP address, you must [Allow inbound communication](how-to-secure-training-vnet.md#required-public-internet-access) so that management services can submit jobs to your compute resources.

+For single-node training (including single-node multi-GPU), you can run your code on Azure ML without needing to specify a `distributed_job_config`.

+To run an experiment using multiple nodes with multiple GPUs, there are 2 options:

+- Using PyTorch configuration (recommended): Define `PyTorchConfiguration` and specify `communication_backend="Nccl"`, `node_count`, and `process_count` (note that this is the total number of processes, ie, `num_nodes * process_count_per_node`). In Lightning Trainer module, specify both `num_nodes` and `gpus` to be consistent with `PyTorchConfiguration`. For example, `num_nodes = node_count` and `gpus = process_count_per_node`.

+- Using MPI Configuration:

+ - Define `MpiConfiguration` and specify both `node_count` and `process_count_per_node`. In Lightning Trainer, specify both `num_nodes` and `gpus` to be respectively the same as `node_count` and `process_count_per_node` from `MpiConfiguration`.

+ - For multi-node training with MPI, Lightning requires the following environment variables to be set on each node of your training cluster:

+ - MASTER_ADDR

+ - MASTER_PORT

+ - NODE_RANK

+ - LOCAL_RANK

+

+ Manually set these environment variables that Lightning requires in the main training scripts:

+ from argparse import ArgumentParser

+ def set_environment_variables_for_mpi(num_nodes, gpus_per_node, master_port=54965):

+ if num_nodes > 1:

+ os.environ["MASTER_ADDR"], os.environ["MASTER_PORT"] = os.environ["AZ_BATCH_MASTER_NODE"].split(":")

+ os.environ["MASTER_PORT"] = str(master_port)

+ os.environ["NODE_RANK"] = str(int(os.environ.get("OMPI_COMM_WORLD_RANK")) // gpus_per_node)

+

+ if __name__ == "__main__":

+ parser = ArgumentParser()

+ parser.add_argument("--num_nodes", type=int, required=True)

+ parser.add_argument("--gpus_per_node", type=int, required=True)

+ args = parser.parse_args()

+ set_environment_variables_for_mpi(args.num_nodes, args.gpus_per_node)

+

+ trainer = Trainer(

+ num_nodes=args.num_nodes,

+ gpus=args.gpus_per_node

+ )

+ Lightning handles computing the world size from the Trainer flags `--gpus` and `--num_nodes`.

+ gpus_per_node = 4

+ args = ['--max_epochs', 50, '--gpus_per_node', gpus_per_node, '--accelerator', 'ddp', '--num_nodes', nnodes]

+ distr_config = MpiConfiguration(node_count=nnodes, process_count_per_node=gpus_per_node)

+## Before you begin

+Before you can publish an Azure application offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+Before you can publish an Azure Container offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+Before you can publish an Azure Container offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+To publish your offers to [Microsoft AppSource](https://appsource.microsoft.com/) or [Azure Marketplace](https://azuremarketplace.microsoft.com/), you need to have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. This article covers how to create a commercial marketplace account to the commercial marketplace program. To verify that your account is enrolled in the commercial marketplace program, see [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+To publish a consulting service offer, you must:

+- Have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+- Meet certain eligibility requirements to demonstrate expertise in your field.

+If you havenΓÇÖt already done so, read [Plan a consulting service offer](./plan-consulting-service-offer.md). It describes the prerequisites and assets youΓÇÖll need to create a consulting service offer in Partner Center.

+## Before you begin

+To publish a Managed Service offer, you must meet the following prerequisites:

+- Have earned a Gold or Silver Microsoft Competency in Cloud Platform. If you havenΓÇÖt already done so, read [Plan a Managed Service offer for the commercial marketplace](./plan-managed-service-offer.md). It will help you prepare the assets you need when you create the offer in Partner Center.

+- Have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+Before you can publish a SaaS offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+1. If you do not have published Office add-in, Teams app, or SharePoint Framework solutions that work with your SaaS offer, select **No**.

+1. If you have published Office add-in, Teams app, or SharePoint Framework solutions that work with your SaaS offer, select **Yes**, then select **+Add another AppSource link** to add new links.

+Before you can publish a Dynamics 365 Business Central offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+This article describes how to create a _Dynamics 365 apps on Dataverse and Power Apps_ offer.

+Before you can publish a Dynamics 365 apps on Dataverse and Power Apps offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+Before you can publish a Dynamics 365 Operations Apps offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+Before you can publish an IoT Edge Module offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+This article explains the requirements and guidelines for listing new offers and services on Azure Marketplace. All offers must meet the listing requirements described in this article. Use the links on the right to navigate to additional requirements and checklists for specific offer types.

+## Listing requirements for most offers

+| 9 | Learn more | Links at the bottom (under the description, not Azure Marketplace links on the left) lead to more information about the solution and are publicly available and displaying correctly. | Links to specific items (for example, spec pages on the partner site) and not just the partner home page. |

+| 10 | Solution support and help | Provide at least one of the following: <br>- Telephone numbers [1]<br>- Email support [2] |- All support methods are listed.<br>- Paid support is offered free during the *Trial* or *Test Drive* period. |

+[1] DoesnΓÇÖt apply to Consulting service and Power BI app offers

+[2] DoesnΓÇÖt apply to Consulting service offers

+## Listing requirements for trial offers

+| No. | Listing element | Base requirement | Optimal requirement |

+| | List status (Listing option) | The link must lead to a customer-led *Trial* experience. | Other listing options (for example, *Buy Now*) are also available. |

+## Listing requirements for SaaS applications

+| No. | Listing element | Base requirement | Optimal requirement |

+## Listing requirements for Container offers

+## Listing requirements for Consulting service offers

+After the technical setup is in place, incorporate these leads into your current sales and marketing strategy and operational processes.

+We're interested in better understanding your overall sales process and want to work closely with you to provide high-quality leads and enough data to make you successful. We welcome your feedback on how we can optimize and enhance the leads we send you with additional data to help make these customers successful. Please share your feedback via the smile icon on the top right corner of Partner center. [Login](https://partner.microsoft.com/dashboard/home) to partner center.

+Before you can publish a Power BI app offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+Before you can publish a Power BI visual offer, you must have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+To publish your offers to [Microsoft AppSource](https://appsource.microsoft.com/) or [Azure Marketplace](https://azuremarketplace.microsoft.com/), you need to have a commercial marketplace account in Partner Center and ensure your account is enrolled in the commercial marketplace program. See [Create a commercial marketplace account in Partner Center](create-account.md) and [Verify your account information when you enroll in a new Partner Center program](/partner-center/verification-responses#checking-your-verification-status).

+**PowerShell support** | PowerShell is not supported. We recommend using the Azure Portal or REST APIs for leveraging Azure Migrate Private Link support.

+- It's important to configure settings manually before you begin migration. Some of the changes may affect VM boot up, or connectivity to the VM may not be established. If you migrate the VM before you make the change, the VM might not boot up in Azure.

+For other versions, prepare machines as summarized in the table.

+> [!Note]

+> Some changes may affect the VM boot up, or connectivity to the VM may not be established.

+> [!NOTE]

+> This article contains references to the term *slave*, a term that Microsoft no longer uses. When the term is removed from the software, we'll remove it from this article.

+|Host CPU percent|cpu_percent|Percent|Host CPU percent is total utilization of CPU to process all the tasks on your server over a selected period. This metric includes workload of your Azure Database for MySQL Flexible Server and Azure MySQL process. High CPU percent can help you find if your database server has more workload than it can handle. This metric is equivalent to total CPU utilization similar to utilization of CPU on any virtual machine.|

+|Host Network In |network_bytes_ingress|Bytes|Total sum of incoming network traffic on the server for a selected period. This metric includes traffic to your database and to Azure MySQL features like monitoring, logs etc.|

+|Host Network out|network_bytes_egress|Bytes|Total sum of outgoing network traffic on the server for a selected period. This metric includes traffic from your database and from Azure MySQL features like monitoring, logs etc.|

+|Replication Lag|replication_lag|Seconds|Replication lag is the number of seconds the replica is behind in replaying the transactions received from the source server. This metric is calculated from "Seconds_behind_Master" from the command "SHOW SLAVE STATUS" and is available for replica servers only. For more information, see "[Monitor replication latency](../single-server/how-to-troubleshoot-replication-latency.md)"|

+|Active Connections|active_connection|Count|The number of active connections to the server. Active connections are the total number of [threads connected](https://dev.mysql.com/doc/refman/8.0/en/server-status-variables.html#statvar_Threads_connected) to your server, which also includes threads from [azure_superuser](../single-server/how-to-create-users.md).|

+|IO percent|io_consumption_percent|Percent|The percentage of IO in use over selected period. IO percent is for both read and write IOPS.|

+|Host Memory Percent|memory_percent|Percent|The total percentage of memory in use on the server, including memory utilization from both database workload and other Azure MySQL processes. This metric shows total consumption of memory of underlying host similar to consumption of memory on any virtual machine.|

+|Total connections|total_connections|Count|The number of client connections to your Azure Database for MySQL Flexible server. Total Connections is sum of connections by clients using TCP/IP protocol over a selected period.|

+|Aborted Connections|aborted_connections|Count|Total number of failed attempts to connect to your MySQL server, for example, failed connection due to bad credentials. For more information on aborted connections, you can refer to this [documentation](https://dev.mysql.com/doc/refman/5.7/en/communication-errors.html).|

+|Queries|queries|Count|Total number of queries executed per minute on your server. Total count of queries per minute on your server from your database workload and Azure MySQL processes.|

+The following example describes a conversion that successfully generated an arrAsset.

+ {"conversionId":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"},

+> [!NOTE]

+> The `conversionId` is an internal Id that does not correlate with the Id that was used to create the conversion.

+To fix, make sure the provided _HybridRenderingPipeline_ asset is used:

+

+..as described in more detail in the [Unity tutorial to set up the project](./../tutorials/unity/view-remote-models/view-remote-models.md#adjust-the-project-settings).

+### Prerequisites for Active Directory sync via MDI

+- Your tenant must be onboarded to Microsoft Defender for Identity.

+- You must have the MDI sensor installed.

+In Microsoft Sentinel, select **Data connectors**, select **Microsoft 365 Defender (Preview)** from the gallery and select **Open connector page**.

+The **Configuration** section has three parts:

+1. [**Connect incidents and alerts**](#connect-incidents-and-alerts) enables the basic integration between Microsoft 365 Defender and Microsoft Sentinel, synchronizing incidents and their alerts between the two platforms.

+1. [**Connect entities**](#connect-entities) enables the integration of on-premises Active Directory user identities into Microsoft Sentinel through Microsoft Defender for Identity.

+1. [**Connect events**](#connect-events) enables the collection of raw advanced hunting events from Defender components.

+These are explained in greater detail below. See [Microsoft 365 Defender integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md) for more information.

+### Connect incidents and alerts

+Select the **Connect incidents & alerts** button to connect Microsoft 365 Defender incidents to your Microsoft Sentinel incidents queue.

+If you see a check box labeled **Turn off all Microsoft incident creation rules for these products. Recommended**, mark it to avoid duplication of incidents.

+> [!NOTE]

+> When you enable the Microsoft 365 Defender connector, all of the Microsoft 365 Defender componentsΓÇÖ connectors (the ones mentioned at the beginning of this article) are automatically connected in the background. In order to disconnect one of the componentsΓÇÖ connectors, you must first disconnect the Microsoft 365 Defender connector.

+To query Microsoft 365 Defender incident data, use the following statement in the query window:

+```kusto

+SecurityIncident

+| where ProviderName == "Microsoft 365 Defender"

+```

+### Connect entities

+Use Microsoft Defender for Identity to sync user entities from your on-premises Active Directory to Microsoft Sentinel.

+Verify that you've satisfied the [prerequisites](#prerequisites-for-active-directory-sync-via-mdi) for syncing on-premises Active Directory users through Microsoft Defender for Identity (MDI).

+1. Select the **Go the UEBA configuration page** link.

+1. In the **Entity behavior configuration** page, if you haven't yet enabled UEBA, then at the top of the page, move the toggle to **On**.

+1. Mark the **Active Directory (Preview)** check box and select **Apply**.

+ :::image type="content" source="media/connect-microsoft-365-defender/ueba-configuration-page.png" alt-text="Screenshot of UEBA configuration page for connecting user entities to Sentinel.":::

+### Connect events

+1. Go to the **Entity behavior configuration** page. There are three ways to get to this page:

+ - Select **Entity behavior** from the Microsoft Sentinel navigation menu, then select **Entity behavior settings** from the top menu bar.

+ - Select **Settings** from the Microsoft Sentinel navigation menu, select the **Settings** tab, then under the **Entity behavior analytics** expander, select **Set UEBA**.

+ - From the Microsoft 365 Defender data connector page, select the **Go the UEBA configuration page** link.

+ :::image type="content" source="media/enable-entity-behavior-analytics/ueba-configuration.png" alt-text="Screenshot of UEBA configuration settings.":::

+1. Mark the check boxes next to the Active Directory source types from which you want to synchronize user entities with Microsoft Sentinel.

+ - **Active Directory** on-premises (Preview)

+ - **Azure Active Directory**

+ To sync user entities from on-premises Active Directory, your Azure tenant must be onboarded to Microsoft Defender for Identity (either standalone or as part of Microsoft 365 Defender) and you must have the MDI sensor installed on your Active Directory domain controller. See [Microsoft Defender for Identity prerequisites](/defender-for-identity/prerequisites) for more information.

+1. Select **Apply**. If you accessed this page through the **Entity behavior** page, you will be returned there.

+The user entity information that Microsoft Sentinel uses to build its user profiles comes from your Azure Active Directory (and/or your on-premises Active Directory, now in Preview). When you enable UEBA, it synchronizes your Azure Active Directory with Microsoft Sentinel, storing the information in an internal database visible through the *IdentityInfo* table in Log Analytics.

+Now in preview, you can also sync your on-premises Active Directory user entity information as well, using Microsoft Defender for Identity.

+See [Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](enable-entity-behavior-analytics.md) to learn how to enable UEBA and synchronize user identities.

+| **BlastRadius** | string | A calculation based on the position of the user in the org tree and the user's Azure Active Directory roles and permissions. <br>Possible values: *Low, Medium, High* |

+| **ChangeSource** | string | The source of the latest change to the entity. <br>Possible values:<br>- *AzureActiveDirectory*<br>- *ActiveDirectory*<br>- *UEBA*<br>- *Watchlist*<br>- *FullSync* |

+| **SourceSystem** | string | The system where the user is managed. <br>Possible values:<br>- *AzureActiveDirectory*<br>- *ActiveDirectory*<br>- *Hybrid* |

+| **UserAccountControl** | dynamic | Security attributes of the user account in the AD domain. <br> Possible values (may contain more than one):<br>- *AccountDisabled*<br>- *HomedirRequired*<br>- *AccountLocked*<br>- *PasswordNotRequired*<br>- *CannotChangePassword*<br>- *EncryptedTextPasswordAllowed*<br>- *TemporaryDuplicateAccount*<br>- *NormalAccount*<br>- *InterdomainTrustAccount*<br>- *WorkstationTrustAccount*<br>- *ServerTrustAccount*<br>- *PasswordNeverExpires*<br>- *MnsLogonAccount*<br>- *SmartcardRequired*<br>- *TrustedForDelegation*<br>- *DelegationNotAllowed*<br>- *UseDesKeyOnly*<br>- *DontRequirePreauthentication*<br>- *PasswordExpired*<br>- *TrustedToAuthenticationForDelegation*<br>- *PartialSecretsAccount*<br>- *UseAesKeys* |

+| **UserState** | string | The current state of the user account in Azure AD.<br>Possible values:<br>- *Active*<br>- *Disabled*<br>- *Dormant*<br>- *Lockout* |

+- [Enable UEBA in Microsoft Sentinel](enable-entity-behavior-analytics.md).

+The Reliable Actors service allows a client to enumerate metadata about the actors that the service is hosting. Because the actor service is a partitioned stateful service, enumeration is performed per partition. Because each partition might contain many actors, the enumeration is returned as a set of paged results. The pages are looped over until all pages are read. The following example shows how to create a list of all [active](service-fabric-reliable-actors-lifecycle.md) actors in one partition of an actor service:

+description: We're updating the Azure Service Health portal experience to let users engage with service events and manage actions to maintain the business continuity of impacted applications.

+We're updating the Azure Service Health portal experience. The new experience lets users engage with service events and manage actions to maintain the business continuity of impacted applications.

+> [!NOTE]

+> Setting the access tier is only allowed on Block Blobs. They are not supported for Append and Page Blobs.

+Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard [Server Message Block (SMB) protocol](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview), [Network File System (NFS) protocol](https://en.wikipedia.org/wiki/Network_File_System), and [Azure Files REST API](/rest/api/storageservices/file-service-rest-api). Azure file shares can be mounted concurrently by cloud or on-premises deployments. SMB Azure file shares are accessible from Windows, Linux, and macOS clients. NFS Azure file shares are accessible from Linux or macOS clients. Additionally, SMB Azure file shares can be cached on Windows servers with [Azure File Sync](../file-sync/file-sync-introduction.md) for fast access near where the data is being used.

+ Azure Files can be used to replace or supplement traditional on-premises file servers or network-attached storage (NAS) devices. Popular operating systems such as Windows, macOS, and Linux can directly mount Azure file shares wherever they are in the world. SMB Azure file shares can also be replicated with Azure File Sync to Windows servers, either on-premises or in the cloud, for performance and distributed caching of the data. With [Azure Files AD Authentication](storage-files-active-directory-overview.md), SMB Azure file shares can work with Active Directory Domain Services (AD DS) hosted on-premises for access control.

+ Azure Files can also be used to simplify new cloud development projects. For example:

+ A common pattern for distributed applications is to have configuration files in a centralized location where they can be accessed from many application instances. Application instances can load their configuration through the [Azure Files REST API](/rest/api/storageservices/file-service-rest-api), and humans can access them by mounting the share locally.

+* **Easy to use**. When an Azure file share is mounted on your computer, you don't need to do anything special to access the data: just navigate to the path where the file share is mounted and open/modify a file.

+* **Shared access**. Azure file shares support the industry standard SMB and NFS protocols, meaning you can seamlessly replace your on-premises file shares with Azure file shares without worrying about application compatibility. Being able to share a file system across multiple machines, applications, and application instances is a significant advantage for applications that need shareability.

+* **Scripting and tooling**. PowerShell cmdlets and Azure CLI can be used to create, mount, and manage Azure file shares as part of the administration of Azure applications. You can create and manage Azure file shares using Azure portal and Azure Storage Explorer.

+* **Familiar programmability**. Applications running in Azure can access data in the share via file [system I/O APIs](/dotnet/api/system.io.file). Developers can therefore leverage their existing code and skills to migrate existing applications. In addition to System IO APIs, you can use [Azure Storage Client Libraries](/previous-versions/azure/dn261237(v=azure.100)) or the [Azure Files REST API](/rest/api/storageservices/file-service-rest-api).

+* Organizations across the world are leveraging Azure Files and Azure File Sync to optimize file access and storage. [Check out their case studies here](azure-files-case-study.md).

+To use an Azure file share with Windows, you must either mount it, which means assigning it a drive letter or mount point path, or [access it via its UNC path](#access-an-azure-file-share-via-its-unc-path).

+A common pattern for lifting and shifting line-of-business (LOB) applications that expect an SMB file share to Azure is to use an Azure file share as an alternative for running a dedicated Windows file server in an Azure VM. One important consideration for successfully migrating an LOB application to use an Azure file share is that many applications run under the context of a dedicated service account with limited system permissions rather than the VM's administrative account. Therefore, you must ensure that you mount/save the credentials for the Azure file share from the context of the service account rather than your administrative account.

+### Access an Azure file share via its UNC path

+You don't need to mount the Azure file share to a particular drive letter to use it. You can directly access your Azure file share using the [UNC path](/windows/win32/fileio/naming-a-file) by entering the following into File Explorer. Be sure to replace *storageaccountname* with your storage account name and *myfileshare* with your file share name:

+\\storageaccountname.file.core.windows.net\myfileshare

+You'll be asked to sign in with your network credentials. Sign in with the Azure subscription under which you've created the storage account and file share.

+For Azure Government Cloud, simply change the servername to:

+\\storageaccountname.file.core.usgovcloudapi.net\myfileshare

+Synapse allows users to set the linked service for a particular storage account. This makes it possible to read/write data from **multiple storage accounts** in a single spark application/query. Once we set **spark.storage.synapse.{source_full_storage_account_name}.linkedServiceName** for each storage account that will be used, Synapse figures out which linked service to use for a particular read/write operation. However if our spark job only deals with a single storage account, we can simply omit the storage account name and use **spark.storage.synapse.linkedServiceName**

+val source_full_storage_account_name = "teststorage.dfs.core.windows.net"

+spark.conf.set(f"spark.storage.synapse.{source_full_storage_account_name}.linkedServiceName", "<LINKED SERVICE NAME>")

+spark.conf.set(f"fs.azure.account.auth.type.{source_full_storage_account_name}", "SAS")

+spark.conf.set(f"fs.azure.sas.token.provider.type.{source_full_storage_account_name}", "com.microsoft.azure.synapse.tokenlibrary.LinkedServiceBasedSASProvider")

+val source_full_storage_account_name = "teststorage.dfs.core.windows.net"

+spark.conf.set(f"spark.storage.synapse.{source_full_storage_account_name}.linkedServiceName", "<lINKED SERVICE NAME>")

+spark.conf.set(f"fs.azure.account.auth.type.{source_full_storage_account_name}", "SAS")

+spark.conf.set(f"fs.azure.sas.token.provider.type.{source_full_storage_account_name}", "com.microsoft.azure.synapse.tokenlibrary.LinkedServiceBasedSASProvider")

+val source_full_storage_account_name = "teststorage.dfs.core.windows.net"

+spark.conf.set(f"spark.storage.synapse.{source_full_storage_account_name}.linkedServiceName", "<LINKED SERVICE NAME>")

+spark.conf.set(f"fs.azure.account.oauth.provider.type.{source_full_storage_account_name}", "com.microsoft.azure.synapse.tokenlibrary.LinkedServiceBasedTokenProvider")

+val source_full_storage_account_name = "teststorage.dfs.core.windows.net"

+spark.conf.set(f"spark.storage.synapse.{source_full_storage_account_name}.linkedServiceName", "<LINKED SERVICE NAME>")

+spark.conf.set(f"fs.azure.account.oauth.provider.type.{source_full_storage_account_name}", "com.microsoft.azure.synapse.tokenlibrary.LinkedServiceBasedTokenProvider")

+## Runtime patching

+Azure Synapse runtime for Apache Spark patches are rolled out monthly containing bug, feature and security fixes to the Apache Spark core engine, language environments, connectors and libraries.

+The patch policy differs based on the [runtime lifecycle stage](./runtime-for-apache-spark-lifecycle-and-supportability.md):

+1. Generally Available (GA) runtime: Receive no upgrades on major versions (i.e. 3.x -> 4.x). And will upgrade a minor version (i.e. 3.x -> 3.y) as long as there are no deprecation/regression impacts.

+2. Preview runtime: No major version upgrades unless strictly necessary. Minor versions (3.x -> 3.y) will be upgraded to add latest features to a runtime.

+3. Long Term Support (LTS) runtime will be patched with security fixes only.

+4. End of life announced (EOLA) runtime will not have bug and feature fixes. Security fixes will be backported based on risk assessment.

+The Apache Spark project usually releases minor versions about __every 6 months__. Once released, the Azure Synapse team aims to provide a __preview runtime within approximately 90 days__, if possible.

+The following chart captures a typical lifecycle path for a Synapse runtime for Apache Spark.

+| Runtime release stage | Typical Lifecycle* | Notes |

+| Preview | 3 months* | Microsoft Azure Preview terms apply. See here for details: [Preview Terms Of Use | Microsoft Azure](https://azure.microsoft.com/support/legal/preview-supplemental-terms/?cdn=disable) |

+| Generally Available (GA) | 12 months* | Generally available (GA) runtimes are open to all eligible customers and are ready for production use. <br/> A GA runtime may not be elected to move into an LTS stage at Microsoft discretion. |

+| Long Term Support (LTS) | 12 months* | Long term support (LTS) runtimes are open to all eligible customers and are ready for production use, but customers are encouraged to expedite validation and workload migration to latest GA runtimes. |

+| End of Life announced (EOLA) | 12 months* for GA or LTS runtimes.<br/>1 month* for Preview runtimes. | Prior to the end of a given runtime's lifecycle, we aim to provide 12 months notice to customers as an exit ramp to migrate workloads to a GA runtime. |

+| End of Life (EOL) | - | At this stage, the runtime is retired and no longer supported. |

+\* *Expected duration of a runtime in each stage. These timelines are provided as an example for a given runtime, and may vary depending on various factors. Lifecycle timelines are subject to change at Microsoft discretion.*

+> * The above timelines are provided as examples based on current Apache Spark releases. If the Apache Spark project changes the lifecycle of a specific version affecting a Synapse runtime, changes to the stage dates will be noted on the [release notes](./apache-spark-version-support.md).

+> * Both GA and LTS runtimes may be moved into EOL stage faster based on outstanding security risks and usage rates criteria at Microsoft discretion.

+> * Please refer to [Lifecycle FAQ - Microsoft Azure](https://docs.microsoft.com/lifecycle/faq/azure) for information about Azure lifecycle policies.

+Azure Synapse Analytics provides previews to give you a chance to evaluate and share feedback on features before they become generally available (GA).

+At the end of the Preview lifecycle for the runtime, Microsoft will assess if the runtime will move into a Generally Availability (GA) based on customer usage, security and stability criteria.

+If not eligible for GA stage, the Preview runtime will move into the retirement cycle.

+Once a runtime is Generally Available, only security fixes will be backported. In addition, new components or features will be introduced if they do not change underlying dependencies or component versions.

+At the end of the GA lifecycle for the runtime, Microsoft will assess if the runtime will have an extended lifecycle (LTS) based on customer usage, security and stability criteria.

+If not eligible for LTS stage, the GA runtime will move into the retirement cycle.

+For runtimes that are covered by Long term support (LTS) customers are encouraged to expedite validation and migration of code base and workloads to the latest GA runtimes. We recommend that customers do not onboard new workloads using an LTS runtime. Security fixes and stability improvements may be backported, but no new components or features will be introduced into the runtime at this stage.

+Prior to the end of the runtime lifecycle at any stage, an end of life announcement (EOLA) is performed.

+Support SLAs are applicable for EOL announced runtimes, but all customers must migrate to a GA stage runtime no later than the EOL date.

+Existing pools will work as expected, but __no new Synapse Spark pools of such a version can be created, as the runtime version will not be listed on Azure Synapse Studio, Synapse API, or Azure Portal.__

+If necessary due to outstanding security issues, runtime usage, or other factors, Microsoft may expedite moving a runtime into the final EOL stage at any time, at Microsoft's discretion.

+As of the applicable EOL date, runtimes are considered retired.

+* Spark Pools definitions will be deleted from the Synapse workspace in 90 days after the applicable EOL date.

+| Maximum number of Azure Synapse workspaces per subscription | [See limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-synapse-limits-for-workspaces). |

+For shared premium SSD disks, in addition to cost of the disk's tier, there's an extra charge that increases with each VM the SSD is mounted to. See [managed disks pricing](https://azure.microsoft.com/pricing/details/managed-disks/) for details.

+ Title: Exposing SAP legacy middleware with Azure PaaS securely

+description: Learn about securely exposing SAP Process Orchestration on Azure.

+# Exposing SAP legacy middleware with Azure PaaS securely

+Enabling internal systems and external partners to interact with SAP backends is a common requirement. Existing SAP landscapes often rely on the legacy middleware [SAP Process Orchestration](https://help.sap.com/docs/SAP_NETWEAVER_750/bbd7c67c5eb14835843976b790024ec6/8e995afa7a8d467f95a473afafafa07e.html)(PO) or [Process Integration](https://help.sap.com/docs/SAP_NETWEAVER_750/bbd7c67c5eb14835843976b790024ec6/8e995afa7a8d467f95a473afafafa07e.html)(PI) for their integration and transformation needs. For simplicity the term "SAP Process Orchestration" will be used in this article but associated with both offerings.

+This article describes configuration options on Azure with emphasis on Internet-facing implementations.

+> [!NOTE]

+> SAP mentions [SAP IntegrationSuite](https://discovery-center.cloud.sap/serviceCatalog/integration-suite?region=all) - specifically [SAP CloudIntegration](https://help.sap.com/docs/CLOUD_INTEGRATION/368c481cd6954bdfa5d0435479fd4eaf/9af2f05c7eb04457aee5906fd8553e00.html) - running on [Business TechnologyPlatform](https://www.sap.com/products/business-technology-platform.html)(BTP) as the successor for SAP PO/PI. Both the BTP platform and the services are available on Azure. For more information, see [SAP DiscoveryCenter](https://discovery-center.cloud.sap/serviceCatalog/integration-suite?region=all&tab=service_plan&provider=azure). See SAP OSS note [1648480](https://launchpad.support.sap.com/#/notes/1648480) for more info about the maintenance support timeline for the legacy component.

+## Overview

+Existing implementations based on SAP middleware often relied on SAP's proprietary dispatching technology called [SAP WebDispatcher](https://help.sap.com/docs/ABAP_PLATFORM_NEW/683d6a1797a34730a6e005d1e8de6f22/488fe37933114e6fe10000000a421937.html). It operates on layer 7 of the [OSI model](https://en.wikipedia.org/wiki/OSI_model), acts as a reverse-proxy and addresses load balancing needs for the downstream SAP application workloads like SAP ERP, SAP Gateway, or SAP Process Orchestration.

+Dispatching approaches range from traditional reverse proxies like Apache, to Platform-as-a-Service (PaaS) options like the [Azure Load Balancer](../../../load-balancer/load-balancer-overview.md), or the opinionated SAP WebDispatcher. The overall concepts described in this article apply to the options mentioned. Have a look at SAP's [wiki](https://wiki.scn.sap.com/wiki/display/SI/Can+I+use+a+different+load+balancer+instead+of+SAP+Web+Dispatcher) for their guidance on using non-SAP load balancers.

+> [!NOTE]

+> All described setups in this article assume a hub-spoke networking topology, where shared services are deployed into the hub. Given the criticality of SAP, even more isolation may be desirable.

+## Primary Azure services used

+[Azure Application Gateway](../../../application-gateway/how-application-gateway-works.md) handles public [internet-based](../../../application-gateway/configuration-front-end-ip.md) and/or [internal private](../../../application-gateway/configuration-front-end-ip.md) http routing and [encrypted tunneling across Azure subscriptions](../../../application-gateway/private-link.md), [security](../../../application-gateway/features.md), and [auto-scaling](../../../application-gateway/application-gateway-autoscaling-zone-redundant.md) for instance. Workloads in other virtual networks (VNet) or even Azure Subscriptions that shall communicate with SAP through the app gateway can be connected via [private links](../../../application-gateway/private-link-configure.md). Azure Application Gateway is focused on exposing web applications, hence offers a Web Application Firewall.

+[Azure Firewall](../../../firewall/overview.md) handles public internet-based and/or internal private routing for traffic types on Layer 4-7 of the OSI model. It offers filtering and threat intelligence, which feeds directly from Microsoft Cyber Security.

+[Azure API Management](../../../api-management/api-management-key-concepts.md) handles public internet-based and/or internal private routing specifically for APIs. It offers request throttling, usage quota and limits, governance features like policies, and API keys to slice and dice services per client.

+[VPN Gateway](../../../vpn-gateway/vpn-gateway-about-vpngateways.md) and [Azure ExpressRoute](../../../expressroute/expressroute-introduction.md) serve as entry points to on-premises networks. Both components are abbreviated on the diagrams as VPN and XR.

+## Setup considerations

+Integration architecture needs differ depending on the interface used. SAP-proprietary technologies like [intermediate Document framework](https://help.sap.com/docs/SAP_DATA_SERVICES/e54136ab6a4a43e6a370265bf0a2d744/577710e16d6d1014b3fc9283b0e91070.html) (ALE/iDoc), [Business Application Programming Interface](https://help.sap.com/docs/SAP_ERP/c5a8d544836649a1af6eaef358d08e3f/4dc89000ebfc5a9ee10000000a42189b.html) (BAPI), [transactional Remote Function Calls](https://help.sap.com/docs/SAP_NETWEAVER_700/108f625f6c53101491e88dc4cf51a6cc/4899b963ee2b73e7e10000000a42189b.html) (tRFC), or plain [RFC](https://help.sap.com/docs/SAP_ERP/be79bfef64c049f88262cf6cb5de1c1f/0502cbfa1c2f184eaa6ba151d1aaf4fe.html) require a specific runtime environment and operate on layer 4-7 of the OSI model, unlike modern APIs that typically rely on http-based communication (layer 7 of the OSI model). Because of that the interfaces can't be treated the same way.

+This article focuses on modern APIs and http (that includes integration scenarios like [AS2](https://wikipedia.org/wiki/AS2)). [FTP](https://wikipedia.org/wiki/File_Transfer_Protocol) will serve as an example to handle `non-http` integration needs. For more information about the different Microsoft load balancing solutions, see [this article](/azure/architecture/guide/technology-choices/load-balancing-overview).

+> [!NOTE]

+> SAP publishes dedicated [connectors](https://support.sap.com/en/product/connectors.html) for their proprietary interfaces. Check SAP's documentation for [Java](https://support.sap.com/en/product/connectors/jco.html), and [.NET](https://support.sap.com/en/product/connectors/msnet.html) for example. They are supported by [Microsoft Gateways](/azure/data-factory/connector-sap-table?tabs=data-factory#prerequisites) too. Be aware that iDocs can also be posted via [http](https://blogs.sap.com/2012/01/14/post-idoc-to-sap-erp-over-http-from-any-application/).

+Security concerns require the usage of [Firewalls](../../../firewall/features.md) for lower-level protocols and [Web Application Firewalls](../../../web-application-firewall/overview.md) (WAF) to address http-based traffic with [Transport Layer Security](https://wikipedia.org/wiki/Transport_Layer_Security) (TLS). To be effective, TLS sessions need to be terminated at the WAF level. Supporting zero-trust approaches, it's advisable to [re-encrypt](../../../application-gateway/ssl-overview.md) again afterwards to ensure end-to-encryption.

+Integration protocols such as AS2 may raise alerts by standard WAF rules. We recommend using our [Application Gateway WAF triage workbook](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Workbook%20-%20AppGw%20WAF%20Triage%20Workbook) to identify and better understand why the rule is triggered, so you can remediate effectively and securely. The standard rules are provided by Open Web Application Security Project (OWASP). For more information, see the [SAP on Azure webcast](https://www.youtube.com/watch?v=kAnWTqKlGGo) for a detailed video session on this topic with emphasis on SAP Fiori exposure.

+In addition, security can be further enhanced with [mutual TLS](../../../application-gateway/mutual-authentication-overview.md) (mTLS) - also referred to as mutual authentication. Unlike normal TLS, it also verifies the client identity.

+> [!NOTE]

+> VM pools require a load balancer. For better readability it is not shown explicitly on the diagrams below.

+> [!NOTE]

+> In case SAP specific balancing features provided by the SAP WebDispatcher aren't required, they can be replaced by an Azure Load Balancer giving the benefit of a managed PaaS offering compared to an Infrastructure-as-a-Service setup.

+## Scenario 1.A: Inbound http connectivity focused

+The SAP WebDispatcher **doesn't** offer a Web Application Firewall. Because of that Azure Application Gateway is recommended for a more secure setup. The WebDispatcher and "Process Orchestration" remain in charge to protect the SAP backend from request overload with [sizing guidance](https://help.sap.com/docs/ABAP_PLATFORM_NEW/683d6a1797a34730a6e005d1e8de6f22/489ab14248c673e8e10000000a42189b.html) and [concurrent request limits](https://help.sap.com/docs/ABAP_PLATFORM/683d6a1797a34730a6e005d1e8de6f22/3a450194bf9c4797afb6e21b4b22ad2a.html). There's **no** throttling capability available in the SAP workloads.

+Unintentional access can be avoided through [Access Control Lists](https://help.sap.com/docs/ABAP_PLATFORM_NEW/683d6a1797a34730a6e005d1e8de6f22/0c39b84c3afe4d2d9f9f887a32914ecd.html) on the SAP WebDispatcher.

+One of the scenarios for SAP Process Orchestration communication is inbound flow. Traffic may originate from On-premises, external apps/users or an internal system. See below an example with focus on https.

+## Scenario 1.B: Outbound http connectivity focused

+For the reverse communication direction "Process Orchestration" may leverage the VNet routing to reach workloads on-premises or Internet-based targets via the Internet breakout. Azure Application Gateway acts as a reverse proxy in such scenarios. For `non-http` communication, consider adding Azure Firewall. For more information, see [Scenario 4](#scenario-4-file-based) and [Comparing Gateway components](#comparing-gateway-setups).

+The outbound scenario below shows two possible methods. One using HTTPS via the Azure Application Gateway calling a Webservice (for example SOAP adapter) and the other using SFTP (FTP over SSH) via the Azure Firewall transferring files to a business partner's S/FTP server.

+## Scenario 2: API Management focused

+Compared to scenario 1, the introduction of [Azure API Management (APIM) in internal mode](../../../api-management/api-management-using-with-internal-vnet.md) (private IP only and VNet integration) adds built-in capabilities like:

+- [Throttling](../../../api-management/api-management-sample-flexible-throttling.md),

+- [API governance](/azure/architecture/example-scenario/devops/automated-api-deployments-apiops),

+- Additional security options like [modern authentication flows](../../../api-management/api-management-howto-protect-backend-with-aad.md),

+- [Azure Active Directory](../../../active-directory/develop/active-directory-v2-protocols.md) integration and

+- The opportunity to add the SAP APIs to a central company-wide API solution.

+When a web application firewall isn't required, Azure API Management can be deployed in external mode (using a public IP). That simplifies the setup, while keeping the throttling and API governance capabilities. [Basic protection](/azure/cloud-services/cloud-services-configuration-and-management-faq#what-are-the-features-and-capabilities-that-azure-basic-ips-ids-and-ddos-provides-) is implemented for all Azure PaaS offerings.

+## Scenario 3: Global reach

+Azure Application Gateway is a region-bound service. Compared to the above scenarios [Azure Front Door](../../../frontdoor/front-door-overview.md) ensures cross-region global routing including a web application firewall. Look at [this comparison](/azure/architecture/guide/technology-choices/load-balancing-overview) for more details about the differences.

+> [!NOTE]

+> Condensed SAP WebDispatcher, Process Orchestration, and backend into single image for better readability.

+## Scenario 4: File-based

+`Non-http` protocols like FTP can't be addressed with Azure API Management, Application Gateway, or Front Door like shown in scenarios beforehand. Instead the managed Azure Firewall or equivalent Network Virtual Appliance (NVA) takes over the role of securing inbound requests.

+Files need to be stored before they can be processed by SAP. It's recommended to use [SFTP](../../../storage/blobs/secure-file-transfer-protocol-support.md). Azure Blob Storage supports SFTP natively.

+> [!NOTE]

+> At the time of writing this article [the feature](../../../storage/blobs/secure-file-transfer-protocol-support.md) is still in preview.

+There are alternative SFTP options available on the Azure Marketplace if necessary.

+See below a variation with integration targets externally and on-premises. Different flavors of secure FTP illustrate the communication path.

+For more information, see the [Azure Files docs](../../../storage/files/files-nfs-protocol.md) for insights into NFS file shares as alternative to Blob Storage.

+## Scenario 5: SAP RISE specific

+SAP RISE deployments are technically identical to the scenarios described before with the exception that the target SAP workload is managed by SAP itself. The concepts described can be applied here as well.

+Below diagrams describe two different setups as examples. For more information, see our [SAP RISE reference guide](../../../virtual-machines/workloads/sap/sap-rise-integration.md#virtual-network-peering-with-sap-riseecs).

+> [!IMPORTANT]

+> Contact SAP to ensure communications ports for your scenario are allowed and opened in Network Security Groups.

+### Scenario 5.A: Http inbound

+In the first setup, the integration layer including "SAP Process Orchestration" and the complete inbound path is governed by the customer. Only the final SAP target runs on the RISE subscription. Communication to the RISE hosted workload is configured through virtual network peering - typically over the hub. A potential integration could be iDocs posted to the SAP ERP Webservice `/sap/bc/idoc_xml` by an external party.

+This second example shows a setup, where SAP RISE runs the whole integration chain except for the API Management layer.

+### Scenario 5.B: File outbound

+In this scenario, the SAP-managed "Process Orchestration" instance writes files to the customer managed file share on Azure or to a workload sitting on-premises. The breakout needs to be handled by the customer.

+> [!NOTE]

+> At the time of writing this article the [Azure Blob Storage SFTP feature](../../../storage/blobs/secure-file-transfer-protocol-support.md) is still in preview.

+## Comparing gateway setups

+> [!NOTE]

+> Performance and cost metrics assume production grade tiers. For more information, see the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/calculator/) and Azure docs for [Azure Firewall](../../../firewall/firewall-performance.md), [Azure Application Gateway (incl. Web Application Firewall - WAF)](../../../application-gateway/high-traffic-support.md), and [Azure API Management](../../../api-management/api-management-capacity.md).

+Depending on the integration protocols required you may need multiple components. Find more details about the benefits of the various combinations of chaining Azure Application Gateway with Azure Firewall [here](/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall).

+## Integration rule of thumb

+Which integration flavor described in this article fits your requirements best, needs to be evaluated on a case-by-case basis. Consider enabling the following capabilities:

+- [Request throttling](../../../api-management/api-management-sample-flexible-throttling.md) using API Management

+- [Concurrent request limits](https://help.sap.com/docs/ABAP_PLATFORM/683d6a1797a34730a6e005d1e8de6f22/3a450194bf9c4797afb6e21b4b22ad2a.html) on the SAP WebDispatcher

+- [Mutual TLS](../../../application-gateway/mutual-authentication-overview.md) to verify client and receiver

+- Web Application Firewall and [re-encrypt after TLS-termination](../../../application-gateway/ssl-overview.md)

+- A [Firewall](../../../firewall/features.md) for `non-http` integrations

+- [High-availability](../../../virtual-machines/workloads/sap/sap-high-availability-architecture-scenarios.md) and [disaster recovery](/azure/cloud-adoption-framework/scenarios/sap/eslz-business-continuity-and-disaster-recovery) for the VM-based SAP integration workloads

+- Modern [authentication mechanisms like OAuth2](/azure/api-management/sap-api?#production-considerations) where applicable

+- Utilize a managed key store like [Azure Key Vault](../../../key-vault/general/overview.md) for all involved credentials, certificates, and keys

+## Alternatives to SAP Process Orchestration with Azure Integration Services

+The integration scenarios covered by SAP Process Orchestration can be addressed with the [Azure Integration Service portfolio](https://azure.microsoft.com/product-categories/integration/) natively. Have a look at the [Azure Logic Apps connectors](../../../logic-apps/logic-apps-using-sap-connector.md) for your desired SAP interfaces to get started. The connector guide contains more details for [AS2](../../../logic-apps/logic-apps-enterprise-integration-as2.md), [EDIFACT](../../../logic-apps/logic-apps-enterprise-integration-edifact.md) etc. too. See [this blog series](https://blogs.sap.com/2018/09/25/your-sap-on-azure-part-9-easy-integration-using-azure-logic-apps/) for a concrete example of iDoc processing with AS2 via Logic Apps.

+## Next steps

+[Protect APIs with Application Gateway and API Management](/azure/architecture/reference-architectures/apis/protect-apis)

+[Integrate API Management in an internal virtual network with Application Gateway](/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway)

+[Deploy the Application Gateway WAF triage workbook to better understand SAP related WAF alerts](https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Workbook%20-%20AppGw%20WAF%20Triage%20Workbook)

+[Understand Azure Application Gateway and Web Application Firewall for SAP](https://blogs.sap.com/2020/12/03/sap-on-azure-application-gateway-web-application-firewall-waf-v2-setup-for-internet-facing-sap-fiori-apps/)

+[Understand implication of combining Azure Firewall and Azure Application Gateway](/azure/architecture/example-scenario/gateway/firewall-application-gateway#application-gateway-before-firewall)

+[Work with SAP OData APIs in Azure API Management](/azure/api-management/sap-api)