+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left navigation panel, select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your provisioning application. For example, if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.

+1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your provisioning application. For example, if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.

+To use Application Proxy, install a connector on each Windows server you're using with the Application Proxy service. The connector is an agent that manages the outbound connection from the on-premises application servers to Application Proxy in Azure AD. You can install a connector on servers that also have other authentication agents installed such as Azure AD Connect.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is `contoso.com`, the admin should be `admin@contoso.com` or any other admin alias on that domain.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

+- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md)

+[Configure alternate access mappings for SharePoint 2013](/SharePoint/administration/configure-alternate-access-mappings)

+1. If you didn't in the previous section, sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select **Azure Active Directory**, then select **Enterprise applications**.

+1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Authentication Policy Administrator.

+The [Azure portal](https://portal.azure.com) now has a passwordless methods wizard that will help you to select the appropriate method for each of your audiences. If you haven't yet determined the appropriate methods, see [https://aka.ms/passwordlesswizard](https://aka.ms/passwordlesswizard), then return to this article to continue planning for your selected methods. **You need administrator rights to access this wizard.**

+To manage your user's passwordless authentication methods in the [Azure portal](https://portal.azure.com), select your user account, and then select Authentication methods.

+To delete an enrolled security key, sign in to the [Azure portal](https://portal.azure.com), and then go to the **Security info** page.

+To learn more, see [What authentication and verification methods are available in Azure Active Directory?](concept-authentication-methods.md)

+If your users need help, see the [User guide for Azure AD Multi-Factor Authentication](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc).

+The following questions can be answered by the reports that exist in the [Azure portal](https://portal.azure.com):

+With the controller, you determine what level of access to provide Permissions Management.

+* Enable to grant read and write access to your environment(s). You can manage permissions and remediate through Permissions Management.

+

+* Disable to grant read-only access to your environment(s).

+This article describes how to enable the controller in Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) after onboarding is complete.

+This article also describes how to disable the controller in Microsoft Azure and Google Cloud Platform (GCP). Once you enable the controller in AWS, you can't disable it.

+> You can enable the controller in AWS if you disabled it during onboarding. Once you enable the controller, you canΓÇÖt disable it at this time.

+1. From the Azure [**Home**](https://portal.azure.com) page, select **Management groups**.

+ - **Report output type**: XSLX, PDF

+ - **Ability to collate report**: Yes (XSLX only)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Sign in to the [Azure portal](https://portal.azure.com) as your test user.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Active Directory** and then **Enterprise applications**. Select **New application** and then **Create your own application**.

+1. Search for and select the user to sign in to the app. Select the **Assign** button.

+1. Sign in to the [Azure portal](https://portal.azure.com) with your administrator account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate and select the function app you previously published.

+1. Sign in to the [Azure portal](https://portal.azure.com), then navigate and select the function app you previously published.

+1. Sign in to the [Azure portal](https://portal.azure.com) with your Azure administrator account.

+- Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.

+Next, add a stage to the pipeline that deploys Azure resources. The pipeline uses an [inline script](/azure/devops/pipelines/scripts/powershell) to create the App Service instance. In a later step, the inline script creates an Azure AD app registration for App Service authentication. An Azure CLI bash script is used because Azure Resource Manager (and Azure Pipelines tasks) can't create an app registration.

+- [Deploy to App Service using Azure Pipelines](/azure/app-service/deploy-azure-pipelines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left pane, select **Azure Active Directory**.

+- [Application types for the Microsoft identity platform](v2-app-types.md#web-apps)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com)

+# Customize claims issued in the JSON web token (JWT) for enterprise applications

+These JSON Web tokens (JWT) used by OIDC and OAuth applications contain pieces of information about the user known as *claims*. A claim is information that an identity provider states about a user inside the token they issue for that user. In an [OIDC response](v2-protocols-oidc.md), claims data is typically contained in the ID Token issued by the identity provider in the form of a JWT.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the **Attributes & Claims** section, Select **Edit** to edit the claims.

+When a user has an application open in several tabs and signs in on one of them, they can be signed into the same app open on other tabs without being prompted. To do so, you need to set the *cacheLocation* in MSAL.js configuration object to `localStorage` as shown in the following example:

+- `login_hint`, which can be retrieved from the `account` object username property or the `upn` claim in the ID token. If your app is authenticating users with B2C, see: [Configure B2C user-flows to emit username in ID tokens](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/FAQ.md#why-is-getaccountbyusername-returning-null-even-though-im-signed-in)

+- Session ID, `sid`, which can be retrieved from `idTokenClaims` of an `account` object.

+- `account`, which can be retrieved from using one the [account methods](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/login-user.md#account-apis)

+ We recommended to using the `login_hint` [optional ID token claim](optional-claims-reference.md#v10-and-v20-optional-claims-set) provided to `ssoSilent` as `loginHint` as it is the most reliable account hint of silent and interactive requests.

+#### Using a login hint

+The `login_hint` optional claim provides a hint to Azure AD about the user account attempting to sign in. To bypass the account selection prompt typically shown during interactive authentication requests, provide the `loginHint` as shown:

+const silentRequest = {

+ scopes: ["User.Read", "Mail.Read"],

+ loginHint: "user@contoso.com"

+try {

+ const loginResponse = await msalInstance.ssoSilent(silentRequest);

+ const loginResponse = await msalInstance.loginPopup(silentRequest).catch(error => {

+In this example, `loginHint` contains the user's email or UPN, which is used as a hint during interactive token requests. The hint can be passed between applications to facilitate silent SSO, where application A can sign in a user, read the `loginHint`, and then send the claim and the current tenant context to application B. Azure AD will attempt to pre-fill the sign-in form or bypass the account selection prompt and directly proceed with the authentication process for the specified user.

+If the information in the `login_hint` claim doesn't match any existing user, they're redirected to go through the standard sign-in experience, including account selection.

+#### Using a session ID

+To use a session ID, add `sid` as an [optional claim](active-directory-optional-claims.md) to your app's ID tokens. The `sid` claim allows an application to identify a user's Azure AD session independent of their account name or username. To learn how to add optional claims like `sid`, see [Provide optional claims to your app](active-directory-optional-claims.md). Use the session ID (SID) in silent authentication requests you make with `ssoSilent` in MSAL.js.

+ sid: sid,

+ try {

+- **Redirect URI** - Add a redirect URI to your application registration in the [Azure portal](https://portal.azure.com). A missing or incorrect redirect URI is a common issue encountered by developers.

+> [Register an app](quickstart-register-app.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the **User Attributes & Claims** section, select **Edit** to edit the claims.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the **User Attributes & Claims** section, select **Edit** to edit the claims.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> [Tutorial: Prepare an application for authentication](single-page-app-tutorial-02-prepare-spa.md)

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select on **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+3. Select **New user** and create some new test users in your directory.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> [Scenario: Daemon application that calls web APIs](scenario-daemon-overview.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is a global administrator in the organization. If you're trying to delete the Contoso organization that has the initial default domain `contoso.onmicrosoft.com`, sign in with a UPN such as `admin@contoso.onmicrosoft.com`.

+1. Sign in to to the [Azure portal](https://portal.azure.com) with an account that is the Global Administrator for your Azure AD organization.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- [PowerShell examples for group-based licensing in Azure Active Directory](licensing-ps-examples.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) using a License administrator account in your Azure AD organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a License administrator account in your Azure AD organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a Global Administrator for the Azure AD organization.

+* [View your current LinkedIn integration setting in the Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserManagementMenuBlade/UserSettings)

+1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role. A role with Guest Inviter privileges can also invite external users.

+1. Sign in to the [Azure portal](https://portal.azure.com) using one of the roles listed in the Prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's been assigned the Global administrator or User administrator role.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

+1. Use your test user name and password to sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as a security administrator or a Conditional Access administrator.

+1. Use your test user name and password to sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

+See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.

+- [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)

+[Configure cross-tenant access settings for B2B collaboration](cross-tenant-access-settings-b2b-collaboration.md)

+1. When the app launches, copy the suggested URL *https://microsoft.com/devicelogin* from the terminal and visit it in a browser. Then, copy the device code from the terminal and [follow the prompts](./tutorial-browserless-app-dotnet-sign-in-build-app.md#sign-in-to-your-app) on *https://microsoft.com/devicelogin*.

+> [Build your own ASP.NET browserless app and sign in users >](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md)

+- Learn how to [Acquire an access token, then call a web API in your own Node.js daemon app](tutorial-daemon-node-call-api-prepare-tenant.md).

+> | .NET | • [Sign in users](how-to-browserless-app-dotnet-sample-sign-in.md) | • [Sign in users](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) |

+> | Node.js | • [Call an API](how-to-daemon-node-sample-call-api.md) | • [Call an API](tutorial-daemon-node-call-api-prepare-tenant.md) |

+> | Browserless | • [Sign in users](how-to-browserless-app-dotnet-sample-sign-in.md) | • [Sign in users](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) |

+ Title: "Tutorial: Sign in users in your .NET browserless app"

+description: Learn about how to build a .NET browserless app that signs in users by using Device Code flow.

+#Customer intent: As a dev, devops, I want to learn about how to enable authentication in my .NET browserless app with Azure Active Directory (Azure AD) for customers tenant

+# Tutorial: Sign in users to your .NET browserless application

+In this tutorial, you build your own .NET browserless app and authenticate a user using Azure Active Directory (Azure AD) for customers.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> - Configure a .NET browserless app to use it's app registration details.

+> - Build a .NET browserless app that signs in a user and acquires a token on behalf of the user.

+## Prerequisites

+- Registration details for the browserless app you created in the [prepare tenant tutorial](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md). You need the following details:

+ - The Application (client) ID of the .NET browserless app that you registered.

+ - The Directory (tenant) subdomain where you registered your .NET browserless app.

+- [.NET 7.0](https://dotnet.microsoft.com/download/dotnet/7.0) or later.

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+## Create an ASP.NET browserless app

+1. Open your terminal and navigate to the folder where you want your project to live.

+1. Initialize a .NET console app and navigate to its root folder

+ ```dotnetcli

+ dotnet new console -o MsIdBrowserlessApp

+ cd MsIdBrowserlessApp

+ ```

+## Install packages

+Install configuration providers that help our app to read configuration data from key-value pairs in our app settings file. These configuration abstractions provide the ability to bind configuration values to instances of .NET objects.

+```dotnetcli

+dotnet add package Microsoft.Extensions.Configuration

+dotnet add package Microsoft.Extensions.Configuration.Json

+dotnet add package Microsoft.Extensions.Configuration.Binder

+```

+Install Microsoft Identity Web library that simplifies adding authentication and authorization support to apps that integrate with the Microsoft identity platform.

+```dotnetcli

+dotnet add package Microsoft.Identity.Web

+```

+## Create appsettings.json file and add registration configs

+1. In your code editor, create an *appsettings.json* file in the root folder of the app.

+1. Add the following code to the *appsettings.json* file.

+

+ ```json

+ {

+ "AzureAd": {

+ "Authority": "https://<Enter_the_Tenant_Subdomain_Here>.ciamlogin.com/",

+ "ClientId": "<Enter_the_Application_Id_Here>"

+ }

+ }

+ ```

+ - Replace `Enter_the_Application_Id_Here` with the Application (client) ID of the app you registered earlier.

+ - Replace `Enter_the_Tenant_Subdomain_Here` with the Directory (tenant) subdomain.

+1. Add the following code to the *MsIdBrowserlessApp.csproj* file to instruct your app to copy the *appsettings.json* file to the output directory when the project is compiled.

+ ```xml

+ <Project Sdk="Microsoft.NET.Sdk">

+ ...

+ <ItemGroup>

+ <None Update="appsettings.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ </None>

+ <ItemGroup>

+ </Project>

+ ```

+## Add sign-in code

+1. In your code editor, open the *Program.cs* file.

+1. Clear the contents of the *Program.cs* file then add the packages and set up your configuration to read configs from the *appsettings.json* file.

+ ```csharp

+ // Import packages

+ using Microsoft.Extensions.Configuration;

+ using Microsoft.Identity.Client;

+ // Setup your configuration to read configs from appsettings.json

+ var configuration = new ConfigurationBuilder()

+ .AddJsonFile($"appsettings.json");

+

+ var config = configuration.Build();

+ var publicClientOptions = config.GetSection("AzureAd");

+ // Placeholders for the rest of the code

+ var app = PublicClientApplicationBuilder.Create(...)

+ var scopes = new string[] { };

+ var result = await app.AcquireTokenWithDeviceCode(...)

+ Console.WriteLine(...)

+ ```

+1. The browserless app is a public client application. Create an instance of the `PublicClientApplication` class and pass in the `ClientId` and `Authority` values from the *appsettings.json* file.

+ ```csharp

+ var app = PublicClientApplicationBuilder.Create(publicClientOptions.GetValue<string>("ClientId"))

+ .WithAuthority(publicClientOptions.GetValue<string>("Authority"))

+ .Build();

+ ```

+1. Add the code that helps the app acquire tokens using the device code flow. Pass in the scopes you want to request for and a callback function that is called when the device code is available. By default, MSAL attaches OIDC scopes to every token request.

+ ```csharp

+ var scopes = new string[] { }; // by default, MSAL attaches OIDC scopes to every token request

+ var result = await app.AcquireTokenWithDeviceCode(scopes, async deviceCode => {

+ Console.WriteLine($"In a broswer, navigate to the URL '{deviceCode.VerificationUrl}' and enter the code '{deviceCode.UserCode}'");

+ await Task.FromResult(0);

+ }).ExecuteAsync();

+ Console.WriteLine($"You signed in as {result.Account.Username}");

+ Console.WriteLine($"{result.Account.HomeAccountId}");

+ Console.WriteLine("\nRetrieved ID token:");

+ result.ClaimsPrincipal.Claims.ToList()

+ .ForEach(c => Console.WriteLine(c));

+ ```

+

+ The callback function displays the device code and the verification URL to the user. The user then navigates to the verification URL and enters the device code to complete the authentication process. The method then proceeds to poll for the ID token which is granted upon successful login by the user based on the device code information.

+## Sign in to your app

+1. In your terminal, navigate to the root folder of your browserless app and run the app by running the command `dotnet run` in your terminal.

+1. Open your browser, then navigate to `https://<Enter_the_Tenant_Subdomain_Here>.ciamlogin.com/common/oauth2/deviceauth`. Replace `Enter_the_Tenant_Subdomain_Here` with the Directory (tenant) subdomain. You should see a page similar to the following screenshot:

+ :::image type="content" source="media/how-to-browserless-dotnet-sign-in-sign-in/browserless-app-dotnet-enter-code.png" alt-text="Screenshot of the enter code prompt in a node browserless application using the device code flow.":::

+1. Copy the device code from the message in the terminal and paste it in the **Enter Code** prompt to authenticate. After entering the code, you'll be redirected to the sign in page as follows:

+ :::image type="content" source="media/how-to-browserless-dotnet-sign-in-sign-in/browserless-app-dotnet-sign-in-page.png" alt-text="Screenshot showing the sign in page in a node browserless application.":::

+1. At this point, you most likely don't have an account. If so, select **No account? Create one**, which starts the sign-up flow. Follow through this flow to create a new account. If you already have an account, enter your credentials and sign in.

+1. After completing the sign up flow and signing in, you see a page similar to the following screenshot:

+ :::image type="content" source="media/how-to-browserless-dotnet-sign-in-sign-in/browserless-app-dotnet-signed-in-user.png" alt-text="Screenshot showing a signed-in user in a node browserless application.":::

+1. Move back to the terminal and see your authentication information including the ID token claims.

+You can view the full code for this sample in the [code repo](https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/tree/main/1-Authentication/4-sign-in-device-code).

+## See also

+- [Authenticate users in a sample Node.js browserless application.](./sample-browserless-app-node-sign-in.md)

+- [Customize branding for your sign-in experience](./how-to-customize-branding-customers.md)

+ Title: "Tutorial: Register and configure .NET browserless app authentication details in a customer tenant"

+description: Learn how to register and configure .NET browserless app authentication details in a customer tenant so as to sign in users using Device Code flow.

+#Customer intent: As a dev, devops, I want to learn how to register and configure .NET browserless app authentication details in a customer tenant so as to sign in users using Device Code flow.

+# Tutorial: Register and configure .NET browserless app authentication details in a customer tenant

+In this article, you prepare your Azure Active Directory (Azure AD) for customers tenant for authentication. This tutorial is part of a series that guides you through the steps of building an app that authenticates users against Azure Active Directory (Azure AD) for Customers using the device code flow.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> - Register a .NET browserless app in the Microsoft Entra admin center

+> - Create a sign-in and sign-out user flow in customers tenant.

+> - Associate your browserless app with the user flow.

+## Prerequisites

+- [.NET 7.0](https://dotnet.microsoft.com/download/dotnet/7.0) or later.

+- [Visual Studio 2022](https://code.visualstudio.com/download) or another code editor.

+- Azure AD for customers tenant. If you don't already have one, [sign up for a free trial](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl).

+## Register the browserless app

+## Enable public client flow

+## Grant API permissions

+Since this app signs-in users, add delegated permissions:

+## Create a user flow

+## Associate the browserless app with the user flow

+## Record your registration details

+The next step after this tutorial is to build a WPF desktop app that authenticates users. Ensure you have the following details:

+- The Application (client) ID of the .NET browserless app that you registered.

+- The Directory (tenant) subdomain where you registered your .NET browserless app. If your primary domain is *contoso.onmicrosoft.com*, your Directory (tenant) subdomain is *contoso*. If you don't have your primary domain, learn how to [read tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+## Next steps

+> [!div class="nextstepaction"]

+> [Sign-in users to your .NET browserless app >](./tutorial-browserless-app-dotnet-sign-in-build-app.md)

+ Title: "Tutorial: Call a web API from your Node.js daemon application"

+description: Learn about how to prepare your Node.js client daemon app, then configure it to acquire an access token for calling a web API.

+# Tutorial: Call a web API from your Node.js daemon application

+This tutorial demonstrates how to prepare your Node.js daemon client app, then configure it to acquire an access token for calling a web API. The application you build uses [Microsoft Authentication Library (MSAL) for Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) to simplify adding authorization to your node daemon application.

+The [OAuth 2.0 client credentials grant flow](../../develop/v2-oauth2-client-creds-grant-flow.md) permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate before calling another web service. The client credentials grant flow is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.

+In this tutorial, you'll:

+> [!div class="checklist"]

+> - Create a Node.js app, then install dependencies.

+> - Enable the Node.js app to acquire an access token for calling a web API.

+## Prerequisites

+- [Node.js](https://nodejs.org).

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+- Registration details for the Node.js daemon app and web API you created in the [prepare tenant tutorial](tutorial-daemon-node-call-api-prepare-tenant.md).

+- A protected web API that is running and ready to accept requests. If you haven't created one, see the [create a protected web API tutorial](how-to-protect-web-api-dotnet-core-overview.md). Ensure this web API is using the app registration details you created in the [prepare tenant tutorial](tutorial-daemon-node-call-api-prepare-tenant.md). Make sure your web API exposes the following endpoints via https:

+ - `GET /api/todolist` to get all todos.

+ - `POST /api/todolist` to add a todo.

+## Create the Node.js daemon project

+Create a folder to host your Node.js daemon application, such as `ciam-call-api-node-daemon`:

+1. In your terminal, change directory into your Node daemon app folder, such as `cd ciam-call-api-node-daemon`, then run `npm init -y`. This command creates a default package.json file for your Node.js project. This command creates a default `package.json` file for your Node.js project.

+1. Create more folders and files to achieve the following project structure:

+ ```

+ ciam-call-api-node-daemon/

+ Γö£ΓöÇΓöÇ auth.js

+ ΓööΓöÇΓöÇ authConfig.js

+ ΓööΓöÇΓöÇ fetch.js

+ ΓööΓöÇΓöÇ index.js

+ ΓööΓöÇΓöÇ package.json

+ ```

+## Install app dependencies

+In your terminal, install `axios`, `yargs` and `@azure/msal-node` packages by running the following command:

+```console

+npm install axios yargs @azure/msal-node

+```

+## Create MSAL configuration object

+In your code editor, open *authConfig.js* file, then add the following code:

+```javascript

+require('dotenv').config();

+/**

+ * Configuration object to be passed to MSAL instance on creation.

+ * For a full list of MSAL Node configuration parameters, visit:

+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/configuration.md

+ */

+const msalConfig = {

+ auth: {

+ clientId: process.env.CLIENT_ID || 'Enter_the_Application_Id_Here', // 'Application (client) ID' of app registration in Azure portal - this value is a GUID

+ authority: process.env.AUTHORITY || 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace "Enter_the_Tenant_Subdomain_Here" with your tenant subdomain

+ clientSecret: process.env.CLIENT_SECRET || 'Enter_the_Client_Secret_Here', // Client secret generated from the app

+ },

+ system: {

+ loggerOptions: {

+ loggerCallback(loglevel, message, containsPii) {

+ console.log(message);

+ },

+ piiLoggingEnabled: false,

+ logLevel: 'Info',

+ },

+ },

+};

+const protectedResources = {

+ apiToDoList: {

+ endpoint: process.env.API_ENDPOINT || 'https://localhost:44351/api/todolist',

+ scopes: [process.env.SCOPES || 'api://Enter_the_Web_Api_Application_Id_Here'],

+ },

+};

+module.exports = {

+ msalConfig,

+ protectedResources,

+};

+```

+The `msalConfig` object contains a set of configuration options that you use to customize the behavior of your authorization flow.

+In your *authConfig.js* file, replace:

+- `Enter_the_Application_Id_Here` with the Application (client) ID of the client daemon app that you registered earlier.

+- `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+- `Enter_the_Client_Secret_Here` with the client daemon app secret value that you copied earlier.

+- `Enter_the_Web_Api_Application_Id_Here` with the Application (client) ID of the web API app that you copied earlier.

+Notice that the `scopes` property in the `protectedResources` variable is the resource identifier (application ID URI) of the [web API](tutorial-daemon-node-call-api-prepare-tenant.md#register-a-web-api-application) that you registered earlier. The complete scope URI looks similar to `api://Enter_the_Web_Api_Application_Id_Here/.default`.

+## Acquire an access token

+In your code editor, open *auth.js* file, then add the following code:

+```javascript

+const msal = require('@azure/msal-node');

+const { msalConfig, protectedResources } = require('./authConfig');

+/**

+ * With client credentials flows permissions need to be granted in the portal by a tenant administrator.

+ * The scope is always in the format '<resource-appId-uri>/.default'. For more, visit:

+ * https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

+ */

+const tokenRequest = {

+ scopes: [`${protectedResources.apiToDoList.scopes}/.default`],

+};

+const apiConfig = {

+ uri: protectedResources.apiToDoList.endpoint,

+};

+/**

+ * Initialize a confidential client application. For more info, visit:

+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md

+ */

+const cca = new msal.ConfidentialClientApplication(msalConfig);

+/**

+ * Acquires token with client credentials.

+ * @param {object} tokenRequest

+ */

+async function getToken(tokenRequest) {

+ return await cca.acquireTokenByClientCredential(tokenRequest);

+}

+module.exports = {

+ apiConfig: apiConfig,

+ tokenRequest: tokenRequest,

+ getToken: getToken,

+};

+```

+In the code:

+- Prepare the `tokenRequest` and `apiConfig` object. The `tokenRequest` contains the scope for which you request an access token. The scope looks something like `api://Enter_the_Web_Api_Application_Id_Here/.default`. The `apiConfig` object contains the endpoint to your web API. Learn more about [OAuth 2.0 client credentials flow](../../develop/v2-oauth2-client-creds-grant-flow.md).

+- You create a confidential client instance by passing the `msalConfig` object to the [ConfidentialClientApplication](/javascript/api/@azure/msal-node/confidentialclientapplication#constructors) class' constructor.

+ ```javascript

+ const cca = new msal.ConfidentialClientApplication(msalConfig);

+ ```

+- You then use the [acquireTokenByClientCredential](/javascript/api/@azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-acquiretokenbyclientcredential) function to acquire an access token. You implement this logic in the `getToken` function:

+ ```javascript

+ cca.acquireTokenByClientCredential(tokenRequest);

+ ```

+Once you acquire an access token, you can proceed to call an API.

+## Call an API

+In your code editor, open *fetch.js* file, then add the following code:

+```javascript

+const axios = require('axios');

+/**

+ * Calls the endpoint with authorization bearer token.

+ * @param {string} endpoint

+ * @param {string} accessToken

+ */

+async function callApi(endpoint, accessToken) {

+ const options = {

+ headers: {

+ Authorization: `Bearer ${accessToken}`

+ }

+ };

+ console.log('request made to web API at: ' + new Date().toString());

+ try {

+ const response = await axios.get(endpoint, options);

+ return response.data;

+ } catch (error) {

+ console.log(error)

+ return error;

+ }

+};

+module.exports = {

+ callApi: callApi

+};

+```

+In this code, you make a call to the web API, by passing the access token as a bearer token in the request `Authorization` header:

+```javascript

+ Authorization: `Bearer ${accessToken}`

+```

+You use the access token that you acquired earlier in [Acquire an access token](#acquire-an-access-token).

+Once the web API receives the request, it evaluates it then determines that it's an application request. If the access token is valid, the web API returns requested data. Otherwise, the API returns a `401 Unauthorized` HTTP error.

+## Finalize your daemon app

+In your code editor, open *index.js* file, then add the following code:

+```javascript

+#!/usr/bin/env node

+// read in env settings

+require('dotenv').config();

+const yargs = require('yargs');

+const fetch = require('./fetch');

+const auth = require('./auth');

+const options = yargs

+ .usage('Usage: --op <operation_name>')

+ .option('op', { alias: 'operation', describe: 'operation name', type: 'string', demandOption: true })

+ .argv;

+async function main() {

+ console.log(`You have selected: ${options.op}`);

+ switch (yargs.argv['op']) {

+ case 'getToDos':

+ try {

+ const authResponse = await auth.getToken(auth.tokenRequest);

+ const todos = await fetch.callApi(auth.apiConfig.uri, authResponse.accessToken);

+ } catch (error) {

+ console.log(error);

+ }

+ break;

+ default:

+ console.log('Select an operation first');

+ break;

+ }

+};

+main();

+```

+This code is the entry point to your app. You use the [yargs js](https://www.npmjs.com/package/yargs) command-line argument parsing library for Node.js apps to interactively fetch an access token, then call API. You use the `getToken` and `callApi` functions you defined earlier:

+```javascript

+const authResponse = await auth.getToken(auth.tokenRequest);

+const todos = await fetch.callApi(auth.apiConfig.uri, authResponse.accessToken);

+```

+## Run and test daemon app and API

+At this point, you're ready to test your client daemon app and web API:

+1. Use the steps you learned in [Secure an ASP.NET web API](how-to-protect-web-api-dotnet-core-overview.md) tutorial to start your web API. Your web API is now ready to serve client requests. If you don't run your web API on port `44351` as specified in the *authConfig.js* file, make sure you update the *authConfig.js* file to use the correct web API's port number.

+1. In your terminal, make sure you're in the project folder that contains your daemon Node.js app such as `ciam-call-api-node-daemon`, then run the following command:

+ ```console

+ node . --op getToDos

+ ```

+If your daemon app and web API run successfully, you should find the data returned by the web API endpoint `todos` variable, similar to the following JSON array, in your console window:

+```json

+{

+ id: 1,

+ owner: '3e8....-db63-43a2-a767-5d7db...',

+ description: 'Pick up grocery'

+},

+{

+ id: 2,

+ owner: 'c3cc....-c4ec-4531-a197-cb919ed.....',

+ description: 'Finish invoice report'

+},

+{

+ id: 3,

+ owner: 'a35e....-3b8a-4632-8c4f-ffb840d.....',

+ description: 'Water plants'

+}

+```

+## Next steps

+Learn how to [Use client certificate instead of a secret for authentication in your Node.js confidential app](how-to-web-app-node-use-certificate.md).

+ Title: 'Tutorial: Prepare your customer tenant to authorize a Node.js daemon application'

+description: Learn how to prepare your customer tenant to authorize your Node.js daemon application

+# Tutorial: Prepare your customer tenant to authorize a Node.js daemon application

+In this tutorial, you learn how to acquire an access token, then call a web API in a Node.js daemon application. You enable the client daemon app to acquire an access token using its own identity. To do so, you first register your application in your Azure Active Directory (Azure AD) for customers tenant.

+In this tutorial, you'll:

+> [!div class="checklist"]

+> - Register a web API and configure app permissions in the Microsoft Entra admin center.

+> - Register a client daemon application, the grant it app permissions in the Microsoft Entra admin center.

+> - Create a client secret for your daemon application in the Microsoft Entra admin center.

+If you've already registered a client daemon application and a web API in the Microsoft Entra admin center, you can skip the steps in this tutorial, then proceed to [Acquire access token for calling an API](tutorial-daemon-node-call-api-build-app.md).

+## Prerequisites

+- An Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register a web API application

+## Configure app roles

+## Configure optional claims

+## Register the daemon app

+## Create a client secret

+## Grant API permissions to the daemon app

+## Record your app registration details

+In the next step, you prepare your daemon app application. Make sure you've the following details:

+- The Application (client) ID of the client daemon app that you registered.

+- The Directory (tenant) subdomain where you registered your daemon app. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+- The application secret value for the daemon app you created.

+- The Application (client) ID of the web API app you registered.

+## Next steps

+In the next tutorial, you prepare your daemon Node.js application.

+> [!div class="nextstepaction"]

+> [Prepare your daemon application](tutorial-daemon-node-call-api-build-app.md)

+- [Google federation](google-federation.md)

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD global administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or User administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+- [Define custom attributes for user flows](user-flow-add-custom-attributes.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role.

+1. Sign in to the [Azure portal](https://portal.azure.com) using one of the appropriate roles listed above.

+description: Azure AD security defaults that help protect organizations from common identity attacks

+Security defaults make it easier to help protect your organization from identity-related attacks like password spray, replay, and phishing common in today's environments.

+Microsoft is making these preconfigured security settings available to everyone, because we know managing security can be difficult. Based on our learnings more than 99.9% of those common identity-related attacks are stopped by using multifactor authentication (MFA) and blocking legacy authentication. Our goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

+These basic controls include:

+To help protect organizations, we're always working to improve the security of Microsoft account services. As part of this protection, customers are periodically notified for the automatic enablement of the security defaults if they:

+- Haven't enabled Conditional Access policies.

+- Don't have premium licenses.

+- ArenΓÇÖt actively using legacy authentication clients.

+After this setting is enabled, all users in the organization will need to register for multifactor authentication. To avoid confusion, refer to the email you received and alternatively you can [disable security defaults](#disabling-security-defaults) after it's enabled.

+1. Sign in to the [Azure portal](https://portal.azure.com) as a Security Administrator, Conditional Access Administrator, or Global Administrator.

+### Revoking active tokens

+As part of enabling security defaults, administrators should revoke all existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication. This task can be accomplished using the [Revoke-AzureADUserAllRefreshToken](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) PowerShell cmdlet.

+- Global Administrator

+- Application Administrator

+- Authentication Administrator

+- Billing Administrator

+- Cloud Application Administrator

+- Conditional Access Administrator

+- Exchange Administrator

+- Helpdesk Administrator

+- Password Administrator

+- Privileged Authentication Administrator

+- Privileged Role Administrator

+- Security Administrator

+- SharePoint Administrator

+- User Administrator

+One common method to improve protection for all users is to require a stronger form of account verification, such as multifactor authentication, for everyone. After users complete registration, they'll be prompted for another authentication whenever necessary. Azure AD decides when a user is prompted for multifactor authentication, based on factors such as location, device, role and task. This functionality protects all applications registered with Azure AD including SaaS applications.

+Every organization should have at least two backup administrators configured. We call these emergency access accounts.

+You can use Conditional Access to configure policies similar to security defaults, but with more granularity. Conditional Access policies allow selecting other authentication methods and the ability to exclude users, which aren't available in security defaults. If you're using Conditional Access in your environment today, security defaults aren't available to you.

+1. Sign in to the [Azure portal](https://portal.azure.com) as a Security Administrator, Conditional Access Administrator, or Global Administrator.

+After you sign in to the [Azure portal](https://portal.azure.com), you can create a new tenant for your organization. Your new tenant represents your organization and helps you to manage a specific instance of Microsoft cloud services for your internal and external users.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+<a name='sign-in-to-the-azure-portal'></a>

+## Sign in to the [Azure portal](https://portal.azure.com)

+You must sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role.

+1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role. A role with Guest Inviter privileges can also invite external users.

+1. Sign in to the [Azure portal](https://portal.azure.com) using one of the appropriate roles.

+* [Add a custom domain](add-custom-domain.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account for the directory.

+### Add members or owners of a group

+### Remove members or owners of a group

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a License administrator account in your Azure AD organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the Privileged Role Administrator role for the directory.

+- [Explore other user management tasks](../enterprise-users/index.yml)

+1. Sign in to the [Azure portal](https://portal.azure.com) as a user administrator, or password administrator. For more information about the available roles, see [Azure AD built-in roles](../roles/permissions-reference.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the organization.

+- [Delete Lifecycle Workflows](delete-lifecycle-workflow.md)

+- [Delete lifecycle workflows](delete-lifecycle-workflow.md)

+- [Approve or deny access requests](entitlement-management-request-approve.md)

+- [Delete a Lifecycle workflow](delete-lifecycle-workflow.md)

+- [Complete tasks in real time on an employee's last day of work by using lifecycle workflow APIs](/graph/tutorial-lifecycle-workflows-offboard-custom-workflow)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. On the right, select **Azure Active Directory**.

+3. Select **Identity Governance**.

+4. Select **Lifecycle workflows**.

+5. On the **Overview** page, select **New workflow**.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/new-workflow.png" alt-text="Screenshot of selecting a new workflow." lightbox="media/tutorial-lifecycle-workflows/new-workflow.png":::

+6. From the templates, select **select** under **Onboard pre-hire employee**.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/select-template.png" alt-text="Screenshot of selecting workflow template." lightbox="media/tutorial-lifecycle-workflows/select-template.png":::

+7. Next, you configure the basic information about the workflow. This information includes when the workflow triggers, known as **Days from event**. So in this case, the workflow triggers two days before the employee's hire date. On the onboard pre-hire employee screen, add the following settings and then select **Next: Configure Scope**.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/configure-scope.png" alt-text="Screenshot of selecting a configuration scope." lightbox="media/tutorial-lifecycle-workflows/configure-scope.png":::

+8. Next, you configure the scope. The scope determines which users this workflow runs against. In this case, it is on all users in the Sales department. On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**. For a full list of supported user properties, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta&preserve-view=true#supported-user-properties-and-query-parameters).

+ :::image type="content" source="media/tutorial-lifecycle-workflows/review-tasks.png" alt-text="Screenshot of selecting review tasks." lightbox="media/tutorial-lifecycle-workflows/review-tasks.png":::

+9. On the following page, you may inspect the task if desired but no additional configuration is needed. Select **Next: Review + Create** when you're finished.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/onboard-review-create.png" alt-text="Screenshot of reviewing an on-board workflow." lightbox="media/tutorial-lifecycle-workflows/onboard-review-create.png":::

+10. On the review blade, verify the information is correct and select **Create**.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/onboard-create.png" alt-text="Screenshot of creating an onboard workflow." lightbox="media/tutorial-lifecycle-workflows/onboard-create.png":::

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. On the right, select **Azure Active Directory**.

+3. Select **Users**.

+4. Select **Melva Prince**.

+5. Select the copy sign next to the **Object ID**.

+6. Now navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

+7. Sign-in to Graph Explorer with the global administrator account for your tenant.

+8. At the top, change **GET** to **PATCH** and add `https://graph.microsoft.com/v1.0/users/<id>` to the box. Replace `<id>` with the value we copied before.

+9. Copy the following in to the **Request body** and select **Run query**

+ ```Example

+ {

+ "employeeHireDate": "2022-04-15T22:10:00Z"

+ }

+ ```

+ :::image type="content" source="media/tutorial-lifecycle-workflows/update-1.png" alt-text="Screenshot of the PATCH employeeHireDate." lightbox="media/tutorial-lifecycle-workflows/update-1.png":::

+10. Verify the change by changing **PATCH** back to **GET** and **v1.0** to **beta**. Select **Run query**. You should see the attributes for Melva set.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/update-3.png" alt-text="Screenshot of the GET employeeHireDate." lightbox="media/tutorial-lifecycle-workflows/update-3.png":::

+1. Still in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

+2. Make sure the top is still set to **PUT** and `https://graph.microsoft.com/v1.0/users/<id>/manager/$ref` is in the box. Change `<id>` to the ID of Melva Prince.

+3. Copy the code below in to the **Request body**

+4. Replace `<managerid>` in the following code with the value of Britta Simons ID.

+5. Select **Run query**

+ ```Example

+ {

+ }

+ ```

+ :::image type="content" source="media/tutorial-lifecycle-workflows/graph-add-manager.png" alt-text="Screenshot of Adding a manager in Graph explorer." lightbox="media/tutorial-lifecycle-workflows/graph-add-manager.png":::

+6. Now, we can verify that the manager has been set correctly by changing the **PUT** to **GET**.

+7. Make sure `https://graph.microsoft.com/v1.0/users/<id>/manager/` is in the box. The `<id>` is still that of Melva Prince.

+8. Select **Run query**. You should see Britta Simon returned in the Response.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/graph-get-manager.png" alt-text="Screenshot of getting a manager in Graph explorer." lightbox="media/tutorial-lifecycle-workflows/graph-get-manager.png":::

+### Enabling the Temporary Access Pass (TAP)

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+ 2. On the right, select **Azure Active Directory**.

+ 3. Select **Identity Governance**.

+ 4. Select **Lifecycle workflows**.

+ 5. On the **Overview** page, select **New workflow**.

+1. On the workflow screen, select the specific workflow you want to run.

+2. Select **Run on demand**.

+3. On the **select users** tab, select **add users**.

+4. Add a user.

+5. Select **Run workflow**.

+1. To begin, select the **Workflow history** tab on the left to view the user summary and associated workflow tasks and statuses.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/workflow-history-post-offboard.png" alt-text="Screenshot of the workflow history summary." lightbox="media/tutorial-lifecycle-workflows/workflow-history-post-offboard.png":::

+ :::image type="content" source="media/tutorial-lifecycle-workflows/user-summary-post-offboard.png" alt-text="Screenshot of the workflow history overview." lightbox="media/tutorial-lifecycle-workflows/user-summary-post-offboard.png":::

+ :::image type="content" source="media/tutorial-lifecycle-workflows/total-tasks-post-offboard.png" alt-text="Screenshot of workflow's total tasks." lightbox="media/tutorial-lifecycle-workflows/total-tasks-post-offboard.png":::

+ :::image type="content" source="media/tutorial-lifecycle-workflows/failed-tasks-post-offboard.png" alt-text="Screenshot of workflow failed tasks." lightbox="media/tutorial-lifecycle-workflows/failed-tasks-post-offboard.png":::

+ :::image type="content" source="media/tutorial-lifecycle-workflows/canceled-tasks-post-offboard.png" alt-text="Screenshot of workflow unprocessed tasks." lightbox="media/tutorial-lifecycle-workflows/canceled-tasks-post-offboard.png":::

+Use the following steps to configure provisioning:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **Azure Active Directory**

+3. Select **Azure AD Connect**

+4. Select **Manage cloud sync**

+5. Select **New Configuration**

+6. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.

+7. The configuration status should now be **Healthy**.

+ `auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable`

+1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an admin with an Azure AD Premium P1 or P2 license.

+1. Sign in to the [Azure portal](https://portal.azure.com), then browse to **Azure Active Directory** and select **Enterprise applications**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Enterprise applications**, and then search for and select the application to which you want to assign the user or group account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.

+2. Select **Azure Active Directory**.

+3. Select **Manage**

+4. Select **Properties**

+5. Under **Tenant properties**, select **Manage security defaults**

+6. For **Enable Security defaults**, select **Yes**

+7. Select **Save**

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

+* Manage identities and access from a single control plane, the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) using an account with Application Admin permissions.

+* Manage identities and access from one control plane, the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

+* Manage identities and access from the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

+* Manage identities and access from the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

+* Manage identities and access from the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrator permissions.

+1. Sign in to the [Azure portal](https://portal.azure.com) using an account with permissions to create VMs, such as Contributor.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory** > **Enterprise applications**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **View** or **Manage Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then under **Manage Azure Active Directory**, select **View**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) with one of the roles listed in the prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select the resource you want to delete.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com). For **Azure resources**, navigate to **Privileged Identity Management** and select **Azure resources** under **Manage** from the dashboard. For **Azure AD roles**, select **Azure AD roles** from the same dashboard.

+1. Sign in to the [Azure portal](https://portal.azure.com) as a user that is assigned to one of the prerequisite role(s).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) with a user that is a member of the [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator) role.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) with Owner or User Access Administrator role permissions.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+* [Install and use the log analytics views for Azure Active Directory](howto-install-use-log-analytics-views.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Active Directory** > **App registrations**.

+* [How to use the Sign-in diagnostics](howto-use-sign-in-diagnostics.md)

+* [Create custom Azure Monitor queries using Azure PowerShell](../governance/entitlement-management-logs-and-reporting.md).

+1. Sign in to the [Azure portal](https://portal.azure.com) as Isabella Simonsen using an incorrect password.

+1. Sign in to the [Azure portal](https://portal.azure.com) as Isabella Simonsen using an incorrect password.

+## Create an alert rule

+## Add a query to a workbook template

+* [Assign Azure AD roles to groups](groups-assign-role.md)

+* A BigPanda account with the Single Sign On role set to Full Access. See [Roles and Resource Permissions](https://docs.bigpanda.io/docs/roles-management#roles-and-resource-permissions) in the BigPanda documentation for more information.

+ > These values are not real. Update these values with the actual Reply URL and Sign on URL. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the file and save it on your computer.

+ 

+1. On the **Set up BigPanda** section, copy the **Login URL**.

+To configure single sign-on on **BigPanda** side, please follow the instructions from [BigPanda documentation](https://docs.bigpanda.io/docs/azure-ad-active-directory).

+ `https://expense.certify.com`

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL based on your cloud exchange deployment. You can also contact [Netskope Cloud Exchange Administration Console support team](mailto:support@netskope.com) to get help to determine these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+To configure single sign-on on **Netskope Cloud Exchange Administration Console** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Netskope Cloud Exchange Administration Console support team](mailto:support@netskope.com). They set this setting to have the SAML SSO connection set properly on both sides

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. Search for **Verified ID** and select it.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to the key vault you use for this tutorial.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for *Verified ID*. Then, select **Verified ID**.

+1. Sign in to the [Azure portal](https://portal.azure.com) with your administrative account.

+Learn how to [manage a federated identity credential on a user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) in Azure Active Directory (Azure AD).

+## Input requirements

+Spatial Analysis works on videos that meet the following requirements:

+* The video must be in RTSP, rawvideo, MP4, FLV, or MKV format.

+* The video codec must be H.264, HEVC(H.265), rawvideo, VP9, or MPEG-4.

+The Document Intelligence invoice model uses powerful Optical Character Recognition (OCR) capabilities to analyze and extract key fields and line items from sales invoices, utility bills, and purchase orders. Invoices can be of various formats and quality including phone-captured images, scanned documents, and digital PDFs. The API analyzes invoice text; extracts key information such as customer name, billing address, due date, and amount due; and returns a structured JSON data representation. The model currently supports invoices in 27 languages.

+| &bullet; Czech (cs) | Czechoslovakia (cz)|

+| &bullet; Danish (da) | Denmark (dk)|

+| &bullet; Estonian (et) | Estonia (ee)|

+| &bullet; Finnish (fi) | Finland (fl)|

+| &bullet; Croation (hr) | Bosnia and Herzegovina (ba), Croatia (hr), Serbia (rs)|

+| &bullet; Hungarian (hu) | Hungary (hu)|

+| &bullet; Icelandic (is) | Iceland (is)|

+| &bullet; Japanese (ja) | Japan (ja)|

+| &bullet; Korean (ko) | Korea (kr)|

+| &bullet; Lithuanian (lt) | Lithuania (lt)|

+| &bullet; Latvian (lv) | Latvia (lv)|

+| &bullet; Malay (ms) | Malasia (ms)|

+| &bullet; Norwegian (nb) | Norway (no)|

+| &bullet; Polish (pl) | Poland (pl)|

+| &bullet; Romanian (ro) | Romania (ro)|

+| &bullet; Slovak (sk) | Slovakia (sv)|

+| &bullet; Slovenian (sl) | Slovenia (sl)|

+| &bullet; Serbian (sr-Latn) | Serbia (latn-rs)|

+| &bullet; Albanian (sq) | Albania (al)|

+| &bullet; Swedish (sv) | Sweden (se)|

+| &bullet; Chinese (simplified (zh-hans) | China (zh-hans-cn)|

+| &bullet; Chinese (traditional (zh-hant) | Hong Kong (zh-hant-hk), Taiwan (zh-hant-tw)|

+| Supported Currency Codes | Details |

+|:-|:|

+| &bullet; ARS | United States (us) |

+| &bullet; AUD | Australia (au) |

+| &bullet; BRL | United States (us) |

+| &bullet; CAD | Canada (ca) |

+| &bullet; CLP | United States (us) |

+| &bullet; CNY | United States (us) |

+| &bullet; COP | United States (us) |

+| &bullet; CRC | United States (us) |

+| &bullet; CZK | United States (us) |

+| &bullet; DKK | United States (us) |

+| &bullet; EUR | United States (us) |

+| &bullet; GBP | United Kingdom (uk) |

+| &bullet; HUF | United States (us) |

+| &bullet; IDR | United States (us) |

+| &bullet; INR | United States (us) |

+| &bullet; ISK | United States (us) |

+| &bullet; JPY | Japan (jp) |

+| &bullet; KRW | United States (us) |

+| &bullet; NOK | United States (us) |

+| &bullet; PAB | United States (us) |

+| &bullet; PEN | United States (us) |

+| &bullet; PLN | United States (us) |

+| &bullet; RON | United States (us) |

+| &bullet; RSD | United States (us) |

+| &bullet; SEK | United States (us) |

+| &bullet; TWD | United States (us) |

+| &bullet; USD | United States (us) |

+The prebuilt invoice **2022-06-30** and later releases support the optional return of key-value pairs. By defualt the return of key-value pairs is disabled. Key-value pairs are specific spans within the invoice that identify a label or key and its associated response or value. In an invoice, these pairs could be the label and the value the user entered for that field or telephone number. The AI model is trained to extract identifiable keys and values based on a wide variety of document types, formats, and structures.

+ In the abstractive conversation summarization scenario, each conversation (whether it has a provided label or not) is expected to be provided in a .json file, which is similar to the input format for our [pre-built conversation summarization service](https://learn.microsoft.com/rest/api/language/2023-04-01/analyze-conversation/submit-job?tabs=HTTP#textconversation). The following is an example conversation of three turns between two speakers (Agent and Customer).

+```json

+{

+ "conversationItems": [

+ {

+ "text": "Hello, how can I help you?",

+ "modality": "text",

+ "id": "1",

+ "participantId": "Agent",

+ "role": "Agent"

+ },

+ {

+ "text": "How do I upgrade office? I have been getting error messages all day.",

+ "modality": "text",

+ "id": "2",

+ "participantId": "Customer",

+ "role": "Customer"

+ },

+ {

+ "text": "Please press the upgrade button, then sign in and follow the instructions.",

+ "modality": "text",

+ "id": "3",

+ "participantId": "Agent",

+ "role": "Agent"

+ }

+ ],

+ "modality": "text",

+ "id": "conversation1",

+ "language": "en"

+}

+```

+## Sample mapping JSON format

+The JSON file is expected to contain the following fields:

+{

+ projectFileVersion": The version of the exported project,

+ "stringIndexType": Specifies the method used to interpret string offsets. For additional information see https://aka.ms/text-analytics-offsets,

+ "metadata": {

+ "projectKind": The project kind you need to import. Values for summarization are CustomAbstractiveSummarization and CustomConversationSummarization. Both projectKind fields must be identical.,

+ "storageInputContainerName": The name of the storage container that contains the documents/conversations and the summaries,

+ "projectName": a string project name,

+ "multilingual": A flag denoting whether this project should allow multilingual documents or not. For Summarization this option is turned off,

+ "description": a string project description,

+ "language": The default language of the project. Possible values are ΓÇ£enΓÇ¥ and ΓÇ£en-usΓÇ¥

+ },

+ "assets": {

+ "projectKind": The project kind you need to import. Values for summarization are CustomAbstractiveSummarization and CustomConversationSummarization. Both projectKind fields must be identical.,

+ "documents": a list of document-label pairs, each is defined with three fields:[

+ {

+ "summaryLocation": a string path to the summary txt (for documents) or json (for conversations) file,

+ "location": a string path to the document txt (for documents) or json (for conversations) file,

+ "language": The language of the documents. Possible values are ΓÇ£enΓÇ¥ and ΓÇ£en-usΓÇ¥

+ }

+ ]

+ }

+```

+## Custom document summarization mapping sample

+## Custom conversation summarization mapping sample

+The following is an example mapping file for the abstractive conversation summarization scenario with three documents and corresponding labels.

+```json

+{

+ "projectFileVersion": "2022-10-01-preview",

+ "stringIndexType": "Utf16CodeUnit",

+ "metadata": {

+ "projectKind": "CustomAbstractiveSummarization",

+ "storageInputContainerName": "abstractivesummarization",

+ "projectName": "sample_custom_summarization",

+ "multilingual": false,

+ "description": "Creating a custom summarization model",

+ "language": "en-us"

+ }

+ "assets": {

+ "projectKind": "CustomAbstractiveSummarization",

+ "documents": [

+ {

+ "summaryLocation": "conv1_summary.txt",

+ "location": "conv1.json",

+ "language": "en-us"

+ },

+ {

+ "summaryLocation": "conv2_summary.txt",

+ "location": "conv2.json",

+ "language": "en-us"

+ },

+ {

+ "summaryLocation": "conv3_summary.txt",

+ "location": "conv3.json",

+ "language": "en-us"

+ }

+ ]

+ }

+}

+```

+> Metrics Advisor resource administrators need to configure the Email settings, and input **SMTP related information** into Metrics Advisor before anomaly alerts can be sent. The resource group admin or subscription admin needs to assign at least one *Cognitive Services Metrics Advisor Administrator* role in the Access control tab of the Metrics Advisor resource. [Learn more about e-mail settings configuration](../faq.yml#how-to-set-up-email-settings-and-enable-alerting-by-email-).

+- A user with the subscription administrator or resource group administrator privileges needs to navigate to the Metrics Advisor resource that was created in the Azure portal, and select the Access control (IAM) tab.

+- Pick a role of 'Cognitive Services Metrics Advisor Administrator', select your account as in the image below.

+ |Cognitive Services QnA Maker Reader|

+ |Cognitive Services QnA Maker Editor|

+ |Cognitive Services User|

+| `type` | Specifies where and how to add silence. The following silence types are supported:<br/><ul><li>`Leading` ΓÇô Additional silence at the beginning of the text. The value that you set is added to the natural silence before the start of text.</li><li>`Leading-exact` ΓÇô Silence at the beginning of the text. The value is an absolute silence length.</li><li>`Tailing` ΓÇô Additional silence at the end of text. The value that you set is added to the natural silence after the last word.</li><li>`Tailing-exact` ΓÇô Silence at the end of the text. The value is an absolute silence length.</li><li>`Sentenceboundary` ΓÇô Additional silence between adjacent sentences. The actual silence length for this type includes the natural silence after the last word in the previous sentence, the value you set for this type, and the natural silence before the starting word in the next sentence.</li><li>`Sentenceboundary-exact` ΓÇô Silence between adjacent sentences. The value is an absolute silence length.</li><li>`Comma-exact` ΓÇô Silence at the comma in half-width or full-width format. The value is an absolute silence length.</li><li>`Semicolon-exact` ΓÇô Silence at the semicolon in half-width or full-width format. The value is an absolute silence length.</li><li>`Enumerationcomma-exact` ΓÇô Silence at the enumeration comma in full-width format. The value is an absolute silence length.</li></ul><br/>An absolute silence type (with the `-exact` suffix) replaces any otherwise natural leading or trailing silence. Absolute silence types take precedence over the corresponding non-absolute type. For example, if you set both `Leading` and `Leading-exact` types, the `Leading-exact` type will take effect. The [WordBoundary event](how-to-speech-synthesis.md#subscribe-to-synthesizer-events) takes precedence over punctuation-related silence settings including `Comma-exact`, `Semicolon-exact`, or `Enumerationcomma-exact`. When using both the `WordBoundary` event and punctuation-related silence settings, the punctuation-related silence settings won't take effect.| Required |

+The multilingual voices `en-US-JennyMultilingualV2Neural` and `en-US-RyanMultilingualNeural` auto-detect the language of the input text. However, you can still use the `<lang>` element to adjust the speaking language for these voices.

+|Greek|`el`|No|No|

+>

+> Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the [AKS Kubernetes release calendar](./supported-kubernetes-versions.md#aks-kubernetes-release-calendar) for information on AKS version support windows.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

+>

+> |Kubernetes version | OSM version installed |

+> ||--|

+> | 1.24.0 or greater | 1.2.5 |

+> | Between 1.23.5 and 1.24.0 | 1.1.3 |

+> | Below 1.23.5 | 1.0.0 |

+>

+> Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the [AKS Kubernetes release calendar](./supported-kubernetes-versions.md#aks-kubernetes-release-calendar) for information on AKS version support windows.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

+> |Kubernetes version | OSM version installed |

+> ||--|

+> | 1.24.0 or greater | 1.2.5 |

+> | Between 1.23.5 and 1.24.0 | 1.1.3 |

+> | Below 1.23.5 | 1.0.0 |

+>

+> Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the [AKS Kubernetes release calendar](./supported-kubernetes-versions.md#aks-kubernetes-release-calendar) for information on AKS version support windows.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

+>

+> |Kubernetes version | OSM version installed |

+> ||--|

+> | 1.24.0 or greater | 1.2.5 |

+> | Between 1.23.5 and 1.24.0 | 1.1.3 |

+> | Below 1.23.5 | 1.0.0 |

+>

+> Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the [AKS Kubernetes release calendar](./supported-kubernetes-versions.md#aks-kubernetes-release-calendar) for information on AKS version support windows.

+> [!NOTE]

+> Migrating control plane identity from system-assigned to user-assigned doesn't cause any downtime for control plane and agent pools. Meanwhile, control plane components will keep using old system-assigned identity for several hours until the next token refresh.

+#### [REST API](#tab/PowerShell)

+```JSON

+{

+ "properties": {

+ "loggerType": "azureEventHub",

+ "description": "adding a new logger with system assigned managed identity",

+ "credentials": {

+ "endpointAddress":"<EventHubsNamespace>.servicebus.windows.net/<EventHubName>",

+ "identityClientId":"SystemAssigned",

+ "name":"<EventHubName>"

+ }

+ }

+}

+```

+For this tutorial, you use the compose file from [Docker](https://docs.docker.com/samples/wordpress/), but you'll modify it to include Azure Database for MySQL, persistent storage, and Redis. The configuration file can be found at [Azure Samples](https://github.com/Azure-Samples/multicontainerwordpress). In the sample below, note that `depends_on` is an **unsupported option** and is ignored. For supported configuration options, see [Docker Compose options](configure-custom-container.md#docker-compose-options).

+## Latest Release (Recommended)

+July 24, 2023 - 0.4.023961 - Improved Ingress support

+## Release history

+ --version 0.4.023961 \

+ --version 0.4.023961 \

+ "Antimalware/Enable": true,

+ "Antimalware/EnableRealTimeProtection": true,

+ "Antimalware/RunScheduledScan": true,

+ "Backup/Enable": true,

+ "WindowsAdminCenter/Enable": true,

+ "GuestConfiguration/Enable": true,

+ "DefenderForCloud/Enable": true,

+ Title: Monitor GitOps (Flux v2) status and activity

+description: Learn how to monitor status, compliance, resource consumption, and reconciliation activity for GitOps with Flux v2.

+# Monitor GitOps (Flux v2) status and activity

+We provide dashboards to help you monitor status, compliance, resource consumption, and reconciliation activity for GitOps with Flux v2 in your Azure Arc-enabled Kubernetes clusters or Azure Kubernetes Service (AKS) clusters. These JSON dashboards can be imported to Grafana to help you view and analyze your data in real time.

+## Prerequisites

+To import and use these dashboards, you need:

+- One or more existing Arc-enabled Kubernetes clusters or AKS clusters.

+- The [microsoft.flux extension](extensions-release.md#flux-gitops) installed on the clusters.

+- At least one [Flux configuration](tutorial-use-gitops-flux2.md) created on the clusters.

+## Monitor deployment and compliance status

+Follow these steps to import dashboards that let you monitor Flux extension deployment and status across clusters, and the compliance status of Flux configuration on those clusters.

+> [!NOTE]

+> These steps describe the process for importing the dashboard to [Azure Managed Grafana](/azure/managed-grafana/overview). You can also [import this dashboard to any Grafana instance](https://grafana.com/docs/grafana/latest/dashboards/manage-dashboards/#import-a-dashboard). With this option, a service principal must be used; managed identity is not supported for data connection outside of Azure Managed Grafana.

+1. Create an Azure Managed Grafana instance by using the [Azure portal](/azure/managed-grafana/quickstart-managed-grafana-portal) or [Azure CLI](/azure/managed-grafana/quickstart-managed-grafana-cli). This connection lets the dashboard access Azure Resource Graph.

+1. [Create the Azure Monitor Data Source connection](https://grafana.com/docs/grafana/latest/datasources/azure-monitor/) in your Azure Managed Grafana instance.

+1. Ensure that the user account that will access the dashboard has the **Reader** role on the subscriptions and/or resource groups where the clusters are located.

+ If you're using a managed identity, follow these steps to enable this access:

+ 1. In the Azure portal, navigate to the subscription that you want to add.

+ 1. Select **Access control (IAM)**.

+ 1. Select **Add role assignment**.

+ 1. Select the **Reader** role, then select **Next**.

+ 1. On the **Members** tab, select **Managed identity**, then choose **Select members**.

+ 1. From the **Managed identity** list, select the subscription where you created your Azure Managed Grafana Instance. Then select **Azure Managed Grafana** and the name of your Azure Managed Grafana instance.

+ 1. Select **Review + Assign**.

+ If you're using a service principal, grant the **Reader** role to the service principal that you'll use for your data source connection. Follow these same steps, but select **User, group, or service principal** in the **Members** tab, then select your service principal. (If you aren't using Azure Managed Grafana, you must use a service principal for data connection access.)

+1. Download the [GitOps Flux - Application Deployments Dashboard](https://github.com/Azure/fluxv2-grafana-dashboards/blob/main/dashboards/GitOps%20Flux%20-%20Application%20Deployments%20Dashboard.json).

+1. Follow the steps to [import the JSON dashboard to Grafana](/azure/managed-grafana/how-to-create-dashboard#import-a-json-dashboard).

+After you have imported the dashboard, it will display information from the clusters that you're monitoring, with several panels that provide details. For more details on an item, select the link to visit the Azure portal, where you can find more information about configurations, errors and logs.

+The **Flux Extension Deployment Status** table lists all clusters where the Flux extension is deployed, along with current deployment status.

+The **Flux Configuration Compliance Status** table lists all Flux configurations created on the clusters, along with their compliance status. To see status and error logs for configuration objects such as Helm releases and kustomizations, select the **Non-Compliant** link from the **ComplianceState** column.

+The **Count of Flux Extension Deployments by Status** chart shows the count of clusters, based on their provisioning state.

+The **Count of Flux Configurations by Compliance Status** chart shows the count of Flux configurations, based on their compliance status with respect to the source repository.

+## Monitor resource consumption and reconciliations

+Follow these steps to import dashboards that let you monitor Flux resource consumption, reconciliations, API requests, and reconciler status.

+1. Follow the steps to [create an Azure Monitor Workspace](/azure/azure-monitor/essentials/azure-monitor-workspace-manage).

+1. Create an Azure Managed Grafana instance by using the [Azure portal](/azure/managed-grafana/quickstart-managed-grafana-portal) or [Azure CLI](/azure/managed-grafana/quickstart-managed-grafana-cli).

+1. Enable Prometheus metrics collection on the [AKS clusters](/azure/azure-monitor/essentials/azure-monitor-workspace-manage) and/or [Arc-enabled Kubernetes clusters](/azure/azure-monitor/essentials/prometheus-metrics-from-arc-enabled-cluster) that you want to monitor.

+1. Configure Azure Monitor Agent to scrape the Azure Managed Flux metrics by creating a [configmap](/azure/azure-monitor/essentials/prometheus-metrics-scrape-configuration):

+ ```yaml

+ kind: ConfigMap

+ apiVersion: v1

+ data:

+ schema-version:

+ #string.used by agent to parse config. supported versions are {v1}. Configs with other schema versions will be rejected by the agent.

+ v1

+ config-version:

+ #string.used by customer to keep track of this config file's version in their source control/repository (max allowed 10 chars, other chars will be truncated)

+ ver1

+ default-scrape-settings-enabled: |-

+ kubelet = true

+ coredns = false

+ cadvisor = true

+ kubeproxy = false

+ apiserver = false

+ kubestate = true

+ nodeexporter = true

+ windowsexporter = false

+ windowskubeproxy = false

+ kappiebasic = true

+ prometheuscollectorhealth = false

+ # Regex for which namespaces to scrape through pod annotation based scraping.

+ # This is none by default. Use '.*' to scrape all namespaces of annotated pods.

+ pod-annotation-based-scraping: |-

+ podannotationnamespaceregex = "flux-system"

+ default-targets-scrape-interval-settings: |-

+ kubelet = "30s"

+ coredns = "30s"

+ cadvisor = "30s"

+ kubeproxy = "30s"

+ apiserver = "30s"

+ kubestate = "30s"

+ nodeexporter = "30s"

+ windowsexporter = "30s"

+ windowskubeproxy = "30s"

+ kappiebasic = "30s"

+ prometheuscollectorhealth = "30s"

+ podannotations = "30s"

+ metadata:

+ name: ama-metrics-settings-configmap

+ namespace: kube-system

+ ```

+

+1. Download the [Flux Control Plane](https://github.com/Azure/fluxv2-grafana-dashboards/blob/main/dashboards/Flux%20Control%20Plane.json) and [Flux Cluster Stats](https://github.com/Azure/fluxv2-grafana-dashboards/blob/main/dashboards/Flux%20Control%20Plane.json) dashboards.

+1. Follow the steps to [import these JSON dashboards to Grafana](/azure/managed-grafana/how-to-create-dashboard#import-a-json-dashboard).

+After you have imported the dashboards, they'll display information from the clusters that you're monitoring.

+The **Flux Control Plane** dashboard shows details about status resource consumption, reconciliations at the cluster level, and Kubernetes API requests.

+The **Flux Cluster Stats** dashboard shows details about the number of reconcilers, along with the status and execution duration of each reconciler.

+## Filter dashboard data

+You can filter data in these dashboards to change the information shown. For example, you can show data for only certain subscriptions or resource groups, or limit data to a particular cluster. To do so, select the filter option from any column header.

+For example, in the **Flux Configuration Compliance Status** table on the **Application Deployments** dashboard, you can select a specific commit from the **SourceLastSyncCommit** column. By doing so, you can track the status of a configuration deployment for all of the clusters affected by that commit.

+In the **Application Deployments** dashboard, some fields in the **Flux Extension Deployment Status** and **Flux Configuration Compliance Status** panels are hidden by default (such as **SubscriptionID**, **ResourceGroupName**, and **ClusterType**). To show hidden fields, select the panel and then select **Edit**. On the **Overrides** tab, find the field you want to show, then unselect the **Hide in table** option.

+## Next steps

+- Review our tutorial on [using GitOps with Flux v2 to manage configuration and application deployment](tutorial-use-gitops-flux2.md).

+- Learn about [Azure Monitor Container Insights](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json&bc=/azure/azure-arc/kubernetes/breadcrumb/toc.json).

+ "minMessageBatchSize": 1,

+ "maxBatchWaitTime": "00:00:30",

+|**minMessageBatchSize**¹|`1`|The minimum number of messages desired in a batch. The minimum applies only when the function is receiving multiple messages and must be less than `maxMessageBatchSize`. <br/> The minimum size isn't strictly guaranteed. A partial batch is dispatched when a full batch can't be prepared before the `maxBatchWaitTime` has elapsed.|

+|**maxBatchWaitTime**¹|`00:00:30`|The maximum interval that the trigger should wait to fill a batch before invoking the function. The wait time is only considered when `minMessageBatchSize` is larger than 1 and is ignored otherwise. If less than `minMessageBatchSize` messages were available before the wait time elapses, the function is invoked with a partial batch. The longest allowed wait time is 50% of the entity message lock duration, meaning the maximum allowed is 2 minutes and 30 seconds. Otherwise, you may get lock exceptions. <br/><br/>**NOTE:** This interval is not a strict guarantee for the exact timing on which the function is invoked. There is a small magin of error due to timer precision.|

+¹ Using `minMessageBatchSize` and `maxBatchWaitTime` requires [v5.10.0](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.ServiceBus/5.10.0) of the `Microsoft.Azure.WebJobs.Extensions.ServiceBus` package, or a later version.

+In the [Azure Maps routing coverage tables], the following information is available.

+The Calculate Route service calculates a route between an origin and a destination, passing through waypoints if they're specified. For more information, see [Get Route Directions] in the REST API documentation.

+The Calculate Reachable Range service calculates a set of locations that can be reached from the origin point. For more information, see [Get Route Range] in the REST API documentation.

+The Matrix Routing service calculates travel time and distance between all possible pairs in a list of origins and destinations. It doesn't provide any detailed information about the routes. You can get one-to-many, many-to-one, or many-to-many route options simply by varying the number of origins and/or destinations. For more information, see [Matrix Routing service] in the REST API documentation.

+Delivers real-time information about traffic jams, road closures, and a detailed view of the current speed and travel times across the entire road network. For more information, see [Traffic service] in the REST API documentation.

+The Azure Maps Truck Routing API provides travel routes that take truck attributes into consideration. Truck attributes include things such as width, height, weight, turning radius and type of cargo. This is important as not all trucks can travel the same routes as other vehicles. Here are some examples:

+Azure Maps supports truck routing in the countries/regions indicated in the following tables.

+For more information about Azure Maps routing, see the [Routing service] documentation.

+- Check out coverage for [Geocoding].

+- Check out coverage for [Traffic].

+- Check out coverage for [Render].

+[Azure Maps routing coverage tables]: #azure-maps-routing-coverage-tables

+[Geocoding]: geocoding-coverage.md

+[Get Route Directions]: /rest/api/maps/route/get-route-directions

+[Get Route Range]: /rest/api/maps/route/get-route-range

+[Matrix Routing service]: /rest/api/maps/route/post-route-matrix

+[Render]: render-coverage.md

+[Routing service]: /rest/api/maps/route

+[Traffic service]: /rest/api/maps/traffic

+[Traffic]: traffic-coverage.md

+The Azure Maps Web SDK provides a [drawing tools module]. This module makes it easy to draw and edit shapes on the map using an input device such as a mouse or touch screen. The core class of this module is the [drawing manager]. The drawing manager provides all the capabilities needed to draw and edit shapes on the map. It can be used directly, and it's integrated with a custom toolbar UI. You can also use the built-in [DrawingToolbar class].

+> [DrawingToolbar class]

+[DrawingToolbar class]: /javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar

+The Azure Maps Web SDK provides a helper function called [atlas.isSupported]. This function detects whether a web browser has the minimum set of WebGL features required to support loading and rendering the map control. Here's an example of how to use the function:

+See also [Target legacy browsers] later in this article.

+> If you're embedding a map inside a mobile application by using a WebView control, you might prefer to use the [npm package of the Azure Maps Web SDK] instead of referencing the version of the SDK that's hosted on Azure Content Delivery Network. This approach reduces loading time because the SDK is already be on the user's device and doesn't need to be downloaded at run time.

+- Services module ([documentation] | [npm module])

+You might want to target older browsers that don't support WebGL or that have only limited support for it. In such cases, you can use Azure Maps services together with an open-source map control like [Leaflet].

+> [Map control]

+> [Services module]

+[atlas.isSupported]: /javascript/api/azure-maps-control/atlas#issupported-boolean-

+[Azure Maps community - Open-source projects]: open-source-projects.md#third-party-map-control-plugins

+[documentation]: how-to-use-services-module.md

+[Leaflet]: https://leafletjs.com

+[Map control]: how-to-use-map-control.md

+[npm module]: https://www.npmjs.com/package/azure-maps-rest

+[npm package of the Azure Maps Web SDK]: https://www.npmjs.com/package/azure-maps-control

+[Render Azure Maps in Leaflet sample source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Third%20Party%20Map%20Controls/Render%20Azure%20Maps%20in%20Leaflet/Render%20Azure%20Maps%20in%20Leaflet.html

+[Render Azure Maps in Leaflet]: https://samples.azuremaps.com/third-party-map-controls/render-azure-maps-in-leaflet

+[Services module]: how-to-use-services-module.md

+[Target legacy browsers]: #Target-Legacy-Browsers

+ Title: Localization support in Microsoft Azure Maps

+description: Lists the regions Azure Maps supports with services such as maps, search, routing, weather, and traffic incidents, and shows how to set up the View parameter.

+² Neutral Ground Truth (Latin) - Latin exonyms are used if available

+Azure Maps **View** parameter (also referred to as "user region parameter") is a two letter ISO-3166 Country Code that will show the correct maps for that country/region specifying which set of geopolitically disputed content is returned via Azure Maps services, including borders and labels displayed on the map.

+By default, the View parameter is set to **Unified**, even if you haven't defined it in the request. Determine the location of your users. Then, set the **View** parameter correctly for that location. Alternatively, you can set 'View=Auto', which returns the map data based on the IP address of the request. The **View** parameter in Azure Maps must be used in compliance with applicable laws, including those laws about mapping of the country/region where maps, images, and other data and third-party content that you're authorized to access via Azure Maps is made available.

+Azure Maps supports several different built-in map styles as described in this article.

+>The procedure in this section requires an Azure Maps account in Gen 1 or Gen 2 pricing tier. For more information on pricing tiers, see [Choose the right pricing tier in Azure Maps].

+* [Map image]

+* [Map tile]

+The **blank** and **blank_accessible** map styles provide a blank canvas for visualizing data. The **blank_accessible** style continues to provide screen reader updates with map's location details, even though the base map isn't displayed.

+* [Satellite tile]

+* [Map image]

+* [Map tile]

+* [Map tile]

+| `blank` | N/A | No | A blank canvas useful for developers who want to use their own tiles as the base map, or want to view their data without any background. The screen reader doesn't rely on the vector tiles for descriptions. |

+| `blank_accessible` | N/A | Yes | This map style continues to load the vector tiles used to render the map, but makes that data transparent. This way the data still loads, and can be used to power the screen reader. |

+| `grayscale_dark` | Partial | Yes | Primarily designed for business intelligence scenarios. Also useful for overlaying colorful layers such as weather radar imagery. |

+| `high_contrast_dark` | Yes | Yes | Fully accessible map style for users in high contrast mode with a dark setting. When the map loads, high contrast settings are automatically detected. |

+| `high_contrast_light` | Yes | Yes | Fully accessible map style for users in high contrast mode with a light setting. When the map loads, high contrast settings are automatically detected. |

+| `road` | Partial | Yes | The main colorful road map style in Azure Maps. Due to the number of different colors and possible overlapping color combinations, it's nearly impossible to make it 100% accessible. That said, this map style goes through regular accessibility testing and is improved as needed to make labels clearer to read. |

+| `road_shaded_relief` | Partial | Yes | Similar to the main road map style, but has an added tile layer in the background that adds shaded relief of mountains and land cover coloring when zoomed out. |

+| `satellite_with_roads` | No | Yes | Satellite and aerial imagery, with labels and road lines overlaid. On a global scale, there's an unlimited number of color combinations that may occur between the overlaid data and the imagery. A focus on making labels readable in most common scenarios, however, in some places the color contrast with the background imagery may make labels difficult to read. |

+> [Choose a map style]

+[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md

+[Map image]: /rest/api/maps/render/getmapimage

+[Map tile]: /rest/api/maps/render/getmaptile

+[Satellite tile]: /rest/api/maps/render/getmapimagerytilepreview

+[Choose a map style]: choose-map-style.md

+ Title: Search Categories

+When doing a [category search] for points of interest, there are over a hundred supported categories. The following list contains the category codes for supported category names. Category codes are generated for top-level categories. All sub categories share same category code. This category list is subject to change with new data releases.

+| GOVERNMENT\_OFFICE | order 5 area, order 8 area, order 9 area, order 2 area, order 7 area, order 3 area, supra national, order 4 area, order 6 area, government office, diplomatic facility, United States government establishment, local government office, customs house, customs post |

+| HOSPITAL\_POLYCLINIC | special, hospital of Chinese medicine, hospital for women, children, general, hospital/polyclinic |

+| ZOOS\_ARBORETA\_BOTANICAL\_GARDEN | wildlife park, aquatic zoo marine park, arboreta botanical gardens, zoo, zoos, arboreta botanical garden |

+[category search]: /rest/api/maps/search/getsearchpoicategory

+The Azure Maps REST APIs can be called from languages such as Python and R to enable geospatial data analysis and machine learning scenarios. Azure Maps offers a robust set of [routing APIs] that allow users to calculate routes between several data points. The calculations are based on various conditions, such as vehicle type or reachable area.

+> * Create and run a Jupyter Notebook file on [Azure Notebooks] in the cloud.

+1. Go to [Azure Notebooks] and sign in. For more information, see [Quickstart: Sign in and set a user ID].

+1. After your project is created, download this [Jupyter Notebook document file] from the [Azure Maps Jupyter Notebook repository].

+1. Download the [*requirements.txt*] file from the [Azure Maps Jupyter Notebook repository], and then upload it to your project.

+Because the company prefers to use routes that require a balance of economy and speed, the requested routeType is *eco*. The following script calls the [Get Route Range API] of the Azure Maps routing service. It uses parameters for the vehicle's consumption model. The script then parses the response to create a polygon object of the geojson format, which represents the car's maximum reachable range.

+The following script calls the Azure Maps [Post Search Inside Geometry API]. It searches for charging stations for electric vehicle, within the boundaries of the car's maximum reachable range. Then, the script parses the response to an array of reachable locations.

+It's helpful to visualize the charging stations and the boundary for the maximum reachable range of the electric vehicle on a map. To do so, upload the boundary data and charging stations data as geojson objects to Azure Maps Data service. Use the [Data Upload API].

+After you've uploaded the data to the data service, call the Azure Maps [Get Map Image service]. This service is used to render the charging points and maximum reachable boundary on the static map image by running the following script:

+The following script calls the Azure Maps [Matrix Routing API]. It returns the specified vehicle location, the travel time, and the distance to each charging station. The script in the next cell parses the response to locate the closest reachable charging station with respect to time.

+Now that you've found the closest charging station, you can call the [Get Route Directions API] to request the detailed route from the electric vehicle's current location to the charging station.

+To help visualize the route, you first upload the route data as a geojson object to Azure Maps Data service. To do so, use the Azure Maps [Data Upload API]. Then, call the rendering service, [Get Map Image API]), to render the route on the map, and visualize it.

+* [Get Route Range]

+* [Post Search Inside Geometry]

+* [Data Upload]

+* [Render - Get Map Image]

+* [Post Route Matrix]

+* [Get Route Directions]

+* [Azure Maps REST APIs]

+> [Azure Notebooks]

+[Azure Maps Jupyter Notebook repository]: https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook

+[Azure Maps REST APIs]: ./consumption-model.md

+[Azure Notebooks]: https://notebooks.azure.com

+[Data Upload API]: /rest/api/maps/data-v2/upload

+[Data Upload]: /rest/api/maps/data-v2/upload

+[Get Map Image API]: /rest/api/maps/render/getmapimage

+[Get Map Image service]: /rest/api/maps/render/getmapimage

+[Get Route Directions API]: /rest/api/maps/route/getroutedirections

+[Get Route Directions]: /rest/api/maps/route/getroutedirections

+[Get Route Range API]: /rest/api/maps/route/getrouterange

+[Get Route Range]: /rest/api/maps/route/getrouterange

+[Jupyter Notebook document file]: https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook/blob/master/AzureMapsJupyterSamples/Tutorials/EV%20Routing%20and%20Reachable%20Range/EVrouting.ipynb

+[Matrix Routing API]: /rest/api/maps/route/postroutematrix

+[Post Route Matrix]: /rest/api/maps/route/postroutematrix

+[Post Search Inside Geometry API]: /rest/api/maps/search/postsearchinsidegeometry

+[Post Search Inside Geometry]: /rest/api/maps/search/postsearchinsidegeometry

+[Quickstart: Sign in and set a user ID]: https://notebooks.azure.com

+[Render - Get Map Image]: /rest/api/maps/render/getmapimage

+[*requirements.txt*]: https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook/blob/master/AzureMapsJupyterSamples/Tutorials/EV%20Routing%20and%20Reachable%20Range/requirements.txt

+[routing APIs]: /rest/api/maps/route

+[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+*A construction site manager must track equipment as it enters and leaves the perimeters of a construction area. Whenever a piece of equipment exits or enters these perimeters, an email notification is sent to the Operations Manager.*

+Azure Maps provides services to support the tracking of equipment entering and exiting the construction area. In this tutorial, you will:

+> * Upload [Geofencing GeoJSON data] that defines the construction site areas you want to monitor. You'll use the [Data Upload API] to upload geofences as polygon coordinates to your Azure Maps account.

+> * Set up two [logic apps] that, when triggered, send email notifications to the construction site operations manager when equipment enters and exits the geofence area.

+> * Use [Azure Event Grid] to subscribe to enter and exit events for your Azure Maps geofence. You set up two webhook event subscriptions that call the HTTP endpoints defined in your two logic apps. The logic apps then send the appropriate email notifications of equipment moving beyond or entering the geofence.

+> * Use [Search Geofence Get API] to receive notifications when a piece of equipment exits and enters the geofence areas.

+* This tutorial uses the [Postman] application, but you can use a different API development environment.

+>[!IMPORTANT]

+>

+> * In the URL examples, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

+The Geofence API async event requires the region property of your Azure Maps account be set to ***Global***. This setting isn't given as an option when creating an Azure Maps account in the Azure portal, however you do have several other options for creating a new Azure Maps account with the *global* region setting. This section lists the three methods that can be used to create an Azure Maps account with the region set to *global*.

+[Create your Azure Maps account using an ARM template], making sure to set `location` to `global` in the `resources` section of the ARM template.

+The Azure CLI command [az maps account create] doesnΓÇÖt have a location property, but defaults to `global`, making it useful for creating an Azure Maps account with a global region setting for use with the Geofence API async event.

+This tutorial demonstrates how to upload geofencing GeoJSON data that contains a `FeatureCollection`. The `FeatureCollection` contains two geofences that define polygonal areas within the construction site. The first geofence has no time expiration or restrictions. The second can only be queried against during business hours (9:00 AM-5:00 PM in the Pacific Time zone), and will no longer be valid after January 1, 2022. For more information on the GeoJSON format, see [Geofencing GeoJSON data].

+>You can update your geofencing data at any time. For more information, see [Data Upload API].

+5. Enter the following URL. The request should look like the following URL:

+11. Copy the value of the **Operation-Location** key, which is the `status URL`. The `status URL` is used to check the status of the GeoJSON data upload.

+5. Enter the `status URL` you copied in [Upload Geofencing GeoJSON data]. The request should look like the following URL:

+5. Enter the `resource Location URL` you copied in [Check the GeoJSON data upload status]. The request should look like the following URL:

+Next, create two [logic app] endpoints that trigger an email notification.

+1. Sign in to the [Azure portal].

+ > You can retrieve GeoJSON response data, such as `geometryId` or `deviceId`, in your email notifications. You can configure Logic Apps to read the data sent by Event Grid. For information on how to configure Logic Apps to consume and pass event data into email notifications, see [Tutorial: Send email notifications about Azure IoT Hub events using Event Grid and Logic Apps].

+Azure Maps supports [three event types]. This tutorial demonstrates how to create subscriptions to the following two events:

+Create geofence exit and enter event subscriptions:

+Next, we use the [Spatial Geofence Get API] to send email notifications to the Operations Manager when a piece of equipment enters or exits the geofences.

+The following diagram shows the five locations of the equipment over time, beginning at the *Start* location, which is somewhere outside the geofences. For the purposes of this tutorial, the *Start* location is undefined, because you don't query the device at that location.

+When you query the [Spatial Geofence Get API] with an equipment location that indicates initial geofence entry or exit, Event Grid calls the appropriate logic app endpoint to send an email notification to the Operations Manager.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the negative distance from the main site geofence means that the equipment is inside the geofence. The positive distance from the subsite geofence means that the equipment is outside the subsite geofence. Because this is the first time this device has been located inside the main site geofence, the `isEventPublished` parameter is set to `true`. The Operations Manager receives an email notification that equipment has entered the geofence.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the equipment has remained in the main site geofence and hasn't entered the subsite geofence. As a result, the `isEventPublished` parameter is set to `false`, and the Operations Manager doesn't receive any email notifications.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the equipment has remained in the main site geofence, but has entered the subsite geofence. As a result, the `isEventPublished` parameter is set to `true`. The Operations Manager receives an email notification indicating that the equipment has entered a geofence.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the equipment has remained in the main site geofence, but has exited the subsite geofence. Notice, however, that the `userTime` value is after the `expiredTime` as defined in the geofence data. As a result, the `isEventPublished` parameter is set to `false`, and the Operations Manager doesn't receive an email notification.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the equipment has exited the main site geofence. As a result, the `isEventPublished` parameter is set to `true`, and the Operations Manager receives an email notification indicating that the equipment has exited a geofence.

+You can also [Send email notifications using Event Grid and Logic Apps] and check [Supported Events Handlers in Event Grid] using Azure Maps.

+> [Handle content types in Azure Logic Apps]

+[Geofencing GeoJSON data]: geofence-geojson.md

+[Data Upload API]: /rest/api/maps/data-v2/upload

+[logic apps]: ../event-grid/handler-webhooks.md#logic-apps

+[Azure Event Grid]: ../event-grid/overview.md

+[Search Geofence Get API]: /rest/api/maps/spatial/getgeofence

+[Postman]: https://www.postman.com

+[Create your Azure Maps account using an ARM template]: how-to-create-template.md

+[az maps account create]: /cli/azure/maps/account?view=azure-cli-latest&preserve-view=true#az-maps-account-create

+[Upload Geofencing GeoJSON data]: #upload-geofencing-geojson-data

+[Check the GeoJSON data upload status]: #check-the-geojson-data-upload-status

+[logic app]: ../event-grid/handler-webhooks.md#logic-apps

+[Azure portal]: https://portal.azure.com

+[Tutorial: Send email notifications about Azure IoT Hub events using Event Grid and Logic Apps]: ../event-grid/publish-iot-hub-events-to-logic-apps.md

+[three event types]: ../event-grid/event-schema-azure-maps.md

+[Spatial Geofence Get API]: /rest/api/maps/spatial/getgeofence

+[Upload Geofencing GeoJSON data section]: #upload-geofencing-geojson-data

+[Send email notifications using Event Grid and Logic Apps]: ../event-grid/publish-iot-hub-events-to-logic-apps.md

+[Supported Events Handlers in Event Grid]: ../event-grid/event-handlers.md

+[Handle content types in Azure Logic Apps]: ../logic-apps/logic-apps-content-type.md

+You can access this workbook on the portal with preview enabled, or by clicking [workbook link here](https://ms.portal.azure.com/#blade/AppInsightsExtension/UsageNotebookBlade/ComponentId/Azure%20Monitor/ConfigurationId/community-Workbooks%2FAzure%20Monitor%20-%20Agents%2FAMA%20Health/Type/workbook/WorkbookTemplateName/AMA%20Health%20(Preview)). Try it out and [share your feedback](mailto:obs-agent-pms@microsoft.com) with us.

+> - Change to Workspace-based Application Insights.

+Container Insights offers the ability to collect Syslog events from Linux nodes in your [Azure Kubernetes Service (AKS)](../../aks/intro-kubernetes.md) clusters. This includes the ability to collect logs from control plane componemts like kubelet. Customers can also use Syslog for monitoring security and health events, typically by ingesting syslog into a SIEM system like [Microsoft Sentinel](https://azure.microsoft.com/products/microsoft-sentinel/#overview).

+| `Syslog | where SeverityLevel == "error"` | All Syslog records with severity of error |

+| `Syslog | summarize AggregatedValue = count() by Computer` | Count of Syslog records by computer |

+| `Syslog | summarize AggregatedValue = count() by Facility` | Count of Syslog records by facility |

+| `Syslog | where ProcessName == "kubelet"` | All Syslog records from the kubelet process |

+| `Syslog | where ProcessName == "kubelet" and SeverityLevel == "error"` | Syslog records from kubelet process with errors |

+## Demo video

+<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/eu1P_vLTZO0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

+## Support for custom images

+Azure Monitor Agent-based VM insights policy and initiative definitions have a `scopeToSupportedImages` parameter that's set to `true` by default to enable onboarding Dependency Agent on supported images only. Set this parameter to `false`to allow onboarding Dependency Agent on custom images.

+Download the [Azure Monitor agent templates](https://github.com/Azure/AzureMonitorForVMs-ArmTemplates/releases/download/vmi_ama_ga/DeployDcr.zip). You must first install the data collection rule and can then install agents to use that DCR.

+ Title: Migrate from deprecated VM insights policies

+description: This article explains how to migrate from deprecated VM insights policies to their replacement policies.

+# Migrate from deprecated VM insights policies

+We're deprecating the VM insights DCR deployment policies and replacing them with new policies because of a race condition issue. The deprecated policies will continue to work on existing assignments, but will no longer be available for new assignments. If you're using deprecated policies, we recommend you migrate to the new policies as soon as possible.

+This article explains how to migrate from deprecated VM insights policies to their replacement policies.

+## Prerequisites

+- An existing user-assigned managed identity.

+## Deprecated VM insights policies

+These policies are deprecated and will be removed in 2026. We recommend you migrate to the replacement policies as soon as possible:

+- [[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f7c4214e9-ea57-487a-b38e-310ec09bc21d)

+- [[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fa0f27bdc-5b15-4810-b81d-7c4df9df1a37)

+- [[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the virtual machine scale sets in the Resource Group](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fc7f3bf36-b807-4f18-82dc-f480ad713635)

+## New VM insights policies

+These policies replace the deprecated policies:

+- [Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f2ea82cdd-f2e8-4500-af75-67a2e084ca74)

+- [Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2feab1f514-22e3-42e3-9a1f-e1dc9199355c)

+## Migrate from deprecated VM insights policies to replacement policies

+1. [Download the Azure Monitor Agent-based VM insights data collection rule templates](https://github.com/Azure/AzureMonitorForVMs-ArmTemplates/releases/download/vmi_ama_ga/DeployDcr.zip).

+1. Deploy the VM insights data collection rule using an ARM template, as described in [Quickstart: Create and deploy ARM templates by using the Azure portal](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md#edit-and-deploy-the-template).

+ 1. Select **Build your own template in the editor** > **Load file** to upload the template you downloaded in the previous step.

+ - To collect only VM insights performance metrics, deploy the `ama-vmi-default-perf-dcr` data collection rule by uploading the **DeployDcr**>**PerfOnlyDcr**>**DeployDcrTemplate** file.

+ - To collect VM insights performance metrics and Service Map data, deploy the `ama-vmi-default-perfAndda-dcr` data collection rule by uploading the **DeployDcr**>**PerfAndMapDcr**>**DeployDcrTemplate** file.

+ 1. When the data collection rule deployment is complete, select **Go to resource** > **JSON View** and copy the data collection rule's **Resource ID**.

+1. Select one of the [new VM insights policies for Windows and Linux VMs](#new-vm-insights-policies).

+1. Select **Assign**.

+1. In the **Scope** field on the **Basics** tab, select your subscription and the resource group that contains the VMs you want to monitor.

+1. In the **Data Collection Rule Resource Id** field on the **Parameters** tab, paste the resource ID of the data collection rule you created in the previous step.

+1. On the **Remediation** tab:

+ 1. In the **Scope** field, select your subscription and the resource group that contains your user-assigned managed identity.

+ 2. Set **Type of managed identity** to **User Assigned Managed Identity** and select your user-assigned identity.

+## Next steps

+Learn how to:

+- [View VM insights Map](vminsights-maps.md) to see application dependencies.

+- [View Azure VM performance](vminsights-performance.md) to identify bottlenecks and overall utilization of your VM's performance.

+* Australia Central

+* Australia Central 2

+* Australia East

+* Australia Southeast

+* Brazil South

+* Canada Central

+* Central India

+* East Asia

+* East US

+* East US 2

+* France Central

+* Germany North

+* Germany West Central

+* Japan East

+* Japan West

+* Korea Central

+* North Central US

+* North Europe

+* Norway East

+* Norway West

+* Qatar Central

+* South Africa North

+* South India

+* Southeast Asia

+* Sweden Central

+* Switzerland North

+* Switzerland West

+* UAE Central

+* UAE North

+* West Europe

+* West US

+* West US 2

+* West US 3

+portal.azure.com

+reactblade.portal.azure.net

+graph.windows.net

+graph.microsoft.com

+signup.azure.com

+| Microsoft.DocumentDB/databaseAccounts | [listKeys](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/database-accounts/list-keys?tabs=HTTP) |

+| Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces | [listConnectionInfo](/rest/api/cosmos-db-resource-provider/2023-03-15-preview/notebook-workspaces/list-connection-info?tabs=HTTP) |

+param objectToFormat object = { prop: 'value' }

+output formatObject string = format('objectToFormat: {0}', objectToFormat)

+| formatTest | String | `Hello, User. Formatted number: 8,175,133` |

+| formatObject | String | `objectToFormat: {'prop':'value'}` |

+Strings are returned as-is. Other types are converted to their equivalent JSON representation.

+If you need to convert a string to JSON, i.e. quote/escape it, you can use `substring(string([value]), 1, length(string([value]) - 2)`.

+ '\'a\''

+ '"b"'

+ '\\c\\'

+param testString string = 'foo " \' \\'

+output stringOutput string = string(testString)

+output stringEscapedOutput string = substring(string([testString]), 1, length(string([testString])) - 2)

+| objectOutput | String | `{"valueA":10,"valueB":"Example Text"}` |

+| arrayOutput | String | `["'a'","\"b\"","\\c\\"]` |

+| intOutput | String | `5` |

+| stringOutput | String | `foo " ' \` |

+| stringEscapedOutput | String | `"foo \" ' \\"` |

+> The Bicep parameters file is only supported in [Bicep CLI](./install.md) version 0.18.4 or newer, and [Azure CLI](/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows) version 2.47.0 or newer.

+type <userDefinedDataTypeName> = <typeExpression>

+content_well_notification:

+ - AI-contribution

+An Azure resource provider is a set of REST operations that enable functionality for a specific Azure service. For example, the Key Vault service consists of a resource provider named **Microsoft.KeyVault**. The resource provider defines [REST operations](/rest/api/keyvault/) for managing vaults, secrets, keys, and certificates.

+The resource provider defines the Azure resources you can deploy to your account. A resource type's name follows the format: **{resource-provider}/{resource-type}**. The resource type for a key vault is **Microsoft.KeyVault/vaults**.

+Before you use a resource provider, you must make sure your Azure subscription is registered for the resource provider. Registration configures your subscription to work with the resource provider.

+> Register a resource provider only when you're ready to use it. This registration step helps maintain least privileges within your subscription. A malicious user can't use unregistered resource providers.

+>

+> Registering unnecessary resource providers may result in unrecognized apps appearing in your Azure Active Directory tenant. Microsoft adds the app for a resource provider when you register it. These apps are typically added by the Windows Azure Service Management API. To prevent unnecessary apps in your tenant, only register needed resource providers.

+Other resource providers are registered automatically when you take certain actions. When you create a resource through the portal, the resource provider is typically registered for you. When you deploy an Azure Resource Manager template or Bicep file, resource providers defined in the template are registered automatically. Sometimes, a resource in the template requires supporting resources that aren't in the template. Common examples are monitoring or security resources. You need to register those resource providers manually.

+Reregister a resource provider when the resource provider supports new locations that you need to use.

+ :::image type="content" source="./media/resource-providers-and-types/search-subscriptions.png" alt-text="Screenshot of searching for subscriptions in the Azure portal.":::

+ :::image type="content" source="./media/resource-providers-and-types/select-subscription.png" alt-text="Screenshot of selecting a subscription in the Azure portal.":::

+ :::image type="content" source="./media/resource-providers-and-types/select-resource-providers.png" alt-text="Screenshot of selecting resource providers in the Azure portal.":::

+1. Find the resource provider you want to register, and select **Register**. To maintain least privileges in your subscription, only register those resource providers that you're ready to use.

+ :::image type="content" source="./media/resource-providers-and-types/register-resource-provider.png" alt-text="Screenshot of registering a resource provider in the Azure portal.":::

+ > [!IMPORTANT]

+ > As [noted earlier](#register-resource-provider), **don't block the creation of resources** for a resource provider that is in the **registering** state. By not blocking a resource provider in the registering state, your application can continue much sooner than waiting for all regions to complete.

+1. **Re-register** a resource provider to use locations that have been added since the previous registration.

+ :::image type="content" source="./media/resource-providers-and-types/re-register-resource-provider.png" alt-text="Screenshot of reregistering a resource provider in the Azure portal.":::

+1. On the Azure portal menu, select **All services**.

+1. In the **All services** box, enter **resource explorer**, and then select **Resource Explorer**.

+ :::image type="content" source="./media/resource-providers-and-types/select-resource-explorer.png" alt-text="Screenshot of selecting All services in the Azure portal to access Resource Explorer.":::

+1. Expand **Providers** by selecting the right arrow.

+ :::image type="content" source="./media/resource-providers-and-types/select-providers.png" alt-text="Screenshot of expanding the Providers section in the Azure Resource Explorer.":::

+1. Expand a resource provider and resource type that you want to view.

+ :::image type="content" source="./media/resource-providers-and-types/select-resource-type.png" alt-text="Screenshot of expanding a resource provider and resource type in the Azure Resource Explorer.":::

+1. Resource Manager is supported in all regions, but the resources you deploy might not be supported in all regions. Also, there may be limitations on your subscription that prevent you from using some regions that support the resource. The resource explorer displays valid locations for the resource type.

+ :::image type="content" source="./media/resource-providers-and-types/show-locations.png" alt-text="Screenshot of displaying valid locations for a resource type in the Azure Resource Explorer.":::

+1. The API version corresponds to a version of the resource provider's REST API operations. As a resource provider enables new features, it releases a new version of the REST API. The resource explorer displays valid API versions for the resource type.

+ :::image type="content" source="./media/resource-providers-and-types/show-api-versions.png" alt-text="Screenshot of displaying valid API versions for a resource type in the Azure Resource Explorer.":::

+Reregister a resource provider to use locations that have been added since the previous registration. To reregister, run the registration command again.

+The API version corresponds to a version of the resource provider's REST API operations. As a resource provider enables new features, it releases a new version of the REST API.

+2023-05-01

+2022-10-01

+2022-06-01

+2022-01-01

+2021-06-01

+2021-01-01

+...

+The API version corresponds to a version of the resource provider's REST API operations. As a resource provider enables new features, it releases a new version of the REST API.

+2023-05-01

+2022-10-01

+2022-06-01

+2022-01-01

+...

+## Python

+To see all resource providers in Azure, and the registration status for your subscription, use:

+```python

+import os

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.resource import ResourceManagementClient

+

+# Authentication

+credential = DefaultAzureCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+

+# Initialize Resource Management client

+resource_management_client = ResourceManagementClient(credential, subscription_id)

+

+# List available resource providers and select ProviderNamespace and RegistrationState

+providers = resource_management_client.providers.list()

+

+for provider in providers:

+ print(f"ProviderNamespace: {provider.namespace}, RegistrationState: {provider.registration_state}")

+```

+The command returns:

+```output

+ProviderNamespace: Microsoft.AlertsManagement, RegistrationState: Registered

+ProviderNamespace: Microsoft.AnalysisServices, RegistrationState: Registered

+ProviderNamespace: Microsoft.ApiManagement, RegistrationState: Registered

+ProviderNamespace: Microsoft.Authorization, RegistrationState: Registered

+ProviderNamespace: Microsoft.Batch, RegistrationState: Registered

+...

+```

+To see all registered resource providers for your subscription, use:

+```python

+# List available resource providers with RegistrationState "Registered" and select ProviderNamespace and RegistrationState

+providers = resource_management_client.providers.list()

+registered_providers = [provider for provider in providers if provider.registration_state == "Registered"]

+

+# Sort by ProviderNamespace

+sorted_registered_providers = sorted(registered_providers, key=lambda x: x.namespace)

+

+for provider in sorted_registered_providers:

+ print(f"ProviderNamespace: {provider.namespace}, RegistrationState: {provider.registration_state}")

+```

+To maintain least privileges in your subscription, only register those resource providers that you're ready to use. To register a resource provider, use:

+```python

+import os

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.resource import ResourceManagementClient

+

+# Authentication

+credential = DefaultAzureCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+

+# Initialize Resource Management client

+resource_management_client = ResourceManagementClient(credential, subscription_id)

+

+# Register resource provider

+provider_namespace = "Microsoft.Batch"

+registration_result = resource_management_client.providers.register(provider_namespace)

+

+print(f"ProviderNamespace: {registration_result.namespace}, RegistrationState: {registration_result.registration_state}")

+```

+The command returns:

+```output

+ProviderNamespace: Microsoft.Batch, RegistrationState: Registered

+```

+> [!IMPORTANT]

+> As [noted earlier](#register-resource-provider), **don't block the creation of resources** for a resource provider that is in the **registering** state. By not blocking a resource provider in the registering state, your application can continue much sooner than waiting for all regions to complete.

+Reregister a resource provider to use locations that have been added since the previous registration. To reregister, run the registration command again.

+To see information for a particular resource provider, use:

+```python

+import os

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.resource import ResourceManagementClient

+

+# Authentication

+credential = DefaultAzureCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+

+# Initialize Resource Management client

+resource_management_client = ResourceManagementClient(credential, subscription_id)

+

+# Get resource provider by ProviderNamespace

+provider_namespace = "Microsoft.Batch"

+provider = resource_management_client.providers.get(provider_namespace)

+

+print(f"ProviderNamespace: {provider.namespace}, RegistrationState: {provider.registration_state}\n")

+

+# Add resource types, locations, and API versions with new lines to separate results

+for resource_type in provider.resource_types:

+ print(f"ResourceType: {resource_type.resource_type}\nLocations: {', '.join(resource_type.locations)}\nAPIVersions: {', '.join(resource_type.api_versions)}\n")

+```

+The command returns:

+```output

+ProviderNamespace: Microsoft.Batch, RegistrationState: Registered

+ResourceType: batchAccounts

+Locations: West Europe, East US, East US 2, West US, North Central US, Brazil South, North Europe, Central US, East Asia, Japan East, Australia Southeast, Japan West, Korea South, Korea Central, Southeast Asia, South Central US, Australia East, Jio India West, South India, Central India, West India, Canada Central, Canada East, UK South, UK West, West Central US, West US 2, France Central, South Africa North, UAE North, Australia Central, Germany West Central, Switzerland North, Norway East, Brazil Southeast, West US 3, Sweden Central, Qatar Central, Poland Central, East US 2 EUAP, Central US EUAP

+APIVersions: 2023-05-01, 2022-10-01, 2022-06-01, 2022-01-01, 2021-06-01, 2021-01-01, 2020-09-01, 2020-05-01, 2020-03-01-preview, 2020-03-01, 2019-08-01, 2019-04-01, 2018-12-01, 2017-09-01, 2017-05-01, 2017-01-01, 2015-12-01, 2015-09-01, 2015-07-01, 2014-05-01-privatepreview

+...

+```

+To see the resource types for a resource provider, use:

+```python

+# Get resource provider by ProviderNamespace

+provider_namespace = "Microsoft.Batch"

+provider = resource_management_client.providers.get(provider_namespace)

+

+# Get ResourceTypeName of the resource types

+resource_type_names = [resource_type.resource_type for resource_type in provider.resource_types]

+

+for resource_type_name in resource_type_names:

+ print(resource_type_name)

+```

+The command returns:

+```output

+batchAccounts

+batchAccounts/pools

+batchAccounts/detectors

+batchAccounts/certificates

+operations

+locations

+locations/quotas

+locations/checkNameAvailability

+locations/accountOperationResults

+locations/virtualMachineSkus

+locations/cloudServiceSkus

+```

+The API version corresponds to a version of the resource provider's REST API operations. As a resource provider enables new features, it releases a new version of the REST API.

+To get the available API versions for a resource type, use:

+```python

+# Get resource provider by ProviderNamespace

+provider_namespace = "Microsoft.Batch"

+provider = resource_management_client.providers.get(provider_namespace)

+

+# Filter resource type by ResourceTypeName and get its ApiVersions

+resource_type_name = "batchAccounts"

+api_versions = [

+ resource_type.api_versions

+ for resource_type in provider.resource_types

+ if resource_type.resource_type == resource_type_name

+]

+

+for api_version in api_versions[0]:

+ print(api_version)

+```

+The command returns:

+```output

+2023-05-01

+2022-10-01

+2022-06-01

+2022-01-01

+...

+```

+Resource Manager is supported in all regions, but the resources you deploy might not be supported in all regions. Also, there may be limitations on your subscription that prevent you from using some regions that support the resource.

+To get the supported locations for a resource type, use.

+```python

+# Get resource provider by ProviderNamespace

+provider_namespace = "Microsoft.Batch"

+provider = resource_management_client.providers.get(provider_namespace)

+

+# Filter resource type by ResourceTypeName and get its Locations

+resource_type_name = "batchAccounts"

+locations = [

+ resource_type.locations

+ for resource_type in provider.resource_types

+ if resource_type.resource_type == resource_type_name

+]

+

+for location in locations[0]:

+ print(location)

+```

+The command returns:

+```output

+West Europe

+East US

+East US 2

+West US

+...

+```

+* To view the operations for a resource provider, see [Azure REST API](/rest/api/).

+| Microsoft.DocumentDB/databaseAccounts | [listKeys](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/database-accounts/list-keys?tabs=HTTP) |

+| Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces | [listConnectionInfo](/rest/api/cosmos-db-resource-provider/2023-03-15-preview/notebook-workspaces/list-connection-info?tabs=HTTP) |

+ :::image type="content" source="./media/template-tutorial-add-outputs/select-deployments.png" alt-text="Screenshot of the Azure portal showing the deployments link.":::

+ :::image type="content" source="./media/template-tutorial-add-outputs/show-history.png" alt-text="Screenshot of the Azure portal showing the deployment history.":::

+ :::image type="content" source="./media/template-tutorial-add-outputs/show-inputs.png" alt-text="Screenshot of the Azure portal showing the deployment inputs.":::

+ :::image type="content" source="./media/template-tutorial-add-outputs/show-outputs.png" alt-text="Screenshot of the Azure portal showing the deployment outputs.":::

+ :::image type="content" source="./media/template-tutorial-add-outputs/show-template.png" alt-text="Screenshot of the Azure portal showing the deployment template.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/resource-manager-visual-studio-code-first-template.png" alt-text="Screenshot of Visual Studio Code displaying an empty ARM template with JSON structure in the editor.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/resource-manager-deployment-provisioningstate.png" alt-text="Screenshot of PowerShell output showing the successful deployment provisioning state.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/azure-cli-provisioning-state.png" alt-text="Screenshot of Azure CLI output displaying the successful deployment provisioning state.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/deployment-status.png" alt-text="Screenshot of Azure portal showing the deployment status in the Essentials section of the resource group.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/select-from-deployment-history.png" alt-text="Screenshot of Azure portal displaying the deployment history with the blanktemplate deployment selected.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/view-deployment-summary.png" alt-text="Screenshot of Azure portal showing the deployment summary for the blanktemplate deployment.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/resource-deletion.png" alt-text="Screenshot of Azure portal with the Delete resource group option highlighted in the resource group view.":::

+ :::image type="content" source="./media/template-tutorial-export-template/resource-manager-template-export.png" alt-text="Screenshot of the Create App Service Plan page in the Azure portal.":::

+ :::image type="content" source="./media/template-tutorial-export-template/resource-manager-template-export-go-to-resource.png" alt-text="Screenshot of the Go to resource button in the Azure portal.":::

+ :::image type="content" source="./media/template-tutorial-export-template/resource-manager-template-export-template.png" alt-text="Screenshot of the Export template option in the Azure portal.":::

+ :::image type="content" source="./media/template-tutorial-export-template/resource-manager-template-exported-template.png" alt-text="Screenshot of the exported template JSON code in the Azure portal.":::

+## How does the disk backup scheduling and retention period work?

+Azure Disk Backup currently supports only the Operational Tier, which helps store backups as Disk Snapshots in your tenant that aren't moved to the vault. The backup policy defines the schedule and retention period of your backups in the Operational Tier (when the snapshots will be taken and how long they will be retained).

+By using the Azure Disk backup policy, you can define the backup schedule with Hourly frequency of 1, 2, 4, 6, 8, or 12 hours and Daily frequency. Although backups have scheduled timing as per the policy, there can be a difference in the actual start time of the backups from the scheduled one.

+The retention period of snapshots is governed by the snapshot limit for a disk. Currently, a maximum of 500 snapshots can be retained for a disk. If the limit is reached, no new snapshots can be taken, and you need to delete the older snapshots.

+The retention period for a backup also follows the maximum limit of 450 snapshots with 50 snapshots kept aside for on-demand backups.

+For example, if the scheduling frequency for backups is set as Daily, then you can set the retention period for backups at a maximum value of 450 days. Similarly, if the scheduling frequency for backups is set as Hourly with a 1-hour frequency, then you can set the retention for backups at a maximum value of 18 days.

+**Supported SQL Server versions** | SQL Server 2022, SQL Server 2019, SQL Server 2017 as detailed on the [Search product lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=SQL%20server%202017), SQL Server 2016 and SPs as detailed on the [Search product lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=SQL%20server%202016%20service%20pack), SQL Server 2014, SQL Server 2012, SQL Server 2008 R2, SQL Server 2008 <br/><br/> Enterprise, Standard, Web, Developer, Express.<br><br>Express Local DB versions aren't supported.

+| packetLossRate | The rate at which packets matching the destination filters will be lost, ranging from 0.0 to 1.0. |

+ "key": "packetLossRate",

+Azure Communication Services Call Automation APIs provide developers the ability to steer and control the Azure Communication Services Telephony, VoIP or WebRTC calls using real-time event triggers to perform actions based on custom business logic specific to their domain. Within the Call Automation APIs developers can use simple AI powered APIs, which can be used to play personalized greeting messages, recognize conversational voice inputs to gather information on contextual questions to drive a more self-service model with customers, use sentiment analysis to improve customer service overall. These content specific APIs are orchestrated through **Azure Cognitive Services** with support for customization of AI models without developers needing to terminate media streams on their services and streaming back to Azure for AI functionality.

+### Add a Managed Identity to the Azure Communication Services Resource

+1. Navigate to your Azure Communication Services Resource in the Azure portal.

+### Option 2: Add role through Azure Communication Services Identity tab

+1. Navigate to your Azure Communication Services resource in the Azure portal.

+Before a worker can receive offers to service a job, it must be registered first by setting `availableForOffers` to true. Next, we need to specify which queues the worker listens on and which channels it can handle. Once registered, you receive a [RouterWorkerRegistered](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerregistered) event from Event Grid.

+In the following example, we register a worker to

+- Be able to handle both the voice and chat channels. In this case, the worker could either take a single `voice` job at one time or two `chat` jobs at the same time. This setting is configured by specifying the total capacity of the worker and assigning a cost per job for each channel.

+ AvailableForOffers = true,

+ QueueAssignments = { ["queue1"] = new RouterQueueAssignment(), ["queue2"] = new RouterQueueAssignment() },

+ availableForOffers = true,

+ available_for_offers = True,

+ .setAvailableForOffers(true)

+In the following example, we submit a job that

+Job Router tries to match this job to an available worker listening on `queue1` for the `chat` channel, with `English` set to `true` and `Skill` greater than `10`.

+Once a match is made, an offer is created. The distribution policy that is attached to the queue controls how many active offers there can be for a job and how long each offer is valid. [You receive][subscribe_events] an [OfferIssued Event][offer_issued_event] that would look like this:

+The [OfferIssued Event][offer_issued_event] includes details about the job, worker, how long the offer is valid and the `offerId` that you need to accept or decline the job.

+## Worker Deregistration

+If a worker would like to stop receiving offers, it can be deregistered by setting `AvailableForOffers` to `false` when updating the worker and you receive a [RouterWorkerDeregistered](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerderegistered) event from Event Grid. Any existing offers for the worker are revoked and you receive a [RouterWorkerOfferRevoked](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerofferrevoked) event for each offer.

+```csharp

+await client.UpdateWorkerAsync(new UpdateWorkerOptions(workerId: "worker-1") { AvailableForOffers = false });

+```

+```typescript

+await client.updateWorker("worker-1", { availableForOffers = false });

+```

+```python

+client.update_worker(worker_id = "worker-1", router_worker = RouterWorker(available_for_offers = False))

+```

+```java

+client.updateWorker(new UpdateWorkerOptions("worker-1").setAvailableForOffers(true));

+```

+> [!NOTE]

+> If a worker is registered and idle for more than 7 days, it'll be automatically deregistered.

+ QueueAssignments = { ["queue1"] = new RouterQueueAssignment() },

+ QueueAssignments = { ["queue1"] = new RouterQueueAssignment() },

+The Data Channel API enables real-time messaging during audio and video calls. With this API, you can now easily integrate data exchange functionalities into the applications, providing a seamless communication experience for users. Key features include:

+With appropriate serialization in the application, it can deliver various message types for different purposes.

+There are also other liberies or services providing the messaging functionalities.

+Each of them has its advantages and disadvantages. You should choose the suitable one for your usage scenario.

+For example, the Data Channel API offers the advantage of low-latency communication, and simplifies user management as there is no need to maintain a separate participant list.

+However, the data channel feature doesn't provide message persistence and doesn't guarantee that message won't be lost in an end-to-end manner.

+If you need the stateful messaging or guaranteed delivery, you may want to consider alternative solutions.

+This channelId can be utilized to differentiate various application uses, such as using 1000 for control messages and 1001 for image transfers.

+ QueueAssignments = { [queue.Value.Id] = new RouterQueueAssignment() },

+ QueueAssignments = { [queue.Value.Id] = new RouterQueueAssignment() },

+ QueueAssignments = { [queue.Value.Id] = new RouterQueueAssignment() },

+> [!NOTE]

+> If the job labels, queueId, channelId or worker selectors are updated, any existing offers on the job are revoked and you'll receive a [RouterWorkerOfferRevoked](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerofferrevoked) event for each offer from EventGrid. The job will be re-queued and you'll receive a [RouterJobQueued](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterjobqueued) event. Job offers may also be revoked when a worker's total capacity is reduced, or the channel configurations are updated.

+You must provide the networking connection between Azure Communications Gateway and your core networks.

+description: Azure Communication Gateway optionally contains Mobile Control Point for anchoring Teams Phone Mobile calls in the Microsoft Cloud

+- [Intel® Cloud Optimization Modules for Kubeflow](#intel-kubeflow)

+### Intel® Cloud Optimization Modules for Kubeflow <a id="intel-kubeflow"></a>

+The [Intel® Cloud Optimization Modules for Kubeflow](https://github.com/intel/kubeflow-intel-azure/tree/main) provide an optimized machine learning Kubeflow Pipeline using XGBoost to predict the probability of a loan default. The reference architecture leverages the secure and confidential [Intel® Software Guard Extensions](../../articles/confidential-computing/confidential-computing-enclaves.md) virtual machines on an [Azure Kubernetes Services (AKS) cluster](../../articles/confidential-computing/confidential-containers-enclaves.md). It also enables the use of [Intel® optimizations for XGBoost](https://www.intel.com/content/www/us/en/developer/tools/oneapi/optimization-for-xgboost.html) and [Intel® daal4py](https://www.intel.com/content/www/us/en/developer/articles/guide/a-daal4py-introduction-and-getting-started-guide.html) to accelerate model training and inference in a full end-to-end machine learning pipeline.

+For CLI users, we recommend to use latest version of [Azure CLI][Azure Cloud Shell], for invoking SDK implementation. Run `az --version` to find the version.

+<!-- LINKS - External -->

+[Azure Cloud Shell]: /azure/cloud-shell/quickstart

+ --name myregistry --image myrepo:tag \

+To lock the *myrepo:tag* image in *myregistry*, run the following [az acr repository update][az-acr-repository-update] command:

+ --name myregistry --image myrepo:tag \

+To lock a *myrepo* image identified by manifest digest (SHA-256 hash, represented as `sha256:...`), run the following command. (To find the manifest digest associated with one or more image tags, run the [az acr manifest list-metadata][az-acr-manifest-list-metadata] command.)

+ --name myregistry --image myrepo@sha256:123456abcdefg \

+repo="myrepo"

+To allow the *myrepo:tag* image to be updated but not deleted, run the following command:

+ --name myregistry --image myrepo:tag \

+To prevent read (pull) operations on the *myrepo:tag* image, run the following command:

+ --name myregistry --image myrepo:tag \

+To restore the default behavior of the *myrepo:tag* image so that it can be deleted and updated, run the following command:

+ --name myregistry --image myrepo:tag \

+[Azure Cosmos DB for MongoDB](../introduction.md) provides a powerful fully managed MongoDB compatible database while seamlessly integrating with the Azure ecosystem. This allows developers to reap the benefits of Azure Cosmos DB's robust features such as global distribution, 99.999% high availability SLA, and strong security measures, while retaining the ability to use their familiar MongoDB tools and applications. Developers can remain vendor agnostic, without needing to adapt to a new set of tools or drastically change their current operations. This ensures a smooth transition and operation for MongoDB developers, making Azure Cosmos DB for MongoDB a compelling choice for a scalable, secure, and efficient database solution for their MongoDB workloads.

+| `change streams` | Yes |

+Azure Cosmos DB is a fully managed NoSQL database service provided by Microsoft. It allows you to build globally distributed and highly scalable applications with ease. This how-to guide walks you through the process of creating a Java application that uses the Azure Cosmos DB for NoSQL database and implements the Change Feed Processor for real-time data processing. The Java application communicates with the Azure Cosmos DB for NoSQL using Azure Cosmos DB Java SDK v4.

+> This tutorial is for Azure Cosmos DB Java SDK v4 only. Please view the Azure Cosmos DB Java SDK v4 [Release notes](sdk-java-v4.md), [Maven repository](https://mvnrepository.com/artifact/com.azure/azure-cosmos), [Change feed processor in Azure Cosmos DB](change-feed-processor.md), and Azure Cosmos DB Java SDK v4 [troubleshooting guide](troubleshoot-java-sdk-v4.md) for more information. If you are currently using an older version than v4, see the [Migrate to Azure Cosmos DB Java SDK v4](migrate-java-v4-sdk.md) guide for help upgrading to v4.

+* Azure Cosmos DB Account: you can create it from the [Azure portal](https://portal.azure.com/) or you can use [Azure Cosmos DB Emulator](../local-emulator.md) as well.

+* Java Development Environment: Ensure you have Java Development Kit (JDK) installed on your machine with at least 8 version.

+* [Azure Cosmos DB Java SDK V4](sdk-java-v4.md): provides the necessary features to interact with Azure Cosmos DB.

+The Azure Cosmos DB change feed provides an event-driven interface to trigger actions in response to document insertion that has many uses.

+This simple example of Java application is demonstrating real-time data processing with Azure Cosmos DB and the Change Feed Processor. The application inserts sample documents into a "feed container" to simulate a data stream. The Change Feed Processor, bound to the feed container, processes incoming changes and logs the document content. The processor automatically manages leases for parallel processing.

+## Source code

+You can clone the SDK example repo and find this example in `SampleChangeFeedProcessor.java`:

+git clone https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples.git

+cd azure-cosmos-java-sql-api-sample/src/main/java/com/azure/cosmos/examples/changefeed/

+1. Configure the [`ChangeFeedProcessorOptions`](/java/api/com.azure.cosmos.models.changefeedprocessoroptions) in a Java application using Azure Cosmos DB and Azure Cosmos DB Java SDK V4. The [`ChangeFeedProcessorOptions`](/java/api/com.azure.cosmos.models.changefeedprocessoroptions) provides essential settings to control the behavior of the Change Feed Processor during data processing.

+ [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeed/SampleChangeFeedProcessor.java?name=ChangeFeedProcessorOptions)]

+2. Initialize [`ChangeFeedProcessor`](/java/api/com.azure.cosmos.changefeedprocessor) with relevant configurations, including the host name, feed container, lease container, and data handling logic. The [`start()`](/java/api/com.azure.cosmos.changefeedprocessor#com-azure-cosmos-changefeedprocessor-start()) method initiates the data processing, enabling concurrent and real-time processing of incoming data changes from the feed container.

+ [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeed/SampleChangeFeedProcessor.java?name=StartChangeFeedProcessor)]

+3. Specify the delegate handles incoming data changes using the `handleChanges()` method. The method processes the received JsonNode documents from the Change Feed. As a developer you have two options for handling the JsonNode document provided to you by Change Feed. One option is to operate on the document in the form of a JsonNode. This is great especially if you don't have a single uniform data model for all documents. The second option - transform the JsonNode to a POJO having the same structure as the JsonNode. Then you can operate on the POJO.

+ [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeed/SampleChangeFeedProcessor.java?name=Delegate)]

+4. Build and run the Java application. The application starts the Change Feed Processor, insert sample documents into the feed container, and process the incoming changes.

+## Conclusion

+In this guide, you learned how to create a Java application using [Azure Cosmos DB Java SDK V4](sdk-java-v4.md) that uses the Azure Cosmos DB for NoSQL database and uses the Change Feed Processor for real-time data processing. You can extend this application to handle more complex use cases and build robust, scalable, and globally distributed applications using Azure Cosmos DB.

+## Additional resources

+* [Azure Cosmos DB Java SDK V4](sdk-java-v4.md)

+* [Additional samples on GitHub](https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples)

+## Next steps

+You can now proceed to learn more about change feed estimator in the following articles:

+* [Use the change feed estimator](how-to-use-change-feed-estimator.md)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+>[!NOTE]

+> The Enterprise Dev/Test Offer isn't available for Azure Government customers. If you're an Azure Government customer, your can't enable the Dev/Test option.

+To view detailed usage for specific accounts, download the usage detail report. Usage files may be large. If you prefer, you can use the exports feature to get the same data exported to an Azure Storage account. For more information, see [Export usage details to a storage account](../costs/tutorial-export-acm-data.md).

+| Month | The month when consumption and purchases were made. |

+| Charges against Credits | The credit applied during the specific period. |

+| Service Overage | Your organization's usage charges exceed your credit balance. |

+| Billed Separately | Charges for services that aren't eligible to use available credit. |

+| Azure Marketplace | Azure Marketplace charges that are billed separately. |

+### Understand refunded overage credits

+This section explains how the previous refunded overage credits process worked and how the new process works.

+Previously, when a reservation purchase refund occurred in a closed billing period, Microsoft updated your account retroactively, sometimes going back multiple years. The refund, if applied retroactively, could negatively affect financial reporting and cause problems.

+Now, to prevent problems with the new process, a refund is applied as a credit. The refund doesn't cause any change to a closed billing period. A refund is reimbursed to the same payment method that you used when you made the purchase. If the refund results from an overage, then a credit note is issued to you. If a refund goes toward Azure prepayment (also called Monetary Commitment (MC)), then the overage portion results in issuing a credit note. Azure prepayment is applied as an adjustment.

+> [!NOTE]

+> The reservation refund applies only to purchase refunds completed in previously closed billing periods. There's no change to refund behavior completed in an open billing period. When a refund is completed before the purchase is invoiced, then the refund is reimbursed as part of the purchase and noted on the invoice.

+#### Overage refund examples

+Let's look at a detailed overage refund example with the previous process. Assume that a reservation was bought in February 2022 with an overage credit (no Azure prepayment or Monetary Commitment was involved). You decided to return the reservation in August 2022. Refunds use the same payment method as the purchase. So, you received a credit note in August 2022 for the February 2022 billing period. However, the credit amount reflects the month of purchase. In this example, that's February 2022. The refund results in the change to the service overage and total charges.

+Here's how a refund example appeared in the Azure portal for the previous refund process. The following points explain the refund.

+- After the reservation return in August 2022, you get $400 as a credit note for the refund amount.

+### Purchase refund with overage and monetary credit examples

+In the previous refund process, assume that you bought a reservation June 2022 using overage and monetary credit. Later, you returned some reservations in July 2022 after you received your invoice.

+#### Example of the previous refund process

+Refunds use the same payment methods used for the purchase. In July 2022, your monetary credit is adjusted with the relative credit amount. In August 2022, you also receive a credit for the overage portion of the refund. The credit amount and adjustment appears in the Azure portal for June 2022. The adjustment for the month of return (June 2022) results in a change as service overage. You can view the total charges on the **Usage + charges** page. You can see the **Credit applied towards charges** value shown on the **Credits + Commitments** page.

+- After the reservation return was completed for July 2022, you're entitled to $200 of credits. You receive the credit note for the refund amount of $100. The other $100 goes back to monetary credit under **Adjustments**.

+- The adjustment changes the service overage for June 2022. The adjustment also changes the total charges. They no longer reconcile with the invoice received for June 2022. And, it changes the credits applied for charges in June 2022.

+- The return line items are shown for the return month (July 2022) in the usage details file.

+#### Example of the current refund process

+In the current refund process, totals in the purchase month overage, total charges, and **Credits applied towards Charges** don't change (for example, June 2022). Credits given for that month are shown under **Refunded overage credits**. Adjustments are shown for the refund month on the **Credits + Commitments** page.

+- After the reservation return completed for July 2022, you're entitled to $100 credit. You receive the credit note for the refund amount. You can view it on the **Invoices** page. The same credit appears under **Refunded overage credits** on the **Usage & Charges** page. The $100 of adjustments are shown on the **Credits + Commitments** page. There's no change for adjustments shown on the **Credits + Commitments** page.

+- There are no changes to the June 2022 service overage, total charges, and Credits applied towards charges after as refund. You can reconcile your totals with the usage details file and with the invoice.

+- The return line items continue to appear for the month of return (for example, July 2022) in the usage details file. There's no behavior or process change.

+> When there are adjustment charges, back-dated credits, or discounts for the account that result in an invoice getting rebilled, it resets the refund behavior. Refunds are shown in the rebilled invoice for the rebilled period.

+Question: Does the new behavior apply to all refunds that happened previously?<br>

+Answer: No, it only applies to overage refunds that happen in the future. Refunded overage credits appear as `0` for previous months.

+Question: Why do I see some overage refunds going back to the purchase month?<br>

+Answer: If the refund is a combination of Overage and monetary credit, then refunds that were completed by August 1 still go back to the purchase month.

+Question: Why do I see some refunds that aren't included in *Refunded Overage credits*?<br>

+Answer: If the refund happened before the purchase is invoiced, then it appears on the invoice and it reduces the purchase charge. The invoice date cut-off is the fifth day of every month (UTC 12:00 am). Any refunds that happen between the first and fifth day are considered as being on the previous month's invoice because the purchase isn't invoiced yet.

+Question: How do I reconcile the reservation-related credits provided as *adjustments*?<br>

+Answer:

+1. Go to the **Reservation Transactions** page and look in the **MC** column at the refund amount for the month you want to reconcile.

+ :::image type="content" source="./media/direct-ea-azure-usage-charges-invoices/reservation-transactions-refund.png" alt-text="Screenshot showing the MC refund amount for Reservation transactions." lightbox="./media/direct-ea-azure-usage-charges-invoices/reservation-transactions-refund.png" :::

+1. Navigate to the **Credits + Commitments** page and look at the value shown in **Adjustments**. It shows all refunds applied to the **MC** balance for the month.

+ :::image type="content" source="./media/direct-ea-azure-usage-charges-invoices/credits-commitments-refund.png" alt-text="Screenshot showing the MC refund amount Credits + Commitments." lightbox="./media/direct-ea-azure-usage-charges-invoices/credits-commitments-refund.png" :::

+> [!NOTE]

+> Savings plan refunds aren't shown on the **Reservation Transactions** page. However, **Refunded Overage Credits** shows the sum of reservations and savings plans.

+ Title: Capture changed data with schema evolution using change data capture resource

+description: This tutorial provides step-by-step instructions on how to capture changed data with schema evolution from Azure SQL DB to Delta sink using a change data capture resource.

+# How to capture changed data with Schema evolution from Azure SQL DB to Delta sink using a Change Data Capture (CDC) resource

+In this tutorial, you will use the Azure Data Factory user interface (UI) to create a new Change Data Capture (CDC) resource that picks up changed data from an Azure SQL Database source to Delta Lake stored in Azure Data Lake Storage (ADLS) Gen2 in real-time showcasing the support of schema evolution. The configuration pattern in this tutorial can be modified and expanded upon.

+In this tutorial, you follow these steps:

+* Create a Change Data Capture resource.

+* Make dynamic schema changes to source table.

+* Validate schema changes at target Delta sink.

+## Prerequisites

+* **Azure subscription.** If you don't have an Azure subscription, create a free Azure account before you begin.

+* **Azure SQL Database.** You use Azure SQL DB as a source data store. If you donΓÇÖt have an Azure SQL DB, create one in the Azure portal first before continuing the tutorial.

+* **Azure storage account.** You use delta lake stored in ADLS Gen 2 storage as a target data store. If you don't have a storage account, see Create an Azure storage account for steps to create one.

+## Create a change data capture artifact

+1. Navigate to the **Author** blade in your data factory. You see a new top-level artifact below **Pipelines** called **Change Data Capture (preview)**.

+

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-100.png" alt-text="Screenshot of new top level artifact shown under Factory resources panel." lightbox="media/adf-cdc/change-data-capture-resource-100.png":::

+

+2. To create a new **Change Data Capture**, hover over **Change Data Capture (preview)** until you see 3 dots appear. Select on the **Change Data Capture (preview) Actions**.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-101.png" alt-text="Screenshot of Change Data Capture (preview) Actions after hovering on the new top-level artifact." lightbox="media/adf-cdc/change-data-capture-resource-101.png":::

+3. Select **New CDC (preview)**. This opens a flyout to begin the guided process.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-102.png" alt-text="Screenshot of a list of Change Data Capture actions." lightbox="media/adf-cdc/change-data-capture-resource-102.png":::

+

+4. You are prompted to name your CDC resource. By default, the name is set to ΓÇ£adfcdcΓÇ¥ and continue to increment up by 1. You can replace this default name with your own.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-103.png" alt-text="Screenshot of the text box to update the name of the resource.":::

+

+5. Use the drop-down selection list to choose your data source. For this tutorial, we use **Azure SQL Database**.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-104.png" alt-text="Screenshot of the guided process flyout with source options in a drop-down selection menu.":::

+6. You will then be prompted to select a linked service. Create a new linked service or select an existing one.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-105.png" alt-text="Screenshot of the selection box to choose or create a new linked service.":::

+7. Once the linked service is selected, you will be prompted for selection of the source table. Use the checkbox to select the source table(s) then select the **Incremental column** using the drop-down selection.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-106.png" alt-text="Screenshot of the selection box to choose source table(s) and selection of incremental column.":::

+> [!NOTE]

+> Only table(s) with supported incremental column data types are listed here.

+> [!NOTE]

+> To enable Change Data Capture (CDC) with schema evolution in SQL Azure Database source, we should choose watermark column-based tables rather than native SQL CDC enabled tables.

+8. Once youΓÇÖve selected a folder path, select **Continue** to set your data target.

+

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-107.png" alt-text="Screenshot of the continue button in the guided process to proceed to select data targets.":::

+9. Then, select a **Target type** using the drop-down selection. For this tutorial, we select **Delta**.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-108.png" alt-text="Screenshot of a drop-down selection menu of all data target types.":::

+10. You are prompted to select a linked service. Create a new linked service or select an existing one.

+

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-109.png" alt-text="Screenshot of the selection box to choose or create a new linked service to your data target.":::

+11. Use the **Browse** button to select your target data folder.

+

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-110.png" alt-text="Screenshot of a folder icon to browse for a folder path.":::

+> [!NOTE]

+> You can either use **Browse** button under Target base path which helps you to auto-populate the browse path for all the new table(s) selected for source (or) use **Browse** button outside to individually select the folder path.

+12. Once youΓÇÖve selected a folder path, select **Continue** button.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-111.png" alt-text="Screenshot of the continue button in the guided process to proceed to next step.":::

+13. You automatically land in a new change data capture tab, where you can configure your new resource.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-112.png" alt-text="Screenshot of the change data capture studio." lightbox="media/adf-cdc/change-data-capture-resource-112.png":::

+

+14. A new mapping will automatically be created for you. You can update the **Source** and **Target** selections for your mapping by using the drop-down selection lists.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-113.png" alt-text="Screenshot of the source to target mapping in the change data capture studio." lightbox="media/adf-cdc/change-data-capture-resource-113.png":::

+15. Once youΓÇÖve selected your tables, you should see that their columns are auto mapped by default with the **Auto map** toggle on. Auto map automatically maps the columns by name in the sink, picks up new column changes when source schema evolves and flows this to the supported sink types.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-114.png" alt-text="Screenshot of default Auto map toggle set to on." lightbox="media/adf-cdc/change-data-capture-resource-114.png":::

+> [!NOTE]

+> Schema evolution works with Auto map toggle set to on only. If you want to know how to edit column mappings or include transformations, please refer [Capture changed data with a change data capture resource](how-to-change-data-capture-resource.md)

+16. You can click the **Keys** link and select the Keys column to be used for tracking the delete operations.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-115.png" alt-text="Screenshot of Keys link to enable Keys column selection." lightbox="media/adf-cdc/change-data-capture-resource-115.png":::

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-116.png" alt-text="Screenshot of selecting a Keys column for the selected source.":::

+17. Once your mappings are complete, set your CDC latency using the **Set Latency** button.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-117.png" alt-text="Screenshot of the set frequency button at the top of the canvas." lightbox="media/adf-cdc/change-data-capture-resource-117.png":::

+

+18. Select the latency of your CDC and select **Apply** to make the changes. By default, it is set to **15 minutes**. For this tutorial, we select the **Real-time** latency. Real-time latency will continuously keep picking up changes in your source data in a less than 1-minute interval.

+ For other latencies, say if you select 15 minutes, every 15 minutes, your change data capture will process your source data and pick up any changed data since the last processed time.

+19. Once everything has been finalized, select the **Publish All** to publish your changes.

+> [!NOTE]

+> If you do not publish your changes, you will not be able to start your CDC resource. The start button will be greyed out.

+20. Select **Start** to start running your **Change Data Capture**.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-120.png" alt-text="Screenshot of the start button at the top of the canvas." lightbox="media/adf-cdc/change-data-capture-resource-120.png":::

+21. Using monitoring page, you can see how many changes (insert/update/delete) were read and written and other diagnostic information.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-121.png" alt-text="Screenshot of the monitoring page of a selected change data capture." lightbox="media/adf-cdc/change-data-capture-resource-121.png":::

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-122.png" alt-text="Screenshot of the monitoring page of a selected change data capture with detailed view." lightbox="media/adf-cdc/change-data-capture-resource-122.png":::

+22. You can validate that the change data has landed onto the Delta Lake stored in Azure Data Lake Storage (ADLS) Gen2 in delta format

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-123.png" alt-text="Screenshot of the target delta folder." lightbox="media/adf-cdc/change-data-capture-resource-123.png":::

+

+23. You can validate schema of the change data that has landed.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-124.png" alt-text="Screenshot of actual delta file." lightbox="media/adf-cdc/change-data-capture-resource-124.png":::

+## Make dynamic schema changes at source

+1. Now you can proceed to make schema level changes to the source tables. For this tutorial, we will use the Alter table T-SQL to add a new column to the source table.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-125.png" alt-text="Screenshot of Alter command in Azure Data Studio.":::

+2. You can validate that the new column as been added to the existing table.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-126.png" alt-text="Screenshot of the new table design.":::

+

+## Validate schema changes at target Delta

+1. Validate change data with schema changes have landed at the Delta sink. For this tutorial, you can see the new column has been added to the sink.

+ :::image type="content" source="media/adf-cdc/change-data-capture-resource-128.png" alt-text="Screenshot of actual Delta file with schema change." lightbox="media/adf-cdc/change-data-capture-resource-128.png":::

+## Next steps

+- [Learn more about the change data capture resource](concepts-change-data-capture-resource.md)

+

+ - To see to which workspace the existing extension is sending data to, run the *TestCloudConnection.exe* tool to validate connectivity with Microsoft Defender for Cloud, as described in [Verify Log Analytics Agent connectivity](/services-hub/health/assessments-troubleshooting#verify-log-analytics-agent-connectivity). Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.

+The free foundational cloud security posture management (CSPM) features for AWS and GCP machines don't require Azure Arc. For full functionality, we recommend that you *do* have Azure Arc running on AWS or GCP machines.

+The [cloud security explorer](concept-attack-path.md#what-is-cloud-security-explorer) enables you to proactively identify potential security risks within your cloud environment. It does so by querying the [cloud security graph](concept-attack-path.md#what-is-cloud-security-graph), which is the context engine of Defender for Cloud. The cloud security explorer allows your security team to prioritize any concerns, while also considering the specific context and conventions of your organization.

+[Defender for Servers](#defender-for-servers)

+| [Update naming format of Azure Center for Internet Security standards in regulatory compliance](#update-naming-format-of-azure-center-for-internet-security-standards-in-regulatory-compliance) | August 2023 |

+| [Defender for Cloud plan and strategy for the Log Analytics agent deprecation](#defender-for-cloud-plan-and-strategy-for-the-log-analytics-agent-deprecation) | August 2024 |

+### Defender for Cloud plan and strategy for the Log Analytics agent deprecation

+**Estimated date for change: August 2024**

+The Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024.](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/) As a result, features of the two Defender for Cloud plans that rely on the Log Analytics agent are impacted, and they have updated strategies: [Defender for Servers](#defender-for-servers) and [Defender for SQL Server on machines](#defender-for-sql-server-on-machines).

+#### Key strategy points

+- The Azure monitoring Agent (AMA) wonΓÇÖt be a requirement of the Defender for Servers offering, but will remain required as part of Defender for SQL.

+- Defender for Servers MMA-based features and capabilities will be deprecated in their Log Analytics version in August 2024, and delivered over alternative infrastructures, before the MMA deprecation date.

+- In addition, the currently shared autoprovisioning process that provides the installation and configuration of both agents (MMA/AMA), will be adjusted accordingly.

+#### Defender for Servers

+The following table explains how each capability will be provided after the Log Analytics agent retirement:

+| **Feature** | **Support** | **Alternative** |

+| | | |

+| Defender for Endpoint/Defender for Cloud integration for down level machines (Windows Server 2012 R2, 2016) | Defender for Endpoint integration that uses the legacy Defender for Endpoint sensor and the Log Analytics agent (for Windows Server 2016 and Windows Server 2012 R2 machines) wonΓÇÖt be supported after August 2024. | Enable the GA [unified agent](/microsoft-365/security/defender-endpoint/configure-server-endpoints#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution) integration to maintain support for machines, and receive the full extended feature set. For more information, see [Enable the Microsoft Defender for Endpoint integration](integration-defender-for-endpoint.md#windows). |

+| OS-level threat detection (agent-based) | OS-level threat detection based on the Log Analytics agent wonΓÇÖt be available after August 2024. A full list of deprecated detections will be provided soon. | OS-level detections are provided by Defender for Endpoint integration and are already GA. |

+| Adaptive application controls | The [current GA version](adaptive-application-controls.md) based on the Log Analytics agent will be deprecated in August 2024, along with the preview version based on the Azure monitoring agent. | The next generation of this feature is currently under evaluation, further information will be provided soon. |

+| Endpoint protection discovery recommendations | The current [GA and preview recommendations](endpoint-protection-recommendations-technical.md) to install endpoint protection and fix health issues in the detected solutions will be deprecated in August 2024. | A new agentless version will be provided for discovery and configuration gaps by April 2024. As part of this upgrade, this feature will be provided as a component of Defender for Servers plan 2 and Defender for CSPM, and wonΓÇÖt cover on-premises or Arc-connected machines. |

+| Missing OS patches (system updates) | Recommendations to apply system updates based on the Log Analytics agent wonΓÇÖt be available after August 2024. | [New recommendations](release-notes.md#two-recommendations-related-to-missing-operating-system-os-updates-were-released-to-ga), based on integration with Update Management Center, are already in GA, with no agent dependencies. |

+| OS misconfigurations (Azure Security Benchmark recommendations) | The [current GA version](apply-security-baseline.md) based on the Log Analytics agent wonΓÇÖt be available after August 2024. The current preview version that uses the Guest Configuration agent will be deprecated as the Microsoft Defender Vulnerability Management integration becomes available. | A new version, based on integration with Premium Microsoft Defender Vulnerability Management, will be available early in 2024, as part of Defender for Servers plan 2. |

+| File integrity monitoring | The [current GA version](file-integrity-monitoring-enable-log-analytics.md) based on the Log Analytics agent wonΓÇÖt be available after August 2024. | A new version of this feature, either agent-based or agentless, will be available by April 2024. |

+| The [500-MB benefit](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) for data ingestion | The [500-MB benefit](faq-defender-for-servers.yml#is-the-500-mb-of-free-data-ingestion-allowance-applied-per-workspace-or-per-machine-) for data ingestion over the defined tables will remain supported via the AMA agent for the machines under subscriptions covered by Defender for Servers P2. Every machine is eligible for the benefit only once, even if both Log Analytics agent and Azure Monitor agent are installed on it. | |

+##### Log analytics and Azure Monitoring agents autoprovisioning experience

+- The MMA autoprovisioning mechanism and its related policy initiative will remain optional until August 2024.

+- In October 2023, the current shared Log Analytics agent/Azure Monitor agent autoprovisioning mechanism will be updated and applied to the Log Analytics agent only. The Azure Monitor agent related (Public Preview) policy initiatives will be deprecated.

+- The AMA autoprovisioning mechanism will still serve current customers with the Public Preview policy initiative enabled, but they won't be eligible for support. To disable the Azure Monitor agent provisioning, manually remove the policy initiative.

+- If MMA autoprovisioning is enabled and AMA agents are already installed on the machines, MMA wonΓÇÖt be provisioned. However, AMA will remain functional.

+To ensure the security of your servers and receive all the security updates from Defender for Servers, make sure to have [Defender for Endpoint integration](integration-defender-for-endpoint.md) and [agentless disk scanning](concept-agentless-data-collection.md) enabled on your subscriptions. This will also keep your servers up-to-date with the alternative deliverables.

+#### Defender for SQL Server on machines

+The Defender for SQL Server on machines plan relies on the Log Analytics agent (MMA) / Azure monitoring agent (AMA) to provide Vulnerability Assessment and Advanced Threat Protection to IaaS SQL Server instances. The plan supports Log Analytics agent autoprovisioning in GA, and Azure Monitoring agent autoprovisioning in Public Preview.

+The following section describes the planned introduction of a new and improved SQL Server-targeted Azure monitoring agent (AMA) autoprovisioning process and the deprecation procedure of the Log Analytics agent (MMA). On-premises SQL servers using MMA will require the Azure Arc agent when migrating to the new process due to AMA requirements. Customers who use the new autoprovisioning process will benefit from a simple and seamless agent configuration, reducing onboarding errors and providing broader protection coverage.

+| Milestone | Date | More information |

+| | - | |

+| SQL-targeted AMA autoprovisioning Public Preview release | October 2023 | The new autoprovisioning process will only target Azure registered SQL servers (SQL Server on Azure VM/ Arc-enabled SQL Server). The current AMA autoprovisioning process and its related policy initiative will be deprecated. It can still be used customers, but they won't be eligible for support. |

+| SQL-targeted AMA autoprovisioning GA release | December 2023 | GA release of a SQL-targeted AMA autoprovisioning process. Following the release, it will be defined as the default option for all new customers. |

+| MMA deprecation | August 2024 | The current MMA autoprovisioning process and its related policy initiative will be deprecated. It can still be used customers, but they won't be eligible for support. |

+Existing customers of Defender for Key-Vault, Defender for Azure Resource Manager, and Defender for DNS will keep their current business model and pricing unless they actively choose to switch to the new business model and price.

+- **Defender for Azure Resource Manager**: This plan will have a fixed price per subscription per month. Customers will have the option to switch to the new business model by selecting the Defender for Azure Resource Manager new per-subscription model.

+### Update naming format of Azure Center for Internet Security standards in regulatory compliance

+**Estimated date for change: August 2023**

+The naming format of Azure CIS (Center for Internet Security) foundations benchmarks in the compliance dashboard is set for change from `[Cloud] CIS [version number]` to `CIS [Cloud] Foundations v[version number]`. Refer to the following table:

+| Current Name | New Name |

+|--|--|

+| Azure CIS 1.1.0 | CIS Azure Foundations v1.1.0 |

+| Azure CIS 1.3.0 | CIS Azure Foundations v1.3.0 |

+| Azure CIS 1.4.0 | CIS Azure Foundations v1.4.0 |

+| AWS CIS 1.2.0 | CIS AWS Foundations v1.2.0 |

+| AWS CIS 1.5.0 | CIS AWS Foundations v1.5.0 |

+| GCP CIS 1.1.0 | CIS GCP Foundations v1.1.0 |

+| GCP CIS 1.2.0 | CIS GCP Foundations v1.2.0 |

+Learn how to [improve your regulatory compliance](regulatory-compliance-dashboard.md).

+| Communication with possible phishing domain (Preview) | DNS_PhishingDomain|

+| Possible data exfiltration via DNS tunnel (Preview) | DNS_DataExfiltration |

+| Communication with suspicious algorithmically generated domain (Preview) | DNS_DomainGenerationAlgorithm |

+Starting on September 18, 2023 the Log Analytics Daily Cap will no longer exclude the following set of data types:

+## How are compliance standards represented in Defender for Cloud?

+By default:

+- Azure subscriptions get the Microsoft cloud security benchmark assigned. This is the Microsoft-authored, cloud specific guidelines for security and compliance best practices based on common compliance frameworks. [Learn more about Microsoft cloud security benchmark](/security/benchmark/azure/introduction).

+- AWS accounts get the AWS Foundational Security Best Practices assigned. This is the AWS-specific guideline for security and compliance best practices based on common compliance frameworks.

+- GCP projects get the "GCP Default" standard assigned.

+If a subscription, account, or project has *any* Defender plan enabled, additional standards can be applied.

+**Available regulatory standards**:

+| Standards for Azure subscriptions | Standards for AWS accounts | Standards for GCP projects |

+| | - | |

+| - PCI-DSS v3.2.1 **(deprecated)** | - CIS 1.2.0 | - CIS 1.1.0, 1.2.0 |

+| - PCI DSS v4 | - CIS 1.5.0 | - PCI DSS 3.2.1 |

+| - SOC TSP | - PCI DSS 3.2.1 | - NIST 800 53 |

+| - SOC 2 Type 2 | - AWS Foundational Security Best Practices | - ISO 27001 |

+| - ISO 27001:2013 |||

+| - Azure CIS 1.1.0 |||

+| - Azure CIS 1.3.0 |||

+| - Azure CIS 1.4.0 |||

+| - NIST SP 800-53 R4 |||

+| - NIST SP 800-53 R5 |||

+| - NIST SP 800 171 R2 |||

+| - CMMC Level 3 |||

+| - FedRAMP H |||

+| - FedRAMP M |||

+| - HIPAA/HITRUST |||

+| - SWIFT CSP CSCF v2020 |||

+| - UK OFFICIAL and UK NHS |||

+| - Canada Federal PBMM |||

+| - New Zealand ISM Restricted |||

+| - New Zealand ISM Restricted v3.5 |||

+| - Australian Government ISM Protected |||

+| - RMIT Malaysia |||

+> Standards are added to the dashboard as they become available. This table might not contain recently added standards.

+### Add a standard to your Azure subscriptions

+1. From Defender for Cloud's menu, select **Regulatory compliance** to open the regulatory compliance dashboard. Here you'll see the compliance standards assigned to the currently selected subscriptions.

+### Add a standard to your AWS accounts

+ - You must create the image using these three sysprep options: `/mode:vm flag: Sysprep /generalize /oobe /mode:vm`. </br>

+The Visual Studio and Microsoft 365 images that Dev Box provides in the Azure Marketplace are already configured to support hibernation. You don't need to enable hibernation on these images, they're ready to use.

+```azurecli

+az sig image-definition create

+--resource-group <resourcegroupname> --gallery-name <galleryname> --gallery-image-definition <imageName> --location <location>

+--publisher <publishername> --offer <offername> --sku <skuname> --os-type windows --os-state Generalized

+--features "IsHibernateSupported=true SecurityType=TrustedLaunch" --hyper-v-generation V2

+```

+If you're using sysprep and a generalized VM to create a custom image, capture your image using the Azure CLI:

+```azurecli

+az sig image-version create

+--resource-group <resourcegroupname> --gallery-name <galleryname> --gallery-image-definition <imageName>

+--gallery-image-version <versionNumber> --virtual-machine <VMResourceId>

+```azurecli

+az devcenter admin devbox-definition update

+--dev-box-definition-name <DevBoxDefinitionName> -ΓÇôdev-center-name <devcentername> --resource-group <resourcegroupname> ΓÇô-hibernateSupport enabled

+```azurecli

+az devcenter admin devbox-definition update

+--dev-box-definition-name <DevBoxDefinitionName> -ΓÇôdev-center-name <devcentername> --resource-group <resourcegroupname> ΓÇô-hibernateSupport disabled

+ Title: MySQL to Azure Database for MySQL Data Migration - MySQL Login Migration

+description: Learn how to use the Azure Database for MySQL Data Migration - MySQL Login Migration

+# MySQL to Azure Database for MySQL Data Migration - MySQL Login Migration

+MySQL Login Migration is a new feature that allows users to migrate user account and privileges, including users with no passwords. With this feature, businesses can now migrate a subset of the data in the ΓÇÿmysqlΓÇÖ system database from the source to the target for both offline and online migration scenarios. This login migration experience automates manual tasks such as the synchronization of logins with their corresponding user mappings and replicating server permissions and server roles.

+## Current implementation

+In the current implementation, users can select the **Migrate user account and privileges** checkbox in the **Select databases** tab under **Select Server Objects** section when configuring the DMS migration project.

+Additionally, any corresponding databases that have related grants must also be selected for migration in the **Select Databases** section.

+The progress and overall migration summary can be viewed in the **Initial Load** tab. On the **migration summary** blade, users can click into the **ΓÇÿmysqlΓÇÖ** system database to review the results of migrating server level objects, like users and grants.

+### How Login Migration works

+As part of Login migration, we migrate a subset of the tables in the ΓÇÿmysqlΓÇÖ system database depending on the version of your source. The tables we migrate for all versions are: user, db, tables_priv, columns_priv, and procs_priv. For 8.0 sources we also migrate the following tables: role_edges, default_roles, and global_grants.

+Users without password

+## Limitations

+* Static privileges such as "CREATE TABLESPACE", "FILE", "SHUTDOWN" and "SUPER" aren't supported by Azure Database for MySQL - Flexible Server and hence not supported by login migration.

+* Only users configured with the mysql_native_password, caching_sha2_password and sha256_password authentication plug-ins are migrated to the target server. Users relying on other plug-ins aren't supported.

+* The account_locked field from the user table isn't migrated. If the account is locked on the source server, it isn't locked on the target server after migration.

+* The proxies_priv grant table and password_history grant table aren't migrated.

+* The password_expired field from user table isn't migrated.

+* Migration of global_grants table only migrates the following grants: xa_recover_admin, role_admin.

+* AAD logins migration isn't supported.

+## Next steps

+* [Tutorial: Migrate MySQL to Azure Database for MySQL offline using DMS](tutorial-mysql-azure-mysql-offline-portal.md)

+ Title: MySQL to Azure Database for MySQL Data Migration - MySQL Replicate Changes

+description: Learn how to use the Azure Database for MySQL Data Migration - MySQL Replicate Changes

+# MySQL to Azure Database for MySQL Data Migration - MySQL Replicate Changes

+Running a Replicate changes Migration, with our offline scenario with "Enable Transactional Consistency," enables businesses to migrate their databases to Azure while the databases remain operational. In other words, migrations can be completed with minimum downtime for critical applications, limiting the impact on service level availability and inconvenience to their end customers.

+> [!NOTE]

+> This article contains references to the term *slave*, a term that Microsoft no longer uses. When the term is removed from the software, weΓÇÖll remove it from this article.

+## Current implementation

+You must run an offline migration scenario with "Enable Transactional Consistency" to get the bin log file and position to replicate the incoming changes. The DMS portal UI shows the binary log filename and position aligned to the time the locks were obtained on the source for the consistent snapshot. You can use this value in our replicate changes migration to stream the incoming changes.

+While running the replicate changes migration, when your target is almost caught up with the source server, stop all incoming transactions to the source database and wait until all pending transactions have been applied to the target database. To confirm that the target database is up-to-date on the source server, run the query 'SHOW MASTER STATUS;', then compare that position to the last committed binlog event (displayed under Migration Progress). When the two positions are the same, the target has caught up with all changes, and you can start the cutover.

+### How Replicate Changes works

+The current implementation is based on streaming binlog changes from the source server and applying them to the target server. Like Data-in replication, this is easier to set up and doesn't require a physical connection between the source and the target servers.

+The server can send Binlog as a stream that contains binary data as documented [here](https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_replication.html). The client can specify the initial log position to start the stream with. The log file name describes the log position, the position within that file, and optionally GTID (Global Transaction ID) if gtid mode is enabled at the source.

+The data changes are sent as "row" events, which contain data for individual rows (prior and/or after the change depending on the operation type, which is insert, delete, or update). The row events are then applied in their raw format using a BINLOG statement: [MySQL 8.0 Reference Manual :: 13.7.8.1 BINLOG Statement](https://dev.mysql.com/doc/refman/8.0/en/binlog.html).

+## Prerequisites

+To complete the replicate changes migration successfully, ensure that the following prerequisites are in place:

+- Use the MySQL command line tool of your choice to determine whether **log_bin** is enabled on the source server. The Binlog isn't always turned on by default, so verify that it's enabled before starting the migration. To determine whether log_bin is enabled on the source server, run the command: **SHOW VARIABLES LIKE 'log_bin'**

+- Ensure that the user has **"REPLICATION_APPLIER"** or **"BINLOG_ADMIN"** permission on target server for applying the bin log.

+- Ensure that the user has **"REPLICATION SLAVE"** permission on the target server.

+- Ensure that the user has **"REPLICATION CLIENT"** and **"REPLICATION SLAVE"** permission on the source server for reading and applying the bin log.

+- Run an offline migration scenario with "**Enable Transactional Consistency"** to get the bin log file and position.

+- If you're targeting a replicate changes migration, configure the **binlog_expire_logs_seconds** parameter on the source server to ensure that binlog files aren't purged before the replica commits the changes. We recommend at least two days, to begin with. After a successful cutover, the value can be reset.

+## Limitations

+- When performing a replicate changes migration, the name of the database on the target server must be the same as the name on the source server.

+- Support is limited to the ROW binlog format.

+- DDL changes replication is supported only when you have selected the option for migrating entire server on DMS UI.

+## Next steps

+- [Tutorial: Migrate MySQL to Azure Database for MySQL offline using DMS](tutorial-mysql-azure-mysql-offline-portal.md)

+ Title: MySQL to Azure Database for MySQL Data Migration - MySQL Schema Migration

+description: Learn how to use the Azure Database for MySQL Data Migration - MySQL Schema Migration

+# MySQL to Azure Database for MySQL Data Migration - MySQL Schema Migration

+MySQL Schema Migration is a new feature that allows users to migrate the schema for objects such as databases, tables, views, triggers, events, stored procedures, and functions. This feature is useful for automating some of work required to prepare the target database prior to starting a migration.

+## Current implementation

+In the current implementation, users can select the **server objects (views, triggers, events, routines)** that they want to migrate in **Select databases** tab under **Select Server Objects** section when configuring the DMS migration project. Additionally, they can select the databases under **Select databases** section whose schema is to be migrated.

+To migrate the schema for table objects, navigate to the **Select tables** tab. Before the tab populates, DMS fetches the tables from the selected database(s) on the source and target, and then determines whether the table exists and contains data. If you select a table in the source database that doesn't exist on the target database, the box under **Migrate schema** is selected by default. For tables that do exist in the target database, a note indicates that the selected table already contains and will be truncated. In addition, if the schema of a table on the target server doesn't match the schema on the source, the table will be dropped before the migration continues.

+ :::image type="content" source="media/tutorial-mysql-to-azure-mysql-online/17-select-tables.png" alt-text="Screenshot of a Select Tables.":::

+When you continue to the next tab, DMS validates your inputs and confirms that the tables selected match if they were selected without the schema migration input. Once the validation passes, you can begin the migration scenario.

+After you begin the migration and as the migration progresses, each table is created prior to migrating its data from the source to the target. Except for triggers and views, which are migrated after data migration is complete, other objects are created for tables prior to the data migration.

+### How Schema Migration works

+Schema migration is supported by MySQLΓÇÖs **ΓÇ£SHOW CREATEΓÇ¥** syntax to gather schema information for objects from the source. When migrating the schema for the objects from the source to the target, DMS processes the input and individually migrates the objects. DMS also wraps the collation, character set, and other relevant information that is provided by the ΓÇ£SHOW CREATEΓÇ¥ query to the create query that is then processed on to the target.

+**Routines** and **Events** are migrated before any data is migrated. The schema for each individual **table** is migrated immediately prior to data movement starting for the table. **Triggers** are migrated after the data migration portion. For **views**, since MySQL validates the contents of views and they can depend on other tables, DMS first creates tables for views before the start of database data movement and then drops the temporary table and creates the view.

+When querying the source and target, if a transient error occurs, DMS **retries** the queries. However, if an error occurs that DMS can't recover from ΓÇô as an example, an invalid syntax when performing a version upgrade migration ΓÇô DMS fails and report that error message on completion. If the failure occurs when creating a table, the data for that table isn't migrated, but the data and schema migration for the other selected tables is attempted. If an unrecoverable error occurs for events, routines, or when creating the temporary table for views, the migration fails prior to running the migration for the selected tables and the objects that are migrated following the data migration portion.

+Since a temporary table is created for views, if there's a failure migrating a view, the temporary table is left on the target. After the underlying issue is fixed and the migration is retried, DMS deletes that table prior to creating the view. Alternatively, if electing not to use schema migration for views in a future migration, the temporary table needs to be manually deleted prior to manually migrating the view.

+## Prerequisites

+To complete a schema migration successfully, ensure that the following prerequisites are in place.

+* ΓÇ£READΓÇ¥ privilege on the source database.

+* ΓÇ£SELECTΓÇ¥ privilege for the ability to select objects from the database

+* If migrating views, the user must have the ΓÇ£SHOW VIEWΓÇ¥ privilege.

+* If migrating triggers, the user must have the ΓÇ£TRIGGERΓÇ¥ privilege.

+* If migrating routines (procedures and/or functions), the user must be named in the definer clause of the routine. Alternatively, based on version, the user must have the following privilege:

+ * For 5.7, have ΓÇ£SELECTΓÇ¥ access to the ΓÇ£mysql.procΓÇ¥ table.

+ * For 8.0, have ΓÇ£SHOW_ROUTINEΓÇ¥ privilege or have the ΓÇ£CREATE ROUTINE,ΓÇ¥ ΓÇ£ALTER ROUTINE,ΓÇ¥ or ΓÇ£EXECUTEΓÇ¥ privilege granted at a scope that includes the routine.

+* If migrating events, the user must have the ΓÇ£EVENTΓÇ¥ privilege for the database from which the events are to be shown.

+## Limitations

+* When migrating non table objects, DMS doesn't support renaming databases.

+* When migrating to a target server that has bin_log enabled, log_bin_trust_function_creators should be enabled to allow for creation of routines and triggers.

+* Currently there's no support for migrating the DEFINER clause for objects. All object types with definers on source get dropped and after the migration the default definer for tables are set to the login used to run the migration.

+* Some version upgrades aren't supported if there are breaking changes in version compatibility. Refer to the MySQL docs for more information on version upgrades.

+* Currently we can only migrate schema as part of data movement. If nothing is selected for data movement, no schema migration happens. If a table is selected for schema migration, it is selected for data movement.

+## Next steps

+- Learn more about [Data-in Replication](../mysql/concepts-data-in-replication.md)

+- [Tutorial: Migrate MySQL to Azure Database for MySQL offline using DMS](tutorial-mysql-azure-mysql-offline-portal.md)

+One or more incompatible SQL modes can cause many different errors. Below is an example error along with server modes that should be looked at if this error occurs.

+- **Error**: An error occurred while preparing the table '{table}' in database '{database}' on server '{server}' for migration during activity '{activity}'. As a result, this table won't be migrated.

+ | When the default value for a date on a table or the data is 0000-00-00 on the source, and the target server has the NO_ZERO_DATE SQL mode set, the schema and/or data migration will fail. There are two possible workarounds, the first is to change the default values of the columns to be NULL or a valid date. The second option is to remove the NO_ZERO_DATE SQL mode from the global SQL mode variable. | When running migrations from MySQL source server 5.7 to MySQL target server 8.0 that are doing **schema migration of routines**, it will run into errors if no_auto_create_user SQL mode is set on MySQL source server 5.7. |

+- **Error**: Fatal error reading binlog. This error may indicate that the binlog file name and/or the initial position were specified incorrectly.

+ **Workaround**: Ensure that the selected tables aren't locked or that no long running transactions are running on them.

+ **Limitation**: This error likely occurs when there are too many tables to migrate (>10k). There's a 4 MB limit for each call to the Azure Storage service.

+ **Workaround**: Reach out to support by [creating a support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot) and we can provide custom scripts to access our REST APIs directly.

+## Duplicate key entry issue

+- **Error**: The error is often a symptom of timeouts, network issues or target scaling.

+ **Potential error message**: A batch couldn't be written to the table '{table}' due to a SQL error raised by the target server. For context, the batch contained a subset of rows returned by the following source query.

+ **Limitation**: This error can be caused by timeout or broken connection to the target, resulting in duplicate primary keys. It may also be related to multiple migrations to the target running at the same time, or the user having test workloads running on the target while the migration is running. Additionally, the target may require primary keys to be unique, even though they aren't required to be so on the source.

+ **Workaround**: To resolve this issue, ensure that there are no duplicate migrations running and that the source primary keys are unique. If error persists, reach out to support by [creating a support request](https://ms.portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview?DMC=troubleshoot) and we can provide custom scripts to access our REST APIs directly.

+## Replicated operation had mismatched rows error

+- **Error**: Online Migration Fails to Replicate Expected Number of Changes.

+ **Potential error message**: An error occurred applying records to the target server which were read from the source server's binary log. The changes started at binary log '{mysql-bin.log}' and position '{position}' and ended at binary log '{mysql-bin.log}' and position '{position}'. All records on the source server prior to position '{position}' in binary log '{mysql-bin.log}' have been committed to the target.

+ **Limitation**: On the source, there were insert and delete statements into a table, and the deletions were by an apparent unique index.

+ **Workaround**: We recommend migrating the table manually.

+## Table data truncated error

+- **Error**: Enum column has a null value in one or more rows and the target SQL mode is set to strict.

+ **Potential error message**: A batch couldn't be written to the table '{table}' due to a data truncation error. Please ensure that the data isn't too large for the data type of the MySQL table column. If the column type is an enum, make sure SQL Mode isn't set as TRADITIONAL, STRICT_TRANS_TABLES or STRICT_ALL_TABLES and is the same on source and target.

+ **Limitation**: The error occurs when historical data was written to the source server when they had certain setting, but when it's changed, data cannot move.

+ **Workaround**: To resolve the issue, we recommend changing the target SQL mode to non-strict or changing all null values to be valid values.

+## Creating object failure

+- **Error**: An error occurred after view validation failed.

+ **Limitation**: The error occurs when trying to migrate a view and the table that the view is supposed to be referencing cannot be found.

+ **Workaround**: We recommend migrating views manually.

+## Unable to find table

+- **Error**: An error occurred as referencing table cannot be found.

+ **Potential error message**: The pipeline was unable to create the schema of object '{object}' for activity '{activity}' using strategy MySqlSchemaMigrationViewUsingTableStrategy because of a query execution.

+ **Limitation**: The error can occur when the view is referring to a table that has been deleted or renamed, or when the view was created with incorrect or incomplete information.

+ **Workaround**: We recommend migrating views manually.

+## All pooled connections broken

+- **Error**: All connections on the source server were broken.

+ **Limitation**: The error occurs when all the connections that are acquired at the start of initial load are lost due to server restart, network issues, heavy traffic on the source server or other transient problems. This error isn't recoverable.

+ **Workaround**: The migration must be restarted, and we recommend increasing the performance of the source server. Another issue is scripts that kill long running connections, prevents these scripts from working.

+## Consistent snapshot broken

+ **Limitation**: The error occurs when the customer performs DDL during the initial load of the migration instance.

+ **Workaround**: To resolve this issue, we recommend refraining from making DDL changes during the Initial Load.

+## Foreign key constraint

+- **Error**: The error occurs when there is a change in the referenced foreign key type from the table.

+ **Potential error message**: Referencing column '{pk column 1}' and referenced column '{fk column 1}' in foreign key constraint '{key}' are incompatible.

+ **Limitation**: The error can cause schema migration of a table to fail, as the PK column in table 1 may not be compatible with the FK column in table 2.

+ **Workaround**: To resolve this issue, we recommend dropping the foreign key and re-creating it after the migration process is completed.

+ Title: MySQL to Azure Database for MySQL Data Migration - MySQL Consistent Backup

+# MySQL to Azure Database for MySQL Data Migration - MySQL Consistent Backup

+In the current implementation, users can enable the **Make Source Server Read Only** option during offline migration. Selecting this option maintains the data integrity of the target database as the source is migrated by preventing Write/Delete operations on the source server during migration. When you make the source server read only as part of the migration process, the selection applies to all the source serverΓÇÖs databases, regardless of whether they are selected for migration.

+When you initiate a migration, the service flushes all tables on the source server with a **read** lock to obtain the point-in-time snapshot. This flushing is done because a global lock is more reliable than attempting to lock individual databases or tables. As a result, even if you are not migrating all databases in a server, they are locked as part of setting up the migration process. The migration service initiates a repeatable read and combines the current table state with contents of the undo log for the snapshot. The **snapshot** is generated after obtaining the server wide lock and spawning several connections for the migration. After the creation of all connections used for the migration, the locks on the table are released.

+The migration threads are used to perform the migration with repeatable read enabled for all transactions and the source server hides all new changes from the offline migration. Clicking on the specific database in the Azure Database Migration Service (DMS) Portal UI during the migration displays the migration status of all the tables - completed or in progress - in the migration. If there are connection issues, the status of the database changes to **Retrying** and the error information is displayed if the migration fails.

+Repeatable reads are enabled to keep the undo logs accessible during the migration, which increase the storage required on the source because of long running connections. It is important to note that the longer a migration runs the more table changes that occur, the undo log's history of changes become more extensive. The longer a migration, the more slowly it runs as the undo logs to retrieve the unmodified data becomes longer. This could also increase the compute requirements and load on the source server.

+The [binary log (or binlog)](https://dev.mysql.com/doc/refman/8.0/en/binary-log.html) is an artifact that is reported to the user after the offline migration is complete. As the service spawns threads for migration during read lock, the migration service records the initial binlog position because the binlog position could change after the server is unlocked. While the migration service attempts to obtain the locks and set up the migration, the bin log position displays the status **Waiting for data movement to start...**.

+The binary log is deleted periodically, so the user must take necessary precautions if Change Data Capture (CDC) is used later to migrate the post-migration updates at the source. Configure the **binlog_expire_logs_seconds** parameter on the source server to ensure that binlogs are not purged before the replica commits the changes. If non-zero, binary logs are purged after **binlog_expire_logs_seconds** seconds. Post successful cut-over, you can reset the value. Users need to leverage the changes in the binlog to carry out the online migration. Users can take advantage of DMS to provide the initial seeding of the data and then stitch that together with the CDC solution of their choice to implement a minimal downtime migration.

+> With Azure Database for MySQL Single Server, which supports up to 4TB, this is not enabled by default. However, if you promote a read replica for the source server and then delete read replica, the parameter is set to ON.

+After a successful installation of Step, you should open a command prompt in your user profile folder (Win+R type %USERPROFILE%).

+1. To create root and intermediate certificates, run the following command. Remember the password, which needs to be used in the next step.

+2. Using the CA files generated to create certificate for the client. Ensure to use the correct path for the cert and secrets files in the command.

+3. To view the thumbprint, run the Step command.

+After a successful installation of Step, you should open a command prompt in your user profile folder (Win+R type %USERPROFILE%).

+1. To create root and intermediate certificates, run the following command. Remember the password, which needs to be used in the next step.

+```powershell

+step ca init --deployment-type standalone --name MqttAppSamplesCA --dns localhost --address 127.0.0.1:443 --provisioner MqttAppSamplesCAProvisioner

+```

+2. Using the CA files generated to create certificate for the client. Ensure to use the correct path for the cert and secrets files in the command.

+```powershell

+step certificate create client1-authnID client1-authnID.pem client1-authnID.key --ca .step/certs/intermediate_ca.crt --ca-key .step/secrets/intermediate_ca_key --no-password --insecure --not-after 2400h

+```

+```powershell

+step certificate fingerprint client1-authnID.pem

+```

+An easy way to explore Avro files is by using the [Avro Tools][Avro Tools] jar from Apache. You can also use [Apache Spark][Apache Spark] to perform complex distributed processing on the ingested data.

+ > [!NOTE]

+ > * If HTTPS is enabled, certificate provisioning and propagation may take a few minutes because propagation is being done to all edge locations.

+ > * If your domain CNAME is indirectly pointed to a Front Door endpoint, for example, using Azure Traffic Manager for multi-CDN failover, the **DNS state** column shows as **CNAME/Alias record currently not detected**. Azure Front Door can't guarantee 100% detection of the CNAME record in this case. If you've configured an Azure Front Door endpoint to Azure Traffic Manager and still see this message, it doesnΓÇÖt mean you didn't set up correctly, therefore further no action is neccessary from your side.

+|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aka.ms/appservice-vnet-service-endpoint](https://aka.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

+|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aka.ms/appservice-vnet-service-endpoint](https://aka.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

+|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aka.ms/appservice-vnet-service-endpoint](https://aka.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

+|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aka.ms/appservice-vnet-service-endpoint](https://aka.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

+|[App Service apps should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit [https://aka.ms/appservice-vnet-service-endpoint](https://aka.ms/appservice-vnet-service-endpoint). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |

+## **July 2023**

+**Feature enhancement: Change to the exported file name format**

+FHIR service enables customers to export data with $export operation. Export can be conducted across various levels, such as System, Patient and Group of patients. There are name changes with exported file and default storage account name.

+* Exported file names will follow the format \<FHIR Resource Name\>-\<Number\>- \<Number\>.ndjson. The order of the files is not guaranteed to correspond to any ordering of the resources in the database.

+* Default storage account name is updated to Export-\<Number\>.

+There is no change to number of resources added in individual exported files.

+By default, the DICOM service supports querying on the DICOM tags specified in the [conformance statement](dicom-services-conformance-statement-v2.md#searchable-attributes). By enabling extended query tags, the list of tags can easily be expanded based on the application's needs.

+The [Status](#extended-query-tag-status) of extended query tag indicates current status. When an extended query tag is first added, its status is set to `Adding`, and a long-running operation is kicked off to reindex existing DICOM instances. After the operation is completed, the tag status is updated to `Ready`. The extended query tag can now be used in [QIDO](dicom-services-conformance-statement-v2.md#search-qido-rs).

+ Title: DICOM Service API v2 Changes - Azure Health Data Services

+description: This guide gives an overview of the changes in the v2 API for the DICOM service.

+# DICOM Service API v2 Changes

+This reference guide provides you with a summary of the changes in the V2 API of the DICOM service. To see the full set of capabilities in v2, see the [DICOM Conformance Statement v2](dicom-services-conformance-statement-v2.md).

+## Summary of changes in v2

+### Store

+#### Lenient validation of optional attributes

+In previous versions, a Store request would fail if any of the [required](dicom-services-conformance-statement-v2.md#store-required-attributes) or [searchable attributes](dicom-services-conformance-statement-v2.md#searchable-attributes) failed validation. Beginning with v2, the request fails only if **required attributes** fail validation.

+Failed validation of attributes not required by the API results in the file being stored with a warning in the response. Warnings result in an HTTP return code of `202 Accepted` and the response payload will contain the `WarningReason` tag (`0008, 1196`).

+A warning is given about each failing attribute per instance. When a sequence contains an attribute that fails validation, or when there are multiple issues with a single attribute, only the first failing attribute reason is noted.

+There are some notable behaviors for optional attributes that fail validation:

+ * Searches for the attribute that failed validation will not return the study/series/instance.

+ * The attributes are not returned when retrieving metadata via WADO `/metadata` endpoints.

+

+Retrieving a study/series/instance will always return the original binary files with the original attributes, even if those attributes failed validation.

+If an attribute is padded with nulls, the attribute is indexed when searchable and is stored as is in dicom+json metadata. No validation warning is provided.

+### Retrieve

+#### Single frame retrieval support

+Single frame retrieval is supported by adding the following `Accept` header:

+* `application/octet-stream; transfer-syntax=*`

+### Search

+#### Search results may be incomplete for extended query tags with validation warnings

+In the v1 API and continued for v2, if an [extended query tag](dicom-extended-query-tags-overview.md) has any errors, because one or more of the existing instances had a tag value that couldn't be indexed, then subsequent search queries containing the extended query tag return `erroneous-dicom-attributes` as detailed in the [documentation](dicom-extended-query-tags-overview.md#tag-query-status). However, tags (also known as attributes) with validation warnings from STOW-RS are **not** included in this header. If a store request results in validation warnings on [searchable tags](dicom-services-conformance-statement-v2.md#searchable-attributes), subsequent searches containing these tags won't consider any DICOM SOP instance that produced a warning. This behavior may result in incomplete search results. To correct an attribute, delete the stored instance and upload the corrected data.

+#### Fewer Study, Series, and Instance attributes are returned by default

+The set of attributes returned by default has been reduced to improve performance. See the detailed list in the [search response](./dicom-services-conformance-statement-v2.md#search-response) documentation.

+#### Null padded attributes can be searched for with or without padding

+When an attribute was stored using null padding, it can be searched for with or without the null padding in uri encoding. Results retrieved will be for attributes stored both with and without null padding.

+### Operations

+#### The `completed` status has been renamed to `succeeded`

+To align with [Microsoft's REST API guidelines](https://github.com/microsoft/api-guidelines/blob/vNext/Guidelines.md), the `completed` status has been renamed to `succeeded`.

+### Change Feed

+#### Change feed now accepts a time range

+The Change Feed API now accepts optional `startTime` and `endTime` parameters to help scope the results. Changes within a time range can still be paginated using the existing `offset` and `limit` parameters. The offset is relative to the time window defined by `startTime` and `endTime`. For example, the fifth change feed entry starting from 7/24/2023 at 09:00 AM UTC would use the query string `?startTime=2023-07-24T09:00:00Z&offset=5`.

+For v2, it's recommended to always include a time range to improve performance.

+> API version 2 is the latest API version. For a list of changes in v2 compared to v1, see [DICOM Service API v2 Changes](dicom-service-v2-api-changes.md)

+| `includefield=` | `{attributeID}`<br/>`all` | 0...N | The other attributes to return in the response. Both, public and private tags are supported.<br/>When `all` is provided, refer to [Search Response](#search-response) for more information about which attributes are returned for each query type.<br/>If a mixture of `{attributeID}` and `all` is provided, the server defaults to using `all`. |

+| Range Query | `StudyDate`/`PatientBirthDate` | `{attributeID}={value1}-{value2}`. For date/ time values, we support an inclusive range on the tag. This range is mapped to `attributeID >= {value1} AND attributeID <= {value2}`. If `{value1}` isn't specified, all occurrences of dates/times prior to and including `{value2}` are matched. Likewise, if `{value2}` isn't specified, all occurrences of `{value1}` and subsequent dates/times are matched. However, one of these values has to be present. `{attributeID}={value1}-` and `{attributeID}=-{value2}` are valid, however, `{attributeID}=-` is invalid. |

+* The query API doesn't return `413 (request entity too large)`. If the requested query response limit is outside of the acceptable range, a bad request is returned. Anything requested within the acceptable range will be resolved.

+* Paged results are optimized to return matched _newest_ instance first, possibly resulting in duplicate records in subsequent pages if newer data matching the query was added.

+This transaction only succeeds against Workitems in the `SCHEDULED` state. Any user can claim ownership of a Workitem by setting its Transaction UID and changing its state to `IN PROGRESS`. From then on, a user can only modify the Workitem by providing the correct Transaction UID. While UPS defines Watch and Event SOP classes that allow cancellation requests and other events to be forwarded, this DICOM service doesn't implement these classes, and so cancellation requests on workitems that are `IN PROGRESS` will return failure. An owned Workitem can be canceled via the [Change Workitem State](#change-workitem-state) transaction.

+The request payload contains a dataset with the changes to be applied to the target Workitem. When a sequence is modified, the request must include all Items in the sequence, not just the Items to be modified.

+| `includefield=` | `{attributeID}`<br/>`all` | 0...N | The other attributes to return in the response. Only top-level attributes can be specified to be included - not attributes that are part of sequences. Both public and private tags are supported. When `all` is provided, see [Search Response](#search-response) for more information about which attributes will be returned for each query type. If a mixture of `{attributeID}` and `all` is provided, the server defaults to using 'all'. |

+| Range Query | `ScheduledΓÇïProcedureΓÇïStepΓÇïStartΓÇïDateΓÇïTime` | `{attributeID}={value1}-{value2}`. For date/time values, we support an inclusive range on the tag. This range will be mapped to `attributeID >= {value1} AND attributeID <= {value2}`. If `{value1}` isn't specified, all occurrences of dates/times prior to and including `{value2}` will be matched. Likewise, if `{value2}` isn't specified, all occurrences of `{value1}` and subsequent dates/times will be matched. However, one of these values has to be present. `{attributeID}={value1}-` and `{attributeID}=-{value2}` are valid, however, `{attributeID}=-` is invalid. |

+The query API won't return `413 (request entity too large)`. If the requested query response limit is outside of the acceptable range, a bad request is returned. Anything requested within the acceptable range, will be resolved.

+> [!NOTE]

+> API version 2 is the latest API version and should be used in place of v1. See the [DICOM Conformance Statement v2](dicom-services-conformance-statement-v2.md) for details.

+| `404 (Not Found)` | The specified DICOM resource couldn't be found, or for rendered request the instance didn't contain pixel data. |

+| `includefield=` | `{attributeID}`<br/>`all` | 0...N | The other attributes to return in the response. Both, public and private tags are supported.<br/>When `all` is provided, refer to [Search Response](#search-response) for more information about which attributes are returned for each query type.<br/>If a mixture of `{attributeID}` and `all` is provided, the server defaults to using `all`. |

+The DICOM service supports the Push and Pull SOPs of the [Worklist Service (UPS-RS)](https://dicom.nema.org/medical/dicom/current/output/html/part18.html#chapter_11). The Worklist service provides access to one Worklist containing Workitems, each of which represents a Unified Procedure Step (UPS).

+If the Workitem exists on the origin server, the Workitem shall be returned in an Acceptable Media Type. The returned Workitem shall not contain the Transaction UID (0008,1195) Attribute. This is necessary to preserve the attribute's role as an access lock.

+The request payload contains a dataset with the changes to be applied to the target Workitem. When a sequence is modified, the request must include all Items in the sequence, not just the Items to be modified.

+The query API won't return `413 (request entity too large)`. If the requested query response limit is outside of the acceptable range, a bad request is returned. Anything requested within the acceptable range, will be resolved.

+The DICOM service is a managed service within [Azure Health Data Services](../healthcare-apis-overview.md) that ingests and persists DICOM objects at multiple thousands of images per second. It facilitates communication and transmission of imaging data with any DICOMweb&trade; enabled systems or applications via DICOMweb Standard APIs like [Store (STOW-RS)](dicom-services-conformance-statement-v2.md#store-stow-rs), [Search (QIDO-RS)](dicom-services-conformance-statement-v2.md#search-qido-rs), [Retrieve (WADO-RS)](dicom-services-conformance-statement-v2.md#retrieve-wado-rs). It's backed by a managed Platform-as-a Service (PaaS) offering in the cloud with complete [PHI](https://www.hhs.gov/answers/hipaa/what-is-phi/https://docsupdatetracker.net/index.html) compliance that you can upload PHI data to the DICOM service and exchange it through secure networks.

+- **Extended Query Tags**: Additionally index DICOM studies, series, and instances on both standard and private DICOM tags by expanding list of tags that are already specified within [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md).

+> Refer to the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md#supported-search-parameters) for supported DICOM attributes.

+For more information about the supported DICOM attributes, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md).

+For more information about the supported DICOM attributes, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md).

+For more information about the supported DICOM attributes, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md).

+For more information about the supported DICOM attributes, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md).

+For more information about the supported DICOM attributes, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md).

+For more information about the supported DICOM attributes, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md)

+Refer to the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md#supported-search-parameters) document for supported DICOM attributes.

+* [Store (STOW-RS)](dicom-services-conformance-statement-v2.md#store-stow-rs)

+* [Retrieve (WADO-RS)](dicom-services-conformance-statement-v2.md#retrieve-wado-rs)

+* [Search (QIDO-RS)](dicom-services-conformance-statement-v2.md#search-qido-rs)

+* [Delete](dicom-services-conformance-statement-v2.md#delete)

+To learn more about our support of DICOM Web Standard APIs, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md) reference document.

+Because DICOM service is exposed as a REST API, you can access it using any modern development language. For language-agnostic information on working with the service, see [DICOM Services Conformance Statement](dicom-services-conformance-statement-v2.md).

+ Title: Get started using DICOM data in analytics workloads - Azure Health Data Services

+description: This guide demonstrates how to use Azure Data Factory and Microsoft Fabric to perform analytics on DICOM data.

+# Get Started using DICOM Data in Analytics Workloads

+This article details how to get started using DICOM data in analytics workloads with Azure Data Factory and Microsoft Fabric.

+## Prerequisites

+Before getting started, ensure you have done the following steps:

+* Deploy an instance of the [DICOM Service](deploy-dicom-services-in-azure.md).