+This table shows support for authenticating Azure Active Directory (Azure AD) and Microsoft Accounts (MSA). Microsoft accounts are created by consumers for services such as Xbox, Skype, or Outlook.com.

+| OS | Chrome | Edge | Firefox | Safari |

+|::|::|:-:|:-:|::|

+| **Windows** | ✅ | ✅ | ✅ | N/A |

+| **macOS** | ✅ | ✅ | ✅ | ✅ |

+| **ChromeOS** | ✅ | N/A | N/A | N/A |

+| **Linux** | ✅ | ❌ | ❌ | N/A |

+| **iOS** | ✅ | ✅ | ✅ | ✅ |

+| **Android** | ❌ | ❌ | ❌ | N/A |

+>This is the view for web support. Authentication for native apps in iOS and Android isn't available yet.

+## Browser support for each platform

+The following tables show which transports are supported for each platform. Supported device types include **USB**, near-field communication (**NFC**), and bluetooth low energy (**BLE**).

+### Windows

+| Browser | USB | NFC | BLE |

+|||--|--|

+| Edge | ✅ | ✅ | ✅ |

+| Chrome | ✅ | ✅ | ✅ |

+| Firefox | ✅ | ✅ | ✅ |

+### macOS

+| Browser | USB | NFC¹ | BLE¹ |

+|||--|--|

+| Edge | ✅ | N/A | N/A |

+| Chrome | ✅ | N/A | N/A |

+| Firefox² | ✅ | N/A | N/A |

+| Safari² | ✅ | N/A | N/A |

+¹NFC and BLE security keys aren't supported on macOS by Apple.

+²New security key registration doesn't work on these macOS browsers because they don't prompt to set up biometrics or PIN.

+### ChromeOS

+| Browser¹ | USB | NFC | BLE |

+|||--|--|

+| Chrome | ✅ | ❌ | ❌ |

+¹Security key registration isn't supported on ChromeOS or Chrome browser.

+### Linux

+| Browser | USB | NFC | BLE |

+|||--|--|

+| Edge | ❌ | ❌ | ❌ |

+| Chrome | ✅ | ❌ | ❌ |

+| Firefox | ❌ | ❌ | ❌ |

+### iOS

+| Browser¹ | Lightning | NFC | BLE² |

+|||--|--|

+| Edge | ✅ | ✅ | N/A |

+| Chrome | ✅ | ✅ | N/A |

+| Firefox | ✅ | ✅ | N/A |

+| Safari | ✅ | ✅ | N/A |

+¹New security key registration doesn't work on iOS browsers because they don't prompt to set up biometrics or PIN.

+²BLE security keys aren't supported on iOS by Apple.

+### Android

+| Browser¹ | USB | NFC | BLE |

+|||--|--|

+| Edge | ❌ | ❌ | ❌ |

+| Chrome | ❌ | ❌ | ❌ |

+| Firefox | ❌ | ❌ | ❌ |

+¹Security key biometrics or PIN for user verficiation isn't currently supported on Android by Google. Azure AD requires user verification for all FIDO2 authentications.

+¹All versions of the new Chromium-based Microsoft Edge support FIDO2. Support on Microsoft Edge legacy was added in 1903.

+# Block legacy authentication with Azure AD Conditional Access

+Based on Microsoft's analysis more than 97 percent of credential stuffing attacks use legacy authentication and more than 99 percent of password spray attacks use legacy authentication protocols. These attacks would stop with basic authentication disabled or blocked.

+This article explains how you can configure Conditional Access policies that block legacy authentication for all workloads within your tenant.

+Before you can block legacy authentication in your directory, you need to first understand if your users have client apps that use legacy authentication.

+#### Sign-in log indicators

+Filtering shows you sign-in attempts made by legacy authentication protocols. Clicking on each individual sign-in attempt shows you more details. The **Client App** field under the **Basic Info** tab indicates which legacy authentication protocol was used.

+These logs indicate where users are using clients that are still depending on legacy authentication. For users that don't appear in these logs and are confirmed to not be using legacy authentication, implement a Conditional Access policy for these users only.

+Many clients that previously only supported legacy authentication now support modern authentication. Clients that support both legacy and modern authentication may require configuration update to move from legacy to modern authentication. If you see **modern mobile**, **desktop client** or **browser** for a client in the Sign-in logs, it's using modern authentication. If it has a specific client or protocol name, such as **Exchange ActiveSync**, it's using legacy authentication. The client types in Conditional Access, Sign-in logs, and the legacy authentication workbook distinguish between modern and legacy authentication clients for you.

+> **Exchange Active Sync with Certificate-based authentication (CBA)**

+If your organization isn't ready to block legacy authentication completely, you should ensure that sign-ins using legacy authentication aren't bypassing policies that require grant controls like multifactor authentication. During authentication, legacy authentication clients don't support sending MFA, device compliance, or join state information to Azure AD. Therefore, apply policies with grant controls to all client applications so that legacy authentication based sign-ins that canΓÇÖt satisfy the grant controls are blocked. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client apps by default.

+- [Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include** > **Select apps**, choose **Microsoft Azure Management**, and select **Select**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include** > **Select apps**, choose **Microsoft Azure Management**, and select **Select**.

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+ Title: Secure your resources with Conditional Access policy templates

+description: Deploy recommended Conditional Access policies from easy to use templates.

+# Conditional Access templates

+Conditional Access templates provide a convenient method to deploy new policies aligned with Microsoft recommendations. These templates are designed to provide maximum protection aligned with commonly used policies across various customer types and locations.

+## Template categories

+The 16 Conditional Access policy templates are organized into the following categories:

+# [Secure foundation](#tab/secure-foundation)

+Microsoft recommends these policies as the base for all organizations. We recommend these policies be deployed as a group.

+- [Require multifactor authentication for admins](howto-conditional-access-policy-admin-mfa.md)

+- [Securing security info registration](howto-conditional-access-policy-registration.md)

+- [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)

+- [Require multifactor authentication for all users](howto-conditional-access-policy-all-users-mfa.md)

+- [Require multifactor authentication for Azure management](howto-conditional-access-policy-azure-management.md)

+- [Require compliant or hybrid Azure AD joined device or multifactor authentication for all users](howto-conditional-access-policy-compliant-device.md)

+# [Zero Trust](#tab/zero-trust)

+These policies as a group help support a [Zero Trust architecture](/security/zero-trust/deploy/identity).

+- [Require multifactor authentication for admins](howto-conditional-access-policy-admin-mfa.md)

+- [Securing security info registration](howto-conditional-access-policy-registration.md)

+- [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)

+- [Require multifactor authentication for all users](howto-conditional-access-policy-all-users-mfa.md)

+- [Require multifactor authentication for guest access](howto-policy-guest-mfa.md)

+- [Require multifactor authentication for Azure management](howto-conditional-access-policy-azure-management.md)

+- [Require multifactor authentication for risky sign-ins](howto-conditional-access-policy-risk.md) **Requires Azure AD Premium P2**

+- [Require password change for high-risk users](howto-conditional-access-policy-risk-user.md) **Requires Azure AD Premium P2**

+- [Require approved client apps or app protection policies](howto-policy-approved-app-or-app-protection.md)

+- [Require multifactor authentication for admins accessing Microsoft admin portals](how-to-policy-mfa-admin-portals.md)

+# [Remote work](#tab/remote-work)

+These policies help secure organizations with remote workers.

+- [Securing security info registration](howto-conditional-access-policy-registration.md)

+- [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)

+- [Require multifactor authentication for all users](howto-conditional-access-policy-all-users-mfa.md)

+- [Require multifactor authentication for risky sign-ins](howto-conditional-access-policy-risk.md) **Requires Azure AD Premium P2**

+- [Require compliant or hybrid Azure AD joined device for administrators](howto-conditional-access-policy-compliant-device-admin.md)

+- [Block access for unknown or unsupported device platform](howto-policy-unknown-unsupported-device.md)

+- [No persistent browser session](howto-policy-persistent-browser-session.md)

+- [Require approved client apps or app protection policies](howto-policy-approved-app-or-app-protection.md)

+# [Protect administrator](#tab/protect-administrator)

+These policies are directed at highly privileged administrators in your environment, where compromise may cause the most damage.

+- [Require multifactor authentication for admins](howto-conditional-access-policy-admin-mfa.md)

+- [Block legacy authentication](howto-conditional-access-policy-block-legacy.md)

+- [Require multifactor authentication for Azure management](howto-conditional-access-policy-azure-management.md)

+- [Require compliant or hybrid Azure AD joined device for administrators](howto-conditional-access-policy-compliant-device-admin.md)

+- [Require phishing-resistant multifactor authentication for administrators](how-to-policy-phish-resistant-admin-mfa.md)

+# [Emerging threats](#tab/emerging-threats)

+Policies in this category provide new ways to protect against compromise.

+- [Require phishing-resistant multifactor authentication for administrators](how-to-policy-phish-resistant-admin-mfa.md)

+Find these templates in the **[Microsoft Entra admin center](https://entra.microsoft.com)** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Create new policy from templates**. Select **Show more** to see all policy templates in each category.

+> [!IMPORTANT]

+> Conditional Access template policies will exclude only the user creating the policy from the template. If your organization needs to [exclude other accounts](../roles/security-emergency-access.md), you will be able to modify the policy once they are created. Simply navigate to **Microsoft Entra admin center** > **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Policies**, select the policy to open the editor and modify the excluded users and groups to select accounts you want to exclude.

+By default, each policy is created in [report-only mode](concept-conditional-access-report-only.md), we recommended organizations test and monitor usage, to ensure intended result, before turning on each policy.

+Organizations can select individual policy templates and:

+- View a summary of the policy settings.

+- Edit, to customize based on organizational needs.

+- Export the JSON definition for use in programmatic workflows.

+ - These JSON definitions can be edited and then imported on the main Conditional Access policies page using the **Upload policy file** option.

+1. Under **Target resources**, select the following options:

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Under **Target resources** > **Cloud apps** > **Include** > **Select apps**

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+- [Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+ Title: Require multifactor authentication for Microsoft admin portals

+description: Create a Conditional Access policy requiring multifactor authentication for admins accessing Microsoft admin portals.

+# Common Conditional Access policy: Require multifactor authentication for admins accessing Microsoft admin portals

+Microsoft recommends securing access to any Microsoft admin portals like Microsoft Entra, Microsoft 365, Exchange, and Azure. Using the [Microsoft Admin Portals (Preview)](concept-conditional-access-cloud-apps.md#microsoft-admin-portals-preview) app organizations can control interactive access to Microsoft admin portals.

+## User exclusions

+## Create a Conditional Access policy

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **Directory roles** and choose built-in roles like:

+ - Global Administrator

+ - Application Administrator

+ - Authentication Administrator

+ - Billing Administrator

+ - Cloud Application Administrator

+ - Conditional Access Administrator

+ - Exchange Administrator

+ - Helpdesk Administrator

+ - Password Administrator

+ - Privileged Authentication Administrator

+ - Privileged Role Administrator

+ - Security Administrator

+ - SharePoint Administrator

+ - User Administrator

+

+ > [!WARNING]

+ > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../roles/admin-units-assign-roles.md) or [custom roles](../roles/custom-create.md).

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+1. Under **Target resources** > **Cloud apps** > **Include**, **Select apps**, select **Microsoft Admin Portals (Preview)**.

+1. Under **Access controls** > **Grant**, select **Grant access**, **Require authentication strength**, select **Multifactor authentication**, then select **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+## Next steps

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+ Title: Require phishing-resistant multifactor authentication for Azure AD administrator roles

+description: Create a Conditional Access policy requiring stronger authentication methods for highly privileged roles in your organization.

+# Common Conditional Access policy: Require phishing-resistant multifactor authentication for administrators

+Accounts that are assigned highly privileged administrative rights are frequent targets of attackers. Requiring phishing-resistant multifactor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.

+> [!CAUTION]

+> Before creating a policy requiring phishing-resistant multifactor authentication, ensure your administrators have the appropriate methods registered. If you enable this policy without completing this step you risk locking yourself out of your tenant.

+Microsoft recommends you require phishing-resistant multifactor authentication on the following roles at a minimum:

+- Global Administrator

+- Application Administrator

+- Authentication Administrator

+- Billing Administrator

+- Cloud Application Administrator

+- Conditional Access Administrator

+- Exchange Administrator

+- Helpdesk Administrator

+- Password Administrator

+- Privileged Authentication Administrator

+- Privileged Role Administrator

+- Security Administrator

+- SharePoint Administrator

+- User Administrator

+Organizations can choose to include or exclude roles as they see fit.

+## User exclusions

+## Create a Conditional Access policy

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Include**, select **Directory roles** and choose built-in roles like:

+ - Global Administrator

+ - Application Administrator

+ - Authentication Administrator

+ - Billing Administrator

+ - Cloud Application Administrator

+ - Conditional Access Administrator

+ - Exchange Administrator

+ - Helpdesk Administrator

+ - Password Administrator

+ - Privileged Authentication Administrator

+ - Privileged Role Administrator

+ - Security Administrator

+ - SharePoint Administrator

+ - User Administrator

+

+ > [!WARNING]

+ > Conditional Access policies support built-in roles. Conditional Access policies are not enforced for other role types including [administrative unit-scoped](../roles/admin-units-assign-roles.md) or [custom roles](../roles/custom-create.md).

+ 1. Under **Exclude**, select **Users and groups** and choose your organization's emergency access or break-glass accounts.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+1. Under **Access controls** > **Grant**, select **Grant access**, **Require authentication strength**, select **Phishing-resistant MFA**, then select **Select**.

+1. Confirm your settings and set **Enable policy** to **Report-only**.

+1. Select **Create** to create to enable your policy.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+## Next steps

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+- Global Administrator

+- Application Administrator

+- Authentication Administrator

+- Billing Administrator

+- Cloud Application Administrator

+- Conditional Access Administrator

+- Exchange Administrator

+- Helpdesk Administrator

+- Password Administrator

+- Privileged Authentication Administrator

+- Security Administrator

+- SharePoint Administrator

+- User Administrator

+The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multifactor authentication. Some organizations may be ready to move to stronger authentication methods for their administrators. These organizations may choose to implement a policy like the one described in the article [Require phishing-resistant multifactor authentication for administrators](how-to-policy-phish-resistant-admin-mfa.md).

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+ - Application Administrator

+ - Billing Administrator

+ - Cloud Application Administrator

+ - Exchange Administrator

+ - Helpdesk Administrator

+ - Password Administrator

+ - Privileged Authentication Administrator

+ - Security Administrator

+ - SharePoint Administrator

+ - User Administrator

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+The guidance in this article helps your organization create an MFA policy for your environment.

+The following steps help create a Conditional Access policy to require all users do multifactor authentication.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+In the previous example policy, an organization may choose to not require multifactor authentication if accessing a cloud app from their corporate network. In this case they could add the following configuration to the policy:

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps**, under **Include** or **Exclude**, select any applications you want to include in or exclude from the authentication strength requirements.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include** > **Select apps**, choose **Microsoft Azure Management**, and select **Select**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps**, select the following options:

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include** > **Select apps**, choose **Office 365**, and select **Select**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates](concept-conditional-access-policy-common.md#conditional-access-templates).

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access** > **Named locations**.

+1. Choose the type of location to create.

+ 1. **Countries location** or **IP ranges location**.

+1. Provide the **IP ranges** or select the **Countries/Regions** for the location you're specifying.

+ - If you select IP ranges, you can optionally **Mark as trusted location**.

+ - If you choose Countries/Regions, you can optionally choose to include unknown areas.

+1. Select **Create**

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates](concept-conditional-access-policy-common.md#conditional-access-templates).

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **User actions**, check **Register security information**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **User actions**, check **Register security information**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates](concept-conditional-access-policy-common.md#conditional-access-templates).

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+- [Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+- [Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates](concept-conditional-access-policy-common.md#conditional-access-templates).

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+- [Determine effect using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)

+- [Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps**, select the following options:

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+Organizations can choose to deploy this policy using the steps outlined below or using the [Conditional Access templates](concept-conditional-access-policy-common.md#conditional-access-templates).

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **Select apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+[Conditional Access templates](concept-conditional-access-policy-common.md)

+[Use report-only mode for Conditional Access to determine the results of new policy decisions.](concept-conditional-access-report-only.md)

+- Locations marked as trusted can't be deleted. Remove the trusted designation before attempting to delete.

+Organizations with access to Global Secure Access preview features have an another location listed that is made up of users and devices that comply with your organization's security policies. For more information, see the section [Enable Global Secure Access signaling for Conditional Access](../../global-secure-access/how-to-compliant-network.md#enable-global-secure-access-signaling-for-conditional-access). It can be used with Conditional Access policies to perform a compliant network check for access to resources.

+> [!NOTE]

+> IPv6 addresses from service endpoints may appear in the sign-in logs with failures due to the way they handle traffic. It's important to note that [service endpoints are not supported](/azure/virtual-network/virtual-network-service-endpoints-overview#limitations). If users are seeing these IPv6 addresses, remove the service endpoint from their virtual network subnet configuration.

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**

+After administrators confirm the settings using [report-only mode](howto-conditional-access-insights-reporting.md), they can move the **Enable policy** toggle from **Report-only** to **On**.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**. The policy applies only when a service principal requests a token.

+1. Sign in to the **[Microsoft Entra admin center](https://entra.microsoft.com)** as a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+1. Browse to **Microsoft Entra ID (Azure AD)** > **Protection** > **Conditional Access**.

+1. Select **Create new policy**.

+1. Under **Target resources** > **Cloud apps** > **Include**, select **All cloud apps**. The policy applies only when a service principal requests a token.

+ Adhere to the [Branding guidelines for applications](/azure/active-directory/develop/howto-add-branding-in-apps).

+After enabling collaboration with an organization from a different Microsoft cloud, cross-cloud Azure AD guest users can now sign in to your multi-tenant or Microsoft first-party apps by using a [common endpoint](redemption-experience.md#redemption-process-and-sign-in-through-a-common-endpoint) (in other words, a general app URL that doesn't include your tenant context). During the sign-in process, the guest user chooses **Sign-in options**, and then selects **Sign in to an organization**. The user then types the name of your organization and continues signing in using their Azure AD credentials.

+## Extension app

+You might find an app named **b2c-extensions-app** in the application list. This app is created automatically inside the new directory, and it contains all extension attributes for your customer tenant.

+If you want to collect information beyond the built-in attributes, you can create [custom user attributes](how-to-define-custom-attributes.md) and add them to your sign-up user flow. Custom attributes are also known as directory extension attributes, as they extend the user profile information stored in your customer directory. All extension attributes for your customer tenant are stored in the **b2c-extensions-app**. Do not delete this app.

+You can learn more about this app [here](/azure/active-directory-b2c/extensions-app).

+### Configure idtyp token claim

+**Cause**: This error occurs when you try to delete a customer tenant but you haven't deleted the **b2c-extensions-app**.

+Custom attributes are also known as directory extension attributes expand the user profile information stored in your customer directory. All extension attributes for your customer tenant are stored in the app named **b2c-extensions-app**.

+## 3. Configure idtyp token claim

+## Configure idtyp token claim

+SAML/WS-Fed IdP federation guest users can now sign in to your multi-tenant or Microsoft first-party apps by using a [common endpoint](redemption-experience.md#redemption-process-and-sign-in-through-a-common-endpoint) (in other words, a general app URL that doesn't include your tenant context). During the sign-in process, the guest user chooses **Sign-in options**, and then selects **Sign in to an organization**. The user then types the name of your organization and continues signing in using their own credentials.

+Google guest users can now sign in to your multi-tenant or Microsoft first-party apps by using a [common endpoint](redemption-experience.md#redemption-process-and-sign-in-through-a-common-endpoint) (in other words, a general app URL that doesn't include your tenant context). During the sign-in process, the guest user chooses **Sign-in options**, and then selects **Sign in to an organization**. The user then types the name of your organization and continues signing in using their Google credentials.

+Invitation emails are a critical component to bring partners on board as B2B collaboration users in Azure AD. ItΓÇÖs [not required that you send an email to invite someone using B2B collaboration](redemption-experience.md#redemption-process-through-a-direct-link), but it gives the user all the information they need to decide if they accept your invite or not. It also gives them a link they can always refer to in the future when they need to return to your resources.

+Email one-time passcode guest users can now sign in to your multi-tenant or Microsoft first-party apps by using a [common endpoint](redemption-experience.md#redemption-process-and-sign-in-through-a-common-endpoint) (in other words, a general app URL that doesn't include your tenant context). During the sign-in process, the guest user chooses **Sign-in options**, and then selects **Sign in to an organization**. The user then types the name of your organization and continues signing in using one-time passcode.

+Your existing guest users won't be affected if you enable email one-time passcode, as your existing users are already past the point of redemption. Enabling email one-time passcode will only affect future redemption process activities where new guest users are redeeming into the tenant.

+For more information about the different redemption process pathways, see [B2B collaboration invitation redemption](redemption-experience.md).

+## Redemption process and sign-in through a common endpoint

+## Redemption process through a direct link

+## Redemption process through the invitation email

+## Redemption process limitation with conflicting Contact object

+- Signing back into an application after redemption process using [SAML/WS-Fed IdP](./direct-federation.md) and [Google Federation](./google-federation.md) accounts.

+1. Azure AD performs user-based discovery to determine if the user already exists in a managed Azure AD tenant. (Unmanaged Azure AD accounts can no longer be used for the redemption flow.) If the userΓÇÖs User Principal Name ([UPN](../hybrid/plan-connect-userprincipalname.md#what-is-userprincipalname)) matches both an existing Azure AD account and a personal MSA, the user is prompted to choose which account they want to redeem with.

+### Automatic redemption process setting

+## The user that I invited is receiving an error during the redemption process

+Sometimes, the external guest user you're inviting conflicts with an existing [Contact object](/graph/api/resources/contact). When this occurs, the guest user is created without a proxyAddress. This means that the user won't be able to redeem this account using [just-in-time redemption](redemption-experience.md#redemption-process-through-a-direct-link) or [email one-time passcode authentication](one-time-passcode.md#user-experience-for-one-time-passcode-guest-users). Also, if the contact object you're synchronizing from on-premises AD conflicts with an existing guest user, the conflicting proxyAddress is removed from the existing guest user.

+- Extend user profiles, such as add Hourly Salary to all my employees.

+- Ensure every machine has a unique local administrator password. For more information, see [Local Administrator Password Solution (Windows LAPS)](/windows-server/identity/laps/laps-overview) can configure unique random passwords on each workstation and server store them in Active Directory protected by an ACL. Only eligible authorized users can read or request the reset of these local administrator account passwords. Additional guidance for operating an environment with Windows LAPS and privileged access workstations (PAWs) can be found in [Operational standards based on clean source principle](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#operational-standards-based-on-clean-source-principle).

+##### CloudPasswordPolicyForPasswordSyncedUsersEnabled

+If there are synchronized users that only interact with Azure AD integrated services and must also comply with a password expiration policy, you can force them to comply with your Azure AD password expiration policy by enabling the *CloudPasswordPolicyForPasswordSyncedUsersEnabled* feature (in the deprecated MSOnline PowerShell module it was called *EnforceCloudPasswordPolicyForPasswordSyncedUsers*).

+When *CloudPasswordPolicyForPasswordSyncedUsersEnabled* is disabled (which is the default setting), Azure AD Connect sets the PasswordPolicies attribute of synchronized users to "DisablePasswordExpiration". This is done every time a user's password is synchronized and instructs Azure AD to ignore the cloud password expiration policy for that user. You can check the value of the attribute using the Azure AD PowerShell module with the following command:

+`(Get-MgUser -UserId <User Object ID> -Property PasswordPolicies).PasswordPolicies`

+To enable the CloudPasswordPolicyForPasswordSyncedUsersEnabled feature, run the following commands using the Graph PowerShell module as shown below:

+$OnPremSync = Get-MgDirectoryOnPremiseSynchronization

+$OnPremSync.Features.CloudPasswordPolicyForPasswordSyncedUsersEnabled = $true

+Update-MgDirectoryOnPremiseSynchronization `

+ -OnPremisesDirectorySynchronizationId $OnPremSync.Id `

+ -Features $OnPremSync.Features

+After the *CloudPasswordPolicyForPasswordSyncedUsersEnabled* feature is enabled, new users are provisioned without a PasswordPolicies value.

+>It is recommended to enable *CloudPasswordPolicyForPasswordSyncedUsersEnabled* prior to enabling password hash sync, so that the initial sync of password hashes does not add the `DisablePasswordExpiration` value to the PasswordPolicies attribute for the users.

+The default Azure AD password policy requires users to change their passwords every 90 days. If your policy in AD is also 90 days, the two policies should match. However, if the AD policy is not 90 days, you can update the Azure AD password policy to match by using the Update-MgDomain PowerShell command (previously: Set-MsolPasswordPolicy).

+`Update-MgUser -UserID <User Object ID> -PasswordPolicies "DisablePasswordExpiration"`

+> Neither the Update-MgDomain, nor the deprecated Set-MsolPasswordPolicy PowerShell commands will work on federated domains.

+> Neither the Set-MgUser, nor the deprecated Set-AzureADUser PowerShell commands will work on federated domains.

+- While users are in Staged Rollout with Password Hash Synchronization (PHS), by default no password expiration is applied. Password expiration can be applied by enabling "CloudPasswordPolicyForPasswordSyncedUsersEnabled". When "CloudPasswordPolicyForPasswordSyncedUsersEnabled" is enabled, password expiration policy is set to 90 days from the time password was set on-prem with no option to customize it. Programmatically updating PasswordPolicies attribute is not supported while users are in Staged Rollout. To learn how to set 'CloudPasswordPolicyForPasswordSyncedUsersEnabled' see [Password expiration policy](./how-to-connect-password-hash-synchronization.md#cloudpasswordpolicyforpasswordsyncedusersenabled).

+> Currently only builds 2.1.16.0 (release August 8th 2022) or later are supported.

+| `*.digicert.cn` |HTTP/80 |Used to verify certificates. |

+Organizations can choose to deploy risk-based policies in Conditional Access using the steps outlined below or using the [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md#conditional-access-templates).

+Microsoft 365 application launcher is the recommended app launching solution for organizations using Microsoft 365.

+[Learn more](/Viva/engage/eac-key-admin-roles-permissions)

+- [Assign a user as an administrator of an Azure subscription](../../role-based-access-control/role-assignments-portal-subscription-admin.md)

+The objective of this tutorial is to demonstrate the steps to be performed in Figma and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision user accounts to Figma.

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+> For more information on how to configure the SSO at MURAL, please follow [this](https://support.mural.co/s/article/configure-sso-with-mural-and-azure-ad) support page.

+Once you configure Mural Identity you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)

+- `AZURE_TENANT_ID` the **Directory (tenant) ID**. Learn [how to find your Azure Active Directory tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name).

+| Language | Language detection | Profanity | OCR | Auto-correction |

+| - |-|--|--|-|

+|Afrikaans | |✔️ | | |

+|Albanian | |✔️ | | |

+|Amharic | |✔️ | | |

+|Arabic | |✔️ |✔️ | ✔️|

+|Arabic (Romanized) |✔️ | | | |

+|Armenian | |✔️ | | |

+|Assamese | |✔️ | | |

+|Azerbaijani | |✔️ | | |

+|Bangla - Bangladesh | |✔️ | | |

+|Bangla - India | |✔️ | | |

+|Balinese |✔️ | | | |

+|Basque | |✔️ | | |

+|Belarusian | |✔️ | | |

+|Bengali | ✔️| | | |

+|Bosnian - Cyrillic | |✔️ | | |

+|Bosnian - Latin | |✔️ | | |

+|Buginese |✔️ | | | |

+|Buhid |✔️ | | | |

+|Bulgarian | |✔️ | | |

+|Breton (non-GeoPol) | |✔️ | | |

+|Carian |✔️ | | | |

+|Catalan | |✔️ | | |

+|Central Kurdish | |✔️ | | |

+|Cherokee | |✔️ | | |

+|Chinese (Simplified) |✔️ |✔️ |✔️ | |

+|Chinese (Traditional) |✔️ | |✔️ | |

+|Chinese (Traditional) - Hong Kong SAR | |✔️ | | |

+|Chinese (Traditional) - Taiwan | |✔️ | | |

+|Church (Slavic) |✔️ | | | |

+|Coptic |✔️ | | | |

+|Croatian | |✔️ | | |

+|Czech |✔️ |✔️ |✔️ | |

+|Danish | |✔️ |✔️ |✔️ |

+|Dari |✔️ |✔️ | | |

+|Dhivehi |✔️ | | | |

+|Dutch |✔️ |✔️ |✔️ |✔️ |

+|English | |✔️ |✔️ |✔️ |

+|English (Creole) |✔️ | | | |

+|Estonian | |✔️ | | |

+|Filipino | |✔️ | | |

+|Finnish | |✔️ |✔️ |✔️ |

+|French | ✔️|✔️ |✔️ |✔️ |

+|Georgian | |✔️ | | |

+|German |✔️ |✔️ |✔️ | |

+|Greek |✔️ |✔️ | | |

+|Greek (modern) | | |✔️ |✔️ |

+|Gujarati | |✔️ | | |

+|Haitian |✔️ | | | |

+|Hausa | |✔️ | | |

+|Hebrew |✔️ |✔️ | | |

+|Hindi |✔️ |✔️ | | |

+|Hmong |✔️ | | | |

+|Hungarian |✔️ |✔️ |✔️ | |

+|Icelandic | |✔️ | | |

+|Igbo | |✔️ | | |

+|Indonesian | |✔️ | | |

+|Inuktitut | |✔️ | | |

+|Irish | |✔️ | | |

+|isiXhosa | |✔️ | | |

+|isiZulu | |✔️ | | |

+|Italian |✔️ |✔️ |✔️ |✔️ |

+|Japanese |✔️ |✔️ |✔️ | |

+|Kannada | |✔️ | | |

+|Kazakh | |✔️ | | |

+|Khmer | |✔️ | | |

+|K'iche | |✔️ | | |

+|Kinyarwanda | |✔️ | | |

+|Kiswahili | |✔️ | | |

+|Konkani | |✔️ | | |

+|Korean |✔️ |✔️ |✔️ |✔️ |

+|Kurdish (Arabic) |✔️ | | | |

+|Kurdish (Latin) |✔️ | | | |

+|Kyrgyz | |✔️ | | |

+|Lao | |✔️ | | |

+|Latvian | |✔️ | | |

+|Lepcha |✔️ | | | |

+|Limbu |✔️ | | | |

+|Lithuanian | |✔️ | | |

+|Lu |✔️ | | | |

+|Luxembourgish | |✔️ | | |

+|Lycian |✔️ | | | |

+|Lydian |✔️ | | | |

+|Macedonian | |✔️ | | |

+|Malay | |✔️ | | |

+|Malayalam | |✔️ | | |

+|Maltese | |✔️ | | |

+|Maori | |✔️ | | |

+|Marathi | |✔️ | | |

+|Mongolian | |✔️ | | |

+|Mycenaean (Greek) |✔️ | | | |

+|Nepali | |✔️ | | |

+|Nko |✔️ | | | |

+|Norwegian | | |✔️ |✔️ |

+|Norwegian (Bokmal) |✔️ |✔️ | | |

+|Norwegian (Nynorsk) |✔️ |✔️ | | |

+|Odia | |✔️ | | |

+|Pashto |✔️ |✔️ | | |

+|Persian |✔️ |✔️ | | |

+|Polish |✔️ |✔️ |✔️ |✔️ |

+|Portuguese - Brazil |✔️ |✔️ |✔️ |✔️ |

+|Portuguese - Portugal |✔️ |✔️ |✔️ |✔️ |

+|Pulaar | |✔️ | | |

+|Punjabi |✔️ |✔️ | | |

+|Punjabi (Pakistan) | |✔️ | | |

+|Quechua (Peru) | |✔️ | | |

+|Rejang |✔️ | | | |

+|Romanian | |✔️ |✔️ |✔️ |

+|Russian |✔️ |✔️ |✔️ |✔️ |

+|Santali |✔️ | | | |

+|Sasak |✔️ | | | |

+|Saurashtra |✔️ | | | |

+|Serbian (Cyrillic) |✔️ |✔️ |✔️ | |

+|Serbian (Cyrillic, Bosnia and Herzegovina) | |✔️ | | |

+|Serbian (Latin) |✔️ |✔️ |✔️ | |

+|Sesotho | |✔️ | | |

+|Sesotho sa Leboa | |✔️ | | |

+|Setswana | |✔️ | | |

+|Sindhi | |✔️ | | |

+|Sinhala |✔️ |✔️ | | |

+|Slovak | |✔️ |✔️ |✔️ |

+|Slovenian |✔️ |✔️ | | |

+|Spanish |✔️ |✔️ |✔️ |✔️ |

+|Swedish |✔️ |✔️ |✔️ | |

+|Sylheti |✔️ | | | |

+|Syriac |✔️ | | | |

+|Tagbanwa |✔️ | | | |

+|Tai (Nua) |✔️ | | | |

+|Tajik | |✔️ | | |

+|Tamashek |✔️ | | | |

+|Tamil | |✔️ | | |

+|Tatar | |✔️ | | |

+|Telugu | |✔️ | | |

+|Thai | |✔️ | | |

+|Tigrinya | |✔️ | | |

+|Turkish |✔️ |✔️ |✔️ |✔️ |

+|Turkmen | |✔️ | | |

+|Ugaritic |✔️ | | | |

+|Ukrainian | |✔️ | | |

+|Urdu | |✔️ | | |

+|Uyghur | |✔️ | | |

+|Uzbek (Cyrillic) |✔️ |✔️ | | |

+|Uzbek (Latin) |✔️ |✔️ | | |

+|Valencian | |✔️ | | |

+|Vai |✔️ | | | |

+|Vietnamese | |✔️ | | |

+|Wolof | |✔️ | | |

+|Yi |✔️ | | | |

+|Yoruba | |✔️ | | |

+|Zhuang, Chuang |✔️ | | | |

+> Due to high demand:

+>

+> - South Central US is temporarily unavailable for creating new resources and deployments.

+> - East US is temporarily unavailable for new deployments of GPT-4 version 0314 models.

+| `gpt-35-turbo` (0613) | Canada East, East US, France Central, Japan East, North Central US, UK South | N/A | 4,096 | Sep 2021 |

+| `gpt-35-turbo-16k` (0613) | Canada East, East US, France Central, Japan East, North Central US, UK South | N/A | 16,384 | Sep 2021 |

+| text-embedding-ada-002 (version 2) | Canada East, East US, South Central US, West Europe | N/A |8,191 | Sep 2021 |

+### New Regions

+- Azure OpenAI is now also available in the Canada East, Japan East, and North Central US regions. Check the [models page](concepts/models.md), for the latest information on model availability in each region.

+ Title: "Deploy Quarkus on Azure Kubernetes Service"

+description: Shows how to quickly stand up Quarkus on Azure Kubernetes Service.

+#CustomerIntent: As a developer, I want deploy a simple CRUD Quarkus app on AKS so that can start iterating it into a proper LOB app.

+# external contributor: danieloh30

+# Deploy a Java application with Quarkus on an Azure Kubernetes Service cluster

+This article shows you how to quickly deploy Red Hat Quarkus on Azure Kubernetes Service (AKS) with a simple CRUD application. The application is a "to do list" with a JavaScript front end and a REST endpoint. Azure Database for PostgreSQL provides the persistence layer for the app. The article shows you how to test your app locally and deploy it to AKS.

+## Prerequisites

+- [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]

+- Azure Cloud Shell has all of these prerequisites preinstalled. For more, see [Quickstart for Azure Cloud Shell](/azure/cloud-shell/quickstart).

+- If you're running the commands in this guide locally (instead of using Azure Cloud Shell), complete the following steps:

+ - Prepare a local machine with Unix-like operating system installed (for example, Ubuntu, macOS, or Windows Subsystem for Linux).

+ - Install a Java SE implementation (for example, [Microsoft build of OpenJDK](/java/openjdk)).

+ - Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.

+ - Install [Docker](https://docs.docker.com/get-docker/) or [Podman](https://podman.io/docs/installation) for your OS.

+ - Install [jq](https://jqlang.github.io/jq/download/).

+ - Install [cURL](https://curl.se/download.html).

+ - Install the [Quarkus CLI](https://quarkus.io/guides/cli-tooling).

+- Azure CLI for Unix-like environments. This article requires only the Bash variant of Azure CLI.

+ - [!INCLUDE [azure-cli-login](../../includes/azure-cli-login.md)]

+ - This article requires at least version 2.31.0 of Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+## Create the app project

+Use the following command to clone the sample Java project for this article. The sample is on [GitHub](https://github.com/Azure-Samples/quarkus-azure).

+```bash

+git clone https://github.com/Azure-Samples/quarkus-azure

+cd quarkus-azure

+git checkout 2023-07-17

+cd aks-quarkus

+```

+If you see a message about being in *detached HEAD* state, this message is safe to ignore. Because this article doesn't require any commits, detached HEAD state is appropriate.

+## Test your Quarkus app locally

+The steps in this section show you how to run the app locally.

+Quarkus supports the automatic provisioning of unconfigured services in development and test mode. Quarkus refers to this capability as dev services. Let's say you include a Quarkus feature, such as connecting to a database service. You want to test the app, but haven't yet fully configured the connection to a real database. Quarkus automatically starts a stub version of the relevant service and connects your application to it. For more information, see [Dev Services Overview](https://quarkus.io/guides/dev-services#databases) in the Quarkus documentation.

+Make sure your container environment, Docker or Podman, is running and use the following command to enter Quarkus dev mode:

+```azurecli-interactive

+quarkus dev

+```

+Instead of `quarkus dev`, you can accomplish the same thing with Maven by using `mvn quarkus:dev`.

+You may be asked if you want to send telemetry of your usage of Quarkus dev mode. If so, answer as you like.

+Quarkus dev mode enables live reload with background compilation. If you modify any aspect of your app source code and refresh your browser, you can see the changes. If there are any issues with compilation or deployment, an error page lets you know. Quarkus dev mode listens for a debugger on port 5005. If you want to wait for the debugger to attach before running, pass `-Dsuspend` on the command line. If you donΓÇÖt want the debugger at all, you can use `-Ddebug=false`.

+The output should look like the following example:

+```output

+__ ____ __ _____ ___ __ ____ ______

+ --/ __ \/ / / / _ | / _ \/ //_/ / / / __/

+ -/ /_/ / /_/ / __ |/ , _/ ,< / /_/ /\ \

+--\___\_\____/_/ |_/_/|_/_/|_|\____/___/

+INFO [io.quarkus] (Quarkus Main Thread) quarkus-todo-demo-app-aks 1.0.0-SNAPSHOT on JVM (powered by Quarkus 3.2.0.Final) started in 3.377s. Listening on: http://localhost:8080

+INFO [io.quarkus] (Quarkus Main Thread) Profile dev activated. Live Coding activated.

+INFO [io.quarkus] (Quarkus Main Thread) Installed features: [agroal, cdi, hibernate-orm, hibernate-orm-panache, hibernate-validator, jdbc-postgresql, narayana-jta, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, vertx]

+--

+Tests paused

+Press [e] to edit command line args (currently ''), [r] to resume testing, [o] Toggle test output, [:] for the terminal, [h] for more options>

+```

+Press <kbd>w</kbd> on the terminal where Quarkus dev mode is running. The <kbd>w</kbd> key opens your default web browser to show the `Todo` application. You can also access the application GUI at `http://localhost:8080` directly.

+Try selecting a few todo items in the todo list. The UI indicates selection with a strikethrough text style. You can also add a new todo item to the todo list by typing *Verify Todo apps* and pressing <kbd>ENTER</kbd>, as shown in the following screenshot:

+Access the RESTful API (`/api`) to get all todo items that store in the local PostgreSQL database:

+```azurecli-interactive

+curl --verbose http://localhost:8080/api | jq .

+```

+The output should look like the following example:

+```output

+* Connected to localhost (127.0.0.1) port 8080 (#0)

+> GET /api HTTP/1.1

+> Host: localhost:8080

+> User-Agent: curl/7.88.1

+> Accept: */*

+>

+< HTTP/1.1 200 OK

+< content-length: 664

+< Content-Type: application/json;charset=UTF-8

+<

+{ [664 bytes data]

+100 664 100 664 0 0 13278 0 --:--:-- --:--:-- --:--:-- 15441

+* Connection #0 to host localhost left intact

+[

+ {

+ "id": 1,

+ "title": "Introduction to Quarkus Todo App",

+ "completed": false,

+ "order": 0,

+ "url": null

+ },

+ {

+ "id": 2,

+ "title": "Quarkus on Azure App Service",

+ "completed": false,

+ "order": 1,

+ "url": "https://learn.microsoft.com/en-us/azure/developer/java/eclipse-microprofile/deploy-microprofile-quarkus-java-app-with-maven-plugin"

+ },

+ {

+ "id": 3,

+ "title": "Quarkus on Azure Container Apps",

+ "completed": false,

+ "order": 2,

+ "url": "https://learn.microsoft.com/en-us/training/modules/deploy-java-quarkus-azure-container-app-postgres/"

+ },

+ {

+ "id": 4,

+ "title": "Quarkus on Azure Functions",

+ "completed": false,

+ "order": 3,

+ "url": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-first-quarkus"

+ },

+ {

+ "id": 5,

+ "title": "Verify Todo apps",

+ "completed": false,

+ "order": 5,

+ "url": null

+ }

+]

+```

+Press <kbd>q</kbd> to exit Quarkus dev mode.

+## Create the Azure resources to run the Quarkus app

+The steps in this section show you how to create the following Azure resources to run the Quarkus sample app:

+- Azure Database for PostgreSQL

+- Azure Container Registry (ACR)

+- Azure Kubernetes Service (AKS)

+Some of these resources must have unique names within the scope of the Azure subscription. To ensure this uniqueness, you can use the *initials, sequence, date, suffix* pattern. To apply this pattern, name your resources by listing your initials, some sequence number, today's date, and some kind of resource specific suffix - for example, `rg` for "resource group". Use the following commands to define some environment variables to use later:

+```azurecli-interactive

+export UNIQUE_VALUE=<your unique value, such as ejb010717>

+export RESOURCE_GROUP_NAME=${UNIQUE_VALUE}rg

+export LOCATION=<your desired Azure region for deploying your resources. For example, eastus>

+export REGISTRY_NAME=${UNIQUE_VALUE}reg

+export DB_SERVER_NAME=${UNIQUE_VALUE}db

+export CLUSTER_NAME=${UNIQUE_VALUE}aks

+export AKS_NS=${UNIQUE_VALUE}ns

+```

+### Create an Azure Database for PostgreSQL

+Azure Database for PostgreSQL is a managed service to run, manage, and scale highly available PostgreSQL databases in the Azure cloud. This section directs you to a separate quickstart that shows you how to create a single Azure Database for PostgreSQL server and connect to it. However, when you follow the steps in the quickstart, you need to use the settings in the following table to customize the database deployment for the sample Quarkus app. Replace the environment variables with their actual values when filling out the fields in the Azure portal.

+| Setting | Value | Description |

+|:|:-|:-|

+| Resource group | `${RESOURCE_GROUP_NAME}` | Select **Create new**. The deployment creates this new resource group. |

+| Server name | `${DB_SERVER_NAME}` | This value forms part of the hostname for the database server. |

+| Location | `${LOCATION}` | Select a location from the dropdown list. Take note of the location. You must use this same location for other Azure resources you create. |

+| Admin username | *quarkus* | The sample code assumes this value. |

+| Password | *Secret123456* | The sample code assumes this value. |

+With these value substitutions in mind, follow the steps in [Quickstart: Create an Azure Database for PostgreSQL server by using the Azure portal](/azure/postgresql/quickstart-create-server-database-portal) up to the "Configure a firewall rule" section. Then, in the "Configure a firewall rule" section, be sure to select **Yes** for **Allow access to Azure services**, then select **Save**. If you neglect to do this, your Quarkus app can't access the database and simply fails to ever start.

+After you complete the steps in the quickstart through the "Configure a firewall rule" section, including the step to allow access to Azure services, return to this article.

+### Create a Todo database in PostgreSQL

+The PostgreSQL server that you created earlier is empty. It doesn't have any database that you can use with the Quarkus application. Create a new database called `todo` by using the following command:

+```azurecli-interactive

+az postgres db create \

+ --resource-group ${RESOURCE_GROUP_NAME} \

+ --name todo \

+ --server-name ${DB_SERVER_NAME}

+```

+You must use `todo` as the name of the database because the sample code assumes that database name.

+If the command is successful, the output looks similar to the following example:

+```output

+{

+ "charset": "UTF8",

+ "collation": "English_United States.1252",

+ "id": "/subscriptions/REDACTED/resourceGroups/ejb010718rg/providers/Microsoft.DBforPostgreSQL/servers/ejb010718db/databases/todo",

+ "name": "todo",

+ "resourceGroup": "ejb010718rg",

+ "type": "Microsoft.DBforPostgreSQL/servers/databases"

+}

+```

+### Create a Microsoft Azure Container Registry instance

+Because Quarkus is a cloud native technology, it has built-in support for creating containers that run in Kubernetes. Kubernetes is entirely dependent on having a container registry from which it finds the container images to run. AKS has built-in support for Azure Container Registry (ACR).

+Use the [az acr create](/cli/azure/acr#az-acr-create) command to create the ACR instance. The following example creates an ACR instance named with the value of your environment variable `${REGISTRY_NAME}`:

+```azurecli-interactive

+az acr create \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --location ${LOCATION} \

+ --name $REGISTRY_NAME \

+ --sku Basic \

+ --admin-enabled

+```

+After a short time, you should see JSON output that contains the following lines:

+```output

+ "provisioningState": "Succeeded",

+ "publicNetworkAccess": "Enabled",

+ "resourceGroup": "<YOUR_RESOURCE_GROUP>",

+```

+### Connect your docker to the ACR instance

+Sign in to the ACR instance. Signing in lets you push an image. Use the following commands to verify the connection:

+```azurecli-interactive

+export LOGIN_SERVER=$(az acr show \

+ --name $REGISTRY_NAME \

+ --query 'loginServer' \

+ --output tsv)

+echo $LOGIN_SERVER

+export USER_NAME=$(az acr credential show \

+ --name $REGISTRY_NAME \

+ --query 'username' \

+ --output tsv)

+echo $USER_NAME

+export PASSWORD=$(az acr credential show \

+ --name $REGISTRY_NAME \

+ --query 'passwords[0].value' \

+ --output tsv)

+echo $PASSWORD

+docker login $LOGIN_SERVER -u $USER_NAME -p $PASSWORD

+```

+If you're using Podman instead of Docker, make the necessary changes to the command.

+If you've signed into the ACR instance successfully, you should see `Login Succeeded` at the end of command output.

+### Create an AKS cluster

+Use the [az aks create](/cli/azure/aks#az-aks-create) command to create an AKS cluster. The following example creates a cluster named with the value of your environment variable `${CLUSTER_NAME}` with one node. The cluster is connected to the ACR instance you created in a preceding step. This command takes several minutes to complete.

+```azurecli-interactive

+az aks create \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --location ${LOCATION} \

+ --name $CLUSTER_NAME \

+ --attach-acr $REGISTRY_NAME \

+ --node-count 1 \

+ --generate-ssh-keys \

+ --enable-managed-identity

+```

+After a few minutes, the command completes and returns JSON-formatted information about the cluster, including the following output:

+```output

+ "nodeResourceGroup": "MC_<your resource_group_name>_<your cluster name>_<your region>",

+ "privateFqdn": null,

+ "provisioningState": "Succeeded",

+ "resourceGroup": "<your resource group name>",

+```

+### Connect to the AKS cluster

+To manage a Kubernetes cluster, you use `kubectl`, the Kubernetes command-line client. If you use Azure Cloud Shell, `kubectl` is already installed. To install `kubectl` locally, use the [az aks install-cli](/cli/azure/aks#az-aks-install-cli) command, as shown in the following example:

+```azurecli-interactive

+az aks install-cli

+```

+For more information about `kubectl`, see [Command line tool (kubectl)](https://kubernetes.io/docs/reference/kubectl/overview/) in the Kubernetes documentation.

+To configure `kubectl` to connect to your Kubernetes cluster, use the [az aks get-credentials](/cli/azure/aks#az-aks-get-credentials) command, as shown in the following example. This command downloads credentials and configures the Kubernetes CLI to use them.

+```azurecli-interactive

+az aks get-credentials \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --name $CLUSTER_NAME \

+ --overwrite-existing \

+ --admin

+```

+Successful output includes text similar to the following example:

+```output

+Merged "ejb010718aks-admin" as current context in /Users/edburns/.kube/config

+```

+You might find it useful to alias `k` to `kubectl`. If so, use the following command:

+```azurecli-interactive

+alias k=kubectl

+```

+To verify the connection to your cluster, use the `kubectl get` command to return a list of the cluster nodes, as shown in the following example:

+```azurecli-interactive

+kubectl get nodes

+```

+The following example output shows the single node created in the previous steps. Make sure that the status of the node is **Ready**:

+```output

+NAME STATUS ROLES AGE VERSION

+aks-nodepool1-xxxxxxxx-yyyyyyyyyy Ready agent 76s v1.23.8

+```

+### Create a new namespace in AKS

+Use the following command to create a new namespace in your Kubernetes service for your Quarkus app:

+```azurecli-interactive

+kubectl create namespace ${AKS_NS}

+```

+The output should look like the following example:

+```output

+namespace/<your namespace> created

+```

+### Customize the cloud native configuration

+As a cloud native technology, Quarkus offers the ability to automatically configure resources for standard Kubernetes, Red Hat OpenShift, and Knative. For more information, see the [Quarkus Kubernetes guide](https://quarkus.io/guides/deploying-to-kubernetes#kubernetes), [Quarkus OpenShift guide](https://quarkus.io/guides/deploying-to-kubernetes#openshift) and [Quarkus Knative guide](https://quarkus.io/guides/deploying-to-kubernetes#knative). Developers can deploy the application to a target Kubernetes cluster by applying the generated manifests.

+To generate the appropriate Kubernetes resources, use the following command to add the `quarkus-kubernetes` and `container-image-jib` extensions in your local terminal:

+```azurecli-interactive

+quarkus ext add kubernetes container-image-jib

+```

+Quarkus modifies the POM to ensure these extensions are listed as `<dependencies>`. If asked to install something called `JBang`, answer *yes* and allow it to be installed.

+The output should look like the following example:

+```output

+[SUCCESS] ✅ Extension io.quarkus:quarkus-kubernetes has been installed

+[SUCCESS] ✅ Extension io.quarkus:quarkus-container-image-jib has been installed

+```

+To verify the extensions are added, you can run `git diff` and examine the output.

+As a cloud native technology, Quarkus supports the notion of configuration profiles. Quarkus has the following three built-in profiles:

+- `dev` - Activated when in development mode

+- `test` - Activated when running tests

+- `prod` - The default profile when not running in development or test mode

+Quarkus supports any number of named profiles, as needed.

+The remaining steps in this section direct you to uncomment and customize values in the *src/main/resources/application.properties* file. Ensure that all lines starting with `# %prod.` are uncommented by removing the leading `#`.

+The `prod.` prefix indicates that these properties are active when running in the `prod` profile. For more information on configuration profiles, see the [Quarkus documentation](https://access.redhat.com/search/?q=Quarkus+Using+configuration+profiles).

+#### Database configuration

+Add the following database configuration variables. Replace the values of `<DB_SERVER_NAME_VALUE>` with the actual values of the `${DB_SERVER_NAME}` environment variable.

+```yaml

+# Database configurations

+%prod.quarkus.datasource.db-kind=postgresql

+%prod.quarkus.datasource.jdbc.url=jdbc:postgresql://<DB_SERVER_NAME_VALUE>.postgres.database.azure.com:5432/todo

+%prod.quarkus.datasource.jdbc.driver=org.postgresql.Driver

+%prod.quarkus.datasource.username=quarkus@<DB_SERVER_NAME_VALUE>

+%prod.quarkus.datasource.password=Secret123456

+%prod.quarkus.hibernate-orm.database.generation=drop-and-create

+```

+#### Kubernetes configuration

+Add the following Kubernetes configuration variables. Make sure to set `service-type` to `load-balancer` to access the app externally.

+```yaml

+# AKS configurations

+%prod.quarkus.kubernetes.deployment-target=kubernetes

+%prod.quarkus.kubernetes.service-type=load-balancer

+```

+#### Container image configuration

+As a cloud native technology, Quarkus supports generating OCI container images compatible with Docker and Podman. Add the following container-image variables. Replace the values of `<LOGIN_SERVER_VALUE>` and `<USER_NAME_VALUE>` with the values of the actual values of the `${LOGIN_SERVER}` and `${USER_NAME}` environment variables, respectively.

+```yaml

+# Container Image Build

+%prod.quarkus.container-image.build=true

+%prod.quarkus.container-image.registry=<LOGIN_SERVER_VALUE>

+%prod.quarkus.container-image.group=<USER_NAME_VALUE>

+%prod.quarkus.container-image.name=todo-quarkus-aks

+%prod.quarkus.container-image.tag=1.0

+```

+### Build the container image and push it to ACR

+Now, use the following command to build the application itself. This command uses the Kubernetes and Jib extensions to build the container image.

+```azurecli-interactive

+quarkus build --no-tests

+```

+The output should end with `BUILD SUCCESS`. The Kubernetes manifest files are generated in *target/kubernetes*, as shown in the following example:

+```output

+tree target/kubernetes

+target/kubernetes

+Γö£ΓöÇΓöÇ kubernetes.json

+ΓööΓöÇΓöÇ kubernetes.yml

+0 directories, 2 files

+```

+You can verify whether the container image is generated as well using `docker` or `podman` command line (CLI). Output looks similar to the following example:

+```output

+docker images | grep todo

+<LOGIN_SERVER_VALUE>/<USER_NAME_VALUE>/todo-quarkus-aks 1.0 b13c389896b7 18 minutes ago 420MB

+```

+Push the container images to ACR by using the following command:

+```azurecli-interactive

+export TODO_QUARKUS_TAG=$(docker images | grep todo-quarkus-aks | head -n1 | cut -d " " -f1)

+echo ${TODO_QUARKUS_TAG}

+docker push ${TODO_QUARKUS_TAG}:1.0

+```

+The output should look similar to the following example:

+```output

+The push refers to repository [<LOGIN_SERVER_VALUE>/<USER_NAME_VALUE>/todo-quarkus-aks]

+dfd615499b3a: Pushed

+56f5cf1aa271: Pushed

+4218d39b228e: Pushed

+b0538737ed64: Pushed

+d13845d85ee5: Pushed

+60609ec85f86: Pushed

+1.0: digest: sha256:0ffd70d6d5bb3a4621c030df0d22cf1aa13990ca1880664d08967bd5bab1f2b6 size: 1995

+```

+Now that you've pushed the app to ACR, you can tell AKS to run the app.

+## Deploy the Quarkus app to AKS

+The steps in this section show you how to run the Quarkus sample app on the Azure resources you've created.

+### Use kubectl apply to deploy the Quarkus app to AKS

+Deploy the Kubernetes resources using `kubectl` on the command line, as shown in the following example:

+```azurecli-interactive

+kubectl apply -f target/kubernetes/kubernetes.yml -n ${AKS_NS}

+```

+The output should look like the following example:

+```output

+deployment.apps/quarkus-todo-demo-app-aks created

+```

+Verify the app is running by using the following command:

+```azurecli-interactive

+kubectl -n $AKS_NS get pods

+```

+If the value of the `STATUS` field shows anything other than `Running`, troubleshoot and resolve the problem before continuing. It may help to examine the pod logs by using the following command:

+```azurecli-interactive

+kubectl -n $AKS_NS logs $(kubectl -n $AKS_NS get pods | grep quarkus-todo-demo-app-aks | cut -d " " -f1)

+```

+Get the `EXTERNAL-IP` to access the Todo application by using the following command:

+```azurecli-interactive

+kubectl get svc -n ${AKS_NS}

+```

+The output should look like the following example:

+```output

+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

+quarkus-todo-demo-app-aks LoadBalancer 10.0.236.101 20.12.126.200 80:30963/TCP 37s

+```

+You can use the following command to save the value of `EXTERNAL-IP` to an environment variable as a fully qualified URL:

+```azurecli-interactive

+export QUARKUS_URL=http://$(kubectl get svc -n ${AKS_NS} | grep quarkus-todo-demo-app-aks | cut -d " " -f10)

+echo $QUARKUS_URL

+```

+Open a new web browser to the value of `${QUARKUS_URL}`. Then, add a new todo item with the text `Deployed the Todo app to AKS`. Also, select the `Introduction to Quarkus Todo App` item as complete.

+Access the RESTful API (`/api`) to get all todo items stored in the Azure PostgreSQL database, as shown in the following example:

+```azurecli-interactive

+curl --verbose ${QUARKUS_URL}/api | jq .

+```

+The output should look like the following example:

+```output

+* Connected to 20.237.68.225 (20.237.68.225) port 80 (#0)

+> GET /api HTTP/1.1

+> Host: 20.237.68.225

+> User-Agent: curl/7.88.1

+> Accept: */*

+>

+< HTTP/1.1 200 OK

+< content-length: 828

+< Content-Type: application/json;charset=UTF-8

+<

+[

+ {

+ "id": 2,

+ "title": "Quarkus on Azure App Service",

+ "completed": false,

+ "order": 1,

+ "url": "https://learn.microsoft.com/en-us/azure/developer/java/eclipse-microprofile/deploy-microprofile-quarkus-java-app-with-maven-plugin"

+ },

+ {

+ "id": 3,

+ "title": "Quarkus on Azure Container Apps",

+ "completed": false,

+ "order": 2,

+ "url": "https://learn.microsoft.com/en-us/training/modules/deploy-java-quarkus-azure-container-app-postgres/"

+ },

+ {

+ "id": 4,

+ "title": "Quarkus on Azure Functions",

+ "completed": false,

+ "order": 3,

+ "url": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-first-quarkus"

+ },

+ {

+ "id": 5,

+ "title": "Deployed the Todo app to AKS",

+ "completed": false,

+ "order": 5,

+ "url": null

+ },

+ {

+ "id": 1,

+ "title": "Introduction to Quarkus Todo App",

+ "completed": true,

+ "order": 0,

+ "url": null

+ }

+]

+```

+### Verify the database has been updated using Azure Cloud Shell

+Open Azure Cloud Shell in the Azure portal by selecting the **Cloud Shell** icon, as shown in the following screenshot:

+Run the following command locally and paste the result into Azure Cloud Shell:

+```azurecli-interactive

+echo psql --host=${DB_SERVER_NAME}.postgres.database.azure.com --port=5432 --username=quarkus@${DB_SERVER_NAME} --dbname=todo

+```

+When asked for the password, use the value you used when you created the database.

+Use the following query to get all the todo items:

+```azurecli-interactive

+select * from todo;

+```

+The output should look similar to the following example, and should include the same items in the Todo app GUI shown previously:

+If you see `MORE` in the output, type <kbd>q</kbd> to exit the pager.

+Enter *\q* to exit from the `psql` program and return to the Cloud Shell.

+## Clean up resources

+To avoid Azure charges, you should clean up unneeded resources. When the cluster is no longer needed, use the [az group delete](/cli/azure/group#az-group-delete) command to remove the resource group, container service, container registry, and all related resources.

+```azurecli-interactive

+git reset --hard

+docker rmi ${TODO_QUARKUS_TAG}:1.0

+docker rmi postgres

+az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait

+```

+You may also want to use `docker rmi` to delete the container images `postgres` and `testcontainers` generated by Quarkus dev mode.

+## Next steps

+- [Azure Kubernetes Service](https://azure.microsoft.com/free/services/kubernetes-service/)

+- [Deploy serverless Java apps with Quarkus on Azure Functions](/azure/azure-functions/functions-create-first-quarkus)

+- [Quarkus](https://quarkus.io/)

+- [Jakarta EE on Azure](/azure/developer/java/ee)

+Alternatively, customers can collect kubelet logs using the [syslog collection feature in Azure Monitor - Container Insights](https://aka.ms/CISyslog).

+ The variable should contain the Issuer URL similar to the following example:

+ ```output

+ https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/00000000-0000-0000-0000-000000000000/

+ ```

+ By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com`, where the value for `{region}` matches the location the AKS cluster is deployed in.

+>

+> For more information, you can refer to [Azure Kubelogin Known Issues][azure-kubelogin-known-issues].

+[azure-kubelogin-known-issues]: https://azure.github.io/kubelogin/known-issues.html

+ resources:

+ requests:

+ cpu: 20m

+ memory: 46Mi

+ limits:

+ cpu: 30m

+ memory: 50Mi

+ resources:

+ requests:

+ cpu: 20m

+ memory: 46Mi

+ limits:

+ cpu: 30m

+ memory: 50Mi

+ :::image type="content" source="media/ai-walkthrough/ai-generate-description.png" alt-text="Screenshot of how to use openAI to generate a product description.":::

+

+ :::image type="content" source="media/ai-walkthrough/new-product-store-admin.png" alt-text="Screenshot viewing the new product in the store admin page.":::

+

+ :::image type="content" source="media/ai-walkthrough/new-product-store-front.png" alt-text="Screenshot viewing the new product in the store front page.":::

+> [!IMPORTANT]

+> After enabling OIDC issuer on the cluster, it's not supported to disable it.

+By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com`, where the value for `{region}` matches the location the AKS cluster is deployed in.

+## Check the OIDC keys

+By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com/{uuid}`, where the value for `{region}` matches the location the AKS cluster is deployed in. The value `{uuid}` represents the OIDC key.

+To get the discovery document, copy the URL `https://(OIDC issuer URL).well-known/openid-configuration` and open it in browser.

+- Ultra disks can't be used with some features and functionality, such as availability sets or Azure Disk Encryption. Review the [Ultra disk limitations][ultra-disk-limitations] for the latest information.

+The variable should contain the Issuer URL similar to the following example:

+```output

+https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/00000000-0000-0000-0000-000000000000/

+```

+By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com/{uuid}`, where the value for `{region}` matches the location the AKS cluster is deployed in. The value `{uuid}` represents the OIDC key.

+ The variable should contain the Issuer URL similar to the following example:

+ ```output

+ https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/00000000-0000-0000-0000-000000000000/

+ ```

+ By default, the Issuer is set to use the base URL `https://{region}.oic.prod-aks.azure.com/{uuid}`, where the value for `{region}` matches the location the AKS cluster is deployed in. The value `{uuid}` represents the OIDC key.

+July 25, 2023 - 0.4.023971 - Ingress + Gateway co-existence improvements

+July 24, 2023 - 0.4.023961 - Improved Ingress support

+ --version 0.4.023971 \

+ --version 0.4.023971 \

+Once your Application Gateway WAF is operational, you can enable logs to inspect what is happening with each request. Firewall logs give insight to what the WAF is evaluating, matching, and blocking. With Log Analytics, you can examine the data inside the firewall logs to give even more insights. For more information about log queries, see [Overview of log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md).

+## Prerequisites

+* An Azure account with an active subscription is required. If you don't already have an account, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An Azure Web Application Firewall with logs enabled. For more information, see [Azure Web Application Firewall on Azure Application Gateway](../web-application-firewall/ag/ag-overview.md).

+* A Log Analytics workspace. For more information about creating a Log Analytics workspace, see [Create a Log Analytics workspace in the Azure portal](../azure-monitor/logs/quick-create-workspace.md).

+This looks similar to the following query:

+5. Adjust the profile with the desired services and settings and select **Create**.

+The following ARM template creates an Automanage custom profile. Details on the ARM template and steps on how to deploy are located in the ARM template deployment [section](#arm-template-deployment).

+ "DefenderForCloud/Enable": true,

+This ARM template creates a custom configuration profile that you can assign to your specified machine.

+* ApplyAndAutoCorrect : This setting applies the Azure security baseline through the Guest Configuration extension, and if any setting within the baseline drifts, we'll auto-remediate the setting so it stays compliant.

+* ApplyAndMonitor : This setting applies the Azure security baseline through the Guest Configuration extention when you first assign this profile to each machine. After it's applied, the Guest Configuration service will monitor the server baseline and report any drift from the desired state. However, it will not auto-remdiate.

+* Audit : This setting installs the Azure security baseline using the Guest Configuration extension. You're able to see where your machine is out of compliance with the baseline, but noncompliance isn't automatically remediated.

+Specify your existing workspace in the `LogAnalytics/Workspace` line. Set the `LogAnalytics/Reprovision` setting to true if you would like this log analytics workspace to be used in all cases. Any machine with this custom profile then uses this workspace, even it's already connected to one. By default, the `LogAnalytics/Reprovision` is set to false. If your machine is already connected to a workspace, then that workspace is still used. If it's not connected to a workspace, then the workspace specified in `LogAnalytics\Workspace` will be used.

+The `Tags/Behavior` can be set either to Preserve or Replace. If the resource you're tagging already has the same tag key in the key/value pair, you can replace that key with the specified value in the configuration profile by using the *Replace* behavior. By default, the behavior is set to *Preserve*, meaning that the tag key that is already associated with that resource is retained and not overwritten by the key/value pair specified in the configuration profile.

+| [PowerFlex](https://www.dell.com/en-us/dt/storage/powerflex.htm) |1.25.0 | 1.21.0_2023-07-11 | 16.0.5100.7242 | 14.5 (Ubuntu 20.04) |

+| [OpenShift 4.13.4](https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html) | 1.26.5 | 1.21.0_2023-07-11 | 16.0.5100.7242 | 14.5 (Ubuntu 20.04) |

+| RedHat | [OpenShift Container Platform](https://www.openshift.com/products/container-platform) | [4.9.43](https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html), [4.10.23](https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html), 4.11.0-rc.6, [4.13.4](https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html) |

+| [Azure Queues][queue-sdk-types] | **Generally Available** | _Input binding does not exist_ | _SDK types not recommended.¹_ |

+| [Azure Event Hubs][eventhub-sdk-types] | **Generally Available** | _Input binding does not exist_ | _SDK types not recommended.¹_ |

+zone_pivot_groups: programming-languages-set-functions-lang-workers

+This article explains how return values work inside a function. In languages that have a return value, you can bind a function [output binding](./functions-triggers-bindings.md#binding-direction) to the return value.

+Set the `name` property in *function.json* to `$return`. If there are multiple output bindings, use the return value for only one of them.

+How return values are used depends on the C# mode you're using in your function app:

+# [In-process](#tab/in-process)

+In a C# class library, apply the output binding attribute to the method return value. In C# and C# script, alternative ways to send data to an output binding are `out` parameters and [collector objects](functions-reference-csharp.md#writing-multiple-output-values).

+# [Isolated process](#tab/isolated-process)

+See [Output bindings in the .NET worker guide](./dotnet-isolated-process-guide.md#output-bindings) for details and examples.

+Apply the output binding annotation to the function method. If there are multiple output bindings, use the return value for only one of them.

+This article discusses the differences between version 3 and version 4 of the Node.js programming model and how to upgrade an existing v3 app. If you want to create a new v4 app instead of upgrading an existing v3 app, see the tutorial for either [Visual Studio Code (VS Code)](./create-first-function-cli-node.md) or [Azure Functions Core Tools](./create-first-function-vs-code-node.md). This article uses "tip" alerts to highlight the most important concrete actions that you should take to upgrade your app.

+Version 4 is designed to provide Node.js developers with the following benefits:

+- Provide a familiar and intuitive experience to Node.js developers.

+- Make the file structure flexible with support for full customization.

+- Switch to a code-centric approach for defining function configuration.

+## Enable the v4 programming model

+To indicate that your function code is using the v4 model, you need to set the `EnableWorkerIndexing` flag on the `AzureWebJobsFeatureFlags` application setting. When you're running locally, add `AzureWebJobsFeatureFlags` with a value of `EnableWorkerIndexing` to your *local.settings.json* file. When you're running in Azure, you add this application setting by using the tool of your choice.

+1. Make sure you have the [Azure Functions extension for VS Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) installed.

+1. Select the <kbd>F1</kbd> key to open the command palette. In the command palette, search for and select **Azure Functions: Add New Setting**.

+1. Choose your subscription and function app when prompted.

+1. For the name, type **AzureWebJobsFeatureFlags** and select the <kbd>Enter</kbd> key.

+1. For the value, type **EnableWorkerIndexing** and select the <kbd>Enter</kbd> key.

+In v4, the [`@azure/functions`](https://www.npmjs.com/package/@azure/functions) npm package contains the primary source code that backs the Node.js programming model. In previous versions, that code shipped directly in Azure and the npm package had only the TypeScript types. You now need to include this package for both TypeScript and JavaScript apps. You _can_ include the package for existing v3 apps, but it isn't required.

+> Make sure the `@azure/functions` package is listed in the `dependencies` section (not `devDependencies`) of your *package.json* file. You can install v4 by using the following command:

+In v4 of the programming model, you can structure your code however you want. The only files that you need at the root of your app are *host.json* and *package.json*.

+Otherwise, you define the file structure by setting the `main` field in your *package.json* file. You can set the `main` field to a single file or multiple files by using a [glob pattern](https://wikipedia.org/wiki/Glob_(programming)). Common values for the `main` field might be:

+- TypeScript:

+ - `dist/src/index.js`

+ - `dist/src/functions/*.js`

+- JavaScript:

+ - `src/index.js`

+ - `src/functions/*.js`

+> Make sure you define a `main` field in your *package.json* file.

+The trigger input, instead of the invocation context, is now the first argument to your function handler. The invocation context, now the second argument, is simplified in v4 and isn't as required as the trigger input. You can leave it off if you aren't using it.

+> Switch the order of your arguments. For example, if you're using an HTTP trigger, switch `(context, request)` to either `(request, context)` or just `(request)` if you aren't using the context.

+You no longer have to create and maintain those separate *function.json* configuration files. You can now fully define your functions directly in your TypeScript or JavaScript files. In addition, many properties now have defaults so that you don't have to specify them every time.

+> Move the configuration from your *function.json* file to your code. The type of the trigger corresponds to a method on the `app` object in the new model. For example, if you use an `httpTrigger` type in *function.json*, call `app.http()` in your code to register the function. If you use `timerTrigger`, call `app.timer()`.

+In v4, the `context` object is simplified to reduce duplication and to make writing unit tests easier. For example, we streamlined the primary input and output so that they're accessed only as the argument and return value of your function handler.

+You can't access the primary input and output on the `context` object anymore, but you must still access _secondary_ inputs and outputs on the `context` object. For more information about secondary inputs and outputs, see the [Node.js developer guide](./functions-reference-node.md#extra-inputs-and-outputs).

+The primary input is also called the *trigger* and is the only required input or output. You must have one (and only one) trigger.

+Version 4 supports only one way of getting the trigger input, as the first argument:

+Version 3 supports several ways of getting the trigger input:

+Version 4 supports only one way of setting the primary output, through the return value:

+Version 3 supports several ways of setting the primary output:

+// Option 4, if "name" in function.json is "res":

+// Option 5, if "name" in function.json is "$return":

+> Make sure you always return the output in your function handler, instead of setting it with the `context` object.

+Version 3 doesn't support creating an invocation context outside the Azure Functions runtime, so authoring unit tests can be difficult. Version 4 allows you to create an instance of the invocation context, although the information during tests isn't detailed unless you add it yourself.

+The HTTP request and response types are now a subset of the [fetch standard](https://developer.mozilla.org/docs/Web/API/fetch). They're no longer unique to Azure Functions.

+The types use the [`undici`](https://undici.nodejs.org/) package in Node.js. This package follows the fetch standard and is [currently being integrated](https://github.com/nodejs/undici/issues/1737) into Node.js core.

+- *Body*. You can access the body by using a method specific to the type that you want to receive:

+ ```javascript

+- *Header*:

+- *Query parameter*:

+- *Body*. You can access the body in several ways, but the type returned isn't always consistent:

+- *Header*. You can retrieve a header in several ways:

+- *Query parameter*:

+- *Status*:

+- *Body*:

+- *Header*. You can set the header in two ways, depending on whether you're using the `HttpResponse` class or the `HttpResponseInit` interface:

+- *Status*. You can set a status in several ways:

+- *Body*. You can set a body in several ways:

+- *Header*. You can set a header in several ways:

+> Update any logic by using the HTTP request or response types to match the new methods. If you're using TypeScript, you'll get build errors if you use old methods.

+## Troubleshoot

+If you get the following error, make sure that you [set the `EnableWorkerIndexing` flag](#enable-the-v4-programming-model) and that you're using the minimum version of all [requirements](#requirements):

+If you get the following error, make sure that you're using Node.js version 18.x:

+For any other problems or to give feedback, file an issue in the [Azure Functions Node.js repository](https://github.com/Azure/azure-functions-nodejs-library/issues).

+You can use a method return value for an output binding, by using the name `$return` in *function.json*.

+```json

+{

+ "name": "$return",

+ "type": "blob",

+ "direction": "out",

+ "path": "output-container/{id}"

+}

+```

+Here's the C# script code using the return value, followed by an async example:

+```csharp

+public static string Run(WorkItem input, ILogger log)

+{

+ string json = string.Format("{{ \"id\": \"{0}\" }}", input.Id);

+ log.LogInformation($"C# script processed queue message. Item={json}");

+ return json;

+}

+```

+```csharp

+public static Task<string> Run(WorkItem input, ILogger log)

+{

+ string json = string.Format("{{ \"id\": \"{0}\" }}", input.Id);

+ log.LogInformation($"C# script processed queue message. Item={json}");

+ return Task.FromResult(json);

+}

+```

+## How an F# script works

+The folder structure for an F# script project adheres to the following pattern:

+The binding extensions required in [version 2.x and later versions](functions-versions.md) of the Functions runtime are defined in the `extensions.csproj` file, with the actual library files in the `bin` folder. When you're developing locally, you must [register binding extensions](./functions-bindings-register.md#extension-bundles). When you're developing functions in the Azure portal, this registration is done for you.

+You can use a method return value for an output binding, by using the name `$return` in *function.json*:

+```json

+{

+ "name": "$return",

+ "type": "blob",

+ "direction": "out",

+ "path": "output-container/{id}"

+}

+```

+Here's the F# code that uses the return value:

+```fsharp

+let Run(input: WorkItem, log: ILogger) =

+ let json = String.Format("{{ \"id\": \"{0}\" }}", input.Id)

+ log.LogInformation(sprintf "F# script processed queue message '%s'" json)

+ json

+```

+To log output to your [streaming logs](../app-service/troubleshoot-diagnostic-logs.md) in F#, your function should take an argument of type [`ILogger`](/dotnet/api/microsoft.extensions.logging.ilogger). For consistency, we recommend this argument is named `log`. For example:

+In addition, the following assemblies are special cased and may be referenced by simple name (e.g. `#r "AssemblyName"`):

+An editor that supports F# Compiler Services won't be aware of the namespaces and assemblies that Azure Functions automatically includes. As such, it can be useful to include a prelude that helps the editor find the assemblies you're using, and to explicitly open namespaces. For example:

+To use NuGet packages in an F# function, add a `project.json` file to the function's folder in the function app's file system. Here's an example `project.json` file that adds a NuGet package reference to `Microsoft.ProjectOxford.Face` version 1.1.0:

+2. To upload a `project.json` file, use one of the methods described in [how to update function app files](functions-reference.md#fileupdate). If you're using [Continuous Deployment for Azure Functions](functions-continuous-deployment.md), you can add a `project.json` file to your staging branch in order to experiment with it before adding it to your deployment branch.

+3. After the `project.json` file is added, you'll see output similar to the following example in your function's streaming log:

+## Reusing F# script code

+Paths provided to the `#load` directive are relative to the location of your `.fsx` file.

+| [Azure OpenAI](../../ai-services/openai/index.yml) | &#x2705; | &#x2705; |

+While Microsoft Azure offers a cloud infrastructure with a wide range of integrated cloud services to meet your business needs, in some cases, you may need to run services on Azure large servers without a virtualization layer. You may also require root access and control over the operating system (OS). To meet these needs, Azure offers Azure Large Instances for several high-value, mission-critical applications.

+> Remember, Azure Large Instances is a BYOL model. Microsoft loads base image with RHEL 8.4, but customers can choose to upgrade to newer versions in collaboration with Microsoft team.

+The following screenshot shows the above code overlaying a web-mapping tile service of imagery from the U.S. Geological Survey (USGS) National Map on top of a map, below the roads and labels.

+The following screenshot shows the above code overlaying a web-mapping tile service of imagery from the U.S. Geological Survey (USGS) National Map on top of a map, below the roads and labels.

+The following screenshot shows the WMTS Tile Layer sample overlaying a web-mapping tile service of imagery from the U.S. Geological Survey (USGS) National Map on top of a map, below roads and labels.

+[U.S. Geological Survey (USGS) National Map]:https://viewer.nationalmap.gov/services

+ Title: 'Tutorial: Implement IoT spatial analytics'

+>[!IMPORTANT]

+> In the URL examples, replace `{Your-Azure-Maps-Subscription-key}` with your Azure Maps subscription key.

+To store car violation tracking data, create a [general-purpose v2 storage account] in your resource group. If you haven't created a resource group, follow the directions in [create resource groups][resource group]. Name your resource group *ContosoRental*.

+Next, use the [Postman] app to [upload the geofence] to Azure Maps. The geofence defines the authorized geographical area for our rental vehicle. Use the geofence in your Azure function to determine whether a car has moved outside the geofence area.

+2. Select the **POST** HTTP method in the builder tab, and enter the following URL to upload the geofence to the Data Upload API.

+5. To check the status of the API call, create a **GET** HTTP request on the `status URL`. Add your subscription key to the URL for authentication. The **GET** request should like the following URL:

+IoT Hub enables secure and reliable bi-directional communication between an IoT application and the devices it manages. For this tutorial, you want to get information from your in-vehicle device to determine the location of the rental car. In this section, you create an IoT hub within the *ContosoRental* resource group. This hub is responsible for publishing your device telemetry events.

+Devices can't connect to the IoT hub unless they're registered in the IoT hub identity registry. Create a single device with the name, *InVehicleDevice*. To create and register the device within your IoT hub, follow the steps in [register a new device in the IoT hub]. Make sure to copy the primary connection string of your device. You'll need it later.

+A function is triggered by a certain event. Create a function triggered by an Event Grid trigger. Create the relationship between trigger and function by creating an event subscription for IoT Hub device telemetry events. When a device telemetry event occurs, your function is called as an endpoint, and receives the relevant data for the device you previously registered in IoT Hub.

+Here's the [C# script] code that your function contains.

+1. Give the function a name. In this tutorial, use the name *GetGeoFunction*, but in general you can use any name you like. Select **Create function**.

+When your Azure function is running, you can now send telemetry data to the IoT hub, which routes it to Event Grid. Use a C# application to simulate location data for an in-vehicle device of a rental car. To run the application, you need [.NET Core SDK 3.1] on your development computer. Follow these steps to send simulated telemetry data to the IoT hub:

+ Your local terminal should look like the following screenshot.

+> [Send telemetry from a device]

+[.NET Core SDK 3.1]: https://dotnet.microsoft.com/download/dotnet/3.1

+[Azure certified devices]: https://devicecatalog.azure.com/

+[Azure Functions]: ../azure-functions/functions-overview.md

+[Azure Maps REST APIs]: /rest/api/maps/spatial/getgeofence

+[C# script]: https://github.com/Azure-Samples/iothub-to-azure-maps-geofencing/blob/master/src/Azure%20Function/run.csx

+[create a storage account]: ../storage/common/storage-account-create.md?tabs=azure-portal

+[Create an Azure storage account]: #create-an-azure-storage-account

+[create an IoT hub]: ../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp#create-an-iot-hub

+[Get Geofence]: /rest/api/maps/spatial/getgeofence

+[Get Search Address Reverse]: /rest/api/maps/search/getsearchaddressreverse

+[IoT Hub message routing]: ../iot-hub/iot-hub-devguide-routing-query-syntax.md

+[IoT Plug and Play]: ../iot-develop/index.yml

+[Plug and Play schema for geospatial data]: https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v1-preview/schemas/geospatial.md

+[Postman]: https://www.postman.com/

+[rentalCarSimulation]: https://github.com/Azure-Samples/iothub-to-azure-maps-geofencing/tree/master/src/rentalCarSimulation

+[resource group]: ../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups

+[Search Address Reverse]: /rest/api/maps/search/getsearchaddressreverse

+[Send telemetry from a device]: ../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp

+[Spatial Geofence Get API]: /rest/api/maps/spatial/getgeofence

+[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+[upload the geofence]: ./geofence-geojson.md

+This tutorial shows you how to use the Azure Maps [Route service API] and [Map control] to display route directions from start to end point. This tutorial demonstrates how to:

+>

+> * Create and display the Map control on a web page.

+ :::image type="content" source="./media/tutorial-route-location/basic-map.png" alt-text="A screenshot showing the most basic map that you can make by calling `atlas.Map` using your Azure Maps account key.":::

+In this tutorial, the route is rendered using a line layer. The start and end points are rendered using a symbol layer. For more information on adding line layers, see [Add a line layer to a map]. To learn more about symbol layers, see [Add a symbol layer to a map].

+ * This code implements the Map control's `ready` event handler. The rest of the code in this tutorial is placed inside the `ready` event handler.

+ Next, a symbol layer is created and attached to the data source. This layer specifies how the start and end points are rendered. Expressions have been added to retrieve the icon image and text label information from properties on each point object. To learn more about expressions, see [Data-driven style expressions].

+2. Next, set the start point at Microsoft, and the end point at a gas station in Seattle. Start and points are created by appending the following code in the Map control's `ready` event handler:

+> [Find routes for different modes of travel]

+[Add a line layer to a map]: map-add-line-layer.md

+[atlas.Map]: /javascript/api/azure-maps-control/atlas.map

+[atlas]: /javascript/api/azure-maps-control/atlas

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[Find routes for different modes of travel]: tutorial-prioritized-routes.md

+[Get Route directions API]: /rest/api/maps/route/getroutedirections

+[Line layers]: map-add-line-layer.md

+[Map control]: ./how-to-use-map-control.md

+[Route service API]: /rest/api/maps/route

+[Route to a destination]: https://samples.azuremaps.com/?sample=route-to-a-destination

+[route tutorial]: https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/Samples/Tutorials/Route

+[setCamera(CameraOptions | CameraBoundsOptions & AnimationOptions)]: /javascript/api/azure-maps-control/atlas.map#setcamera-cameraoptionscameraboundsoptionsanimationoptions-

+[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+[Symbol layers]: map-add-pin.md

+ * The core of the `GetMap` function, which initializes the Map Control API for your Azure Maps account key.

+ :::image type="content" source="./media/tutorial-search-location/basic-map.png" alt-text="A screenshot showing the most basic map that you can make by calling atlas.Map using your Azure Maps account key.":::

+ * A symbol layer is created and attached to the data source. This layer specifies how the result data in the data source should be rendered. In this case, the result is rendered with a dark blue round pin icon, centered over the results coordinate that allows other icons to overlap.

+ :::image type="content" source="./media/tutorial-search-location/pins-map.png" alt-text="A screenshot showing the map resulting from the search, which is a map showing Seattle with round-blue pins at locations of gas stations.":::

+1. Add the following lines of code in the map `ready` event handler after the code to query the fuzzy search service. This code creates an instance of a Popup and adds a mouseover event to the symbol layer.

+ :::image type="content" source="./media/tutorial-search-location/popup-map.png" alt-text="A screenshot of a map with information popups that appear when you hover over a search pin.":::

+> [Route to a destination]

+[Fuzzy Search service]: /rest/api/maps/search/get-search-fuzzy

+[Route to a destination]: tutorial-route-location.md

+[Search for points of interest]: https://samples.azuremaps.com/?sample=search-for-points-of-interest

+[search tutorial]: https://github.com/Azure-Samples/AzureMapsCodeSamples/tree/master/Samples/Tutorials/Search

+[searchURL]: /javascript/api/azure-maps-rest/atlas.service.searchurl

+[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+omsagent | 1.16.0 | The Log Analytics agent for Linux.

+omsconfig | 1.2.0 | Configuration agent for the Log Analytics agent.

+omi | 1.7.1 | Open Management Infrastructure (OMI), a lightweight CIM Server. *OMI requires root access to run a cron job necessary for the functioning of the service*.

+scx | 1.7.1 | OMI CIM providers for operating system performance metrics.

+| Oracle Linux 6.4+ | | | X |

+| Red Hat Enterprise Linux Server 6.7+ | | | X |

+| June 2023| **Windows** <ul><li>Add new file path column to custom logs table</li><li>Config setting to disable custom IMDS endpoint in Tenant.json file</li><li>FluentBit binaries signed with Microsoft customer Code Sign cert</li><li>Minimize number of retries on calls to refresh tokens</li><li>Don't overwrite resource ID with empty string</li><li>AzSecPack updated to version 4.27</li><li>AzureProfiler and AzurePerfCollector updated to version 1.0.0.990</li><li>MetricsExtension updated to version 2.2023.513.10</li><li>Troubleshooter updated to version 1.5.0</li></ul>**Linux** <ul><li>Add new column CollectorHostName to syslog table to identify forwarder/collector machine</li><li>Link OpenSSL dynamically</li><li>**Fixes**<ul><li>Allow uploads soon after AMA start up</li><li>Run LocalSink GC on a dedicated thread to avoid thread pool scheduling issues</li><li>Fix upgrade restart of disabled services</li><li>Handle Linux Hardening where sudo on root is blocked</li><li>CEF processing fixes for noncomliant RFC 5424 logs</li><li>ASA tenant can fail to start up due to config-cache directory permissions</li><li>Fix auth proxy in AMA</li><li>Fix to remove null characters in agentlauncher.log after log rotation</li><li>Fix for authenticated proxy(1.27.3)</li><li>Fix regression in VM Insights(1.27.4)</ul></li></ul>|1.17.0 |1.27.4|

+If after checking basic troubleshooting steps you don't see the Azure Monitor Agent emitting logs or find **'Failed to get MSI token from IMDS endpoint'** errors in `/var/opt/microsoft/azuremonitoragent/log/mdsd.err` log file, it's likely `syslog` user isn't a member of the group `himds`. Add `syslog` user to `himds` user group if the user isn't a member of this group. Create user `syslog` and the group `syslog`, if necessary, and make sure that the user is in that group. For more information check out Azure Arc-enabled server authentication requirements [here](../../azure-arc/servers/managed-identity-authentication.md).

+4. To install with custom file paths, [network proxy settings](./azure-monitor-agent-overview.md#proxy-configuration), or on a Non-Public Cloud use the command below with the values from the following table:

+ | CLOUDENV | Set to Cloud. "Azure Commercial", "Azure China", "Azure US Gov", "Azure USNat", or "Azure USSec

+6. Verify successful installation:

+7. Proceed to create the monitored object that you'll associate data collection rules to, for the agent to actually start operating.

+Starting with version 8.0 or higher of [Azure PowerShell](https://learn.microsoft.com/powershell/azure/what-is-azure-powershell), you can use the `Update-AzApplicationInsights` PowerShell command to migrate a classic Application Insights resource to workspace based.

+To use this cmdlet, you need to specify the name and resource group of the Application Insights resource that you want to update. Use the `IngestionMode` and `WorkspaceResoruceId` parameters to migrate your classic instance to workspace-based. For more information on the parameters and syntax of this cmdlet, see [Update-AzApplicationInsights](https://learn.microsoft.com/powershell/module/az.applicationinsights/update-azapplicationinsights).

+#### Example

+```powershell

+# Get the resource ID of the Log Analytics workspace

+$workspaceResourceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName "rgName" -Name "laName").ResourceId

+# Update the Application Insights resource with the workspace parameter

+Update-AzApplicationInsights -Name "aiName" -ResourceGroupName "rgName" -IngestionMode LogAnalytics -WorkspaceResourceId $workspaceResourceId

+```

+The following example shows how to track the [Azure Storage queue](/azure/storage/queues/storage-quickstart-queues-dotnet?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli) operations and correlate telemetry between the producer, the consumer, and Azure Storage.

+> Don't use both a connection string and an instrumentation key. The latter one set supersedes the other, and could result in telemetry not appearing on the portal. [missing data](#missing-data).

+The following OpenTelemetry Instrumentation libraries are included as part of the Azure Monitor Application Insights Distro. See [this](https://github.com/microsoft/ApplicationInsights-Python/tree/main/azure-monitor-opentelemetry#officially-supported-instrumentations) for more details.

+Telemetry emitted by Azure SDKS is automatically [collected](https://github.com/microsoft/ApplicationInsights-Python/tree/main/azure-monitor-opentelemetry#azure-core-distributed-tracing) by default.

+- <a name="FOOTNOTEFOUR">4</a>: By default, logging is only collected when that logging is performed at the WARNING level or higher.

+To add a community instrumentation library (not officially supported/included in Azure Monitor distro), you can instrument directly with the instrumentations. The list of community instrumentation libraries can be found [here](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation).

+> [!NOTE]

+> Instrumenting a [supported instrumentation library](.\opentelemetry-add-modify.md?tabs=python#included-instrumentation-libraries) manually with `instrument()` in conjunction with the distro `configure_azure_monitor()` is not recommended. This is not a supported scenario and you may get undesired behavior for your telemetry.

+```python

+from azure.monitor.opentelemetry import configure_azure_monitor

+from opentelemetry.instrumentation.sqlalchemy import SQLAlchemyInstrumentor

+from sqlalchemy import create_engine, text

+configure_azure_monitor()

+engine = create_engine("sqlite:///:memory:")

+# SQLAlchemy instrumentation is not officially supported by this package

+# However, you can use the OpenTelemetry instrument() method manually in

+# conjunction with configure_azure_monitor

+SQLAlchemyInstrumentor().instrument(

+ engine=engine,

+)

+# Database calls using the SqlAlchemy library will be automatically captured

+with engine.connect() as conn:

+ result = conn.execute(text("select 'hello world'"))

+ print(result.all())

+```

+The Python [logging](https://docs.python.org/3/howto/logging.html) library is [autoinstrumented](.\opentelemetry-add-modify.md?tabs=python#included-instrumentation-libraries). You can attach custom dimensions to your logs by passing a dictionary into the `extra` argument of your logs.

+> Metrics and Logs are unaffected by sampling.

+For more information about OpenTelemetry SDK configuration, see the [OpenTelemetry documentation](https://opentelemetry.io/docs/concepts/sdk-configuration). For additional details, see [Azure monitor Distro Usage](https://github.com/microsoft/ApplicationInsights-Python/tree/main/azure-monitor-opentelemetry#usage).

+using Azure.Monitor.OpenTelemetry.AspNetCore;

+- [Analyze logs in Azure Monitor with KQL](/training/modules/analyze-logs-with-kql/)

+> Appends to blobs are written based on the "TimeGenerated" field and occur when receiving source data. Data arriving to Azure Monitor with delay, or retried following destinations throttling, is written to blobs according to its TimeGenerated.

+For more information on how to connect your own storage account, see [Customer-owned storage accounts for log ingestion](private-storage.md) and specifically [Use private links](private-storage.md#private-links) and [Link storage accounts to your Log Analytics workspace](private-storage.md#link-storage-accounts-to-your-log-analytics-workspace).

+ Title: Use customer-managed storage accounts in Azure Monitor Logs

+description: Use your own Azure Storage account to ingest logs into Azure Monitor Logs.

+# Use customer-managed storage accounts in Azure Monitor Logs

+Azure Monitor Logs relies on Azure Storage in various scenarios. Azure Monitor typically manages this type of storage automatically, but some cases require you to provide and manage your own storage account, also known as a customer-managed storage account. This article describes the use cases and requirements for setting up customer-managed storage for Azure Monitor Logs and explains how to link a storage account to a Log Analytics workspace.

+> We recommend that you don't take a dependency on the contents that Azure Monitor Logs uploads to customer-managed storage because formatting and content might change.

+## Private links

+### Workspace requirements

+When you connect to Azure Monitor over a private link, Azure Monitor Agent can only send logs to workspaces accessible over a private link. This requirement means you should:

+### Storage account requirements

+For the storage account to connect to your private link, it must:

+* Allow Azure Monitor to access the storage account. To allow only specific networks to access your storage account, select the exception **Allow trusted Microsoft services to access this storage account**.

+Coordinate the TLS version between the agents and the storage account. We recommend that you send data to Azure Monitor Logs by using TLS 1.2 or higher. Review the [platform-specific guidance](./data-security.md#sending-data-securely-using-tls-12). If necessary, [configure your agents to use TLS 1.2](../agents/agent-windows.md#configure-agent-to-use-tls-12). If that's not possible, configure the storage account to accept TLS 1.0.

+## Customer-managed key data encryption

+Azure Storage encrypts all data at rest in a storage account. By default, it uses Microsoft-managed keys (MMKs) to encrypt the data. However, Azure Storage also allows you to use customer-managed keys (CMKs) from Azure Key Vault to encrypt your storage data. You can either import your own keys into Key Vault or use the Key Vault APIs to generate keys.

+### CMK scenarios that require a customer-managed storage account

+### Apply CMKs to customer-managed storage accounts

+#### Storage account requirements

+#### Apply CMKs to your storage accounts

+When you link a storage account to a workspace, Azure Monitor Logs starts using it instead of the storage account owned by the service. You can:

+To stop using a storage account, unlink the storage from the workspace. When you unlink all storage accounts from a workspace, Azure Monitor Logs uses service-managed storage accounts. If your network has limited access to the internet, these storage accounts might not be available and any scenario that relies on storage will fail.

+When you use your own storage account, retention is up to you. Azure Monitor Logs doesn't delete logs stored on your private storage. Instead, you should set up a policy to handle the load according to your preferences.

+You're charged for storage accounts based on the volume of stored data, the type of storage, and the type of redundancy. For more information, see [Block blob pricing](https://azure.microsoft.com/pricing/details/storage/blobs) and [Azure Table Storage pricing](https://azure.microsoft.com/pricing/details/storage/tables).

+- Include the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package version 1.4.2 or above in your app.

+When you add the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package to your application, the `SnapshotCollectorTelemetryProcessor` should be added automatically to the `TelemetryProcessors` section of [ApplicationInsights.config](../app/configuration-with-applicationinsights-config.md).

+If you don't see `SnapshotCollectorTelemetryProcessor` in ApplicationInsights.config, or if you want to customize the Snapshot Debugger configuration, you may edit it by hand. However, these edits may get overwritten if you later upgrade to a newer version of the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package.

+ <Add Type="Microsoft.ApplicationInsights.SnapshotCollector.SnapshotCollectorTelemetryProcessor, Microsoft.ApplicationInsights.SnapshotCollector">

+ </Add>

+## Configure snapshot collection for ASP.NET Core applications or Worker Services

+Your application should already reference one of the following Application Insights NuGet packages:

+- [Microsoft.ApplicationInsights.AspNetCore](https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore)

+- [Microsoft.ApplicationInsights.WorkerService](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService)

+### Add the NuGet package

+Add the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package to your app.

+### Update the services collection

+In your application's startup code, where services are configured, add a call to the `AddSnapshotCollector` extension method. It's a good idea to add this line immediately after the call to `AddApplicationInsightsTelemetry`. For example:

+// Add services to the container.

+builder.Services.AddSnapshotCollector();

+```

+### Configure the Snapshot Collector

+For most situations, the default settings are sufficient. If not, customize the settings by adding the following code before the call to `AddSnapshotCollector()`

+```csharp

+using Microsoft.ApplicationInsights.SnapshotCollector;

+...

+builder.Services.Configure<SnapshotCollectorConfiguration>(builder.Configuration.GetSection("SnapshotCollector"));

+Next, add a `SnapshotCollector` section to *appsettings.json* where you can override the defaults. The following example shows a configuration equivalent to the default configuration:

+ "SnapshotCollector": {

+If you need to customize the Snapshot Collector's behavior manually, without using *appsettings.json*, use the overload of `AddSnapshotCollector` that takes a delegate. For example:

+```csharp

+builder.Services.AddSnapshotCollector(config => config.IsEnabledInDeveloperMode = true);

+```

+Snapshots are collected only on exceptions that are reported to Application Insights. For ASP.NET and ASP.NET Core applications, the Application Insights SDK automatically reports unhandled exceptions that escape a controller method or endpoint route handler. For other applications, you might need to modify your code to report them. The exception handling code depends on the structure of your application. Here's an example:

+* [Migrate Product Lifecycle Management (PLM) to Azure](/industry/manufacturing/architecture/ra-migrate-plm-azure)

+ If a resource group's region is temporarily unavailable, you can't update resources in the resource group because the metadata is unavailable. The resources in other regions will still function as expected, but you can't update them.

+### <a name="shareable-links-domains"></a>Are custom domains supported with Bastion shareable links?

+No, custom domains are not supported with Bastion shareable links. Users will receive a certificate error upon trying to add specific domains in the CN/SAN of the Bastion host certificate.

+- Scaling based on queue messaging threshold is supported. For more information, see [Get started with Azure Queue storage](/azure/storage/queues/storage-quickstart-queues-dotnet?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli).

+- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).

+* You can scale based on a queue message threshold. For more information about how to use queues, see [How to use the Queue Storage Service](/azure/storage/queues/storage-quickstart-queues-dotnet?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli).

+A [storage service](../storage/common/storage-account-create.md) gives you access to Azure [blobs](../storage/blobs/storage-quickstart-blobs-python.md), [tables](../cosmos-db/table-storage-how-to-use-python.md), and [queues](/azure/storage/queues/storage-quickstart-queues-python?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli). To create a storage service, you need a name for the service (between 3 and 24 lowercase characters and unique within Azure). You also need a description, a label (up to 100 characters, automatically encoded to base64), and a location. The following example shows how to create a storage service by specifying a location:

+* [Queue Service](/azure/storage/queues/storage-quickstart-queues-python?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli)

+- Download our [Java](https://github.com/Azure-Samples/communication-services-java-quickstarts/tree/main/ServerRecording) call recording sample app

+- Download our [Java](https://github.com/Azure-Samples/communication-services-java-quickstarts/tree/main/ServerRecording), [Python](https://github.com/Azure-Samples/communication-services-python-quickstarts/tree/main/call-recording), and [JavaScript](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/call-recording) call recording sample apps

+ Title: Manage an enterprise in Azure Communications Gateway's Number Management Portal

+description: Learn how to manage enterprises and numbers for Operator Connect and Teams Phone Mobile with Azure Communication Gateway's API Bridge Number Management Portal.

+# Manage an enterprise in Azure Communications Gateway's Number Management Portal

+Azure Communications Gateway's Number Management Portal enables you to manage enterprise customers and their numbers through the Azure portal.

+The Operator Connect and Teams Phone Mobile programs don't allow you to use the Operator Connect portal for provisioning after you've launched your service in the Teams Admin Center. The Number Management Portal is a simple alternative that you can use until you've finished integrating with the Operator Connect APIs.

+> [!IMPORTANT]

+> You must have selected Azure Communications Gateway's API Bridge option to use the Number Management Portal.

+## Prerequisites

+Confirm that you have [!INCLUDE [project-synergy-nmp-permissions](includes/communications-gateway-nmp-project-synergy-permissions.md)] permissions for the Project Synergy enterprise application and **Reader** access to the Azure portal for your subscription. If you don't have these permissions, ask your administrator to set them up by following [Set up user roles for Azure Communications Gateway](provision-user-roles.md).

+If you're assigning new numbers to an enterprise customer:

+* You must know the numbers you need to assign (as E.164 numbers). Each number must:

+ * Contain only digits (0-9), with an optional `+` at the start.

+ * Include the country code.

+ * Be up to 19 characters long.

+* You must have completed any internal procedures for assigning numbers.

+* You need to know the following information for each range of numbers.

+|Information for each range of numbers |Notes |

+|||

+|Calling profile |One of the Calling Profiles created by Microsoft for you.|

+|Intended usage | Individuals (calling users), applications or conference calls.|

+|Capabilities |Which types of call to allow (for example, inbound calls or outbound calls).|

+|Civic address | A physical location for emergency calls. The enterprise must have configured this address in the Teams Admin Center. Only required for individuals (calling users) and only if you don't allow the enterprise to update the address.|

+|Location | A description of the location for emergency calls. The enterprise must have configured this location in the Teams Admin Center. Only required for individuals (calling users) and only if you don't allow the enterprise to update the address.|

+|Whether the enterprise can update the civic address or location | If you don't allow the enterprise to update the civic address or location, you must specify a civic address or location. You can specify an address or location and also allow the enterprise to update it.|

+|Country | The country for the number. Only required if you're uploading a North American Toll-Free number, otherwise optional.|

+|Ticket number (optional) |The ID of any ticket or other request that you want to associate with this range of numbers. Up to 64 characters. |

+## 1. Go to your Communications Gateway resource

+1. Sign in to the [Azure portal](https://azure.microsoft.com/).

+1. In the search bar at the top of the page, search for your Communications Gateway resource.

+1. Select your Communications Gateway resource.

+## 2. Select an enterprise customer to manage

+When an enterprise customer uses the Teams Admin Center to request service, the Operator Connect APIs create a **consent**. This consent represents the relationship between you and the enterprise.

+The Number Management Portal allows you to update the status of these consents. Finding the consent for an enterprise is also the easiest way to manage numbers for an enterprise.

+1. From the overview page for your Communications Gateway resource, select **Consents** in the sidebar.

+1. Find the enterprise that you want to manage.

+1. If you need to change the status of the relationship, select **Update Relationship Status** from the menu for the enterprise. Set the new status. For example, if you're agreeing to provide service to a customer, set the status to **Agreement signed**. If you set the status to **Consent Declined** or **Contract Terminated**, you must provide a reason.

+## 3. Manage numbers for the enterprise

+Assigning numbers to an enterprise allows IT administrators at the enterprise to allocate those numbers to their users.

+1. Go to the number management page for the enterprise.

+ * If you followed [2. Select an enterprise customer to manage](#2-select-an-enterprise-customer-to-manage), select **Manage numbers** from the menu.

+ * Otherwise, select **Numbers** in the sidebar and search for the enterprise using the enterprise's Azure Active Directory tenant ID.

+1. To add new numbers for an enterprise:

+ 1. Select **Upload numbers**.

+ 1. Fill in the fields based on the information you determined in [Prerequisites](#prerequisites). These settings apply to all the numbers you upload in the **Telephone numbers** section.

+ 1. In **Telephone numbers**, upload the numbers, as a comma-separated list.

+ 1. Select **Review + upload** and **Upload**. Uploading creates an order for uploading numbers over the Operator Connect API.

+ 1. Wait 30 seconds, then refresh the order status. When the order status is **Complete**, the numbers are available to the enterprise. You might need to refresh more than once.

+1. To remove numbers from an enterprise:

+ 1. Select the numbers.

+ 1. Select **Release numbers**.

+ 1. 1. Wait 30 seconds, then refresh the order status. When the order status is **Complete**, the numbers have been removed.

+## 4. View civic addresses for an enterprise

+You can view civic addresses for an enterprise. The enterprise configures the details of each civic address, so you can't configure these details.

+1. Go to the civic address page for the enterprise.

+ * If you followed [2. Select an enterprise customer to manage](#2-select-an-enterprise-customer-to-manage), select **Civic addresses** from the menu.

+ * Otherwise, select **Civic addresses** in the sidebar and search for the enterprise using the enterprise's Azure Active Directory tenant ID.

+1. View the civic addresses. You can see the address, the company name, the description and whether the address was validated when the enterprise configured the address.

+1. Optionally, select an individual address to view additional information provided by the enterprise (for example, the ELIN information).

+## Next steps

+Learn more about [the metrics you can use to monitor calls](monitoring-azure-communications-gateway-data-reference.md).

+Operator Connect and Teams Phone Mobile require API integration between your IT systems and Microsoft Teams for flow-through provisioning and automation. After your deployment has been certified and launched, you must not use the Operator Connect portal for provisioning. You can use Azure Communications Gateway's Number Management Portal instead. This Azure portal feature enables you to pass the certification process and sell Operator Connect or Teams Phone Mobile services while you carry out a custom API integration project.

+|Using the API Bridge Number Management Portal| [!INCLUDE [project-synergy-nmp-permissions](includes/communications-gateway-nmp-project-synergy-permissions.md)] permissions for the Project Synergy enterprise application and **Reader** permissions to the Azure portal for your subscription|

+1. If you're managing access to the API Bridge Number Management Portal, follow [Assign users and groups to an application](../active-directory/manage-apps/assign-user-or-group-access-portal.md) to assign [!INCLUDE [project-synergy-nmp-permissions](includes/communications-gateway-nmp-project-synergy-permissions.md)] permissions for each user in the Project Synergy application.

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | Managed connector (Azure-hosted) and built-in connector, which is [service provider based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). The built-in version usually provides better performance, capabilities, pricing, and so on. <br><br>**Note**: Service Bus built-in connector triggers follow the [*polling trigger*](introduction.md#triggers) pattern, which means that the trigger continually checks for messages in the queue or topic subscription. <br><br>For more information, review the following documentation: <br><br>- [Service Bus managed connector reference](/connectors/servicebus/) <br>- [Service Bus built-in connector operations](/azure/logic-apps/connectors/built-in/reference/servicebus) <br>- [Built-in connectors in Azure Logic Apps](built-in.md) |

+<a name="built-in-connector-app-settings"></a>

+## Service Bus built-in connector app settings

+In a Standard logic app resource, the Service Bus built-in connector includes app settings that control various thresholds, such as timeout for sending messages and number of message senders per processor core in the message pool. For more information, review [Reference for app settings - local.settings.json](../logic-apps/edit-app-settings-host-settings.md#reference-local-settings-json).

+<a name="read-messages-dead-letter-queues"></a>

+## Read messages from dead-letter queues with Service Bus built-in triggers

+In Standard workflows, to read a message from a dead-letter queue in a queue or a topic subscription, follow these steps using the specified triggers:

+1. In your blank workflow, based on your scenario, add the Service Bus *built-in* connector trigger named **When messages are available in a queue** or **When a message are available in a topic subscription (peek-lock)**.

+1. In the trigger, set the following parameter values to specify your queue or topic subscription's default dead-letter queue, which you can access like any other queue:

+ * **When messages are available in a queue** trigger: Set the **Queue name** parameter to **queuename/$deadletterqueue**.

+ * **When a message are available in a topic subscription (peek-lock)** trigger: Set the **Topic name** parameter to **topicname/Subscriptions/subscriptionname/$deadletterqueue**.

+ For more information, see [Service Bus dead-letter queues overview](../service-bus-messaging/service-bus-dead-letter-queues.md#path-to-the-dead-letter-queue).

+| `peerAuthentication` | How to enable mTLS encryption. | Object | No |

+You can configure your app to support client certificates (mTLS) for authentication and traffic encryption. For more information, see [Configure client certificates](client-certificate-authorization.md).

+For details on how to use mTLS for environment level network encryption, see the [networking overview](./networking.md#mtls).

+ - You can disable this by setting `allowInsecure` to `true` in the ingress configuration

+- TLS terminates at the ingress

+ - You can enable [Environment level network encryption](networking.md#mtls) for full end-to-end encryption for requests between the ingress and an app and between different apps

+## <a name="mtls"></a> Environment level network encryption - preview

+Azure Container Apps supports environment level network encryption using mutual transport layer security (mTLS). When end-to-end encryption is required, mTLS will encrypt data transmitted between applications within an environment. Applications within a Container Apps environment are automatically authenticated. However, Container Apps currently does not support authorization for access control between applications using the built-in mTLS.

+When your apps are communicating with a client outside of the environment, two-way authentication with mTLS is supported, to learn more see [configure client certificates](client-certificate-authorization.md).

+> [!NOTE]

+> Enabling mTLS for your applications may increase response latency and reduce maximum throughput in high-load scenarios.

+# [Azure CLI](#tab/azure-cli)

+You can enable mTLS using the following commands.

+On create:

+```azurecli

+az containerapp env create \

+ --name <environment-name> \

+ --resource-group <resource-group> \

+ --location <location> \

+ --enable-mtls

+```

+For an existing container app:

+```azurecli

+az containerapp env update \

+ --name <environment-name> \

+ --resource-group <resource-group> \

+ --enable-mtls

+```

+# [ARM template](#tab/arm-template)

+You can enable mTLS in the ARM template for Container Apps environments using the following configuration.

+```json

+{

+ ...

+ "properties": {

+ "peerAuthentication":{

+ "mtls": {

+ "enabled": "true|false"

+ }

+ }

+ ...

+}

+```

+The feed streams could be built using [Azure App ServicesΓÇÖ](https://azure.microsoft.com/services/app-service/) background processes: [Webjobs](../app-service/webjobs-create.md). Once a post is created, background processing can be triggered by using [Azure Storage](https://azure.microsoft.com/services/storage/) [Queues](/azure/storage/queues/storage-quickstart-queues-dotnet?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli) and Webjobs triggered using the [Azure Webjobs SDK](https://github.com/Azure/azure-webjobs-sdk/wiki), implementing the post propagation inside streams based on your own custom logic.

+# How to capture changed data with schema evolution from Azure SQL DB to Delta sink using a Change Data Capture (CDC) resource

+8. Once youΓÇÖve selected the source table(s), select **Continue** to set your data target.

+1. Now you can proceed to make schema level changes to the source tables. For this tutorial, we will use the Alter table T-SQL to add a new column "PersonalEmail" to the source table.

+2. You can validate that the new column "PersonalEmail" has been added to the existing table.

+1. Validate change data with schema changes have landed at the Delta sink. For this tutorial, you can see the new column "PersonalEmail" has been added to the sink.

+Data Lake Storage Gen1 provides a command-line tool, AdlCopy, to copy data from the following sources:

+* **AdlCopy tool**. Install the AdlCopy tool.

+| **Anonymity network activity**<br>(AzureDNS_DarkWeb) | Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Low |

+| **Anonymity network activity using web proxy**<br>(AzureDNS_DarkWebProxy) | Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behavior, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Low |

+| **Attempted communication with suspicious sinkholed domain**<br>(AzureDNS_SinkholedDomain) | Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools. | Exfiltration | Medium |

+| **Communication with possible phishing domain**<br>(AzureDNS_PhishingDomain) | Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service. | Exfiltration | Low |

+| **Communication with suspicious algorithmically generated domain**<br>(AzureDNS_DomainGenerationAlgorithm) | Analysis of DNS transactions from %{CompromisedEntity} detected possible usage of a domain generation algorithm. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Low |

+| **Communication with suspicious random domain name**<br>(AzureDNS_RandomizedDomain) | Analysis of DNS transactions from %{CompromisedEntity} detected usage of a suspicious randomly generated domain name. Such activity, while possibly benign, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Low |

+| **Digital currency mining activity**<br>(AzureDNS_CurrencyMining) | Analysis of DNS transactions from %{CompromisedEntity} detected digital currency mining activity. Such activity, while possibly legitimate user behavior, is frequently performed by attackers following compromise of resources. Typical related attacker activity is likely to include the download and execution of common mining tools. | Exfiltration | Low |

+| **Network intrusion detection signature activation**<br>(AzureDNS_SuspiciousDomain) | Analysis of DNS transactions from %{CompromisedEntity} detected a known malicious network signature. Such activity, while possibly legitimate user behavior, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools. | Exfiltration | Medium |

+| **Possible data download via DNS tunnel**<br>(AzureDNS_DataInfiltration) | Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Low |

+| **Possible data exfiltration via DNS tunnel**<br>(AzureDNS_DataExfiltration) | Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Low |

+| **Possible data transfer via DNS tunnel**<br>(AzureDNS_DataObfuscation) | Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behavior, is frequently performed by attackers to evade network monitoring and filtering. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools. | Exfiltration | Low |

+| Instance and disk types: | **Azure**<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Standard VMs<br>:::image type="icon" source="./media/icons/no-icon.png"::: Unmanaged disks<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Virtual machine scale set - Flex<br>:::image type="icon" source="./media/icons/no-icon.png"::: Virtual machine scale set - Uniform<br><br>**AWS**<br>:::image type="icon" source="./media/icons/yes-icon.png"::: EC2<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Auto Scale instances<br>:::image type="icon" source="./media/icons/no-icon.png"::: Instances with a ProductCode (Paid AMIs) |

+- Learn more about how to [enable agentless scanning for VMs](enable-vulnerability-assessment-agentless.md).

+| [Changes to the Defender for DevOps recommendations environment source and resource ID](#changes-to-the-defender-for-devops-recommendations-environment-source-and-resource-id) | August 2023 |

+| [DevOps Resource Deduplication for Defender for DevOps](#devops-resource-deduplication-for-defender-for-devops) | August 2023 |

+### General Availability (GA) release of Agentless Container Posture in Defender CSPM

+The new Agentless Container Posture capabilities are set for General Availability (GA) as part of the Defender CSPM (Cloud Security Posture Management) plan.

+Learn more about [Agentless Containers Posture in Defender CSPM](concept-agentless-containers.md).

+### Changes to the Defender for DevOps recommendations environment source and resource ID

+**Estimated date for change: August 2023**

+**Estimated date for change: August 2023**

+- Azure subscriptions get the **Microsoft cloud security benchmark** assigned. This is the Microsoft-authored, cloud specific guidelines for security and compliance best practices based on common compliance frameworks. [Learn more about Microsoft cloud security benchmark](/security/benchmark/azure/introduction).

+- AWS accounts get the **AWS Foundational Security Best Practices** standard assigned. This is the AWS-specific guideline for security and compliance best practices based on common compliance frameworks.

+- GCP projects get the **GCP Default** standard assigned.

+| Standards for Azure subscriptions | Standards for AWS accounts | Standards for GCP projects |

+| -| | |

+| PCI-DSS v3.2.1 **(deprecated)** | CIS 1.2.0 | CIS 1.1.0 |

+| PCI DSS v4 | CIS 1.5.0 | CIS 1.2.0 |

+| SOC TSP | PCI DSS v3.2.1 | PCI DSS v3.2.1 |

+| SOC 2 Type 2 | | NIST 800-53 |

+| ISO 27001:2013 | | ISO 27001 |

+| Azure CIS 1.1.0 |||

+| Azure CIS 1.3.0 |||

+| Azure CIS 1.4.0 |||

+| NIST SP 800-53 R4 |||

+| NIST SP 800-53 R5 |||

+| NIST SP 800 171 R2 |||

+| CMMC Level 3 |||

+| FedRAMP H |||

+| FedRAMP M |||

+| HIPAA/HITRUST |||

+| SWIFT CSP CSCF v2020 |||

+| UK OFFICIAL and UK NHS |||

+| Canada Federal PBMM |||

+| New Zealand ISM Restricted |||

+| New Zealand ISM Restricted v3.5 |||

+| Australian Government ISM Protected |||

+| RMIT Malaysia |||

+This diagram shows the key components of Deployment Environments and how they relate to each other. You can learn more about each component in the following sections.

+The managed identity that's attached to the dev center needs to be granted appropriate access to connect to the catalogs. You should grant owner access to the target deployment subscriptions that are configured at the project level. The Azure Deployment Environments service uses the specific managed identity to perform the deployment on behalf of the developer.

+You can define the types of environments that development teams can create: for example, dev, test, sandbox, preproduction, or production. Azure Deployment Environments provides the flexibility to name the environment types according to the nomenclature that your enterprise uses. You can configure settings for various environment types based on the specific needs of the development teams.

+- The [managed identity](concept-environments-key-concepts.md#identities) that is used to perform the deployment.

+An environment definition is a combination of an IaC template and a manifest file. The template defines the environment, and the manifest provides metadata about the template. Your development teams use the items that you provide in the catalog to create environments in Azure.

+### ARM templates

+A platform engineering team typically sets up a dev center, attaches external catalogs to the dev center, creates projects, and provides access to development teams. Development teams create [environments](concept-environments-key-concepts.md#environments) by using [environment definitions](concept-environments-key-concepts.md#environment-definitions), connect to individual resources, and deploy applications. To learn more about the components of Azure Deployment Environments, see [Key concepts for Azure Deployment Environments](concept-environments-key-concepts.md).

+The following diagram shows the steps you perform in the [Create and configure a project quickstart](quickstart-create-and-configure-projects.md) to configure a project associated with a dev center for Deployment Environments.

+| Bluware | Bluware enables you to explore the full value of seismic data for exploration, carbon capture, wind farms, and geothermal workflows. Bluware technology on Azure Data Manager for Energy is increasing workflow productivity utilizing the power of Azure. Bluware's flagship seismic deep learning solution, InteractivAI&trade; drastically improves the effectiveness of interpretation workflows. The interactive experience reduces seismic interpretation time by ten times from weeks to hours and provides full control over interpretation results. | [Bluware technologies on Azure](https://go.bluware.com/bluware-on-azure-markeplace) [Bluware Products and Evaluation Packages](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bluwarecorp1581537274084.bluwareazurelisting)|

+| Katalyst | Katalyst Data Management&reg; provides the only integrated, end-to-end subsurface data management solution for the oil and gas industry. Over 160 employees operate in North America, Europe, and Asia-Pacific, dedicated to enabling digital transformation and optimizing the value of geotechnical information for exploration, production, and M&A activity. |[Katalyst Data Management solution](https://www.katalystdm.com/seismic-news/katalyst-announces-sub-surface-data-management-solution-powered-by-microsoft-energy-data-services/) |

+| Interica | Interica OneView&trade; harnesses the power of application connectors to extract rich metadata from live projects discovered across the organization. IOV scans automatically discover content and extract detailed metadata at the sub-element level. Quickly and easily discover data across multiple file systems and data silos and determine which projects contain selected data objects to inform business decisions. Live data discovery enables businesses to see a holistic view of subsurface project landscapes for improved time to decisions, more efficient data search, and effective storage management. | [Accelerate Azure Data Manager for Energy adoption with Interica OneView&trade;](https://www.petrosys.com.au/interica-oneview-connecting-to-microsoft-data-services/) [Interica OneView&trade;](https://www.petrosys.com.au/assets/Interica_OneView_Accelerate_MEDS_Azure_adoption.pdf) [Interica OneView&trade; connecting to Microsoft Data Services](https://youtu.be/uPEOo3H01w4)|

+|Aspentech|AspenTech and Microsoft are working together to accelerate your digital transformation by optimizing assets to run safer, greener, longer, and faster. With MicrosoftΓÇÖs end-to-end solutions and AspenTechΓÇÖs deep domain expertise, we provide capital-intensive industries with a scalable, trusted data environment that delivers the insights you need to optimize assets, performance, and reliability. As partners, we are innovating to achieve operational excellence and empowering the workforce by unlocking new efficiency, safety, sustainability, and profitability levels.|[Help your energy customers transform with new Microsoft Azure Data Manager for Energy](https://blogs.partner.microsoft.com/partner/help-your-energy-customers-transform-with-new-microsoft-energy-data-services/)|

+> [What is Azure Data Manager for Energy?](overview-microsoft-energy-data-services.md)

+If you don't already have a certificate, you can create a sample certificate using the [step CLI](https://smallstep.com/docs/step-cli/installation/). Consider installing manually for Windows.

+## Event Hubs for Apache Kafka

+[Event Hubs for Apache Kafka ecosystems](azure-event-hubs-kafka-overview.md) furthermore enables [Apache Kafka (1.0 and later)](https://kafka.apache.org/) clients and applications to talk to Event Hubs. You don't need to set up, configure, and manage your own Kafka and Zookeeper clusters or use some Kafka-as-a-Service offering not native to Azure.

+## Schema Registry in Azure Event Hubs

+[Azure Schema Registry](schema-registry-overview.md) in Event Hubs provides a centralized repository for managing schemas of events streaming applications. Azure Schema Registry comes free with every Event Hubs namespace, and it integrates seamlessly with you Kafka applications or Event Hubs SDK based applications.

+It ensures data compatibility and consistency across event producers and consumers, enabling seamless schema evolution, validation, and governance, and promoting efficient data exchange and interoperability.

+The Azure Firewall engineering team updates the firewall on an as-needed basis (usually every month), generally during night time hours in the local time-zone for that region. Updates include security patches, bug fixes, and new feature roll outs that are applied by configuring the firewall in a [rolling update mode](https://blog.itaysk.com/2017/11/20/deployment-strategies-defined#rolling-upgrade). The firewall instances are put in a drain mode before reimaging them to give short-lived sessions time to drain. Long running sessions remaining on an instance after the drain period are dropped during the restart.

+ > **Get started**: Choose from one of these types of storage: [blobs](../../storage/blobs/storage-quickstart-blobs-dotnet.md), [tables](../../cosmos-db/tutorial-develop-table-dotnet.md), [queues](/azure/storage/queues/storage-quickstart-queues-dotnet?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli), or [files](../../storage/files/storage-dotnet-how-to-use-files.md).

+For more information, see [Get started with Azure Queue storage](/azure/storage/queues/storage/queues/storage-quickstart-queues-dotnet?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli).

+### VM types that support disk encryption

+| Size | vCPU | Memory: GiB |

+|-|--|-|

+| Standard_D4a_v4 | 4 | 16

+| Standard_D8a_v4 | 8 | 32

+| Standard_D16a_v4 | 16 | 64

+| Standard_D32a_v4 | 32 | 128

+| Standard_D48a_v4 | 48 | 192

+| Standard_D64a_v4 | 64 | 256

+| Standard_D96a_v4 | 96 | 384

+| Standard_E64is_v3 | 64 | 432

+| Standard_E20s_V3 | 20 | 160

+| Standard_E2s_V3 | 2 | 16

+| Standard_E2a_v4 | 2 | 16

+| Standard_E4a_v4 | 4 | 32

+| Standard_E8a_v4 | 8 | 64

+| Standard_E16a_v4 | 16 | 128

+| Standard_E20a_v4 | 20 | 160

+| Standard_E32a_v4 | 32 | 256

+| Standard_E48a_v4 | 48 | 384

+| Standard_E64a_v4 | 64 | 512

+| Standard_E96a_v4 | 96 | 672

+| Standard_DS3_v2 | 4 | 14

+| Standard_DS4_v2 | 8 | 28

+| Standard_DS5_v2 | 16 | 56

+| Standard_DS12_v2 | 4 | 28

+| Standard_DS13_v2 | 8 | 56

+| Standard_DS14_v2 | 16 | 112

+### Manage Ranger audit logs

+To prevent Ranger audit logs from consuming too much disk space on your hn0 headnode, you can change the number of days to retain the logs.

+1. Sign in to the **Ambari UI**.

+2. Navigate to **Services** > **Ranger** > **Configs** > **Advanced** > **Advanced ranger-solr-configuration**.

+3. Change the 'Max Retention Days' to 7 days or less.

+4. Select **Save** and restart affected components for the change to take effect.

+### Use a custom Ranger DB

+We recommend deploying an external Ranger DB to use with your ESP cluster for high availability of Ranger metadata, which ensures that policies are available even if the cluster is unavailable. Since an external database is customer-managed, you'll also have the ability to tune the DB size and share the database across multiple ESP clusters. You can specify your [external Ranger DB during the ESP cluster creation](/azure/hdinsight/hdinsight-hadoop-provision-linux-clusters) process using the Azure portal, Azure Resource Manager, Azure CLI, etc.

+### Set Ranger user sync to run daily

+HDInsight ESP clusters are configured for Ranger to synchronize AD users automatically every hour. The Ranger sync is a user sync and can cause extra load on the AD instance. For this reason, we recommend that you change the Ranger user sync interval to 24 hours.

+1. Sign in to the **Ambari UI**.

+2. Navigate to **Services** > **Ranger** > **Configs** > **Advanced** > **ranger-ugsync-site**

+3. Set property **ranger.usersync.sleeptimeinmillisbetweensynccycle** to 86400000 (24h in milliseconds).

+4. Select **Save** and restart affected components for the change to take effect.

+### Choose correct Azure AD DS SKU

+When creating your managed domain, [you can choose from different SKUs](/azure/active-directory-domain-services/administration-concepts#azure-ad-ds-skus) that offer varying levels of performance and features. The amount of ESP clusters and other applications that will be using the Azure AD-DS instance for authentication requests determines which SKU is appropriate for your organization. If you notice high CPU on your managed domain or your business requirements change, you can upgrade your SKU.

+### Consider Azure AD DS replica sets

+When you create an Azure AD DS managed domain, you define a unique namespace, and two domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set. [Adding additional replica sets](/azure/active-directory-domain-services/tutorial-create-replica-set) will provide resiliency and ensure availability of authentication services, which is critical for Azure HDInsight clusters.

+### Configure scoped user/group synchronization

+When you enable [Azure Active Directory Domain Services (Azure AD DS) for your ESP cluster](/azure/hdinsight/domain-joined/apache-domain-joined-create-configure-enterprise-security-cluster), you can choose to synchronize all users and groups from Azure AD or scoped groups and their members. We recommend that you choose "Scoped" synchronization for the best performance.

+[Scoped synchronization](/azure/active-directory-domain-services/scoped-synchronization) can be modified with different group selections or converted to "All" users and groups if needed. You can't change the synchronization type from "All" to "Scoped" unless you delete and recreate the Azure AD DS instance.

+### Set Ambari LDAP sync to run daily

+The process of syncing new LDAP users to Ambari is automatically configured to run every hour. Running this every hour can cause excess load on the cluster's headnodes and the AD instance. For improved performance, we recommend changing the /opt/startup_scripts/start_ambari_ldap_sync.py script that runs the Ambari LDAP sync to run once a day. This script is run through a crontab job, and it is stored the in the directory "/etc/cron.hourly/" on the cluster headnodes.

+To make it run once a day, perform the following steps:

+1. ssh to hn0

+2. Move the script to the cron daily folder: `sudo mv /etc/cron.hourly/ambarildapsync /etc/cron.daily/ambarildapsync`

+3. Apply the change in the crontab job: `sudo service cron reload`

+4. ssh to hn1 and repeat stepts 1 - 3

+If needed, you can [use the Ambari REST API to manually synchronize new users and groups](/azure/hdinsight/hdinsight-sync-aad-users-to-cluster#use-the-apache-ambari-rest-api-to-synchronize-users) immediately.

+### Generate domain user keytab(s)

+All service keytabs are automatically generated for you during the ESP cluster creation process. To enable secure communication between the cluster and other services and/or jobs that require authentication, you can generate a keytab for your domain username.

+Use the ktutil on one of the cluster VMs to create a Kerberos keytab:

+```

+ktutil

+ktutil: addent -password -p <username>@<DOMAIN.COM> -k 1 -e aes256-cts-hmac-sha1-96

+Password for <username>@<DOMAIN.COM>: <password>

+ktutil: wkt <username>.keytab

+ktutil: q

+```

+If your TenantName & DomainName are different, you need to add a SALT value using the -s option. Check the HDInsight FAQ page to [determine the proper SALT value when creating a Kerberos keytab](/azure/hdinsight/hdinsight-faq#how-do-i-create-a-keytab-for-an-hdinsight-esp-cluster-).

+### LDAP certificate renewal

+HDInsight will automatically renew the certificates for the managed identities you use for clusters with the Enterprise Security Package (ESP). However, there is a limitation when different managed identities are used for Azure AD DS and ADLS Gen2 that could cause the renewal process to fail. Follow the 2 recommendations below to ensure we are able to renew your certificates successfully:

+- If you use different managed identities for ADLS Gen2 and Azure AD DS clusters, then both of them should have the **Storage blob data Owner** and **HDInsight Domain Services Contributor** roles assigned to them.

+- HDInsight clusters require public IPs for certificate updates and other maintenance so **any policies that deny public IP on the cluster should be removed**.

+## Verify Accelerated Writes feature was enabled

+You can use the Azure portal to verify if the Accelerated Writes feature is enabled on an HBASE cluster.

+1. Search for your HBASE cluster in the Azure portal.

+2. Select the **Cluster Size** blade.

+3. **Premium disks per worker node** will be displayed.

+## Scaling HBASE clusters

+This article describes troubleshooting steps and possible resolutions for issues when interacting with Azure HDInsight clusters. If you are using hbase-2.x, see [How to use Apache HBase HBCK2 tool](./how-to-use-hbck2-tool.md)

+## Scenario: `Master startup cannot progress, in holding-pattern until region comes online`

+HMaster checks the WAL directory on the region servers before bringing back the **OPEN** regions online. In this case, if that directory wasn't present, it was not getting started

+If you're using hbase-2.x, see more information in [how to use hbck2 to assign namespace and meta table](how-to-use-hbck2-tool.md#assign-and-unassign)

+Check the call stack and try to determine which folder might be causing the problem (for instance, it might be the WAL folder or the .tmp folder). Then, in Azure Storage Explorer or by using HDFS commands, try to locate the problem file. Usually, this file is called `*-renamePending.json`. (The `*-renamePending.json` file is a journal file that's used to implement the atomic rename operation in the WASB driver. Due to bugs in this implementation, these files can be left over after process crashes, and so on.) Force-delete this file either in Cloud Explorer or by using HDFS commands.

+Sometimes, there might also be a temporary file named something like `$$$.$$$` at this location. You have to use HDFS `ls` command to see this file; you can't see the file in Azure Storage Explorer. To delete this file, use the HDFS command `hdfs dfs -rm /\<path>\/\$\$\$.\$\$\$`.

+You might see a message that indicates that the `hbase: meta` table isn't online. Running `hbck` might report that `hbase: meta table replicaId 0 is not found on any region.` In the HMaster logs, you might see the message: `No server address listed in hbase: meta for region hbase: backup <region name>`.

+HMaster couldn't initialize after restarting HBase.

+## Scenario: `java.io.IOException: Timedout`

+You might experience this issue if you have many tables and regions that haven't been flushed when you restart your HMaster services. The time-out is a known defect with HMaster. General cluster startup tasks can take a long time. HMaster shuts down if the namespace table isnΓÇÖt yet assigned. The lengthy startup tasks happen where large amount of unflushed data exists and a timeout of five minutes isn't sufficient.

+Long `regionserver` JVM GC pause. The pause causes `regionserver` to be unresponsive and not able to send heart beat to HMaster within the zookeeper session timeout 40s. HMaster believes `regionserver` is dead, aborts the `regionserver` and restarts.

+If you created an HDInsight cluster with Data Lake Storage as additional storage and Azure Storage Blob as default storage, you should first copy over some sample data to the Data Lake Storage account. You can use the sample data from the Azure Storage Blob associated with the HDInsight cluster.

+# Selectable search parameter capability

+ "PatientId": "patient1",

+ > To avoid device spoofing in device-to-cloud (D2C) messages, Azure IoT Hub enriches all device messages with additional properties before routing them to the event hub. For example: **SystemProperties**: `iothub-connection-device-id` and **Properties**: `iothub-creation-time-utc`. For more information, see [Anti-spoofing properties](../../iot-hub/iot-hub-devguide-messages-construct.md#anti-spoofing-properties) and [How to use IotJsonPathContent templates with the MedTech service device mapping](how-to-use-iotjsonpathcontent-templates.md).

+ "HeartRate": "78"

+## IotJsonPathContent

+[Single device message into multiple resources](https://github.com/Azure-Samples/azure-health-data-services-samples/tree/main/samples/medtech-service-mappings/iotjsonpathcontent/single-device-message-into-multiple-resources)

+[Azure Policy](../../governance/policy/index.yml) is a governance tool that gives users the ability to audit and manage their Azure environment at scale. Azure Policy provides the ability to place guardrails on Azure resources to ensure they're compliant with assigned policy rules. It allows users to perform audit, real-time enforcement, and remediation of their Azure environment. The results of audits performed by policy will be available to users in a compliance dashboard where they'll be able to see a drill down of which resources and components are compliant and which aren't. For more information, see the [Overview of the Azure Policy service](../../governance/policy/overview.md).

+- You want to improve the security posture of your company by implementing requirements around minimum key sizes and maximum validity periods of certificates in your company's key vaults but you don't know which teams will be compliant and which aren't.

+- You currently don't have a solution to perform an audit across your organization, or you're conducting manual audits of your environment by asking individual teams within your organization to report their compliance. You're looking for a way to automate this task, perform audits in real time, and guarantee the accuracy of the audit.

+- You're relying on a 3rd party solution for auditing your environment and you want to use an internal Microsoft offering.

+When enforcing a policy, you can determine its effect over the resulting evaluation. Each policy definition allows you to choose one of multiple effects. Therefore, policy enforcement may behave differently depending on the type of operation you're evaluating. In general, the effects for policies that integrate with Key Vault include:

+- [**Audit**](../../governance/policy/concepts/effects.md#audit): when the effect of a policy is set to `Audit`, the policy won't cause any breaking changes to your environment. It will only alert you to components such as certificates that don't comply with the policy definitions within a specified scope, by marking these components as non-compliant in the policy compliance dashboard. Audit is default if no policy effect is selected.

+- [**Deny**](../../governance/policy/concepts/effects.md#deny): when the effect of a policy is set to `Deny`, the policy will block the creation of new components such as certificates as well as block new versions of existing components that don't comply with the policy definition. Existing non-compliant resources within a key vault aren't affected. The 'audit' capabilities will continue to operate.

+- [**Disabled**](../../governance/policy/concepts/effects.md#disabled): when the effect of a policy is set to `Disabled`, the policy will still be evaluated but enforcement won't take effect, thus being compliant for the condition with `Disabled` effect. This is useful to disable the policy for a specific condition as opposed to all conditions.

+- [**Modify**](../../governance/policy/concepts/effects.md#modify): when the effect of a policy is set to `Modify`, you can perform addition of resource tags, such as adding the `Deny` tag to a network. This is useful to disable access to a public network for Azure Key Vault managed HSM. It's necessary to [configure a manage identity](../../governance/policy/how-to/remediate-resources.md?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `Modify` effect.

+- [**DeployIfNotExists**](../../governance/policy/concepts/effects.md#deployifnotexists): when the effect of a policy is set to `DeployIfNotExists`, a deployment template is executed when the condition is met. This can be used to configure diagnostic settings for Key Vault to log analytics workspace. It's necessary to [configure a manage identity](../../governance/policy/how-to/remediate-resources.md?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `DeployIfNotExists` effect.

+- [**AuditIfNotExists**](../../governance/policy/concepts/effects.md#deployifnotexists): when the effect of a policy is set to `AuditIfNotExists`, you can identify resources that lack the properties specified in the details of the policy condition. This is useful to identify key vaults that have no resource logs enabled. It's necessary to [configure a manage identity](../../governance/policy/how-to/remediate-resources.md?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `DeployIfNotExists` effect.

+Reduce the risk of data leakage by restricting public network access, enabling [Azure Private Link](https://azure.microsoft.com/products/private-link/) connections, creating private DNS zones to override DNS resolution for a private endpoint, and enabling [firewall protection](network-security.md) so that the key vault isn't accessible by default to any public IP.

+> It's recommended to apply [the certificate expiration policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff772fb64-8e40-40ad-87bc-7706e1949427) multiple times with different expiration thresholds, for example, at 180, 90, 60, and 30-day thresholds.

+An HSM is a hardware security module that stores keys. An HSM provides a physical layer of protection for cryptographic keys. The cryptographic key can't leave a physical HSM which provides a greater level of security than a software key. Some organizations have compliance requirements that mandate the use of HSM keys. You can use this policy to audit any keys stored in your Key Vault that isn't HSM backed. You can also use this policy to block the creation of new keys that aren't HSM backed. This policy will apply to all key types, including RSA and ECC.

+With lifecycle management built-ins you can flag or block keys that don't have an expiration date, get alerts whenever delays in key rotation may result in an outage, prevent the creation of new keys that are close to their expiration date, limit the lifetime and active status of keys to drive key rotation, and preventing keys from being active for more than a specified number of days.

+| [Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd8cf8476-a2ec-4916-896e-992351803c44) | Audit (_Default_), Disabled

+Restrict the type of your Key Vault's keys to be RSA, ECC, or HSM-backed. If you use elliptic curve cryptography or ECC keys, you can customize and select curve names such as P-256, P-256K, P-384, and P-521. If you use RSA keys, you can mandate the use of a minimum key size for current and new keys to be 2048 bits, 3072 bits, or 4096 bits. Keep in mind that using RSA keys with smaller key sizes isn't a secure design practice, thus it is recommended to block the creation of new keys that don't meet the minimum size requirement.

+With lifecycle management built-ins you can flag or block secrets that don't have an expiration date, get alerts whenever delays in secret rotation may result in an outage, prevent the creation of new keys that are close to their expiration date, limit the lifetime and active status of keys to drive key rotation, and preventing keys from being active for more than a specified number of days.

+1. You contact the owners of these certificates and communicate the new security requirement that certificates can't be valid for longer than 2 years. Some teams respond and 15 of the certificates were renewed with a maximum validity period of 2 years or less. Other teams don't respond, and you still have 5 non-compliant certificates in your key vault.

+1. You change the effect of the policy you assigned to "deny". The 5 non-compliant certificates aren't revoked, and they continue to function. However, they can't be renewed with a validity period that is greater than 2 years.

+- The policy valuation hasn't completed yet. Initial evaluation latency can take up to 2 hours in the worst-case scenario.

+[Azure Key Vault](overview.md) is automatically tied to the default [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) tenant ID for the subscription in which it is created. You can find tenant ID associated with your subscription by following this [guide](/azure/active-directory-b2c/tenant-management-read-tenant-name). All access policy entries and roles assignments are also tied to this tenant ID. If you move your Azure subscription from tenant A to tenant B, your existing key vaults will be inaccessible by the service principals (users and applications) in tenant B. To fix this issue, you need to:

+- [How to find tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name)

+## July 2023

+Built-in policy to govern the key rotation configuration in Azure Key Vault. With this policy, you can audit existing keys in key vaults to ensure that all keys are configured for rotation and comply with your organization's standards.

+For more information, see [Configure key rotation governance](../keys/how-to-configure-key-rotation.md#configure-key-rotation-policy-governance)

+## Configure key rotation policy governance

+Using the Azure Policy service, you can govern the key lifecycle and ensure that all keys are configured to rotate within a specified number of days.

+### Create and assign policy definition

+1. Navigate to Policy resource

+1. Select **Assignments** under **Authoring** on the left side of the Azure Policy page.

+1. Select **Assign policy** at the top of the page. This button opens to the Policy assignment page.

+1. Enter the following information:

+ - Define the scope of the policy by choosing the subscription and resource group over which the policy will be enforced. Select by clicking the three-dot button at on **Scope** field.

+ - Select the name of the policy definition: "[Keys should have a rotation policy ensuring that their rotation is scheduled within the specified number of days after creation.

+](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd8cf8476-a2ec-4916-896e-992351803c44)"

+ - Go to the **Parameters** tab at the top of the page and define the desired effect of the policy (Audit, or Disabled).

+1. Fill out any additional fields. Navigate the tabs clicking on **Previous** and **Next** buttons at the bottom of the page.

+1. Select **Review + create**

+1. Select **Create**

+Once the built-in policy is assigned, it can take up to 24 hours to complete the scan. After the scan is completed, you can see compliance results like below.

+> Importing RSA 1,024-bit keys is not supported. Importing EC-HSM P256K keys is supported.

+> US Central, US East, West US 2, Switzerland North, West Europe, Central India, Canada Central, Canada East, Japan West, Qatar Central, Poland Central and US West Central cannot be extended as a secondary region at this time.

+The [Azure Private Link feature](private-link.md) allows you to access the Managed HSM service over a private endpoint in your virtual network. You would configure private endpoint on the Managed HSM in the primary region just as you would when not using the multi-region replication feature. For the Managed HSM in the secondary region, it is recommended to create another private endpoint once the Managed HSM in the primary region is replicated to the Managed HSM in the secondary region. This will redirect client requests to the Managed HSM closest to the client location.

+>[!IMPORTANT]

+>For load tests with more than 45 engine instances or a greater than 3-hour test run duration, the results file will not be available for download. You can configure a [JMeter Backend Listener](#export-test-results-using-jmeter-backend-listeners) to export the results to a data store of your choice.

+## Export test results using JMeter Backend Listeners

+You can use [JMeter Backend Listeners](https://jmeter.apache.org/usermanual/component_reference.html#Backend_Listener) to export test results to databases like InfluxDB, MySQL or monitoring tools like AppInsights.

+You can use the backend listeners available by default in JMeter, backend listeners from [jmeter-plugins.org](https://jmeter-plugins.org), or a custom backend listener in the form of a Java archive (JAR) file.

+A sample JMeter script that uses a [backend listener for Azure Application Insights](https://github.com/adrianmo/jmeter-backend-azure) is available [here](https://github.com/Azure-Samples/azure-load-testing-samples/tree/main/jmeter-backend-listeners).

+The following code snippet shows an example of a backend listener, for Azure Application Insights, in a JMX file:

+| Listeners | Azure Load Testing ignores all [Results Collectors](https://jmeter.apache.org/api/org/apache/jmeter/reporters/ResultCollector.html), which includes visualizers such as the [results tree](https://jmeter.apache.org/usermanual/component_reference.html#View_Results_Tree) or [graph results](https://jmeter.apache.org/usermanual/component_reference.html#Graph_Results). | |

+| Engine instances per test run | 1-45 <sup>1</sup> | 400 |

+| Test duration | 3 hours <sup>2</sup> | 24 |

+1. Open your Application Insights resource in the Azure Portal. The __Overview__ tab may or may not have a Workspace property. If it _doesn't_ have the property, perform step 2. If it _does_, then you can proceed directly to step 3.

+ > [!TIP]

+ > New workspaces create a workspace-based Application Insights resource by default. If your workspace was recently created, then you would not need to perform step 2.

+

+1. Upgrade the Application Insights instance for your workspace. For steps on how to upgrade, see [Migrate to workspace-based Application Insights resources](/azure/azure-monitor/app/convert-classic-resource).

+As with CQLSH, connecting from an application using one of the supported [Apache Cassandra client drivers](https://cassandra.apache.org/doc/latest/cassandra/getting_started/drivers.html) requires SSL encryption to be enabled, and certification verification to be disabled. See samples for connecting to Azure Managed Instance for Apache Cassandra using [Java](https://github.com/Azure-Samples/azure-cassandra-mi-java-v4-getting-started), [.NET](https://github.com/Azure-Samples/azure-cassandra-mi-dotnet-core-getting-started), and [Python](https://github.com/Azure-Samples/azure-cassandra-mi-python-v4-getting-started).

+As with CQLSH, connecting from an application using one of the supported [Apache Cassandra client drivers](https://cassandra.apache.org/doc/latest/cassandra/getting_started/drivers.html) requires SSL encryption to be enabled, and certification verification to be disabled. See samples for connecting to Azure Managed Instance for Apache Cassandra using [Java](https://github.com/Azure-Samples/azure-cassandra-mi-java-v4-getting-started), [.NET](https://github.com/Azure-Samples/azure-cassandra-mi-dotnet-core-getting-started), and [Python](https://github.com/Azure-Samples/azure-cassandra-mi-python-v4-getting-started).

+ UnifiedAgent.exe /Role "MS" /Platform "VmWare" /Silent /CSType CSLegacy

+ sudo ./install -r MS -v VmWare -q -c CSLegacy

+ /usr/local/ASR/Vx/bin/UnifiedAgentConfigurator.sh -i <replication appliance IP address> -P <Passphrase File Path> -c CSLegacy

+> [!IMPORTANT]

+>When using CLI for creating in-region read replica from a source server with private access, the source server network settings are carried over. The private access input parameters, such as "private-dns-zone", "subnet" and "vnet" are ignored and in-region read-replica is created with same private access settings as the source server

+ Title: Monitor network connectivity using Azure Monitor agent

+description: Learn how to use Azure Monitor agent to monitor network connectivity with Network Watcher connection monitor.

+# Monitor network connectivity using Azure Monitor agent with connection monitor

+Connection monitor supports the Azure Monitor agent extension, which eliminates any dependency on the legacy Log Analytics agent.

+Azure Monitor agent consolidates all the features necessary to address connectivity logs and metrics data collection needs across Azure and on-premises machines compared to running various monitoring agents.

+Azure Monitor agent provides the following benefits:

+For more information, see [Azure Monitor agent](../azure-monitor/agents/agents-overview.md).

+To start using connection monitor for monitoring, follow these steps:

+The following sections provide details on the installation of monitoring agents. For more information, see [Monitor network connectivity using Connection monitor](connection-monitor-overview.md).

+Connection monitor relies on lightweight executable files to run connectivity checks. It supports connectivity checks from both Azure and on-premises environments. The executable file that you use depends on whether your virtual machine (VM) is hosted on Azure or on-premises.

+To install agents for Azure virtual machines and Virtual Machine Scale Sets, see the "Agents for Azure virtual machines and Virtual Machine Scale Sets" section of [Monitor network connectivity using Connection monitor](connection-monitor-overview.md#agents-for-azure-virtual-machines-and-virtual-machine-scale-sets).

+To make connection monitor recognize your on-premises machines as sources for monitoring, follow these steps:

+ This agent doesn't deliver any other functionality, and it doesn't replace Azure Monitor agent. The Azure Connected Machine agent simply enables you to manage the Windows and Linux machines that are hosted outside of Azure on your corporate network or other cloud providers.

+* [Install Azure Monitor agent](../azure-monitor/agents/agents-overview.md) to enable the Network Watcher extension.

+ The agent collects monitoring logs and data from the hybrid sources and delivers them to Azure Monitor.

+### Enable the Network Performance Monitor solution for on-premises machines

+To enable the Network Performance Monitor solution for on-premises machines, follow these steps:

+1. In the Azure portal, go to **Network Watcher**.

+1. Under **Monitoring**, select **Network Performance Monitor**. A list of workspaces with Network Performance Monitor solution enabled is displayed, filtered by **Subscriptions**.

+1. To add the Network Performance Monitor solution in a new workspace, select **Add NPM**.

+1. In **Enable Non-Azure**, select the subscription and workspace in which you want to enable the solution, and then select **Create**.

+

+ After you've enabled the solution, the workspace takes a couple of minutes to be displayed.

+Unlike Log Analytics agents, the Network Performance Monitor solution can be configured to send data only to a single Log Analytics workspace.

+If you wish to escape the installation process for enabling the Network Watcher extension, you can proceed with the creation of connection monitor and allow auto enablement of monitoring solution on your on-premises machines.

+Azure Monitor agent can coexist with, or run side by side on the same machine with, the legacy Log Analytics agent. You can continue to use their existing functionality during evaluation or migration.

+Although this coexistence allows you to begin the transition, there are certain limitations that you need to consider:

+* Don't collect duplicate data, because it could alter query results and affect downstream features such as alerts, dashboards, or workbooks.

+ For example, the VM insights feature uses the Log Analytics agent to send performance data to a Log Analytics workspace. You might also have configured the workspace to collect Windows events and Syslog events from agents. If you install Azure Monitor agent and create a data collection rule for the same events and performance data, it will result in duplicate data. Ensure that you're not collecting the same data from both agents. If you're collecting duplicate data, make sure that it's coming from different machines or going to separate destinations.

+ If you need to add Network Performance Monitor to your workspace, get it from Azure Marketplace. For information about how to add Network Performance Monitor, see [Monitoring solutions in Azure Monitor](/previous-versions/azure/azure-monitor/insights/solutions). For information about how to configure agents for on-premises machines, see [Agents for on-premises machines](connection-monitor-overview.md#agents-for-on-premises-machines).

+$nw = Get-AzResource | Where {$_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "WestCentralUS" }

+$networkWatcher = Get-AzNetworkWatcher -Name $nw.Name -ResourceGroupName $nw.ResourceGroupName

+You have the flexibility to choose between managed modem or virtual RF functionality using the Azure Orbital Ground Station service. These operational modes are specified on a per-channel basis in the contact profile. See [ground station contact profile](concepts-contact-profile.md) to learn more about channels and links.

+We recommend taking advantage of Azure Orbital Ground Station's managed modem functionality, if possible. The modem is managed by the service and is inserted between your endpoint and the incoming or outgoing virtual RF stream for each pass. You can specify the modem setup using your modem configuration file or apply one of the in-built named modem configurations for commonly used public satellites such as Aqua.

+Virtual RF delivery can be used if you wish to have tighter control on the modem setup or bring your own modem to the Azure resource group. Azure Orbital Ground Station will connect to your channel endpoint that is specified in the contact profile.

+> The endpoint specified for the channel will apply to whichever option is selected. Please review [how to prepare network](prepare-network.md) for more details on setting up endpoints.

+### Full-duplex cases

+You can enter your existing modem config when creating a contact profile object or add it in later. Modifications to existing modem configs are also allowed.

+#### Entering the modem config using the Azure Orbital Ground Station API

+#### Entering the modem config using the Azure Portal

+We currently support the following named modem configurations:

+| Aqua Direct Broadcast | aqua_direct_broadcast | This is NASA Aqua 15-Mbps direct broadcast service |

+| Aqua Direct Playback | aqua_direct_playback | This is NASA Aqua 150-Mbps direct broadcast service |

+| Terra Direct Broadcast | terra_direct_broadcast | This is NASA Terra 13.125-Mbps direct broadcast service |

+> Azure Orbital Ground Station does not have control over the downlink schedules for these public satellites. NASA conducts their own operations which may interrupt downlink availabilities.

+#### Specifying a named modem configuration using the Azure Orbital Ground Station API

+#### Specifying a named modem configuration using the Azure Portal

+If the offer isn't displayed, contact [Confluent support](https://support.confluent.io). Your Azure Active Directory tenant ID must be on the list of allowed tenants. To learn how to find your tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name).

+See [Peering Service partners](location-partners.md) for a complete list of Peering Service providers.

+## Frequently asked questions (FAQ)

+|SKU Name |Storage Size in GiB |32 |64 |128 |256 |512 |1,024|2,048|4,096|8,192 |16,384|32767 |

+|SKU Name |Storage Size, GiB |32 |64 |128 |256 |512 |1,024 |2,048 |4,096 |8,192 |16,384|32,767|

+> Using custom RBAC role to restart server please make sure that in addition to Microsoft.DBforPostgreSQL/flexibleServers/restart/action permission this role also has Microsoft.DbforPostgreSQL/servers/read permission granted to it.

+ | 1 | Local Dashboards | When a web proxy is enabled on the Azure Stack Edge appliance that the packet core is running on and Azure Active Directory is used to authenticate access to AP5GC Local Dashboards, the traffic to Azure Active Directory does not transmit via the web proxy. If there is a firewall blocking traffic that does not go via the web proxy then enabling Azure Active Directory will cause the packet core install to fail. | Disable Azure Active Directory and use password based authentication to authenticate access to AP5GC Local Dashboards instead. |

+General information about running SAP Business Suite on Oracle can be found in the [<u>SAP on Oracle community page</u>](https://www.sap.com/community/topic/oracle.html). SAP on Oracle on Azure is only supported on Oracle Linux (and not Suse or Red Hat) for application and database servers.

+ASCS/ERS servers can use RHEL/SUSE because Oracle client isn't installed or used on these VMs. Application Servers (PAS/AAS) shouldn't be installed on these VMs. Refer to SAP Note [3074643 - OLNX: FAQ: if Pacemaker for Oracle Linux is supported in SAP Environment](https://me.sap.com/notes/3074643). Oracle RAC isn't supported on Azure because RAC would require Multicast networking.

+ is used and not UDEV. UDEV is required for multiple SANs, a scenario that doesn't exist on Azure

+Disk performance can be monitored from inside Oracle Enterprise Manager and via external tools. Documentation, which might help is available here:

+Oracle DBAs that aren't familiar with Oracle ASM follow the training materials and resources here:

+- [Oracle for SAP Development Update (May 2022)](https://www.oracle.com/a/ocom/docs/sap-on-oracle-dev-update.pdf)

+ASM is the default recommendation from Oracle for all SAP systems of any size on Azure. Performance, Reliability and Support are better for customers using ASM. Oracle provides documentation and training for DBAs to transition to ASM and every customer who has migrated to ASM has been pleased with the benefits. In cases where the Oracle DBA team doesn't follow the recommendation from Oracle, Microsoft and SAP to use ASM the following LVM configuration should be used.

+2. There's no support for ASM on Windows. Windows Storage Spaces should be used to aggregate disks for optimal performance

+At the time, of writing ASM for Windows customers on Azure isn't supported. SWPM for Windows doesn't support ASM currently. VLDB SAP on Oracle migrations to Azure have required ASM and have therefore selected Oracle Linux.

+- July 25, 2023: Adding reference to SAP Note #3074643 to [Azure Virtual Machines Oracle DBMS deployment for SAP workload](./dbms-guide-oracle.md)

+- July 13, 2023: Replaced links in ANF section of [Azure Virtual Machines Oracle DBMS deployment for SAP workload](./dbms-guide-oracle.md) to new ANF related documentation

+| [Vector search sample](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/search/Azure.Search.Documents/samples/Sample07_VectorSearch.md) | Shows you how to index a vector field and perform vector search using the Azure SDK for .NET. Vector search is in preview. A beta version of azure.search.documents provides support for this preview feature. |

+| [DotNetHowToEncryptionUsingCMK](https://github.com/Azure-Samples/search-dotnet-getting-started/tree/master/DotNetHowToEncryptionUsingCMK) | [How to configure customer-managed keys for data encryption](search-security-manage-encryption-keys.md) | Shows how to create objects that are encrypted with a Customer Key. |

+## Accelerators

+An accelerator is an end-to-end solution that includes code and documentation that you can adapt for your own implementation of a specific scenario.

+| Samples | Repository | Description |

+|||-|

+| [Search + QnA Maker Accelerator](https://github.com/Azure-Samples/search-qna-maker-accelerator) | [search-qna-maker-accelerator](https://github.com/Azure-Samples/search-qna-maker-accelerator)| A [solution](https://techcommunity.microsoft.com/t5/azure-ai/qna-with-azure-cognitive-search/ba-p/2081381) combining the power of Search and QnA Maker. See the live [demo site](https://aka.ms/qnaWithAzureSearchDemo). |

+| [Knowledge Mining Solution Accelerator](/samples/azure-samples/azure-search-knowledge-mining/azure-search-knowledge-mining/) | [azure-search-knowledge-mining](https://github.com/azure-samples/azure-search-knowledge-mining/tree/main/) | Includes templates, support files, and analytical reports to help you prototype an end-to-end knowledge mining solution. |

+## Demos

+A demo repo provides proof-of-concept source code for examples or scenarios shown in demonstrations. Demo solutions aren't designed for adaptation by customers.

+| Samples | Repository | Description |

+|||-|

+| [Covid-19 search app](https://github.com/liamc) | [covid19search](https://github.com/liamca/covid19search) | Source code repository for the Cognitive Search based [Covid-19 Search App](https://covid19search.azurewebsites.net/) |

+| [JFK demo](https://github.com/Microsoft/AzureSearch_JFK_Files/blob/master/README.md) | [AzureSearch_JFK_Files](https://github.com/Microsoft/AzureSearch_JFK_Files) | Learn more about the [JFK solution](https://www.microsoft.com/ai/ai-lab-jfk-files). |

+| Samples | Repository | Description |

+|||-|

+| [Check storage](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/check-storage-usage/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | Invokes an Azure function that checks search service storage on a schedule. |

+| [Export an index](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/export-dat) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | C# console app that partitions and export a large index. |

+| [Backup and restore an index](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/index-backup-restore/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | C# console app that copies an index from one service to another, and in the process, creates JSON files on your computer with the index schema and documents.|

+| [Index Data Lake Gen2 using Azure AD](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | Source code demonstrating indexer connections and indexing of Azure Data Lake Gen2 files and folders that are secured through Azure AD and role-based access controls. |

+| [Search aggregations](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/search-aggregations/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | Proof-of-concept source code that demonstrates how to obtain aggregations from a search index and then filter by them. |

+| [Query multiple services](https://github.com/Azure-Samples/azure-search-dotnet-samples/tree/main/multiple-search-services) | [azure-search-dotnet-samples](https://github.com/Azure-Samples/azure-search-dotnet-samples) | Issue a single query across multiple search services and combine the results into a single page. |

+| [Power Skills](https://github.com/Azure-Samples/azure-search-power-skills/blob/main/README.md) | [azure-search-power-skills](https://github.com/Azure-Samples/azure-search-power-skills) | Source code for consumable custom skills that you can incorporate in your won solutions. |

+For a code sample in C#, see [Index Data Lake Gen2 using Azure AD](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) on GitHub.

+> For a code example in C#, see [Index Data Lake Gen2 using Azure AD](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) on GitHub.

+* [C# Example: Index Data Lake Gen2 using Azure AD (GitHub)](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md)

+| Switch tiers | In-place upgrades aren't supported. If you require more capacity, you must create a new service and rebuild your indexes from scratch. To help automate this process, you can use the **index-backup-restore** sample code in this [Azure Cognitive Search .NET sample repo](https://github.com/Azure-Samples/azure-search-dotnet-utilities). This app will back up your index to a series of JSON files, and then recreate the index in a search service you specify.|

+A business continuity strategy for the data layer usually includes a restore-from-backup step. Because Azure Cognitive Search isn't a primary data storage solution, Microsoft doesn't provide a formal mechanism for self-service backup and restore. However, you can use the **index-backup-restore** sample code in this [Azure Cognitive Search .NET sample repo](https://github.com/Azure-Samples/azure-search-dotnet-utilities) to back up your index definition and snapshot to a series of JSON files, and then use these files to restore the index, if needed. This tool can also move indexes between service tiers.

+Once he clicks on the analysis view from the icon menu selection (file with magnifying glass), he is taken to a list of generated threats the Threat Modeling Tool found based on the default template, which uses the SDL approach called **[STRIDE (Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service and Elevation of Privilege)](https://en.wikipedia.org/wiki/STRIDE_(security))**. The idea is that software comes under a predictable set of threats, which can be found using these 6 categories.

+Send your questions, comments and concerns to tmtextsupport@microsoft.com. **[Download](https://aka.ms/threatmodelingtool)** the Threat Modeling Tool to get started.

+For Microsoft Sentinel feature availability in Azure, Azure Government, and Azure China 21 Vianet, see [Microsoft Sentinel feature support for Azure clouds](../../sentinel/feature-availability.md).

+1. Type your Microsoft tenant ID. Learn how to [find your tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name).

+[Learn more about the integration](https://argos-security.io/faq/)

+ - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: ``` https://CustomerId.ods.opinsights.azure.us ```.

+ [Follow these instructions](https://support.holmsecurity.com/knowledge/how-do-i-set-up-an-api-token) to create an API authentication token.

+ Title: Microsoft Sentinel feature support for Azure clouds

+# Microsoft Sentinel feature support for Azure clouds

+This article describes the features available in Microsoft Sentinel across different Azure environments. Features are listed as GA (generally available), public preview, or shown as not available.

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Analytics rules health](monitor-analytics-rule-integrity.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[MITRE ATT&CK dashboard](mitre-coverage.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[NRT rules](near-real-time-rules.md) |Public preview |&#x2705; |&#x2705; |&#x2705; |

+|[Recommendations](detection-tuning.md) |Public preview |&#x2705; |&#x2705; |&#10060; |

+|[Scheduled](detect-threats-built-in.md) and [Microsoft rules](create-incidents-from-alerts.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Content hub](sentinel-solutions.md) and [solutions](sentinel-solutions-catalog.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Repositories](ci-cd.md?tabs=github) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[Workbooks](monitor-your-data.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Amazon Web Services](connect-aws.md?tabs=ct) |GA |&#x2705; |&#10060; |&#10060; |

+|[Amazon Web Services S3 (Preview)](connect-aws.md?tabs=s3) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[Azure Active Directory](connect-azure-active-directory.md) |GA |&#x2705; |&#x2705;|&#x2705; <sup>[1](#logsavailable)</sup> |

+|[Azure Active Directory Identity Protection](connect-services-api-based.md) |GA |&#x2705;| &#x2705; |&#10060; |

+|[Azure Activity](data-connectors/azure-activity.md) |GA |&#x2705;| &#x2705;|&#x2705; |

+|[Azure DDoS Protection](connect-services-diagnostic-setting-based.md) |GA |&#x2705;| &#x2705;|&#10060; |

+|[Azure Firewall](data-connectors/azure-firewall.md) |GA |&#x2705;| &#x2705;|&#x2705; |

+|[Azure Information Protection (Preview)](data-connectors/azure-information-protection.md) |Deprecated |&#10060; |&#10060; |&#10060; |

+|[Azure Key Vault](data-connectors/azure-key-vault.md) |Public preview |&#x2705; |&#x2705;|&#x2705; |

+|[Azure Kubernetes Service (AKS)](data-connectors/azure-kubernetes-service-aks.md) |Public preview |&#x2705;| &#x2705;|&#x2705; |

+|[Azure SQL Databases](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-sql-solution-query-deep-dive/ba-p/2597961) |GA |&#x2705; |&#x2705;|&#x2705; |

+|[Azure Web Application Firewall (WAF)](data-connectors/azure-web-application-firewall-waf.md) |GA |&#x2705; |&#x2705;|&#x2705; |

+|[Cisco ASA](data-connectors/cisco-asa.md) |GA |&#x2705; |&#x2705;|&#x2705; |

+|[Codeless Connectors Platform](create-codeless-connector.md?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal) |Public preview |&#x2705; |&#10060;|&#10060; |

+|[Common Event Format (CEF)](connect-common-event-format.md) |GA |&#x2705; |&#x2705;|&#x2705; |

+|[Common Event Format (CEF) via AMA (Preview)](connect-cef-ama.md) |Public preview |&#x2705;|&#10060; |&#x2705; |

+|[DNS](data-connectors/dns.md) |Public preview |&#x2705;| &#10060; |&#x2705; |

+|[GCP Pub/Sub Audit Logs](connect-google-cloud-platform.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[Microsoft 365 Defender](connect-microsoft-365-defender.md?tabs=MDE) |GA |&#x2705;| &#x2705;|&#10060; |

+|[Microsoft Purview Insider Risk Management (Preview)](sentinel-solutions-catalog.md#domain-solutions) |Public preview |&#x2705; |&#x2705;|&#10060; |

+|[Microsoft Defender for Cloud](connect-defender-for-cloud.md) |GA |&#x2705; |&#x2705; |&#x2705;|

+|[Microsoft Defender for IoT](connect-services-api-based.md) |GA |&#x2705;|&#x2705;|&#10060; |

+|[Microsoft Power BI (Preview)](data-connectors/microsoft-powerbi.md) |Public preview |&#x2705; |&#x2705;|&#10060; |

+|[Microsoft Project (Preview)](data-connectors/microsoft-project.md) |Public preview |&#x2705; |&#x2705;|&#10060; |

+|[Microsoft Purview (Preview)](connect-services-diagnostic-setting-based.md) |Public preview |&#x2705;|&#10060; |&#10060; |

+|[Microsoft Purview Information Protection](connect-microsoft-purview.md) |Public preview |&#x2705;| &#10060;|&#10060; |

+|[Office 365](connect-services-api-based.md) |GA |&#x2705;|&#x2705; |&#x2705; |

+|[Security Events via Legacy Agent](connect-services-windows-based.md#log-analytics-agent-legacy) |GA |&#x2705; |&#x2705;|&#x2705; |

+|[Syslog](connect-syslog.md) |GA |&#x2705;| &#x2705;|&#x2705; |

+|[Windows DNS Events via AMA (Preview)](connect-dns-ama.md) |Public preview |&#x2705; |&#10060;|&#10060; |

+|[Windows Firewall](data-connectors/windows-firewall.md) |GA |&#x2705; |&#x2705;|&#x2705; |

+|[Windows Forwarded Events](connect-services-windows-based.md) |GA |&#x2705;|&#x2705; |&#x2705; |

+|[Windows Security Events via AMA](connect-services-windows-based.md) |GA |&#x2705; |&#x2705;|&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Bookmarks](bookmarks.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Hunts](hunts.md) |Public preview|&#x2705; |&#10060; |&#10060; |

+|[Livestream](livestream.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Queries](hunts.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Restore historical data](restore.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Search large datasets](search-jobs.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Add entities to threat intelligence](add-entity-to-threat-intelligence.md?tabs=incidents) |Public preview |&#x2705; |&#x2705; |&#10060; |

+|[Advanced and/or conditions](add-advanced-conditions-to-automation-rules.md) |GA |&#x2705; |&#x2705;| &#x2705; |

+|[Automation rules](automate-incident-handling-with-automation-rules.md) |GA |&#x2705; |&#x2705;| &#x2705; |

+|[Automation rules health](monitor-automation-health.md) |Public preview |&#x2705; |&#x2705;| &#10060; |

+|[Create incidents manually](create-incident-manually.md) |GA |&#x2705; |&#x2705;| &#x2705; |

+|[Cross-tenant/Cross-workspace incidents view](multiple-workspace-view.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Incident advanced search](investigate-cases.md#search-for-incidents) |GA |&#x2705; |&#x2705;| &#x2705; |

+|[Incident tasks](incident-tasks.md) |Public preview |&#x2705; |&#x2705;| &#x2705; |

+|[Microsoft 365 Defender incident integration](microsoft-365-defender-sentinel-integration.md#working-with-microsoft-365-defender-incidents-in-microsoft-sentinel-and-bi-directional-sync) |GA |&#x2705; |&#x2705;| &#10060; |

+|[Microsoft Teams integrations](collaborate-in-microsoft-teams.md) |Public preview |&#x2705; |&#x2705;| &#10060; |

+|[Playbook template gallery](use-playbook-templates.md) |Public preview |&#x2705; |&#x2705;| &#10060; |

+|[Run playbooks on entities](respond-threats-during-investigation.md) |Public preview |&#x2705; |&#x2705; |&#10060; |

+|[Run playbooks on incidents](automate-responses-with-playbooks.md) |Public preview |&#x2705; |&#x2705;| &#x2705; |

+|[SOC incident audit metrics](manage-soc-with-incident-metrics.md) |GA |&#x2705; |&#x2705;| &#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Anomalous RDP login detection - built-in ML detection](configure-connector-login-detection.md) |Public preview |&#x2705; |&#x2705; |&#10060; |

+|[Anomalous SSH login detection - built-in ML detection](connect-syslog.md#configure-the-syslog-connector-for-anomalous-ssh-login-detection) |Public preview |&#x2705; |&#x2705; |&#10060; |

+|[Fusion](fusion.md) - advanced multistage attack detections <sup>[1](#partialga)</sup> |GA |&#x2705; |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Advanced Security Information Model (ASIM)](normalization.md) |Public preview |&#x2705; |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Notebooks](notebooks.md) |GA |&#x2705;|&#x2705; |&#x2705; |

+|[Notebook integration with Azure Synapse](notebooks-with-synapse.md) |Public preview |&#x2705;|&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Threat protection for SAP](sap/deployment-overview.md)</sup> |GA |&#x2705;|&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[GeoLocation and WhoIs data enrichment](work-with-threat-indicators.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[Import TI from flat file](indicators-bulk-file-import.md) |Public preview |&#x2705; |&#x2705; |&#x2705; |

+|[Threat Intelligence Platform data connector](understand-threat-intelligence.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[Threat Intelligence Research page](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-threat-intelligence-menu-item-in-public-preview/ba-p/1646597) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Threat Intelligence - TAXII data connector](understand-threat-intelligence.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Microsoft Defender for Threat Intelligence connector](connect-mdti-data-connector.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[Microsoft Defender Threat intelligence matching analytics](use-matching-analytics-to-detect-threats.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[Threat Intelligence workbook](/azure/architecture/example-scenario/data/sentinel-threat-intelligence) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[URL detonation](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/using-the-new-built-in-url-detonation-in-azure-sentinel/ba-p/996229) |Public preview |&#x2705;|&#10060; |&#10060; |

+|[Threat Intelligence Upload Indicators API](connect-threat-intelligence-upload-api.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Active Directory sync via MDI](enable-entity-behavior-analytics.md#how-to-enable-user-and-entity-behavior-analytics) |Public preview |&#x2705; |&#x2705; |&#10060; |

+|[Azure resource entity pages](entity-pages.md) |Public preview |&#x2705; |&#x2705; |&#10060; |

+|[Entity insights](identify-threats-with-entity-behavior-analytics.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Entity pages](entity-pages.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Identity info table data ingestion](investigate-with-ueba.md) |GA |&#x2705;|&#x2705; |&#x2705; |

+|[IoT device entity page](/azure/defender-for-iot/organizations/iot-advanced-threat-monitoring#investigate-further-with-iot-device-entities) |Public preview |&#x2705;|&#x2705; |&#10060; |

+|[Peer/Blast radius enrichments](identify-threats-with-entity-behavior-analytics.md#what-is-user-and-entity-behavior-analytics-ueba) |Public preview |&#x2705;|&#10060; |&#10060; |

+|[SOC-ML anomalies](soc-ml-anomalies.md#what-are-customizable-anomalies) |GA |&#x2705; |&#x2705; |&#10060; |

+|[UEBA anomalies](soc-ml-anomalies.md#ueba-anomalies) |GA |&#x2705; |&#x2705; |&#10060; |

+|[UEBA enrichments\insights](investigate-with-ueba.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|Feature |Feature stage |Azure commercial |Azure Government |Azure China 21Vianet |

+||||||

+|[Large watchlists from Azure Storage](watchlists.md) |Public preview |&#x2705; |&#10060; |&#10060; |

+|[Watchlists](watchlists.md) |GA |&#x2705; |&#x2705; |&#x2705; |

+|[Watchlist templates](watchlist-schemas.md) |Public preview |&#x2705;|&#10060; |&#10060; |

+**nonprimary node types** can be used to define application roles (such as *front-end* and *back-end* services) and to physically isolate services within a cluster. Service Fabric clusters can have zero or more nonprimary node types.

+The number of initial nodes types depends upon the purpose of your cluster and the applications and services running on it. Consider the following questions:

+ Typical applications contain a front-end gateway service that receives input from a client, and one or more back-end services that communicate with the front-end services, with separate networking between the front-end and back-end services. These cases typically require three node types: one primary node type, and two nonprimary node types (one each for the front and back-end service).

+ Often, front-end service can run on smaller VMs (VM sizes like D2) that have ports open to the internet. Computationally intensive back-end services might need to run on larger VMs (with VM sizes like D4, D6, D15) that aren't internet-facing. Defining different node types for these services allow you to make more efficient and secure use of underlying Service Fabric VMs, and enables them to scale them independently. For more on estimating the amount of resources you'll need, see [Capacity planning for Service Fabric applications](service-fabric-capacity-planning.md)

+When determining the number and properties of node types for the initial creation of your cluster, keep in mind that you can always add, modify, or remove (nonprimary) node types once your cluster is deployed. [Primary node types can also be scaled up or down](service-fabric-scale-up-primary-node-type.md) in running clusters, though to do so you'll need to create a new node type, move the workload over, and then remove the original primary node type.

+| Gold | 5 | Full-node sizes dedicated to a single customer - [available VM sizes](../virtual-machines/isolation.md) | Can be delayed until approved by the Service Fabric cluster | Can be paused for 2 hours per upgrade domain to allow additional time for replicas to recover from earlier failures |

+| Silver | 5 | VMs of single core or above with at least 50 GB of local SSD | Can be delayed until approved by the Service Fabric cluster | Can't be delayed for any significant period of time |

+| Bronze | 1 | VMs with at least 50 GB of local SSD | Will not be delayed by the Service Fabric cluster | Can't be delayed for any significant period of time |

+> The above mentioned minimum number of VMs is a necessary requirement for each durability level. We have validations in-place which will prevent creation or modification of existing virtual machine scalesets which don't meet these requirements.

+Use Silver or Gold durability for all node types that host stateful services you expect to scale-in frequently, and where you wish deployment operations be delayed and capacity to be reduced in favor of simplifying the process. Scale-out scenarios shouldn't affect your choice of the durability tier.

+* Takes nodes out of service for periods of time while Azure platform software updates or hardware maintenance activities are occurring. You may see nodes with status Disabling/Disabled during these activities. This reduces the capacity of your cluster temporarily, but shouldn't impact the availability of your cluster or applications.

+* Maintain a minimum count of five nodes for any virtual machine scale set that has durability level of Gold or Silver enabled. Your cluster will enter error state if you scale in below this threshold, and you'll need to manually clean up the state (`Remove-ServiceFabricNodeState`) for the removed nodes.

+* Don't delete random VM instances, always use virtual machine scale set scale in feature. The deletion of random VM instances has a potential of creating imbalances in the VM instance spread across [upgrade domains](service-fabric-cluster-resource-manager-cluster-description.md#upgrade-domains) and [fault domains](service-fabric-cluster-resource-manager-cluster-description.md#fault-domains). This imbalance could adversely affect the systems ability to properly load balance among the service instances/Service replicas.

+* If using Autoscale, set the rules such that scale in (removing of VM instances) operations are done only one node at a time. Scaling in more than one instance at a time isn't safe.

+* Downgrading node types with durability level of Gold to Silver isn't supported.

+Here's the recommendation on choosing the reliability tier. The number of seed nodes is also set to the minimum number of nodes for a reliability tier.

+| 1 | *Don't specify the `reliabilityLevel` parameter: the system calculates it.* |

+By default, local SSD is configured to 64 GB. The size can be configured in the MaxDiskQuotaInMB setting of the Diagnostics section of cluster settings.

+- Partial / single core VM sizes like Standard A0 aren't supported.

+- *A-series* VM sizes aren't supported for performance reasons.

+- Low-priority VMs aren't supported.

+- [B-Series Burstable SKUs](../virtual-machines/sizes-b-series-burstable.md) aren't supported.

+**Test workloads** in Azure can run a minimum of one or three primary nodes. To configure a one node cluster, be sure that the `reliabilityLevel` setting is omitted in your Resource Manager template (specifying empty string value for `reliabilityLevel` isn't sufficient). If you set up the one node cluster set up with Azure portal, this configuration is done automatically.

+> One-node clusters run with a special configuration without reliability and where scale out isn't supported.

+#### nonprimary node types

+The minimum number of nodes for a nonprimary node type depends on the specific [durability level](#durability-characteristics-of-the-cluster) of the node type. You should plan the number of nodes (and durability level) based on the number of replicas of applications or services that you want to run for the node type, and depending on whether the workload is stateful or stateless. Keep in mind you can increase or decrease the number of VMs in a node type anytime after you have deployed the cluster.

+For stateless production workloads, the minimum supported nonprimary node type size is three to maintain quorum, however a node type size of five is recommended.

+- **Dynamic** ΓÇô Changes to a dynamic configuration don't cause any process restarts of either Service Fabric processes or your service host processes.

+- **Static** ΓÇô Changes to a static configuration cause the Service Fabric node to restart in order to consume the change. Services on the nodes is restarted.

+|ApplicationCertificateValidationPolicy|string, default is "None"|Static| This doesn't validate the server certificate; succeed the request. Refer to config ServiceCertificateThumbprints for the comma-separated list of thumbprints of the remote certs that the reverse proxy can trust. Refer to config ServiceCommonNameAndIssuer for the subject name and issuer thumbprint of the remote certs that the reverse proxy can trust. To learn more, see [Reverse proxy secure connection](service-fabric-reverseproxy-configure-secure-communication.md#secure-connection-establishment-between-the-reverse-proxy-and-services). |

+|ForwardClientCertificate|bool, default is FALSE|Dynamic|When set to false, reverse proxy won't request for the client certificate. When set to true, reverse proxy requests for the client certificate during the TLS handshake and forward the base64 encoded PEM format string to the service in a header named X-Client-Certificate. The service can fail the request with appropriate status code after inspecting the certificate data. If this is true and client doesn't present a certificate, reverse proxy forwards an empty header and let the service handle the case. Reverse proxy acts as a transparent layer. To learn more, see [Set up client certificate authentication](service-fabric-reverseproxy-configure-secure-communication.md#setting-up-client-certificate-authentication-through-the-reverse-proxy). |

+|GatewayX509CertificateFindValue | string, default is "" |Dynamic| Search filter value used to locate the http app gateway certificate. This certificate is configured on the https endpoint and can also be used to verify the identity of the app if needed by the services. FindValue is looked up first; and if that doesn't exist; FindValueSecondary is looked up. |

+|GatewayX509CertificateFindValueSecondary | string, default is "" |Dynamic|Search filter value used to locate the http app gateway certificate. This certificate is configured on the https endpoint and can also be used to verify the identity of the app if needed by the services. FindValue is looked up first; and if that doesn't exist; FindValueSecondary is looked up.|

+|RemoveServiceResponseHeaders|string, default is "Date; Server"|Static|Semi colon/ comma-separated list of response headers that is removed from the service response; before forwarding it to the client. If this is set to empty string; pass all the headers returned by the service as-is. i.e don't overwrite the Date and Server |

+|SecretMonitoringInterval|TimeSpan, default is Common::TimeSpan::FromMinutes(15) |Static |The rate at which Service Fabric polls Key Vault for changes when using Managed KeyVaultReferences. This rate is a best effort, and changes in Key Vault may be reflected in the cluster earlier or later than the interval. For more information, see [KeyVaultReference support for Azure-deployed Service Fabric Applications](./service-fabric-keyvault-references.md) |

+|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This reduces network traffic.|

+|InfrastructureTaskHealthCheckRetryTimeout | Time in seconds, default is 60 |Dynamic|Specify timespan in seconds. The amount of time to spend retrying failed health checks while post-processing an infrastructure task. Observing a passed health check resets this timer. |

+|InfrastructureTaskHealthCheckStableDuration | Time in seconds, default is 0|Dynamic| Specify timespan in seconds. The amount of time to observe consecutive passed health checks before post-processing of an infrastructure task finishes successfully. Observing a failed health check resets this timer. |

+|SkipRollbackUpdateDefaultService | Bool, default is false |Dynamic|The CM skips reverting updated default services during application upgrade rollback. |

+|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This reduces network traffic.|

+|EnableAuxiliaryReplicas |Bool, default is false |Dynamic|Enable creation or update of auxiliary replicas on services. If true; upgrades from SF version 8.1+ to lower targetVersion is blocked. |

+|AdminOnlyHttpAudit |Bool, default is true | Dynamic | Exclude HTTP requests which doesn't impact the state of the cluster from auditing. Currently; only requests of "GET" type are excluded; but this is subject to change. |

+|CaptureHttpTelemetry|Bool, default is true | Dynamic | Turn HTTP telemetry on or off. The purpose of telemetry is for Service Fabric to be able to capture telemetry data to help plan future work and identify problem areas. Telemetry doesn't record any personal data or the request body. Telemetry captures all HTTP requests unless otherwise configured. |

+|PartitionPrefix|string, default is "--"|Static|Controls the partition prefix string value in DNS queries for partitioned services. The value: <ul><li>Should be RFC-compliant as it will be part of a DNS query.</li><li>Shouldn't contain a dot, '.', as dot interferes with DNS suffix behavior.</li><li>Shouldn't be longer than 5 characters.</li><li>Cannot be an empty string.</li><li>If the PartitionPrefix setting is overridden, then PartitionSuffix must be overridden, and vice-versa.</li></ul>For more information, see [Service Fabric DNS Service.](service-fabric-dnsservice.md).|

+|PartitionSuffix|string, default is ""|Static|Controls the partition suffix string value in DNS queries for partitioned services. The value: <ul><li>Should be RFC-compliant as it will be part of a DNS query.</li><li>Shouldn't contain a dot, '.', as dot interferes with DNS suffix behavior.</li><li>Shouldn't be longer than 5 characters.</li><li>If the PartitionPrefix setting is overridden, then PartitionSuffix must be overridden, and vice-versa.</li></ul>For more information, see [Service Fabric DNS Service.](service-fabric-dnsservice.md). |

+|RecursiveQueryParallelMaxAttempts|Int, default is 0|Static|The number of times parallel queries are attempted. Parallel queries are executed after the max attempts for serial queries have been exhausted.|

+|RecursiveQuerySerialMaxAttempts|Int, default is 2|Static|The number of serial queries that are attempted, at most. If this number is higher than the number of forwarding DNS servers, querying stops once all the servers have been attempted exactly once.|

+|ActivationRetryBackoffInterval |Time in seconds, default is 5 |Dynamic|Specify timespan in seconds. Backoff interval on every activation failure; On every continuous activation failure the system will retry the activation for up to the MaxActivationFailureCount. The retry interval on every try is a product of continuous activation failure and the activation back-off interval. |

+|ReplicationBatchSize|uint, default is 1|Static|Specifies the number of operations to be sent between primary and secondary replicas. If zero the primary sends one record per operation to the secondary. Otherwise the primary replica aggregates log records until the config value is reached. This reduces network traffic.|

+|StoredActionCleanupIntervalInSeconds | Int, default is 3600 |Static|This is how often the store is cleaned up. Only actions in a terminal state; and that completed at least CompletedActionKeepDurationInSeconds ago will be removed. |

+|GenerateV1CommonNameAccount| bool, default is TRUE|Static|Specifies whether to generate an account with user name V1 generation algorithm. Starting with Service Fabric version 6.1; an account with v2 generation is always created. The V1 account is necessary for upgrades from/to versions that don't support V2 generation (prior to 6.1).|

+|ContainerServiceArguments|string, default is "-H localhost:2375 -H npipe://"|Static|Service Fabric (SF) manages docker daemon (except on windows client machines like Win10). This configuration allows user to specify custom arguments that should be passed to docker daemon when starting it. When custom arguments are specified, Service Fabric doesn't pass any other argument to Docker engine except '--pidfile' argument. Hence users shouldn't specify '--pidfile' argument as part of their customer arguments. Also, the custom arguments should ensure that docker daemon listens on default name pipe on Windows (or Unix domain socket on Linux) for Service Fabric to be able to communicate with it.|

+|ContainerImagesToSkip|string, image names separated by vertical line character, default is ""|Static|Name of one or more container images that shouldn't be deleted. Used with the PruneContainerImages parameter.|

+|DisableDockerRequestRetry|bool, default is FALSE |Dynamic| By default SF communicates with DD (docker dameon) with a timeout of 'DockerRequestTimeout' for each http request sent to it. If DD doesn't responds within this time period; SF resends the request if top level operation still has remaining time. With Hyper-V container; DD sometimes take much more time to bring up the container or deactivate it. In such cases DD request times out from SF perspective and SF retries the operation. Sometimes this seems to add more pressure on DD. This config allows you to disable this retry and wait for DD to respond. |

+|DnsServerListTwoIps | Bool, default is FALSE | Static | This flag adds the local dns server twice to help alleviate intermittent resolve issues. |

+|NTLMAuthenticationPasswordSecret|SecureString, default is Common::SecureString("")|Static|Is an encryption that is used to generate the password for NTLM users. Has to be set if NTLMAuthenticationEnabled is true. Validated by the deployer. |

+|PruneContainerImages|bool, default is FALSE|Dynamic| Remove unused application container images from nodes. When an ApplicationType is unregistered from the Service Fabric cluster, the container images that were used by this application will be removed on nodes where it was downloaded by Service Fabric. The pruning runs every hour, so it may take up to one hour (plus time to prune the image) for images to be removed from the cluster.<br>Service Fabric will never download or remove images not related to an application. Unrelated images that were downloaded manually or otherwise must be removed explicitly.<br>Images that shouldn't be deleted can be specified in the ContainerImagesToSkip parameter.|

+|HttpStrictTransportSecurityHeader|string, default is ""|Dynamic| Specify the HTTP Strict Transport Security header value to be included in every response sent by the HttpGateway. When set to empty string; this header will not be included in the gateway response.|

+|AutomaticMemoryConfiguration |Int, default is 1 |Dynamic|Flag that indicates if the memory settings should be automatically and dynamically configured. If zero then the memory configuration settings are used directly and don't change based on system conditions. If one then the memory settings are configured automatically and may change based on system conditions. |

+|IsEnabled|bool, default is FALSE|Static|Flag controlling the presence and status of the Managed Identity Token Service in the cluster; this is a prerequisite for using the managed identity functionality of Service Fabric applications.|

+|CleanupUnusedApplicationTypes|Bool, default is FALSE |Dynamic|This configuration if enabled, allows you to automatically unregister unused application type versions skipping the latest three unused versions, thereby trimming the disk space occupied by image store. The automatic cleanup will be triggered at the end of successful provision for that specific app type and also runs periodically once a day for all the application types. Number of unused versions to skip is configurable using parameter "MaxUnusedAppTypeVersionsToKeep". <br/> *Best practice is to use `true`.*

+|PropertyGroup|KeyDoubleValueMap, default is None|Dynamic|Determines the part of the load that sticks with replica when swapped. It takes value between 0 (load doesn't stick with replica) and 1 (load sticks with replica - default) |

+|BalancingDelayAfterNewNode | Time in seconds, default is 120 |Dynamic|Specify timespan in seconds. Don't start balancing activities within this period after adding a new node. |

+|BalancingDelayAfterNodeDown | Time in seconds, default is 120 |Dynamic|Specify timespan in seconds. Don't start balancing activities within this period after a node down event. |

+|ConstraintFixPartialDelayAfterNewNode | Time in seconds, default is 120 |Dynamic| Specify timespan in seconds. Don't Fix FaultDomain and UpgradeDomain constraint violations within this period after adding a new node. |

+|ConstraintFixPartialDelayAfterNodeDown | Time in seconds, default is 120 |Dynamic| Specify timespan in seconds. Don't Fix FaultDomain and UpgradeDomain constraint violations within this period after a node down event. |

+|PreferUpgradedUDs|bool, default is FALSE|Dynamic|Turns on and off logic which prefers moving to already upgraded UDs. Starting with SF 7.0, the default value for this parameter is changed from TRUE to FALSE.|

+|SubclusteringReportingPolicy| Int, default is 1 |Dynamic|Defines how and if the subclustering health reports are sent: 0: Don't report; 1: Warning; 2: OK |

+|UseSeparateAuxiliaryLoad | Bool, default is true | Dynamic|Setting which determines if PLB should use different load for auxiliary on each node. If UseSeparateAuxiliaryLoad is turned off: - Reported load for auxiliary on one node will result in overwriting load for each auxiliary (on all other nodes) If UseSeparateAuxiliaryLoad is turned on: - Reported load for auxiliary on one node will take effect only on that auxiliary (no effect on auxiliaries on other nodes) - If replica crash happens - new replica is created with average load of all the rest auxiliaries - If PLB moves existing replica - load goes with it. |

+|UseSeparateAuxiliaryMoveCost | Bool, default is false | Dynamic|Setting which determines if PLB should use different move cost for auxiliary on each node. If UseSeparateAuxiliaryMoveCost is turned off: - Reported move cost for auxiliary on one node will result in overwriting move cost for each auxiliary (on all other nodes) If UseSeparateAuxiliaryMoveCost is turned on: - Reported move cost for auxiliary on one node will take effect only on that auxiliary (no effect on auxiliaries on other nodes) - If replica crash happens - new replica is created with default move cost specified on service level - If PLB moves existing replica - move cost goes with it. |

+|UseSeparateSecondaryMoveCost | Bool, default is true | Dynamic|Setting which determines if PLB should use different move cost for secondary on each node. If UseSeparateSecondaryMoveCost is turned off: - Reported move cost for secondary on one node will result in overwriting move cost for each secondary (on all other nodes) If UseSeparateSecondaryMoveCost is turned on: - Reported move cost for secondary on one node will take effect only on that secondary (no effect on secondaries on other nodes) - If replica crash happens - new replica is created with default move cost specified on service level - If PLB moves existing replica - move cost goes with it. |

+|BatchAcknowledgementInterval|TimeSpan, default is Common::TimeSpan::FromMilliseconds(15)|Static|Specify timespan in seconds. Determines the amount of time that the replicator waits after receiving an operation before sending back an acknowledgment. Other operations received during this time period will have their acknowledgments sent back in a single message-> reducing network traffic but potentially reducing the throughput of the replicator.|

+|AdminClientCertThumbprints|string, default is ""|Dynamic|Thumbprints of certificates used by clients in admin role. It's a comma-separated name list. |

+|AdminClientIdentities|string, default is ""|Dynamic|Windows identities of fabric clients in admin role; used to authorize privileged fabric operations. It's a comma-separated list; each entry is a domain account name or group name. For convenience; the account that runs fabric.exe is automatically assigned admin role; so is group ServiceFabricAdministrators. |

+|ClientCertThumbprints|string, default is ""|Dynamic|Thumbprints of certificates used by clients to talk to the cluster; cluster uses this to authorize incoming connection. It's a comma-separated name list. |

+|ClientIdentities|string, default is ""|Dynamic|Windows identities of FabricClient; naming gateway uses this to authorize incoming connections. It's a comma-separated list; each entry is a domain account name or group name. For convenience; the account that runs fabric.exe is automatically allowed; so are group ServiceFabricAllowedUsers and ServiceFabricAdministrators. |

+|ClusterIdentities|string, default is ""|Dynamic|Windows identities of cluster nodes; used for cluster membership authorization. It's a comma-separated list; each entry is a domain account name or group name |

+|ClusterSpn|string, default is ""|Not Allowed|Service principal name of the cluster; when fabric runs as a single domain user (gMSA/domain user account). It's the SPN of lease listeners and listeners in fabric.exe: federation listeners; internal replication listeners; runtime service listener and naming gateway listener. This should be left empty when fabric runs as machine accounts; in which case connecting side compute listener SPN from listener transport address. |

+|DisableFirewallRuleForDomainProfile| bool, default is TRUE |Static| Indicates if firewall rule shouldn't be enabled for domain profile |

+|DisableFirewallRuleForPrivateProfile| bool, default is TRUE |Static| Indicates if firewall rule shouldn't be enabled for private profile |

+|DisableFirewallRuleForPublicProfile| bool, default is TRUE | Static|Indicates if firewall rule shouldn't be enabled for public profile |

+|FabricHostSpn| string, default is "" |Static| Service principal name of FabricHost; when fabric runs as a single domain user (gMSA/domain user account) and FabricHost runs under machine account. It's the SPN of IPC listener for FabricHost; which by default should be left empty since FabricHost runs under machine account |

+|ServerCertThumbprints|string, default is ""|Dynamic|Thumbprints of server certificates used by cluster to talk to clients; clients use this to authenticate the cluster. It's a comma-separated name list. |

+|CancelTestCommand |string, default is "Admin" |Dynamic| Cancels a specific TestCommand - if it's in flight. |

+|InvokeContainerApi|string, default is "Admin"|Dynamic|Invoke container API |

+|StartChaos |string, default is "Admin" |Dynamic| Starts Chaos - if it's not already started. |

+|SkipFirewallConfiguration |Bool, default is false | Dynamic |Specifies if firewall settings need to be set by the system or not. This applies only if you're using windows firewall. If you're using third party firewalls, then you must open the ports for the system and applications to use |

+|BatchAcknowledgementInterval | Time in seconds, default is 0.015 | Static | Specify timespan in seconds. Determines the amount of time that the replicator waits after receiving an operation before sending back an acknowledgment. Other operations received during this time period will have their acknowledgments sent back in a single message-> reducing network traffic but potentially reducing the throughput of the replicator. |

+|ShouldAbortCopyForTruncation |bool, default is FALSE | Static | Allow pending log truncation to go through during copy. With this enabled the copy stage of builds can be canceled if the log is full and they are block truncation. |

+|MessageErrorCheckingEnabled|bool, default is TRUE|Static|Default setting for error checking on message header and body in non-secure mode; component setting overrides this. |

+|PropertyGroup| UserServiceMetricCapacitiesMap, default is None | Static | A collection of user services resource governance limits Needs to be static as it affects Auto-Detection logic |

+[Rollup 67](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | 9.54.6682.1 | 9.54.6682.1 / 5.1.8095.0 | 9.54.6682.1 | 5.23.0428.1 (VMware) & 5.1.8095.0 (Hyper-V) | 2.0.9261.0 (VMware) & 2.0.9260.0 (Hyper-V)

+ .\UnifiedAgentInstaller.exe /Platform vmware /Silent /Role MS /InstallLocation "C:\Program Files (x86)\Microsoft Azure Site Recovery"

+ "C:\Program Files (x86)\Microsoft Azure Site Recovery\agent\UnifiedAgentConfigurator.exe" /SourceConfigFilePath "config.json" /CredentialLessDiscovery true

+`/CSType`| Optional. Used to define modernized or classic architecture. By default, modernized architecture would be launched. (CSPrime or CSLegacy)

+`/CSType` | Optional. Used to define modernized or legacy architecture. By default, modernized architecture would be launched. (CSPrime or CSLegacy).

+ sudo ./install -q -r MS -v VmWare

+ <InstallLocation>/Vx/bin/UnifiedAgentConfigurator.sh -S config.json -q

+ Syntax | `./install -q -r MS -v VmWare`

+ `-c` | Optional. Used to define modernized or legacy architecture. By default, modernized architecture would be launched. (CSPrime or CSLegacy).

+ Syntax | `<InstallLocation>/Vx/bin/UnifiedAgentConfigurator.sh -S config.json -q -D true`

+ `-c` | Optional. Used to define modernized and legacy architecture. By default, modernized architecture would be launched. (CSPrime or CSLegacy).

+ UnifiedAgent.exe /Role "MS" /InstallLocation "C:\Program Files (x86)\Microsoft Azure Site Recovery" /Platform "VmWare" /Silent /CSType CSLegacy

+Syntax | `UnifiedAgent.exe /Role \<MS/MT> /InstallLocation \<Install Location> /Platform "VmWare" /Silent /CSType CSLegacy`

+` /CSType` | Required. Used to define modernized or classic architecture. By default, modernized architecture would be launched. (CSPrime or CSLegacy)

+ sudo ./install -r MS -v VmWare -d <Install Location> -q -c CSLegacy

+Syntax | `./install -r MS -v VmWare [-d <Install Location>] [-q] -c CSLegacy`

+`-c` | Required. Used to define modernized or classic architecture. By default, modernized architecture would be launched. (CSPrime or CSLegacy)

+Syntax | `cd /usr/local/ASR/Vx/bin`</br> `UnifiedAgentConfigurator.sh -i \<CSIP> -P \<PassphraseFilePath> -c CSLegacy`

+`-c` | Required. Used to define modernized or classic architecture. By default, modernized architecture would be launched.(CSPrime or CSLegacy)

+Current doc score: 96 (2038 words and 10 false-positive issues)

+The Azure Storage Mover service utilizes agents to perform the migration jobs you configure in the service. An agent is a virtual machine-based migration appliance that runs on a virtualization host. Ideally, your virtualization host is located as near as possible to the source storage to be migrated. Storage Mover can support multiple agents.

+Because an agent is essentially a migration appliance, you interact with it through an agent-local administrative shell. The shell limits the operations you can perform on this machine, though network configuration and troubleshooting tasks are accessible.

+- A capable Windows Hyper-V host on which to run the agent VM.<br/> See the [Recommended compute and memory resources](#recommended-compute-and-memory-resources) section in this article for details about resource requirements for the agent VM.

+Although no single network configuration option works for every environment, the simplest configuration involves the deployment of an external virtual switch. The external switch type is connected to a physical adapter and allows your host operating system (OS) to share its connection with all your virtual machines (VMs). This switch allows communication between your physical network, the management operating system, and the virtual adapters on your virtual machines. This approach may be acceptable for a test environment, but is likely not sufficient for a production server.

+> While agent VMs below minimal specs may work for your migration, they may not perform optimally and are not supported.

+## Download the agent VM image

+The image is hosted on Microsoft Download Center as a zip file. Download the file at [https://aka.ms/StorageMover/agent](https://aka.ms/StorageMover/agent) and extract the agent virtual hard disk (VHD) image to your virtualization host.

+Take time to consider the amount of bandwidth a new machine uses before you deploy it to your network. An Azure Storage Mover agent communicates with a source share using the local network, and the Azure Storage service on the wide area network (WAN) link. In both cases, the agent uses all available network bandwidth.

+If bandwidth throttling is important to you, create a local virtual network (VNet) with network quality of service (QoS) settings and an internet connection. This approach allows you to expose the agent through the VNet, and to locally configure an unauthenticated network proxy server on the agent if needed.

+When you no longer need a specific storage mover agent, you can decommission it. Decommissioning is a two-step process:

+1. Unregister the agent from the storage mover resource.

+1. Stop the agent VM on your virtualization host and then delete it.

+5) Collect support bundle

+6) Restart agent

+7) Disk Cleanup

+Current doc score: 100 (1669 words and 0 issues)

+The Azure Storage Mover service utilizes agents that carry out the migration jobs you configure in the service. The agent is a virtual machine-based appliance that you run on a virtualization host, close to the source storage.

+You can connect to an Azure VNET from other networks, such as an on-premises corporate network. This type of connection is made through a VPN connection such as Azure Express Route. To learn more about this approach, refer to the [Azure ExpressRoute](/azure/expressroute/) and [Azure Private Link](/azure/private-link) documentation.

+> [!IMPORTANT]

+> Currently, Storage Mover can be configured to route migration data from the agent to the destination storage account over Private Link. Hybrid Compute heartbeats and certificates can also be routed to a private Azure Arc service endpoint in your virtual network (VNet). Some Storage Mover traffic can't be routed through Private Link and is routed over the public endpoint of a storage mover resource. This data includes control messages, progress telemetry, and copy logs.

+There are two prerequisites to be completed before you can register an Azure Storage Mover agent:

+1. **You need to have an Azure Storage Mover resource deployed.** <br />Follow the steps in the *[Create a storage mover resource](storage-mover-create.md)* article to deploy this resource in an Azure subscription and region of your choice.

+1. **You need to deploy the Azure Storage Mover agent VM.** <br /> Follow the steps in the [Azure Storage Mover agent VM deployment](agent-deploy.md) article to create the agent VM and to connect it to the internet.

+The agent registration process creates a trust between the agent and the Storage Mover cloud resource. The trust allows you to remotely manage the agent and to assign it migration jobs to execute.

+The agent VM is an appliance. It offers an administrative shell that limits the operations you can perform on this machine. When you connect to the agent, the shell loads and provides you with options that allow you to interact with it directly. However, the agent VM is a Linux based appliance, and copy and paste functionality often doesn't work within the default Hyper-V window.

+Rather than use the Hyper-V window, use an SSH connection instead. This approach provides the following advantages:

+Your agent needs to be connected to the internet.

+Azure Storage logs in Azure Monitor can be enabled through the Azure portal, PowerShell, the Azure CLI, and Azure Resource Manager templates. For at-scale deployments, Azure Policy can be used with full support for remediation tasks. For more information, see [ciphertxt/AzureStoragePolicy](https://github.com/ciphertxt/AzureStoragePolicy).

+> [!IMPORTANT]

+> Currently, once you configure the retention, there will be a rule created in the lifecycle management policy to delete the older version based on the retention period set. Thereafter, the settings shall not be visible in the data protection options. In case you want to change the retention period, you will have to delete the rule, which shall make the settings visible for editing again. In case you have any other rule already to delete the versions, then also this setting shall not appear.

+ :::column:::

+ <iframe width="560" height="315" src="https://www.youtube.com/embed/TOHaNJpAOfc" title="How Azure Files can help protect against ransomware and accidental data loss" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

+ :::column-end:::

+ :::column:::

+ Watch this video to learn how Azure Files advanced data protection helps enterprises stay protected against ransomware and accidental data loss while delivering greater business continuity.

+ :::column-end:::

+1. Mount both the source and target file shares to the VM. Be sure to mount them using the storage account key to make sure the VM has access to all the files. Don't use a domain identity.

+1. Run this command at the Windows command prompt. Optionally, you can include flags for logging features as a best practice (/NP, /NFL, /NDL, /UNILOG).

+ robocopy <source> <target> /MIR /COPYALL /MT:16 /R:2 /W:1 /B /IT /DCOPY:DAT

+ robocopy s:\ t:\ /MIR /COPYALL /MT:16 /R:2 /W:1 /B /IT /DCOPY:DAT

+ As a workaround for mounting the file share, see the instructions in [Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain](storage-files-identity-ad-ds-mount-file-share.md#mount-the-file-share-from-a-non-domain-joined-vm-or-a-vm-joined-to-a-different-ad-domain).

+## Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain

+If the identity you created in AD DS to represent the storage account is in a domain or OU that enforces password rotation, you might need to [update the password of your storage account identity in AD DS](storage-files-identity-ad-ds-update-password.md).

+ If a machine isn't domain joined, you can still use AD DS for authentication if the machine has line of sight to the on-premises AD domain controller and the user provides explicit credentials. For more information, see [Mount the file share from a non-domain-joined VM or a VM joined to a different AD domain](storage-files-identity-ad-ds-mount-file-share.md#mount-the-file-share-from-a-non-domain-joined-vm-or-a-vm-joined-to-a-different-ad-domain).

+- [Get started with Queue Storage using .NET](/azure/storage/queues/storage-quickstart-queues-dotnet?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli)

+- [Get started with Queue Storage using Java](/azure/storage/queues/storage-quickstart-queues-java?tabs=powershell%2Cpasswordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli)

+- [Get started with Queue Storage using Python](/azure/storage/queues/storage-quickstart-queues-python?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli)

+- [Get started with Queue Storage using Node.js](/azure/storage/queues/storage-quickstart-queues-nodejs?tabs=passwordless%2Croles-azure-portal%2Cenvironment-variable-windows%2Csign-in-azure-cli)

+ |**Striim**<br>Striim enables continuous data movement and in-stream transformations from a wide variety of sources into multiple Azure solutions including Azure Synapse Analytics, Azure Cosmos DB, and Azure cloud databases. The Striim solution enables Azure Data Lake Storage customers to quickly build streaming data pipelines. Customers can choose their desired data latency (real-time, micro-batch, or batch) and enrich the data with more context. These pipelines can then support any application or big data analytics solution, including Azure SQL Data Warehouse and Azure Databricks. |[Partner ](https://www.striim.com/partners/striim-and-microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/striim.azurestorageintegration?tab=overview)|

+ Title: Customize RDP properties - Azure

+description: How to customize RDP Properties for Azure Virtual Desktop.

+>[!IMPORTANT]

+>

+>

+>

+>- If you also configure device redirection settings using Group Policy objects (GPOs), the settings in the GPOs will override the RDP properties you specify on the host pool.

+1. Once you're remote session has started, open **File Explorer**, then select **This PC**.

+1. You'll see a redirected drive called **Remote Desktop Virtual Drive on RDWebClient**. Inside this drive are two folders: **Uploads** and **Downloads**

+ - **Downloads** prompts your local browser to download any files you copy to this folder.

+ - **Uploads** contains the files you uploaded through the Remote Desktop Web client.

+1. To download from your remote session to your local device, copy and paste files to the **Downloads** folder. Before the paste can complete, the Remote Desktop Web client will prompt you **Are you sure you want to download *N* file(s)?**. Select **Confirm**. Your browser will download the files in its normal way.

+1. To upload files from your local device to your remote session, use the button in the Remote Desktop Web client taskbar for **Upload new file** (the upwards arrow icon). Selecting this will open a file explorer window on your local device.

+ Browse to and select files you want to upload to the remote session. You can select multiple files by holding down the <kbd>CTRL</kbd> key on your keyboard for Windows, or the <kbd>Command</kbd> key for macOS, then select **Open**. There is a file size limit of 255MB.

+>

+> - Don't download files directly from your browser in a remote session to the **Remote Desktop Virtual Drive on RDWebClient\Downloads** folder as it triggers your local browser to download the file before it is ready. Download files in a remote session to a different folder, then copy and paste them to the **Remote Desktop Virtual Drive on RDWebClient\Downloads** folder.

+- Fixed an issue where the client doesn't auto-reconnect when the gateway WebSocket connection shuts down normally.

+- Added a new RDP file property called *allowed security protocols*. This property restricts the list of security protocols the client can negotiate.

+- Accessibility improvements:

+ - Added heading-level description to **Subscribe with URL**.

+- Dialog improvements:

+ - Updated **file** and **URI launch** dialog error handling messages to be more specific and user-friendly.

+ - Fixed an issue where, after having been automatically reconnected to the remote session, the **connection information** dialog gave inconsistent information about identity verification.

+- Fixed an issue where the narrator was announcing the **tenant expander** button as **on** or **off** instead of **expanded** or **collapsed**.

+ - The new hardware encoding feature increases the video quality (resolution and framerate) of the outgoing camera during Teams calls. Because this feature uses the underlying hardware on the PC and not just software, we're being extra careful to ensure broad compatibility before turning the feature on by default for all users. Therefore, this feature is currently off by default. To get an early preview of the feature, you can enable it on your local machine by creating a registry key at **Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\WebRTC Redirector\UseHardwareEncoding** as a **DWORD** value and setting it to **1**. To disable the feature, set the key to **0**.

+- Fixed a regression that prevented subsequent connections after reconnecting to an existing session with the group policy object (GPO) **User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options\Remove Lock Computer** enabled.

+- Fixed an issue where the `msrdc.exe` process might take a long time to exit after closing the last Azure Virtual Desktop connection if customers have set a very short token expiration policy.

+- The client also updates in the background when the auto-update feature is enabled, no remote connection is active, and `msrdcw.exe` isn't running.

+- Fixed an issue that caused the client to crash when users selected **Disconnect all sessions** in the system tray.

+- Fixed an issue where entering an email address into the **Subscribe to a Workplace** tab caused the application to stop responding.

+- Added a **Need help with settings?** link to the desktop settings page.

+- Fixed an issue with the **Subscribe** button that happened when using high-contrast dark themes.

+- Renamed the **Update** action for Workspaces to **Refresh** for consistency with other Remote Desktop clients.

+- You can also reset the client's user data using `msrdcw.exe /reset` with an optional `/f` parameter to skip the prompt.

+ },

+ }

+}

+| 1.16.0 | [1.16.0](https://github.com/microsoft/OMS-Agent-for-Linux/releases/tag/OMSAgent_v1.16.0-0) |

+ "typeHandlerVersion": "1.16",

+| typeHandlerVersion | 1.16 |

+ "typeHandlerVersion": "1.16",

+ "typeHandlerVersion": "1.16",

+* The best performance is obtained when I/O is done directly to each of the raw NVMe devices with no partitioning, no file systems, no RAID config, etc. Before starting a testing session, ensure the configuration is in a known fresh/clean state by running `blkdiscard` on each of the NVMe devices. To obtain the most consistent performance during benchmarking, it's recommended to precondition the NVMe devices before testing by issuing random writes to all of the devices' LBAs twice as defined in the SNIA Solid State Storage Enterprise Performance Test Specification.

+Local storage on the 1.92 TB NVMe disk on all Lsv3, Lasv3, and Lsv2 VMs is ephemeral. During a successful standard reboot of the VM, the data on the local NVMe disk persists. The data doesn't persist on the NVMe if the VM is redeployed, deallocated, or deleted. Data doesn't persist if another issue causes the VM, or the hardware it's running on, to become unhealthy. When scenario happens, any data on the old host is securely erased.

+- The VM is paused (stopped without deallocation).

+- The VM is redeployed, stopped (deallocated), or deleted (by you).

+If a disk failure is detected on the hardware node, the hardware is in a failed state. When this problem occurs, all VMs on the node are automatically deallocated and moved to a healthy node. For Lsv3, Lasv3, and Lsv2-series VMs, this problem means that the customer's data on the failing node is also securely erased. The customer needs to recreate the data on the new node.

+1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign administrator and non-administrator roles to users with Azure Active Directory](/azure/active-directory-b2c/tenant-management-read-tenant-name).

+ Title: Best practices for Azure Web Application Firewall in Azure Front Door

+description: In this article, you learn about the best practices for using Azure Web Application Firewall in Azure Front Door.

+# Best practices for Azure Web Application Firewall in Azure Front Door

+This article summarizes best practices for using Azure Web Application Firewall in Azure Front Door.

+This section discusses general best practices.

+For internet-facing applications, we recommend that you enable a web application firewall (WAF) and configure it to use managed rules. When you use a WAF and Microsoft-managed rules, your application is protected from a range of attacks.

+While you tune your WAF, consider using [detection mode](waf-front-door-policy-settings.md#waf-mode). This mode logs requests and the actions the WAF would normally take, but it doesn't actually block any traffic.

+For more information, see [Tune Azure Web Application Firewall for Azure Front Door](waf-front-door-tuning.md).

+After you tune your WAF, configure it to [run in prevention mode](waf-front-door-policy-settings.md#waf-mode). By running in prevention mode, you ensure that the WAF blocks requests that it detects are malicious. Running in detection mode is useful while you tune and configure your WAF, but it provides no protection.

+When you tune your WAF for your application workload, you typically create a set of rule exclusions to reduce false positive detections. If you manually configure these exclusions by using the Azure portal, when you upgrade your WAF to use a newer rule-set version, you need to reconfigure the same exceptions against the new rule-set version. This process can be time consuming and error prone.

+Instead, consider defining your WAF rule exclusions and other configuration as code, such as by using the Azure CLI, Azure PowerShell, Bicep, or Terraform. When you need to update your WAF rule-set version, you can easily reuse the same exclusions.

+## Managed rule-set best practices

+This section discusses best practices for rule sets.

+Microsoft's default rule sets are designed to protect your application by detecting and blocking common attacks. The rules are based on various sources, including the OWASP top-10 attack types and information from Microsoft Threat Intelligence.

+### Use the latest rule set versions

+For more information, see [Azure Web Application Firewall DRS rule groups and rules](waf-front-door-drs.md).

+This section discusses best practices for rate limiting.

+The Azure Front Door WAF enables you to control the number of requests allowed from each client's IP address over a period of time. It's a good practice to add rate limiting to reduce the effect of clients accidentally or intentionally sending large amounts of traffic to your service, such as during a [retry storm](/azure/architecture/antipatterns/retry-storm/).

+- [What is rate limiting for Azure Front Door?](waf-front-door-rate-limit.md).

+- [Configure an Azure Web Application Firewall rate limit rule by using Azure PowerShell](waf-front-door-rate-limit-configure.md).

+- [Why do additional requests above the threshold configured for my rate limit rule get passed to my back-end server?](waf-faq.yml#why-do-additional-requests-above-the-threshold-configured-for-my-rate-limit-rule-get-passed-to-my-backend-server-)

+Usually it's good practice to set your rate limit threshold to be quite high. For example, if you know that a single client IP address might send around 10 requests to your server each minute, consider specifying a threshold of 20 requests per minute.

+High rate-limit thresholds avoid blocking legitimate traffic. These thresholds still provide protection against extremely high numbers of requests that might overwhelm your infrastructure.

+This section discusses best practices for geo-filtering.

+Many web applications are designed for users within a specific geographic region. If this situation applies to your application, consider implementing geo-filtering to block requests that come from outside of the countries or regions from which you expect to receive traffic.

+For more information, see [What is geo-filtering on a domain for Azure Front Door?](waf-front-door-tutorial-geo-filtering.md).

+Some IP addresses aren't mapped to locations in our dataset. When an IP address can't be mapped to a location, the WAF assigns the traffic to the unknown (ZZ) country or region. To avoid blocking valid requests from these IP addresses, consider allowing the unknown (ZZ) country or region through your geo-filter.

+For more information, see [What is geo-filtering on a domain for Azure Front Door?](waf-front-door-tutorial-geo-filtering.md).

+This section discusses logging.

+The Azure Front Door WAF integrates with Azure Monitor. It's important to save the WAF logs to a destination like Log Analytics. You should review the WAF logs regularly. Reviewing logs helps you to [tune your WAF policies to reduce false-positive detections](#tune-your-waf) and to understand whether your application has been the subject of attacks.

+Microsoft Sentinel is a security information and event management (SIEM) system, which imports logs and data from multiple sources to understand the threat landscape for your web application and overall Azure environment. Azure Front Door WAF logs should be imported into Microsoft Sentinel or another SIEM so that your internet-facing properties are included in its analysis. For Microsoft Sentinel, use the Azure WAF connector to easily import your WAF logs.

+For more information, see [Use Microsoft Sentinel with Azure Web Application Firewall](../waf-sentinel.md).

+Learn how to [create an Azure Front Door WAF policy](waf-front-door-create-portal.md).

+ Title: Configure WAF exclusion lists for Azure Front Door

+description: Learn how to configure a web application firewall (WAF) exclusion list for an existing Azure Front Door endpoint.

+# Configure web application firewall exclusion lists

+Sometimes Azure Web Application Firewall in Azure Front Door might block a legitimate request. As part of tuning your web application firewall (WAF), you can configure the WAF to allow the request for your application. WAF exclusion lists allow you to omit specific request attributes from a WAF evaluation. The rest of the request is evaluated as normal. For more information about exclusion lists, see [Azure Web Application Firewall with Azure Front Door exclusion lists](waf-front-door-exclusion.md).

+An exclusion list can be configured by using [Azure PowerShell](/powershell/module/az.frontdoor/New-AzFrontDoorWafManagedRuleExclusionObject), the [Azure CLI](/cli/azure/network/front-door/waf-policy/managed-rules/exclusion#az-network-front-door-waf-policy-managed-rules-exclusion-add), the [REST API](/rest/api/frontdoorservice/webapplicationfirewall/policies/createorupdate), Bicep, Azure Resource Manager templates, and the Azure portal.

+While tuning your WAF, you notice that some legitimate requests were blocked because the user headers included character sequences that the WAF detected as SQL injection attacks. Specifically, rule ID 942230 detects the request headers and blocks the requests. [Rule 942230 is part of the SQLI rule group.](waf-front-door-drs.md#drs942-20)

+1. Open your Azure Front Door WAF policy.

+1. Select **Managed rules** > **Manage exclusions**.

+ :::image type="content" source="../media/waf-front-door-exclusion-configure/managed-rules-exclusion.png" alt-text="Screenshot that shows the Azure portal showing the WAF policy's Managed rules page, with the Manage exclusions button highlighted." :::

+1. Select **Add**.

+ :::image type="content" source="../media/waf-front-door-exclusion-configure/exclusion-add.png" alt-text="Screenshot that shows the Azure portal with the exclusion list Add button." :::

+1. Configure the exclusion's **Applies to** section:

+1. Configure the exclusion match conditions:

+ | Selector | User |

+ :::image type="content" source="../media/waf-front-door-exclusion-configure/exclusion-details.png" alt-text="Screenshot that shows the Azure portal showing the exclusion configuration." :::

+The following example uses the SQLI rule group because that group contains rule ID 942230.

+The following example configures the DRS 2.0 rule set with the rule group override and its exclusion.

+Use the [Update-AzFrontDoorWafPolicy](/powershell/module/az.frontdoor/update-azfrontdoorwafpolicy) cmdlet to update your WAF policy to include the configuration you created. Ensure that you use the correct resource group name and WAF policy name for your own environment.

+Use the [`az network front-door waf-policy managed-rules exclusion add`](/cli/azure/network/front-door/waf-policy/managed-rules/exclusion) command to update your WAF policy to add a new exclusion.

+The following example Bicep file shows how to:

+- Create an Azure Front Door WAF policy.

+Learn more about [Azure Front Door](../../frontdoor/front-door-overview.md).

+description: Learn how to use web application firewall rate limiting to protect your web applications from malicious attacks.

+# What is rate limiting for Azure Front Door?

+Rate limiting enables you to detect and block abnormally high levels of traffic from any socket IP address.

+By using Azure Web Application Firewall in Azure Front Door, you can mitigate some types of denial-of-service attacks. Rate limiting also protects you against clients that have accidentally been misconfigured to send large volumes of requests in a short time period.

+The socket IP address is the address of the client that initiated the TCP connection to Azure Front Door. Typically, the socket IP address is the IP address of the user, but it might also be the IP address of a proxy server or another device that sits between the user and Azure Front Door.

+You can define rate limits at the socket IP address level or the remote address level. If you have multiple clients that access Azure Front Door from different socket IP addresses, they each have their own rate limits applied. The socket IP address is the source IP address the web application firewall (WAF) sees. If your user is behind a proxy, the socket IP address is often the proxy server address. The remote address is the original client IP that's usually sent via the `X-Forwarded-For` request header.

+When you configure a rate limit rule, you specify the *threshold*. The threshold is the number of web requests that are allowed from each socket IP address within a time period of either one minute or five minutes.

+You also must specify at least one *match condition*, which tells Azure Front Door when to activate the rate limit. You can configure multiple rate limits that apply to different paths within your application.

+If you need to apply a rate limit rule to all your requests, consider using a match condition like the following example:

+The preceding match condition identifies all requests with a `Host` header of a length greater than `0`. Because all valid HTTP requests for Azure Front Door contain a `Host` header, this match condition has the effect of matching all HTTP requests.

+## Rate limits and Azure Front Door servers

+Requests from the same client often arrive at the same Azure Front Door server. In that case, you see requests are blocked as soon as the rate limit is reached for each of the client IP addresses.

+It's possible that requests from the same client might arrive at a different Azure Front Door server that hasn't refreshed the rate limit counters yet. For example, the client might open a new TCP connection for each request, and each TCP connection could be routed to a different Azure Front Door server.

+If the threshold is low enough, the first request to the new Azure Front Door server could pass the rate limit check. So, for a low threshold (for example, less than about 200 requests per minute), you might see some requests above the threshold get through.

+A few considerations to keep in mind while you determine threshold values and time windows for rate limiting:

+- Larger window size and smaller thresholds are most effective in preventing against DDoS attacks.

+- Setting larger time window sizes (for example, five minutes over one minute) and larger threshold values (for example, 200 over 100) tend to be more accurate in enforcing close to rate limits thresholds than using the shorter time window sizes and lower threshold values.

+- Configure [rate limiting on your Azure Front Door WAF](waf-front-door-rate-limit-configure.md).

+- Review [rate limiting best practices](waf-front-door-best-practices.md#rate-limiting-best-practices).

+ Title: Tune Azure Web Application Firewall for Azure Front Door

+description: In this article, you learn how to tune Azure Web Application Firewall for Azure Front Door.

+# Tune Azure Web Application Firewall for Azure Front Door

+The Microsoft-managed default rule set is based on the [OWASP Core Rule Set](https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.1/dev) and includes Microsoft Threat Intelligence collection rules.

+It's often expected that web application firewall (WAF) rules must be tuned to suit the specific needs of the application or organization that's using the WAF. Organizations commonly achieve tuning by taking one of the following actions:

+- Defining rule exclusions.

+- Creating custom rules.

+- Disabling rules that might be causing issues or false positives.

+This article describes what you can do if requests that should pass through your WAF are blocked.

+> [!NOTE]

+> The Microsoft-managed rule set isn't available for the Azure Front Door Standard SKU. For more information about the different tier SKUs, see [Feature comparison between tiers](../../frontdoor/standard-premium/tier-comparison.md#feature-comparison-between-tiers).

+Read the [Azure Front Door WAF overview](afds-overview.md) and the [WAF Policy for Azure Front Door](waf-front-door-create-portal.md) documents. Also, enable [WAF monitoring and logging](waf-front-door-monitor.md). These articles explain how the WAF functions, how the WAF rule sets work, and how to access WAF logs.

+## Understand WAF logs

+The purpose of WAF logs is to show every request that's matched or blocked by the WAF. It's a collection of all evaluated requests that are matched or blocked. If you notice that the WAF blocks a request that it shouldn't (a false positive), you can do a few things.

+First, narrow down and find the specific request. You can [configure a custom response message](./waf-front-door-configure-custom-response-code.md) to include the `trackingReference` field to easily identify the event and perform a log query on that specific value. Look through the logs to find the specific URI, timestamp, or client IP of the request. When you find the related log entries, you can act on false positives.

+For example, say you have legitimate traffic that contains the string `1=1` that you want to pass through your WAF. Here's what the request looks like:

+If you try the request, the WAF blocks traffic that contains your `1=1` string in any parameter or field. This string is often associated with a SQL injection attack. You can look through the logs and see the timestamp of the request and the rules that blocked or matched.

+The following example shows a log entry that was generated based on a rule match. You can use the following Log Analytics query to find requests that were blocked within the last 24 hours.

+In the `requestUri` field, you can see the request was made to `/api/Feedbacks/` specifically. Going further, find the rule ID `942110` in the `ruleName` field. Knowing the rule ID, you could go to the [OWASP ModSecurity Core Rule Set official repository](https://github.com/coreruleset/coreruleset) and search by that [rule ID](https://github.com/coreruleset/coreruleset/blob/v3.1/dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf) to review its code and understand exactly what this rule matches on.

+Then, by checking the `action` field, you can see that this rule is set to block requests upon matching. You can confirm that the request was blocked by the WAF because the `policyMode` is set to `prevention`.

+Now, check the information in the `details` field. This field is where you can see the `matchVariableName` and the `matchVariableValue` information. This rule was triggered because someone input `1=1` in the `comment` field of the web app.

+There's also value in checking the access logs to expand your knowledge about a given WAF event. Next, review the log that was generated as a response to the preceding event.

+You can see these logs are related because the `trackingReference` value is the same. Among various fields that provide general insight, such as `userAgent` and `clientIP`, notice the `httpStatusCode` and `httpStatusDetails` fields. Here, you can see that the client received an HTTP 403 response, which confirms that this request was denied and blocked.

+## Resolve false positives

+To make an informed decision about handling a false positive, it's important to familiarize yourself with the technologies your application uses. For example, say there isn't a SQL server in your technology stack, and you're getting false positives related to those rules. Disabling those rules doesn't necessarily weaken your security.

+With this information, and the knowledge that rule 942110 is the one that matched the `1=1` string in the example, you can do a few things to stop this legitimate request from being blocked:

+* **Use exclusion lists.** For more information about exclusion lists, see [Azure Web Application Firewall with Azure Front Door exclusion lists](waf-front-door-exclusion.md).

+* **Change WAF actions.** For more information about what actions can be taken when a request matches a rule's conditions, see [WAF Actions](afds-overview.md#waf-actions).

+* **Use custom rules.** For more information about custom rules, see [Custom rules for Azure Web Application Firewall with Azure Front Door](waf-front-door-custom-rules.md).

+* **Disable rules.**

+> When you select an approach to allow legitimate requests through the WAF, try to make it as narrow as you can. For example, it's better to use an exclusion list than to disable a rule entirely.

+### Use exclusion lists

+One benefit of using an exclusion list is that only the match variable you select to exclude will be no longer inspected for that given request. That is, you can choose between specific request headers, request cookies, query string arguments, or request body post arguments to be excluded if a certain condition is met, as opposed to excluding the whole request from being inspected. The other nonspecified variables of the request are inspected normally.

+Exclusions are a global setting. The configured exclusion applies to all traffic that passes through your WAF, not just a specific web app or URI. For example, this could be a concern if `1=1` is a valid request in the body for a certain web app, but not for others under the same WAF policy.

+If it makes sense to use different exclusion lists for different applications, consider using different WAF policies for each application and applying them to each application's front end.

+When you configure exclusion lists for managed rules, you can choose to exclude:

+- All rules within a rule set.

+- All rules within a rule group.

+- An individual rule.

+You can configure an exclusion list by using [PowerShell](/powershell/module/az.frontdoor/New-AzFrontDoorWafManagedRuleExclusionObject), the [Azure CLI](/cli/azure/network/front-door/waf-policy/managed-rules/exclusion), the [REST API](/rest/api/frontdoorservice/webapplicationfirewall/policies/createorupdate), Bicep, Azure Resource Manager templates, or the Azure portal.

+* **Exclusions at a rule level:** Applying exclusions at a rule level means that the specified exclusions won't be analyzed against that individual rule only. It will still be analyzed by all other rules in the rule set. This is the most granular level for exclusions. You can use it to fine-tune the managed rule set based on the information you find in the WAF logs when you troubleshoot an event.

+* **Exclusions at a rule group level:** Applying exclusions at a rule group level means that the specified exclusions won't be analyzed against that specific set of rule types. For example, selecting **SQLI** as an excluded rule group indicates the defined request exclusions won't be inspected by any of the SQLI-specific rules. It will still be inspected by rules in other groups, such as **PHP**, **RFI**, or **XSS**. This type of exclusion can be useful when you're sure the application isn't susceptible to specific types of attacks. For example, an application that doesn't have any SQL databases could have all SQLI rules excluded without it being detrimental to its security level.

+* **Exclusions at a rule set level:** Applying exclusions at a rule set level means that the specified exclusions won't be analyzed against any of the security rules available in that rule set. This exclusion is comprehensive, so use it carefully.

+In this example, you perform an exclusion at the most granular level by applying an exclusion to a single rule. You want to exclude the match variable **Request body post args name** that contains `comment`. You can see the match variable details in the firewall log: `"matchVariableName": "PostParamValue:comment"`. The attribute is `comment`. You can also find this attribute name a few other ways. For more information, see [Find request attribute names](#find-request-attribute-names).

+

+

+Occasionally, there are cases where specific parameters get passed into the WAF in a manner that might not be intuitive. For example, a token gets passed when you authenticate by using Azure Active Directory (Azure AD). The token `__RequestVerificationToken` usually gets passed in as a request cookie.

+In some cases where cookies are disabled, this token is also passed in as a request post argument. For this reason, to address Azure AD token false positives, you must ensure that `__RequestVerificationToken` is added to the exclusion list for both `RequestCookieNames` and `RequestBodyPostArgsNames`.

+Exclusions on a field name (**Selector**) means that the value will no longer be evaluated by the WAF. The field name itself continues to be evaluated and in rare cases it might match a WAF rule and trigger an action.

+

+### Change WAF actions

+Another way to handle the behavior of WAF rules is by choosing the action it takes when a request matches a rule's conditions. The available actions are [Allow, Block, Log, and Redirect](afds-overview.md#waf-actions).

+In this example, the default action **Block** changed to the **Log** action on rule 942110. This action causes the WAF to log the request and continue evaluating the same request against the remaining lower priority rules.

+

+After you perform the same request, you can refer back to the logs and see that this request was a match on rule ID 942110. The `action_s` field now indicates **Log** instead of **Block**. The log query was then expanded to include the `trackingReference_s` information to see what else happened with this request.

+

+Now you can see a different SQLI rule match that occurs milliseconds after rule ID 942110 was processed. The same request matched on rule ID 942310, and this time the default action **Block** was triggered.

+Another advantage of using the **Log** action during WAF tuning or troubleshooting is that you can identify if multiple rules within a specific rule group are matching and blocking a given request. You can then create your exclusions at the appropriate level, that is, at the rule or rule group level.

+### Use custom rules

+After you identify what's causing a WAF rule match, you can use custom rules to adjust how the WAF responds to the event. Custom rules are processed before managed rules. They can contain more than one condition, and their actions can be [Allow, Deny, Log, or Redirect](afds-overview.md#waf-actions).

+> [!WARNING]

+> When a request matches a custom rule, the WAF engine stops processing the request. Managed rules won't be processed for this request and neither will other custom rules with a lower priority.

+The following example shows a custom rule with two conditions. The first condition looks for the `comment` value in the request body. The second condition looks for the `/api/Feedbacks/` value in the request URI.

+By using a custom rule, you can be the most granular so that you can fine-tune your WAF rules and deal with false positives. In this case, you're not taking action only based on the `comment` request body value, which could exist across multiple sites or apps under the same WAF policy.

+When you include another condition to also match on a particular request URI `/api/Feedbacks/`, you ensure this custom rule truly applies to this explicit use case that you vetted out. In this way, the same attack, if performed against different conditions, is still inspected and prevented by the WAF engine.

+

+When you explore the log, you can see that the `ruleName_s` field contains the name given to the custom rule `redirectcomment`. In the `action_s` field, you can see that the **Redirect** action was taken for this event. In the `details_matches_s` field, you can see the details for both conditions were matched.

+### Disable rules

+Another way to get around a false positive is to disable the rule that matched the input the WAF thought was malicious. Because you parsed the WAF logs and narrowed the rule down to 942110, you can disable it in the Azure portal. For more information, see [Customize Azure Web Application Firewall rules by using the Azure portal](../ag/application-gateway-customize-waf-rules-portal.md#disable-rule-groups-and-rules).

+Disabling a rule is a benefit when you're sure that all requests meeting that specific condition are legitimate requests, or when you're sure the rule doesn't apply to your environment (such as disabling a SQL injection rule because you have non-SQL back ends).

+Disabling a rule is a global setting that applies to all front-end hosts associated to the WAF policy. When you choose to disable a rule, you might be leaving vulnerabilities exposed without protection or detection for any other front-end hosts associated to the WAF policy.

+If you want to use Azure PowerShell to disable a managed rule, see the [`PSAzureManagedRuleOverride`](/powershell/module/az.frontdoor/new-azfrontdoorwafmanagedruleoverrideobject) object documentation. If you want to use the Azure CLI, see the [`az network front-door waf-policy managed-rules override`](/cli/azure/network/front-door/waf-policy/managed-rules/override) documentation.

+

+> Document any changes you make to your WAF policy. Include example requests to illustrate the false positive detection. Explain why you added a custom rule, disabled a rule or rule set, or added an exception. If you redesign your application in the future, you might need to verify that your changes are still valid. Or you might be audited or need to justify why you reconfigured the WAF policy from its default settings.

+## Find request fields

+By using a browser proxy like [Fiddler](https://www.telerik.com/fiddler), you can inspect individual requests and determine what specific fields of a webpage are called. This technique is helpful when you need to exclude certain fields from inspection by using exclusion lists in the WAF.

+### Find request attribute names

+In this example, the field where the `1=1` string was entered is called `comment`. This data was passed in the body of a POST request.

+

+You can exclude this field. To learn more about exclusion lists, see [Web application firewall exclusion lists](./waf-front-door-exclusion.md). You can exclude the evaluation in this case by configuring the following exclusion:

+

+You can also examine the firewall logs to get the information to see what you need to add to the exclusion list. To enable logging, see [Monitor metrics and logs in Azure Front Door](./waf-front-door-monitor.md).

+Examine the firewall log in the `PT1H.json` file for the hour that the request you want to inspect occurred. The `PT1H.json` files are available in the storage account containers where the `FrontDoorWebApplicationFirewallLog` and the `FrontDoorAccessLog` diagnostic logs are stored.

+Examine the firewall log in the `PT1H.json` file for the hour that the request you want to inspect occurred. The `PT1H.json` files are available in the storage account containers where the `FrontdoorWebApplicationFirewallLog` and the `FrontdoorAccessLog` diagnostic logs are stored.

+In this example, you can see the rule that blocked the request (with the same Transaction Reference) and that occurred at the same time.

+With your knowledge of how the Azure-managed rule sets work, you know that the rule with the `action: Block` property is blocking based on the data matched in the request body. (For more information, see [Azure Web Application Firewall in Azure Front Door](afds-overview.md).) You can see in the details that it matched a pattern (`1=1`) and the field is named `comment`. Follow the same previous steps to exclude the request body post args name that contains `comment`.

+### Find request header names

+Fiddler is a useful tool to find request header names. The following screenshot shows the headers for this GET request, which include `Content-Type` and `User-Agent`. You can also use request headers to create exclusions and custom rules in the WAF.

+

+Another way to view request and response headers is to look inside the developer tools of your browser, such as Microsoft Edge or Chrome. You can select F12 or right-click **Inspect** > **Developer Tools**. Select the **Network** tab. Load a webpage and select the request you want to inspect.

+

+### Find request cookie names

+If the request contains cookies, select the **Cookies** tab to view them in Fiddler. Cookie information can also be used to create exclusions or custom rules in the WAF.

+If you see rule ID 949110 during the process of tuning your WAF, its presence indicates that the request was blocked by the [anomaly scoring](waf-front-door-drs.md#anomaly-scoring-mode) process.

+Review the other WAF log entries for the same request by searching for the log entries with the same tracking reference. Look at each of the rules that were triggered. Tune each rule by following the guidance in this article.

+- Learn about [Azure Web Application Firewall](../overview.md).

+- Learn how to [create an instance of Azure Front Door](../../frontdoor/quickstart-create-front-door.md).