+| scope |Recommended |A space-separated list of scopes. A single scope value indicates to Azure AD both of the permissions that are being requested. Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. The `offline_access` scope indicates that your app needs a refresh token for long-lived access to resources. You also can use the `openid` scope to request an ID token from Azure AD B2C. |

+If you are using an application in the gallery, the job generally contains the name of the app (such as zoom snowFlake or dataBricks). You can skip this documentation when using a gallery application. This primarily applies for non-gallery applications with jobID SCIM or customAppSSO.

+Following the steps below will delete your existing customappsso job and create a new SCIM job.

+1. Sign into the [Azure portal](https://portal.azure.com).

+4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.

+1. Sign into the [Azure portal](https://portal.azure.com).

+2. In the **Azure Active Directory > Enterprise Applications > Create application** section of the Azure portal, create a new **Non-gallery** application.

+4. In a new web browser window, go to https://developer.microsoft.com/graph/graph-explorer and sign in as the administrator for the Azure AD tenant where your app is added.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems, and have first-hand knowledge of how their custom attributes have been defined or if a source attribute isn't automatically displayed in the Azure portal UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but customers can enable the capability by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true . You can then navigate to your application to view the [attribute list](#editing-the-list-of-supported-attributes).

+{

+ "schemas":[

+ "urn:ietf:params:scim:schemas:core:2.0:User",

+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

+ ],

+ "userName":"bjensen",

+ "id": "48af03ac28ad4fb88478",

+ "externalId":"bjensen",

+ "name":{

+ "formatted":"Ms. Barbara J Jensen III",

+ "familyName":"Jensen",

+ "givenName":"Barbara"

+ },

+ "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {

+ "employeeNumber": "701984",

+ "costCenter": "4130",

+ "organization": "Universal Studios",

+ "division": "Theme Park",

+ "department": "Tour Operations",

+ "manager": {

+ "value": "26118915-6090-4610-87e4-49d8ca9f808d",

+ "$ref": "../Users/26118915-6090-4610-87e4-49d8ca9f808d",

+ "displayName": "John Smith"

+ }

+ },

+ "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User": {

+ "CustomAttribute": "701984",

+ },

+ "meta": {

+ "resourceType": "User",

+ "created": "2010-01-23T04:56:22Z",

+ "lastModified": "2011-05-13T04:42:34Z",

+ "version": "W\/\"3694e05e9dff591\"",

+ "location": "https://example.com/v2/Users/2819c223-7f76-453a-919d-413861904646"

+ }

+}

+- **SingleAppRoleAssignment**

+ 

+ ```json

+ }

+ ```

+ ```json

+ "Operations": [

+ {

+ "op": "Add",

+ "path": "roles",

+ "value": [

+ {

+ "value": "{\"id\":\"06b07648-ecfe-589f-9d2f-6325724a46ee\",\"value\":\"25\",\"displayName\":\"Role1234\"}"

+ }

+ ]

+ }

+ ]

+ ```

+- **AppRoleAssignmentsComplex**

+ - **Example output**

+ ```json

+ {

+ }

+ ```

+* `phoneNumbers[type eq "work"].value`

+* `phoneNumbers[type eq "mobile"]`.value

+* `phoneNumbers[type eq "fax"].value`

+ ```json

+ "phoneNumbers": [

+ {

+ "value": "555-555-5555",

+ "type": "work"

+ },

+ {

+ "value": "555-555-5555",

+ "type": "mobile"

+ },

+ {

+ "value": "555-555-5555",

+ "type": "fax"

+ }

+ ]

+ ```

+Let's say there is a pre-hire with employeeId "1234" in SuccessFactors Employee Central with start date on 1-June-2023. Let's further assume that this pre-hire record was first created either in Employee Central or in the Onboarding module on 15-May-2023. When the provisioning service first observes this record on 15-May-2023 (either as part of full sync or incremental sync), this record is still in pre-hire state. Due to this, SuccessFactors does not send the provisioning service all attributes (example: userNav/username) associated with the user. Only bare minimum data about the user such as `companyName`, `personIdExternal`, `firstname`, `lastname` and `startDate` is available. To process pre-hires successfully, the following pre-requisites must be met:

+To publish Tableau, you need to publish an application in the Azure portal.

+| Password not recently used | When a user changes their password, the new password should not be the same as the current password. |

+1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

+

+If the configuration is not working as expected, the first place to start to troubleshoot is to verify that the user is configured to use Azure AD MFA. Have the user sign in to the [Azure portal](https://portal.azure.com). If users are prompted for secondary verification and can successfully authenticate, you can eliminate an incorrect configuration of Azure AD MFA.

+ 1. In the **Server name** box, enter the name or IP address of the RADIUS server that you configured in the previous section.

+ 1. For the **Shared secret**, select **Change**, and then enter the shared secret password that you created and recorded earlier.

+ 1. In the **Time-out (seconds)** box, enter a value of **60**. To minimize discarded requests, we recommend that VPN servers are configured with a timeout of at least 60 seconds. If needed, or to reduce discarded requests in the event logs, you can increase the VPN server timeout value to 90 or 120 seconds.

+If the configuration is not working as expected, begin troubleshooting by verifying that the user is configured to use MFA. Have the user sign in to the [Azure portal](https://portal.azure.com). If the user is prompted for secondary authentication and can successfully authenticate, you can eliminate an incorrect configuration of MFA as an issue.

+[Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md)

+Once done, sign in to the [Azure portal](https://portal.azure.com) > **Azure Active Directory** > **Enterprise Applications** > Search for "Azure Multi-Factor Auth Client" > Check properties for this app > Confirm if the service principal is enabled or disabled > Click on the application entry > Go to Properties of the app > If the option "Enabled for users to sign-in?" is set to `No` in Properties of this app, please set it to `Yes`.

+

+* Can only change their password in their on-prem environment.

+* Can never use the secret questions and answers as a method to reset their password.

+* For a single user, remove the user from the security group

+* For a group, remove the group from SSPR configuration

+> You must be [a global administrator](../roles/permissions-reference.md), and you must opt-in for this data to be gathered for your organization. To opt in, you must visit the Reporting tab or the audit logs on the Azure portal at least once. Until then, the data doesn't collect for your organization.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+[Combined registration](./concept-registration-mfa-sspr-combined.md) security information registration and management events can be found in the audit logs under **Security** > **Authentication Methods**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+To test your policy, try to sign in to the [Azure portal](https://portal.azure.com) using your test account. You should see a dialog that requires you to accept your terms of use.

+- To delete your policy, select the ellipsis (`...`) next to your policies name, then select **Delete**.

+> > | `clientSecret` | Is the client secret created for the application in Azure portal. |

+> > | `tokenRequest` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under **Expose an API** section in Azure portal's Application Registration. |

+ Title: Deploy a web app with App Service auth in a pipeline

+description: Describes how to set up a pipeline in Azure Pipelines to build and deploy a web app to Azure and enable the Azure App Service built-in authentication. The article provides step-by-step instructions on how to configure Azure resources, build and deploy a web application, create an Azure AD app registration, and configure App Service built-in authentication using Azure Pipelines.

+# Deploy a web app in a pipeline and configure App Service authentication

+This article describes how to set up a pipeline in [Azure Pipelines](/azure/devops/pipelines/) to build and deploy a web app to Azure and enable the [Azure App Service built-in authentication](/azure/app-service/overview-authentication-authorization).

+You'll learn how to:

+- Configure Azure resources using scripts in Azure Pipelines

+- Build a web application and deploy to App Service using Azure Pipelines

+- Create an Azure AD app registration in Azure Pipelines

+- Configure App Service built-in authentication in Azure Pipelines.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An Azure DevOps organization. [Create one for free](/azure/devops/pipelines/get-started/pipelines-sign-up).

+ - To use Microsoft-hosted agents, your Azure DevOps organization must have access to Microsoft-hosted parallel jobs. [Check your parallel jobs and request a free grant](/azure/devops/pipelines/troubleshooting/troubleshooting#check-for-available-parallel-jobs).

+- An Azure Active Directory [tenant](/azure/active-directory/develop/quickstart-create-new-tenant).

+- A [GitHub account](https://github.com) and Git [setup locally](https://docs.github.com/en/get-started/quickstart/set-up-git).

+- .NET 6.0 SDK or later.

+## Create a sample ASP.NET Core web app

+Create a sample app and push it to your GitHub repo.

+### Create and clone a repo in GitHub

+[Create a new repo](https://docs.github.com/en/get-started/quickstart/create-a-repo?tool=webui) in GitHub, specify a name like "PipelinesTest". Set it to **Private** and add a *.gitignore* file with `.getignore template: VisualStudio`.

+Open a terminal window and change the current working directory to the location where you want the cloned directory:

+```

+cd c:\temp\

+```

+Enter the following command to clone the repo:

+```

+git clone https://github.com/YOUR-USERNAME/PipelinesTest

+cd PipelinesTest

+```

+### Create an ASP.NET Core web app

+1. Open a terminal window on your machine to a working directory. Create a new .NET web app using the [dotnet new webapp](/dotnet/core/tools/dotnet-new#web-options) command, and then change directories into the newly created app.

+ ```dotnetcli

+ dotnet new webapp -n PipelinesTest --framework net7.0

+ cd PipelinesTest

+ dotnet new sln

+ dotnet sln add .

+ ```

+1. From the same terminal session, run the application locally using the dotnet run command.

+ ```dotnetcli

+ dotnet run --urls=https://localhost:5001/

+ ```

+1. To verify the web app is running, open a web browser and navigate to the app at `https://localhost:5001`.

+You see the template ASP.NET Core 7.0 web app displayed in the page.

+Enter *CTRL-C* at the command line to stop running the web app.

+### Push the sample to GitHub

+Commit your changes and push to GitHub:

+```

+git add .

+git commit -m "Initial check-in"

+git push origin main

+```

+## Set up your Azure DevOps environment

+Sign in to your Azure DevOps organization (`https://dev.azure.com/{yourorganization}`).

+Create a new project:

+1. Select **New project**.

+1. Enter a **Project name**, such as "PipelinesTest".

+1. Select **Private** visibility.

+1. Select **Create**.

+## Create a new pipeline

+After the project is created, add a pipeline:

+1. In the left navigation pane, select **Pipelines**->**Pipelines**, and then select **Create Pipeline**.

+1. Select **GitHub YAML**.

+1. On the **Connect** tab, select **GitHub YAML**. When prompted, enter your GitHub credentials.

+1. When the list of repositories appears, select your `PipelinesTest` repository.

+1. You might be redirected to GitHub to install the Azure Pipelines app. If so, select **Approve & install**.

+1. In **Configure your pipeline**, select the **Starter pipeline**.

+1. A new pipeline with a basic configuration appears. The default configuration uses a Microsoft-hosted agent.

+1. When you're ready, select **Save and run**. To commit your changes to GitHub and start the pipeline, choose Commit directly to the main branch and select Save and run a second time. If prompted to grant permission with a message like **This pipeline needs permission to access a resource before this run can continue**, choose **View** and follow the prompts to permit access.

+## Add a build stage and build tasks to your pipeline

+Now that you have a working pipeline, you can add a build stage and build tasks in order to build the web app.

+Update *azure-pipelines.yml* and replace the basic pipeline configuration with the following:

+[!code-yml[](includes/deploy-web-app-authentication-pipeline/azure-pipeline-1.yml)]

+Save your changes and run the pipeline.

+A stage `Build` is defined to build the web app. Under the `steps` section, you see various tasks to build the web app and publish artifacts to the pipeline.

+- [NuGetToolInstaller@1](/azure/devops/pipelines/tasks/reference/nuget-tool-installer-v1) acquires NuGet and adds it to the PATH.

+- [NuGetCommand@2](/azure/devops/pipelines/tasks/reference/nuget-command-v2) restores NuGet packages in the solution.

+- [VSBuild@1](/azure/devops/pipelines/tasks/reference/vsbuild-v1) builds the solution with MSBuild and packages the app's build results (including its dependencies) as a .zip file into a folder.

+- [PublishBuildArtifacts@1](/azure/devops/pipelines/tasks/reference/publish-build-artifacts-v1) publishes the .zip file to Azure Pipelines.

+## Create a service connection

+Add a [service connection](/azure/devops/pipelines/library/service-endpoints) so your pipeline can connect and deploy resources to Azure:

+1. Select **Project settings**.

+1. In the left navigation pane, select **Service connections** and then **Create service connection**.

+1. Select **Azure Resource Manager** and then **Next**.

+1. Select **Service principal (automatic)** and then **Next**.

+1. Select **Subscription** for **scope level** and select your Azure subscription. Enter a service connection name such as "PipelinesTestServiceConnection" and select **Next**. The service connection name is used in the following steps.

+An application is also created in your Azure AD tenant that provides an identity for the pipeline. You need the display name of the app registration in later steps. To find the display name:

+1. Sign into the [Entra admin portal](https://entra.microsoft.com/).

+1. Select **App registrations** in the left navigation pane, and then the **All applications**.

+1. Find the display name of the app registration, which is of the form `{organization}-{project}-{guid}`.

+Grant the service connection permission to access the pipeline:

+1. In the left navigation pane, select **Project settings** and then **Service connections**.

+1. Select the **PipelinesTestServiceConnection** service connection, then the **Ellipsis**, and then **Security** from the drop-down menu.

+1. In the **Pipeline permissions** section, select **Add pipeline** and select the **PipelinesTest** service connection from the list.

+## Add a variable group

+The `DeployAzureResources` stage that you create in the next section uses several values to create and deploy resources to Azure:

+- The Azure AD tenant ID (find in the [Entra admin portal](https://entra.microsoft.com/)).

+- The region, or location, where the resources are deployed.

+- A resource group name.

+- The App Service service plan name.

+- The name of the web app.

+- The name of the service connection used to connect the pipeline to Azure. In the pipeline, this value is used for the Azure subscription.

+Create a [variable group](/azure/devops/pipelines/library/variable-groups) and add values to use as variables in the pipeline.

+Select **Library** in the left navigation pane and create a new **Variable group**. Give it the name "AzureResourcesVariableGroup".

+Add the following variables and values:

+| Variable name | Example value |

+| | |

+| LOCATION | centralus |

+| TENANTID | {tenant-id}|

+| RESOURCEGROUPNAME | pipelinetestgroup |

+| SVCPLANNAME | pipelinetestplan |

+| WEBAPPNAMETEST | pipelinetestwebapp |

+| AZURESUBSCRIPTION | PipelinesTestServiceConnection |

+Select **Save**.

+Give the pipeline permissions to access the variable group. In the variable group page, select **Pipeline permissions**, add your pipeline, and then close the window.

+Update *azure-pipelines.yml* and add the variable group to the pipeline.

+[!code-yml[](includes/deploy-web-app-authentication-pipeline/azure-pipeline-2.yml?highlight=1-2)]

+Save your changes and run the pipeline.

+## Deploy Azure resources

+Next, add a stage to the pipeline that deploys Azure resources. The pipeline uses an [inline script](/azure/devops/pipelines/scripts/powershell) to create the App Service instance. In a later step, the inline script creates an Azure AD app registration for App Service authentication. An Azure CLI bash script is used because Azure Resource Manager (and Azure pipeline tasks) can't create an app registration.

+The inline script runs in the context of the pipeline, assign the [Application.Administrator](/azure/active-directory/roles/permissions-reference#application-administrator) role to the app so the script can create app registrations:

+1. Sign into the [Entra admin portal](https://entra.microsoft.com/).

+1. In the left navigation pane, select **Roles & admins**.

+1. Select **Application Administrator** from the list of built-in roles and then **Add assignment**.

+1. Search for the pipeline app registration by display name.

+1. Select the app registration from the list and select **Add**.

+Update *azure-pipelines.yml* to add the inline script, which creates a resource group in Azure, creates an App Service plan, and creates an App Service instance.

+[!code-yml[](includes/deploy-web-app-authentication-pipeline/azure-pipeline-3.yml?highlight=40-68)]

+Save your changes and run the pipeline. In the [Azure portal](https://portal.azure.com), navigate to **Resource groups** and verify that a new resource group and App Service instance are created.

+## Deploy the web app to App Service

+Now that your pipeline is creating resources in Azure, a deployment stage to deploy the web app to App Service.

+Update *azure-pipelines.yml* to add the deployment stage.

+[!code-yml[](includes/deploy-web-app-authentication-pipeline/azure-pipeline-4.yml?highlight=70-96)]

+Save your changes and run the pipeline.

+A `DeployWebApp` stage is defined with several tasks:

+- [DownloadBuildArtifacts@1](/azure/devops/pipelines/tasks/reference/download-build-artifacts-v1) downloads the build artifacts that were published to the pipeline in a previous stage.

+- [AzureRmWebAppDeployment@4](/azure/devops/pipelines/tasks/reference/azure-rm-web-app-deployment-v4) deploys the web app to App Service.

+View the deployed website on App Service. Navigate to your App Service in Azure portal and select the instance's **Default domain**: `https://pipelinetestwebapp.azurewebsites.net`.

+The *pipelinetestwebapp* has been successfully deployed to App Service.

+## Configure App Service authentication

+Now that the pipeline is deploying the web app to App Service, you can configure the [App Service built-in authentication](/azure/app-service/overview-authentication-authorization). Modify the inline script in the `DeployAzureResources` to:

+1. Create an Azure AD app registration as an identity for your web app. To create an app registration, the service principal for running the pipeline needs Application Administrator role in the directory.

+1. Get a secret from the app.

+1. Configure the secret setting for the App Service web app.

+1. Configure the redirect URI, home page URI, and issuer settings for the App Service web app.

+1. Configure other settings on the web app.

+[!code-yml[](includes/deploy-web-app-authentication-pipeline/azure-pipeline-5.yml?highlight=68-108)]

+Save your changes and run the pipeline.

+## Verify limited access to the web app

+To verify that access to your app is limited to users in your organization, navigate to your App Service in the [Azure portal](https://portal.azure.com) and select the instance's **Default domain**: `https://pipelinetestwebapp.azurewebsites.net`.

+You should be directed to a secured sign-in page, verifying that unauthenticated users aren't allowed access to the site. Sign in as a user in your organization to gain access to the site.

+You can also start up a new browser and try to sign in by using a personal account to verify that users outside the organization don't have access.

+## Clean up resources

+Clean up your Azure resources and Azure DevOps environment so you're not charged for resources after you're done.

+### Delete the resource group

+In the Azure portal, select **Resource groups** from the menu and select the resource group that contains your deployed web app.

+Select **Delete resource group** to delete the resource group and all the resources.

+### Disable the pipeline or delete the Azure DevOps project

+You created a project that points to a GitHub repository. The pipeline is triggered to run every time you push a change to your GitHub repository, consuming free build minutes or your resources.

+#### Option 1: Disable your pipeline

+Choose this option if you want to keep your project and your build pipeline for future reference. You can re-enable your pipeline later if you need to.

+1. In your Azure DevOps project, select **Pipelines** and then select your pipeline.

+1. Select the ellipsis button at the far right, and then select **Settings**.

+1. Select **Disabled**, and then select **Save**. Your pipeline will no longer process new run requests.

+#### Option 2: Delete your project

+Choose this option if you don't need your DevOps project for future reference. This deletes your Azure DevOps project.

+1. Navigate to your Azure DevOps project.

+1. Select **Project settings** in the lower-left corner.

+1. Under **Overview**, scroll down to the bottom of the page and then select **Delete**.

+1. Type your project name in the text box, and then select **Delete**.

+### Delete app registrations in Azure AD

+In the [Entra admin center](https://entra.microsoft.com/), select **Applications** > **App registrations** > **All applications**.

+Select the application for the pipeline, the display name has the form `{organization}-{project}-{guid}`, and delete it.

+Select the application for the web app, *pipelinetestwebapp*, and delete it.

+## Next steps

+Learn more about:

+- [App Service built-in authentication](/azure/app-service/overview-authentication-authorization).

+- [Deploy to App Service using Azure Pipelines](/azure/app-service/deploy-azure-pipelines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> 1. Sign in to the <a href="https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/JavascriptSpaQuickstartPage/sourceType/docs" target="_blank">Azure portal - App registrations</a> quickstart experience.

+> > | `clientSecret` | Is the client secret created for the application in Azure portal. |

+> > | `tokenRequest` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under **Expose an API** section in Azure portal's Application Registration. |

+1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>. Search for and select the **Azure Active Directory** service.

+| AADSTS53003 | BlockedByConditionalAccess - Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. If this is unexpected, see the conditional access policy that applied to this request in the Azure portal or contact your administrator. For additional information, please visit [troubleshooting sign-in with Conditional Access](../conditional-access/troubleshoot-conditional-access.md). |

+| AADSTS65002 | Consent between first party application '{applicationId}' and first party resource '{resourceId}' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. A developer in your tenant may be attempting to reuse an App ID owned by Microsoft. This error prevents them from impersonating a Microsoft application to call other APIs. They must move to another app ID they register in the [Azure portal](https://portal.azure.com).|

+- To register a new application, sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal</a>.

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in to your tenant. Select **Azure Active Directory**. Select **Security** in the left navigation pane and then select **Conditional Access**.

+For more information, please check the following code sample [MSAL.js Testing Example](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-browser-samples/TestingSample).

+In a new tab or browser session, sign in to the [Azure portal](https://portal.azure.com) to access your test tenant.

+1. Sign in to the <a href="https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/WinDesktopQuickstartPage/sourceType/docs" target="_blank">Azure portal - App registrations</a> quickstart experience.

+1. Sign in to the [Azure portal](https://portal.azure.com) and select **Azure Active Directory** > **App registrations** > *\<your application\>* > **Authentication**.

+To find the OIDC configuration document in the Azure portal, sign in to the [Azure portal](https://portal.azure.com) and then:

+[Azure AD Guest accounts](/azure/active-directory/external-identities/what-is-b2b) cannot connect to Azure Bastion via Azure AD authentication.

+ Sign in with the user account in a web browser. For instance, sign in to the [Azure portal](https://portal.azure.com) in a private browsing window. If you're prompted to change the password, set a new password. Then try connecting again.

+* Simplify deployment and management ΓÇô Simplify the process of bringing devices to Azure AD with [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot), [bulk provisioning](/mem/intune/enrollment/windows-bulk-enroll), or [self-service: Out of Box Experience (OOBE)](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973). Manage devices with Mobile Device Management (MDM) tools like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), and their identities in the [Azure portal](https://portal.azure.com/).

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account in the organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account in your organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) with a User administrator account in the organization. Group owners can also bulk import members of groups they own.

+1. Sign in to the [Azure portal](https://portal.azure.com) with a User administrator account in the organization. Group owners can also bulk remove members of groups they own.

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is a Global Administrator in your Azure AD organization.

+1. Configure the expiration settings Use the New-AzureADMSGroupLifecyclePolicy cmdlet to set the lifetime for all Microsoft 365 groups in the Azure AD organization to 365 days. Renewal notifications for Microsoft 365 groups without owners will be sent to `emailaddress@contoso.com`

+1. Retrieve the existing policy Get-AzureADMSGroupLifecyclePolicy: This cmdlet retrieves the current Microsoft 365 group expiration settings that have been configured. In this example, you can see:

+1. Update the existing policy Set-AzureADMSGroupLifecyclePolicy: This cmdlet is used to update an existing policy. In the example below, the group lifetime in the existing policy is changed from 365 days to 180 days.

+1. Add specific groups to the policy Add-AzureADMSLifecyclePolicyGroup: This cmdlet adds a group to the lifecycle policy. As an example:

+1. Remove the existing Policy Remove-AzureADMSGroupLifecyclePolicy: This cmdlet deletes the Microsoft 365 group expiration settings but requires the policy ID. This cmdlet disables expiration for Microsoft 365 groups.

+To add an Azure AD organization in the Azure portal, sign in to the [Azure portal](https://portal.azure.com) with an account that is an Azure AD global administrator, and select **New**.

+When managing licenses in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products) or the [Microsoft 365 admin center](https://admin.microsoft.com), you see product names that look something like *Office 365 E3*. When you use PowerShell v1.0 cmdlets, the same product is identified using a specific but less friendly name: *ENTERPRISEPACK*. When using PowerShell v2.0 cmdlets or [Microsoft Graph](/graph/api/resources/subscribedsku), the same product is identified using a GUID value: *6fd2c87f-b296-42f0-b197-1e91e994b900*. The following table lists the most commonly used Microsoft online service products and provides their various ID values. These tables are for reference purposes in Azure Active Directory (Azure AD), part of Microsoft Entra, and are accurate only as of the date when this article was last updated. Microsoft will continue to make periodic updates to this document.

+1. Use your test user name and password to sign in to the [Azure portal](https://portal.azure.com/).

+1. Sign in to the [Azure portal](https://portal.azure.com/) as a security administrator or a Conditional Access administrator.

+1. Use your test user name and password to sign in to the [Azure portal](https://portal.azure.com/).

+ 1. Select the link in the **Domains** column.

+ 

+ 1. Next to **Domain name of federating IdP**, type the domain name, and then select **Add**. Repeat for each domain you want to add. When you're finished, select **Done**.

+ 

+1. Sign in to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.

+ > To find your tenant ID, sign in to the [Azure portal](https://portal.azure.com). Under **Azure Active Directory**, select **Properties** and copy the **Tenant ID**.

+1. Sign in to the [Azure portal](https://portal.azure.com). On the left pane, select **Azure Active Directory**.

+ > For more information, see [Remove-AzureADMSIdentityProvider](/powershell/module/azuread/Remove-AzureADMSIdentityProvider?view=azureadps-2.0-preview&preserve-view=true).

+You can use MIM and the MIM connector for Microsoft Graph to create the guest user objects in the on-premises directory. To learn more, see [Azure AD business-to-business (B2B) collaboration with Microsoft Identity Manager (MIM) 2016 SP1 with Azure Application Proxy](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario).

+Make sure that you have the correct Client Access Licenses (CALs) or External Connectors for external guest users who access on-premises apps or whose identities are managed on-premises. For more information, see the "External Connectors" section of [Client Access Licenses and Management Licenses](https://www.microsoft.com/licensing/product-licensing/client-access-license.aspx). Consult your Microsoft representative or local reseller regarding your specific licensing needs.

+A dynamic group is a dynamic configuration of security group membership for Azure Active Directory (Azure AD) available in the [Azure portal](https://portal.azure.com). Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as [userType](user-properties.md), department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and to assign licenses to members. Learn more about [dedicated groups in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Sign in to the [Azure portal](https://portal.azure.com) and open **Azure Active Directory**.

+* [Learn about the diagnostic data Azure identity support can access](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/)

+You can manage Microsoft Entra ID and all other Microsoft Entra solutions in the [Microsoft Entra admin center](https://entra.microsoft.com) or the [Azure portal](https://portal.azure.com).

+[](./media/recoverability/deletion-restore-application.png#lightbox)

+## December 2022

+### General Availability - Risk-based Conditional Access for workload identities

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** Identity Security & Protection

+Customers can now bring one of the most powerful forms of access control in the industry to workload identities. Conditional Access supports risk-based policies for workload identities. Organizations can block sign-in attempts when Identity Protection detects compromised apps or services. For more information, see: [Create a risk-based Conditional Access policy](../conditional-access/workload-identity.md#create-a-risk-based-conditional-access-policy).

+### General Availability - API to recover accidentally deleted Service Principals

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** Identity Lifecycle Management

+Restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items. If an item was accidentally deleted, you can fully restore the item. This isn't applicable to security groups, which are deleted permanently. A recently deleted item remains available for up to 30 days. After 30 days, the item is permanently deleted. For more information, see: [servicePrincipal resource type](/graph/api/resources/serviceprincipal).

+### General Availability - Using Staged rollout to test Cert Based Authentication (CBA)

+**Type:** New feature

+**Service category:** Authentications (Logins)

+**Product capability:** Identity Security & Protection

+We're excited to announce the general availability of hybrid cloud Kerberos trust, a new Windows Hello for Business deployment model to enable a password-less sign-in experience. With this new model, weΓÇÖve made Windows Hello for Business easier to deploy than the existing key trust and certificate trust deployment models by removing the need for maintaining complicated public key infrastructure (PKI), and Azure Active Directory (AD) Connect synchronization wait times. For more information, see: [Migrate to cloud authentication using Staged Rollout](../hybrid/how-to-connect-staged-rollout.md).

+## June 2023

+### General Availability - Apply RegEx Replace to groups claim content

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** SSO

+Today, when group claims are added to tokens Azure Active Directory attempts to include all of the groups the user is a member of. In larger organizations where users are members of hundreds of groups this can often exceed the limits of what can go in the token. This feature enables more customers to connect their apps to Azure Active Directory by making connections easier and more robust through automation of the applicationΓÇÖs creation process. This specifically allows the set of groups included in the token to be limited to only those that are assigned to the application. For more information, see: [Regex-based claims transformation](../develop/saml-claims-customization.md#regex-based-claims-transformation).

+### General Availability - Azure Active Directory SSO integration with Cisco Unified Communications Manager

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** Platform

+Cisco Unified Communications Manager (Unified CM) provides reliable, secure, scalable, and manageable call control and session management. When you integrate Cisco Unified Communications Manager with Azure Active Directory, you can:

+- Control in Azure Active Directory who has access to Cisco Unified Communications Manager.

+- Enable your users to be automatically signed-in to Cisco Unified Communications Manager with their Azure AD accounts.

+- Manage your accounts in one central location - the Azure portal.

+For more information, see: [Azure Active Directory SSO integration with Cisco Unified Communications Manager](../saas-apps/cisco-unified-communications-manager-tutorial.md).

+### General Availability - Number Matching for Microsoft Authenticator notifications

+**Type:** Plan for Change

+**Service category:** Microsoft Authenticator App

+**Product capability:** User Authentication

+Microsoft Authenticator appΓÇÖs number matching feature has been Generally Available since Nov 2022! If you haven't already used the rollout controls (via Azure portal Admin UX and MSGraph APIs) to smoothly deploy number matching for users of Microsoft Authenticator push notifications, we highly encourage you to do so. We previously announced that we'll remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting February 27, 2023. After listening to customers, we'll extend the availability of the rollout controls for a few more weeks. Organizations can continue to use the existing rollout controls until May 8, 2023, to deploy number matching in their organizations. Microsoft services will start enforcing the number matching experience for all users of Microsoft Authenticator push notifications after May 8, 2023. We'll also remove the rollout controls for number matching after that date.

+If customers donΓÇÖt enable number match for all Microsoft Authenticator push notifications prior to May 8, 2023, Authenticator users may experience inconsistent sign-ins while the services are rolling out this change. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.

+For more information, see: [How to use number matching in multifactor authentication (MFA) notifications - Authentication methods policy](../authentication/how-to-mfa-number-match.md)

+> The Entitlement Management app includes the entitlement management side of MyAccess, the Entitlement Management side of Azure portal and the Entitlement Management part of MS graph. The latter two require additional permissions for access, hence won't be accessed by guests unless explicit permission is provided.

+* Use the lightweight Azure AD provisioning agent and [web services connector](/azure/active-directory/app-provisioning/on-premises-web-services-connector) to [provision users into apps such as SAP ECC](/azure/active-directory/app-provisioning/on-premises-sap-connector-configure?branch=pr-en-us-243167).

+In most cases, users are going to be provisioned to Azure AD either from an on-premises solution (such as Azure AD Connect or Cloud sync) or with an HR solution. These users have the attributes and values populated at the time of creation. Setting up the infrastructure to provision users is outside the scope of this tutorial. For information, see [Tutorial: Basic Active Directory environment](../cloud-sync/tutorial-basic-ad-azure.md) and [Tutorial: Integrate a single forest with a single Azure AD tenant](../cloud-sync/tutorial-single-forest.md)

+ ```json

+ {

+ "accountEnabled": true,

+ "displayName": "Melva Prince",

+ "mailNickname": "mprince",

+ "department": "sales",

+ "mail": "mprince@<your tenant name here>",

+ "employeeHireDate": "2022-04-15T22:10:00Z",

+ "userPrincipalName": "mprince@<your tenant name here>",

+ "passwordProfile" : {

+ "forceChangePasswordNextSignIn": true,

+ "password": "xWwvJ]6NMw+bWH-d"

+ }

+ }

+ 6. Copy the ID that is returned in the results. This is used later to assign a manager.

+ ```json

+ {

+ "accountEnabled": true,

+ "displayName": "Britta Simon",

+ "mailNickname": "bsimon",

+ "department": "sales",

+ "mail": "bsimon@<your tenant name here>",

+ "employeeHireDate": "2021-01-15T22:10:00Z",

+ "userPrincipalName": "bsimon@<your tenant name here>",

+ "passwordProfile" : {

+ "forceChangePasswordNextSignIn": true,

+ "password": "xWwvJ]6NMw+bWH-d"

+ }

+ }

+ ```

+ 11. Select **Save**.

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+ 10. Verify the change by changing **PATCH** back to **GET** and **v1.0** to **beta**. Select **Run query**. You should see the attributes for Melva set.

+- [Tutorial: Off-boarding users from your organization using Lifecycle workflows with Microsoft Graph](tutorial-offboard-custom-workflow-graph.md)

+Azure AD also supports provisioning users into applications hosted on-premises or in a virtual machine, without having to open up any firewalls. If your application supports [SCIM](https://aka.ms/scimoverview), or you've built a SCIM gateway to connect to your legacy application, you can use the Azure AD Provisioning agent to [directly connect](/azure/active-directory/app-provisioning/on-premises-scim-provisioning) with your application and automate provisioning and deprovisioning. If you have legacy applications that don't support SCIM and rely on an [LDAP](/azure/active-directory/app-provisioning/on-premises-ldap-connector-configure) user store or a [SQL](/azure/active-directory/app-provisioning/on-premises-sql-connector-configure) database, Azure AD can support those as well.

+ ```powershell

+ ```powershell

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.

+|Is there a health monitoring solution?|Not required|Agent status provided by the [Azure portal](tshoot-connect-pass-through-authentication.md)|[Azure AD Connect Health](how-to-connect-health-adfs.md)|

+If you're thinking about migrating from federated to cloud authentication, learn more about [changing the sign-in method](plan-connect-user-signin.md). To help you plan and implement the migration, use [these project deployment plans](../../fundamentals/deployment-plans.md), or consider using the new [Staged Rollout](how-to-connect-staged-rollout.md) feature to migrate federated users to using cloud authentication in a staged approach.

+<a name='configure-notification-alerts-using-azure-monitor-alerts-through-the-azure-portal'></a>

+## Configure notification alerts using Azure Monitor Alerts through the Azure portal:

+1. In the Azure portal, search for ΓÇ£MonitorΓÇ¥ in the search bar to navigate to the Azure ΓÇ£MonitorΓÇ¥ service. Select ΓÇ£AlertsΓÇ¥ from the left menu, then ΓÇ£+ New alert ruleΓÇ¥.

+1. In the Azure portal, search for Azure AD Connect Health

+This limits the evaluation of alerts by the service. You will see a banner that indicates this condition in the Azure portal under your service.

+This feature provides a graphical trend of latency of the sync operations (such as import and export) for connectors. This provides a quick and easy way to understand not only the latency of your operations (larger if you have a large set of changes occurring) but also a way to detect anomalies in the latency that may require further investigation.

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+ - Security Reader Users assigned the Conditional Access administrator role can create policies that use risk as a condition.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- `riskyServicePrincipals`

+- `servicePrincipalRiskDetections`

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

+- [Grant tenant-wide admin consent](grant-admin-consent.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com/) and sign in as a global administrator or co-admin.

+1. Sign in to the [Azure portal](https://portal.azure.com/) and sign in as a global administrator or co-admin.

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Sign in to the [Azure portal](https://portal.azure.com) with one of the roles listed in the prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative permissions.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ 

+Azure AD provides a centralized access location to manage your migrated apps. Sign in to the [Azure portal](https://portal.azure.com/) and enable the following capabilities:

+- **Delegate admin access** using **Directory Role** to assign an admin role (such as Application administrator, Cloud Application administrator, or Application developer) to your user.

+ > If you blocked legacy authentication on Windows clients in the global or app-level sign-on policy, make a rule that enables the hybrid Azure AD join process to finish. Allow the legacy authentication stack for Windows clients. <br>To enable custom client strings on app policies, contact the [Okta Help Center](https://support.okta.com/help/).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com/).

+1. Sign in to the [Azure portal](https://portal.azure.com/). Sign in as a global administrator or co-admin.

+1. Sign in to the [Azure portal](https://portal.azure.com/). Sign in as a global administrator or co-admin.

+1. Sign in to the [Azure portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Policy**.

+1. Sign in to the [Azure portal]portal](https://portal.azure.com).

+1. Sign in to the [Azure portal]portal](https://portal.azure.com/)

+ 

+When you want to clean up the resources, sign in to the [Azure portal](https://portal.azure.com), select **Resource groups**, locate, and select the resource group that was created in the process of this tutorial (such as `mi-test`), and then use the **Delete resource group** command.

+1. Sign in to the [Azure portal]portal](https://portal.azure.com/)

+ 

+

+When you want to clean up the resources, sign in to the [Azure portal](https://portal.azure.com), select **Resource groups**, locate, and select the resource group that was created in the process of this tutorial (such as `mi-test`), and then use the **Delete resource group** command.

+1. Sign in to the [Azure portal](https://portal.azure.com/). For **Azure resources**, navigate to **Privileged Identity Management** and select **Azure resources** under **Manage** from the dashboard. For **Azure AD roles**, select **Azure AD roles** from the same dashboard.

+1. Sign in to the [Azure portal](https://portal.azure.com/) as a user that is assigned to one of the prerequisite role(s).

+1. Sign in to the [Azure portal](https://portal.azure.com/) with a user that is a member of the [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator) role.

+1. Sign in to the [Azure portal](https://portal.azure.com/) with Owner or User Access Administrator role permissions.

+1. Sign in to the [Azure portal](https://portal.azure.com) using one of the required roles.

+ > The Azure portal downloader will time out if you attempt to download large data sets. Generally, data sets smaller than 250,000 records work well with the browser download feature. If you face issues completing large downloads in the browser, you should use the [reporting API](/graph/api/resources/azure-ad-auditlog-overview) to download the data.

+To configure monitoring settings for Azure AD activity logs, first sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. From here, you can access the diagnostic settings configuration page in two ways:

+1. Sign in to the [Azure portal](https://portal.azure.com/) as Isabella Simonsen using an incorrect password.

+1. Sign in to the [Azure portal](https://portal.azure.com/) as Isabella Simonsen using an incorrect password.

+ 1. In the toolbar, select **Add filters**.

+ 

+ 1. In the **Pick a field** list, select **User**, and then select **Apply**.

+ 1. In the **Username** textbox, type **Isabella Simonsen**, and then select **Apply**.

+ 1. In the toolbar, select **Refresh**.

+ 

+- Azure Active Directory administrator experiences for the actions in the [Entra admin center](https://entra.microsoft.com) or the [Azure portal](https://portal.azure.com)

+> If your organization uses the User Sync Tool or a UMAPI integration, you must first pause the integration. Then, add Azure AD automatic provisioning to automate user management from the Azure portal. Once Azure AD automatic provisioning is configured and running, you can completely remove the User Sync Tool or UMAPI integration.

+> If your organization uses the User Sync Tool or a UMAPI integration, you must first pause the integration. Then, add Azure AD automatic provisioning to automate user management from the Azure portal. Once Azure AD automatic provisioning is configured and running, you can completely remove the User Sync Tool or UMAPI integration.

+1. Create a [group](/azure/active-directory/fundamentals/how-to-manage-groups) that will provide all users access to the application.

+1. Create a second group in Azure AD. This group will provide access to admin permissions in AWS.

+1. Bring the group under [management in Azure AD PIM](/azure/active-directory/privileged-identity-management/groups-discover-groups).

+1. Assign your test user as [eligible for the group in PIM](/azure/active-directory/privileged-identity-management/groups-assign-member-owner) with the role set to member.

+Now any end user that was made eligible for the group in PIM can get JIT access to the group in AWS by [activating their group membership](/azure/active-directory/privileged-identity-management/groups-activate-roles#activate-a-role).

+> You may also choose to enabled SAML-based Single Sign-On for Box, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+* [Configure Single Sign-on](box-tutorial.md)

+> You may also choose to enable SAML-based single sign-on for Cerner Central, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features complement each other. For more information, see the [Cerner Central single sign-on tutorial](cernercentral-tutorial.md).

+> You may also choose to enabled SAML-based Single Sign-On for GoToMeeting, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+> You may also choose to enabled SAML-based Single Sign-On for Concur, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+- Confluence: 7.0.1 to 8.0.4

+> You may also choose to enabled SAML-based Single Sign-On for DocuSign, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+ 1. In the **Admin User Name** textbox, type a DocuSign account name that has the **System Administrator** profile in DocuSign.com assigned.

+ 1. In the **Admin Password** textbox, type the password for this account.

+1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights.

+* **Header Operation:** `Insert`

+* **Header Name:** `upn`

+* **Header Value:** `%{session.saml.last.identity}`

+* **Header Operation:** `Insert`

+* **Header Name:** `employeeid`

+* **Header Value:** `%{session.saml.last.attr.name.employeeid}`

+1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights

+See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

+1. Create a [group](/azure/active-directory/fundamentals/how-to-manage-groups) that provides all users access to the application.

+1. Bring the group under [management in Azure AD PIM](/azure/active-directory/privileged-identity-management/groups-discover-groups).

+1. Assign your test user as [eligible for the group in PIM](/azure/active-directory/privileged-identity-management/groups-assign-member-owner) with the role set to member.

+Now any end user that was made eligible for the group in PIM can get JIT access to the group in Google Cloud / Google Workspace by [activating their group membership](/azure/active-directory/privileged-identity-management/groups-activate-roles#activate-a-role).

+ 1. In the **Identifier** textbox, type a value using the following pattern:

+ 1. In the **Reply URL** textbox, type a URL using the following pattern:

+ 1. In the **Sign on URL** textbox, type a URL using the following pattern:

+In the previous [Create and assign Azure AD test user](#create-and-assign-azure-ad-test-user) section, you created a user called B.Simon and assigned it to the HashiCorp Cloud Platform (HCP) app within the Azure portal. This can now be used for testing the SSO connection. You may also use any account that is already associated with the HashiCorp Cloud Platform (HCP) app in the Azure portal.

+Once you configure HashiCorp Cloud Platform (HCP) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+> You may also choose to enabled SAML-based Single Sign-On for Jive, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+ 1. In the **Jive Admin User Name** textbox, type a Jive account name that has the **System Administrator** profile in Jive.com assigned.

+ 1. In the **Jive Admin Password** textbox, type the password for this account.

+ 1. In the **Jive Tenant URL** textbox, type the Jive tenant URL.

+* [Configure Single Sign-on](jive-tutorial.md)

+**Tip:** You may also choose to enabled SAML-based Single Sign-On for LinkedIn Elevate, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features complement each other.

+The first step is to retrieve your LinkedIn access token. If you are an Enterprise administrator, you can self-provision an access token. In your account center, go to **Settings &gt; Global Settings** and open the **SCIM Setup** panel.

+5. Click **Generate token**. You should see your access token display under the **Access token** field.

+6. Save your access token to your clipboard or computer before leaving the page.

+ * You should see a success notification on the upper-right side of your portal.

+> You may also choose to enabled SAML-based Single Sign-On for LinkedIn Sales Navigator, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features complement each other.

+The first step is to retrieve your LinkedIn access token. If you are an Enterprise administrator, you can self-provision an access token. In your account center, go to **Settings &gt; Global Settings** and open the **SCIM Setup** panel.

+ * You should see a success notification on the upper-right side of your portal.

+ 1. In the **Sign on URL** text box, type a URL using the following pattern:

+ 1. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Menlo Security Client support team](https://www.menlosecurity.com/menlo-contact) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+ 

+ 

+ 

+ 1. Tick the checkbox **Enable user authentication using SAML**.

+ 1. Select **Allow External Access** to **Yes**.

+ 1. Under **SAML Provider**, select **Azure Active Directory**.

+ 1. **SAML 2.0 Endpoint** : Paste the **Login URL** which you have copied from Azure portal.

+ 1. **Service Identifier (Issuer)** : Paste the **Azure AD Identifier** which you have copied from Azure portal.

+ 1. **X.509 Certificate** : Open the **Certificate (Base64)** downloaded from the Azure portal in notepad and paste it in this box.

+ 1. Click **Save** to save the settings.

+* Confluence: 7.0.1 to 8.0.4.

+| 6.3.9 | Bug Fixes: | Confluence Server: 7.20.3 to 8.0.4 |

+* Confluence: 7.0.1 to 8.0.4.

+> You may also choose to enabled SAML-based Single Sign-On for Salesforce, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+ 1. In the **Admin Username** textbox, type a Salesforce account name that has the **System Administrator** profile in Salesforce.com assigned.

+ 1. In the **Admin Password** textbox, type the password for this account.

+>You may also choose to enabled SAML-based Single Sign-On for Salesforce Sandbox, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+ 1. In the **Admin Username** textbox, type a Salesforce Sandbox account name that has the **System Administrator** profile in Salesforce.com assigned.

+ 1. In the **Admin Password** textbox, type the password for this account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Click on an existing attribute mapping to update it, or click **Add new mapping** at the bottom of the screen to add new mappings. An individual attribute mapping supports these properties:

+ * **Match objects using this attribute** ΓÇô Whether or not this mapping should be used to uniquely identify users between SuccessFactors and Active Directory. This value is typically set on the Worker ID field for SuccessFactors, which is typically mapped to one of the Employee ID attributes in Active Directory.

+ * **Matching precedence** ΓÇô Multiple matching attributes can be set. When there are multiple, they are evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated.

+* [Learn how to export and import your provisioning configurations](../app-provisioning/export-import-provisioning-configuration.md)

+1. Under **Grant this role to...**, click the **Add...** button.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Click on an existing attribute mapping to update it, or click **Add new mapping** at the bottom of the screen to add new mappings. An individual attribute mapping supports these properties:

+ * **Match objects using this attribute** ΓÇô Whether or not this mapping should be used to uniquely identify users between SuccessFactors and Active Directory. This value is typically set on the Worker ID field for SuccessFactors, which is typically mapped to one of the Employee ID attributes in Active Directory.

+ * **Matching precedence** ΓÇô Multiple matching attributes can be set. When there are multiple, they are evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated.

+* [Learn how to export and import your provisioning configurations](../app-provisioning/export-import-provisioning-configuration.md)

+1. Under **Grant this role to...**, click **Add...** Button.

+1. Select **Permission Group...** from the drop-down menu, then click **Select...** to open the Groups window to search and select the group created above.

+In SAP SuccessFactors, a *picklist* is a configurable set of options from which a user can make a selection. The different types of email and phone number (such as business, personal, and other) are represented using a picklist. In this step, we will identify the picklists configured in your SuccessFactors tenant to store email and phone number values.

+1. Use the name of the email picklist captured from the previous section (such as ecEmailType) to find the email picklist.

+ > Drop the comma character when you copy over the value. For example, if the **Option ID** value is *8,448*, then set the *emailType* in Azure AD to the constant number *8448* (without the comma character).

+ > Drop the comma character when you copy over the value. For example, if the **Option ID** value is *10,606*, then set the *cellPhoneType* in Azure AD to the constant number *10606* (without the comma character).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ 1. In the **Sign on URL** text box, type a URL using the following pattern:

+ 1. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

+ 1. In the **Name** textbox, type a name for your configuration (for example: **WAADSSOTest**).

+ 1. Select **Enabled**.

+ 1. Select **Use new SSO Certificate**.

+ 1. Open your base-64 encoded certificate in notepad, copy the content of it into your clipboard, and then paste it to the **Identity Provider Certificate** textbox.

+ 1. Paste the **Azure AD Identifier** value which you have copied from Azure portal into the **Entity Id** textbox.

+ 1. Paste the **Login URL** value which you have copied from Azure portal into the **Identity Provider Login URL** textbox.

+ 1. Paste the **Logout URL** value which you have copied from Azure portal into the **Identity Provider Logout URL** textbox.

+ 1. As **SAML User ID Type**, select **Assertion contains UserΓÇÖs sprinklr.com username**.

+ 1. As **SAML User ID Location**, select **User ID is in the Name Identifier element of the Subject statement**.

+ 1. Click **Save**.

+ 1. In the **Email**, **First Name** and **Last Name** textboxes, type the information of an Azure AD user account you want to provision.

+ 1. Select **Password Disabled**.

+ 1. Select **Language**.

+ 1. Select **User Type**.

+ 1. Click **Update**.

+ 1. From the **Global** list, select **ALL_Permissions**.

+ 1. Click **Update**.

+> You may also choose to enabled SAML-based Single Sign-On for ThousandEyes, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+5. Under the **Admin Credentials** section, input the **OAuth Bearer Token** generated by your ThousandEyes's account (you can find and or generate a token under your ThousandEyes account **Profile** section).

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+* TonicDM supports **SP** and **IDP** initiated SSO.

+ Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+1. Perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign on URL** text box, type the URL:

+ `https://app.tonicdm.com/logon`

+ 

+ 

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to TonicDM Sign on URL where you can initiate the login flow.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the TonicDM for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the TonicDM tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the TonicDM for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+> You may also choose to enabled SAML-based Single Sign-On for Velpic, following the instructions provided in the [Azure portal](https://portal.azure.com). Single sign-on can be configured independently of automatic provisioning, though these two features compliment each other.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ * If the connection test succeeds, click the **Save** button at the top. If it fails, double-check that the Workday URL and credentials are valid in Workday.

+5. Click on an existing attribute mapping to update it, or click **Add new mapping** at the bottom of the screen to add new mappings. An individual attribute mapping supports these properties:

+ * **Expression** ΓÇô Allows you to write a custom value to the AD attribute, based on one or more Workday attributes. [For more info, see this article on expressions](../app-provisioning/functions-for-customizing-application-data.md).

+ * **Match objects using this attribute** ΓÇô Whether or not this attribute should be used to uniquely identify users between Workday and Azure AD. This value is typically set on the Worker ID field for Workday, which is typically mapped to the Employee ID attribute (new) or an extension attribute in Azure AD.

+ * **Matching precedence** ΓÇô Multiple matching attributes can be set. When there are multiple, they are evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated.

+1. Click on the ellipsis (`...`) next to the group name and from the menu, select **Security Group > Maintain Domain Permissions for Security Group**

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Click on an existing attribute mapping to update it, or click **Add new mapping** at the bottom of the screen to add new mappings. An individual attribute mapping supports these properties:

+ * **Match objects using this attribute** ΓÇô Whether or not this mapping should be used to uniquely identify users between Workday and Active Directory. This value is typically set on the Worker ID field for Workday, which is typically mapped to one of the Employee ID attributes in Active Directory.

+ * **Matching precedence** ΓÇô Multiple matching attributes can be set. When there are multiple, they are evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated.

+It is a common requirement to configure the *displayName* attribute in AD so that it also provides information about the user's department and country/region. For example, if John Smith works in the Marketing Department in US, you might want his *displayName* to show up as *Smith, John (Marketing-US)*.

+ 1. Switch **Select what this policy applies to** to **Cloud apps**.

+ 1. In **Include**, choose **Select apps**.

+ 1. From the **Select** list, choose **Workday**.

+ 1. Select **Done**.

+ 1. Select the controls to be enforced as **Grant access**.

+ 1. Select **Require device to be marked as compliant**.

+ 1. Select **Require one of the selected controls**.

+ 1. Choose **Select**.

+1. Sign in to the [Azure portal](https://portal.azure.com/), and sign in.

+1. Sign in to the [Azure portal](https://portal.azure.com/), and sign in.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ * **Admin Username** ΓÇô Enter the username of the Workday integration system account, with the tenant domain name appended. Should look something like: *username\@contoso4*

+ * Click the **Test Connection** button. If the connection test succeeds, click the **Save** button at the top. If it fails, double-check that the Workday URL and credentials are valid in Workday.

+ 

+1. Sign into the [Azure portal](https://portal.azure.com)

+>You can create multiple authorities with their own DID and private keys, these will not be visible in the UI of the Azure portal. Currently we only support having 1 authority. We have not fully tested all scenarios with multiple created authorities. If you are trying this please let us know your experience.

+ 

+> South Central US and East US are temporarily unavailable for creating new resources and deployments due to high demand.

+| `gpt-35-turbo` (0613) | East US, France Central, Japan East, North Central US, UK South | N/A | 4,096 | Sep 2021 |

+| `gpt-35-turbo-16k` (0613) | East US, France Central, Japan East, North Central US, UK South | N/A | 16,384 | Sep 2021 |

+> There are multiple ways to generate an authorization token. The easiest method for initial testing is to launch the Cloud Shell from the [Azure portal](https://portal.azure.com). Then run [`az account get-access-token`](/cli/azure/account?view=azure-cli-latest#az-account-get-access-token&preserve-view=true). You can use this token as your temporary authorization token for API testing.

+ Title: How to use function calling with Azure OpenAI Service

+description: Learn how to use function calling with the GPT-35-Turbo and GPT-4 models

+# How to use function calling with Azure OpenAI Service

+The latest versions of gpt-35-turbo and gpt-4 have been fine-tuned to work with functions and are able to both determine when and how a function should be called. If one or more functions are included in your request, the model will then determine if any of the functions should be called based on the context of the prompt. When the model determines that a function should be called, it will then respond with a JSON object including the arguments for the function.

+This provides a native way for these models to formulate API calls and structure data outputs, all based on the functions you specify. It's important to note that while the models can generate these calls, it's up to you to execute them, ensuring you remain in control.

+At a high level you can break down working with functions into three steps:

+1. Call the chat completions API with your functions and the userΓÇÖs input

+2. Use the modelΓÇÖs response to call your API or function

+3. Call the chat completions API again, including the response from your function to get a final response

+## Using function in the chat completions API

+Function calling is available in the `2023-07-01-preview` API version and works with version 0613 of gpt-35-turbo, gpt-35-turbo-16k, gpt-4, and gpt-4-32k.

+To use function calling with the Chat Completions API, you need to include two new properties in your request: `functions` and `function_call`. You can include one or more `functions` in your request and you can learn more about how to define functions in the [defining functions](#defining-functions) section below. Keep in mind that functions are injected into the system message under the hood so functions count against your token usage.

+When functions are provided, by default the `function_call` will be set to `"auto"` and the model will decide whether or not a function should be called. Alternatively, you can set the `function_call` parameter to `{"name": "<insert-function-name>"}` to force the API to call a specific function or you can set the parameter to `"none"` to prevent the model from calling any functions.

+```python

+# Note: The openai-python library support for Azure OpenAI is in preview.

+import os

+import openai

+openai.api_key = os.getenv("AZURE_OPENAI_ENDPOINT")

+openai.api_version = "2023-07-01-preview"

+openai.api_type = "azure"

+openai.api_base = os.getenv("AZURE_OPENAI_KEY")

+messages= [

+ {"role": "user", "content": "Find beachfront hotels in San Diego for less than $300 a month with free breakfast."}

+]

+functions= [

+ {

+ "name": "search_hotels",

+ "description": "Retrieves hotels from the search index based on the parameters provided",

+ "parameters": {

+ "type": "object",

+ "properties": {

+ "location": {

+ "type": "string",

+ "description": "The location of the hotel (i.e. Seattle, WA)"

+ },

+ "max_price": {

+ "type": "number",

+ "description": "The maximum price for the hotel"

+ },

+ "features": {

+ "type": "string",

+ "description": "A comma separated list of features (i.e. beachfront, free wifi, etc.)"

+ }

+ },

+ "required": ["location"],

+ },

+ }

+]

+response = openai.ChatCompletion.create(

+ engine="gpt-35-turbo-0613",

+ messages=messages,

+ functions=functions,

+ function_call="auto",

+)

+print(response['choices'][0]['message'])

+```

+The response from the API includes a `function_call` property if the model determines that a function should be called. The `function_call` property includes the name of the function to call and the arguments to pass to the function. The arguments are a JSON string that you can parse and use to call your function.

+```json

+{

+ "role": "assistant",

+ "function_call": {

+ "name": "search_hotels",

+ "arguments": "{\n \"location\": \"San Diego\",\n \"max_price\": 300,\n \"features\": \"beachfront,free breakfast\"\n}"

+ }

+}

+```

+In some cases, the model may generate both `content` and a `function_call`. For example, for the prompt above the content could say something like "Sure, I can help you find some hotels in San Diego that match your criteria" along with the function_call.

+## Working with function calling

+The following section goes into additional detail on how to effectively use functions with the Chat Completions API.

+### Defining functions

+A function has three main parameters: `name`, `description`, and `parameters`. The `description` parameter is used by the model to determine when and how to call the function so it's important to give a meaningful description of what the function does.

+`parameters` is a JSON schema object that describes the parameters that the function accepts. You can learn more about JSON schema objects in the [JSON schema reference](https://json-schema.org/understanding-json-schema/).

+If you want to describe a function that doesn't accept any parameters, use `{"type": "object", "properties": {}}` as the value for the `parameters` property.

+### Managing the flow with functions

+```python

+response = openai.ChatCompletion.create(

+ deployment_id="gpt-35-turbo-0613",

+ messages=messages,

+ functions=functions,

+ function_call="auto",

+)

+response_message = response["choices"][0]["message"]

+# Check if the model wants to call a function

+if response_message.get("function_call"):

+ # Call the function. The JSON response may not always be valid so make sure to handle errors

+ function_name = response_message["function_call"]["name"]

+ available_functions = {

+ "search_hotels": search_hotels,

+ }

+ function_args = json.loads(response_message["function_call"]["arguments"])

+ function_response = fuction_to_call(**function_args)

+ # Add the assistant response and function response to the messages

+ messages.append( # adding assistant response to messages

+ {

+ "role": response_message["role"],

+ "name": response_message["function_call"]["name"],

+ "content": response_message["function_call"]["arguments"],

+ }

+ )

+ messages.append( # adding function response to messages

+ {

+ "role": "function",

+ "name": function_name,

+ "content": function_response,

+ }

+ )

+ # Call the API again to get the final response from the model

+ second_response = openai.ChatCompletion.create(

+ messages=messages,

+ deployment_id="gpt-35-turbo-0613"

+ # optionally, you could provide functions in the second call as well

+ )

+ print(second_response["choices"][0]["message"])

+else:

+ print(response["choices"][0]["message"])

+```

+In the example above, we don't do any validation or error handling so you'll want to make sure to add that to your code.

+For a full example of working with functions, see the [sample notebook on function calling](https://aka.ms/oai/functions-samples). You can also apply more complex logic to chain multiple function calls together, which is covered in the sample as well.

+### Prompt engineering with functions

+When you define a function as part of your request, the details are injected into the system message using specific syntax that the model has been trained on. This means that functions consume tokens in your prompt and that you can apply prompt engineering techniques to optimize the performance of your function calls. The model uses the full context of the prompt to determine if a function should be called including function definition, the system message, and the user messages.

+#### Improving quality and reliability

+If the model isn't calling your function when or how you expect, there are a few things you can try to improve the quality.

+##### Provide more details in your function definition

+It's important that you provide a meaningful `description` of the function and provide descriptions for any parameter that might not be obvious to the model. For example, in the description for the `location` parameter, you could include extra details and examples on the format of the location.

+```json

+"location": {

+ "type": "string",

+ "description": "The location of the hotel. The location should include the city and the state's abbreviation (i.e. Seattle, WA or Miami, FL)"

+},

+```

+##### Provide more context in the system message

+The system message can also be used to provide more context to the model. For example, if you have a function called `search_hotels` you could include a system message like the following to instruct the model to call the function when a user asks for help with finding a hotel.

+```json

+{"role": "system", "content": "You're an AI assistant designed to help users search for hotels. When a user asks for help finding a hotel, you should call the search_hotels function."}

+```

+##### Instruct the model to ask clarifying questions

+In some cases, you may want to instruct the model to ask clarifying questions. This is helpful to prevent the model from making assumptions about what values to use with functions. For example, with `search_hotels` you would want the model to ask for clarification if the user request didn't include details on `location`. To instruct the model to ask a clarifying question, you could include content like the following in your system message.

+```json

+{"role": "system", "content": "Don't make assumptions about what values to use with functions. Ask for clarification if a user request is ambiguous."}

+```

+#### Reducing errors

+Another area where prompt engineering can be valuable is in reducing errors in function calls. The models have been trained to generate function calls matching the schema that you define, but the models may produce a function call that doesn't match the schema you defined or it may try to call a function that you didn't include.

+If you find the model is generating function calls that weren't provided, try including a sentence in the system message that says `"Only use the functions you have been provided with."`.

+## Using function calling responsibly

+Like any AI system, using function calling to integrate language models with other tools and systems presents potential risks. ItΓÇÖs important to understand the risks that function calling could present and take measures to ensure you use the capabilities responsibly.

+Here are a few tips to help you use functions safely and securely:

+* **Validate Function Calls**: Always verify the function calls generated by the model. This includes checking the parameters, the function being called, and ensuring that the call aligns with the intended action.

+* **Use Trusted Data and Tools**: Only use data from trusted and verified sources. Untrusted data in a functionΓÇÖs output could be used to instruct the model to write function calls in a way other than you intended.

+* **Follow the Principle of Least Privilege**: Grant only the minimum access necessary for the function to perform its job. This reduces the potential impact if a function is misused or exploited. For example, if youΓÇÖre using function calls to query a database, you should only give your application read-only access to the database. You also shouldnΓÇÖt depend solely on excluding capabilities in the function definition as a security control.

+* **Consider Real-World Impact**: Be aware of the real-world impact of function calls that you plan to execute, especially those that trigger actions such as executing code, updating databases, or sending notifications.

+* **Implement User Confirmation Steps**: Particularly for functions that take actions, we recommend including a step where the user confirms the action before it's executed.

+To learn more about our recommendations on how to use Azure OpenAI models responsibly, see the [Overview of Responsible AI practices for Azure OpenAI models](/legal/cognitive-services/openai/overview?context=/azure/ai-services/openai/context/context).

+## Next steps

+* [Learn more about Azure OpenAI](../overview.md).

+* For more examples on working with functions, check out the [Azure OpenAI Samples GitHub repository](https://aka.ms/oai/function-samples)

+* Get started with the GPT-35-Turbo model with [the GPT-35-Turbo quickstart](../chatgpt-quickstart.md).

+## Prerequisites

+> [!IMPORTANT]

+> Quota requires the **Cognitive Services Usages Reader** role. This role provides the minimal access necessary to view quota usage across an Azure subscription. This role can be found in the Azure portal under **Subscriptions** > **Access control (IAM)** > **Add role assignment** > search for **Cognitive Services Usages Reader**.

+## Azure OpenAI embeddings multiple input support

+OpenAI currently allows a larger number of array inputs with text-embedding-ada-002. Azure OpenAI currently supports input arrays up to 16 for text-embedding-ada-002 Version 2. Both require the max input token limit per API request to remain under 8191 for this model.

+inputs = ["A", "B", "C"]

+inputs = ["A", "B", "C"] #max array size=16

+embedding = openai.Embedding.create(

+ input=inputs,

+ deployment_id="text-embedding-ada-002"

+ #engine="text-embedding-ada-002"

+)

+- `2023-07-01-preview` [Swagger spec](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/generated.json)

+| ```messages``` | array | Required | | The collection of context messages associated with this chat completions request. Typical usage begins with a [chat message](#chatmessage) for the System role that provides instructions for the behavior of the assistant, followed by alternating messages between the User and Assistant roles.|

+|```function_call```| | Optional | | Controls how the model responds to function calls. "none" means the model does not call a function, and responds to the end-user. "auto" means the model can pick between an end-user or calling a function. Specifying a particular function via {"name": "my_function"} forces the model to call that function. "none" is the default when no functions are present. "auto" is the default if functions are present. This parameter requires API version [`2023-07-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/generated.json) |

+|```functions``` | [`FunctionDefinition[]`](#functiondefinition) | Optional | | A list of functions the model may generate JSON inputs for. This parameter requires API version [`2023-07-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/generated.json)|

+### ChatMessage

+A single, role-attributed message within a chat completion interaction.

+| Name | Type | Description |

+||||

+| content | string | The text associated with this message payload.|

+| function_call | [FunctionCall](#functioncall)| The name and arguments of a function that should be called, as generated by the model. |

+| name | string | The `name` of the author of this message. `name` is required if role is `function`, and it should be the name of the function whose response is in the `content`. May contain a-z, A-Z, 0-9, and underscores, with a maximum length of 64 characters.|

+|role | [ChatRole](#chatrole) | The role associated with this message payload |

+### ChatRole

+A description of the intended purpose of a message within a chat completions interaction.

+|Name | Type | Description |

+||||

+| assistant | string | The role that provides responses to system-instructed, user-prompted input. |

+| function | string | The role that provides function results for chat completions. |

+| system | string | The role that instructs or sets the behavior of the assistant. |

+| user | string | The role that provides input for chat completions. |

+### FunctionCall

+The name and arguments of a function that should be called, as generated by the model. This requires API version [`2023-07-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/generated.json)

+| Name | Type | Description|

+||||

+| arguments | string | The arguments to call the function with, as generated by the model in JSON format. Note that the model does not always generate valid JSON, and may fabricate parameters not defined by your function schema. Validate the arguments in your code before calling your function. |

+| name | string | The name of the function to call.|

+### FunctionDefinition

+The definition of a caller-specified function that chat completions may invoke in response to matching user input. This requires API version [`2023-07-01-preview`](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/preview/2023-07-01-preview/generated.json)

+|Name | Type| Description|

+||||

+| description | string | A description of what the function does. The model will use this description when selecting the function and interpreting its parameters. |

+| name | string | The name of the function to be called. |

+| parameters | | The parameters the functions accepts, described as a [JSON Schema](https://json-schema.org/understanding-json-schema/) object.|

+Learn about [ Models, and fine-tuning with the REST API](/rest/api/cognitiveservices/azureopenaistable/files).

+## July 2023

+### Support for function calling

+- [Azure OpenAI now supports function calling](./how-to/function-calling.md) to enable you to work with functions in the chat completions API.

+### Embedding input array increase

+- Azure OpenAI now [supports arrays with up to 16 inputs](./how-to/switching-endpoints.md#azure-openai-embeddings-multiple-input-support) per API request with text-embedding-ada-002 Version 2.

+az aks update --resource-group myResourceGroup --name myAKSCluster --disable-pod-identity

+* KMS etcd encryption doesn't work with system-assigned managed identity. The key vault access policy is required to be set before the feature is enabled. In addition, system-assigned managed identity isn't available until cluster creation. Consequently, there's a cycle dependency.

+* Azure Key Vault with Firewall enabled to allow public access isn't supported. It blocks traffic from KMS plugin to the Key Vault.

+* Using the Virtual Machine Scale Sets API to scale the nodes in the cluster down to zero deallocates the nodes, causing the cluster to go down and become unrecoverable.

+* After you disable KMS, you can't destroy the keys. Otherwise, it causes the API server to stop working.

+>

+- If the loggers configured at the two levels are different, and you need both loggers to receive telemetry (multiplexing), please contact Microsoft Support. Please note that multiplexing is not supported if you're using the same logger (Application Insights destination) at the "All APIs" level and the single API level. For multiplexing to work correctly, you must configure different loggers at the "All APIs" and individual API level and request assistance from Microsoft support to enable multiplexing for your service.

+ <set-method>...</set-method>

+- [In the Azure portal](#in-azure-portal)

+Sign in to the [Azure portal](https://portal.azure.com).

+1. To start creating a Node.js app, browse to [https://portal.azure.com/#create/Microsoft.WebSite](https://portal.azure.com/#create/Microsoft.WebSite).

+* [Using the Azure portal](create-multiple-sites-portal.md)

+Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+* To troubleshoot general problems with the feature, see [Troubleshoot Change Tracking and Inventory issues](../troubleshoot/change-tracking.md).

+Sign in to the [Azure portal](https://portal.azure.com).

+* To troubleshoot general problems with the feature, see [Troubleshoot Change Tracking and Inventory issues](../troubleshoot/change-tracking.md).

+Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+* To troubleshoot problems with the Linux update agent, see [Troubleshoot Linux update agent issues](../troubleshoot/update-agent-issues-linux.md).

+1. From your browser, sign in to the [Azure portal](https://portal.azure.com).

+* Azure Linux (CBL-Mariner) 1.0, 2.0

+* **Both primary and replica** - When both cache nodes are rebooted, Azure Cache for Redis will attempt to gracefully reboot both nodes, waiting for one to finish before rebooting the other. Typically, data loss does not occur. However, data loss can still occur do to unexpected maintenance events or failures. Rebooting your cache many times in a row increases the odds of data loss.

+To test the resiliency of your application against failure of the primary node of your cache, reboot the **Primary** node. To test the resiliency of your application against failure of the replica node, reboot the **Replica** node.

+If you reboot both the **Primary** and **Replica** nodes, all data in the cache (or in that shard when you're using a premium cache with clustering enabled) like likely be safe. However, the data may be lost in some cases. Rebooting both nodes should be taken with caution.

+ The code in `RedisConnection.cs` looks to this value when running local.

+ ```csharp

+ public const string connectionString = "redisConnectionString";

+ ```

+ - Choose **.NET 6 (LTS)** as the runtime stack

+1. In the working pane, you see **Application settings**. In the **Connection strings** section, select **New connection string**.

+1. Then, type `redisConnectionString` as the **Name**, with your connection string as the **Value**. Set **Type** to _Custom_, and select **Ok** to close the menu. Then, select **Save** on the Configuration page to confirm. The functions app restarts with the new connection string information.

+>If you're running functions apps using an unsupported runtime or language version, you may encounter issues and performance implications and will be required to upgrade before receiving support for your function app.

+|SHI, Inc.|MSFederal@shi.com|888-764-8888|

+az monitor alert-processing-rule update --resource-group RG1 --name MyRule --enabled true

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.15.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.15.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.15.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.15.jar" -jar <myapp.jar>

+COPY agent/applicationinsights-agent-3.4.15.jar applicationinsights-agent-3.4.15.jar

+ENTRYPOINT["java", "-javaagent:applicationinsights-agent-3.4.15.jar", "-jar", "app.jar"]

+In this example we have copied the `applicationinsights-agent-3.4.15.jar` and `applicationinsights.json` files from an `agent` folder (you can choose any folder of your machine). These two files have to be in the same folder in the Docker container.

+JAVA_OPTS="$JAVA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.15.jar"

+CATALINA_OPTS="$CATALINA_OPTS -javaagent:path/to/applicationinsights-agent-3.4.15.jar"

+If the file `<tomcat>/bin/setenv.sh` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.15.jar` to `CATALINA_OPTS`.

+set CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.15.jar

+set "CATALINA_OPTS=%CATALINA_OPTS% -javaagent:path/to/applicationinsights-agent-3.4.15.jar"

+If the file `<tomcat>/bin/setenv.bat` already exists, modify that file and add `-javaagent:path/to/applicationinsights-agent-3.4.15.jar` to `CATALINA_OPTS`.

+Locate the file `<tomcat>/bin/tomcat8w.exe`. Run that executable and add `-javaagent:path/to/applicationinsights-agent-3.4.15.jar` to the `Java Options` under the `Java` tab.

+Add `-javaagent:path/to/applicationinsights-agent-3.4.15.jar` to the existing `JAVA_OPTS` environment variable in the file `JBOSS_HOME/bin/standalone.conf` (Linux) or `JBOSS_HOME/bin/standalone.conf.bat` (Windows):

+ JAVA_OPTS="-javaagent:path/to/applicationinsights-agent-3.4.15.jar -Xms1303m -Xmx1303m ..."

+Add `-javaagent:path/to/applicationinsights-agent-3.4.15.jar` to the existing `jvm-options` in `JBOSS_HOME/domain/configuration/host.xml`:

+ <option value="-javaagent:path/to/applicationinsights-agent-3.4.15.jar"/>

+-javaagent:path/to/applicationinsights-agent-3.4.15.jar

+Add `-javaagent:path/to/applicationinsights-agent-3.4.15.jar` to the existing `jvm-options` in `glassfish/domains/domain1/config/domain.xml`:

+ -javaagent:path/to/applicationinsights-agent-3.4.15.jar>

+ -javaagent:path/to/applicationinsights-agent-3.4.15.jar

+-javaagent:path/to/applicationinsights-agent-3.4.15.jar

+Add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.15.jar"` somewhere before `-jar`, for example:

+java -javaagent:"path/to/applicationinsights-agent-3.4.15.jar" -jar <myapp.jar>

+If you're using the *exec* form, add the parameter `-javaagent:"path/to/applicationinsights-agent-3.4.15.jar"` to the parameter list somewhere before the `"-jar"` parameter, for example:

+ENTRYPOINT ["java", "-javaagent:path/to/applicationinsights-agent-3.4.15.jar", "-jar", "<myapp.jar>"]

+If you're using the *shell* form, add the JVM arg `-javaagent:"path/to/applicationinsights-agent-3.4.15.jar"` somewhere before `-jar`, for example:

+ENTRYPOINT java -javaagent:"path/to/applicationinsights-agent-3.4.15.jar" -jar <myapp.jar>

+ <version>3.4.15</version>

+By default, Application Insights Java 3.x expects the configuration file to be named `applicationinsights.json`, and to be located in the same directory as `applicationinsights-agent-3.4.15.jar`.

+If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.15.jar` is located.

+If you specify a relative path, it's resolved relative to the directory where `applicationinsights-agent-3.4.15.jar` is located.

+ <version>3.4.15</version>

+`applicationinsights-agent-3.4.15.jar` is located.

+-javaagent:path/to/applicationinsights-agent-3.4.15.jar

+```csharp

+var tracerProvider = Sdk.CreateTracerProviderBuilder()

+ .AddAzureMonitorTraceExporter(options =>

+ {

+ options.SamplingRatio = 0.1F;

+ });

+```

+This article describes how to enable and configure OpenTelemetry-based data collection to power the experiences within [Azure Monitor Application Insights](app-insights-overview.md#application-insights-overview). We walk through how to install the "Azure Monitor OpenTelemetry Distro". The Distro will [automatically collect](opentelemetry-add-modify.md#automatic-data-collection) traces, metrics, logs, and exceptions across your application and its dependencies. To learn more about collecting data using OpenTelemetry, see [Data Collection Basics](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).

+Download the [applicationinsights-agent-3.4.15.jar](https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.15/applicationinsights-agent-3.4.15.jar) file.

+Point the JVM to the jar file by adding `-javaagent:"path/to/applicationinsights-agent-3.4.15.jar"` to your application's JVM args.

+ Create a configuration file named `applicationinsights.json`, and place it in the same directory as `applicationinsights-agent-3.4.15.jar` with the following content:

+You can select and drag on the chart to zoom into a section of a chart. Zooming updates the chart's time range to span your selection. If the time grain is set to Automatic, zooming selects a smaller time grain. The new time range applies to all charts in Metrics.

+When you add a metric to a chart, Metrics Explorer applies a default aggregation. The default makes sense in basic scenarios, but you can use a different aggregation to gain more insights about the metric.

+Before you use different aggregations on a chart, you should understand how Metrics Explorer handles them. Metrics are a series of measurements (or "metric values") that are captured over a time period. When you plot a chart, the values of the selected metric are separately aggregated over the *time granularity*.

+You select the size of the time grain by using Metrics Explorer's time picker panel. If you don't explicitly select the time grain, the currently selected time range is used by default. After the time grain is determined, the metric values that were captured during each time grain are aggregated on the chart, one data point per time grain.

+For example, suppose a chart shows the *Server response time* metric. It uses the *average* aggregation over time span of the *last 24 hours*. In this example:

+- If the time granularity is set to 30 minutes, the chart is drawn from 48 aggregated data points. That is, 2 data points per hour for 24 hours. The line chart connects 48 dots in the chart plot area. Each data point represents the *average* of all captured response times for server requests that occurred during each of the relevant 30-minute time periods.

+- If you switch the time granularity to 15 minutes, you get 96 aggregated data points. That is, 4 data points per hour for 24 hours.

+Metrics Explorer has five aggregation types:

+- **Sum**: The sum of all values captured during the aggregation interval. The *sum* aggregation is sometimes called the *total* aggregation.

+- **Max**: The largest value captured during the aggregation interval.

+ :::image type="content" source="media/metrics-charts/aggregations.png" alt-text="A screenshot showing the aggregation dropdown." lightbox="media/metrics-charts/aggregations.png":::

+Metrics Explorer hides the aggregations that are irrelevant and can't be used.

+For a deeper discussion of how metric aggregation works, see [Azure Monitor metrics aggregation and display explained](metrics-aggregation-explained.md).

+You can apply filters to charts whose metrics have dimensions. For example, imagine a *Transaction count* metric that has a *Response type* dimension. This dimension indicates whether the response from transactions succeeded or failed. If you filter on this dimension, a chart line is displayed for only successful or only failed transactions.

+1. Select a dimension from the **Property** dropdown to filter.

+ :::image type="content" source="./media/metrics-charts/filter-property.png" alt-text="Screenshot that shows the filter properties dropdown." lightbox="./media/metrics-charts/filter-property.png":::

+ :::image type="content" source="./media/metrics-charts/filter-operator.png" alt-text="Screenshot that shows the operator you can use with the filter." lightbox="./media/metrics-charts/filter-operator.png":::

+ :::image type="content" source="./media/metrics-charts/filter-values.png" alt-text="Screenshot that shows the filter values dropdown." lightbox="./media/metrics-charts/filter-values.png":::

+1. After selecting the filter values, click away from the filter selector to close it. The chart shows how many storage transactions have failed:

+ :::image type="content" source="./media/metrics-charts/filtered-chart.png" alt-text="Screenshot that shows the successful filtered storage transactions." lightbox="./media/metrics-charts/filtered-chart.png":::

+1. Choose dimensions on which to segment your chart:

+ :::image type="content" source="./media/metrics-charts/apply-splitting.png" alt-text="Screenshot that shows the selected dimension on which to segment the chart." lightbox="./media/metrics-charts/apply-splitting.png":::

+ The chart shows multiple lines, one for each dimension segment:

+ :::image type="content" source="./media/metrics-charts/segment-dimension.png" alt-text="Screenshot that shows multiple lines, one for each segment of dimension." lightbox="./media/metrics-charts/segment-dimension.png":::

+ :::image type="content" source="./media/metrics-charts/segment-dimension-limit.png" alt-text="Screenshot that shows split limit, which restricts the number of values after splitting." lightbox="./media/metrics-charts/segment-dimension-limit.png":::

+

+ :::image type="content" source="./media/metrics-charts/segment-dimension-sort.png" alt-text="Screenshot that shows sort order on split values." lightbox="./media/metrics-charts/segment-dimension-sort.png":::

+1. Segment by multiple segments by selecting multiple dimensions from the values dropdown. The legends shows a comma-separated list of dimension values for each segment

+ :::image type="content" source="./media/metrics-charts/segment-dimension-multiple.png" alt-text="Screenshot that shows multiple segments selected, and the corresponding chart." lightbox="./media/metrics-charts/segment-dimension-multiple.png":::

+1. Click away from the grouping selector to close it.

+ > [!TIP]

+1. To control the y-axis range, open the chart menu **...**. Then select **Chart settings** to access advanced chart settings.

+ :::image source="./media/metrics-charts/select-chart-settings.png" alt-text="Screenshot that highlights the chart settings selection." lightbox="./media/metrics-charts/select-chart-settings.png":::

+1. Modify the values in the **Y-axis range** section, or select **Auto** to revert to the default values.

+ :::image type="content" source="./media/metrics-charts/chart-settings.png" alt-text="Screenshot that shows the Y-axis range section." lightbox="./media/metrics-charts/chart-settings.png":::

+

+> [!NOTE]

+> If you lock the boundaries of the y-axis for charts that tracks count, sum, min, or max aggregations over a period of time, specify a fixed time granularity. Don't rely on the automatic defaults.

+> A fixed time granularity is chosen because chart values change when the time granularity is automatically modified when a user resizes a browser window or changes screen resolution. The resulting change in time granularity affects the appearance of the chart, invalidating the selection of the y-axis range.

+Chart lines are automatically assigned a color from a default palette.

+To change the color of a chart line, select the colored bar in the legend that corresponds to the line on the chart. Use the color picker to select the line color.

+Customized colors are preserved when you pin the chart to a dashboard. The following section shows how to pin a chart.

+After you configure a chart, you can add it to a dashboard or workbook. By adding a chart to a dashboard or workbook, you can make it accessible to your team. You can also gain insights by viewing it in the context of other monitoring information.

+To create an alert rule,

+1. Select **New alert rule** in the upper-right corner of the chart

+1. On the **Condition** tab, the **Signal name** is defaulted to the metric from your chart. You can choose a different metric.

+1. Enter a **Threshold value**. The threshold value is the value that triggers the alert. The Preview chart shows the threshold value as a horizontal line over the metric values.

+1. Select the **Details** tab.

+1. On the **Details** tab, enter a **Name** and **Description** for the alert rule.

+1. Select a **Severity** level for the alert rule. Severities include Critical, Error Warning, Informational, and Verbose.

+1. Select **Review + create** to review the alert rule, then select **Create** to create the alert rule.

+**Drill into Logs** helps you diagnose the root cause of anomalies in your metrics chart. Drilling into logs allows you to correlate spikes in your metrics chart to logs and queries.

+The following table summarizes the types of logs and queries provided:

+| Diagnostic log | Provides insight into operations that were performed within an Azure resource (the data plane). For example, getting a secret from a Key Vault or making a request to a database. The content of resource logs varies by the Azure service and resource type. You must enable logs for the resource. |

+| Recommended log | Scenario-based queries that you can use to investigate anomalies in Metrics Explorer. |

+Currently, Drill into Logs is available for select resource providers. The following resource providers offer the complete Drill into Logs experience:

+ :::image source="./media/metrics-charts/drill-into-log-ai.png" alt-text="Screenshot that shows a spike in failures in app insights metrics pane." lightbox="./media/metrics-charts/drill-into-log-ai.png":::

+ Authorization: Bearer <your access token>

+## Permissions required

+- To view or use functions, you need `Microsoft.OperationalInsights/workspaces/query/*/read` permissions to the Log Analytics workspace, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example.

+- To create or edit functions, you need `microsoft.operationalinsights/workspaces/savedSearches/write` permissions to the Log Analytics workspace, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example.

+In this tutorial, you learn to write log queries in Azure Monitor. The article shows you how to:

+This query searches the `SecurityEvent` table for records that contain the phrase "Cryptographic." Of those records, 10 records are returned and displayed. If you omit the `in (SecurityEvent)` part and run only `search "Cryptographic"`, the search goes over *all* tables. The process would then take longer and be less efficient.

+* Central India

+* Switzerland West

+>[!IMPORTANT]

+>To ensure a resilient architecture, it is crucial to recognize that the cloud operates under a _shared responsibility_ model. This model encompasses the Azure cloud platform, its infrastructure services, the OS-layer, and application vendors. Each of these components plays a vital role in gracefully handling potential application disruptions that may arise during storage service maintenance events.

+>[!CAUTION]

+>Custom applications are not supported with SMB Continuous Availability and cannot be used with SMB Continuous Availability enabled volumes.

+## Get Help with a support request

+To get more help with managing the support request, go to the Azure portal and create a case for the Issue type, "Technical", choose "All Services", Service type, "Portal" and Problem type "Issue with Support Ticket Experience".

+ -Name "<deployment-stack-name>" `

+ -ResourceGroupName "<resource-group-name>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DenySettingsMode "none"

+ --name '<deployment-stack-name>' \

+ --resource-group '<resource-group-name>' \

+ --template-file '<bicep-file-name>' \

+ --deny-settings-mode 'none'

+ -Name "<deployment-stack-name>" `

+ -Location "<location>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DeploymentResourceGroupName "<resource-group-name>" `

+ -DenySettingsMode "none"

+ --name '<deployment-stack-name>' \

+ --location '<location>' \

+ --template-file '<bicep-file-name>' \

+ --deployment-resource-group-name' <resource-group-name>' \

+ --deny-settings-mode 'none'

+ -Name "<deployment-stack-name>" `

+ -Location "<location>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DeploymentSubscriptionId "<subscription-id>" `

+ -DenySettingsMode "none"

+ --name '<deployment-stack-name>' \

+ --location '<location>' \

+ --template-file '<bicep-file-name>' \

+ --deployment-subscription-id '<subscription-id>' \

+ --deny-settings-mode 'none'

+ -ResourceGroupName "<resource-group-name>"

+ --resource-group '<resource-group-name>'

+ -ManagementGroupId "<management-group-id>"

+ --management-group-id '<management-group-id>'

+ -Name "<deployment-stack-name>" `

+ -ResourceGroupName "<resource-group-name>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DenySettingsMode "none"

+ --name '<deployment-stack-name>' \

+ --resource-group '<resource-group-name>' \

+ --template-file '<bicep-file-name>' \

+ --deny-settings-mode 'none'

+ -Name "<deployment-stack-name>" `

+ -Location "<location>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DeploymentResourceGroupName "<resource-group-name>" `

+ -DenySettingsMode "none"

+ --name '<deployment-stack-name>' \

+ --location '<location>' \

+ --template-file '<bicep-file-name>' \

+ --deployment-resource-group-name '<resource-group-name>' \

+ --deny-settings-mode 'none'

+ -Name "<deployment-stack-name>" `

+ -Location "<location>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DeploymentSubscriptionId "<subscription-id>" `

+ -DenySettingsMode "none"

+ --name '<deployment-stack-name>' \

+ --location '<location>' \

+ --template-file '<bicep-file-name>' \

+ --deployment-subscription-id '<subscription-id>' \

+ --deny-settings-mode 'none'

+ -Name "<deployment-stack-name" `

+ -TemplateFile "<bicep-file-name>" `

+ -DenySettingsMode "none" `

+- `delete-resource-groups`: use delete rather than detach for managed resource groups only. It"s invalid to use `delete-resource-groups` by itself. `delete-resource-groups` must be used together with `delete-resources`.

+ --name '<deployment-stack-name>' `

+ --location '<location>' `

+ --template-file '<bicep-file-name>' `

+ --deny-settings-mode 'none' `

+ -name "<deployment-stack-name>" `

+ -ResourceGroupName "<resource-group-name>" `

+ --name '<deployment-stack-name>' \

+ --resource-group '<resource-group-name>' \

+ -Name "<deployment-stack-name>" `

+ --name '<deployment-stack-name>' \

+ -Name "<deployment-stack-name>" `

+ -ManagementGroupId "<management-group-id>" `

+ --name '<deployment-stack-name>' \

+ --management-group-id '<management-group-id>' \

+(Get-AzResourceGroupDeploymentStack -Name "<deployment-stack-name>" -ResourceGroupName "<resource-group-name>").Resources

+ --name '<deployment-stack-name>' \

+ --resource-group '<resource-group-name>' \

+ --output 'json'

+(Get-AzSubscriptionDeploymentStack -Name "<deployment-stack-name>").Resources

+ --name '<deployment-stack-name>' \

+ --output 'json'

+(Get-AzManagementGroupDeploymentStack -Name "<deployment-stack-name>" -ManagementGroupId "<management-group-id>").Resources

+ --name '<deployment-stack-name>' \

+ --management-group-id '<management-group-id>' \

+ --output 'json'

+ -Name "<deployment-stack-name>" `

+ -ResourceGroupName "<resource-group-name>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DenySettingsMode "DenyDelete" `

+ -DenySettingsExcludedActions "Microsoft.Compute/virtualMachines/write Microsoft.StorageAccounts/delete" `

+ -DenySettingsExcludedPrincipals "<object-id>" "<object-id>"

+ --name '<deployment-stack-name>' \

+ --resource-group '<resource-group-name>' \

+ --template-file '<bicep-file-name>' \

+ --deny-settings-mode 'denyDelete' \

+ --deny-settings-excluded-actions 'Microsoft.Compute/virtualMachines/write Microsoft.StorageAccounts/delete' \

+ --deny-settings-excluded-principals '<object-id>' '<object-id>'

+ -Name "<deployment-stack-name>" `

+ -Location "<location>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DenySettingsMode "DenyDelete" `

+ -DenySettingsExcludedActions "Microsoft.Compute/virtualMachines/write Microsoft.StorageAccounts/delete" `

+ -DenySettingsExcludedPrincipals "<object-id>" "<object-id>"

+ --name '<deployment-stack-name>' \

+ --location '<location>' \

+ --template-file '<bicep-file-name>' \

+ --deny-settings-mode 'denyDelete' \

+ --deny-settings-excluded-actions 'Microsoft.Compute/virtualMachines/write Microsoft.StorageAccounts/delete' \

+ --deny-settings-excluded-principals '<object-id>' '<object-id>'

+ -Name "<deployment-stack-name>" `

+ -Location "<location>" `

+ -TemplateFile "<bicep-file-name>" `

+ -DenySettingsMode "DenyDelete" `

+ -DenySettingsExcludedActions "Microsoft.Compute/virtualMachines/write Microsoft.StorageAccounts/delete" `

+ -DenySettingsExcludedPrincipals "<object-id>" "<object-id>"

+ --name '<deployment-stack-name>' \

+ --location '<location>' \

+ --template-file '<bicep-file-name>' \

+ --deny-settings-mode 'denyDelete' \

+ --deny-settings-excluded-actions 'Microsoft.Compute/virtualMachines/write Microsoft.StorageAccounts/delete' \

+ --deny-settings-excluded-principals '<object-id>' '<object-id>'

+ --name '<deployment-stack-name>' \

+ --resource-group '<resource-group-name>'

+ --name '<deployment-stack-name>'

+ --name '<deployment-stack-name>' \

+ --management-group-id '<management-group-id>'

+* When you use an Instant Restore recovery point, you must restore the VM or disks to a subscription and resource group that don't require CMK-encrypted disks via Azure Policy.

+You can use the Azure Communication Services Calling SDK to add Enhanced Emergency dialing and Public Safety Answering Point (PSAP) callback support to your applications in the United States (US), Puerto Rico (PR), the United Kingdom (GB), Canada (CA), and Denmark (DK). The capability to dial 911 (in US, PR, and CA), to dial 112 (in DK), and to dial 999 or 112 (in GB) and receive a callback might be a requirement for your application. Verify the emergency calling requirements with your legal counsel.

+Calls to an emergency number are routed over the Microsoft network. Microsoft assigns a temporary phone number as the Call Line Identity (CLI) when a user places an emergency call from US, PR, GB, CA, or DK. Microsoft temporarily maintains a mapping of the phone number to the caller's identity.

+ - Microsoft supports US, PR, GB, CA, and DK country/region codes for emergency number dialing.

+ Title: Quickstart - Call to Teams user with Azure Communication Services

+description: In this quickstart, you learn how to make a call to Teams user with the Azure Communication Calling SDK.

+zone_pivot_groups: acs-plat-web-ios-android-windows

+# Quickstart: How to make a call between your application and Teams user

+In this quickstart, you're going to learn how to start a call from Azure Communication Services user to Teams user. You're going to achieve it with the following steps:

+1. Enable federation of Azure Communication Services resource with Teams Tenant.

+2. Find Teams user ID.

+3. Start a call with Azure Communication Services Calling SDK.

+## Get the Teams user Object ID

+All Teams information could be found in [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) using email in the search.

+```console

+https://graph.microsoft.com/v1.0/users/user-email@contoso.com

+```

+In results, we be able to find "ID" field

+```json

+ "userPrincipalName": "user-email@contoso.com",

+ "id": "31a011c2-2672-4dd0-b6f9-9334ef4999db"

+```

+Or the same ID could be found in [Azure portal](https://aka.ms/portal) in Users tab:

+

+## Clean up resources

+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).

+## Next steps

+For more information, see the following articles:

+- Check out our [calling hero sample](../../samples/calling-hero-sample.md)

+- Get started with the [UI Library](../ui-library/get-started-composites.md)

+- Learn about [Calling SDK capabilities](./getting-started-with-calling.md)

+- Learn more about [how calling works](../../concepts/voice-video-calling/about-call-types.md)

+ Title: Quickstart - Teams Auto Attendant on Azure Communication Services

+description: In this quickstart, you learn how to create and join a Teams Auto Attendant with the Azure Communication Calling SDK.

+# Quickstart: Join your calling app to a Teams Auto Attendant

+In this quickstart you are going to learn how to start a call from Azure Communication Services user to Teams Auto Attendant. You are going to achieve it with the following steps:

+1. Enable federation of Azure Communication Services resource with Teams Tenant.

+2. Select or create Teams Auto Attendant via Teams Admin Center.

+3. Get email address of Auto Attendant via Teams Admin Center.

+4. Get Object ID of the Auto Attendant via Graph API.

+5. Start a call with Azure Communication Services Calling SDK.

+If you'd like to skip ahead to the end, you can download this quickstart as a sample on [GitHub](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/add-1-on-1-cte-video-calling).

+## Create or select Teams Auto Attendant

+Teams Auto Attendant is system that provides an automated call handling system for incoming calls. It serves as a virtual receptionist, allowing callers to be automatically routed to the appropriate person or department without the need for a human operator. You can select existing or create new Auto Attendant via [Teams Admin Center](https://aka.ms/teamsadmincenter).

+Learn more about how to create Auto Attendant using Teams Admin Center [here](/microsoftteams/create-a-phone-system-auto-attendant?tabs=general-info).

+## Find Object ID for Auto Attendant

+After Auto Attendant is created, we need to find correlated Object ID to use it later for calls. Object ID is connected to Resource Account that was attached to Auto Attendant - open [Resource Accounts tab](https://admin.teams.microsoft.com/company-wide-settings/resource-accounts) in Teams Admin and find email of account.

+All required information for Resource Account can be found in [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) using this email in the search.

+```console

+https://graph.microsoft.com/v1.0/users/lab-test2-cq-@contoso.com

+```

+In results we'll are able to find "ID" field

+```json

+ "userPrincipalName": "lab-test2-cq@contoso.com",

+ "id": "31a011c2-2672-4dd0-b6f9-9334ef4999db"

+```

+## Clean up resources

+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).

+## Next steps

+For more information, see the following articles:

+- Check out our [calling hero sample](../../samples/calling-hero-sample.md)

+- Get started with the [UI Library](../ui-library/get-started-composites.md)

+- Learn about [Calling SDK capabilities](./getting-started-with-calling.md)

+- Learn more about [how calling works](../../concepts/voice-video-calling/about-call-types.md)

+ Title: Quickstart - Teams Call Queue on Azure Communication Services

+description: In this quickstart, you learn how to create and join a Teams call queue with the Azure Communication Calling SDK.

+# Quickstart: Join your calling app to a Teams call queue

+In this quickstart you are going to learn how to start a call from Azure Communication Services user to Teams Call Queue. You are going to achieve it with the following steps:

+1. Enable federation of Azure Communication Services resource with Teams Tenant.

+2. Select or create Teams Call Queue via Teams Admin Center.

+3. Get email address of Call Queue via Teams Admin Center.

+4. Get Object ID of the Call Queue via Graph API.

+5. Start a call with Azure Communication Services Calling SDK.

+If you'd like to skip ahead to the end, you can download this quickstart as a sample on [GitHub](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/add-1-on-1-cte-video-calling).

+## Create or select Teams Call Queue

+Teams Call Queue is a feature in Microsoft Teams that efficiently distributes incoming calls among a group of designated users or agents. It's useful for customer support or call center scenarios. Calls are placed in a queue and assigned to the next available agent based on a predetermined routing method. Agents receive notifications and can handle calls using Teams' call controls. The feature offers reporting and analytics for performance tracking. It simplifies call handling, ensures a consistent customer experience, and optimizes agent productivity. You can select existing or create new Call Queue via [Teams Admin Center](https://aka.ms/teamsadmincenter).

+Learn more about how to create Auto Attendant using Teams Admin Center [here](/microsoftteams/create-a-phone-system-auto-attendant?tabs=general-info).

+## Find Object ID for Call Queue

+After Call queue is created, we need to find correlated Object ID to use it later for calls. Object ID is connected to Resource Account that was attached to call queue - open [Resource Accounts tab](https://admin.teams.microsoft.com/company-wide-settings/resource-accounts) in Teams Admin and find email.

+All required information for Resource Account can be found in [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) using this email in the search.

+```console

+https://graph.microsoft.com/v1.0/users/lab-test2-cq-@contoso.com

+```

+In results we'll are able to find "ID" field

+```json

+ "userPrincipalName": "lab-test2-cq@contoso.com",

+ "id": "31a011c2-2672-4dd0-b6f9-9334ef4999db"

+```

+## Clean up resources

+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).

+## Next steps

+For more information, see the following articles:

+- Check out our [calling hero sample](../../samples/calling-hero-sample.md)

+- Get started with the [UI Library](../ui-library/get-started-composites.md)

+- Learn about [Calling SDK capabilities](./getting-started-with-calling.md)

+- Learn more about [how calling works](../../concepts/voice-video-calling/about-call-types.md)

+ Title: Azure Communication Services Web Calling SDK - Web push notifications

+# Azure Communication Services Web Calling SDK - Web push notifications quickstart

+Azure Communication Services Web Calling SDK - Web push notifications is in public preview and available as part of version 1.12.0-beta.2+.

+> [!NOTE]

+> You will not be able to make calls immediately. You need to complete the remaining steps in this guide before your resource is ready to handle traffic.

+## 9. Wait for provisioning to complete

+You now need to wait for your resource to be provisioned and connected to the Microsoft Teams environment. When your resource has been provisioned and connected, your onboarding team will contact you and the Provisioning Status filed on the resource overview will be "Complete". We recommend you check in periodically to see if your resource has been provisioned. This process can take up to two weeks, because updating ACLs in the Azure and Teams environments is done on a periodic basis.

+Sign in to the [Azure portal](https://portal.azure.com).

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (ASE v3 with Windows plans only) | Managed connector, which appears in the connector gallery under **Runtime** > **Shared**, and the built-in connector, which appears in the connector gallery under **Runtime** > **In-App** and is [service provider-based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). The built-in version differs in the following ways: <br><br>- The built-in version includes actions *and* triggers. <br><br>- The built-in connector can directly connect to an MQ server and access Azure virtual networks by using a connection string without an on-premises data gateway. <br><br>- The built-in version supports both server authentication and server-client authentication with TLS (SSL) encryption for data in transit, message encoding for both the send and receive operations, and Azure virtual network integration. <br><br>For more information, review the following documentation: <br><br>- [MQ managed connector reference](/connectors/mq) <br>- [MQ built-in connector reference](/azure/logic-apps/connectors/built-in/reference/mq/) <br>- [Built-in connectors in Azure Logic Apps](built-in.md) |

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | Managed connector, which appears in the connector gallery under **Runtime** > **Shared**, and the built-in connector, which appears in the connector gallery under **Runtime** > **In-App** and is [service provider-based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). The built-in connector differs in the following ways: <br><br>- The built-in connector can directly connect to an SQL database and access Azure virtual networks by using a connection string without an on-premises data gateway. <br><br>For more information, review the following documentation: <br><br>- [SQL Server managed connector reference](/connectors/sql/) <br>- [SQL Server built-in connector reference](/azure/logic-apps/connectors/built-in/reference/sql/) <br>- [Built-in connectors in Azure Logic Apps](built-in.md) |

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | Managed connector, which appears in the connector gallery under **Runtime** > **Shared**, and the built-in connector, which appears in the connector gallery under **Runtime** > **In-App** and is [service provider-based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). The built-in connector can directly connect to an SFTP server and access Azure virtual networks by using a connection string without an on-premises data gateway. For more information, review the following documentation: <br><br>- [SFTP-SSH managed connector reference](/connectors/sftpwithssh/) <br>- [SFTP built-in connector reference](/azure/logic-apps/connectors/built-in/reference/sftp/) <br><br>- [Managed connectors in Azure Logic Apps](managed.md) <br>- [Built-in connectors in Azure Logic Apps](built-in.md) |

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the Container App resource by name.

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the Container App resource by name.

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the Container App resource by name.

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the container app resource by name.

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the container app resource by name.

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the container app resource by name.

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the container app resource by name.

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the container app resource by name.

+1. Sign in to the [Azure portal](https://portal.azure.com) and search for the container app resource by name.

+| Database | Open-source PostgreSQL | Azure Database for PostgreSQL Flexible Server |

+Sign in to the [Azure portal](https://portal.azure.com).

+To configure geo-replication for your Premium registry, sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+The following example shows how to get a change feed on all the rows in a API for Cassandra Keyspace table using .NET. The predicate COSMOS_CHANGEFEED_START_TIME() is used directly within CQL to query items in the change feed from a specified start time (in this case current datetime). You can download the full sample, for C# [here](https://github.com/azure-samples/azure-cosmos-db-cassandra-change-feed) and for Java [here](https://github.com/Azure-Samples/cosmos-changefeed-cassandra-java).

+|Offline|[Azure Database Migration Service](../dms/tutorial-mongodb-cosmos-db.md)| MongoDB| Azure Cosmos DB for MongoDB| &bull; Makes use of the Azure Cosmos DB bulk executor library. <br/>&bull; Suitable for large datasets and takes care of replicating live changes. <br/>&bull; Works only with other MongoDB sources.|

+description: An Azure Cosmos DB for NoSQL system function that returns a string concatenated from two or more strings.

+- This function doesn't use the index.

+ Title: DateTimeAdd

+description: An Azure Cosmos DB for NoSQL system function that returns a datetime that's the resulting of adding a number to a part of the specified datetime.

+# DateTimeAdd (NoSQL query)

+Returns a date and time string value that is the result of adding a specified number value to the provided date and time string.

+DateTimeAdd(<date_time_part>, <numeric_expr> ,<date_time>)

+| | Description |

+| | |

+| **`date_time_part`** | A string representing a part of an ISO 8601 date format specification. This part is used to indicate which aspect of the date to modify by the related numeric expression. |

+| **`numeric_expr`** | A numeric expression resulting in a signed integer. |

+| **`date_time`** | A Coordinated Universal Time (UTC) date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`. |

+> [!NOTE]

+> For more information on the ISO 8601 format, see [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601).

+## Return types

+Returns a UTC date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`.

+The following example adds various values (one year, one month, one day, one hour) to the date **July 3, 2020** at **midnight (00:00 UTC)**. The example also subtracts various values (two years, two months, two days, two hours) from the same date. Finally, this example uses an expression to modify the seconds of the same date.

+## Remarks

+- This function returns `undefined` for these reasons:

+ - The specified date and time part is invalid.

+ - The numeric expression isn't a valid integer.

+ - The date and time in the argument isn't a valid ISO 8601 date and time string.

+- The ISO 8601 date format specifies valid date and time parts to use with this function:

+ | | Format |

+ | | |

+ | **Year** | `year`, `yyyy`, `yy` |

+ | **Month** | `month`, `mm`, `m` |

+ | **Day** | `day`, `dd`, `d` |

+ | **Hour** | `hour`, `hh` |

+ | **Minute** | `minute`, `mi`, `n` |

+ | **Second** | `second`, `ss`, `s` |

+ | **Millisecond** | `millisecond`, `ms` |

+ | **Microsecond** | `microsecond`, `mcs` |

+ | **Nanosecond** | `nanosecond`, `ns` |

+- [`DateTimeBin`](datetimebin.md)

+ Title: DateTimeBin

+description: An Azure Cosmos DB for NoSQL system function that returns a date and time that's the resulting of binning (rounding) a part of the specified datetime.

+# DateTimeBin (NoSQL query)

+Returns a date and time string value that is the result of binning (or rounding) a part of the provided date and time string.

+## Syntax

+```sql

+DateTimeBin(<date_time> , <date_time_part> [, <bin_size>] [, <bin_start_date_time>])

+```

+## Arguments

+| | Description |

+| | |

+| **`date_time`** | A Coordinated Universal Time (UTC) date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`. |

+| **`date_time_part`** | A string representing a part of an ISO 8601 date format specification. This part is used to indicate which aspect of the date to bin. Specifically, this part argument represents the level of granularity for binning (or rounding). The minimum granularity for the part is **days** and the maximum granularity is **nanoseconds**. |

+| **`bin_size` *(Optional)*** | An optional numeric value specifying the size of the bin. If not specified, the default value is `1`. |

+| **`bin_start_date_time` *(Optional)*** | An optional Coordinated Universal Time (UTC) date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`. This date and time argument specifies the start date to bin from. If not specified, the default value is the Unix epoch `1970-01-01T00:00:00.000000Z`. |

+> [!NOTE]

+> For more information on the ISO 8601 format, see [ISO 8601](https://wikipedia.org/wiki/ISO_8601). For more information on the Unix epoch, see [Unix time](https://wikipedia.org/wiki/unix_time).

+## Return types

+Returns a UTC date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`.

+## Examples

+The following example bins the date **January 8, 2021** at **18:35 UTC** by various values. The example also changes the bin size, and the bin start date and time.

+## Remarks

+- This function returns `undefined` for these reasons:

+ - The specified date and time part is invalid.

+ - The bin size value isn't a valid integer, is zero, or is negative.

+ - The date and time in either argument isn't a valid ISO 8601 date and time string.

+ - The date and time for the bin start precedes the year `1601`, the Windows epoch.

+- The ISO 8601 date format specifies valid date and time parts to use with this function:

+ | | Format |

+ | | |

+ | **Day** | `day`, `dd`, `d` |

+ | **Hour** | `hour`, `hh` |

+ | **Minute** | `minute`, `mi`, `n` |

+ | **Second** | `second`, `ss`, `s` |

+ | **Millisecond** | `millisecond`, `ms` |

+ | **Microsecond** | `microsecond`, `mcs` |

+ | **Nanosecond** | `nanosecond`, `ns` |

+## Next steps

+- [System functions Azure Cosmos DB](system-functions.yml)

+- [`DateTimeAdd`](datetimeadd.md)

+ Title: DateTimeDiff

+description: An Azure Cosmos DB for NoSQL system function that returns the difference of a specific part between two date and times.

+# DateTimeDiff (NoSQL query)

+Returns the difference, as a signed integer, of the specified date and time part between two date and time values.

+DateTimeDiff(<date_time_part>, <start_date_time>, <end_date_time>)

+| | Description |

+| | |

+| **`date_time_part`** | A string representing a part of an ISO 8601 date format specification. This part is used to indicate which aspect of the date to compare. |

+| **`start_date_time`** | A Coordinated Universal Time (UTC) date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`. |

+| **`end_date_time`** | A Coordinated Universal Time (UTC) date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`. |

+> [!NOTE]

+> For more information on the ISO 8601 format, see [ISO 8601](https://wikipedia.org/wiki/ISO_8601).

+## Return types

+Returns a numeric value that is a signed integer.

+The following examples compare **February 4, 2019 16:00 UTC** and **March 5, 2018 05:00 UTC** using various date and time parts.

+## Remarks

+- This function returns `undefined` for these reasons:

+ - The specified date and time part is invalid.

+ - The date and time in either start or end argument isn't a valid ISO 8601 date and time string.

+- The ISO 8601 date format specifies valid date and time parts to use with this function:

+ | | Format |

+ | | |

+ | **Day** | `day`, `dd`, `d` |

+ | **Hour** | `hour`, `hh` |

+ | **Minute** | `minute`, `mi`, `n` |

+ | **Second** | `second`, `ss`, `s` |

+ | **Millisecond** | `millisecond`, `ms` |

+ | **Microsecond** | `microsecond`, `mcs` |

+ | **Nanosecond** | `nanosecond`, `ns` |

+- The function always returns a signed integer value. The function returns a measurement of the number of boundaries crossed for the specified date and time part, not a measurement of the time interval.

+- [`DateTimeBin`](datetimebin.md)

+ Title: DateTimeFromParts

+description: An Azure Cosmos DB for NoSQL system function that returns a date and time constructed from various numeric inputs.

+# DateTimeFromParts (NoSQL query)

+Returns a date and time string value constructed from input numeric values for various date and time parts.

+DateTimeFromParts(<numeric_year>, <numeric_month>, <numeric_day> [, <numeric_hour>] [, <numeric_minute>] [, <numeric_second>] [, <numeric_second_fraction>])

+| | Description |

+| | |

+| **`numeric_year`** | A positive numeric integer value for the **year**. This argument is in the ISO 8601 format `yyyy`. |

+| **`numeric_month`** | A positive numeric integer value for the **month**. This argument is in the ISO 8601 format `mm`. |

+| **`numeric_day`** | A positive numeric integer value for the **day**. This argument is in the ISO 8601 format `dd`. |

+| **`numeric_hour` *(Optional)*** | An optional positive numeric integer value for the **hour**. This argument is in the ISO 8601 format `hh`. If not specified, the default value is `0`. |

+| **`numeric_minute` *(Optional)*** | An optional positive numeric integer value for the **minute**. This argument is in the ISO 8601 format `mm`. If not specified, the default value is `0`. |

+| **`numeric_second` *(Optional)*** | An optional positive numeric integer value for the **second**. This argument is in the ISO 8601 format `ss`. If not specified, the default value is `0`. |

+| **`numeric_second_fraction` *(Optional)*** | An optional positive numeric integer value for the **fractional of a second**. This argument is in the ISO 8601 format `fffffffZ`. If not specified, the default value is `0`. |

+> [!NOTE]

+> For more information on the ISO 8601 format, see [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601).

+Returns a UTC date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`.

+The following example uses various combinations of the arguments to create date and time strings. This example uses the date and time **April 20, 2017 13:15 UTC**.

+## Remarks

+- If the specified integers would create an invalid date and time, the function returns `undefined`.

+- [`DateTimePart`](datetimepart.md)

+ Title: DateTimePart

+description: An Azure Cosmos DB for NoSQL system function that returns the numeric value of a specific part of a date and time.

+# DateTimePart (NoSQL query)

+Returns the value of the specified date and time part for the provided date and time.

+DateTimePart(<date_time> , <date_time_part>)

+| | Description |

+| | |

+| **`date_time`** | A Coordinated Universal Time (UTC) date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`. |

+| **`date_time_part`** | A string representing a part of an ISO 8601 date format specification. This part is used to indicate which aspect of the date to extract and return. |

+> [!NOTE]

+> For more information on the ISO 8601 format, see [ISO 8601](https://wikipedia.org/wiki/ISO_8601).

+## Return types

+Returns a numeric value that is a positive integer.

+The following example returns various parts of the date and time **May 29, 2016 08:30 UTC**.

+## Remarks

+- This function returns `undefined` for these reasons:

+ - The specified date and time part is invalid.

+ - The date and time isn't a valid ISO 8601 date and time string.

+- The ISO 8601 date format specifies valid date and time parts to use with this function:

+ | | Format |

+ | | |

+ | **Year** | `year`, `yyyy`, `yy` |

+ | **Month** | `month`, `mm`, `m` |

+ | **Day** | `day`, `dd`, `d` |

+ | **Hour** | `hour`, `hh` |

+ | **Minute** | `minute`, `mi`, `n` |

+ | **Second** | `second`, `ss`, `s` |

+ | **Millisecond** | `millisecond`, `ms` |

+ | **Microsecond** | `microsecond`, `mcs` |

+ | **Nanosecond** | `nanosecond`, `ns` |

+- This function doesn't use the index.

+- [`DateTimeFromParts`](datetimefromparts.md)

+ Title: DateTimeToTicks

+description: An Azure Cosmos DB for NoSQL system function that returns the number of ticks, or 100 nanoseconds, since the Unix epoch.

+# DateTimeToTicks (NoSQL query)

+Converts the specified DateTime to ticks. A single tick represents `100` nanoseconds or `0.000000001`of a second.

+DateTimeToTicks(<date_time>)

+| | Description |

+| | |

+| **`date_time`** | A Coordinated Universal Time (UTC) date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`. |

+> [!NOTE]

+> For more information on the ISO 8601 format, see [ISO 8601](https://wikipedia.org/wiki/ISO_8601).

+## Return types

+Returns a signed numeric value, the current number of `100`-nanosecond ticks that have elapsed since the Unix epoch (January 1, 1970).

+> [!NOTE]

+> For more information on the Unix epoch, see [Unix time](https://wikipedia.org/wiki/unix_time).

+The following example measures the ticks since the date and time **May 19, 2015 12:00 UTC**.

+## Remarks

+- This function returns `undefined` if the date and time isn't a valid ISO 8601 date and time string.

+- This function doesn't use the index.

+- [`DateTimeToTimestamp`](datetimetotimestamp.md)

+ Title: DateTimeToTimestamp

+description: An Azure Cosmos DB for NoSQL system function that returns a numeric timestamp that represents the milliseconds since the Unix epoch.

+# DateTimeToTimestamp (NoSQL query)

+Converts the specified date and time to a numeric timestamp. The timestamp is a signed numeric integer that measures the milliseconds since the Unix epoch.

+DateTimeToTimestamp(<date_time>)

+| | Description |

+| | |

+| **`date_time`** | A Coordinated Universal Time (UTC) date and time string in the ISO 8601 format `YYYY-MM-DDThh:mm:ss.fffffffZ`. |

+> [!NOTE]

+> For more information on the ISO 8601 format, see [ISO 8601](https://wikipedia.org/wiki/ISO_8601).

+## Return types

+Returns a signed numeric value, the current number of milliseconds that have elapsed since the Unix epoch (January 1, 1970).

+> [!NOTE]

+> For more information on the Unix epoch, see [Unix time](https://wikipedia.org/wiki/unix_time).

+The following example converts the date and time **May 19, 2015 12:00 UTC** to a timestamp.

+## Remarks

+- This function returns `undefined` if the date and time isn't a valid ISO 8601 date and time string.

+- [`DateTimeToTicks`](datetimetoticks.md)

+ Title: DEGREES

+description: An Azure Cosmos DB for NoSQL system function that returns the angle in degrees for a radian value.

+# DEGREES (NoSQL query)

+Returns the corresponding angle in degrees for an angle specified in radians.

+DEGREES(<numeric_expr>)

+| | Description |

+| | |

+| **`numeric_expr`** | A numeric expression. |

+Returns a numeric expression.

+The following example returns the degrees for various radian values.

+- This function doesn't use the index.

+- [`RADIANS`](radians.md)

+ENDSWITH(<string_expr_1>, <string_expr_2> [, <bool_expr>])

+| **`string_expr_1`** | A string expression. |

+| **`string_expr_2`** | A string expression to be compared to the end of `string_expr_1`. |

+ Title: EXP

+description: An Azure Cosmos DB for NoSQL system function that returns the exponential value of the specified number.

+# EXP (NoSQL query)

+Returns the exponential value of the specified numeric expression.

+EXP(<numeric_expr>)

+```

+| | Description |

+| | |

+| **`numeric_expr`** | A numeric expression. |

+Returns a numeric expression.

+The following example returns the exponential value for various numeric inputs.

+## Remarks

+- The constant `e` (`2.718281…`), is the base of natural logarithms.

+- The exponent of a number is the constant `e` raised to the power of the number. For example, `EXP(1.0) = e^1.0 = 2.71828182845905` and `EXP(10) = e^10 = 22026.4657948067`.

+- The exponential of the natural logarithm of a number is the number itself: `EXP (LOG (n)) = n`. And the natural logarithm of the exponential of a number is the number itself: `LOG (EXP (n)) = n`.

+- [`LOG`](log.md)

+ Title: GetCurrentDateTime

+description: An Azure Cosmos DB for NoSQL system function that returns an ISO 8601 date and time value.

+# GetCurrentDateTime (NoSQL query)

+GetCurrentDateTime()

+Returns the current UTC date and time string value in the **round-trip** (ISO 8601) format.

+> For more information on the round-trip format, see [.NET round-trip format](/dotnet/standard/base-types/standard-date-and-time-format-strings#the-round-trip-o-o-format-specifier). For more information on the ISO 8601 format, see [ISO 8601](https://wikipedia.org/wiki/ISO_8601).

+The following example shows how to get the current UTC date and time string.

+## Remarks

+- This function is nondeterministic.

+- The result returned is UTC (Coordinated Universal Time) with precision of seven digits and an accuracy of 100 nanoseconds.

+- This function doesn't use the index.

+- If you need to compare values to the current time, obtain the current time before query execution and use that constant string value in the `WHERE` clause.

+- [`GetCurrentDateTimeStatic`](getcurrentdatetimestatic.md)

+Returns the current UTC date and time string value in the **round-trip** (ISO 8601) format.

+> [!NOTE]

+> For more information on the round-trip format, see [.NET round-trip format](/dotnet/standard/base-types/standard-date-and-time-format-strings#the-round-trip-o-o-format-specifier). For more information on the ISO 8601 format, see [ISO 8601](https://wikipedia.org/wiki/ISO_8601).

+- [`GetCurrentDateTime`](getcurrentdatetime.md)

+ Title: GetCurrentTicks

+description: An Azure Cosmos DB for NoSQL system function that returns a nanosecond ticks value.

+# GetCurrentTicks (NoSQL query)

+Returns the number of 100-nanosecond ticks that have elapsed since `00:00:00 Thursday, 1 January 1970`.

+GetCurrentTicks()

+Returns a signed numeric value that represents the current number of 100-nanosecond ticks that have elapsed since the Unix epoch (`00:00:00 Thursday, 1 January 1970`).

+## Examples

+The following example returns the current time measured in ticks:

+## Remarks

+- This function is nondeterministic.

+- The result returned is UTC (Coordinated Universal Time).

+- This function doesn't use the index.

+- If you need to compare values to the current time, obtain the current time before query execution and use that constant string value in the `WHERE` clause.

+- [`GetCurrentTicksStatic`](getcurrentticksstatic.md)

+- [`GetCurrentTicks`](getcurrentticks.md)

+ Title: GetCurrentTimestamp

+description: An Azure Cosmos DB for NoSQL system function that returns a timestamp value.

+# GetCurrentTimestamp (NoSQL query)

+Returns the number of milliseconds that have elapsed since `00:00:00 Thursday, 1 January 1970`.

+GetCurrentTimestamp()

+```

+Returns a signed numeric value that represents the current number of milliseconds that have elapsed since the Unix epoch (`00:00:00 Thursday, 1 January 1970`).

+## Examples

+The following example shows how to get the current timestamp.

+## Remarks

+- This function is nondeterministic.

+- The result returned is UTC (Coordinated Universal Time).

+- This function doesn't use the index.

+- If you need to compare values to the current time, obtain the current time before query execution and use that constant string value in the `WHERE` clause.

+- [`GetCurrentTimestampStatic`](getcurrenttimestampstatic.md)

+- [`GetCurrentTimestamp`](getcurrenttimestamp.md)

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+Returns a 64-bit integer.

+> [!NOTE]

+> For more information, see [__int64](/cpp/cpp/int8-int16-int32-int64).

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+ Title: IS_DEFINED

+description: An Azure Cosmos DB for NoSQL system function that returns true if the property has been assigned a value.

+# IS_DEFINED (NoSQL query)

+Returns a boolean indicating if the property has been assigned a value.

+| | Description |

+| | |

+| **`expr`** | Any expression. |

+Returns a boolean expression.

+The following example checks for the presence of a property within the specified JSON document.

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+- [`IS_NULL`](is-null.md)

+## Remarks

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+## Remarks

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+ Title: IS_NUMBER

+description: An Azure Cosmos DB for NoSQL system function that returns true if the type of the specified expression is a number.

+# IS_NUMBER (NoSQL query)

+Returns a boolean value indicating if the type of the specified expression is a number.

+| | Description |

+| | |

+| **`expr`** | Any expression. |

+Returns a boolean expression.

+The following example various values to see if they're a number.

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+- [`IS_FINITE_NUMBER`](is-finite-number.md)

+ Title: IS_OBJECT

+description: An Azure Cosmos DB for NoSQL system function that returns true if the type of the specified expression is a JSON object.

+# IS_OBJECT (NoSQL query)

+Returns a boolean value indicating if the type of the specified expression is a JSON object.

+| | Description |

+| | |

+| **`expr`** | Any expression. |

+Returns a boolean expression.

+The following example various values to see if they're an object.

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+- [`IS_PRIMITIVE`](is-primitive.md)

+ Title: IS_PRIMITIVE

+description: An Azure Cosmos DB for NoSQL system function that returns true if the type of the specified expression is a primitive (string, boolean, numeric, or null).

+# IS_PRIMITIVE (NoSQL query)

+Returns a boolean value indicating if the type of the specified expression is a primitive (string, boolean, numeric, or null).

+| | Description |

+| | |

+| **`expr`** | Any expression. |

+Returns a boolean expression.

+The following example various values to see if they're a primitive.

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+- [`IS_OBJECT`](is-object.md)

+ Title: IS_STRING

+description: An Azure Cosmos DB for NoSQL system function that returns true if the type of the specified expression is a string.

+# IS_STRING (NoSQL query)

+Returns a boolean value indicating if the type of the specified expression is a string.

+| | Description |

+| | |

+| **`expr`** | Any expression. |

+Returns a boolean expression.

+The following example various values to see if they're a string.

+- This function benefits from a [range index](../../index-policy.md#includeexclude-strategy).

+- [`IS_NUMBER`](is-number.md)

+ Title: RADIANS

+description: An Azure Cosmos DB for NoSQL system function that returns a radian value for an angle in degrees.

+# RADIANS (NoSQL query)

+Returns the corresponding angle in radians for an angle specified in degrees.

+RADIANS(<numeric_expr>)

+| | Description |

+| | |

+| **`numeric_expr`** | A numeric expression. |

+Returns a numeric expression.

+The following example returns the radians for various degree values.

+- This function doesn't use the index.

+- [`DEGREES`](degrees.md)

+ Title: Migration and application development partners for Azure Cosmos DB

+| **Partner** | **Capabilities & experience** | **Supported countries/regions** |

+| | | |

+| [Striim](https://www.striim.com/) | Continuous, real-time data movement, Data migration | USA |

+| [Altoros Development LLC](https://www.altoros.com/) | IoT, Personalization Retail (inventory), Serverless architectures NoSQL migration, App development | USA |

+| [Avanade](https://www.avanade.com/) | IoT, Retail (inventory), Serverless Architecture, App development | Austria, Germany, Switzerland, Italy, Norway, Spain, UK, Canada |

+| [Accenture](https://www.accenture.com/) | IoT, Retail (inventory), Serverless Architecture, App development | Global |

+| Capax Global LLC | IoT, Personalization, Retail (inventory), Operational Analytics (Spark), Serverless architecture, App development | USA |

+| [Capgemini](https://www.capgemini.com/) | Retail (inventory), IoT, Operational Analytics (Spark), App development | USA, France, UK, Netherlands, Finland |

+| [Cognizant](https://www.cognizant.com/) | IoT, Personalization, Retail (inventory), Operational Analytics (Spark), App development | USA, Canada, UK, Denmark, Netherlands, Switzerland, Australia, Japan |

+| [Infosys](https://www.infosys.com/) | App development | USA |

+| [Lambda3 Informatics](https://www.lambda3.com.br/) | Real-time personalization, Retail inventory, App development | Brazil |

+| [Neal Analytics](https://www.nealanalytics.com/) | Personalization, Retail (inventory), Operational Analytics (Spark), App development | USA |

+| [Pragmatic Works Software Inc](https://www.pragmaticworks.com/) | NoSQL migration | USA |

+| [Ricoh Digital Experience](https://www.ricoh-europe.com/contact-us) | IoT, Real-time personalization, Retail inventory, NoSQL migration | UK, Europe |

+| [SNP Technologies](https://www.snp.com/) | NoSQL migration | USA |

+| [Solidsoft Reply](https://www.reply.com/solidsoft-reply/) | NoSQL migration | Croatia, Sweden, Denmark, Ireland, Bulgaria, Slovenia, Cyprus, Malta, Lithuania, the Czech Republic, Iceland, and Switzerland and Liechtenstein |

+| [Spanish Point Technologies](https://www.spanishpoint.ie/) | NoSQL migration | Ireland |

+| [Syone](https://www.syone.com/) | NoSQL migration | Portugal |

+| [EY](https://www.ey.com/en_gl/alliances/microsoft) | App development | USA |

+| [TCS](https://www.tcs.com/) | App development | USA, UK, France, Malaysia, Denmark, Norway, Sweden |

+| [VTeamLabs](https://www.vteamlabs.com/) | Personalization, Retail (inventory), IoT, Gaming, Operational Analytics (Spark), Serverless architecture, NoSQL Migration, App development | USA |

+| [White Duck GmbH](https://whiteduck.de/en/) | New app development, App Backend, Storage for document-based data | Germany |

+| [Xpand IT](https://www.xpand-it.com/) | New app development | Portugal, UK |

+| [Hanu](https://hanu.com/) | IoT, App development | USA |

+| [Incycle Software](https://www.incyclesoftware.com/) | NoSQL migration, Serverless architecture, App development | USA |

+| [Orion](https://www.orioninc.com/) | Personalization, Retail (inventory), Operational Analytics (Spark), IoT, App development | USA, Canada |

+- If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)

+- If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

+| BenefitId┬╣ | EA, MCA | Unique identifier for the purchased savings plan instance. |

+| BenefitName | EA, MCA | Unique identifier for the purchased savings plan instance. |

+| Location | MCA | Normalized location of the resource, if different resource locations are configured for the same regions. Purchases and Marketplace usage may be shown as blank or `unassigned`. |

+| MeterName | All | The name of the meter. Purchases and Marketplace usage may be shown as blank or `unassigned`.|

+| MeterSubCategory | All | Name of the meter subclassification category. Purchases and Marketplace usage may be shown as blank or `unassigned`.|

+| ReservationId┬╣ | EA, MCA | Unique identifier for the purchased reservation instance. |

+1. Sign in to the [Azure portal](https://portal.azure.com) with an enterprise administrator account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+To buy a reservation, you must have owner role or reservation purchaser role on an Azure subscription that's of type Enterprise (MS-AZR-0017P or MS-AZR-0148P) or Pay-As-You-Go (MS-AZR-0003P or MS-AZR-0023P) or Microsoft Customer Agreement. Cloud solution providers can use the Azure portal or [Partner Center](/partner-center/azure-reservations) to purchase Azure Reservations. You can't buy a reservation if you have a custom role that mimics owner role or reservation purchaser role on an Azure subscription. You must use the built-in Owner or built-in Reservation Purchaser role.

+- **Single resource group scope** - Applies the reservation discount to the matching resources in the selected resource group only.

+- **Single subscription scope** - Applies the reservation discount to the matching resources in the selected subscription.

+- **Shared scope** - Applies the reservation discount to matching resources in eligible subscriptions that are in the billing context. If a subscription is moved to different billing context, the benefit no longer applies to the subscription. It continues to apply to other subscriptions in the billing context.

+- **Management group** - Applies the reservation discount to the matching resource in the list of subscriptions that are a part of both the management group and billing scope. The management group scope applies to all subscriptions throughout the entire management group hierarchy. To buy a reservation for a management group, you must have at least read permission on the management group and be a reservation owner or reservation purchaser on the billing subscription.

+While Azure applies reservation discounts on your usage, it processes the reservation in the following order:

+- [Synapse Analytics - Prepurchase](synapse-analytics-pre-purchase-plan.md)

+Monthly payments aren't available for: Databricks, Synapse Analytics - Prepurchase, SUSE Linux reservations, Red Hat Plans and Azure Red Hat OpenShift Licenses.

+>[!NOTE]

+> Reservations aren't supported by the China legacy Online Service Premium Agreement (OSPA) platform. For more information, see [Azure China OSPA purchase](https://go.microsoft.com/fwlink/?linkid=2239835).

+>[!NOTE]

+> Azure savings plan isn't supported for the China legacy Online Service Premium Agreement (OSPA) platform.

+Although you can return the above offerings for a savings plan, you can't exchange a savings plan for them or for another savings plan. Due to technical limitations, you can only trade in up to 100 reservations at a time as part of a savings plan purchase.

+| [collectUnique](data-flow-expressions-usage.md#collectUnique) | Collects all values of the expression in the aggregated group into a unique array. Structures can be collected and transformed to alternate structures during this process.The number of items will be smaller or equal to the number of rows in that group and can contain null values. The number of collected items should be small. |

+Mapping data flow follows an extract, load, and transform (ELT) approach and works with *staging* datasets that are all in Azure. Currently, the following datasets can be used in a sink transformation.

+Use the stringify transformation to turn complex data types into strings. This can be useful when you need to store or send column data as a single string entity that may originate as a structure, map, or array type.

+In the stringify transformation configuration panel, you'll first pick the type of data contained in the columns that you wish to parse inline. The stringify transformation also contains the following configuration settings.

+Similar to derived columns and aggregates, this is where you'll either modify an exiting column by selecting it from the drop-down picker. Or you can type in the name of a new column here. ADF will store the stringifies source data in this column. In most cases, you'll want to define a new column that stringifies the incoming complex field type.

+![NOTE]

+> These metrics are only valid when enabling Time-To-Live in managed virtual network integration runtime.

+1. Open your Azure Data Lake Analytics via the [Azure portal](https://portal.azure.com).

+- Sign in to the [Azure portal](https://portal.azure.com).

+- Sign in to the [Azure portal](https://portal.azure.com). Ensure that your account is assigned to the [network contributor](../role-based-access-control/built-in-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json#network-contributor) role or to a [custom role](../role-based-access-control/custom-roles.md?toc=%2fazure%2fvirtual-network%2ftoc.json) that is assigned the appropriate actions listed in the how-to guide on [Permissions](manage-permissions.md).

+1. Log in to the [Azure portal](https://portal.azure.com) and go to your subscription.

+- **Image scanning with Azure Private Link** - Azure container vulnerability assessment provides the ability to scan images in container registries that are accessible via Azure Private Links. This capability requires access to trusted services and authentication with the registry. Learn how to [allow access by trusted services](/azure/container-registry/container-registry-private-link#container-registry/allow-access-trusted-services) .

+ Title: Learn about agentless scanning for VMs

+##### Manage automatic updates configuration for Linux

+In Windows, Defender for Endpoint version updates are provided via continuous knowledge base updates; in Linux you need to update the Defender for Endpoint package. When you use Defender for Servers with the `MDE.Linux` extension, automatic updates for Microsoft Defender for Endpoint are enabled by default. If you wish to manage the Defender for Endpoint version updates manually, you can disable automatic updates on your machines. To do so, add the following tag for machines onboarded with the `MDE.Linux` extension.

+- Tag name: 'ExcludeMdeAutoUpdate'

+- Tag value: 'true'

+This configuration is supported for Azure VMs and Azure Arc machines, where the `MDE.Linux` extension initiates auto-update.

+| July 20 | [Management of automatic updates to Defender for Endpoint for Linux](#management-of-automatic-updates-to-defender-for-endpoint-for-linux)

+### Management of automatic updates to Defender for Endpoint for Linux

+July 20, 2023

+By default, Defender for Cloud attempts to update your Defender for Endpoint for Linux agents onboarded with the `MDE.Linux` extension. With this release, you can manage this setting and opt-out from the default configuration to manage your update cycles manually.

+Learn how to [manage automatic updates configuration for Linux](integration-defender-for-endpoint.md#manage-automatic-updates-configuration-for-linux).

+| Supported Clouds | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/no-icon.png"::: Azure China 21Vianet | :::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure Government<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Azure China 21Vianet |

+* Configure CORS for your storage account (see details in the following sub-section).

+### Configure CORS

+You'll need to configure [CORS](/rest/api/storageservices/cross-origin-resource-sharing--cors--support-for-the-azure-storage-services) for your storage account, so that 3D Scenes Studio will be able to access your storage container.

+These CORS headers are always required:

+* Authorization

+* x-ms-version

+* x-ms-blob-type

+These additional CORS headers are required if you're planning on using private links functionality:

+* Content-Type

+* Content-Length

+* x-ms-copy-source

+* x-ms-requires-sync

+Below is the [Azure CLI](/cli/azure/what-is-azure-cli) command that will set the methods, origins, and headers listed above for CORS in your storage account. The command contains one placeholder for the name of your storage account.

+az storage cors add --services b --methods GET OPTIONS POST PUT --origins https://explorer.digitaltwins.azure.net --allowed-headers Authorization Content-Type Content-Length x-ms-version x-ms-blob-type x-ms-copy-source x-ms-requires-sync --account-name <your-storage-account>

+Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+Sign in to the [Azure portal](https://portal.azure.com).

+* Sign in to the [Azure portal](https://portal.azure.com).

+- [Support options](educator-service-desk.md)

+ Get-AzExpressRoutePortsLocation | format-list

+ Get-AzExpressRoutePortsLocation -LocationName "Equinix-San-Jose-SV1" | format-list

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- It must be exportable.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+### PCI DSS requirement 1.3.4

+**ID**: PCI DSS v3.2.1 1.3.4

+**Ownership**: customer

+|Name<br />_{(Azure portal)} |Description |Effect(s) |Version<br />_(GitHub) |

+|||||

+|[Audit diagnostic setting for selected resource types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. |AuditIfNotExists |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |

+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |

+|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) |Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) |

+|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) |Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) |

+|[Audit diagnostic setting for selected resource types](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. |AuditIfNotExists |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |

+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |

+|[Accounts with owner permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithOwnerPermissions_Audit.json) |

+|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) |

+|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |

+|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |

+|[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) |

+|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |

+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |

+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |

+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |

+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |

+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |

+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |

+|[App Service apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |

+|[Function apps should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled, Deny |[5.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |

+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |

+|[Accounts with owner permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithOwnerPermissions_Audit.json) |

+|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) |

+|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |

+|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |

+|[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) |

+|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |

+|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |

+|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |

+|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |

+|[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) |

+|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |

+|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |

+|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |

+|[Blocked accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0cfea604-3201-4e14-88fc-fae4c427a6c5) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithOwnerPermissions_Audit.json) |

+|[Blocked accounts with read and write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8d7e1fde-fe26-4b5f-8108-f8e432cbc2be) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveBlockedAccountsWithReadWritePermissions_Audit.json) |

+|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |

+|[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) |

+|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |

+|[Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b054a0d-39e2-4d53-bea3-9734cad2c69b) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json) |

+|[Audit Windows machines that do not have the maximum password age set to specified number of days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ceb8dc2-559c-478b-a15b-733fbf1e3738) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json) |

+|[Audit Windows machines that do not restrict the minimum password length to specified number of characters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2d0e922-65d0-40c4-8f87-ea6da2d307a2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json) |

+|[Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b054a0d-39e2-4d53-bea3-9734cad2c69b) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json) |

+|[Audit Windows machines that do not have the maximum password age set to specified number of days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ceb8dc2-559c-478b-a15b-733fbf1e3738) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json) |

+|[Audit Windows machines that do not restrict the minimum password length to specified number of characters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2d0e922-65d0-40c4-8f87-ea6da2d307a2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters |AuditIfNotExists, Disabled |[2.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json) |

+|[Accounts with owner permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3e008c3-56b9-4133-8fd7-d3347377402a) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithOwnerPermissions_Audit.json) |

+|[Accounts with write permissions on Azure resources should be MFA enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F931e118d-50a1-4457-a5e4-78550e086c52) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForAccountsWithWritePermissions_Audit.json) |

+|[Audit usage of custom RBAC roles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |

+|[Guest accounts with owner permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F339353f6-2387-4a45-abe4-7f529d121046) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithOwnerPermissions_Audit.json) |

+|[Guest accounts with read permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9ac8f8e-ce22-4355-8f04-99b911d6be52) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithReadPermissions_Audit.json) |

+|[Guest accounts with write permissions on Azure resources should be removed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F94e1c2ac-cbbe-4cac-a2b5-389c812dee87) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveGuestAccountsWithWritePermissions_Audit.json) |

+ Title: Regulatory Compliance details for PCI DSS v4.0

+description: Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.

+# Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative

+The following article details how the Azure Policy Regulatory Compliance built-in initiative

+definition maps to **compliance domains** and **controls** in PCI DSS v4.0.

+For more information about this compliance standard, see

+[PCI DSS v4.0](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf). To understand

+_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and

+[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).

+The following mappings are to the **PCI DSS v4.0** controls. Many of the controls

+are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete

+initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.

+Then, find and select the **PCI DSS v4** Regulatory Compliance built-in

+initiative definition.

+> [!IMPORTANT]

+> Each control below is associated with one or more [Azure Policy](../overview.md) definitions.

+> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the

+> control; however, there often is not a one-to-one or complete match between a control and one or

+> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions

+> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In

+> addition, the compliance standard includes controls that aren't addressed by any Azure Policy

+> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your

+> overall compliance status. The associations between compliance domains, controls, and Azure Policy

+> definitions for this compliance standard may change over time. To view the change history, see the

+> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/PCI_DSS_V4.0.json).

+## Requirement 01: Install and Maintain Network Security Controls

+### Processes and mechanisms for installing and maintaining network security controls are defined and understood

+**ID**: PCI DSS v4.0 1.1.1

+**Ownership**: Shared

+|Name<br />_{(Azure portal)} |Description |Effect(s) |Version<br />_(GitHub) |

+|||||

+|[Review and update configuration management policies and procedures](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feb8a8df9-521f-3ccd-7e2c-3d1fcc812340) |CMA_C1175 - Review and update configuration management policies and procedures |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1175.json) |

+|[Review and update system and communications protection policies and procedures](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fadf517f3-6dcd-3546-9928-34777d0c277e) |CMA_C1616 - Review and update system and communications protection policies and procedures |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1616.json) |

+### Network security controls (NSCs) are configured and maintained

+**ID**: PCI DSS v4.0 1.2.1

+**Ownership**: Shared

+|Name<br />_{(Azure portal)} |Description |Effect(s) |Version<br />_(GitHub) |

+|||||

+|[Configure actions for noncompliant devices](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb53aa659-513e-032c-52e6-1ce0ba46582f) |CMA_0062 - Configure actions for noncompliant devices |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0062.json) |

+|[Develop and maintain baseline configurations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f20840e-7925-221c-725d-757442753e7c) |CMA_0153 - Develop and maintain baseline configurations |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0153.json) |

+|[Enforce security configuration settings](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F058e9719-1ff9-3653-4230-23f76b6492e0) |CMA_0249 - Enforce security configuration settings |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0249.json) |

+|[Establish a configuration control board](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7380631c-5bf5-0e3a-4509-0873becd8a63) |CMA_0254 - Establish a configuration control board |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0254.json) |

+|[Establish and document a configuration management plan](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F526ed90e-890f-69e7-0386-ba5c0f1f784f) |CMA_0264 - Establish and document a configuration management plan |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0264.json) |

+|[Implement an automated configuration management tool](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F33832848-42ab-63f3-1a55-c0ad309d44cd) |CMA_0311 - Implement an automated configuration management tool |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0311.json) |

+### Network security controls (NSCs) are configured and maintained

+**ID**: PCI DSS v4.0 1.2.2

+**Ownership**: Shared

+|Name<br />_{(Azure portal)} |Description |Effect(s) |Version<br />_(GitHub) |

+|||||

+|[Conduct a security impact analysis](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F203101f5-99a3-1491-1b56-acccd9b66a9e) |CMA_0057 - Conduct a security impact analysis |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0057.json) |

+|[Develop and maintain a vulnerability management standard](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055da733-55c6-9e10-8194-c40731057ec4) |CMA_0152 - Develop and maintain a vulnerability management standard |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0152.json) |

+|[Establish a risk management strategy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd36700f2-2f0d-7c2a-059c-bdadd1d79f70) |CMA_0258 - Establish a risk management strategy |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0258.json) |

+|[Establish and document change control processes](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd4dc286-2f30-5b95-777c-681f3a7913d3) |CMA_0265 - Establish and document change control processes |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0265.json) |

+|[Establish configuration management requirements for developers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8747b573-8294-86a0-8914-49e9b06a5ace) |CMA_0270 - Establish configuration management requirements for developers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0270.json) |

+|[Perform a privacy impact assessment](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd18af1ac-0086-4762-6dc8-87cdded90e39) |CMA_0387 - Perform a privacy impact assessment |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0387.json) |

+|[Perform a risk assessment](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c5d3d8d-5cba-0def-257c-5ab9ea9644dc) |CMA_0388 - Perform a risk assessment |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0388.json) |

+|[Perform audit for configuration change control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1282809c-9001-176b-4a81-260a085f4872) |CMA_0390 - Perform audit for configuration change control |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0390.json) |

+### Network security controls (NSCs) are configured and maintained

+**ID**: PCI DSS v4.0 1.2.3

+**Ownership**: Shared

+|Name<br />_{(Azure portal)} |Description |Effect(s) |Version<br />_(GitHub) |

+|||||

+|[Check for privacy and security compliance before establishing internal connections](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab) |CMA_0053 - Check for privacy and security compliance before establishing internal connections |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0053.json) |

+### Network security controls (NSCs) are configured and maintained

+**ID**: PCI DSS v4.0 1.2.4

+**Ownership**: Shared

+|Name<br />_{(Azure portal)} |Description |Effect(s) |Version<br />_(GitHub) |

+|||||

+|[Maintain records of processing of personal data](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F92ede480-154e-0e22-4dca-8b46a74a3a51) |CMA_0353 - Maintain records of processing of personal data |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_0353.json) |

+### Network security controls (NSCs) are configured and maintained

+**ID**: PCI DSS v4.0 1.2.5

+**Ownership**: Shared

+|Name<br />_{(Azure portal)} |Description |Effect(s) |Version<br />_(GitHub) |

+|||||

+|[Identify external service providers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F46ab2c5e-6654-1f58-8c83-e97a44f39308) |CMA_C1591 - Identify external service providers |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1591.json) |

+|[Require developer to identify SDLC ports, protocols, and services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6da5cca-5795-60ff-49e1-4972567815fe) |CMA_C1578 - Require developer to identify SDLC ports, protocols, and services |Manual, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/CMA_C1578.json) |

+### Network security controls (NSCs) are configured and maintained

+**ID**: PCI DSS v4.0 1.2.8

+**Ownership**: Shared