+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left navigation panel, select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your provisioning application. For example, if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.

+1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your provisioning application. For example, if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is contoso.com, the admin should be admin@contoso.com or any other admin alias on that domain.

+To use Application Proxy, install a connector on each Windows server you're using with the Application Proxy service. The connector is an agent that manages the outbound connection from the on-premises application servers to Application Proxy in Azure AD. You can install a connector on servers that also have other authentication agents installed such as Azure AD Connect.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an application administrator of the directory that uses Application Proxy. For example, if the tenant domain is `contoso.com`, the admin should be `admin@contoso.com` or any other admin alias on that domain.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator.

+- [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](application-proxy-add-on-premises-application.md)

+[Configure alternate access mappings for SharePoint 2013](/SharePoint/administration/configure-alternate-access-mappings)

+1. If you didn't in the previous section, sign in to the [Azure portal](https://portal.azure.com) as an Application Administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select **Azure Active Directory**, then select **Enterprise applications**.

+1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Authentication Policy Administrator.

+The [Azure portal](https://portal.azure.com) now has a passwordless methods wizard that will help you to select the appropriate method for each of your audiences. If you haven't yet determined the appropriate methods, see [https://aka.ms/passwordlesswizard](https://aka.ms/passwordlesswizard), then return to this article to continue planning for your selected methods. **You need administrator rights to access this wizard.**

+To manage your user's passwordless authentication methods in the [Azure portal](https://portal.azure.com), select your user account, and then select Authentication methods.

+To delete an enrolled security key, sign in to the [Azure portal](https://portal.azure.com), and then go to the **Security info** page.

+To learn more, see [What authentication and verification methods are available in Azure Active Directory?](concept-authentication-methods.md)

+If your users need help, see the [User guide for Azure AD Multi-Factor Authentication](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc).

+The following questions can be answered by the reports that exist in the [Azure portal](https://portal.azure.com):

+With the controller, you determine what level of access to provide Permissions Management.

+* Enable to grant read and write access to your environment(s). You can manage permissions and remediate through Permissions Management.

+

+* Disable to grant read-only access to your environment(s).

+This article describes how to enable the controller in Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) after onboarding is complete.

+This article also describes how to disable the controller in Microsoft Azure and Google Cloud Platform (GCP). Once you enable the controller in AWS, you can't disable it.

+> You can enable the controller in AWS if you disabled it during onboarding. Once you enable the controller, you canΓÇÖt disable it at this time.

+1. From the Azure [**Home**](https://portal.azure.com) page, select **Management groups**.

+ - **Report output type**: XSLX, PDF

+ - **Ability to collate report**: Yes (XSLX only)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Azure Active Directory** > **Security** > **Conditional Access**.

+1. Sign in to the [Azure portal](https://portal.azure.com) as your test user.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Active Directory** and then **Enterprise applications**. Select **New application** and then **Create your own application**.

+1. Search for and select the user to sign in to the app. Select the **Assign** button.

+1. Sign in to the [Azure portal](https://portal.azure.com) with your administrator account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate and select the function app you previously published.

+1. Sign in to the [Azure portal](https://portal.azure.com), then navigate and select the function app you previously published.

+1. Sign in to the [Azure portal](https://portal.azure.com) with your Azure administrator account.

+- Learn more about custom claims providers with the [custom claims provider reference](custom-claims-provider-reference.md) article.

+Next, add a stage to the pipeline that deploys Azure resources. The pipeline uses an [inline script](/azure/devops/pipelines/scripts/powershell) to create the App Service instance. In a later step, the inline script creates an Azure AD app registration for App Service authentication. An Azure CLI bash script is used because Azure Resource Manager (and Azure Pipelines tasks) can't create an app registration.

+- [Deploy to App Service using Azure Pipelines](/azure/app-service/deploy-azure-pipelines)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left pane, select **Azure Active Directory**.

+- [Application types for the Microsoft identity platform](v2-app-types.md#web-apps)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com)

+# Customize claims issued in the JSON web token (JWT) for enterprise applications

+These JSON Web tokens (JWT) used by OIDC and OAuth applications contain pieces of information about the user known as *claims*. A claim is information that an identity provider states about a user inside the token they issue for that user. In an [OIDC response](v2-protocols-oidc.md), claims data is typically contained in the ID Token issued by the identity provider in the form of a JWT.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the **Attributes & Claims** section, Select **Edit** to edit the claims.

+When a user has an application open in several tabs and signs in on one of them, they can be signed into the same app open on other tabs without being prompted. To do so, you need to set the *cacheLocation* in MSAL.js configuration object to `localStorage` as shown in the following example:

+- `login_hint`, which can be retrieved from the `account` object username property or the `upn` claim in the ID token. If your app is authenticating users with B2C, see: [Configure B2C user-flows to emit username in ID tokens](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/FAQ.md#why-is-getaccountbyusername-returning-null-even-though-im-signed-in)

+- Session ID, `sid`, which can be retrieved from `idTokenClaims` of an `account` object.

+- `account`, which can be retrieved from using one the [account methods](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/login-user.md#account-apis)

+ We recommended to using the `login_hint` [optional ID token claim](optional-claims-reference.md#v10-and-v20-optional-claims-set) provided to `ssoSilent` as `loginHint` as it is the most reliable account hint of silent and interactive requests.

+#### Using a login hint

+The `login_hint` optional claim provides a hint to Azure AD about the user account attempting to sign in. To bypass the account selection prompt typically shown during interactive authentication requests, provide the `loginHint` as shown:

+const silentRequest = {

+ scopes: ["User.Read", "Mail.Read"],

+ loginHint: "user@contoso.com"

+try {

+ const loginResponse = await msalInstance.ssoSilent(silentRequest);

+ const loginResponse = await msalInstance.loginPopup(silentRequest).catch(error => {

+In this example, `loginHint` contains the user's email or UPN, which is used as a hint during interactive token requests. The hint can be passed between applications to facilitate silent SSO, where application A can sign in a user, read the `loginHint`, and then send the claim and the current tenant context to application B. Azure AD will attempt to pre-fill the sign-in form or bypass the account selection prompt and directly proceed with the authentication process for the specified user.

+If the information in the `login_hint` claim doesn't match any existing user, they're redirected to go through the standard sign-in experience, including account selection.

+#### Using a session ID

+To use a session ID, add `sid` as an [optional claim](active-directory-optional-claims.md) to your app's ID tokens. The `sid` claim allows an application to identify a user's Azure AD session independent of their account name or username. To learn how to add optional claims like `sid`, see [Provide optional claims to your app](active-directory-optional-claims.md). Use the session ID (SID) in silent authentication requests you make with `ssoSilent` in MSAL.js.

+ sid: sid,

+ try {

+- **Redirect URI** - Add a redirect URI to your application registration in the [Azure portal](https://portal.azure.com). A missing or incorrect redirect URI is a common issue encountered by developers.

+> [Register an app](quickstart-register-app.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the **User Attributes & Claims** section, select **Edit** to edit the claims.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the **User Attributes & Claims** section, select **Edit** to edit the claims.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> [Tutorial: Prepare an application for authentication](single-page-app-tutorial-02-prepare-spa.md)

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select on **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+3. Select **New user** and create some new test users in your directory.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> [Scenario: Daemon application that calls web APIs](scenario-daemon-overview.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+> [Tutorial: Create an ASP.NET Core project and configure the API](web-api-tutorial-02-prepare-api.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that is a global administrator in the organization. If you're trying to delete the Contoso organization that has the initial default domain `contoso.onmicrosoft.com`, sign in with a UPN such as `admin@contoso.onmicrosoft.com`.

+1. Sign in to to the [Azure portal](https://portal.azure.com) with an account that is the Global Administrator for your Azure AD organization.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+- [PowerShell examples for group-based licensing in Azure Active Directory](licensing-ps-examples.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) using a License administrator account in your Azure AD organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a License administrator account in your Azure AD organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's a Global Administrator for the Azure AD organization.

+* [View your current LinkedIn integration setting in the Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UserManagementMenuBlade/UserSettings)

+1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role. A role with Guest Inviter privileges can also invite external users.

+1. Sign in to the [Azure portal](https://portal.azure.com) using one of the roles listed in the Prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that's been assigned the Global administrator or User administrator role.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

+1. Use your test user name and password to sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as a security administrator or a Conditional Access administrator.

+1. Use your test user name and password to sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

+See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.

+- [Configure cross-tenant access settings for B2B direct connect](cross-tenant-access-settings-b2b-direct-connect.md)

+[Configure cross-tenant access settings for B2B collaboration](cross-tenant-access-settings-b2b-collaboration.md)

+1. When the app launches, copy the suggested URL *https://microsoft.com/devicelogin* from the terminal and visit it in a browser. Then, copy the device code from the terminal and [follow the prompts](./tutorial-browserless-app-dotnet-sign-in-build-app.md#sign-in-to-your-app) on *https://microsoft.com/devicelogin*.

+> [Build your own ASP.NET browserless app and sign in users >](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md)

+- Learn how to [Acquire an access token, then call a web API in your own Node.js daemon app](tutorial-daemon-node-call-api-prepare-tenant.md).

+> | .NET | • [Sign in users](how-to-browserless-app-dotnet-sample-sign-in.md) | • [Sign in users](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) |

+> | Node.js | • [Call an API](how-to-daemon-node-sample-call-api.md) | • [Call an API](tutorial-daemon-node-call-api-prepare-tenant.md) |

+> | Browserless | • [Sign in users](how-to-browserless-app-dotnet-sample-sign-in.md) | • [Sign in users](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) |

+ Title: "Tutorial: Sign in users in your .NET browserless app"

+description: Learn about how to build a .NET browserless app that signs in users by using Device Code flow.

+#Customer intent: As a dev, devops, I want to learn about how to enable authentication in my .NET browserless app with Azure Active Directory (Azure AD) for customers tenant

+# Tutorial: Sign in users to your .NET browserless application

+In this tutorial, you build your own .NET browserless app and authenticate a user using Azure Active Directory (Azure AD) for customers.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> - Configure a .NET browserless app to use it's app registration details.

+> - Build a .NET browserless app that signs in a user and acquires a token on behalf of the user.

+## Prerequisites

+- Registration details for the browserless app you created in the [prepare tenant tutorial](./tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md). You need the following details:

+ - The Application (client) ID of the .NET browserless app that you registered.

+ - The Directory (tenant) subdomain where you registered your .NET browserless app.

+- [.NET 7.0](https://dotnet.microsoft.com/download/dotnet/7.0) or later.

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+## Create an ASP.NET browserless app

+1. Open your terminal and navigate to the folder where you want your project to live.

+1. Initialize a .NET console app and navigate to its root folder

+ ```dotnetcli

+ dotnet new console -o MsIdBrowserlessApp

+ cd MsIdBrowserlessApp

+ ```

+## Install packages

+Install configuration providers that help our app to read configuration data from key-value pairs in our app settings file. These configuration abstractions provide the ability to bind configuration values to instances of .NET objects.

+```dotnetcli

+dotnet add package Microsoft.Extensions.Configuration

+dotnet add package Microsoft.Extensions.Configuration.Json

+dotnet add package Microsoft.Extensions.Configuration.Binder

+```

+Install Microsoft Identity Web library that simplifies adding authentication and authorization support to apps that integrate with the Microsoft identity platform.

+```dotnetcli

+dotnet add package Microsoft.Identity.Web

+```

+## Create appsettings.json file and add registration configs

+1. In your code editor, create an *appsettings.json* file in the root folder of the app.

+1. Add the following code to the *appsettings.json* file.

+

+ ```json

+ {

+ "AzureAd": {

+ "Authority": "https://<Enter_the_Tenant_Subdomain_Here>.ciamlogin.com/",

+ "ClientId": "<Enter_the_Application_Id_Here>"

+ }

+ }

+ ```

+ - Replace `Enter_the_Application_Id_Here` with the Application (client) ID of the app you registered earlier.

+ - Replace `Enter_the_Tenant_Subdomain_Here` with the Directory (tenant) subdomain.

+1. Add the following code to the *MsIdBrowserlessApp.csproj* file to instruct your app to copy the *appsettings.json* file to the output directory when the project is compiled.

+ ```xml

+ <Project Sdk="Microsoft.NET.Sdk">

+ ...

+ <ItemGroup>

+ <None Update="appsettings.json">

+ <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

+ </None>

+ <ItemGroup>

+ </Project>

+ ```

+## Add sign-in code

+1. In your code editor, open the *Program.cs* file.

+1. Clear the contents of the *Program.cs* file then add the packages and set up your configuration to read configs from the *appsettings.json* file.

+ ```csharp

+ // Import packages

+ using Microsoft.Extensions.Configuration;

+ using Microsoft.Identity.Client;

+ // Setup your configuration to read configs from appsettings.json

+ var configuration = new ConfigurationBuilder()

+ .AddJsonFile($"appsettings.json");

+

+ var config = configuration.Build();

+ var publicClientOptions = config.GetSection("AzureAd");

+ // Placeholders for the rest of the code

+ var app = PublicClientApplicationBuilder.Create(...)

+ var scopes = new string[] { };

+ var result = await app.AcquireTokenWithDeviceCode(...)

+ Console.WriteLine(...)

+ ```

+1. The browserless app is a public client application. Create an instance of the `PublicClientApplication` class and pass in the `ClientId` and `Authority` values from the *appsettings.json* file.

+ ```csharp

+ var app = PublicClientApplicationBuilder.Create(publicClientOptions.GetValue<string>("ClientId"))

+ .WithAuthority(publicClientOptions.GetValue<string>("Authority"))

+ .Build();

+ ```

+1. Add the code that helps the app acquire tokens using the device code flow. Pass in the scopes you want to request for and a callback function that is called when the device code is available. By default, MSAL attaches OIDC scopes to every token request.

+ ```csharp

+ var scopes = new string[] { }; // by default, MSAL attaches OIDC scopes to every token request

+ var result = await app.AcquireTokenWithDeviceCode(scopes, async deviceCode => {

+ Console.WriteLine($"In a broswer, navigate to the URL '{deviceCode.VerificationUrl}' and enter the code '{deviceCode.UserCode}'");

+ await Task.FromResult(0);

+ }).ExecuteAsync();

+ Console.WriteLine($"You signed in as {result.Account.Username}");

+ Console.WriteLine($"{result.Account.HomeAccountId}");

+ Console.WriteLine("\nRetrieved ID token:");

+ result.ClaimsPrincipal.Claims.ToList()

+ .ForEach(c => Console.WriteLine(c));

+ ```

+

+ The callback function displays the device code and the verification URL to the user. The user then navigates to the verification URL and enters the device code to complete the authentication process. The method then proceeds to poll for the ID token which is granted upon successful login by the user based on the device code information.

+## Sign in to your app

+1. In your terminal, navigate to the root folder of your browserless app and run the app by running the command `dotnet run` in your terminal.

+1. Open your browser, then navigate to `https://<Enter_the_Tenant_Subdomain_Here>.ciamlogin.com/common/oauth2/deviceauth`. Replace `Enter_the_Tenant_Subdomain_Here` with the Directory (tenant) subdomain. You should see a page similar to the following screenshot:

+ :::image type="content" source="media/how-to-browserless-dotnet-sign-in-sign-in/browserless-app-dotnet-enter-code.png" alt-text="Screenshot of the enter code prompt in a node browserless application using the device code flow.":::

+1. Copy the device code from the message in the terminal and paste it in the **Enter Code** prompt to authenticate. After entering the code, you'll be redirected to the sign in page as follows:

+ :::image type="content" source="media/how-to-browserless-dotnet-sign-in-sign-in/browserless-app-dotnet-sign-in-page.png" alt-text="Screenshot showing the sign in page in a node browserless application.":::

+1. At this point, you most likely don't have an account. If so, select **No account? Create one**, which starts the sign-up flow. Follow through this flow to create a new account. If you already have an account, enter your credentials and sign in.

+1. After completing the sign up flow and signing in, you see a page similar to the following screenshot:

+ :::image type="content" source="media/how-to-browserless-dotnet-sign-in-sign-in/browserless-app-dotnet-signed-in-user.png" alt-text="Screenshot showing a signed-in user in a node browserless application.":::

+1. Move back to the terminal and see your authentication information including the ID token claims.

+You can view the full code for this sample in the [code repo](https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/tree/main/1-Authentication/4-sign-in-device-code).

+## See also

+- [Authenticate users in a sample Node.js browserless application.](./sample-browserless-app-node-sign-in.md)

+- [Customize branding for your sign-in experience](./how-to-customize-branding-customers.md)

+ Title: "Tutorial: Register and configure .NET browserless app authentication details in a customer tenant"

+description: Learn how to register and configure .NET browserless app authentication details in a customer tenant so as to sign in users using Device Code flow.

+#Customer intent: As a dev, devops, I want to learn how to register and configure .NET browserless app authentication details in a customer tenant so as to sign in users using Device Code flow.

+# Tutorial: Register and configure .NET browserless app authentication details in a customer tenant

+In this article, you prepare your Azure Active Directory (Azure AD) for customers tenant for authentication. This tutorial is part of a series that guides you through the steps of building an app that authenticates users against Azure Active Directory (Azure AD) for Customers using the device code flow.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+>

+> - Register a .NET browserless app in the Microsoft Entra admin center

+> - Create a sign-in and sign-out user flow in customers tenant.

+> - Associate your browserless app with the user flow.

+## Prerequisites

+- [.NET 7.0](https://dotnet.microsoft.com/download/dotnet/7.0) or later.

+- [Visual Studio 2022](https://code.visualstudio.com/download) or another code editor.

+- Azure AD for customers tenant. If you don't already have one, [sign up for a free trial](https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl).

+## Register the browserless app

+## Enable public client flow

+## Grant API permissions

+Since this app signs-in users, add delegated permissions:

+## Create a user flow

+## Associate the browserless app with the user flow

+## Record your registration details

+The next step after this tutorial is to build a WPF desktop app that authenticates users. Ensure you have the following details:

+- The Application (client) ID of the .NET browserless app that you registered.

+- The Directory (tenant) subdomain where you registered your .NET browserless app. If your primary domain is *contoso.onmicrosoft.com*, your Directory (tenant) subdomain is *contoso*. If you don't have your primary domain, learn how to [read tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+## Next steps

+> [!div class="nextstepaction"]

+> [Sign-in users to your .NET browserless app >](./tutorial-browserless-app-dotnet-sign-in-build-app.md)

+ Title: "Tutorial: Call a web API from your Node.js daemon application"

+description: Learn about how to prepare your Node.js client daemon app, then configure it to acquire an access token for calling a web API.

+# Tutorial: Call a web API from your Node.js daemon application

+This tutorial demonstrates how to prepare your Node.js daemon client app, then configure it to acquire an access token for calling a web API. The application you build uses [Microsoft Authentication Library (MSAL) for Node](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) to simplify adding authorization to your node daemon application.

+The [OAuth 2.0 client credentials grant flow](../../develop/v2-oauth2-client-creds-grant-flow.md) permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate before calling another web service. The client credentials grant flow is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.

+In this tutorial, you'll:

+> [!div class="checklist"]

+> - Create a Node.js app, then install dependencies.

+> - Enable the Node.js app to acquire an access token for calling a web API.

+## Prerequisites

+- [Node.js](https://nodejs.org).

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+- Registration details for the Node.js daemon app and web API you created in the [prepare tenant tutorial](tutorial-daemon-node-call-api-prepare-tenant.md).

+- A protected web API that is running and ready to accept requests. If you haven't created one, see the [create a protected web API tutorial](how-to-protect-web-api-dotnet-core-overview.md). Ensure this web API is using the app registration details you created in the [prepare tenant tutorial](tutorial-daemon-node-call-api-prepare-tenant.md). Make sure your web API exposes the following endpoints via https:

+ - `GET /api/todolist` to get all todos.

+ - `POST /api/todolist` to add a todo.

+## Create the Node.js daemon project

+Create a folder to host your Node.js daemon application, such as `ciam-call-api-node-daemon`:

+1. In your terminal, change directory into your Node daemon app folder, such as `cd ciam-call-api-node-daemon`, then run `npm init -y`. This command creates a default package.json file for your Node.js project. This command creates a default `package.json` file for your Node.js project.

+1. Create more folders and files to achieve the following project structure:

+ ```

+ ciam-call-api-node-daemon/

+ Γö£ΓöÇΓöÇ auth.js

+ ΓööΓöÇΓöÇ authConfig.js

+ ΓööΓöÇΓöÇ fetch.js

+ ΓööΓöÇΓöÇ index.js

+ ΓööΓöÇΓöÇ package.json

+ ```

+## Install app dependencies

+In your terminal, install `axios`, `yargs` and `@azure/msal-node` packages by running the following command:

+```console

+npm install axios yargs @azure/msal-node

+```

+## Create MSAL configuration object

+In your code editor, open *authConfig.js* file, then add the following code:

+```javascript

+require('dotenv').config();

+/**

+ * Configuration object to be passed to MSAL instance on creation.

+ * For a full list of MSAL Node configuration parameters, visit:

+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/configuration.md

+ */

+const msalConfig = {

+ auth: {

+ clientId: process.env.CLIENT_ID || 'Enter_the_Application_Id_Here', // 'Application (client) ID' of app registration in Azure portal - this value is a GUID

+ authority: process.env.AUTHORITY || 'https://Enter_the_Tenant_Subdomain_Here.ciamlogin.com/', // Replace "Enter_the_Tenant_Subdomain_Here" with your tenant subdomain

+ clientSecret: process.env.CLIENT_SECRET || 'Enter_the_Client_Secret_Here', // Client secret generated from the app

+ },

+ system: {

+ loggerOptions: {

+ loggerCallback(loglevel, message, containsPii) {

+ console.log(message);

+ },

+ piiLoggingEnabled: false,

+ logLevel: 'Info',

+ },

+ },

+};

+const protectedResources = {

+ apiToDoList: {

+ endpoint: process.env.API_ENDPOINT || 'https://localhost:44351/api/todolist',

+ scopes: [process.env.SCOPES || 'api://Enter_the_Web_Api_Application_Id_Here'],

+ },

+};

+module.exports = {

+ msalConfig,

+ protectedResources,

+};

+```

+The `msalConfig` object contains a set of configuration options that you use to customize the behavior of your authorization flow.

+In your *authConfig.js* file, replace:

+- `Enter_the_Application_Id_Here` with the Application (client) ID of the client daemon app that you registered earlier.

+- `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+- `Enter_the_Client_Secret_Here` with the client daemon app secret value that you copied earlier.

+- `Enter_the_Web_Api_Application_Id_Here` with the Application (client) ID of the web API app that you copied earlier.

+Notice that the `scopes` property in the `protectedResources` variable is the resource identifier (application ID URI) of the [web API](tutorial-daemon-node-call-api-prepare-tenant.md#register-a-web-api-application) that you registered earlier. The complete scope URI looks similar to `api://Enter_the_Web_Api_Application_Id_Here/.default`.

+## Acquire an access token

+In your code editor, open *auth.js* file, then add the following code:

+```javascript

+const msal = require('@azure/msal-node');

+const { msalConfig, protectedResources } = require('./authConfig');

+/**

+ * With client credentials flows permissions need to be granted in the portal by a tenant administrator.

+ * The scope is always in the format '<resource-appId-uri>/.default'. For more, visit:

+ * https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

+ */

+const tokenRequest = {

+ scopes: [`${protectedResources.apiToDoList.scopes}/.default`],

+};

+const apiConfig = {

+ uri: protectedResources.apiToDoList.endpoint,

+};

+/**

+ * Initialize a confidential client application. For more info, visit:

+ * https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/initialize-confidential-client-application.md

+ */

+const cca = new msal.ConfidentialClientApplication(msalConfig);

+/**

+ * Acquires token with client credentials.

+ * @param {object} tokenRequest

+ */

+async function getToken(tokenRequest) {

+ return await cca.acquireTokenByClientCredential(tokenRequest);

+}

+module.exports = {

+ apiConfig: apiConfig,

+ tokenRequest: tokenRequest,

+ getToken: getToken,

+};

+```

+In the code:

+- Prepare the `tokenRequest` and `apiConfig` object. The `tokenRequest` contains the scope for which you request an access token. The scope looks something like `api://Enter_the_Web_Api_Application_Id_Here/.default`. The `apiConfig` object contains the endpoint to your web API. Learn more about [OAuth 2.0 client credentials flow](../../develop/v2-oauth2-client-creds-grant-flow.md).

+- You create a confidential client instance by passing the `msalConfig` object to the [ConfidentialClientApplication](/javascript/api/@azure/msal-node/confidentialclientapplication#constructors) class' constructor.

+ ```javascript

+ const cca = new msal.ConfidentialClientApplication(msalConfig);

+ ```

+- You then use the [acquireTokenByClientCredential](/javascript/api/@azure/msal-node/confidentialclientapplication#@azure-msal-node-confidentialclientapplication-acquiretokenbyclientcredential) function to acquire an access token. You implement this logic in the `getToken` function:

+ ```javascript

+ cca.acquireTokenByClientCredential(tokenRequest);

+ ```

+Once you acquire an access token, you can proceed to call an API.

+## Call an API

+In your code editor, open *fetch.js* file, then add the following code:

+```javascript

+const axios = require('axios');

+/**

+ * Calls the endpoint with authorization bearer token.

+ * @param {string} endpoint

+ * @param {string} accessToken

+ */

+async function callApi(endpoint, accessToken) {

+ const options = {

+ headers: {

+ Authorization: `Bearer ${accessToken}`

+ }

+ };

+ console.log('request made to web API at: ' + new Date().toString());

+ try {

+ const response = await axios.get(endpoint, options);

+ return response.data;

+ } catch (error) {

+ console.log(error)

+ return error;

+ }

+};

+module.exports = {

+ callApi: callApi

+};

+```

+In this code, you make a call to the web API, by passing the access token as a bearer token in the request `Authorization` header:

+```javascript

+ Authorization: `Bearer ${accessToken}`

+```

+You use the access token that you acquired earlier in [Acquire an access token](#acquire-an-access-token).

+Once the web API receives the request, it evaluates it then determines that it's an application request. If the access token is valid, the web API returns requested data. Otherwise, the API returns a `401 Unauthorized` HTTP error.

+## Finalize your daemon app

+In your code editor, open *index.js* file, then add the following code:

+```javascript

+#!/usr/bin/env node

+// read in env settings

+require('dotenv').config();

+const yargs = require('yargs');

+const fetch = require('./fetch');

+const auth = require('./auth');

+const options = yargs

+ .usage('Usage: --op <operation_name>')

+ .option('op', { alias: 'operation', describe: 'operation name', type: 'string', demandOption: true })

+ .argv;

+async function main() {

+ console.log(`You have selected: ${options.op}`);

+ switch (yargs.argv['op']) {

+ case 'getToDos':

+ try {

+ const authResponse = await auth.getToken(auth.tokenRequest);

+ const todos = await fetch.callApi(auth.apiConfig.uri, authResponse.accessToken);

+ } catch (error) {

+ console.log(error);

+ }

+ break;

+ default:

+ console.log('Select an operation first');

+ break;

+ }

+};

+main();

+```

+This code is the entry point to your app. You use the [yargs js](https://www.npmjs.com/package/yargs) command-line argument parsing library for Node.js apps to interactively fetch an access token, then call API. You use the `getToken` and `callApi` functions you defined earlier:

+```javascript

+const authResponse = await auth.getToken(auth.tokenRequest);

+const todos = await fetch.callApi(auth.apiConfig.uri, authResponse.accessToken);

+```

+## Run and test daemon app and API

+At this point, you're ready to test your client daemon app and web API:

+1. Use the steps you learned in [Secure an ASP.NET web API](how-to-protect-web-api-dotnet-core-overview.md) tutorial to start your web API. Your web API is now ready to serve client requests. If you don't run your web API on port `44351` as specified in the *authConfig.js* file, make sure you update the *authConfig.js* file to use the correct web API's port number.

+1. In your terminal, make sure you're in the project folder that contains your daemon Node.js app such as `ciam-call-api-node-daemon`, then run the following command:

+ ```console

+ node . --op getToDos

+ ```

+If your daemon app and web API run successfully, you should find the data returned by the web API endpoint `todos` variable, similar to the following JSON array, in your console window:

+```json

+{

+ id: 1,

+ owner: '3e8....-db63-43a2-a767-5d7db...',

+ description: 'Pick up grocery'

+},

+{

+ id: 2,

+ owner: 'c3cc....-c4ec-4531-a197-cb919ed.....',

+ description: 'Finish invoice report'

+},

+{

+ id: 3,

+ owner: 'a35e....-3b8a-4632-8c4f-ffb840d.....',

+ description: 'Water plants'

+}

+```

+## Next steps

+Learn how to [Use client certificate instead of a secret for authentication in your Node.js confidential app](how-to-web-app-node-use-certificate.md).

+ Title: 'Tutorial: Prepare your customer tenant to authorize a Node.js daemon application'

+description: Learn how to prepare your customer tenant to authorize your Node.js daemon application

+# Tutorial: Prepare your customer tenant to authorize a Node.js daemon application

+In this tutorial, you learn how to acquire an access token, then call a web API in a Node.js daemon application. You enable the client daemon app to acquire an access token using its own identity. To do so, you first register your application in your Azure Active Directory (Azure AD) for customers tenant.

+In this tutorial, you'll:

+> [!div class="checklist"]

+> - Register a web API and configure app permissions in the Microsoft Entra admin center.

+> - Register a client daemon application, the grant it app permissions in the Microsoft Entra admin center.

+> - Create a client secret for your daemon application in the Microsoft Entra admin center.

+If you've already registered a client daemon application and a web API in the Microsoft Entra admin center, you can skip the steps in this tutorial, then proceed to [Acquire access token for calling an API](tutorial-daemon-node-call-api-build-app.md).

+## Prerequisites

+- An Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register a web API application

+## Configure app roles

+## Configure optional claims

+## Register the daemon app

+## Create a client secret

+## Grant API permissions to the daemon app

+## Record your app registration details

+In the next step, you prepare your daemon app application. Make sure you've the following details:

+- The Application (client) ID of the client daemon app that you registered.

+- The Directory (tenant) subdomain where you registered your daemon app. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+- The application secret value for the daemon app you created.

+- The Application (client) ID of the web API app you registered.

+## Next steps

+In the next tutorial, you prepare your daemon Node.js application.

+> [!div class="nextstepaction"]

+> [Prepare your daemon application](tutorial-daemon-node-call-api-build-app.md)

+- [Google federation](google-federation.md)

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD global administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator or User administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an Azure AD administrator.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**.

+- [Define custom attributes for user flows](user-flow-add-custom-attributes.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role.

+1. Sign in to the [Azure portal](https://portal.azure.com) using one of the appropriate roles listed above.

+description: Azure AD security defaults that help protect organizations from common identity attacks

+Security defaults make it easier to help protect your organization from identity-related attacks like password spray, replay, and phishing common in today's environments.

+Microsoft is making these preconfigured security settings available to everyone, because we know managing security can be difficult. Based on our learnings more than 99.9% of those common identity-related attacks are stopped by using multifactor authentication (MFA) and blocking legacy authentication. Our goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.

+These basic controls include:

+To help protect organizations, we're always working to improve the security of Microsoft account services. As part of this protection, customers are periodically notified for the automatic enablement of the security defaults if they:

+- Haven't enabled Conditional Access policies.

+- Don't have premium licenses.

+- ArenΓÇÖt actively using legacy authentication clients.

+After this setting is enabled, all users in the organization will need to register for multifactor authentication. To avoid confusion, refer to the email you received and alternatively you can [disable security defaults](#disabling-security-defaults) after it's enabled.

+1. Sign in to the [Azure portal](https://portal.azure.com) as a Security Administrator, Conditional Access Administrator, or Global Administrator.

+### Revoking active tokens

+As part of enabling security defaults, administrators should revoke all existing tokens to require all users to register for multifactor authentication. This revocation event forces previously authenticated users to authenticate and register for multifactor authentication. This task can be accomplished using the [Revoke-AzureADUserAllRefreshToken](/powershell/module/azuread/revoke-azureaduserallrefreshtoken) PowerShell cmdlet.

+- Global Administrator

+- Application Administrator

+- Authentication Administrator

+- Billing Administrator

+- Cloud Application Administrator

+- Conditional Access Administrator

+- Exchange Administrator

+- Helpdesk Administrator

+- Password Administrator

+- Privileged Authentication Administrator

+- Privileged Role Administrator

+- Security Administrator

+- SharePoint Administrator

+- User Administrator

+One common method to improve protection for all users is to require a stronger form of account verification, such as multifactor authentication, for everyone. After users complete registration, they'll be prompted for another authentication whenever necessary. Azure AD decides when a user is prompted for multifactor authentication, based on factors such as location, device, role and task. This functionality protects all applications registered with Azure AD including SaaS applications.

+Every organization should have at least two backup administrators configured. We call these emergency access accounts.

+You can use Conditional Access to configure policies similar to security defaults, but with more granularity. Conditional Access policies allow selecting other authentication methods and the ability to exclude users, which aren't available in security defaults. If you're using Conditional Access in your environment today, security defaults aren't available to you.

+1. Sign in to the [Azure portal](https://portal.azure.com) as a Security Administrator, Conditional Access Administrator, or Global Administrator.

+After you sign in to the [Azure portal](https://portal.azure.com), you can create a new tenant for your organization. Your new tenant represents your organization and helps you to manage a specific instance of Microsoft cloud services for your internal and external users.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+<a name='sign-in-to-the-azure-portal'></a>

+## Sign in to the [Azure portal](https://portal.azure.com)

+You must sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role.

+1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role. A role with Guest Inviter privileges can also invite external users.

+1. Sign in to the [Azure portal](https://portal.azure.com) using one of the appropriate roles.

+* [Add a custom domain](add-custom-domain.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account for the directory.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account for the directory.

+### Add members or owners of a group

+### Remove members or owners of a group

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using a License administrator account in your Azure AD organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the Privileged Role Administrator role for the directory.

+- [Explore other user management tasks](../enterprise-users/index.yml)

+1. Sign in to the [Azure portal](https://portal.azure.com) as a user administrator, or password administrator. For more information about the available roles, see [Azure AD built-in roles](../roles/permissions-reference.md)

+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the organization.

+- [Delete Lifecycle Workflows](delete-lifecycle-workflow.md)

+- [Delete lifecycle workflows](delete-lifecycle-workflow.md)

+- [Approve or deny access requests](entitlement-management-request-approve.md)

+- [Delete a Lifecycle workflow](delete-lifecycle-workflow.md)

+- [Complete tasks in real time on an employee's last day of work by using lifecycle workflow APIs](/graph/tutorial-lifecycle-workflows-offboard-custom-workflow)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. On the right, select **Azure Active Directory**.

+3. Select **Identity Governance**.

+4. Select **Lifecycle workflows**.

+5. On the **Overview** page, select **New workflow**.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/new-workflow.png" alt-text="Screenshot of selecting a new workflow." lightbox="media/tutorial-lifecycle-workflows/new-workflow.png":::

+6. From the templates, select **select** under **Onboard pre-hire employee**.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/select-template.png" alt-text="Screenshot of selecting workflow template." lightbox="media/tutorial-lifecycle-workflows/select-template.png":::

+7. Next, you configure the basic information about the workflow. This information includes when the workflow triggers, known as **Days from event**. So in this case, the workflow triggers two days before the employee's hire date. On the onboard pre-hire employee screen, add the following settings and then select **Next: Configure Scope**.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/configure-scope.png" alt-text="Screenshot of selecting a configuration scope." lightbox="media/tutorial-lifecycle-workflows/configure-scope.png":::

+8. Next, you configure the scope. The scope determines which users this workflow runs against. In this case, it is on all users in the Sales department. On the configure scope screen, under **Rule** add the following settings and then select **Next: Review tasks**. For a full list of supported user properties, see [Supported user properties and query parameters](/graph/api/resources/identitygovernance-rulebasedsubjectset?view=graph-rest-beta&preserve-view=true#supported-user-properties-and-query-parameters).

+ :::image type="content" source="media/tutorial-lifecycle-workflows/review-tasks.png" alt-text="Screenshot of selecting review tasks." lightbox="media/tutorial-lifecycle-workflows/review-tasks.png":::

+9. On the following page, you may inspect the task if desired but no additional configuration is needed. Select **Next: Review + Create** when you're finished.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/onboard-review-create.png" alt-text="Screenshot of reviewing an on-board workflow." lightbox="media/tutorial-lifecycle-workflows/onboard-review-create.png":::

+10. On the review blade, verify the information is correct and select **Create**.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/onboard-create.png" alt-text="Screenshot of creating an onboard workflow." lightbox="media/tutorial-lifecycle-workflows/onboard-create.png":::

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. On the right, select **Azure Active Directory**.

+3. Select **Users**.

+4. Select **Melva Prince**.

+5. Select the copy sign next to the **Object ID**.

+6. Now navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

+7. Sign-in to Graph Explorer with the global administrator account for your tenant.

+8. At the top, change **GET** to **PATCH** and add `https://graph.microsoft.com/v1.0/users/<id>` to the box. Replace `<id>` with the value we copied before.

+9. Copy the following in to the **Request body** and select **Run query**

+ ```Example

+ {

+ "employeeHireDate": "2022-04-15T22:10:00Z"

+ }

+ ```

+ :::image type="content" source="media/tutorial-lifecycle-workflows/update-1.png" alt-text="Screenshot of the PATCH employeeHireDate." lightbox="media/tutorial-lifecycle-workflows/update-1.png":::

+10. Verify the change by changing **PATCH** back to **GET** and **v1.0** to **beta**. Select **Run query**. You should see the attributes for Melva set.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/update-3.png" alt-text="Screenshot of the GET employeeHireDate." lightbox="media/tutorial-lifecycle-workflows/update-3.png":::

+1. Still in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

+2. Make sure the top is still set to **PUT** and `https://graph.microsoft.com/v1.0/users/<id>/manager/$ref` is in the box. Change `<id>` to the ID of Melva Prince.

+3. Copy the code below in to the **Request body**

+4. Replace `<managerid>` in the following code with the value of Britta Simons ID.

+5. Select **Run query**

+ ```Example

+ {

+ }

+ ```

+ :::image type="content" source="media/tutorial-lifecycle-workflows/graph-add-manager.png" alt-text="Screenshot of Adding a manager in Graph explorer." lightbox="media/tutorial-lifecycle-workflows/graph-add-manager.png":::

+6. Now, we can verify that the manager has been set correctly by changing the **PUT** to **GET**.

+7. Make sure `https://graph.microsoft.com/v1.0/users/<id>/manager/` is in the box. The `<id>` is still that of Melva Prince.

+8. Select **Run query**. You should see Britta Simon returned in the Response.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/graph-get-manager.png" alt-text="Screenshot of getting a manager in Graph explorer." lightbox="media/tutorial-lifecycle-workflows/graph-get-manager.png":::

+### Enabling the Temporary Access Pass (TAP)

+ 1. Sign in to the [Azure portal](https://portal.azure.com).

+ 2. On the right, select **Azure Active Directory**.

+ 3. Select **Identity Governance**.

+ 4. Select **Lifecycle workflows**.

+ 5. On the **Overview** page, select **New workflow**.

+1. On the workflow screen, select the specific workflow you want to run.

+2. Select **Run on demand**.

+3. On the **select users** tab, select **add users**.

+4. Add a user.

+5. Select **Run workflow**.

+1. To begin, select the **Workflow history** tab on the left to view the user summary and associated workflow tasks and statuses.

+ :::image type="content" source="media/tutorial-lifecycle-workflows/workflow-history-post-offboard.png" alt-text="Screenshot of the workflow history summary." lightbox="media/tutorial-lifecycle-workflows/workflow-history-post-offboard.png":::

+ :::image type="content" source="media/tutorial-lifecycle-workflows/user-summary-post-offboard.png" alt-text="Screenshot of the workflow history overview." lightbox="media/tutorial-lifecycle-workflows/user-summary-post-offboard.png":::

+ :::image type="content" source="media/tutorial-lifecycle-workflows/total-tasks-post-offboard.png" alt-text="Screenshot of workflow's total tasks." lightbox="media/tutorial-lifecycle-workflows/total-tasks-post-offboard.png":::

+ :::image type="content" source="media/tutorial-lifecycle-workflows/failed-tasks-post-offboard.png" alt-text="Screenshot of workflow failed tasks." lightbox="media/tutorial-lifecycle-workflows/failed-tasks-post-offboard.png":::

+ :::image type="content" source="media/tutorial-lifecycle-workflows/canceled-tasks-post-offboard.png" alt-text="Screenshot of workflow unprocessed tasks." lightbox="media/tutorial-lifecycle-workflows/canceled-tasks-post-offboard.png":::

+Use the following steps to configure provisioning:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. Select **Azure Active Directory**

+3. Select **Azure AD Connect**

+4. Select **Manage cloud sync**

+5. Select **New Configuration**

+6. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.

+7. The configuration status should now be **Healthy**.

+ `auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable`

+1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) using the account that's associated with your Azure subscription.

+1. Sign in to the [Azure portal](https://portal.azure.com) as an admin with an Azure AD Premium P1 or P2 license.

+1. Sign in to the [Azure portal](https://portal.azure.com), then browse to **Azure Active Directory** and select **Enterprise applications**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Enterprise applications**, and then search for and select the application to which you want to assign the user or group account.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.

+2. Select **Azure Active Directory**.

+3. Select **Manage**

+4. Select **Properties**

+5. Under **Tenant properties**, select **Manage security defaults**

+6. For **Enable Security defaults**, select **Yes**

+7. Select **Save**

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

+* Manage identities and access from a single control plane, the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) using an account with Application Admin permissions.

+* Manage identities and access from one control plane, the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

+* Manage identities and access from the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

+* Manage identities and access from the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

+* Manage identities and access from the [Azure portal](https://portal.azure.com)

+1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrator permissions.

+1. Sign in to the [Azure portal](https://portal.azure.com) using an account with permissions to create VMs, such as Contributor.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory** > **Enterprise applications**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then select **View** or **Manage Azure Active Directory**.

+1. Sign in to the [Azure portal](https://portal.azure.com), then under **Manage Azure Active Directory**, select **View**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) with one of the roles listed in the prerequisites.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select the resource you want to delete.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com). For **Azure resources**, navigate to **Privileged Identity Management** and select **Azure resources** under **Manage** from the dashboard. For **Azure AD roles**, select **Azure AD roles** from the same dashboard.

+1. Sign in to the [Azure portal](https://portal.azure.com) as a user that is assigned to one of the prerequisite role(s).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) with a user that is a member of the [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator) role.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com) with Owner or User Access Administrator role permissions.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Sign in to the [Azure portal](https://portal.azure.com).

+* [Install and use the log analytics views for Azure Active Directory](howto-install-use-log-analytics-views.md)

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to **Azure Active Directory** > **App registrations**.

+* [How to use the Sign-in diagnostics](howto-use-sign-in-diagnostics.md)

+* [Create custom Azure Monitor queries using Azure PowerShell](../governance/entitlement-management-logs-and-reporting.md).

+1. Sign in to the [Azure portal](https://portal.azure.com) as Isabella Simonsen using an incorrect password.

+1. Sign in to the [Azure portal](https://portal.azure.com) as Isabella Simonsen using an incorrect password.

+## Create an alert rule

+## Add a query to a workbook template

+* [Assign Azure AD roles to groups](groups-assign-role.md)

+* A BigPanda account with the Single Sign On role set to Full Access. See [Roles and Resource Permissions](https://docs.bigpanda.io/docs/roles-management#roles-and-resource-permissions) in the BigPanda documentation for more information.

+ > These values are not real. Update these values with the actual Reply URL and Sign on URL. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the file and save it on your computer.

+ 

+1. On the **Set up BigPanda** section, copy the **Login URL**.

+To configure single sign-on on **BigPanda** side, please follow the instructions from [BigPanda documentation](https://docs.bigpanda.io/docs/azure-ad-active-directory).

+ `https://expense.certify.com`

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL based on your cloud exchange deployment. You can also contact [Netskope Cloud Exchange Administration Console support team](mailto:support@netskope.com) to get help to determine these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+To configure single sign-on on **Netskope Cloud Exchange Administration Console** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Netskope Cloud Exchange Administration Console support team](mailto:support@netskope.com). They set this setting to have the SAML SSO connection set properly on both sides

+1. Sign in to the [Azure portal](https://portal.azure.com)

+1. Search for **Verified ID** and select it.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Go to the key vault you use for this tutorial.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for *Verified ID*. Then, select **Verified ID**.

+1. Sign in to the [Azure portal](https://portal.azure.com) with your administrative account.

+Learn how to [manage a federated identity credential on a user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) in Azure Active Directory (Azure AD).

+## Input requirements

+Spatial Analysis works on videos that meet the following requirements:

+* The video must be in RTSP, rawvideo, MP4, FLV, or MKV format.

+* The video codec must be H.264, HEVC(H.265), rawvideo, VP9, or MPEG-4.

+The Document Intelligence invoice model uses powerful Optical Character Recognition (OCR) capabilities to analyze and extract key fields and line items from sales invoices, utility bills, and purchase orders. Invoices can be of various formats and quality including phone-captured images, scanned documents, and digital PDFs. The API analyzes invoice text; extracts key information such as customer name, billing address, due date, and amount due; and returns a structured JSON data representation. The model currently supports invoices in 27 languages.

+| &bullet; Czech (cs) | Czechoslovakia (cz)|

+| &bullet; Danish (da) | Denmark (dk)|

+| &bullet; Estonian (et) | Estonia (ee)|

+| &bullet; Finnish (fi) | Finland (fl)|

+| &bullet; Croation (hr) | Bosnia and Herzegovina (ba), Croatia (hr), Serbia (rs)|

+| &bullet; Hungarian (hu) | Hungary (hu)|

+| &bullet; Icelandic (is) | Iceland (is)|

+| &bullet; Japanese (ja) | Japan (ja)|

+| &bullet; Korean (ko) | Korea (kr)|

+| &bullet; Lithuanian (lt) | Lithuania (lt)|

+| &bullet; Latvian (lv) | Latvia (lv)|

+| &bullet; Malay (ms) | Malasia (ms)|

+| &bullet; Norwegian (nb) | Norway (no)|

+| &bullet; Polish (pl) | Poland (pl)|

+| &bullet; Romanian (ro) | Romania (ro)|

+| &bullet; Slovak (sk) | Slovakia (sv)|

+| &bullet; Slovenian (sl) | Slovenia (sl)|

+| &bullet; Serbian (sr-Latn) | Serbia (latn-rs)|

+| &bullet; Albanian (sq) | Albania (al)|

+| &bullet; Swedish (sv) | Sweden (se)|

+| &bullet; Chinese (simplified (zh-hans) | China (zh-hans-cn)|

+| &bullet; Chinese (traditional (zh-hant) | Hong Kong (zh-hant-hk), Taiwan (zh-hant-tw)|

+| Supported Currency Codes | Details |

+|:-|:|

+| &bullet; ARS | United States (us) |

+| &bullet; AUD | Australia (au) |

+| &bullet; BRL | United States (us) |

+| &bullet; CAD | Canada (ca) |

+| &bullet; CLP | United States (us) |

+| &bullet; CNY | United States (us) |

+| &bullet; COP | United States (us) |

+| &bullet; CRC | United States (us) |

+| &bullet; CZK | United States (us) |

+| &bullet; DKK | United States (us) |

+| &bullet; EUR | United States (us) |

+| &bullet; GBP | United Kingdom (uk) |

+| &bullet; HUF | United States (us) |

+| &bullet; IDR | United States (us) |

+| &bullet; INR | United States (us) |

+| &bullet; ISK | United States (us) |

+| &bullet; JPY | Japan (jp) |

+| &bullet; KRW | United States (us) |

+| &bullet; NOK | United States (us) |

+| &bullet; PAB | United States (us) |

+| &bullet; PEN | United States (us) |

+| &bullet; PLN | United States (us) |

+| &bullet; RON | United States (us) |

+| &bullet; RSD | United States (us) |

+| &bullet; SEK | United States (us) |

+| &bullet; TWD | United States (us) |

+| &bullet; USD | United States (us) |

+The prebuilt invoice **2022-06-30** and later releases support the optional return of key-value pairs. By defualt the return of key-value pairs is disabled. Key-value pairs are specific spans within the invoice that identify a label or key and its associated response or value. In an invoice, these pairs could be the label and the value the user entered for that field or telephone number. The AI model is trained to extract identifiable keys and values based on a wide variety of document types, formats, and structures.

+ In the abstractive conversation summarization scenario, each conversation (whether it has a provided label or not) is expected to be provided in a .json file, which is similar to the input format for our [pre-built conversation summarization service](https://learn.microsoft.com/rest/api/language/2023-04-01/analyze-conversation/submit-job?tabs=HTTP#textconversation). The following is an example conversation of three turns between two speakers (Agent and Customer).

+```json

+{

+ "conversationItems": [

+ {

+ "text": "Hello, how can I help you?",

+ "modality": "text",

+ "id": "1",

+ "participantId": "Agent",

+ "role": "Agent"

+ },

+ {

+ "text": "How do I upgrade office? I have been getting error messages all day.",

+ "modality": "text",

+ "id": "2",

+ "participantId": "Customer",

+ "role": "Customer"

+ },

+ {

+ "text": "Please press the upgrade button, then sign in and follow the instructions.",

+ "modality": "text",

+ "id": "3",

+ "participantId": "Agent",

+ "role": "Agent"

+ }

+ ],

+ "modality": "text",

+ "id": "conversation1",

+ "language": "en"

+}

+```

+## Sample mapping JSON format

+The JSON file is expected to contain the following fields:

+{

+ projectFileVersion": The version of the exported project,

+ "stringIndexType": Specifies the method used to interpret string offsets. For additional information see https://aka.ms/text-analytics-offsets,

+ "metadata": {

+ "projectKind": The project kind you need to import. Values for summarization are CustomAbstractiveSummarization and CustomConversationSummarization. Both projectKind fields must be identical.,

+ "storageInputContainerName": The name of the storage container that contains the documents/conversations and the summaries,

+ "projectName": a string project name,

+ "multilingual": A flag denoting whether this project should allow multilingual documents or not. For Summarization this option is turned off,

+ "description": a string project description,

+ "language": The default language of the project. Possible values are ΓÇ£enΓÇ¥ and ΓÇ£en-usΓÇ¥

+ },

+ "assets": {

+ "projectKind": The project kind you need to import. Values for summarization are CustomAbstractiveSummarization and CustomConversationSummarization. Both projectKind fields must be identical.,

+ "documents": a list of document-label pairs, each is defined with three fields:[

+ {

+ "summaryLocation": a string path to the summary txt (for documents) or json (for conversations) file,

+ "location": a string path to the document txt (for documents) or json (for conversations) file,

+ "language": The language of the documents. Possible values are ΓÇ£enΓÇ¥ and ΓÇ£en-usΓÇ¥

+ }

+ ]

+ }

+```

+## Custom document summarization mapping sample

+## Custom conversation summarization mapping sample

+The following is an example mapping file for the abstractive conversation summarization scenario with three documents and corresponding labels.

+```json

+{

+ "projectFileVersion": "2022-10-01-preview",

+ "stringIndexType": "Utf16CodeUnit",

+ "metadata": {

+ "projectKind": "CustomAbstractiveSummarization",

+ "storageInputContainerName": "abstractivesummarization",

+ "projectName": "sample_custom_summarization",

+ "multilingual": false,

+ "description": "Creating a custom summarization model",

+ "language": "en-us"

+ }

+ "assets": {

+ "projectKind": "CustomAbstractiveSummarization",

+ "documents": [

+ {

+ "summaryLocation": "conv1_summary.txt",

+ "location": "conv1.json",

+ "language": "en-us"

+ },

+ {

+ "summaryLocation": "conv2_summary.txt",

+ "location": "conv2.json",

+ "language": "en-us"

+ },

+ {

+ "summaryLocation": "conv3_summary.txt",

+ "location": "conv3.json",

+ "language": "en-us"

+ }

+ ]

+ }

+}

+```

+> Metrics Advisor resource administrators need to configure the Email settings, and input **SMTP related information** into Metrics Advisor before anomaly alerts can be sent. The resource group admin or subscription admin needs to assign at least one *Cognitive Services Metrics Advisor Administrator* role in the Access control tab of the Metrics Advisor resource. [Learn more about e-mail settings configuration](../faq.yml#how-to-set-up-email-settings-and-enable-alerting-by-email-).

+- A user with the subscription administrator or resource group administrator privileges needs to navigate to the Metrics Advisor resource that was created in the Azure portal, and select the Access control (IAM) tab.

+- Pick a role of 'Cognitive Services Metrics Advisor Administrator', select your account as in the image below.

+ |Cognitive Services QnA Maker Reader|

+ |Cognitive Services QnA Maker Editor|

+ |Cognitive Services User|

+| `type` | Specifies where and how to add silence. The following silence types are supported:<br/><ul><li>`Leading` ΓÇô Additional silence at the beginning of the text. The value that you set is added to the natural silence before the start of text.</li><li>`Leading-exact` ΓÇô Silence at the beginning of the text. The value is an absolute silence length.</li><li>`Tailing` ΓÇô Additional silence at the end of text. The value that you set is added to the natural silence after the last word.</li><li>`Tailing-exact` ΓÇô Silence at the end of the text. The value is an absolute silence length.</li><li>`Sentenceboundary` ΓÇô Additional silence between adjacent sentences. The actual silence length for this type includes the natural silence after the last word in the previous sentence, the value you set for this type, and the natural silence before the starting word in the next sentence.</li><li>`Sentenceboundary-exact` ΓÇô Silence between adjacent sentences. The value is an absolute silence length.</li><li>`Comma-exact` ΓÇô Silence at the comma in half-width or full-width format. The value is an absolute silence length.</li><li>`Semicolon-exact` ΓÇô Silence at the semicolon in half-width or full-width format. The value is an absolute silence length.</li><li>`Enumerationcomma-exact` ΓÇô Silence at the enumeration comma in full-width format. The value is an absolute silence length.</li></ul><br/>An absolute silence type (with the `-exact` suffix) replaces any otherwise natural leading or trailing silence. Absolute silence types take precedence over the corresponding non-absolute type. For example, if you set both `Leading` and `Leading-exact` types, the `Leading-exact` type will take effect. The [WordBoundary event](how-to-speech-synthesis.md#subscribe-to-synthesizer-events) takes precedence over punctuation-related silence settings including `Comma-exact`, `Semicolon-exact`, or `Enumerationcomma-exact`. When using both the `WordBoundary` event and punctuation-related silence settings, the punctuation-related silence settings won't take effect.| Required |

+The multilingual voices `en-US-JennyMultilingualV2Neural` and `en-US-RyanMultilingualNeural` auto-detect the language of the input text. However, you can still use the `<lang>` element to adjust the speaking language for these voices.

+|Greek|`el`|No|No|

+>

+> Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the [AKS Kubernetes release calendar](./supported-kubernetes-versions.md#aks-kubernetes-release-calendar) for information on AKS version support windows.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

+>

+> |Kubernetes version | OSM version installed |

+> ||--|

+> | 1.24.0 or greater | 1.2.5 |

+> | Between 1.23.5 and 1.24.0 | 1.1.3 |

+> | Below 1.23.5 | 1.0.0 |

+>

+> Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the [AKS Kubernetes release calendar](./supported-kubernetes-versions.md#aks-kubernetes-release-calendar) for information on AKS version support windows.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

+> |Kubernetes version | OSM version installed |

+> ||--|

+> | 1.24.0 or greater | 1.2.5 |

+> | Between 1.23.5 and 1.24.0 | 1.1.3 |

+> | Below 1.23.5 | 1.0.0 |

+>

+> Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the [AKS Kubernetes release calendar](./supported-kubernetes-versions.md#aks-kubernetes-release-calendar) for information on AKS version support windows.

+> Based on the version of Kubernetes your cluster is running, the OSM add-on installs a different version of OSM.

+>

+> |Kubernetes version | OSM version installed |

+> ||--|

+> | 1.24.0 or greater | 1.2.5 |

+> | Between 1.23.5 and 1.24.0 | 1.1.3 |

+> | Below 1.23.5 | 1.0.0 |

+>

+> Older versions of OSM may not be available for install or be actively supported if the corresponding AKS version has reached end of life. You can check the [AKS Kubernetes release calendar](./supported-kubernetes-versions.md#aks-kubernetes-release-calendar) for information on AKS version support windows.

+> [!NOTE]

+> Migrating control plane identity from system-assigned to user-assigned doesn't cause any downtime for control plane and agent pools. Meanwhile, control plane components will keep using old system-assigned identity for several hours until the next token refresh.

+#### [REST API](#tab/PowerShell)

+```JSON

+{

+ "properties": {

+ "loggerType": "azureEventHub",

+ "description": "adding a new logger with system assigned managed identity",

+ "credentials": {

+ "endpointAddress":"<EventHubsNamespace>.servicebus.windows.net/<EventHubName>",

+ "identityClientId":"SystemAssigned",

+ "name":"<EventHubName>"

+ }

+ }

+}

+```

+For this tutorial, you use the compose file from [Docker](https://docs.docker.com/samples/wordpress/), but you'll modify it to include Azure Database for MySQL, persistent storage, and Redis. The configuration file can be found at [Azure Samples](https://github.com/Azure-Samples/multicontainerwordpress). In the sample below, note that `depends_on` is an **unsupported option** and is ignored. For supported configuration options, see [Docker Compose options](configure-custom-container.md#docker-compose-options).

+## Latest Release (Recommended)

+July 24, 2023 - 0.4.023961 - Improved Ingress support

+## Release history

+ --version 0.4.023961 \

+ --version 0.4.023961 \

+ "Antimalware/Enable": true,

+ "Antimalware/EnableRealTimeProtection": true,

+ "Antimalware/RunScheduledScan": true,

+ "Backup/Enable": true,

+ "WindowsAdminCenter/Enable": true,

+ "GuestConfiguration/Enable": true,

+ "DefenderForCloud/Enable": true,

+ Title: Monitor GitOps (Flux v2) status and activity

+description: Learn how to monitor status, compliance, resource consumption, and reconciliation activity for GitOps with Flux v2.

+# Monitor GitOps (Flux v2) status and activity

+We provide dashboards to help you monitor status, compliance, resource consumption, and reconciliation activity for GitOps with Flux v2 in your Azure Arc-enabled Kubernetes clusters or Azure Kubernetes Service (AKS) clusters. These JSON dashboards can be imported to Grafana to help you view and analyze your data in real time.

+## Prerequisites

+To import and use these dashboards, you need:

+- One or more existing Arc-enabled Kubernetes clusters or AKS clusters.

+- The [microsoft.flux extension](extensions-release.md#flux-gitops) installed on the clusters.

+- At least one [Flux configuration](tutorial-use-gitops-flux2.md) created on the clusters.

+## Monitor deployment and compliance status

+Follow these steps to import dashboards that let you monitor Flux extension deployment and status across clusters, and the compliance status of Flux configuration on those clusters.

+> [!NOTE]

+> These steps describe the process for importing the dashboard to [Azure Managed Grafana](/azure/managed-grafana/overview). You can also [import this dashboard to any Grafana instance](https://grafana.com/docs/grafana/latest/dashboards/manage-dashboards/#import-a-dashboard). With this option, a service principal must be used; managed identity is not supported for data connection outside of Azure Managed Grafana.

+1. Create an Azure Managed Grafana instance by using the [Azure portal](/azure/managed-grafana/quickstart-managed-grafana-portal) or [Azure CLI](/azure/managed-grafana/quickstart-managed-grafana-cli). This connection lets the dashboard access Azure Resource Graph.

+1. [Create the Azure Monitor Data Source connection](https://grafana.com/docs/grafana/latest/datasources/azure-monitor/) in your Azure Managed Grafana instance.

+1. Ensure that the user account that will access the dashboard has the **Reader** role on the subscriptions and/or resource groups where the clusters are located.

+ If you're using a managed identity, follow these steps to enable this access:

+ 1. In the Azure portal, navigate to the subscription that you want to add.

+ 1. Select **Access control (IAM)**.

+ 1. Select **Add role assignment**.

+ 1. Select the **Reader** role, then select **Next**.

+ 1. On the **Members** tab, select **Managed identity**, then choose **Select members**.

+ 1. From the **Managed identity** list, select the subscription where you created your Azure Managed Grafana Instance. Then select **Azure Managed Grafana** and the name of your Azure Managed Grafana instance.

+ 1. Select **Review + Assign**.

+ If you're using a service principal, grant the **Reader** role to the service principal that you'll use for your data source connection. Follow these same steps, but select **User, group, or service principal** in the **Members** tab, then select your service principal. (If you aren't using Azure Managed Grafana, you must use a service principal for data connection access.)

+1. Download the [GitOps Flux - Application Deployments Dashboard](https://github.com/Azure/fluxv2-grafana-dashboards/blob/main/dashboards/GitOps%20Flux%20-%20Application%20Deployments%20Dashboard.json).

+1. Follow the steps to [import the JSON dashboard to Grafana](/azure/managed-grafana/how-to-create-dashboard#import-a-json-dashboard).

+After you have imported the dashboard, it will display information from the clusters that you're monitoring, with several panels that provide details. For more details on an item, select the link to visit the Azure portal, where you can find more information about configurations, errors and logs.

+The **Flux Extension Deployment Status** table lists all clusters where the Flux extension is deployed, along with current deployment status.

+The **Flux Configuration Compliance Status** table lists all Flux configurations created on the clusters, along with their compliance status. To see status and error logs for configuration objects such as Helm releases and kustomizations, select the **Non-Compliant** link from the **ComplianceState** column.

+The **Count of Flux Extension Deployments by Status** chart shows the count of clusters, based on their provisioning state.

+The **Count of Flux Configurations by Compliance Status** chart shows the count of Flux configurations, based on their compliance status with respect to the source repository.

+## Monitor resource consumption and reconciliations

+Follow these steps to import dashboards that let you monitor Flux resource consumption, reconciliations, API requests, and reconciler status.

+1. Follow the steps to [create an Azure Monitor Workspace](/azure/azure-monitor/essentials/azure-monitor-workspace-manage).

+1. Create an Azure Managed Grafana instance by using the [Azure portal](/azure/managed-grafana/quickstart-managed-grafana-portal) or [Azure CLI](/azure/managed-grafana/quickstart-managed-grafana-cli).

+1. Enable Prometheus metrics collection on the [AKS clusters](/azure/azure-monitor/essentials/azure-monitor-workspace-manage) and/or [Arc-enabled Kubernetes clusters](/azure/azure-monitor/essentials/prometheus-metrics-from-arc-enabled-cluster) that you want to monitor.

+1. Configure Azure Monitor Agent to scrape the Azure Managed Flux metrics by creating a [configmap](/azure/azure-monitor/essentials/prometheus-metrics-scrape-configuration):

+ ```yaml

+ kind: ConfigMap

+ apiVersion: v1

+ data:

+ schema-version:

+ #string.used by agent to parse config. supported versions are {v1}. Configs with other schema versions will be rejected by the agent.

+ v1

+ config-version:

+ #string.used by customer to keep track of this config file's version in their source control/repository (max allowed 10 chars, other chars will be truncated)

+ ver1

+ default-scrape-settings-enabled: |-

+ kubelet = true

+ coredns = false

+ cadvisor = true

+ kubeproxy = false

+ apiserver = false

+ kubestate = true

+ nodeexporter = true

+ windowsexporter = false

+ windowskubeproxy = false

+ kappiebasic = true

+ prometheuscollectorhealth = false

+ # Regex for which namespaces to scrape through pod annotation based scraping.

+ # This is none by default. Use '.*' to scrape all namespaces of annotated pods.

+ pod-annotation-based-scraping: |-

+ podannotationnamespaceregex = "flux-system"

+ default-targets-scrape-interval-settings: |-

+ kubelet = "30s"

+ coredns = "30s"

+ cadvisor = "30s"

+ kubeproxy = "30s"

+ apiserver = "30s"

+ kubestate = "30s"

+ nodeexporter = "30s"

+ windowsexporter = "30s"

+ windowskubeproxy = "30s"

+ kappiebasic = "30s"

+ prometheuscollectorhealth = "30s"

+ podannotations = "30s"

+ metadata:

+ name: ama-metrics-settings-configmap

+ namespace: kube-system

+ ```

+

+1. Download the [Flux Control Plane](https://github.com/Azure/fluxv2-grafana-dashboards/blob/main/dashboards/Flux%20Control%20Plane.json) and [Flux Cluster Stats](https://github.com/Azure/fluxv2-grafana-dashboards/blob/main/dashboards/Flux%20Control%20Plane.json) dashboards.

+1. Follow the steps to [import these JSON dashboards to Grafana](/azure/managed-grafana/how-to-create-dashboard#import-a-json-dashboard).

+After you have imported the dashboards, they'll display information from the clusters that you're monitoring.

+The **Flux Control Plane** dashboard shows details about status resource consumption, reconciliations at the cluster level, and Kubernetes API requests.

+The **Flux Cluster Stats** dashboard shows details about the number of reconcilers, along with the status and execution duration of each reconciler.

+## Filter dashboard data

+You can filter data in these dashboards to change the information shown. For example, you can show data for only certain subscriptions or resource groups, or limit data to a particular cluster. To do so, select the filter option from any column header.

+For example, in the **Flux Configuration Compliance Status** table on the **Application Deployments** dashboard, you can select a specific commit from the **SourceLastSyncCommit** column. By doing so, you can track the status of a configuration deployment for all of the clusters affected by that commit.

+In the **Application Deployments** dashboard, some fields in the **Flux Extension Deployment Status** and **Flux Configuration Compliance Status** panels are hidden by default (such as **SubscriptionID**, **ResourceGroupName**, and **ClusterType**). To show hidden fields, select the panel and then select **Edit**. On the **Overrides** tab, find the field you want to show, then unselect the **Hide in table** option.

+## Next steps

+- Review our tutorial on [using GitOps with Flux v2 to manage configuration and application deployment](tutorial-use-gitops-flux2.md).

+- Learn about [Azure Monitor Container Insights](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json&bc=/azure/azure-arc/kubernetes/breadcrumb/toc.json).

+ "minMessageBatchSize": 1,

+ "maxBatchWaitTime": "00:00:30",

+|**minMessageBatchSize**¹|`1`|The minimum number of messages desired in a batch. The minimum applies only when the function is receiving multiple messages and must be less than `maxMessageBatchSize`. <br/> The minimum size isn't strictly guaranteed. A partial batch is dispatched when a full batch can't be prepared before the `maxBatchWaitTime` has elapsed.|

+|**maxBatchWaitTime**¹|`00:00:30`|The maximum interval that the trigger should wait to fill a batch before invoking the function. The wait time is only considered when `minMessageBatchSize` is larger than 1 and is ignored otherwise. If less than `minMessageBatchSize` messages were available before the wait time elapses, the function is invoked with a partial batch. The longest allowed wait time is 50% of the entity message lock duration, meaning the maximum allowed is 2 minutes and 30 seconds. Otherwise, you may get lock exceptions. <br/><br/>**NOTE:** This interval is not a strict guarantee for the exact timing on which the function is invoked. There is a small magin of error due to timer precision.|

+¹ Using `minMessageBatchSize` and `maxBatchWaitTime` requires [v5.10.0](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.ServiceBus/5.10.0) of the `Microsoft.Azure.WebJobs.Extensions.ServiceBus` package, or a later version.

+In the [Azure Maps routing coverage tables], the following information is available.

+The Calculate Route service calculates a route between an origin and a destination, passing through waypoints if they're specified. For more information, see [Get Route Directions] in the REST API documentation.

+The Calculate Reachable Range service calculates a set of locations that can be reached from the origin point. For more information, see [Get Route Range] in the REST API documentation.

+The Matrix Routing service calculates travel time and distance between all possible pairs in a list of origins and destinations. It doesn't provide any detailed information about the routes. You can get one-to-many, many-to-one, or many-to-many route options simply by varying the number of origins and/or destinations. For more information, see [Matrix Routing service] in the REST API documentation.

+Delivers real-time information about traffic jams, road closures, and a detailed view of the current speed and travel times across the entire road network. For more information, see [Traffic service] in the REST API documentation.

+The Azure Maps Truck Routing API provides travel routes that take truck attributes into consideration. Truck attributes include things such as width, height, weight, turning radius and type of cargo. This is important as not all trucks can travel the same routes as other vehicles. Here are some examples:

+Azure Maps supports truck routing in the countries/regions indicated in the following tables.

+For more information about Azure Maps routing, see the [Routing service] documentation.

+- Check out coverage for [Geocoding].

+- Check out coverage for [Traffic].

+- Check out coverage for [Render].

+[Azure Maps routing coverage tables]: #azure-maps-routing-coverage-tables

+[Geocoding]: geocoding-coverage.md

+[Get Route Directions]: /rest/api/maps/route/get-route-directions

+[Get Route Range]: /rest/api/maps/route/get-route-range

+[Matrix Routing service]: /rest/api/maps/route/post-route-matrix

+[Render]: render-coverage.md

+[Routing service]: /rest/api/maps/route

+[Traffic service]: /rest/api/maps/traffic

+[Traffic]: traffic-coverage.md

+The Azure Maps Web SDK provides a [drawing tools module]. This module makes it easy to draw and edit shapes on the map using an input device such as a mouse or touch screen. The core class of this module is the [drawing manager]. The drawing manager provides all the capabilities needed to draw and edit shapes on the map. It can be used directly, and it's integrated with a custom toolbar UI. You can also use the built-in [DrawingToolbar class].

+> [DrawingToolbar class]

+[DrawingToolbar class]: /javascript/api/azure-maps-drawing-tools/atlas.control.drawingtoolbar

+The Azure Maps Web SDK provides a helper function called [atlas.isSupported]. This function detects whether a web browser has the minimum set of WebGL features required to support loading and rendering the map control. Here's an example of how to use the function:

+See also [Target legacy browsers] later in this article.

+> If you're embedding a map inside a mobile application by using a WebView control, you might prefer to use the [npm package of the Azure Maps Web SDK] instead of referencing the version of the SDK that's hosted on Azure Content Delivery Network. This approach reduces loading time because the SDK is already be on the user's device and doesn't need to be downloaded at run time.

+- Services module ([documentation] | [npm module])

+You might want to target older browsers that don't support WebGL or that have only limited support for it. In such cases, you can use Azure Maps services together with an open-source map control like [Leaflet].

+> [Map control]

+> [Services module]

+[atlas.isSupported]: /javascript/api/azure-maps-control/atlas#issupported-boolean-

+[Azure Maps community - Open-source projects]: open-source-projects.md#third-party-map-control-plugins

+[documentation]: how-to-use-services-module.md

+[Leaflet]: https://leafletjs.com

+[Map control]: how-to-use-map-control.md

+[npm module]: https://www.npmjs.com/package/azure-maps-rest

+[npm package of the Azure Maps Web SDK]: https://www.npmjs.com/package/azure-maps-control

+[Render Azure Maps in Leaflet sample source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Third%20Party%20Map%20Controls/Render%20Azure%20Maps%20in%20Leaflet/Render%20Azure%20Maps%20in%20Leaflet.html

+[Render Azure Maps in Leaflet]: https://samples.azuremaps.com/third-party-map-controls/render-azure-maps-in-leaflet

+[Services module]: how-to-use-services-module.md

+[Target legacy browsers]: #Target-Legacy-Browsers

+ Title: Localization support in Microsoft Azure Maps

+description: Lists the regions Azure Maps supports with services such as maps, search, routing, weather, and traffic incidents, and shows how to set up the View parameter.

+² Neutral Ground Truth (Latin) - Latin exonyms are used if available

+Azure Maps **View** parameter (also referred to as "user region parameter") is a two letter ISO-3166 Country Code that will show the correct maps for that country/region specifying which set of geopolitically disputed content is returned via Azure Maps services, including borders and labels displayed on the map.

+By default, the View parameter is set to **Unified**, even if you haven't defined it in the request. Determine the location of your users. Then, set the **View** parameter correctly for that location. Alternatively, you can set 'View=Auto', which returns the map data based on the IP address of the request. The **View** parameter in Azure Maps must be used in compliance with applicable laws, including those laws about mapping of the country/region where maps, images, and other data and third-party content that you're authorized to access via Azure Maps is made available.

+Azure Maps supports several different built-in map styles as described in this article.

+>The procedure in this section requires an Azure Maps account in Gen 1 or Gen 2 pricing tier. For more information on pricing tiers, see [Choose the right pricing tier in Azure Maps].

+* [Map image]

+* [Map tile]

+The **blank** and **blank_accessible** map styles provide a blank canvas for visualizing data. The **blank_accessible** style continues to provide screen reader updates with map's location details, even though the base map isn't displayed.

+* [Satellite tile]

+* [Map image]

+* [Map tile]

+* [Map tile]

+| `blank` | N/A | No | A blank canvas useful for developers who want to use their own tiles as the base map, or want to view their data without any background. The screen reader doesn't rely on the vector tiles for descriptions. |

+| `blank_accessible` | N/A | Yes | This map style continues to load the vector tiles used to render the map, but makes that data transparent. This way the data still loads, and can be used to power the screen reader. |

+| `grayscale_dark` | Partial | Yes | Primarily designed for business intelligence scenarios. Also useful for overlaying colorful layers such as weather radar imagery. |

+| `high_contrast_dark` | Yes | Yes | Fully accessible map style for users in high contrast mode with a dark setting. When the map loads, high contrast settings are automatically detected. |

+| `high_contrast_light` | Yes | Yes | Fully accessible map style for users in high contrast mode with a light setting. When the map loads, high contrast settings are automatically detected. |

+| `road` | Partial | Yes | The main colorful road map style in Azure Maps. Due to the number of different colors and possible overlapping color combinations, it's nearly impossible to make it 100% accessible. That said, this map style goes through regular accessibility testing and is improved as needed to make labels clearer to read. |

+| `road_shaded_relief` | Partial | Yes | Similar to the main road map style, but has an added tile layer in the background that adds shaded relief of mountains and land cover coloring when zoomed out. |

+| `satellite_with_roads` | No | Yes | Satellite and aerial imagery, with labels and road lines overlaid. On a global scale, there's an unlimited number of color combinations that may occur between the overlaid data and the imagery. A focus on making labels readable in most common scenarios, however, in some places the color contrast with the background imagery may make labels difficult to read. |

+> [Choose a map style]

+[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md

+[Map image]: /rest/api/maps/render/getmapimage

+[Map tile]: /rest/api/maps/render/getmaptile

+[Satellite tile]: /rest/api/maps/render/getmapimagerytilepreview

+[Choose a map style]: choose-map-style.md

+ Title: Search Categories

+When doing a [category search] for points of interest, there are over a hundred supported categories. The following list contains the category codes for supported category names. Category codes are generated for top-level categories. All sub categories share same category code. This category list is subject to change with new data releases.

+| GOVERNMENT\_OFFICE | order 5 area, order 8 area, order 9 area, order 2 area, order 7 area, order 3 area, supra national, order 4 area, order 6 area, government office, diplomatic facility, United States government establishment, local government office, customs house, customs post |

+| HOSPITAL\_POLYCLINIC | special, hospital of Chinese medicine, hospital for women, children, general, hospital/polyclinic |

+| ZOOS\_ARBORETA\_BOTANICAL\_GARDEN | wildlife park, aquatic zoo marine park, arboreta botanical gardens, zoo, zoos, arboreta botanical garden |

+[category search]: /rest/api/maps/search/getsearchpoicategory

+The Azure Maps REST APIs can be called from languages such as Python and R to enable geospatial data analysis and machine learning scenarios. Azure Maps offers a robust set of [routing APIs] that allow users to calculate routes between several data points. The calculations are based on various conditions, such as vehicle type or reachable area.

+> * Create and run a Jupyter Notebook file on [Azure Notebooks] in the cloud.

+1. Go to [Azure Notebooks] and sign in. For more information, see [Quickstart: Sign in and set a user ID].

+1. After your project is created, download this [Jupyter Notebook document file] from the [Azure Maps Jupyter Notebook repository].

+1. Download the [*requirements.txt*] file from the [Azure Maps Jupyter Notebook repository], and then upload it to your project.

+Because the company prefers to use routes that require a balance of economy and speed, the requested routeType is *eco*. The following script calls the [Get Route Range API] of the Azure Maps routing service. It uses parameters for the vehicle's consumption model. The script then parses the response to create a polygon object of the geojson format, which represents the car's maximum reachable range.

+The following script calls the Azure Maps [Post Search Inside Geometry API]. It searches for charging stations for electric vehicle, within the boundaries of the car's maximum reachable range. Then, the script parses the response to an array of reachable locations.

+It's helpful to visualize the charging stations and the boundary for the maximum reachable range of the electric vehicle on a map. To do so, upload the boundary data and charging stations data as geojson objects to Azure Maps Data service. Use the [Data Upload API].

+After you've uploaded the data to the data service, call the Azure Maps [Get Map Image service]. This service is used to render the charging points and maximum reachable boundary on the static map image by running the following script:

+The following script calls the Azure Maps [Matrix Routing API]. It returns the specified vehicle location, the travel time, and the distance to each charging station. The script in the next cell parses the response to locate the closest reachable charging station with respect to time.

+Now that you've found the closest charging station, you can call the [Get Route Directions API] to request the detailed route from the electric vehicle's current location to the charging station.

+To help visualize the route, you first upload the route data as a geojson object to Azure Maps Data service. To do so, use the Azure Maps [Data Upload API]. Then, call the rendering service, [Get Map Image API]), to render the route on the map, and visualize it.

+* [Get Route Range]

+* [Post Search Inside Geometry]

+* [Data Upload]

+* [Render - Get Map Image]

+* [Post Route Matrix]

+* [Get Route Directions]

+* [Azure Maps REST APIs]

+> [Azure Notebooks]

+[Azure Maps Jupyter Notebook repository]: https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook

+[Azure Maps REST APIs]: ./consumption-model.md

+[Azure Notebooks]: https://notebooks.azure.com

+[Data Upload API]: /rest/api/maps/data-v2/upload

+[Data Upload]: /rest/api/maps/data-v2/upload

+[Get Map Image API]: /rest/api/maps/render/getmapimage

+[Get Map Image service]: /rest/api/maps/render/getmapimage

+[Get Route Directions API]: /rest/api/maps/route/getroutedirections

+[Get Route Directions]: /rest/api/maps/route/getroutedirections

+[Get Route Range API]: /rest/api/maps/route/getrouterange

+[Get Route Range]: /rest/api/maps/route/getrouterange

+[Jupyter Notebook document file]: https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook/blob/master/AzureMapsJupyterSamples/Tutorials/EV%20Routing%20and%20Reachable%20Range/EVrouting.ipynb

+[Matrix Routing API]: /rest/api/maps/route/postroutematrix

+[Post Route Matrix]: /rest/api/maps/route/postroutematrix

+[Post Search Inside Geometry API]: /rest/api/maps/search/postsearchinsidegeometry

+[Post Search Inside Geometry]: /rest/api/maps/search/postsearchinsidegeometry

+[Quickstart: Sign in and set a user ID]: https://notebooks.azure.com

+[Render - Get Map Image]: /rest/api/maps/render/getmapimage

+[*requirements.txt*]: https://github.com/Azure-Samples/Azure-Maps-Jupyter-Notebook/blob/master/AzureMapsJupyterSamples/Tutorials/EV%20Routing%20and%20Reachable%20Range/requirements.txt

+[routing APIs]: /rest/api/maps/route

+[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+*A construction site manager must track equipment as it enters and leaves the perimeters of a construction area. Whenever a piece of equipment exits or enters these perimeters, an email notification is sent to the Operations Manager.*

+Azure Maps provides services to support the tracking of equipment entering and exiting the construction area. In this tutorial, you will:

+> * Upload [Geofencing GeoJSON data] that defines the construction site areas you want to monitor. You'll use the [Data Upload API] to upload geofences as polygon coordinates to your Azure Maps account.

+> * Set up two [logic apps] that, when triggered, send email notifications to the construction site operations manager when equipment enters and exits the geofence area.

+> * Use [Azure Event Grid] to subscribe to enter and exit events for your Azure Maps geofence. You set up two webhook event subscriptions that call the HTTP endpoints defined in your two logic apps. The logic apps then send the appropriate email notifications of equipment moving beyond or entering the geofence.

+> * Use [Search Geofence Get API] to receive notifications when a piece of equipment exits and enters the geofence areas.

+* This tutorial uses the [Postman] application, but you can use a different API development environment.

+>[!IMPORTANT]

+>

+> * In the URL examples, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

+The Geofence API async event requires the region property of your Azure Maps account be set to ***Global***. This setting isn't given as an option when creating an Azure Maps account in the Azure portal, however you do have several other options for creating a new Azure Maps account with the *global* region setting. This section lists the three methods that can be used to create an Azure Maps account with the region set to *global*.

+[Create your Azure Maps account using an ARM template], making sure to set `location` to `global` in the `resources` section of the ARM template.

+The Azure CLI command [az maps account create] doesnΓÇÖt have a location property, but defaults to `global`, making it useful for creating an Azure Maps account with a global region setting for use with the Geofence API async event.

+This tutorial demonstrates how to upload geofencing GeoJSON data that contains a `FeatureCollection`. The `FeatureCollection` contains two geofences that define polygonal areas within the construction site. The first geofence has no time expiration or restrictions. The second can only be queried against during business hours (9:00 AM-5:00 PM in the Pacific Time zone), and will no longer be valid after January 1, 2022. For more information on the GeoJSON format, see [Geofencing GeoJSON data].

+>You can update your geofencing data at any time. For more information, see [Data Upload API].

+5. Enter the following URL. The request should look like the following URL:

+11. Copy the value of the **Operation-Location** key, which is the `status URL`. The `status URL` is used to check the status of the GeoJSON data upload.

+5. Enter the `status URL` you copied in [Upload Geofencing GeoJSON data]. The request should look like the following URL:

+5. Enter the `resource Location URL` you copied in [Check the GeoJSON data upload status]. The request should look like the following URL:

+Next, create two [logic app] endpoints that trigger an email notification.

+1. Sign in to the [Azure portal].

+ > You can retrieve GeoJSON response data, such as `geometryId` or `deviceId`, in your email notifications. You can configure Logic Apps to read the data sent by Event Grid. For information on how to configure Logic Apps to consume and pass event data into email notifications, see [Tutorial: Send email notifications about Azure IoT Hub events using Event Grid and Logic Apps].

+Azure Maps supports [three event types]. This tutorial demonstrates how to create subscriptions to the following two events:

+Create geofence exit and enter event subscriptions:

+Next, we use the [Spatial Geofence Get API] to send email notifications to the Operations Manager when a piece of equipment enters or exits the geofences.

+The following diagram shows the five locations of the equipment over time, beginning at the *Start* location, which is somewhere outside the geofences. For the purposes of this tutorial, the *Start* location is undefined, because you don't query the device at that location.

+When you query the [Spatial Geofence Get API] with an equipment location that indicates initial geofence entry or exit, Event Grid calls the appropriate logic app endpoint to send an email notification to the Operations Manager.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the negative distance from the main site geofence means that the equipment is inside the geofence. The positive distance from the subsite geofence means that the equipment is outside the subsite geofence. Because this is the first time this device has been located inside the main site geofence, the `isEventPublished` parameter is set to `true`. The Operations Manager receives an email notification that equipment has entered the geofence.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the equipment has remained in the main site geofence and hasn't entered the subsite geofence. As a result, the `isEventPublished` parameter is set to `false`, and the Operations Manager doesn't receive any email notifications.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the equipment has remained in the main site geofence, but has entered the subsite geofence. As a result, the `isEventPublished` parameter is set to `true`. The Operations Manager receives an email notification indicating that the equipment has entered a geofence.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the equipment has remained in the main site geofence, but has exited the subsite geofence. Notice, however, that the `userTime` value is after the `expiredTime` as defined in the geofence data. As a result, the `isEventPublished` parameter is set to `false`, and the Operations Manager doesn't receive an email notification.

+5. Enter the following URL. The request should look like the following URL (replace `{udid}` with the `udid` you saved in the [Upload Geofencing GeoJSON data section]).

+In the preceding GeoJSON response, the equipment has exited the main site geofence. As a result, the `isEventPublished` parameter is set to `true`, and the Operations Manager receives an email notification indicating that the equipment has exited a geofence.

+You can also [Send email notifications using Event Grid and Logic Apps] and check [Supported Events Handlers in Event Grid] using Azure Maps.

+> [Handle content types in Azure Logic Apps]

+[Geofencing GeoJSON data]: geofence-geojson.md

+[Data Upload API]: /rest/api/maps/data-v2/upload

+[logic apps]: ../event-grid/handler-webhooks.md#logic-apps

+[Azure Event Grid]: ../event-grid/overview.md

+[Search Geofence Get API]: /rest/api/maps/spatial/getgeofence

+[Postman]: https://www.postman.com

+[Create your Azure Maps account using an ARM template]: how-to-create-template.md

+[az maps account create]: /cli/azure/maps/account?view=azure-cli-latest&preserve-view=true#az-maps-account-create

+[Upload Geofencing GeoJSON data]: #upload-geofencing-geojson-data

+[Check the GeoJSON data upload status]: #check-the-geojson-data-upload-status

+[logic app]: ../event-grid/handler-webhooks.md#logic-apps

+[Azure portal]: https://portal.azure.com

+[Tutorial: Send email notifications about Azure IoT Hub events using Event Grid and Logic Apps]: ../event-grid/publish-iot-hub-events-to-logic-apps.md

+[three event types]: ../event-grid/event-schema-azure-maps.md

+[Spatial Geofence Get API]: /rest/api/maps/spatial/getgeofence

+[Upload Geofencing GeoJSON data section]: #upload-geofencing-geojson-data

+[Send email notifications using Event Grid and Logic Apps]: ../event-grid/publish-iot-hub-events-to-logic-apps.md

+[Supported Events Handlers in Event Grid]: ../event-grid/event-handlers.md

+[Handle content types in Azure Logic Apps]: ../logic-apps/logic-apps-content-type.md

+You can access this workbook on the portal with preview enabled, or by clicking [workbook link here](https://ms.portal.azure.com/#blade/AppInsightsExtension/UsageNotebookBlade/ComponentId/Azure%20Monitor/ConfigurationId/community-Workbooks%2FAzure%20Monitor%20-%20Agents%2FAMA%20Health/Type/workbook/WorkbookTemplateName/AMA%20Health%20(Preview)). Try it out and [share your feedback](mailto:obs-agent-pms@microsoft.com) with us.

+> - Change to Workspace-based Application Insights.

+Container Insights offers the ability to collect Syslog events from Linux nodes in your [Azure Kubernetes Service (AKS)](../../aks/intro-kubernetes.md) clusters. This includes the ability to collect logs from control plane componemts like kubelet. Customers can also use Syslog for monitoring security and health events, typically by ingesting syslog into a SIEM system like [Microsoft Sentinel](https://azure.microsoft.com/products/microsoft-sentinel/#overview).

+| `Syslog | where SeverityLevel == "error"` | All Syslog records with severity of error |

+| `Syslog | summarize AggregatedValue = count() by Computer` | Count of Syslog records by computer |

+| `Syslog | summarize AggregatedValue = count() by Facility` | Count of Syslog records by facility |

+| `Syslog | where ProcessName == "kubelet"` | All Syslog records from the kubelet process |

+| `Syslog | where ProcessName == "kubelet" and SeverityLevel == "error"` | Syslog records from kubelet process with errors |

+## Demo video

+<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/eu1P_vLTZO0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

+## Support for custom images

+Azure Monitor Agent-based VM insights policy and initiative definitions have a `scopeToSupportedImages` parameter that's set to `true` by default to enable onboarding Dependency Agent on supported images only. Set this parameter to `false`to allow onboarding Dependency Agent on custom images.

+Download the [Azure Monitor agent templates](https://github.com/Azure/AzureMonitorForVMs-ArmTemplates/releases/download/vmi_ama_ga/DeployDcr.zip). You must first install the data collection rule and can then install agents to use that DCR.

+ Title: Migrate from deprecated VM insights policies

+description: This article explains how to migrate from deprecated VM insights policies to their replacement policies.

+# Migrate from deprecated VM insights policies

+We're deprecating the VM insights DCR deployment policies and replacing them with new policies because of a race condition issue. The deprecated policies will continue to work on existing assignments, but will no longer be available for new assignments. If you're using deprecated policies, we recommend you migrate to the new policies as soon as possible.

+This article explains how to migrate from deprecated VM insights policies to their replacement policies.

+## Prerequisites

+- An existing user-assigned managed identity.

+## Deprecated VM insights policies

+These policies are deprecated and will be removed in 2026. We recommend you migrate to the replacement policies as soon as possible:

+- [[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f7c4214e9-ea57-487a-b38e-310ec09bc21d)

+- [[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fa0f27bdc-5b15-4810-b81d-7c4df9df1a37)

+- [[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the virtual machine scale sets in the Resource Group](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fc7f3bf36-b807-4f18-82dc-f480ad713635)

+## New VM insights policies

+These policies replace the deprecated policies:

+- [Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f2ea82cdd-f2e8-4500-af75-67a2e084ca74)

+- [Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2feab1f514-22e3-42e3-9a1f-e1dc9199355c)

+## Migrate from deprecated VM insights policies to replacement policies

+1. [Download the Azure Monitor Agent-based VM insights data collection rule templates](https://github.com/Azure/AzureMonitorForVMs-ArmTemplates/releases/download/vmi_ama_ga/DeployDcr.zip).

+1. Deploy the VM insights data collection rule using an ARM template, as described in [Quickstart: Create and deploy ARM templates by using the Azure portal](../../azure-resource-manager/templates/quickstart-create-templates-use-the-portal.md#edit-and-deploy-the-template).

+ 1. Select **Build your own template in the editor** > **Load file** to upload the template you downloaded in the previous step.

+ - To collect only VM insights performance metrics, deploy the `ama-vmi-default-perf-dcr` data collection rule by uploading the **DeployDcr**>**PerfOnlyDcr**>**DeployDcrTemplate** file.

+ - To collect VM insights performance metrics and Service Map data, deploy the `ama-vmi-default-perfAndda-dcr` data collection rule by uploading the **DeployDcr**>**PerfAndMapDcr**>**DeployDcrTemplate** file.

+ 1. When the data collection rule deployment is complete, select **Go to resource** > **JSON View** and copy the data collection rule's **Resource ID**.

+1. Select one of the [new VM insights policies for Windows and Linux VMs](#new-vm-insights-policies).

+1. Select **Assign**.

+1. In the **Scope** field on the **Basics** tab, select your subscription and the resource group that contains the VMs you want to monitor.

+1. In the **Data Collection Rule Resource Id** field on the **Parameters** tab, paste the resource ID of the data collection rule you created in the previous step.

+1. On the **Remediation** tab:

+ 1. In the **Scope** field, select your subscription and the resource group that contains your user-assigned managed identity.

+ 2. Set **Type of managed identity** to **User Assigned Managed Identity** and select your user-assigned identity.

+## Next steps

+Learn how to:

+- [View VM insights Map](vminsights-maps.md) to see application dependencies.

+- [View Azure VM performance](vminsights-performance.md) to identify bottlenecks and overall utilization of your VM's performance.

+* Australia Central

+* Australia Central 2

+* Australia East

+* Australia Southeast

+* Brazil South

+* Canada Central

+* Central India

+* East Asia

+* East US

+* East US 2

+* France Central

+* Germany North

+* Germany West Central

+* Japan East

+* Japan West

+* Korea Central

+* North Central US

+* North Europe

+* Norway East

+* Norway West

+* Qatar Central

+* South Africa North

+* South India

+* Southeast Asia

+* Sweden Central

+* Switzerland North

+* Switzerland West

+* UAE Central

+* UAE North

+* West Europe

+* West US

+* West US 2

+* West US 3

+portal.azure.com

+reactblade.portal.azure.net

+graph.windows.net

+graph.microsoft.com

+signup.azure.com

+| Microsoft.DocumentDB/databaseAccounts | [listKeys](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/database-accounts/list-keys?tabs=HTTP) |

+| Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces | [listConnectionInfo](/rest/api/cosmos-db-resource-provider/2023-03-15-preview/notebook-workspaces/list-connection-info?tabs=HTTP) |

+param objectToFormat object = { prop: 'value' }

+output formatObject string = format('objectToFormat: {0}', objectToFormat)

+| formatTest | String | `Hello, User. Formatted number: 8,175,133` |

+| formatObject | String | `objectToFormat: {'prop':'value'}` |

+Strings are returned as-is. Other types are converted to their equivalent JSON representation.

+If you need to convert a string to JSON, i.e. quote/escape it, you can use `substring(string([value]), 1, length(string([value]) - 2)`.

+ '\'a\''

+ '"b"'

+ '\\c\\'

+param testString string = 'foo " \' \\'

+output stringOutput string = string(testString)

+output stringEscapedOutput string = substring(string([testString]), 1, length(string([testString])) - 2)

+| objectOutput | String | `{"valueA":10,"valueB":"Example Text"}` |

+| arrayOutput | String | `["'a'","\"b\"","\\c\\"]` |

+| intOutput | String | `5` |

+| stringOutput | String | `foo " ' \` |

+| stringEscapedOutput | String | `"foo \" ' \\"` |

+> The Bicep parameters file is only supported in [Bicep CLI](./install.md) version 0.18.4 or newer, and [Azure CLI](/azure/developer/azure-developer-cli/install-azd?tabs=winget-windows%2Cbrew-mac%2Cscript-linux&pivots=os-windows) version 2.47.0 or newer.

+type <userDefinedDataTypeName> = <typeExpression>

+content_well_notification:

+ - AI-contribution

+An Azure resource provider is a set of REST operations that enable functionality for a specific Azure service. For example, the Key Vault service consists of a resource provider named **Microsoft.KeyVault**. The resource provider defines [REST operations](/rest/api/keyvault/) for managing vaults, secrets, keys, and certificates.

+The resource provider defines the Azure resources you can deploy to your account. A resource type's name follows the format: **{resource-provider}/{resource-type}**. The resource type for a key vault is **Microsoft.KeyVault/vaults**.

+Before you use a resource provider, you must make sure your Azure subscription is registered for the resource provider. Registration configures your subscription to work with the resource provider.

+> Register a resource provider only when you're ready to use it. This registration step helps maintain least privileges within your subscription. A malicious user can't use unregistered resource providers.

+>

+> Registering unnecessary resource providers may result in unrecognized apps appearing in your Azure Active Directory tenant. Microsoft adds the app for a resource provider when you register it. These apps are typically added by the Windows Azure Service Management API. To prevent unnecessary apps in your tenant, only register needed resource providers.

+Other resource providers are registered automatically when you take certain actions. When you create a resource through the portal, the resource provider is typically registered for you. When you deploy an Azure Resource Manager template or Bicep file, resource providers defined in the template are registered automatically. Sometimes, a resource in the template requires supporting resources that aren't in the template. Common examples are monitoring or security resources. You need to register those resource providers manually.

+Reregister a resource provider when the resource provider supports new locations that you need to use.

+ :::image type="content" source="./media/resource-providers-and-types/search-subscriptions.png" alt-text="Screenshot of searching for subscriptions in the Azure portal.":::

+ :::image type="content" source="./media/resource-providers-and-types/select-subscription.png" alt-text="Screenshot of selecting a subscription in the Azure portal.":::

+ :::image type="content" source="./media/resource-providers-and-types/select-resource-providers.png" alt-text="Screenshot of selecting resource providers in the Azure portal.":::

+1. Find the resource provider you want to register, and select **Register**. To maintain least privileges in your subscription, only register those resource providers that you're ready to use.

+ :::image type="content" source="./media/resource-providers-and-types/register-resource-provider.png" alt-text="Screenshot of registering a resource provider in the Azure portal.":::

+ > [!IMPORTANT]

+ > As [noted earlier](#register-resource-provider), **don't block the creation of resources** for a resource provider that is in the **registering** state. By not blocking a resource provider in the registering state, your application can continue much sooner than waiting for all regions to complete.

+1. **Re-register** a resource provider to use locations that have been added since the previous registration.

+ :::image type="content" source="./media/resource-providers-and-types/re-register-resource-provider.png" alt-text="Screenshot of reregistering a resource provider in the Azure portal.":::

+1. On the Azure portal menu, select **All services**.

+1. In the **All services** box, enter **resource explorer**, and then select **Resource Explorer**.

+ :::image type="content" source="./media/resource-providers-and-types/select-resource-explorer.png" alt-text="Screenshot of selecting All services in the Azure portal to access Resource Explorer.":::

+1. Expand **Providers** by selecting the right arrow.

+ :::image type="content" source="./media/resource-providers-and-types/select-providers.png" alt-text="Screenshot of expanding the Providers section in the Azure Resource Explorer.":::

+1. Expand a resource provider and resource type that you want to view.

+ :::image type="content" source="./media/resource-providers-and-types/select-resource-type.png" alt-text="Screenshot of expanding a resource provider and resource type in the Azure Resource Explorer.":::

+1. Resource Manager is supported in all regions, but the resources you deploy might not be supported in all regions. Also, there may be limitations on your subscription that prevent you from using some regions that support the resource. The resource explorer displays valid locations for the resource type.

+ :::image type="content" source="./media/resource-providers-and-types/show-locations.png" alt-text="Screenshot of displaying valid locations for a resource type in the Azure Resource Explorer.":::

+1. The API version corresponds to a version of the resource provider's REST API operations. As a resource provider enables new features, it releases a new version of the REST API. The resource explorer displays valid API versions for the resource type.

+ :::image type="content" source="./media/resource-providers-and-types/show-api-versions.png" alt-text="Screenshot of displaying valid API versions for a resource type in the Azure Resource Explorer.":::

+Reregister a resource provider to use locations that have been added since the previous registration. To reregister, run the registration command again.

+The API version corresponds to a version of the resource provider's REST API operations. As a resource provider enables new features, it releases a new version of the REST API.

+2023-05-01

+2022-10-01

+2022-06-01

+2022-01-01

+2021-06-01

+2021-01-01

+...

+The API version corresponds to a version of the resource provider's REST API operations. As a resource provider enables new features, it releases a new version of the REST API.

+2023-05-01

+2022-10-01

+2022-06-01

+2022-01-01

+...

+## Python

+To see all resource providers in Azure, and the registration status for your subscription, use:

+```python

+import os

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.resource import ResourceManagementClient

+

+# Authentication

+credential = DefaultAzureCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+

+# Initialize Resource Management client

+resource_management_client = ResourceManagementClient(credential, subscription_id)

+

+# List available resource providers and select ProviderNamespace and RegistrationState

+providers = resource_management_client.providers.list()

+

+for provider in providers:

+ print(f"ProviderNamespace: {provider.namespace}, RegistrationState: {provider.registration_state}")

+```

+The command returns:

+```output

+ProviderNamespace: Microsoft.AlertsManagement, RegistrationState: Registered

+ProviderNamespace: Microsoft.AnalysisServices, RegistrationState: Registered

+ProviderNamespace: Microsoft.ApiManagement, RegistrationState: Registered

+ProviderNamespace: Microsoft.Authorization, RegistrationState: Registered

+ProviderNamespace: Microsoft.Batch, RegistrationState: Registered

+...

+```

+To see all registered resource providers for your subscription, use:

+```python

+# List available resource providers with RegistrationState "Registered" and select ProviderNamespace and RegistrationState

+providers = resource_management_client.providers.list()

+registered_providers = [provider for provider in providers if provider.registration_state == "Registered"]

+

+# Sort by ProviderNamespace

+sorted_registered_providers = sorted(registered_providers, key=lambda x: x.namespace)

+

+for provider in sorted_registered_providers:

+ print(f"ProviderNamespace: {provider.namespace}, RegistrationState: {provider.registration_state}")

+```

+To maintain least privileges in your subscription, only register those resource providers that you're ready to use. To register a resource provider, use:

+```python

+import os

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.resource import ResourceManagementClient

+

+# Authentication

+credential = DefaultAzureCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+

+# Initialize Resource Management client

+resource_management_client = ResourceManagementClient(credential, subscription_id)

+

+# Register resource provider

+provider_namespace = "Microsoft.Batch"

+registration_result = resource_management_client.providers.register(provider_namespace)

+

+print(f"ProviderNamespace: {registration_result.namespace}, RegistrationState: {registration_result.registration_state}")

+```

+The command returns:

+```output

+ProviderNamespace: Microsoft.Batch, RegistrationState: Registered

+```

+> [!IMPORTANT]

+> As [noted earlier](#register-resource-provider), **don't block the creation of resources** for a resource provider that is in the **registering** state. By not blocking a resource provider in the registering state, your application can continue much sooner than waiting for all regions to complete.

+Reregister a resource provider to use locations that have been added since the previous registration. To reregister, run the registration command again.

+To see information for a particular resource provider, use:

+```python

+import os

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.resource import ResourceManagementClient

+

+# Authentication

+credential = DefaultAzureCredential()

+subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

+

+# Initialize Resource Management client

+resource_management_client = ResourceManagementClient(credential, subscription_id)

+

+# Get resource provider by ProviderNamespace

+provider_namespace = "Microsoft.Batch"

+provider = resource_management_client.providers.get(provider_namespace)

+

+print(f"ProviderNamespace: {provider.namespace}, RegistrationState: {provider.registration_state}\n")

+

+# Add resource types, locations, and API versions with new lines to separate results

+for resource_type in provider.resource_types:

+ print(f"ResourceType: {resource_type.resource_type}\nLocations: {', '.join(resource_type.locations)}\nAPIVersions: {', '.join(resource_type.api_versions)}\n")

+```

+The command returns:

+```output

+ProviderNamespace: Microsoft.Batch, RegistrationState: Registered

+ResourceType: batchAccounts

+Locations: West Europe, East US, East US 2, West US, North Central US, Brazil South, North Europe, Central US, East Asia, Japan East, Australia Southeast, Japan West, Korea South, Korea Central, Southeast Asia, South Central US, Australia East, Jio India West, South India, Central India, West India, Canada Central, Canada East, UK South, UK West, West Central US, West US 2, France Central, South Africa North, UAE North, Australia Central, Germany West Central, Switzerland North, Norway East, Brazil Southeast, West US 3, Sweden Central, Qatar Central, Poland Central, East US 2 EUAP, Central US EUAP

+APIVersions: 2023-05-01, 2022-10-01, 2022-06-01, 2022-01-01, 2021-06-01, 2021-01-01, 2020-09-01, 2020-05-01, 2020-03-01-preview, 2020-03-01, 2019-08-01, 2019-04-01, 2018-12-01, 2017-09-01, 2017-05-01, 2017-01-01, 2015-12-01, 2015-09-01, 2015-07-01, 2014-05-01-privatepreview

+...

+```

+To see the resource types for a resource provider, use:

+```python

+# Get resource provider by ProviderNamespace

+provider_namespace = "Microsoft.Batch"

+provider = resource_management_client.providers.get(provider_namespace)

+

+# Get ResourceTypeName of the resource types

+resource_type_names = [resource_type.resource_type for resource_type in provider.resource_types]

+

+for resource_type_name in resource_type_names:

+ print(resource_type_name)

+```

+The command returns:

+```output

+batchAccounts

+batchAccounts/pools

+batchAccounts/detectors

+batchAccounts/certificates

+operations

+locations

+locations/quotas

+locations/checkNameAvailability

+locations/accountOperationResults

+locations/virtualMachineSkus

+locations/cloudServiceSkus

+```

+The API version corresponds to a version of the resource provider's REST API operations. As a resource provider enables new features, it releases a new version of the REST API.

+To get the available API versions for a resource type, use:

+```python

+# Get resource provider by ProviderNamespace

+provider_namespace = "Microsoft.Batch"

+provider = resource_management_client.providers.get(provider_namespace)

+

+# Filter resource type by ResourceTypeName and get its ApiVersions

+resource_type_name = "batchAccounts"

+api_versions = [

+ resource_type.api_versions

+ for resource_type in provider.resource_types

+ if resource_type.resource_type == resource_type_name

+]

+

+for api_version in api_versions[0]:

+ print(api_version)

+```

+The command returns:

+```output

+2023-05-01

+2022-10-01

+2022-06-01

+2022-01-01

+...

+```

+Resource Manager is supported in all regions, but the resources you deploy might not be supported in all regions. Also, there may be limitations on your subscription that prevent you from using some regions that support the resource.

+To get the supported locations for a resource type, use.

+```python

+# Get resource provider by ProviderNamespace

+provider_namespace = "Microsoft.Batch"

+provider = resource_management_client.providers.get(provider_namespace)

+

+# Filter resource type by ResourceTypeName and get its Locations

+resource_type_name = "batchAccounts"

+locations = [

+ resource_type.locations

+ for resource_type in provider.resource_types

+ if resource_type.resource_type == resource_type_name

+]

+

+for location in locations[0]:

+ print(location)

+```

+The command returns:

+```output

+West Europe

+East US

+East US 2

+West US

+...

+```

+* To view the operations for a resource provider, see [Azure REST API](/rest/api/).

+| Microsoft.DocumentDB/databaseAccounts | [listKeys](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/database-accounts/list-keys?tabs=HTTP) |

+| Microsoft.DocumentDB/databaseAccounts/notebookWorkspaces | [listConnectionInfo](/rest/api/cosmos-db-resource-provider/2023-03-15-preview/notebook-workspaces/list-connection-info?tabs=HTTP) |

+ :::image type="content" source="./media/template-tutorial-add-outputs/select-deployments.png" alt-text="Screenshot of the Azure portal showing the deployments link.":::

+ :::image type="content" source="./media/template-tutorial-add-outputs/show-history.png" alt-text="Screenshot of the Azure portal showing the deployment history.":::

+ :::image type="content" source="./media/template-tutorial-add-outputs/show-inputs.png" alt-text="Screenshot of the Azure portal showing the deployment inputs.":::

+ :::image type="content" source="./media/template-tutorial-add-outputs/show-outputs.png" alt-text="Screenshot of the Azure portal showing the deployment outputs.":::

+ :::image type="content" source="./media/template-tutorial-add-outputs/show-template.png" alt-text="Screenshot of the Azure portal showing the deployment template.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/resource-manager-visual-studio-code-first-template.png" alt-text="Screenshot of Visual Studio Code displaying an empty ARM template with JSON structure in the editor.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/resource-manager-deployment-provisioningstate.png" alt-text="Screenshot of PowerShell output showing the successful deployment provisioning state.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/azure-cli-provisioning-state.png" alt-text="Screenshot of Azure CLI output displaying the successful deployment provisioning state.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/deployment-status.png" alt-text="Screenshot of Azure portal showing the deployment status in the Essentials section of the resource group.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/select-from-deployment-history.png" alt-text="Screenshot of Azure portal displaying the deployment history with the blanktemplate deployment selected.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/view-deployment-summary.png" alt-text="Screenshot of Azure portal showing the deployment summary for the blanktemplate deployment.":::

+ :::image type="content" source="./media/template-tutorial-create-first-template/resource-deletion.png" alt-text="Screenshot of Azure portal with the Delete resource group option highlighted in the resource group view.":::

+ :::image type="content" source="./media/template-tutorial-export-template/resource-manager-template-export.png" alt-text="Screenshot of the Create App Service Plan page in the Azure portal.":::

+ :::image type="content" source="./media/template-tutorial-export-template/resource-manager-template-export-go-to-resource.png" alt-text="Screenshot of the Go to resource button in the Azure portal.":::

+ :::image type="content" source="./media/template-tutorial-export-template/resource-manager-template-export-template.png" alt-text="Screenshot of the Export template option in the Azure portal.":::

+ :::image type="content" source="./media/template-tutorial-export-template/resource-manager-template-exported-template.png" alt-text="Screenshot of the exported template JSON code in the Azure portal.":::

+## How does the disk backup scheduling and retention period work?

+Azure Disk Backup currently supports only the Operational Tier, which helps store backups as Disk Snapshots in your tenant that aren't moved to the vault. The backup policy defines the schedule and retention period of your backups in the Operational Tier (when the snapshots will be taken and how long they will be retained).

+By using the Azure Disk backup policy, you can define the backup schedule with Hourly frequency of 1, 2, 4, 6, 8, or 12 hours and Daily frequency. Although backups have scheduled timing as per the policy, there can be a difference in the actual start time of the backups from the scheduled one.

+The retention period of snapshots is governed by the snapshot limit for a disk. Currently, a maximum of 500 snapshots can be retained for a disk. If the limit is reached, no new snapshots can be taken, and you need to delete the older snapshots.

+The retention period for a backup also follows the maximum limit of 450 snapshots with 50 snapshots kept aside for on-demand backups.

+For example, if the scheduling frequency for backups is set as Daily, then you can set the retention period for backups at a maximum value of 450 days. Similarly, if the scheduling frequency for backups is set as Hourly with a 1-hour frequency, then you can set the retention for backups at a maximum value of 18 days.

+**Supported SQL Server versions** | SQL Server 2022, SQL Server 2019, SQL Server 2017 as detailed on the [Search product lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=SQL%20server%202017), SQL Server 2016 and SPs as detailed on the [Search product lifecycle page](https://support.microsoft.com/lifecycle/search?alpha=SQL%20server%202016%20service%20pack), SQL Server 2014, SQL Server 2012, SQL Server 2008 R2, SQL Server 2008 <br/><br/> Enterprise, Standard, Web, Developer, Express.<br><br>Express Local DB versions aren't supported.

+| packetLossRate | The rate at which packets matching the destination filters will be lost, ranging from 0.0 to 1.0. |

+ "key": "packetLossRate",

+Azure Communication Services Call Automation APIs provide developers the ability to steer and control the Azure Communication Services Telephony, VoIP or WebRTC calls using real-time event triggers to perform actions based on custom business logic specific to their domain. Within the Call Automation APIs developers can use simple AI powered APIs, which can be used to play personalized greeting messages, recognize conversational voice inputs to gather information on contextual questions to drive a more self-service model with customers, use sentiment analysis to improve customer service overall. These content specific APIs are orchestrated through **Azure Cognitive Services** with support for customization of AI models without developers needing to terminate media streams on their services and streaming back to Azure for AI functionality.

+### Add a Managed Identity to the Azure Communication Services Resource

+1. Navigate to your Azure Communication Services Resource in the Azure portal.

+### Option 2: Add role through Azure Communication Services Identity tab

+1. Navigate to your Azure Communication Services resource in the Azure portal.

+Before a worker can receive offers to service a job, it must be registered first by setting `availableForOffers` to true. Next, we need to specify which queues the worker listens on and which channels it can handle. Once registered, you receive a [RouterWorkerRegistered](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerregistered) event from Event Grid.

+In the following example, we register a worker to

+- Be able to handle both the voice and chat channels. In this case, the worker could either take a single `voice` job at one time or two `chat` jobs at the same time. This setting is configured by specifying the total capacity of the worker and assigning a cost per job for each channel.

+ AvailableForOffers = true,

+ QueueAssignments = { ["queue1"] = new RouterQueueAssignment(), ["queue2"] = new RouterQueueAssignment() },

+ availableForOffers = true,

+ available_for_offers = True,

+ .setAvailableForOffers(true)

+In the following example, we submit a job that

+Job Router tries to match this job to an available worker listening on `queue1` for the `chat` channel, with `English` set to `true` and `Skill` greater than `10`.

+Once a match is made, an offer is created. The distribution policy that is attached to the queue controls how many active offers there can be for a job and how long each offer is valid. [You receive][subscribe_events] an [OfferIssued Event][offer_issued_event] that would look like this:

+The [OfferIssued Event][offer_issued_event] includes details about the job, worker, how long the offer is valid and the `offerId` that you need to accept or decline the job.

+## Worker Deregistration

+If a worker would like to stop receiving offers, it can be deregistered by setting `AvailableForOffers` to `false` when updating the worker and you receive a [RouterWorkerDeregistered](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerderegistered) event from Event Grid. Any existing offers for the worker are revoked and you receive a [RouterWorkerOfferRevoked](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerofferrevoked) event for each offer.

+```csharp

+await client.UpdateWorkerAsync(new UpdateWorkerOptions(workerId: "worker-1") { AvailableForOffers = false });

+```

+```typescript

+await client.updateWorker("worker-1", { availableForOffers = false });

+```

+```python

+client.update_worker(worker_id = "worker-1", router_worker = RouterWorker(available_for_offers = False))

+```

+```java

+client.updateWorker(new UpdateWorkerOptions("worker-1").setAvailableForOffers(true));

+```

+> [!NOTE]

+> If a worker is registered and idle for more than 7 days, it'll be automatically deregistered.

+ QueueAssignments = { ["queue1"] = new RouterQueueAssignment() },

+ QueueAssignments = { ["queue1"] = new RouterQueueAssignment() },

+The Data Channel API enables real-time messaging during audio and video calls. With this API, you can now easily integrate data exchange functionalities into the applications, providing a seamless communication experience for users. Key features include:

+With appropriate serialization in the application, it can deliver various message types for different purposes.

+There are also other liberies or services providing the messaging functionalities.

+Each of them has its advantages and disadvantages. You should choose the suitable one for your usage scenario.

+For example, the Data Channel API offers the advantage of low-latency communication, and simplifies user management as there is no need to maintain a separate participant list.

+However, the data channel feature doesn't provide message persistence and doesn't guarantee that message won't be lost in an end-to-end manner.

+If you need the stateful messaging or guaranteed delivery, you may want to consider alternative solutions.

+This channelId can be utilized to differentiate various application uses, such as using 1000 for control messages and 1001 for image transfers.

+ QueueAssignments = { [queue.Value.Id] = new RouterQueueAssignment() },

+ QueueAssignments = { [queue.Value.Id] = new RouterQueueAssignment() },

+ QueueAssignments = { [queue.Value.Id] = new RouterQueueAssignment() },

+> [!NOTE]

+> If the job labels, queueId, channelId or worker selectors are updated, any existing offers on the job are revoked and you'll receive a [RouterWorkerOfferRevoked](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterworkerofferrevoked) event for each offer from EventGrid. The job will be re-queued and you'll receive a [RouterJobQueued](../../how-tos/router-sdk/subscribe-events.md#microsoftcommunicationrouterjobqueued) event. Job offers may also be revoked when a worker's total capacity is reduced, or the channel configurations are updated.

+You must provide the networking connection between Azure Communications Gateway and your core networks.

+description: Azure Communication Gateway optionally contains Mobile Control Point for anchoring Teams Phone Mobile calls in the Microsoft Cloud

+- [Intel® Cloud Optimization Modules for Kubeflow](#intel-kubeflow)

+### Intel® Cloud Optimization Modules for Kubeflow <a id="intel-kubeflow"></a>

+The [Intel® Cloud Optimization Modules for Kubeflow](https://github.com/intel/kubeflow-intel-azure/tree/main) provide an optimized machine learning Kubeflow Pipeline using XGBoost to predict the probability of a loan default. The reference architecture leverages the secure and confidential [Intel® Software Guard Extensions](../../articles/confidential-computing/confidential-computing-enclaves.md) virtual machines on an [Azure Kubernetes Services (AKS) cluster](../../articles/confidential-computing/confidential-containers-enclaves.md). It also enables the use of [Intel® optimizations for XGBoost](https://www.intel.com/content/www/us/en/developer/tools/oneapi/optimization-for-xgboost.html) and [Intel® daal4py](https://www.intel.com/content/www/us/en/developer/articles/guide/a-daal4py-introduction-and-getting-started-guide.html) to accelerate model training and inference in a full end-to-end machine learning pipeline.

+For CLI users, we recommend to use latest version of [Azure CLI][Azure Cloud Shell], for invoking SDK implementation. Run `az --version` to find the version.

+<!-- LINKS - External -->

+[Azure Cloud Shell]: /azure/cloud-shell/quickstart

+ --name myregistry --image myrepo:tag \

+To lock the *myrepo:tag* image in *myregistry*, run the following [az acr repository update][az-acr-repository-update] command:

+ --name myregistry --image myrepo:tag \

+To lock a *myrepo* image identified by manifest digest (SHA-256 hash, represented as `sha256:...`), run the following command. (To find the manifest digest associated with one or more image tags, run the [az acr manifest list-metadata][az-acr-manifest-list-metadata] command.)

+ --name myregistry --image myrepo@sha256:123456abcdefg \

+repo="myrepo"

+To allow the *myrepo:tag* image to be updated but not deleted, run the following command:

+ --name myregistry --image myrepo:tag \

+To prevent read (pull) operations on the *myrepo:tag* image, run the following command:

+ --name myregistry --image myrepo:tag \

+To restore the default behavior of the *myrepo:tag* image so that it can be deleted and updated, run the following command:

+ --name myregistry --image myrepo:tag \

+[Azure Cosmos DB for MongoDB](../introduction.md) provides a powerful fully managed MongoDB compatible database while seamlessly integrating with the Azure ecosystem. This allows developers to reap the benefits of Azure Cosmos DB's robust features such as global distribution, 99.999% high availability SLA, and strong security measures, while retaining the ability to use their familiar MongoDB tools and applications. Developers can remain vendor agnostic, without needing to adapt to a new set of tools or drastically change their current operations. This ensures a smooth transition and operation for MongoDB developers, making Azure Cosmos DB for MongoDB a compelling choice for a scalable, secure, and efficient database solution for their MongoDB workloads.

+| `change streams` | Yes |

+Azure Cosmos DB is a fully managed NoSQL database service provided by Microsoft. It allows you to build globally distributed and highly scalable applications with ease. This how-to guide walks you through the process of creating a Java application that uses the Azure Cosmos DB for NoSQL database and implements the Change Feed Processor for real-time data processing. The Java application communicates with the Azure Cosmos DB for NoSQL using Azure Cosmos DB Java SDK v4.

+> This tutorial is for Azure Cosmos DB Java SDK v4 only. Please view the Azure Cosmos DB Java SDK v4 [Release notes](sdk-java-v4.md), [Maven repository](https://mvnrepository.com/artifact/com.azure/azure-cosmos), [Change feed processor in Azure Cosmos DB](change-feed-processor.md), and Azure Cosmos DB Java SDK v4 [troubleshooting guide](troubleshoot-java-sdk-v4.md) for more information. If you are currently using an older version than v4, see the [Migrate to Azure Cosmos DB Java SDK v4](migrate-java-v4-sdk.md) guide for help upgrading to v4.

+* Azure Cosmos DB Account: you can create it from the [Azure portal](https://portal.azure.com/) or you can use [Azure Cosmos DB Emulator](../local-emulator.md) as well.

+* Java Development Environment: Ensure you have Java Development Kit (JDK) installed on your machine with at least 8 version.

+* [Azure Cosmos DB Java SDK V4](sdk-java-v4.md): provides the necessary features to interact with Azure Cosmos DB.

+The Azure Cosmos DB change feed provides an event-driven interface to trigger actions in response to document insertion that has many uses.

+This simple example of Java application is demonstrating real-time data processing with Azure Cosmos DB and the Change Feed Processor. The application inserts sample documents into a "feed container" to simulate a data stream. The Change Feed Processor, bound to the feed container, processes incoming changes and logs the document content. The processor automatically manages leases for parallel processing.

+## Source code

+You can clone the SDK example repo and find this example in `SampleChangeFeedProcessor.java`:

+git clone https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples.git

+cd azure-cosmos-java-sql-api-sample/src/main/java/com/azure/cosmos/examples/changefeed/

+1. Configure the [`ChangeFeedProcessorOptions`](/java/api/com.azure.cosmos.models.changefeedprocessoroptions) in a Java application using Azure Cosmos DB and Azure Cosmos DB Java SDK V4. The [`ChangeFeedProcessorOptions`](/java/api/com.azure.cosmos.models.changefeedprocessoroptions) provides essential settings to control the behavior of the Change Feed Processor during data processing.

+ [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeed/SampleChangeFeedProcessor.java?name=ChangeFeedProcessorOptions)]

+2. Initialize [`ChangeFeedProcessor`](/java/api/com.azure.cosmos.changefeedprocessor) with relevant configurations, including the host name, feed container, lease container, and data handling logic. The [`start()`](/java/api/com.azure.cosmos.changefeedprocessor#com-azure-cosmos-changefeedprocessor-start()) method initiates the data processing, enabling concurrent and real-time processing of incoming data changes from the feed container.

+ [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeed/SampleChangeFeedProcessor.java?name=StartChangeFeedProcessor)]

+3. Specify the delegate handles incoming data changes using the `handleChanges()` method. The method processes the received JsonNode documents from the Change Feed. As a developer you have two options for handling the JsonNode document provided to you by Change Feed. One option is to operate on the document in the form of a JsonNode. This is great especially if you don't have a single uniform data model for all documents. The second option - transform the JsonNode to a POJO having the same structure as the JsonNode. Then you can operate on the POJO.

+ [!code-java[](~/azure-cosmos-java-sql-api-samples/src/main/java/com/azure/cosmos/examples/changefeed/SampleChangeFeedProcessor.java?name=Delegate)]

+4. Build and run the Java application. The application starts the Change Feed Processor, insert sample documents into the feed container, and process the incoming changes.

+## Conclusion

+In this guide, you learned how to create a Java application using [Azure Cosmos DB Java SDK V4](sdk-java-v4.md) that uses the Azure Cosmos DB for NoSQL database and uses the Change Feed Processor for real-time data processing. You can extend this application to handle more complex use cases and build robust, scalable, and globally distributed applications using Azure Cosmos DB.

+## Additional resources

+* [Azure Cosmos DB Java SDK V4](sdk-java-v4.md)

+* [Additional samples on GitHub](https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples)

+## Next steps

+You can now proceed to learn more about change feed estimator in the following articles:

+* [Use the change feed estimator](how-to-use-change-feed-estimator.md)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+- [System functions](system-functions.yml)

+>[!NOTE]

+> The Enterprise Dev/Test Offer isn't available for Azure Government customers. If you're an Azure Government customer, your can't enable the Dev/Test option.

+To view detailed usage for specific accounts, download the usage detail report. Usage files may be large. If you prefer, you can use the exports feature to get the same data exported to an Azure Storage account. For more information, see [Export usage details to a storage account](../costs/tutorial-export-acm-data.md).

+| Month | The month when consumption and purchases were made. |

+| Charges against Credits | The credit applied during the specific period. |

+| Service Overage | Your organization's usage charges exceed your credit balance. |

+| Billed Separately | Charges for services that aren't eligible to use available credit. |

+| Azure Marketplace | Azure Marketplace charges that are billed separately. |

+### Understand refunded overage credits

+This section explains how the previous refunded overage credits process worked and how the new process works.

+Previously, when a reservation purchase refund occurred in a closed billing period, Microsoft updated your account retroactively, sometimes going back multiple years. The refund, if applied retroactively, could negatively affect financial reporting and cause problems.

+Now, to prevent problems with the new process, a refund is applied as a credit. The refund doesn't cause any change to a closed billing period. A refund is reimbursed to the same payment method that you used when you made the purchase. If the refund results from an overage, then a credit note is issued to you. If a refund goes toward Azure prepayment (also called Monetary Commitment (MC)), then the overage portion results in issuing a credit note. Azure prepayment is applied as an adjustment.

+> [!NOTE]

+> The reservation refund applies only to purchase refunds completed in previously closed billing periods. There's no change to refund behavior completed in an open billing period. When a refund is completed before the purchase is invoiced, then the refund is reimbursed as part of the purchase and noted on the invoice.

+#### Overage refund examples

+Let's look at a detailed overage refund example with the previous process. Assume that a reservation was bought in February 2022 with an overage credit (no Azure prepayment or Monetary Commitment was involved). You decided to return the reservation in August 2022. Refunds use the same payment method as the purchase. So, you received a credit note in August 2022 for the February 2022 billing period. However, the credit amount reflects the month of purchase. In this example, that's February 2022. The refund results in the change to the service overage and total charges.

+Here's how a refund example appeared in the Azure p