-| response_type |Required |The response type, which must include `code` for the authorization code flow. |

-| [Integration of SAML with Azure AD B2C](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=11) 9:09 | [:::image type="icon" source="./media/external-identities-videos/saml-integration.png" border="false":::](https://www.youtube.com/watch?v=r2TIVBCm7v4&list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0&index=11) |

-If you are viewing **App registrations** in the context of a tenant, a subset of the applications that appear under the **All apps** tab are from another tenant and were registered into your tenant during the consent process. More specifically, they are represented by only a service principal object in your tenant, with no corresponding application object. For more information on the differences between application and service principal objects, see [Application and service principal objects in Azure AD](./app-objects-and-service-principals.md).

-In order to remove an applicationΓÇÖs access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have Global Administrator access, and can remove the application through the Azure portal or use the [Azure AD PowerShell Cmdlets](/previous-versions/azure/jj151815(v=azure.100)) to remove access.

-After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties. After that 30-day window passes, app registrations cannot be restored and the permanent deletion process may be automatically started. This functionality only applies to applications associated to a directory. It is not available for applications from a personal Microsoft account, which cannot be restored.

-You can view your deleted applications, restore a deleted application, or permanently delete an application using the App registrations experience under Azure Active Directory (Azure AD) in the Azure portal.

-Note that neither you nor Microsoft customer support can restore a permanently deleted application or an application deleted more than 30 days ago.

-> [!IMPORTANT]

-> The deleted applications portal UI feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]

-When an app registration is deleted from the organization, the app is in a suspended state and its configurations are preserved. When you restore an app registration, its configurations are also restored. However, if there were any organization-specific settings in **Enterprise applications** for the application's home tenant, those will not be restored.

-This is because organization-specific settings are stored on a separate object, called the service principal. Settings held on the service principal include permission consents and user and group assignments for a certain organization; these configurations will not be restored when the app is restored. For more information, see [Application and service principal objects](app-objects-and-service-principals.md).

- Name Value

- - --

- EnableMIPLabels True

- EnableMSStandardBlockedWords False

- AllowGuestsToBeGroupOwner False

- AllowGuestsToAccessGroups True

- AllowToAddGuests True

- UsageGuidelinesUrl https://guideline.example.com

- EnableGroupCreation True

-Group writeback is a valuable tool for administrators of Azure Active Directory (Azure AD) tenants being synced with on-premises Active Directory groups. Microsoft is now previewing new capabilities for group writeback. In this preview, you can specify in the Azure AD admin center which groups you want to write back and what youΓÇÖd like each group to write back as. You can write Microsoft 365 groups back to on-premises Active Directory as Distribution, Mail-enabled Security, or Security groups, and write Security groups back as Security groups. Groups are written back with a scope of universalΓÇï.

-description: The What's new release notes in the Overview section of this content set contains 6 months of activity. After 6 months, the items are removed from the main article and put into this archive article.

-A problematic interaction between Windows and a local Active Directory Federation Services (ADFS) instance can result in users attempting to sign into another account, but be silently signed into their existing account instead, with no warning. For federated IdPs such as ADFS, that support the [prompt=login](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) pattern, Azure AD will now trigger a fresh login at ADFS when a user is directed to ADFS with a login hint. This ensures that the user is signed into the account they requested, rather than being silently signed into the account they're already signed in with.

-The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to writeback a userΓÇÖs password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).

-For more information on how to use this feature visit [View and search your recent sign-in activity from the My sign-ins page](../user-help/my-account-portal-sign-ins-page.md).

-[Tide - Connector](https://gallery.ctinsuretech-tide.com/), [Virtual Risk Manager - USA](../saas-apps/virtual-risk-manager-usa-tutorial.md), [Xorlia Policy Management](https://app.xoralia.com/), [WorkPatterns](https://app.workpatterns.com/oauth2/login?data_source_type=office_365_account_calendar_workspace_sync&utm_source=azure_sso), [GHAE](../saas-apps/ghae-tutorial.md), [Nodetrax Project](../saas-apps/nodetrax-project-tutorial.md), [Touchstone Benchmarking](https://app.touchstonebenchmarking.com/), [SURFsecureID - Azure AD Multi-Factor Authentication](../saas-apps/surfsecureid-azure-mfa-tutorial.md), [AIDEA](https://truebluecorp.com/en/prodotti/aidea-en/),[R and D Tax Credit

-### Public Preview ΓÇô Flagged sign-ins

-Flagged sign-ins is a feature that will increase the signal to noise ratio for user sign-ins where users need help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. Also to help admins and help desk workers find the right sign-in events quickly and efficiently. [Learn more](../reports-monitoring/overview-flagged-sign-ins.md).

-### General Availability - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10/11

-If you would like to request an extension, impacted customers with affected OAuth client ID(s) should have received an email from Google Developers with the following information regarding a one-time policy enforcement extension, which must be completed by January 31, 2022.

-As a workaround, we are deploying the device login flow by October 8. Between today and until then, it is likely that it may not be rolled out to all regions yet (in which case, end-users will be met with an error screen until it gets deployed to your region.)

-For more details on the device login flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).

-The modern Edge browser is now included in the requirement to provide an `Origin` header when redeeming a [single page app authorization code](../develop/v2-oauth2-auth-code-flow.md#redirect-uri-setup-required-for-single-page-apps). A compatibility fix accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the `Origin` header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the `Origin` header per HTTP spec, to ensure CORS is enforced. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).

-### Gmail users signing in on Microsoft Teams mobile and desktop clients will sign in with device login flow starting September 30, 2021

-Starting on September 30 2021, Azure AD B2B guests and Azure AD B2C customers signing in with their self-service signed up or redeemed Gmail accounts will have an extra login step. Users will now be prompted to enter a code in a separate browser window to finish signing in on Microsoft Teams mobile and desktop clients. If you haven't already done so, make sure to modify your apps to use the system browser for sign-in. See [Embedded vs System Web UI in the MSAL.NET](../develop/msal-net-web-browsers.md#embedded-vs-system-web-ui) documentation for more information. All MSAL SDKs use the system web-view by default.

-As the device login flow will start September 30, 2021, it may not be available in your region immediately. If it's not available yet, your end-users will be met with the error screen shown in the doc until it gets deployed to your region.) For more details on the device login flow and details on requesting extension to Google, see [Add Google as an identity provider for B2B guest users](../external-identities/google-federation.md#deprecation-of-web-view-sign-in-support).

-### Public Preview - Azure AD single Sign on and device-based Conditional Access support in Firefox on Windows 10

-Users that have been assigned the User administrator role can longer create catalogs or manage access packages in a catalog they don't own. If users in your organization have been assigned the User administrator role to configure catalogs, access packages, or policies in entitlement management, they will need a new assignment. You should instead assign these users the Identity Governance administrator role. [Learn more](../governance/entitlement-management-delegate.md)

-The Microsoft Azure AD Connector for FIM is at feature freeze and deprecated. The solution of using FIM and the Azure AD Connector has been replaced. Existing deployments should migrate to [Azure AD Connect](../hybrid/whatis-hybrid-identity.md), Azure AD Connect Sync, or the [Microsoft Graph Connector](/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph), as the internal interfaces used by the Azure AD Connector for FIM are being removed from Azure AD. [Learn more](/microsoft-identity-manager/microsoft-identity-manager-2016-deprecated-features).

-If you run a retired version of Azure AD Connect it may unexpectedly stop working. You may also not have the latest security fixes, performance improvements, troubleshooting, and diagnostic tools and service enhancements. Also, if you require support we can't provide you with the level of service your organization needs.

-As the device login flow will start rolling out on September 30, 2021, it is likely that it may not be rolled out to your region yet (in which case, your end-users will be met with the error screen shown in the documentation until it gets deployed to your region.)

-### General availability - Enable external users to self-service sign-up in Azure AD using MSA accounts

-Users can now enable external users to self-service sign-up in Azure Active Directory using Microsoft accounts. [Learn more](../external-identities/microsoft-account.md).

-Now users can enable external users to self-service sign-up in Azure Active Directory using their email and one-time passcode. [Learn more](../external-identities/one-time-passcode.md).

-### General availability - group owners in Azure AD can create and manage Azure AD access reviews for their groups

-As a security improvement, the [device code flow](../develop/v2-oauth2-device-code.md) has been updated to include another prompt, which validates that the user is signing into the app they expect. The rollout is planned to start in June and expected to be complete by June 30.

-To help prevent phishing attacks where an attacker tricks the user into signing into a malicious application, the following prompt is being added: "Are you trying to sign in to [application display name]?". All users will see this prompt while signing in using the device code flow. As a security measure, it cannot be removed or bypassed. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).

-[Zii Travel Azure AD Connect](https://azuremarketplace.microsoft.com/marketplace/apps/aad.ziitravelazureadconnect?tab=Overview), [Cerby](../saas-apps/cerby-tutorial.md), [Selflessly](https://app.selflessly.io/sign-in), [Apollo CX](https://apollo.cxlabs.de/sso/aad), [Pedagoo](https://account.pedagoo.com/), [Measureup](https://account.measureup.com/), [ProcessUnity](../saas-apps/processunity-tutorial.md), [Cisco Intersight](../saas-apps/cisco-intersight-tutorial.md), [Codility](../saas-apps/codility-tutorial.md), [H5mag](https://account.h5mag.com/auth/request-access/ms365), [Check Point Identity Awareness](../saas-apps/check-point-identity-awareness-tutorial.md), [Jarvis](https://jarvis.live/login), [desknet's NEO](../saas-apps/desknets-neo-tutorial.md), [SDS & Chemical Information Management](../saas-apps/sds-chemical-information-management-tutorial.md), [W├║ru App](../saas-apps/wuru-app-tutorial.md), [Holmes](../saas-apps/holmes-tutorial.md), [Tide Multi Tenant](https://gallery.tideapp.co.uk/), [Telenor](https://www.telenor.no/kundeservice/internett/wifi/administrere-ruter/), [Yooz US](https://us1.getyooz.com/?kc_idp_hint=microsoft), [Mooncamp](https://app.mooncamp.com/#/login), [inwise SSO](https://app.inwise.com/defaultsso.aspx), [Ecolab Digital Solutions](https://ecolabb2c.b2clogin.com/account.ecolab.com/oauth2/v2.0/authorize?p=B2C_1A_Connect_OIDC_SignIn&client_id=01281626-dbed-4405-a430-66457825d361&nonce=defaultNonce&redirect_uri=https://jwt.ms&scope=openid&response_type=id_token&prompt=login), [Taguchi Digital Marketing System](https://login.taguchi.com.au/), [XpressDox EU Cloud](https://test.xpressdox.com/Authentication/Login.aspx), [EZSSH](https://docs.keytos.io/getting-started/registering-a-new-tenant/registering_app_in_tenant/), [EZSSH Client](https://portal.ezssh.io/signup), [Verto 365](https://www.vertocloud.com/Login/), [KPN Grip](https://www.grip-on-it.com/), [AddressLook](https://portal.bbsonlineservices.net/Manage/AddressLook), [Cornerstone single sign-on](../saas-apps/cornerstone-ondemand-tutorial.md)

-Azure AD connect cloud sync now has an updated agent (version# - 1.1.359). For more details on agent updates, including bug fixes, check out the [version history](../cloud-sync/reference-version-history.md). With the updated agent, cloud sync customers can use GMSA cmdlets to set and reset their gMSA permission at a granular level. In addition that, we have changed the limit of syncing members using group scope filtering from 1499 to 50,000 (50K) members.

-### Public preview - External Identities Self-Service Sign-up in Azure AD using Email One-Time Passcode accounts

-[Bambuser Live Video Shopping](https://lcx.bambuser.com/), [DeepDyve Inc](https://www.deepdyve.com/azure-sso), [Moqups](../saas-apps/moqups-tutorial.md), [RICOH Spaces Mobile](https://ricohspaces.app/welcome), [Flipgrid](https://auth.flipgrid.com/), [hCaptcha Enterprise](../saas-apps/hcaptcha-enterprise-tutorial.md), [SchoolStream ASA](https://www.ssk12.com/), [TransPerfect GlobalLink Dashboard](../saas-apps/transperfect-globallink-dashboard-tutorial.md), [SimplificaCI](https://app.simplificaci.com.br/), [Thrive LXP](../saas-apps/thrive-lxp-tutorial.md), [Lexonis TalentScape](../saas-apps/lexonis-talentscape-tutorial.md), [Exium](../saas-apps/exium-tutorial.md), [Sapient](../saas-apps/sapient-tutorial.md), [TrueChoice](../saas-apps/truechoice-tutorial.md), [RICOH Spaces](https://ricohspaces.app/welcome), [Saba Cloud](../saas-apps/learning-at-work-tutorial.md), [Acunetix 360](../saas-apps/acunetix-360-tutorial.md), [Exceed.ai](../saas-apps/exceed-ai-tutorial.md), [GitHub Enterprise Managed User](../saas-apps/github-enterprise-managed-user-tutorial.md), [Enterprise Vault.cloud for Outlook](https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=id_token&scope=openid%20profile%20User.Read&client_id=7176efe5-e954-4aed-b5c8-f5c85a980d3a&nonce=4b9e1981-1bcb-4938-a283-86f6931dc8cb), [Smartlook](../saas-apps/smartlook-tutorial.md), [Accenture Academy](../saas-apps/accenture-academy-tutorial.md), [Onshape](../saas-apps/onshape-tutorial.md), [Tradeshift](../saas-apps/tradeshift-tutorial.md), [JuriBlox](../saas-apps/juriblox-tutorial.md), [SecurityStudio](../saas-apps/securitystudio-tutorial.md), [ClicData](https://app.clicdata.com/), [Evergreen](../saas-apps/evergreen-tutorial.md), [Patchdeck](https://patchdeck.com/ad_auth/authenticate/), [FAX.PLUS](../saas-apps/fax-plus-tutorial.md), [ValidSign](../saas-apps/validsign-tutorial.md), [AWS single sign-on](../saas-apps/aws-single-sign-on-tutorial.md), [Nura Space](https://dashboard.nuraspace.com/login), [Broadcom DX SaaS](../saas-apps/broadcom-dx-saas-tutorial.md), [Interplay Learning](https://skilledtrades.interplaylearning.com/#login), [SendPro Enterprise](../saas-apps/sendpro-enterprise-tutorial.md), [FortiSASE SIA](../saas-apps/fortisase-sia-tutorial.md)

-Customers can now use application.readwrite.ownedby as an application permission to call the synchronization APIs. Note this is only supported for provisioning from Azure AD out into third-party applications (for example, AWS, Data Bricks, etc.). It is currently not supported for HR-provisioning (Workday / Successfactors) or Cloud Sync (AD to Azure AD). [Learn more](/graph/api/resources/provisioningobjectsummary).

-An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you will have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).

-An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you will have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers)

-### Public Preview - Email sign-in with ProxyAddresses now deployable via Staged Rollout

-Tenant administrators can now use Staged Rollout to deploy Email sign-in with ProxyAddresses to specific Azure AD groups. This can help while trying out the feature before deploying it to the entire tenant via the Home Realm Discovery policy. Instructions for deploying Email sign-in with ProxyAddresses via Staged Rollout are in the [documentation](../authentication/howto-authentication-use-email-signin.md).

-### Azure AD on-premises Hybrid Agents Impacted by Azure TLS Certificate Changes

-If you have an environment with firewall rules set to allow outbound calls to only specific Certificate Revocation List (CRL) download, you will need to allow the following CRL and OCSP URLs. For full details on the change and the CRL and OCSP URLs to enable access to, see [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md).

-### Azure AD on-premises Hybrid Agents Impacted by Azure Transport Layer Security (TLS) Certificate Changes

-Azure Active Directory will deprecate the following protocols in Azure Active Directory worldwide regions starting on January 31, 2022 (This date has been postponed from 30th June 2021 to 31st January 2022, to give Administrators more time to remove the dependency on legacy TLS protocols and ciphers (TLS 1.0,1.1 and 3DES)):

- Once you have setup your configuration, you might want to test to see if the user transformation is working as expected before applying it to all your users in scope. With on-demand provisioning, IT Admins can enter the Distinguished Name (DN) of an AD user and see if they're getting synced as expected. On-demand provisioning provides a great way to ensure that the attribute mappings you did previously work as expected. [Learn More](../cloud-sync/how-to-on-demand-provision.md)

-You can add free text notes to Enterprise applications. You can add any relevant information that will help you manage applications under Enterprise applications. For more information, see [Quickstart: Configure properties for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-configure.md).

-[VMware Horizon - Unified Access Gateway](), [Pulse Secure PCS](../saas-apps/vmware-horizon-unified-access-gateway-tutorial.md), [Inventory360](../saas-apps/pulse-secure-pcs-tutorial.md), [Frontitude](https://services.enteksystems.de/sso/microsoft/signup), [BookWidgets](https://www.bookwidgets.com/sso/office365), [ZVD_Server](https://zaas.zenmutech.com/user/signin), [HashData for Business](https://hashdata.app/login.xhtml), [SecureLogin](https://securelogin.securelogin.nu/sso/azure/login), [CyberSolutions MAILBASEΣ/CMSS](../saas-apps/cybersolutions-mailbase-tutorial.md), [CyberSolutions CYBERMAILΣ](../saas-apps/cybersolutions-cybermail-tutorial.md), [LimbleCMMS](https://auth.limblecmms.com/), [Glint Inc](../saas-apps/glint-inc-tutorial.md), [zeroheight](../saas-apps/zeroheight-tutorial.md), [Gender Fitness](https://app.genderfitness.com/), [Coeo Portal](https://my.coeo.com/), [Grammarly](../saas-apps/grammarly-tutorial.md), [Fivetran](../saas-apps/fivetran-tutorial.md), [Kumolus](../saas-apps/kumolus-tutorial.md), [RSA Archer Suite](../saas-apps/rsa-archer-suite-tutorial.md), [TeamzSkill](../saas-apps/teamzskill-tutorial.md), [raumfürraum](../saas-apps/raumfurraum-tutorial.md), [Saviynt](../saas-apps/saviynt-tutorial.md), [BizMerlinHR](https://marketplace.bizmerlin.net/bmone/signup), [Mobile Locker](../saas-apps/mobile-locker-tutorial.md), [Zengine](../saas-apps/zengine-tutorial.md), [CloudCADI](https://app.cloudcadi.com/login), [Simfoni Analytics](https://simfonianalytics.com/accounts/microsoft/login/), [Priva Identity & Access Management](https://my.priva.com/), [Nitro Pro](https://www.gonitro.com/nps/product-details/downloads), [Eventfinity](../saas-apps/eventfinity-tutorial.md), [Fexa](../saas-apps/fexa-tutorial.md), [Secured Signing Enterprise Portal](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Secured Signing Enterprise Portal Azure AD Setup](https://www.securedsigning.com/aad/Auth/ExternalLogin/AdminPortal), [Wistec Online](https://wisteconline.com/auth/oidc), [Oracle PeopleSoft - Protected by F5 BIG-IP APM](../saas-apps/oracle-peoplesoft-protected-by-f5-big-ip-apm-tutorial.md)

-We will start to disable the current setting for the customers who are not using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using [Azure Active Directory](./active-directory-groups-settings-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).

-Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD sign-ins blade in the Azure portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting sign-in Logs, please see the [sign-in Logs documentation](../reports-monitoring/concept-sign-ins.md).

-[Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://www.alohacloud.com/), Control Tower, [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngageΓäó](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub single sign-on](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), [Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://q.moduleq.com/login), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack single sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)

-### Azure Active Directory Multi-Factor Authentication Software Development (Azure AD Multi-Factor Authentication SDK) Deprecation

-The Azure Active Directory Multi-Factor Authentication Software Development (Azure AD Multi-Factor Authentication SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail.

-If your organization is using the Azure AD Multi-Factor Authentication SDK, you need to migrate by September 30th, 2020:

-Some SAML applications require SPNameQualifier to be returned in the assertion subject when requested. Now Azure AD responds correctly when a SPNameQualifier is requested in the request NameID policy. This also works for SP initiated sign-in, and IdP initiated sign-in will follow. To learn more about SAML protocol in Azure Active Directory, see [Single sign-on SAML protocol](../develop/single-sign-on-saml-protocol.md).

-In June 2020 we have added the following 29 new applications in our App gallery with Federation support:

-The riskyUsers and riskDetections Microsoft Graph APIs are now generally available. Now that they are available at the v1.0 endpoint, we invite you to use them in production. For more information, please check out the [Microsoft Graph docs](/graph/api/resources/identityprotectionroot).

-Now that Microsoft Authentication Libraries (MSAL) is available, we will no longer add new features to the Azure Active Directory Authentication Libraries (ADAL) and will end security patches on June 30th, 2022. For more information on how to migrate to MSAL, refer to [Migrate applications to Microsoft Authentication Library (MSAL)](../develop/msal-migration.md).

-Additionally, we have finished the work to make all Azure AD Graph functionality available through MS Graph. So, Azure AD Graph APIs will receive only bugfix and security fixes through June 30th, 2022. For more information, see [Update your applications to use Microsoft Authentication Library and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363)

-### Retirement of properties in sign-ins, riskyUsers, and riskDetections APIs

-Currently, enumerated types are used to represent the riskType property in both the riskDetections API and riskyUserHistoryItem (in preview). Enumerated types are also used for the riskEventTypes property in the sign-ins API. Going forward we will represent these properties as strings.

-Customers should transition to the riskEventType property in the beta riskDetections and riskyUserHistoryItem API, and to riskEventTypes_v2 property in the beta sign-ins API by September 9th, 2020. At that date, we will be retiring the current riskType and riskEventTypes properties. For more information, refer to [Changes to risk event properties and Identity Protection APIs on Microsoft Graph](https://developer.microsoft.com/graph/blogs/changes-to-risk-event-properties-and-identity-protection-apis-on-microsoft-graph/).

-### Deprecation of riskEventTypes property in sign-ins v1.0 API on Microsoft Graph

-Enumerated types will switch to string types when representing risk event properties in Microsoft Graph September 2020. In addition to affecting the preview APIs, this change will also affect the in-production sign-ins API.

-We have introduced a new riskEventsTypes_v2 (string) property to the sign-ins v1.0 API. We will retire the current riskEventTypes (enum) property on June 11, 2022 in accordance with our Microsoft Graph deprecation policy. Customers should transition to the riskEventTypes_v2 property in the v1.0 sign-ins API by June 11, 2022. For more information, refer to [Deprecation of riskEventTypes property in sign-ins v1.0 API on Microsoft Graph](https://developer.microsoft.com/graph/blogs/deprecation-of-riskeventtypes-property-in-signins-v1-0-api-on-microsoft-graph//).

-We are making the following changes to the email notifications for cloud multifactor authentication (MFA):

-Currently, users who are in domains federated in Azure AD, but who are not synced into the tenant, can't access Teams. Starting at the end of June, this new capability will enable them to do so by extending the existing email verified sign up feature. This will allow users who can sign in to a federated IdP, but who don't yet have a user object in Azure ID, to have a user object created automatically and be authenticated for Teams. Their user object will be marked as "self-service sign up." This is an extension of the existing capability to do email verified self-sign up that users in managed domains can do and can be controlled using the same flag. This change will complete rolling out during the following two months. Watch for documentation updates [here](../enterprise-users/directory-self-service-signup.md).

-On 1 June 2018, the official Azure Active Directory (Azure AD) Authority for Azure Government changed from https://login-us.microsoftonline.com to https://login.microsoftonline.us. If you own an application within an Azure Government tenant, you must update your application to sign users in on the .us endpoint.

-Starting May 5th, Azure AD will begin enforcing the endpoint change, blocking Azure Government users from signing into apps hosted in Azure Government tenants using the public endpoint (microsoftonline.com). Affected apps will begin seeing an error AADSTS900439 - USGClientNotSupportedOnPublicEndpoint.

-When a user clicks on sign-out (e.g., in the MyApps portal), Azure AD sends a SAML Single Logout message to each app that is active in the user session and has a Logout URL configured. These messages contain a NameID in a persistent format.

-If the original SAML sign-in token used a different format for NameID (e.g. email/UPN), then the SAML app cannot correlate the NameID in the logout message to an existing session (as the NameIDs used in both messages are different), which caused the logout message to be discarded by the SAML app and the user to stay logged in. This fix makes the sign-out message consistent with the NameID configured for the application.

-IT Admins can start using the new "Hybrid Admin" role as the least privileged role for setting up Azure AD Connect Cloud Provisioning. With this new role, you no longer have to use the Global Admin role to setup and configure Cloud Provisioning. [Learn more](../roles/delegate-by-task.md#connect).

-In May 2020, we have added the following 36 new applications in our App gallery with Federation support:

-[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their effect before enabling them, making deployment safer and easier. Over the past few months, weΓÇÖve seen strong adoption of report-only modeΓÇöover 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the effect of your policies from the moment theyΓÇÖre created. And for those of you who use the MS Graph APIs, you can [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy) as well.

-We are currently in Public Preview, looking for feedback. Please send your comments with this [brief survey](https://aka.ms/MsGraphAADSurveyDocs).

-Previously, the only filters you could use were "Enabled" and "Activity date." Now, you can [filter your list of devices on more properties](../devices/device-management-azure-portal.md), including OS type, join type, compliance, and more. These additions should simplify locating a particular device.

-Continuous Access Evaluation is a new security feature that enables near real-time enforcement of policies on relying parties consuming Azure AD Access Tokens when events happen in Azure AD (such as user account deletion). We are rolling this feature out first for Teams and Outlook clients. For more details, please read our [blog](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/moving-towards-real-time-policy-and-security-enforcement/ba-p/1276933) and [documentation](../conditional-access/concept-continuous-access-evaluation.md).

-[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their effect before enabling them, making deployment safer and easier. Over the past few months, weΓÇÖve seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the effect of your policies from the moment theyΓÇÖre created. And for those of you who use the MS Graph APIs, you can also [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy).

-**Printer Technician**: Users with this role can register printers and manage printer status in the Microsoft Universal Print solution. They can also read all connector information. Key tasks a Printer Technician cannot do are set user permissions on printers and sharing printers. [Learn more.](../roles/permissions-reference.md#printer-administrator)

-Users in this role can enable, configure and manage services and settings related to enabling hybrid identity in Azure AD. This role grants the ability to configure Azure AD to one of the three supported authentication methods—Password hash synchronization (PHS), Pass-through authentication (PTA) or Federation (AD FS or 3rd party federation provider)—and to deploy related on-premises infrastructure to enable them. On-premises infrastructure includes Provisioning and PTA agents. This role grants the ability to enable Seamless single sign-on (S-SSO) to enable seamless authentication on non-Windows 10 devices or non-Windows Server 2016 computers. In addition, this role grants the ability to see sign-in logs and to access health and analytics for monitoring and troubleshooting purposes. [Learn more.](../roles/permissions-reference.md#hybrid-identity-administrator)

-My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who canΓÇÖt access their account can re-gain access in just a couple of clicks, with no helpdesk or IT staff required. For more information, see the [Manage your users with My Staff (preview)](../roles/my-staff-configure.md) and [Delegate user management with My Staff (preview)](https://support.microsoft.com/account-billing/manage-front-line-users-with-my-staff-c65b9673-7e1c-4ad6-812b-1a31ce4460bd).

-We have updated the reviewer experience for Azure AD access reviews in the My Apps portal. At the end of April, your reviewers who are logged in to the Azure AD access reviews reviewer experience will see a banner that will allow them to try the updated experience in My Access. Please note that the updated Access reviews experience offers the same functionality as the current experience, but with an improved user interface on top of new capabilities to enable your users to be productive. [You can learn more about the updated experience here](../governance/perform-access-review.md). This public preview will last until the end of July 2020. At the end of July, reviewers who have not opted into the preview experience will be automatically directed to My Access to perform access reviews. If you wish to have your reviewers permanently switched over to the preview experience in My Access now, [please make a request here](https://forms.microsoft.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR5dv-S62099HtxdeKIcgO-NUOFJaRDFDWUpHRk8zQ1BWVU1MMTcyQ1FFUi4u).

-Based on customer feedback, we have now updated the Workday inbound user provisioning and writeback apps in the enterprise app gallery to support the latest versions of the Workday Web Services (WWS) API. With this change, customers can specify the WWS API version that they would like to use in the connection string. This gives customers the ability to retrieve more HR attributes available in the releases of Workday. The Workday Writeback app now uses the recommended Change_Work_Contact_Info Workday web service to overcome the limitations of Maintain_Contact_Info.

-Historically, users with the default access role have been out of scope for provisioning. We've heard feedback that customers want users with this role to be in scope for provisioning. As of April 16, 2020, all new provisioning configurations allow users with the default access role to be provisioned. Gradually we will change the behavior for existing provisioning configurations to support provisioning users with this role. [Learn more.](../app-provisioning/application-provisioning-config-problem-no-users-provisioned.md)

-We fixed a bug where changes to the [HomeRealmDiscovery policy](../manage-apps/configure-authentication-for-federated-users-portal.md) were not included in the audit logs. You will now be able to see when and how the policy was changed, and by whom.

-We’re excited to share that we have now rolled out the refreshed [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) experience in the [Microsoft Azure Government portal](https://portal.azure.us/). For more information, see our [announcement blog post](https://techcommunity.microsoft.com/t5/public-sector-blog/identity-protection-refresh-in-microsoft-azure-government/ba-p/1223667).

-Custom controls will continue to be supported in preview alongside the new design until it reaches general availability. At that point, we'll give customers time to migrate to the new design. Because of the limitations of the current approach, we won't onboard new providers until the new design is available. We are working closely with customers and providers and will communicate the timeline as we get closer. [Learn more](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/upcoming-changes-to-custom-controls/ba-p/1144696#).

-**No immediate customer action is required.** For existing customers, the dynamic tier that was in use on February 1, 2020, determines the new default tier. There is no pricing or performance impact as the result of this change. Going forward, Azure AD DS customers will need to evaluate performance requirements as their directory size and workload characteristics change. Switching between service tiers will continue to be a no-downtime operation, and we will no longer automatically move customers to new tiers based on the growth of their directory. Furthermore, there will be no price increases, and new pricing will align with our current billing model. For more information, see the [Azure AD DS SKUs documentation](../../active-directory-domain-services/administration-concepts.md#azure-ad-ds-skus) and the [Azure AD Domain Services pricing page](https://azure.microsoft.com/pricing/details/active-directory-ds/).

-### Microsoft Edge Mobile Support for Conditional Access and single sign-on (General Availability)

-Azure AD for Microsoft Edge on iOS and Android now supports Azure AD single sign-on and Conditional Access:

-For more information about conditional access and SSO with Microsoft Edge, see the [Microsoft Edge Mobile Support for Conditional Access and single sign-on Now Generally Available](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Microsoft-Edge-Mobile-Support-for-Conditional-Access-and-Single/ba-p/988179) blog post. For more information about how to set up your client apps using [app-based conditional access](../conditional-access/app-based-conditional-access.md) or [device-based conditional access](../conditional-access/require-managed-devices.md), see [Manage web access using a Microsoft Intune policy-protected browser](/intune/apps/app-configuration-managed-browser).

-### New My sign-ins page for end users in Azure AD

-We've added a new **My sign-ins** page (https://mysignins.microsoft.com) to let your organization's users view their recent sign-in history to check for any unusual activity. This new page allows your users to see:

-[ScheduleLook](https://schedulelook.bbsonlineservices.net/), [MS Azure SSO Access for Ethidex Compliance Office™ - single sign-on](../saas-apps/ms-azure-sso-access-for-ethidex-compliance-office-tutorial.md), [iServer Portal](../saas-apps/iserver-portal-tutorial.md), [SKYSITE](../saas-apps/skysite-tutorial.md), [Concur Travel and Expense](../saas-apps/concur-travel-and-expense-tutorial.md), [WorkBoard](../saas-apps/workboard-tutorial.md), `https://apps.yeeflow.com/`, [ARC Facilities](../saas-apps/arc-facilities-tutorial.md), [Luware Stratus Team](https://stratus.emea.luware.cloud/login), [Wide Ideas](https://wideideas.online/wideideas/), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), [JDLT Client Hub](https://clients.jdlt.co.uk/login), [RENRAKU](../saas-apps/renraku-tutorial.md), [SealPath Secure Browser](https://protection.sealpath.com/SealPathInterceptorWopiSaas/Open/InstallSealPathEditorOneDrive), [Prisma Cloud](../saas-apps/prisma-cloud-tutorial.md), `https://app.penneo.com/`, `https://app.testhtm.com/settings/email-integration`, [Cintoo Cloud](https://aec.cintoo.com/login), [Whitesource](../saas-apps/whitesource-tutorial.md), [Hosted Heritage Online SSO](../saas-apps/hosted-heritage-online-sso-tutorial.md), [IDC](../saas-apps/idc-tutorial.md), [CakeHR](../saas-apps/cakehr-tutorial.md), [BIS](../saas-apps/bis-tutorial.md), [Coo Kai Team Build](https://ms-contacts.coo-kai.jp/), [Sonarqube](../saas-apps/sonarqube-tutorial.md), [Adobe Identity Management](../saas-apps/tutorial-list.md), [Discovery Benefits SSO](../saas-apps/discovery-benefits-sso-tutorial.md), [Amelio](https://app.amelio.co/), `https://itask.yipinapp.com/`

-The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, compliance portal, Azure AD Admin Center, and the Device Management Admin Center.

-If you need additional permissions or resources supported, which you don't currently see, you can send feedback to our [Azure feedback site](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) and we'll add your request to our update road map.

-By default, all Azure AD administrators will soon be able to access modern security reports within Azure AD. Until the end of September, you will be able to use the banner at the top of the modern security reports to return to the old reports.

-The modern security reports will provide additional capabilities from the older versions, including:

-Azure AD customers can now set policies to manage FIDO2 security keys for their organization's users and groups. End users can also self-register their security keys, use the keys to sign in to their Microsoft accounts on web sites while on FIDO-capable devices, as well as sign-in to their Azure AD-joined Windows 10 devices.

-We're excited to announce that Azure AD activity logs (Audit and sign-ins reports) are now available through the Azure AD PowerShell module. Previously, you could create your own scripts using MS Graph API endpoints, and now we've extended that capability to PowerShell cmdlets.

-[SAP Fiori](../saas-apps/sap-fiori-tutorial.md), [HRworks single sign-on](../saas-apps/hrworks-single-sign-on-tutorial.md), [Percolate](../saas-apps/percolate-tutorial.md), [MobiControl](../saas-apps/mobicontrol-tutorial.md), [Citrix NetScaler](../saas-apps/citrix-netscaler-tutorial.md), [Shibumi](../saas-apps/shibumi-tutorial.md), [Benchling](../saas-apps/benchling-tutorial.md), [MileIQ](https://mileiq.onelink.me/991934284/7e980085), [PageDNA](../saas-apps/pagedna-tutorial.md), [EduBrite LMS](../saas-apps/edubrite-lms-tutorial.md), [RStudio Connect](../saas-apps/rstudio-connect-tutorial.md), [AMMS](../saas-apps/amms-tutorial.md), [Mitel Connect](../saas-apps/mitel-connect-tutorial.md), [Alibaba Cloud (Role-based SSO)](../saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md), [Certent Equity Management](../saas-apps/certent-equity-management-tutorial.md), [Sectigo Certificate Manager](../saas-apps/sectigo-certificate-manager-tutorial.md), [GreenOrbit](../saas-apps/greenorbit-tutorial.md), [Workgrid](../saas-apps/workgrid-tutorial.md), [monday.com](../saas-apps/mondaycom-tutorial.md), [SurveyMonkey Enterprise](../saas-apps/surveymonkey-enterprise-tutorial.md), [Indiggo](https://indiggolead.com/)

-[Firstbird](../saas-apps/firstbird-tutorial.md), [Folloze](../saas-apps/folloze-tutorial.md), [Talent Palette](../saas-apps/talent-palette-tutorial.md), [Infor CloudSuite](../saas-apps/infor-cloud-suite-tutorial.md), [Cisco Umbrella](../saas-apps/cisco-umbrella-tutorial.md), [Zscaler Internet Access Administrator](../saas-apps/zscaler-internet-access-administrator-tutorial.md), [Expiration Reminder](../saas-apps/expiration-reminder-tutorial.md), [InstaVR Viewer](../saas-apps/instavr-viewer-tutorial.md), [CorpTax](../saas-apps/corptax-tutorial.md), [Verb](https://app.verb.net/login), [OpenLattice](https://openlattice.com/#/), [TheOrgWiki](https://www.theorgwiki.com/signup), [Pavaso Digital Close](../saas-apps/pavaso-digital-close-tutorial.md), [GoodPractice Toolkit](../saas-apps/goodpractice-toolkit-tutorial.md), [Cloud Service PICCO](../saas-apps/cloud-service-picco-tutorial.md), [AuditBoard](../saas-apps/auditboard-tutorial.md), [Zeyna](../saas-apps/zenya-tutorial.md), [Workable](../saas-apps/workable-tutorial.md), [CallPlease](https://webapp.callplease.com/create-account/create-account.html), [GTNexus SSO System](../saas-apps/gtnexus-sso-module-tutorial.md), [CBRE ServiceInsight](../saas-apps/cbre-serviceinsight-tutorial.md), [Deskradar](../saas-apps/deskradar-tutorial.md), [Coralogixv](../saas-apps/coralogix-tutorial.md), [Signagelive](../saas-apps/signagelive-tutorial.md), [ARES for Enterprise](../saas-apps/ares-for-enterprise-tutorial.md), [K2 for Office 365](https://www.k2.com/O365), [Xledger](https://www.xledger.net/), [IDID Manager](../saas-apps/idid-manager-tutorial.md), [HighGear](../saas-apps/highgear-tutorial.md), [Visitly](../saas-apps/visitly-tutorial.md), [Korn Ferry ALP](../saas-apps/korn-ferry-alp-tutorial.md), [Acadia](../saas-apps/acadia-tutorial.md), [Adoddle cSaas Platform](../saas-apps/adoddle-csaas-platform-tutorial.md)

-### Simplified single sign-on (SSO) configuration settings for some third-party apps

-We realize that setting up single sign-on (SSO) for Software as a Service (SaaS) apps can be challenging due to the unique nature of each apps configuration. We've built a simplified configuration experience to auto-populate the SSO configuration settings for the following third-party SaaS apps:

-### New Troubleshooting and Support tab on the sign-ins Logs page of the Azure portal

-The new **Troubleshooting and Support** tab on the **sign-ins** page of the Azure portal, is intended to help admins and support engineers troubleshoot issues related to Azure AD sign-ins. This new tab provides the error code, error message, and remediation recommendations (if any) to help solve the problem. If you're unable to resolve the problem, we also give you a new way to create a support ticket using the **Copy to clipboard** experience, which populates the **Request ID** and **Date (UTC)** fields for the log file in your support ticket.

-With this update, you can now click the **Get custom extension properties** link from the dynamic user group rule builder, enter your unique app ID, and receive the full list of custom extension properties to use when creating a dynamic membership rule for users. This list can also be refreshed to get any new custom extension properties for that app.

-We've introduced new claim transformation methods, ToLower() and ToUpper(), which can be applied to SAML tokens from the SAML-based **single sign-on Configuration** page.

-To turn on this updated view, click the **Try out our new experience** link from the top of the **single sign-on** page. For more information, see [Tutorial: Configure SAML-based single sign-on for an application with Azure Active Directory](../manage-apps/view-applications-portal.md).

-### View legacy authentications through sign-ins activity logs

-With the introduction of the **Client App** field in the Sign-in activity logs, customers can now see users that are using legacy authentications. Customers will be able to access this information using the sign-ins Microsoft Graph API or through the Sign-in activity logs in Azure AD portal where you can use the **Client App** control to filter on legacy authentications. Check out the documentation for more details.

-**Current text:** Choosing to accept means that you agree to all of the above terms of use.<br>**New text:** Please click Accept to confirm that you have read and understood the terms of use.

-2. Select your app that uses the Azure AD Activity Logs API, select **Settings**, select **Required permissions**, and then select the **Microsoft Azure Active Directory** API.

-Out-of-date browsers might not support newer TLS versions, such as TLS 1.2. To see which versions of TLS are supported by your browser, go to the [Qualys SSL Labs](https://www.ssllabs.com/) site and click **Test your browser**. We recommend you upgrade to the latest version of your web browser and preferably enable only TLS 1.2.

-Software as a Service offering, like Azure Active Directory (Azure AD) are designed to work best by going directly through the Internet, without requiring ExpressRoute or any other private VPN tunnels. Because of this, on **August 1, 2018**, we will stop supporting ExpressRoute for Azure AD services using Azure public peering and Azure communities in Microsoft peering. Any services impacted by this change might notice Azure AD traffic gradually shifting from ExpressRoute to the Internet.

-Azure AD Activity logs, which, includes sign-ins and Audit logs, are now available through the Microsoft Graph API. We have exposed two end points through the Microsoft Graph API to access these logs. Check out our [documents](../reports-monitoring/concept-reporting-api.md) for programmatic access to Azure AD Reporting APIs to get started.

-Criterion HCM, [FiscalNote](../saas-apps/fiscalnote-tutorial.md), [Secret Server (on-premises)](../saas-apps/secretserver-on-premises-tutorial.md), [Dynamic Signal](../saas-apps/dynamicsignal-tutorial.md), [mindWireless](../saas-apps/mindwireless-tutorial.md), [OrgChart Now](../saas-apps/orgchartnow-tutorial.md), [Ziflow](../saas-apps/ziflow-tutorial.md), [AppNeta Performance Monitor](../saas-apps/appneta-tutorial.md), [Elium](../saas-apps/elium-tutorial.md), [Fluxx Labs](../saas-apps/fluxxlabs-tutorial.md), [Cisco Cloud](../saas-apps/ciscocloud-tutorial.md), Shelf, [SafetyNet](../saas-apps/safetynet-tutorial.md)

-For more information, see [Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso.md).

-For more information, see [Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso.md).

-For more information, see [Azure Active Directory Seamless single sign-on](../hybrid/how-to-connect-sso.md)

-As part of customers feedback to enable non-admin roles to have access to Azure AD activity logs, we have enabled the ability for users who are in the "Report Reader" role to access sign-ins and Audit activity within the Azure portal as well as using the Microsoft Graph API.

-When the terms of use are displayed, you can now click **Having trouble viewing? Click here**. Clicking this link opens the terms of use natively on your device. Regardless of the font size in the document or the screen size of device, you can zoom and read the document as needed.

-With the Azure AD Premium P1 edition, detections that are not covered by your license appear as the risk detection Sign-in with additional risk detected.

-Azure AD supports automatic sign-in field detection for applications that render an HTML user name and password field. These steps are documented in [How to automatically capture sign-in fields for an application](../manage-apps/troubleshoot-password-based-sso.md#manually-capture-sign-in-fields-for-an-app). You can find this capability by adding a *Non-Gallery* application on the **Enterprise Applications** page in the [Azure portal](https://aad.portal.azure.com). Additionally, you can configure the **Single sign-on** mode on this new application to **Password-based single sign-on**, enter a web URL, and then save the page.

-**Product capability:** Third Party Integration

-Temporary Access Pass (TAP) is now generally available. TAP can be used to securely register password-less methods such as Phone Sign-in, phishing resistant methods such as FIDO2, and even assist in Windows onboarding (AADJ and WHFB). TAP also makes recovery easier when a user has lost or forgotten their strong authentication methods and needs to sign in to register new authentication methods. For more information, see: [Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods](../authentication/howto-authentication-temporary-access-pass.md).

-**Product capability:** Third Party Integration

-We're delighted to announce a new security protection that prevents bypassing of cloud Azure AD Multi-Factor Authentication when federated with Azure AD. When enabled for a federated domain in your Azure AD tenant, it ensures that a compromised federated account can't bypass Azure AD Multi-Factor Authentication by imitating that a multi factor authentication has already been performed by the identity provider. The protection can be enabled via new security setting, [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-1.0#federatedidpmfabehavior-values&preserve-view=true).

-### General availability - More device properties supported for Dynamic Device groups

-**Product capability:** Third Party Integration

-**Product capability:** Third Party Integration

-The sign-ins Microsoft Graph API now supports confirming safe and compromised on risky sign-ins. This public preview functionality is available at the beta endpoint. For more information, please check out the Microsoft Graph documentation: [Sign in: confirmSafe - Microsoft Graph beta | Microsoft Docs](/graph/api/signin-confirmsafe?view=graph-rest-beta&preserve-view=true)

-### General availability - Entitlement management 3 stages of approval

-### Public Preview - Integration of Microsoft 365 App Certification details into Azure AD UX and Consent Experiences

-### General availability - Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels

-Use Azure AD access reviews to review access of B2B direct connect users in Teams shared channels. For more information, see: [Include B2B direct connect users and teams accessing Teams Shared Channels in access reviews](../governance/create-access-review.md#include-b2b-direct-connect-users-and-teams-accessing-teams-shared-channels-in-access-reviews).

-In April 2022, we added the following 24 new applications in our App gallery with Federation support:

-Azure AD Identity Protection is extending its core capabilities of detecting, investigating, and remediating identity-based risk to workload identities. This allows organizations to better protect their applications, service principals, and managed identities. We're also extending Conditional Access so you can block at-risk workload identities. [Learn more](../identity-protection/concept-workload-identity-risk.md)

-In February 2022, we added the following 20 new applications in our App gallery with Federation support:

-Identity Protection has added two new detections from Microsoft Defender for Cloud Apps, formerly MCAS. The Mass Access to Sensitive Files detection detects anomalous user activity, and the Unusual Addition of Credentials to an OAuth app detects suspicious service principal activity.[Learn more](../identity-protection/concept-identity-protection-risks.md)

-We have improved the Privileged Identity management (PIM) time to role activation for SharePoint Online. Now, when activating a role in PIM for SharePoint Online, you should be able to use your permissions right away in SharePoint Online. This change will roll out in stages, so you might not yet see these improvements in your organization. [Learn more](../privileged-identity-management/pim-how-to-activate-role.md)

-## January 2022

-### Public preview - Custom security attributes

-**Type:** New feature

-**Service category:** Directory Management

-**Product capability:** Directory

-

-Enables you to define business-specific attributes that you can assign to Azure AD objects. These attributes can be used to store information, categorize objects, or enforce fine-grained access control. Custom security attributes can be used with Azure attribute-based access control. [Learn more](custom-security-attributes-overview.md).

-

-### Public preview - Filter groups in tokens using a substring match

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** SSO

-

-In the past, Azure AD only permitted groups to be filtered based on whether they were assigned to an application. Now, you can also use Azure AD to filter the groups included in the token. You can filter with the substring match on the display name or onPremisesSAMAccountName attributes of the group object on the token. Only groups that the user is a member of will be included in the token. This token will be recognized whether it's on the ObjectID or the on premises SAMAccountName or security identifier (SID). This feature can be used together with the setting to include only groups assigned to the application if desired to further filter the list.[Learn more](../hybrid/how-to-connect-fed-group-claims.md)

-### General availability - Continuous Access Evaluation

-**Type:** New feature

-**Service category:** Other

-**Product capability:** Access Control

-

-With Continuous access evaluation (CAE), critical security events and policies are evaluated in real time. This includes account disable, password reset, and location change. [Learn more](../conditional-access/concept-continuous-access-evaluation.md).

-

-### General Availability - User management enhancements are now available

-**Type:** New feature

-**Service category:** User Management

-**Product capability:** User Management

-

-The Azure AD portal has been updated to make it easier to find users in the All users and Deleted users pages. Changes in the preview include:

-For more information, go to [User management enhancements (preview) in Azure Active Directory](../enterprise-users/users-search-enhanced.md).

-### General Availability - My Apps customization of default Apps view

-**Type:** New feature

-**Service category:** My Apps

-**Product capability:** End User Experiences

-Customization of the default My Apps view in now in general availability. For more information on My Apps, you can go to [Sign in and start apps from the My Apps portal](https://support.microsoft.com/en-us/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-

-### General Availability - Audited BitLocker Recovery

-**Type:** New feature

-**Service category:** Device Access Management

-**Product capability:** Device Lifecycle Management

-

-BitLocker keys are sensitive security items. Audited BitLocker recovery ensures that when BitLocker keys are read, an audit log is generated so that you can trace who accesses this information for given devices. [Learn more](../devices/device-management-azure-portal.md#view-or-copy-bitlocker-keys).

-### General Availability - Download a list of devices

-**Type:** New feature

-**Service category:** Device Registration and Management

-**Product capability:** Device Lifecycle Management

-Download a list of your organization's devices to a .csv file for easier reporting and management. [Learn more](../devices/device-management-azure-portal.md#download-devices).

-

-### New provisioning connectors in the Azure AD Application Gallery - January 2022

-**Type:** New feature

-**Service category:** App Provisioning

-**Product capability:** 3rd Party Integration

-

-You can now automate creating, updating, and deleting user accounts for these newly integrated apps:

-For more information about how to better secure your organization by using automated user account provisioning, go to [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).

-### New Federated Apps available in Azure AD Application gallery - January 2022

-**Type:** New feature

-**Service category:** Enterprise Apps

-**Product capability:** 3rd Party Integration

-In January 2022, weΓÇÖve added the following 47 new applications in our App gallery with Federation support:

-[Jooto](../saas-apps/jooto-tutorial.md), [Proprli](https://app.proprli.com/), [Pace Scheduler](https://www.pacescheduler.com/accounts/login/), [DRTrack](../saas-apps/drtrack-tutorial.md), [Dining Sidekick](../saas-apps/dining-sidekick-tutorial.md), [Cryotos](https://app.cryotos.com/oauth2/authorization/azure-client), [Emergency Management Systems](https://secure.emsystems.com.au/), [Manifestly Checklists](../saas-apps/manifestly-checklists-tutorial.md), [eLearnPOSH](../saas-apps/elearnposh-tutorial.md), [Scuba Analytics](../saas-apps/scuba-analytics-tutorial.md), [Athena Systems sign-in Platform](../saas-apps/athena-systems-login-platform-tutorial.md), [TimeTrack](../saas-apps/timetrack-tutorial.md), [MiHCM](../saas-apps/mihcm-tutorial.md), [Health Note](https://www.healthnote.com/), [Active Directory SSO for DoubleYou](../saas-apps/active-directory-sso-for-doubleyou-tutorial.md), [Emplifi platform](../saas-apps/emplifi-platform-tutorial.md), [Flexera One](../saas-apps/flexera-one-tutorial.md), [Hypothesis](https://web.hypothes.is/help/authorizing-hypothesis-from-the-azure-ad-app-gallery/), [Recurly](../saas-apps/recurly-tutorial.md), [XpressDox Administrative Unit Cloud](https://au.xpressdox.com/Authentication/Login.aspx), [Zoom for Intune](https://zoom.us/), [UPWARD AGENT](https://app.upward.jp/login/), [Linux Foundation ID](https://openprofile.dev/), [Asset Planner](../saas-apps/asset-planner-tutorial.md), [Kiho](https://v3.kiho.fi/index/sso), [chezie](https://app.chezie.co/), [Excelity HCM](../saas-apps/excelity-hcm-tutorial.md), [yuccaHR](https://app.yuccahr.com/), [Blue Ocean Brain](../saas-apps/blue-ocean-brain-tutorial.md), [EchoSpan](../saas-apps/echospan-tutorial.md), [Archie](../saas-apps/archie-tutorial.md), [Equifax Workforce Solutions](../saas-apps/equifax-workforce-solutions-tutorial.md), [Palantir Foundry](../saas-apps/palantir-foundry-tutorial.md), [ATP SpotLight and ChronicX](../saas-apps/atp-spotlight-and-chronicx-tutorial.md), [DigiSign](https://app.digisign.org/selfcare/sso), [mConnect](https://mconnect.skooler.com/), [BrightHR](https://login.brighthr.com/), [Mural Identity](../saas-apps/mural-identity-tutorial.md), [NordPass SSO](https://app.nordpass.com/login%20use%20%22Log%20in%20to%20business%22%20option), [CloudClarity](https://portal.cloudclarity.app/dashboard), [Twic](../saas-apps/twic-tutorial.md), [Eduhouse Online](https://app.eduhouse.fi/palvelu/kirjaudu/microsoft), [Bealink](../saas-apps/bealink-tutorial.md), [Time Intelligence Bot](https://teams.microsoft.com/), [SentinelOne](https://sentinelone.com/)

-You can also find the documentation of all the applications from: https://aka.ms/AppsTutorial,

-For listing your application in the Azure AD app gallery, read the details in: https://aka.ms/AzureADAppRequest

-### Azure Ad access reviews reviewer recommendations now account for non-interactive sign-in information

-**Type:** Changed feature

-**Service category:** Access Reviews

-**Product capability:** Identity Governance

-Azure AD access reviews reviewer recommendations now account for non-interactive sign-in information, improving upon original recommendations based on interactive last sign-ins only. Reviewers can now make more accurate decisions based on the last sign-in activity of the users theyΓÇÖre reviewing. To learn more about how to create access reviews, go to [Create an access review of groups and applications in Azure AD](../governance/create-access-review.md).

-

-### Risk reason for offline Azure AD Threat Intelligence risk detection

-**Type:** Changed feature

-**Service category:** Identity Protection

-**Product capability:** Identity Security & Protection

-

-The offline Azure AD Threat Intelligence risk detection can now have a risk reason that will help customers with the risk investigation. If a risk reason is available, it will show up as **Additional Info** in the risk details of that risk event. The information can be found in the Risk detections report. It will also be available through the additionalInfo property of the riskDetections API. [Learn more](../identity-protection/howto-identity-protection-investigate-risk.md).

-

-* The application relies upon user or group lists that are provided to the application by Azure AD. This fulfillment could be done through a provisioning protocol such as System for Cross-Domain Identity Management (SCIM) or by the application querying Azure AD via Microsoft Graph. Those users that are denied by a review lose their application role assignment or group membership, and when those changes are made available to the application, then the denied users will no longer have access.

-|B|If the application uses group claims in addition to application role assignments.| An application may use Azure AD group membership, distinct from application roles to express finer-grained access. Here, you can choose based on your business requirements either to have the users who have application role assignments reviewed, or to review the users who have group memberships. If the groups do not provide comprehensive access coverage, in particular if users may have access to the application even if they aren't a member of those groups, then we recommend reviewing the application role assignments, as in pattern A above.|

-|C| If the application doesn't rely solely on Azure AD for federated SSO, but does support provisioning via SCIM, or via updates to a SQL table of users or an LDAP directory. | In this pattern, you'll configure Azure AD to provision the users with application role assignments to the application's database or directory, update the application role assignments in Azure AD with a list of the users who currently have access, and then create a single access review of the application role assignments. For more information, see [Governing an application's existing users](identity-governance-applications-existing-users.md) to update the application role assignments in Azure AD.|

-1. If the application is not already listed, then check if the application is available the [application gallery](../manage-apps/overview-application-gallery.md) for applications that can be integrated for federated SSO or provisioning. If it is in the gallery, then use the [tutorials](../saas-apps/tutorial-list.md) to configure the application for federation, and if it supports provisioning, also [configure the application](../app-provisioning/configure-automatic-user-provisioning-portal.md) for provisioning.

-1. One the application is in the list of enterprise applications in your tenant, select the application from the list.

-1. Change to the **Provisioning** tab. If automatic provisioning isn't configured, then Azure AD won't have a way to notify the application when a user's access is removed if denied during the review. Provisioning might not be necessary for some integration patterns, if the application is federated and solely relies upon Azure AD as its identity provider. However, if your application integration is pattern C, and the application doesn't support federated SSO with Azure AD as its only identity provider, then you'll need to configure provisioning from Azure AD to the application. Provisioning will be necessary so that Azure AD can automatically remove the reviewed users from the application when a review completes, and this removal step can be done through a change sent from Azure AD to the application through SCIM, LDAP or SQL.

-1. If your application is integrated with pattern C, then you'll need to confirm that the users in this list are the same as those in the applications' internal data store, prior to starting the review. Azure AD does not automatically import the users or their access rights from an application, but you can [assign users to an application role via PowerShell](../manage-apps/assign-user-or-group-access-portal.md). See [Governing an application's existing users](identity-governance-applications-existing-users.md) for how to bring in users from different application data stores into Azure AD.

-1. Check the list of directory objects assigned to the roles to confirm that there are no groups assigned to the application roles. It's possible to review this application if there is a group assigned to a role; however, a user who is a member of the group assigned to the role, and whose access was denied, won't be automatically removed from the group. We recommend first converting the application to have direct user assignments, rather than members of groups, so that a user whose access is denied during the access review can have their application role assignment removed automatically.

-1. How long a user who has been denied continued access is able to continue to use a federated application will depend upon the application's own session lifetime, and on the access token lifetime. To learn more about controlling the lifetime of access tokens, see [configurable token lifetimes](../develop/active-directory-configurable-token-lifetimes.md).

-Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right people have the right access to the right resources. These and related Azure AD and Enterprise Mobility + Security features allows you to mitigate access risk by protecting, monitoring, and auditing access to critical assets -- while ensuring employee and business partner productivity.

-Historically, privileged access has been described by other vendors as a separate capability from Identity Governance. However, at Microsoft, we think governing privileged access is a key part of Identity Governance -- especially given the potential for misuse associated with those administrator rights can cause to an organization. The employees, vendors, and contractors that take on administrative rights need to be governed.

-You've now enabled the group writeback feature.

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

-# Quickstart: Delete an enterprise application

-In this quickstart, you use the Azure Active Directory Admin Center to delete an application that was added to your Azure Active Directory (Azure AD) tenant.

-It is recommended that you use a non-production environment to test the steps in this quickstart.

-To delete an enterprise application:

-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.

-## Clean up resources

-When you are done with this quickstart series, consider deleting the application to clean up your test tenant. Deleting the application was covered in this quickstart.

-Learn more about planning a single sign-on deployment.

-> [!div class="nextstepaction"]

-> [Plan single sign-on deployment](plan-sso-deployment.md)

-description: Find answers to frequently asked questions (FAQs) about recovering deleted apps and service principals.

-# Recover deleted applications in Azure Active Directory FAQs

-This page answers frequently asked questions about deleting and restoring deleted application registrations and service principals.

-## When I create applications, I'm getting Directory_QuotaExceeded error. How can I avoid this problem?

-A non-admin user can create no more than 250 Azure AD resources that include applications and service principals. Both active resources and deleted resources that are available to restore count toward this quota. Even if you delete more applications that you don't need, they'll still add count to the quota. Hence, to free up the quota, you need to [permanently delete](/graph/api/directory-deleteditems-delete?tabs=http) objects in the deleted items container. You can learn more about the service limits through [this link](/azure/azure-resource-manager/management/azure-subscription-service-limits?msclkid=6cb6cc54c68711ec93eb9539fce3cc28#active-directory-limits).

-The quota limit set for Azure AD resources is applicable when creating applications or service principals using a delegated flow such as using Azure AD app registrations or Enterprise apps portal. Creating applications using the Microsoft Graph API programmatically using application flow won't have this restriction.

-## Where can I find all the deleted applications and service principals?

-Soft-deleted application and service principal objects go into the [deleted items](/graph/api/resources/directory?tabs=http) container and remain available to restore for up to 30 days. After 30 days, they're permanently deleted, and this frees up the quota.

-You find the deleted applications by using one of the following approaches:

-

-Recently deleted application objects can be found under the **Deleted applications** tab on the App registrations blade of Azure portal.

- :::image type="content" source="media/delete-application-portal/recover-deleted-apps.png" alt-text="Screenshot shows list of deleted items.":::

-

-Recently deleted application and service principal objects can be found using the [List deletedItems](/graph/api/directory-deleteditems-list?tabs=http) API.

-Recently deleted application and service principal objects can be found using the

-[Get-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/get-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.

-## How do I restore deleted applications or service principals?

-Deleted objects can be restored using the [Restore deleted item](/graph/api/directory-deleteditems-restore?tabs=http) API.

-Deleted objects can be restored using the [Restore-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/restore-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.

-## How do I permanently delete soft deleted applications or service principals?

-Soft deleted objects can be permanently deleted by using the [Permanently delete an item from deleted items](/graph/api/directory-deleteditems-delete?tabs=http) API.

-Soft deleted objects can be permanently deleted using the [Remove-AzureADMSDeletedDirectoryObject](/powershell/module/azuread/remove-azureadmsdeleteddirectoryobject?tabs=http) cmdlet.

-## Can I configure the interval in which applications and service principals are permanently deleted by Azure AD?

-No. You canΓÇÖt configure the periodicity of hard deletion.

-## I restored a deleted application using the App registrations portal experience. I don't see the SAML SSO configurations I made to the app prior to deletion.

-The SAML SSO configurations are stored on the service principal object. When you restore an application from the App registrations UI, it recovers the app object but creates a new service principal. Hence, the SAML SSO configurations done earlier to the app are lost when restoring a deleted application using the App registrations UI.

-To correct this problem, delete the new service principal the app registrations experience created and restore the original service principal using the [Microsoft Graph API](/graph/api/directory-deleteditems-restore?tabs=http) or the [Microsoft Graph PowerShell cmdlet](/powershell/module/azuread/restore-azureadmsdeleteddirectoryobject?tabs=http).

-If you recorded the object ID of the service principal before deleting the application, use the [Restore deleted item](/graph/api/directory-deleteditems-restore?tabs=http) API to recover the service principal. Otherwise, use the [list deleted items](/graph/api/directory-deleteditems-list?tabs=http) API to fetch the deleted service principal and filter the results by the client's application ID (**appId**) property using the following syntax:

-`https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.servicePrincipal?$filter=appId eq '{appId}'`

-## Why canΓÇÖt I recover managed identities?

-[Managed identities](../managed-identities-azure-resources/overview.md) are a special type of service principals. Deleted managed identities canΓÇÖt be recovered currently.

-## I canΓÇÖt see the provisioning data from a recovered service principal. How can I recover it back?

-After recovering an SP, you may initially see the error in the following screenshot. This issue will resolve itself between 40 mins and 1 day. If you would like the provisioning job to start immediately, you can hit restart to force the provisioning service to run again. Hitting restart will trigger an initial cycle that can take time for customers with 100 K+ users or group memberships.

-

-## I recovered my application that was configured for application proxy. I canΓÇÖt see app proxy configurations after the recovery. How can I recover it back?

-App proxy configurations can't be recovered through the portal UI. Use the API to recover app proxy settings. Expect a delay of up to 24 hours as the app proxy data gets synced back.

-## I canΓÇÖt see the policies I set on the service principal object after the recovery. How can I recover them?

-Policies can't be recovered currently. When you restore a service principal, you'll have to configure the policies again.

-## Next steps

-| Azure Spring Cloud | [How to enable system-assigned managed identity for Azure Spring Cloud application](../../spring-cloud/how-to-enable-system-assigned-managed-identity.md) |

-If you use [Azure Spring Apps](../../spring-cloud/index.yml), you can connect to Azure SQL Database with a managed identity without needing to make any changes to your code.

-Read more about how to [use a managed identity to connect Azure SQL Database to an Azure Spring Apps app](../../spring-cloud/connect-managed-identity-to-azure-sql.md).

-1. Select **Groups** and then select the role-assignable group you want to manage. You can search or filter the list.

-1. If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on your organization's settings, the check box might not appear or might not be editable.

-

-For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles in Privileged Identity Management.

-| principle of least privilege access | | A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios. |

-## Extend and renew assignments

-After you set up your time-bound owner or member assignments, the first question you might ask is what happens if an assignment expires? In this new version, we provide two options for this scenario:

-Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure AD. For example, you can use these Privileged Identity Management features for Azure identity tasks with guests such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. For more information on how to invite a guest to your organization and manage their access , see [Add B2B collaboration users in the Azure AD portal](../external-identities/add-users-administrator.md).

-Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert.

-

-| **Why do I get this alert?** | Users that have been assigned privileged roles they don't need increases the chance of an attack. It is also easier for attackers to remain unnoticed in accounts that are not actively being used. |

-| **How to fix?** | Review the users in the list and remove them from privileged roles that they do not need. |

-| **Why do I get this alert?** | The current Azure AD organization does not have Azure AD Premium P2. |

-| **Why do I get this alert?** | This alert is no longer triggered based on the last password change date of for an account. This alert is for accounts in a privileged role that haven't signed in during the past *n* days, where *n* is a number of days that is configurable between 1-365 days . These accounts might be service or shared accounts that aren't being maintained and are vulnerable to attackers. |

-| **Prevention** | Ensure that accounts that are shared are rotating strong passwords when there is a change in the users that know the password. </br>Regularly review accounts with privileged roles using [access reviews](./pim-create-azure-ad-roles-and-resource-roles-review.md) and remove role assignments that are no longer needed. |

-| **Best practices** | Shared, service, and emergency access accounts that authenticate using a password and are assigned to highly privileged administrative roles such as Global administrator or Security administrator should have their passwords rotated for the following cases:<ul><li>After a security incident involving misuse or compromise of administrative access rights</li><li>After any user's privileges are changed so that they are no longer an administrator (for example, after an employee who was an administrator leaves IT or leaves the organization)</li><li>At regular intervals (for example, quarterly or yearly), even if there was no known breach or change to IT staffing</li></ul>Since multiple people have access to these accounts' credentials, the credentials should be rotated to ensure that people that have left their roles can no longer access the accounts. [Learn more about securing accounts](../roles/security-planning.md) |

-| **Why do I get this alert?** | Privileged role assignments made outside of Privileged Identity Management are not properly monitored and may indicate an active attack. |

-| **How to fix?** | Review the users in the list and remove any that do not absolutely need the Global administrator role. </br>Assign lower privileged roles to these users instead. |

-| **Trigger** | Triggered if two different criteria are met, and you can configure both of them. First, you need to reach a certain threshold of Global administrator role assignments. Second, a certain percentage of your total role assignments must be Global administrators. If you only meet one of these measurements, the alert does not appear. |

-On the **Alerts** page, select **Setting**.

-

-Customize settings on the different alerts to work with your environment and security goals.

-

-With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):

-1. Use the resource filter to find the managed resources you're looking for.

- 

-1. Select the resource that you want to manage to open the resource overview page.

- 

-1. Select **Select a role** to open the **Select a role** page.

- 

-1. Select a role you want to assign and then click **Select**.

- The **Select a member or group** pane opens.

-1. Select a member or group you want to assign to the role and then click **Select**.

- 

- 

- - **Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

- 

- 

- 

-The following is a sample HTTP request to create an eligible assignment for an Azure role.

- "startDateTime": "2020-09-09T21:31:27.91Z",

- "startDateTime": "2020-09-09T21:31:27.91Z",

- "createdOn": "2020-09-09T21:32:27.91Z",

-1. Select the resource you want to manage to open its overview page.

-1. Under **Manage**, select **Roles** to see the list of roles for Azure resources.

- 

-1. Select the role that you want to update or remove.

- 

- 

-1. Select **Update** or **Remove** to update or remove the role assignment.

-Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. When an alert is triggered, it shows up on the Alerts page.

-

-

-**Too many permanent owners assigned to a resource** | Medium | Too many users are permanently assigned to a role. | Review the users in the list and re-assign some to require activation for role use.

-**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource blade or the Azure Resource Manager API | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management.

-From the Alerts page, go to **Settings**.

-

-Customize settings on the different alerts to work with your environment and security goals.

-

-1. Select **Azure AD roles** and then select **Discovery and insights (Preview)**. Opening the page begins the discovery process to find relevant role assignments.

-Verifiable credentials are made up of two components, *rules* definitions and *display* definitions. A rules definition determines what users need to provide before they receive a verifiable credential. A display definition controls the branding of the credential and styling of the claims.

-This article explains how to modify both types of files to meet the requirements of your organization.

-## Rules definition: Requirements from the user

-The rules definition is a simple JSON document that describes important properties of verifiable credentials. In particular, it describes how claims are used to populate your verifiable credential.

-### User-input types

-The following four user-input types are currently available to be configured in the rules definition. They're used by the verifiable credential issuing service to insert claims into a verifiable credential and attest to that information with your decentralized identifier (DID).

-* **ID token**: When this option is configured, you'll need to provide an Open ID Connect configuration URI and include the claims that should be included in the verifiable credential. Users are prompted to 'Sign in' on the Authenticator app to meet this requirement and add the associated claims from their account.

-* **ID token hint**: The sample App and Tutorial use the ID token Hint. When this option is configured, the relying party app will need to provide claims that should be included in the verifiable credential in the Request Service API issuance request. Where the relying party app gets the claims from is up to the app, but it can come from the current sign-in session, from backend CRM systems or even from self asserted user input.

-* **Verifiable credentials**: The end result of an issuance flow is to produce a verifiable credential but you may also ask the user to Present a verifiable credential in order to issue one. The rules definition is able to take specific claims from the presented verifiable credential and include those claims in the newly issued verifiable credential from your organization.

-* **Self-attested claims**: When this option is selected, the user can type information directly into Authenticator. At this time, strings are the only supported input for self attested claims.

- 

-### Static claims

-Additionally, you can declare a static claim in the rules definition, but this input doesn't come from the user. The issuer defines a static claim in the rules definition, and it looks like any other claim in the verifiable credential. You add credentialSubject after vc.type and declare the attribute and the claim.

-```json

-"vc": {

- "type": [ "StaticClaimCredential" ],

- "credentialSubject": {

- "staticClaim": true,

- "anotherClaim": "Your Claim Here"

- },

- }

-}

-```

-## Input type: ID token

-To get an ID token as input, the rules definition needs to configure the well-known endpoint of the OpenID Connect (OIDC)-compatible identity system. In that system you need to register an application with the correct information from the [Issuer service communication examples](issuer-openid.md). Additionally, you need to put client_id in the rules definition and fill in a scope parameter with the correct scopes. For example, Azure Active Directory needs the email scope if you want to return an email claim in the ID token.

- {

- "attestations": {

- "idTokens": [

- {

- "mapping": [

- {

- "outputClaim": "firstName",

- "inputClaim": "given_name",

- "required": true,

- "indexed": false

- },

- {

- "outputClaim": "lastName",

- "inputClaim": "family_name",

- "required": true,

- "indexed": true

- }

- ],

- "configuration": "https://dIdPlayground.b2clogin.com/dIdPlayground.onmicrosoft.com/B2C_1_sisu/v2.0/.well-known/openid-configuration",

- "client_id": "8d5b446e-22b2-4e01-bb2e-9070f6b20c90",

- "redirect_uri": "vcclient://openid/",

- "scope": "openid profile"

- }

- ]

- "validityInterval": 2592000,

- "vc": {

- "type": ["https://schema.org/EducationalCredential", "https://schemas.ed.gov/universityDiploma2020", "https://schemas.contoso.edu/diploma2020" ]

- }

- }

-```

-For more information about properties, see [idTokenAttestation type](rules-and-display-definitions-model.md#idtokenattestation-type).

-## Input type: ID token hint

-To get an ID token hint as input, the rules definition shouldn't contain configuration for an OIDC identity system. Instead, it should have the special value `https://self-issued.me` for the configuration property. The claims mappings are the same as for the ID token type, but the difference is that the claim values need to be provided by the issuance relying party app in the Request Service API issuance request.

-```json

- {

- "attestations": {

- "idTokenHints": [

- {

- "configuration": "https://self-issued.me",

- "mapping": [

- {

- "outputClaim": "firstName",

- "inputClaim": "given_name",

- "required": true,

- "indexed": false

- },

- {

- "outputClaim": "lastName",

- "inputClaim": "family_name",

- "required": true,

- "indexed": true

- }

- ]

- }

- ]

- "validityInterval": 2592000,

- "vc": {

- "type": ["VerifiedCredentialExpert" ]

- }

-```

-For more information about properties, see [idTokenHintAttestation type](rules-and-display-definitions-model.md#idtokenhintattestation-type).

-### vc.type: Choose credential types

-All verifiable credentials must declare their *type* in their rules definition. The credential type distinguishes your verifiable credentials from credentials that are issued by other organizations, and it ensures interoperability between issuers and verifiers.

-To indicate a credential type, provide one or more credential types that the credential satisfies. Each type is represented by a unique string. Often, a URI is used to ensure global uniqueness. The URI doesn't need to be addressable. It's treated as a string.

-As an example, a diploma credential issued by Contoso University might declare the following types:

-| Type | Purpose |

-| - | - |

-| `https://schema.org/EducationalCredential` | Declares that diplomas issued by Contoso University contain attributes defined by the schema.org `EducationaCredential` object. |

-| `https://schemas.ed.gov/universityDiploma2020` | Declares that diplomas issued by Contoso University contain attributes defined by the U.S. Department of Education. |

-| `https://schemas.contoso.edu/diploma2020` | Declares that diplomas issued by Contoso University contain attributes defined by Contoso University. |

-By declaring three types of diplomas, Contoso can issue credentials that satisfy different requests from verifiers. A bank can request a set of `EducationCredential`s from a user, and the diploma can be used to satisfy the request. Or the Contoso University Alumni Association can request a credential of type `https://schemas.contoso.edu/diploma2020`, and the diploma can also satisfy the request.

-To ensure interoperability of your credentials, we recommend that you work closely with related organizations to define credential types, schemas, and URIs for use in your industry. Many industry bodies provide guidance on the structure of official documents that can be repurposed for defining the contents of verifiable credentials. You should also work closely with the verifiers of your credentials to understand how they intend to request and consume your verifiable credentials.

-## Input type: Verifiable credential

-> [!NOTE]

-> Rules definitions that ask for a verifiable credential don't use the presentation exchange format for requesting credentials. This approach will be updated when the issuing service supports the standard, Credential Manifest.

-```json

-{

- "attestations": {

- "presentations": [

- {

- "mapping": [

- {

- "outputClaim": "first_name",

- "inputClaim": "$.vc.credentialSubject.firstName ",

- "required": true,

- "indexed": false

- },

- {

- "outputClaim": "last_name",

- "inputClaim": ""$.vc.credentialSubject.lastName ",

- "required": true,

- "indexed": true

- },

- "credentialType": "VerifiedCredentialNinja",

- "contracts": [

- "https://beta.did.msidentity.com/v1.0/3c32ed40-8a10-465b-8ba4-0b1e86882668/verifiableCredential/contracts/VerifiedCredentialNinja"

- ],

- "issuers": [

- {

- "iss": "did:ion:123"

- }

- ]

- }

- ]

- },

- "validityInterval": 25920000,

- "vc": {

- "type": [

- "ProofOfNinjaNinja"

- ]

- }

-For more information about properties, see [verifiablePresentationAttestation type](rules-and-display-definitions-model.md#verifiablepresentationattestation-type).

-## Input type: Self-attested claims

-During the issuance flow, users can be asked to input some self-attested information. As of now, the only input type is 'string'.

- "selfIssued" :

- {

- "mapping": [

- {

- "outputClaim": "firstName",

- "inputClaim": "firstName",

- "required": true,

- "indexed": false

- },

- {

- "outputClaim": "lasttName",

- "inputClaim": "lastName",

- "required": true,

- "indexed": true

- }

- }

- "validityInterval": 2592001,

- "type": [ "VerifiedCredentialExpert" ]

-For more information about properties, see [selfIssuedAttestation type](rules-and-display-definitions-model.md#selfissuedattestation-type).

-## Display definition: Verifiable credentials in Microsoft Authenticator

-Verifiable credentials offer a limited set of options that can be used to reflect your brand. This article provides instructions how to customize your credentials, and best practices for designing credentials that look great after they're issued to users.

-Authenticator displays verifiable credentials that are issued to users as cards. As an administrator, you can choose card colors, icons, and text strings to match your organization's brand.

-

-Cards also contain customizable fields. You can use these fields to let users know the purpose of the card, the attributes it contains, and more.

-## Create a credential display definition

-Much like the rules definition, the display definition is a simple JSON document that describes how the Authenticator app should display the contents of your verifiable credentials.

->[!NOTE]

-> This display model is currently used only by Microsoft Authenticator.

-The display definition has the following structure:

-```json

-{

- "default": {

- "locale": "en-US",

- "card": {

- "title": "University Graduate",

- "issuedBy": "Contoso University",

- "backgroundColor": "#212121",

- "textColor": "#FFFFFF",

- "logo": {

- "uri": "https://contoso.edu/images/logo.png",

- "description": "Contoso University Logo"

- },

- "description": "This digital diploma is issued to students and alumni of Contoso University."

- },

- "consent": {

- "title": "Do you want to get your digital diploma from Contoso U?",

- "instructions": "Please log in with your Contoso U account to receive your digital diploma."

- },

- "claims": [

- {

- "claim": "vc.credentialSubject.name",

- "type": "String",

- "label": "Name"

- }

- ]

- }

-}

-```

-For more information about properties, see [displayModel type](rules-and-display-definitions-model.md#displaymodel-type).

-# Introduction to Azure Active Directory Verifiable Credentials (preview)

-> Azure Active Directory Verifiable Credentials is currently in public preview.

-But identity data has too often been exposed in security breaches. These breaches affect our social, professional, and financial lives. Microsoft believes that thereΓÇÖs a better way. Every person has a right to an identity that they own and control, one that securely stores elements of their digital identity and preserves privacy. We are building an open, trustworthy, interoperable, and standards-based Decentralized Identity (DID) solution for individuals and organizations.

-Today we use our digital identity at work, home, and across every app, service, and device we use. Our digital identity is made up of everything we say, do, and experience in our lives. Activities like purchasing tickets for an event, checking into a hotel, or even ordering lunch become part of our identity. Today our identity and information about our online activity are owned and controlled by others. In some cases, even without our knowledge.

-WeΓÇÖre committed to working closely with customers, partners, and the community to unlock the next generation of Decentralized IdentityΓÇôbased experiences. We are excited to partner with individuals and organizations making incredible contributions in this space. If the DID ecosystem is to grow, standards, technical components, and code deliverables must be open source and accessible to all.

-Decentralized Identifiers (DIDs) are different. DIDs are user-generated, self-owned, globally unique identifiers rooted in decentralized systems like ION. They possess unique characteristics, like greater assurance of immutability, censorship resistance, and tamper evasiveness. These attributes are critical for any ID system that is intended to provide self-ownership and user control.

-**1. W3C Decentralized Identifiers (DIDs)**

-**2. Decentralized system**

-**3. DID User Agent/Wallet: Microsoft Authenticator App**

-**4. Microsoft Resolver**

-**5. Azure Active Directory Verified Credentials Service**

-The scenario we use to explain how Verifiable Credentials work involves:

-Today, Alice provides a username and password to sign in WoodGroveΓÇÖs networked environment. WoodGrove is deploying a verifiable credential solution to provide a more manageable way for Alice to prove that she's an employee of WoodGrove. ProseWare accepts verifiable credentials issued by WoodGrove as proof of employment to offer corporate discounts as part of their corporate discount program.

-Alice requests WoodGrove Inc for a proof of employment verifiable credential. WoodGrove Inc attests Alice's identity and issues a signed verifiable credential that Alice can accept and store in her digital wallet application. Alice can now present this verifiable credential as a proof of employment on the ProseWare site. After a successful presentation of the credential, ProsWare offers discount to Alice and the transaction is logged in Alice's wallet application so that she can track where and to whom she's presented her proof of employment verifiable credential.

-**issuer** ΓÇô The issuer is an organization that creates an issuance solution requesting information from a user. The information is used to verify the userΓÇÖs identity. For example, WoodGrove, Inc. has an issuance solution that enables them to create and distribute verifiable credentials (VCs) to all their employees. The employee uses the Authenticator app to sign in with their username and password, which passes an ID token to the issuing service. Once WoodGrove, Inc. validates the ID token submitted, the issuance solution creates a VC that includes claims about the employee and is signed with WoodGrove, Inc. DID. The employee now has a verifiable credential that is signed by their employer, which includes the employees DID as the subject DID.

-**user** ΓÇô The user is the person or entity that is requesting a VC. For example, Alice is a new employee of WoodGrove, Inc. and was previously issued her proof of employment verifiable credential. When Alice needs to provide proof of employment in order to get a discount at ProseWare, she can grant access to the credential in her Authenticator app by signing a verifiable presentation that proves Alice is the owner of the DID. ProseWare is able to validate the credential was issued by WoodGrove, Inc.and Alice is the owner of the credential.

-**verifier** ΓÇô The verifier is a company or entity who needs to verify claims from one or more issuers they trust. For example, ProseWare trusts WoodGrove, Inc. does an adequate job of verifying their employeesΓÇÖ identity and issuing authentic and valid VCs. When Alice tries to order the equipment she needs for her job, ProseWare will use open standards such as SIOP and Presentation Exchange to request credentials from the user proving they are an employee of WoodGrove, Inc. For example, ProseWare might provide Alice a link to a website with a QR code she scans with her phone camera. This initiates the request for a specific VC, which Authenticator will analyze and give Alice the ability to approve the request to prove her employment to ProseWare. ProseWare can use the verifiable credentials service API or SDK, to verify the authenticity of the verifiable presentation. Based on the information provided by Alice they give Alice the discount. If other companies and organizations know that WoodGrove, Inc. issues VCs to their employees, they can also create a verifier solution and use the WoodGrove, Inc. verifiable credential to provide special offers reserved for WoodGrove, Inc. employees.

-Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify credentials. This article shows you how to start using the Request Service REST API.

-Refer to to the Microsoft Authentication Library (MSAL) documentation for more information on how to acquire tokens via HTTP.

- scopes: ["bbb94529-53a3-4be5-a069-7eaf2712b826/.default"],

-| Scopes | Required | Must be set to `bbb94529-53a3-4be5-a069-7eaf2712b826/.default`. |

-&scope=bbb94529-53a3-4be5-a069-7eaf2712b826/.default

- scopes: ["bbb94529-53a3-4be5-a069-7eaf2712b826/.default"],

-1. Construct an HTTP POST request to the Request Service REST API. Replace the `{tenantID}` with your tenant ID, or your tenant name.

- POST https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request

-POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecredentials/request

- "api-key": "OPTIONAL API-KEY for VERIFIER CALLBACK API"

- "issuance": {

- "type": "VerifiedCredentialExpert",

- "manifest": "https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert1",

- "pin": {

- "value": "3539",

- "length": 4

- },

- "claims": {

- "given_name": "Megan",

- "family_name": "Bowen"

- }

-POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecredentials/request

- "api-key": "OPTIONAL API-KEY for VERIFIER CALLBACK API"

- "presentation": {

- "includeReceipt": true,

- "requestedCredentials": [

- {

- "type": "VerifiedCredentialExpert",

- "purpose": "So we can see that you a veritable credentials expert",

- "acceptedIssuers": [

- "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDekxTVlFWcVl3S2JNY1Fsc0RILUZJUSIsInkiO..."

- ]

- ]

- }

-The request payload contains the [issuance](issuance-request-api.md#callback-events) and [presentation](presentation-request-api.md#callback-events) callback endpoint. The endpoint is part of your web application, and should be publicly available. Azure AD Verifiable Credentials calls your endpoint to inform your app on certain events. For example, such events might be when a user scans the QR code, uses the deep link the authenticator app, or finishes the presentation process.

-In the event where the domain associated with your company changes, you would also need to change the domain in your DID document. You can update the domain in your DID directly from the Azure AD Verifiable Credential portal

-If the trust system is ION, once the domain changes are published to ION, the domain section inside the Azure AD Verifiable Credentials service will display Published as the status and you should be able to make new changes to the domain. If the trust system is Web, the changes are public as soon as you replace the did-configuration.json file on your web server.

-As part of the process of working with verifiable credentials (VCs), you not only have to issue credentials, but sometimes you also have to revoke them. In this article we go over the **Status** property part of the VC specification and take a closer look at the revocation process, why we may want to revoke credentials and some data and privacy implications.

-> Azure Active Directory Verifiable Credentials is currently in public preview.

-## Status property in verifiable credentials specification

-Before we can understand the implications of revoking a verifiable credential, it may help to know what the **status check** is and how it works today.

-The [W3C Verifiable Credentials spec](https://www.w3.org/TR/vc-data-model/) references the **status** property in section [4.9:](https://www.w3.org/TR/vc-data-model/#status)

-"This specification defines the following **credentialStatus** property for the discovery of information about the current status of a verifiable credential, such as whether it is suspended or revoked."

-However, the W3C specification does not define a format on how **status check** should be implemented.

-"Defining the data model, formats, and protocols for status schemes are out of scope for this specification. A Verifiable Credential Extension Registry [VC-EXTENSION-REGISTRY] exists that contains available status schemes for implementers who want to implement verifiable credential status checking."

->[!NOTE]

->For now, Microsoft's status check implementation is proprietary but we are actively working with the DID community to align on a standard.

-## How does the **status** property work?

-In every Microsoft issued verifiable credential, there is an attribute called credentialStatus. It's populated with a status API that Microsoft manages on your behalf. Here is an example of what it looks like.

-```json

- "credentialStatus": {

- "id": "https://portableidentitycards.azure-api.net/v1.0/7952032d-d1f3-4c65-993f-1112dab7e191/portableIdentities/card/status",

- "type": "PortableIdentityCardServiceCredentialStatus2020"

- }

-```

-The open source Verifiable Credentials SDK handles calling the status API and providing the necessary data.

-Once the API is called and provided the right information, the API will return either a True or False. True being the verifiable credential is still active with the Issuer and False signifying the verifiable credential has been actively revoked by the Issuer.

-## Why you may want to revoke a VC?

-Each customer will have their own unique reason's for wanting to revoke a verifiable credential, but here are some of the common themes we have heard thus far.

-All verifiable credential data is not stored with Microsoft by default. Therefore, we do not have any data to reference to revoke a specific verifiable credential ID. The issuer needs to specify a specific field from the verifiable credential attribute for Microsoft to index and subsequently salt and hash.

-You can tell Microsoft which attribute of the verifiable credential you would like to index. The implication of indexing is that indexed values may be used to search your verifiable credentials for the VCs you want to revoke.

-**Example:** Alice is a Woodgrove employee. Alice left Woodgrove to work at Contoso. Jane, the IT admin for Woodgrove, searches for Alice's email in the Verifiable Credentials Revoke search query. In this example, Jane, indexed the email field of the Woodgrove verified employee credential.

-See below for an example of how the Rules file is modified to include the index.

- {

- {

- "outputClaim": "Name",

- "inputClaim": "name",

- "required": true,

- "indexed": false

- },

- {

- "outputClaim": "email",

- "inputClaim": "email",

- "required": true,

- "indexed": true

- }

- "configuration": "https://login.microsoftonline.com/tenant-id-here7/v2.0/.well-known/openid-configuration",

- "client_id": "c0d6b785-7a08-494e-8f63-c30744c3be2f",

- "redirect_uri": "vcclient://openid"

- "validityInterval": 25920000,

- "type": ["WoodgroveEmployee"]

->Only one attribute can be indexed from a rules claims mapping.

-## How do I revoke a verifiable credential

-Once an index claim has been set and verifiable credentials have been issued to your users, it's time to see how you can revoke a verifiable credential in the VC blade.

-1. Navigate to the verifiable credentials blade in Azure Active Directory.

-1. Choose the verifiable credential where you've previously set up the index claim and issued a verifiable credential to a user. =

-1. On the left-hand menu, choose **Revoke a credential**

- 

-1. Search for the index attribute of the user you want to revoke.

- 

- >[!NOTE]

- >Since we are only storing a hash of the indexed claim from the verifiable credential, only an exact match will populate the search results. We take the input as searched by the IT Admin and we use the same hashing algorithm to see if we have a hash match in our database.

-

-1. Once you've found a match, select the **Revoke** option to the right of the credential you want to revoke.

- 

-1. After successful revocation you see the status update and a green banner will appear at the top of the page.

- 

-Now whenever a relying party calls to check the status of this specific verifiable credential, Microsoft's status API, acting on behalf of the tenant, returns a 'false' response.

-Test out the functionality on your own with a test credential to get used to the flow. You can see information on how to configure your tenant to issue verifiable credentials by [reviewing our tutorials](get-started-verifiable-credentials.md).

-> Azure Active Directory Verifiable Credentials is currently in public preview.

-Opting out is a one-way operation, after you opt out your Azure Active Directory Verifiable Credentials environment will be reset. During the public preview, opting out may be required to:

-## What happens to your data when you opt out?

-When you complete opting out of the Azure Active Directory Verifiable Credentials service, the following actions will take place:

-However, when relying parties call the status API, they'll always receive back a failure message.

-## How to opt out from the Azure Active Directory Verifiable Credentials Public Preview?

-> Azure Active Directory Verifiable Credentials is currently in public preview.

-See the [Rules and display definitions reference](rules-and-display-definitions-model.md).

-See the [Rules and display definitions reference](rules-and-display-definitions-model.md).

-Learn [how to customize your verifiable credentials](credential-design.md).

-# Azure AD Verifiable Credentials architecture overview (preview)

-> Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-ItΓÇÖs important to plan your verifiable credential solution so that in addition to issuing and or validating credentials, you have a complete view of the architectural and business impacts of your solution. If you havenΓÇÖt reviewed them already, we recommend you review [Introduction to Azure Active Directory Verifiable Credentials](decentralized-identifier-overview.md) and the [FAQs](verifiable-credentials-faq.md), and then complete the [Getting Started](get-started-verifiable-credentials.md) tutorial.

-This architectural overview introduces the capabilities and components of the Azure Active Directory Verifiable Credentials service. For more detailed information on issuance and validation, see

-* In the preceding diagram, the public keys of the actorΓÇÖs DIDs are shown stored in the decentralized ledger (ION).- in the decentralized identifier document.

-By providing Alice the VC, Woodgrove is attesting that Alice is an employee. Woodgrove is a trusted VC issuer in ProsewareΓÇÖs validation solution. This trust in WoodgroveΓÇÖs issuance process allows Proseware to electronically accept the VC as proof that Alice is a Woodgrove employee and provide Alice the discount. As part of validation of the VC Alice presents, Proseware checks the validity of the VC by using the distributed ledger. In this solution:

-* Proseware doesnΓÇÖt need to expand their trust boundary to validate Alice is an employee of Woodgrove. Proseware can use the VC that Woodgrove provides instead. Because the trust boundary isnΓÇÖt expanded, managing the trust relationship is easier and Proseware can easily end the relationship by not accepting the VCs anymore.

-In decentralized identity architectures, the issuer, user, and relying party (RP) each have a role in establishing and ensuring ongoing trusted exchange of each otherΓÇÖs credentials. The public keys of the actorsΓÇÖ DIDs are resolvable in ION, which allows signature validation and therefore trust of any artifact, including a verifiable credential. Relying parties can consume verifiable credentials without establishing trust relationships with the issuer. Instead, the issuer provides the subject a credential to present as proof to relying parties. All messages between actors are signed with the actorΓÇÖs DID; DIDs from issuers and verifiers also need to own the DNS domains that generated the requests.

-For example: When VC holders need to access a resource, they must present the VC to that relying party. They do so by using a wallet application to read the RPΓÇÖs request to present a VC. As a part of reading the request, the wallet application uses the RPΓÇÖs DID to find the RPs public keys using ION, validating that the request to present the VC hasn't been tampered with. The wallet also checks that the DID is referenced in a metadata document hosted in the DNS domain of the RP, to prove domain ownership.

-1. The issuer web frontend calls the Azure AD VC Service to generate a VC issuance request.

- * DID of the issuer. This is used by the wallet app to resolve in ION to find the public keys and linked domains.

- 1. Validates that the issuance request message is signed by the issuerΓÇÖ keys found in the DID document resolved in ION. This ensures that the message hasn't been tampered with.

-1. Submits the artifacts required by the contract to the Azure AD VC Service. The Azure AD VC service returns the VC, signed with the issuerΓÇÖs DID key and the wallet securely stores the VC.

-For detailed information on how to build an issuance solution and architectural considerations, see [Plan your Azure Active Directory Verifiable Credentials issuance solution](plan-issuance-solution.md).

-1. The web frontend calls the Azure AD VC Service to generate a VC presentation request.

- * the DID of the RP, which the wallet looks up in ION.

- Then, the wallet sends a presentation response payload to the Azure AD VC Service signed by the subject. It contains:

-1. The Azure AD VC service validates the response sent by the wallet. Depending on how the original presentation request was created in step 2, this validation can include checking the status of the presented VC with the VC issuer for cases such as revocation.

-1. Upon validation, the Azure AD VC service calls back the RP with the result.

-For detailed information on how to build a validation solution and architectural considerations, see [Plan your Azure Active Directory Verifiable Credentials verification solution](plan-verification-solution.md).

- * ION enables the discovery of any actorΓÇÖs decentralized identifier (DID).

-* [Get started with Azure Active Directory Verifiable Credentials](get-started-verifiable-credentials.md)

-#Customer intent: As an administrator, I am trying to learn the process of revoking verifiable credentials that I have issued.

-Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify a credential. This article specifies the Request Service REST API for an issuance request.

-https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request

-POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecredentials/request

- "callback":ΓÇ»{

- "url":ΓÇ»"https://wwww.contoso.com/vc/callback",

- "state": "Aaaabbbb11112222",

- "headers":ΓÇ»{

- "api-key":ΓÇ»"an-api-key-can-go-here"

-      }

- },

-| Application | bbb94529-53a3-4be5-a069-7eaf2712b826/.default|

- "includeQRCode": true,

- "callback": {

- "url": "https://www.contoso.com/api/issuer/issuanceCallback",

- "state": "de19cb6b-36c1-45fe-9409-909a51292a9c",

- "headers": {

- "api-key": "OPTIONAL API-KEY for VERIFIER CALLBACK API"

- }

- },

- "authority": "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDek...",

- "registration": {

- "clientName": "Verifiable Credential Expert Sample"

- },

- "issuance": {

- "type": "VerifiedCredentialExpert",

- "manifest": "https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert",

- "pin": {

- "value": "3539",

- "length": 4

- },

- "claims": {

- "given_name": "Megan",

- "family_name": "Bowen"

- }

-| `issuance` | [RequestIssuance](#requestissuance-type)| Provides information about the issuance request. |

-|`callback`| [Callback](#callback-type)| Mandatory. Allows the developer to asynchronously get information on the flow during the verifiable credential issuance process. For example, the developer might want a call when the user has scanned the QR code or if the issuance request succeeds or fails.|

-### RequestIssuance type

-The `RequestIssuance` type provides information required for verifiable credential issuance. There are currently three input types that you can send in `RequestIssuance`. Azure AD Verifiable Credentials uses these types to insert claims into a verifiable credential, and attest to that information with the issuer's DID. The following are the three types:

-You can find detailed information about the input types in [Customizing your verifiable credential](credential-design.md).

-The `RequestIssuance` type contains the following properties:

-| `type` | string | The verifiable credential type. Should match the type as defined in the verifiable credential manifest. For example: `VerifiedCredentialExpert`. For more information, see [Create the verified credential expert card in Azure](verifiable-credentials-configure-issuer.md). |

-| `manifest` | string| The URL of the verifiable credential manifest document. For more information, see [Gather credentials and environment details to set up your sample application](verifiable-credentials-configure-issuer.md).|

-| `claims` | string| Optional. Include a collection of assertions made about the subject in the verifiable credential. For PIN code flow, it's important that you provide the user's first name and last name. For more information, see [Verifiable credential names](verifiable-credentials-configure-issuer.md#verifiable-credential-names). |

-| `pin` | [PIN](#pin-type)| Optional. A PIN number to provide extra security during issuance. For PIN code flow, this property is required. You generate a PIN code, and present it to the user in your app. The user must provide the PIN code that you generated. |

-### pin type

-### Callback type

-The Request Service REST API generates several events to the callback endpoint. Those events allow you to update the UI and continue the process after the results are returned to the application. The `Callback` type contains the following properties:

-|Property |Type |Description |

-||||

-| `url` | string| URI to the callback endpoint of your application. The URI must point to a reachable endpoint on the internet otherwise the service will throw callback URL unreadable error. Accepted formats IPv4, IPv6 or DNS resolvable hostname |

-| `state` | string| Associates with the state passed in the original payload. |

-| `headers` | string| Optional. You can include a collection of HTTP headers required by the receiving end of the POST message. The current supported header values are the `api-key` or the `Authorization` headers. Any other header will throw an invalid callback header error|

- "requestId":ΓÇ»:"799f23ea-5241-45af-99ad-cf8e5018814e",

- "url":ΓÇ»"openid://vc?request_uri=https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiablecredentials/request/178319f7-20be-4945-80fb-7d52d47ae82e",

-| `requestId`| string | An autogenerated correlation ID. The [callback](#callback-events) uses the same request, allowing you to keep track of the issuance request and its callbacks. |

-Error responses also can be returned so that the app can handle them appropriately. The following JSON shows an unauthorized error message:

-```json

-{

- "requestId": "d60b068e7fbd975896e179b99347866a",

- "date": "Wed, 29 Sep 2021 21:49:00 GMT",

- "error": {

- "code": "unauthorized",

- "message": "Failed to authenticate the request."

- }

-}

-```

-The response contains the following properties:

-|Property |Type |Description |

-||||

-| `requestId`| string | An autogenerated request ID.|

-| `date`| date| The time of the error. |

-| `error.code` | string| The return error code. |

-| `error.message`| string| The error message. |

-| `code` |string |The code returned when the request has an error. Possible values: <ul><li>`request_retrieved`: The user scanned the QR code or selected the link that starts the issuance flow.</li><li>`issuance_successful`: The issuance of the verifiable credentials was successful.</li><li>`Issuance_error`: There was an error during issuance. For details, see the `error` property.</li></ul> |

-    "requestId":"aef2133ba45886ce2c38974339ba1057",

-    "state":"Wy0ThUz1gSasAjS1"

-    "requestId":"87e1cb24-9096-409f-81cb-9e645f23a4ba",

-    "state":"f3d94e35-ca5f-4b1b-a7d7-a88caa05e322",

-| `fetch_contract_error*`| Unable to fetch the verifiable credential contract. This error usually happens when the API can't fetch the manifest you specify in the request payload [RequestIssuance object](#requestissuance-type).|

-    "requestId":"87e1cb24-9096-409f-81cb-9e645f23a4ba",

-    "state":"f3d94e35-ca5f-4b1b-a7d7-a88caa05e322",

-The Azure AD Verifiable Credential service can issue verifiable credentials by retrieving claims from an ID token generated by your organization's OpenID compliant identity provider. This article instructs you on how to set up your identity provider so Authenticator can communicate with it and retrieve the correct ID Token to pass to the issuing service.

-# Plan your Azure Active Directory Verifiable Credentials issuance solution (preview)

-> Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [**Supplemental Terms of Use for Microsoft Azure Previews**](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-ItΓÇÖs important to plan your issuance solution so that in addition to issuing credentials, you have a complete view of the architectural and business impacts of your solution. If you havenΓÇÖt done so, we recommend you view the [Azure Active Directory Verifiable Credentials architecture overview](introduction-to-verifiable-credentials-architecture.md) for foundational information.

-This article covers the technical aspects of planning for a verifiable credential issuance solution using Microsoft products to interoperate with the Identity Overlay Network (ION). The Microsoft solution for verifiable credentials follows the World Wide Web Consortium (W3C) [Verifiable Credentials Data Model 1.0](https://www.w3.org/TR/vc-data-model/) and [Decentralized Identifiers (DIDs) V1.0](https://www.w3.org/TR/did-core/) standards so can interoperate with non-Microsoft services. However, the examples in this content reflect the Microsoft solution stack for verifiable credentials.

-Out of scope for this content are topics covering supporting technologies that aren't specific to issuance solutions. For example, websites are used in a verifiable credential issuance solution but planning a website deployment isn't covered in detail.

-A prerequisite for running the Azure AD Verifiable Credentials service is that it's hosted in an Azure Active Directory (Azure AD) tenant. The Azure AD tenant provides an Identity and Access Management (IAM) control plane for the Azure resources that are part of the solution.

-Each tenant has a single instance of the Azure AD Verifiable Credentials service, and a single decentralized identifier (DID). The DID provides proof that the issuer owns the domain incorporated into the DID. The DID is used by the subject and the verifier to validate the issuer.

-The **Azure Key Vault** service stores your issuer keys, which are generated when you initiate the Azure AD Verifiable Credentials issuance service. The keys and metadata are used to execute credential management operations and provide message security.

-**Azure AD Verifiable Credentials Service** is used to store credential metadata and definitions; specifically, the rules and display definitions for your credentials.

-* Display definitions determine which claims are stored in the VC and how it's displayed in the holderΓÇÖs wallet. The display definition also includes branding and other elements. Rules definitions are limited in size to 50 KB, while display definitions are limited to 150 KB. See [How to customize your verifiable credentials](../verifiable-credentials/credential-design.md).

-* Rules are an issuer-defined model that describes the required inputs of a verifiable credential, the trusted sources of the inputs, and the mapping of input claims to output claims.

-### Azure AD Verifiable Credentials service

-

-The Azure AD Verifiable Credentials service enables you to issue and revoke VCs based on your configuration. The service:

-* Provisions the decentralized identifier (DID) and writes the DID document to ION, where it can be used by subjects and verifiers. Each issuer has a single DID per tenant.

-### ION

-As one alternative for the tenants trust system, Microsoft uses the [Identity Overlay Network (ION)](https://identity.foundation/ion/), [a Sidetree-based network](https://identity.foundation/sidetree/spec/) that uses BitcoinΓÇÖs blockchain for decentralized identifier (DID) implementation. The DID document of the issuer is stored in ION and is used to perform cryptographic signature checks by parties to the transaction. The other alternative for trust system is Web, where the DID document is hosted on the issuers webserver.

-Microsoft Authenticator is the mobile application that orchestrates the interactions between the user, the Azure AD Verifiable Credentials service, and dependencies that are described in the contract used to issue VCs. It acts as a digital wallet in which the holder of the VC stores the VC, including the private key of the subject of the VC. Authenticator is also the mechanism used to present VCs for verification.

-These services provide supporting roles that don't necessarily need to integrate with ION or Azure AD Verifiable Credentials issuance service. This layer typically includes:

-

-With Azure AD Verifiable Credentials, the most common credential use cases are:

-

-Note that common schemas are an area where standards are still emerging. One example of such an effort is the [Verifiable Credentials for Education Task Force](https://github.com/w3c-ccg/vc-ed). We encourage you to investigate and contribute to emerging standards in your organization's industry.

-### Credential Attributes

-After establishing the use case for a credential, you need to decide what attributes to include in the credential. Verifiers can read the claims in the VC presented by the users.

-* **Minimize private information**: Meet the use cases with the minimal amount of private information necessary. For example, a VC used for e-commerce websites that offers discounts to employees and alumni can be fulfilled by presenting the credential with just the first and last name claims. Additional information such as hiring date, title, department, etc. are not needed.

-* **Plan for revocability**: We recommend you define an index claim to enable mechanisms to find and revoke credentials. You are limited to defining one index claim per contract. It is important to note that values for indexed claims are not stored in the backend, only a hash of the claim value. For more information, see [Revoke a previously issued verifiable credential](../verifiable-credentials/how-to-issuer-revoke.md).

-For additional considerations on credential attributes, refer to the [Verifiable Credentials Data Model 1.0 (w3.org)](https://www.w3.org/TR/vc-data-model/) specification.

-As with any solution, you must plan for performance. The key areas to focus on are latency, throughput storage, and scalability. During initial phases of a release cycle, performance should not be a concern. However, when adoption of your issuance solution results in many verifiable credentials being issued, performance planning might become a critical part of your solution.

-* The Azure AD Verifiable Credentials issuance service is deployed in West Europe, North Europe, West US 2, and West Central US Azure regions. You do not select a region to deploy the service to.

-* To limit latency, deploy your issuance frontend website, key vault, and storage in the region listed above that is closest to where requests are expected to originate.

-* You cannot control throttling; however, we recommend you read [Azure Key Vault throttling guidance](../../key-vault/general/overview-throttling.md).

-* If you are planning a large rollout and onboarding of VCs, consider batching VC creation to ensure you do not exceed limits.

-* The issuance service is subject to Azure storage limits. In typical use cases storage should not be a concern. However, if you feel you might exceed storage limits or feel storage might be a bottleneck, review the following:

- * We recommend reading [Scalability and performance targets for Blob storage](../../storage/blobs/scalability-targets.md) as part of your planning process. Azure AD Verifiable Credentials issuance service reads rules and displays files, and results are cached by the service.

- * We also recommend you review [Performance and scalability checklist for Blob storage - Azure Storage](../../storage/blobs/storage-performance-checklist.md).

- * Calls to Azure AD Verifiable Credentials issuance service

-* Monitor Azure Key Vault and Storage using the following:

-If the rare event that the Azure AD Verifiable Credentials issuance service, Azure Key Vault, or Azure Storage services become unavailable, the entire solution will become unavailable.

-**Data residency**: The Azure AD Verifiable Credentials issuance service is deployed in a subset of Azure regions. The service is used for compute functions only. We do not store values of verifiable credentials in Microsoft systems. However, as part of the issuance process, personal data is sent and used when issuing VCs. Using the VC service should not impact data residency requirements. If, as a part of identity verification you store any personal information, that should be stored in a manner and region that meets your compliance requirements. For Azure-related guidance, visit the Microsoft Trust Center website.

-When planning for operations, it is critical you develop a schema to use for troubleshooting, reporting, and distinguishing various customers you support. Additionally, if the operations team is responsible for executing VC revocation, that process must be defined. Each step in the process should be correlated so that you can determine which log entries can be associated with each unique issuance request. For auditing, we recommend you capture each attempt of credential issuing individually. Specifically:

- * Create a dedicated Key Vault for VC issuance. Limit Azure Key Vault permissions to the Azure AD Verifiable Credentials issuance service and the issuance service frontend website service principal.

-* Enable logging of your Azure Storage account to monitor and send alert for configuration changes. More information can be found at [Monitoring Azure Blob Storage](../../storage/blobs/monitor-blob-storage.md).

-[Get started with verifiable credentials](get-started-verifiable-credentials.md)

-# Plan your Azure Active Directory Verifiable Credentials verification solution (preview)

-> Azure Active Directory Verifiable Credentials is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-MicrosoftΓÇÖs Azure Active Directory Verifiable Credentials (Azure AD VC) service enables you to trust proofs of user identity without expanding your trust boundary. With Azure AD VC, you create accounts or federate with another identity provider. By using verifiable credentials based on an open standard, a verification exchange enables applications to request credentials that aren't bound to a specific domain. This approach makes it easier to request and verify credentials at scale.

-If you havenΓÇÖt already, we suggest you review the [Azure AD Verifiable Credentials architecture overview](introduction-to-verifiable-credentials-architecture.md). You may also want to review [Plan your Azure AD Verifiable Credentials issuance solution](plan-issuance-solution.md).

-This content covers the technical aspects of planning for a verifiable credential (VC) verification solution using Microsoft products and services. The solution interfaces with the Identity Overlay Network (ION) which acts as the decentralized public key infrastructure (DPKI).

-

-### Azure AD Verifiable Credentials service

-In the context of a verifier solution, the Azure AD Verifiable Credentials service is the interface between the Microsoft components of the solution and ION. The service provisions the key set to Key Vault, provisions the decentralized identifier (DID), and writes the DID document to ION, where it can be used by subjects and issuers.

-The service requires an Azure AD tenant that provides an Identity and Access Management (IAM) control plane for the Azure resources that are part of the solution. There's a single instance of the Azure AD VC service within a tenant, and it issues a single DID document representing the verifier. If you have multiple relying parties using your verification service, they all use the same verifier DID. The verifier DID provides pointers to the public key that allows subjects and issuers to validate messages that come from the relying party.

-

-The Azure Key Vault service stores your verifier keys, which are generated when you enable the Azure AD Verifiable Credentials issuance service. The keys are used to provide message security. Each verifier has a single key set used for signing, updating, and recovering VCs. This key set is used each time you service a verification request. Microsoft key set currently uses Elliptic Curve Cryptography (ECC) [SECP256k1](https://en.bitcoin.it/wiki/Secp256k1). We're exploring other cryptographic signature schemas that will be adopted by the broader DID community.

-### Azure AD VC APIs

-

-### ION

-

-As one alternative for the tenants trust system, Microsoft uses the [Identity Overlay Network (ION)](https://identity.foundation/ion/), [a Sidetree-based network](https://identity.foundation/sidetree/spec/)that uses BitcoinΓÇÖs blockchain for decentralized identifier (DID) implementation. The DID document of the issuer is stored in ION and is used to perform cryptographic signature checks by parties to the transaction. The other alternative for trust system is Web, where the DID document is hosted on the issuers webserver.

-

-Microsoft Authenticator is the mobile application that orchestrates the interactions between the relying party, the user, the Azure AD Verifiable Credentials issuance service, and dependencies described in the contract used to issue VCs. Microsoft Authenticator acts as a digital wallet in which the holder of the VC stores the VC. It's also the mechanism used to present VCs for verification.

-

-The relying party web front end uses the Azure AD VC APIs to verify VCs by generating deep links or QR codes that are consumed by the subjectΓÇÖs wallet. Depending on the scenario, the front end can be a publicly accessible or internal website to enable end-user experiences that require verification. However, the endpoints that the wallet accesses must be publicly accessible. Specifically, it controls redirection to the wallet with specific request parameters. This is accomplished using the Microsoft-provided APIs.

-Verifiable credentials can also be used to enable faster onboarding by replacing some human interactions. VCs can be used to onboard employees, students, citizens, or others to access services. For example, rather than an employee needing to go to a central office to activate an employee badge, they can use a VC to verify their identity to activate a badge that is delivered to them remotely. Rather than a citizen receiving a code they must redeem to access governmental services, they can use a VC to prove their identity and gain access.

-

-**Onboarding portal**: A web front end that orchestrates the Azure AD VC APIs calls for VC presentation and validation, and the logic to onboard accounts.

- * If your RP is running in Azure, use Managed Identities to call Microsoft Graph; this will remove the risks of managing service principal credentials in code or configuration files. To learn more about Managed identities, go to [Managed identities for Azure resources.](../managed-identities-azure-resources/overview.md)

-

-**Relying party web frontend**: This is the web frontend of the application that is enhanced through Azure AD Verifiable Credential API calls for VC presentation and validation, based on your business requirements.

-

-**Relying party web frontend**: This is the web frontend of the application that is enhanced through Azure AD Verifiable Credential API calls for VC presentation and validation, based on your business requirements.

-

- * Define a mechanism to deprovision the user profile from the application. Due to the decentralized nature of the Azure AD Verifiable Credentials system, there is no application user provisioning lifecycle.

-As with any solution, you must plan for performance. Focus areas include latency, throughput, and scalability. During initial phases of a release cycle, performance should not be a concern. However, when adoption of your solution results in many verifiable credentials being verified, performance planning might become a critical part of your solution.

-* The Azure AD Verifiable Credentials issuance service is deployed in West Europe, North Europe, West US 2, and West Central US Azure regions. To limit latency, deploy your verification front end (website) and key vault in the region listed above that is closest to where requests are expected to originate from.

-* Azure AD Verifiable Credentials service is deployed in the West Europe, North Europe, West US 2, and West Central US Azure regions. Consider deploying your supporting web servers and supporting applications in one of those regions, specifically in the ones from which you expect most of your validation traffic to originate.

-* Only the Azure AD Verifiable Credentials service and the website service principals should have permissions to use Key Vault to sign messages with the private key.

- * [Azure AD Verifiable Credentials overview](introduction-to-verifiable-credentials-architecture.md)

- * [Plan your Azure AD Verifiable Credentials issuance solution](plan-issuance-solution.md)

- * [Introduction to Azure Active Directory Verifiable Credentials](decentralized-identifier-overview.md)

-[FAQs](verifiable-credentials-faq.md)

-#Customer intent: As an administrator, I am trying to learn the process of revoking verifiable credentials that I have issued.

-Azure Active Directory (Azure AD) Verifiable Credentials includes the Request Service REST API. This API allows you to issue and verify a credential. This article specifies the Request Service REST API for a presentation request. The presentation request asks the user to present a verifiable credential, and then verify the credential.

-Construct an HTTP POST request to the Request Service REST API. Replace the `{tenantID}` with your tenant ID or tenant name.

-https://beta.did.msidentity.com/v1.0/{tenantID}/verifiablecredentials/request

-POST https://beta.did.msidentity.com/v1.0/contoso.onmicrosoft.com/verifiablecredentials/request

- "api-key": "OPTIONAL API-KEY for VERIFIER CALLBACK API"

- "authority": "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDekxTVlFWcVl3S2JNY1Fsc0RILUZJUSIsInkiOiJiRWo5MDY...",

- "registration": {

- "clientName": "Veritable Credential Expert Verifier"

- },

- "presentation": {

- "includeReceipt": true,

- "requestedCredentials": [

- {

- "type": "VerifiedCredentialExpert",

- "purpose": "So we can see that you a veritable credentials expert",

- "acceptedIssuers": [

- "did:ion:EiCLL8lzCqlGLYTGbjwgR6SN6OkIjO6uUKyF5zM7fQZ8Jg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfOTAyZmM2NmUiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiTEdUOWk3aFYzN1dUcFhHcUg5c1VDekxTVlFWcVl3S2JNY1Fsc0RILUZJUSIsInkiO..."

- ]

- ]

- }

-| `includeQRCode` | Boolean | Determines whether a QR code is included in the response of this request. Present the QR code and ask the user to scan it. Scanning the QR code launches the authenticator app with this presentation request. Possible values are `true` (default) or `false`. When you set the value to `false`, use the return `url` property to render a deep link. |

-| `presentation` | [RequestPresentation](#requestpresentation-type)| Provides information about the verifiable credentials presentation request. |

-### RequestPresentation type

-The `RequestPresentation` type provides information required for verifiable credential presentation. `RequestPresentation` contains the following properties:

-| `includeReceipt` | Boolean | Determines whether a receipt should be included in the response of this request. Possible values are `true` or `false` (default). The receipt contains the original payload sent from the authenticator to the Verifiable Credentials service. The receipt is useful for troubleshooting, and shouldn't be set by default. In the `OpenId Connect SIOP` request, the receipt contains the ID token from the original request. |

-| `requestedCredentials` | collection| A collection of [RequestCredential](#requestcredential-type) objects.|

-### Callback type

-The Request Service REST API generates several events to the callback endpoint. Those events allow you to update the UI and continue the process after the results are returned to the application. The `Callback` type contains the following properties:

-| `url` | string| URI to the callback endpoint of your application. The URI must point to a reachable endpoint on the internet otherwise the service will throw a callback URL unreadable error. Accepted inputs IPv4, IPv6 or DNS resolvable hostname. |

-| `state` | string| Associates with the state passed in the original payload. |

-| `headers` | string| Optional. You can include a collection of HTTP headers required by the receiving end of the POST message. The current supported header values are the `api-key` or the `Authorization` headers. Any other header will throw an invalid callback header error.|

- "url": "openid://vc/?request_uri=https://beta.did.msidentity.com/v1.0/87654321-0000-0000-0000-000000000000/verifiablecredentials/request/e4ef27ca-eb8c-4b63-823b-3b95140eac11",

-| `requestId`| string | An autogenerated correlation ID. The [callback](#callback-events) uses the same request, allowing you to keep track of the presentation request and its callbacks. |

-Error responses also can be returned so that the app can handle them appropriately. The following JSON shows an unauthorized error message:

-```json

-{

- "requestId": "fb888ac646c96083de83b099b2678de0",

- "date": "Wed, 29 Sep 2021 21:49:00 GMT",

- "error": {

- "code": "unauthorized",

- "message": "Failed to authenticate the request."

- }

-}

-```

-The response contains the following properties:

-|Property |Type |Description |

-||||

-| `requestId`| string | An autogenerated request ID.|

-| `date`| date | The time of the error. |

-| `error.code` | string | The return error code. |

-| `error.message`| string | The error message. |

-| `receipt`| string | Optional. The receipt contains the original payload sent from the wallet to the Verifiable Credentials service. The receipt should be used for troubleshooting/debugging only. The format in the receipt is not fix and can change based on the wallet and version used.|

-    "requestId":"aef2133ba45886ce2c38974339ba1057",

-    "state":"Wy0ThUz1gSasAjS1"

- "requestId": "87e1cb24-9096-409f-81cb-9e645f23a4ba",

- "state": "f3d94e35-ca5f-4b1b-a7d7-a88caa05e322",

- "firstName": "John",

- "lastName": "Doe"

- "issuer": "did:ion:….."

-# Issue Azure AD Verifiable Credentials from an application (preview)

-The following diagram illustrates the Azure AD Verifiable Credentials architecture and the component you configure.

-In this step, you create the verified credential expert card by using Azure AD Verifiable Credentials. After you create the credential, your Azure AD tenant can issue it to users who initiate the process.

- ]

- },

- "validityInterval": 2592000,

- "vc": {

- "type": [

- "VerifiedCredentialExpert"

- ]

-1. Under the project root folder, open the *appsettings.json* file. This file contains information about your Azure AD Verifiable Credentials. Update the following properties with the information that you recorded in earlier steps:

- "Endpoint": "https://beta.did.msidentity.com/v1.0/{0}/verifiablecredentials/request",

- "CredentialManifest": "https://beta.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"

- cd active-directory-verifiable-credentials-dotnet/1-asp-net-core-api-idtokenhint dotnet build "AspNetCoreVerifiableCredentials.csproj" -c Debug -o .\\bin\\Debug\\netcoreapp3. dotnet run

-# Configure your tenant for Azure AD Verifiable Credentials (preview)

-Azure Active Directory (Azure AD) Verifiable Credentials safeguards your organization with an identity solution that's seamless and decentralized. The service allows you to issue and verify credentials. For issuers, Azure AD provides a service that they can customize and use to issue their own verifiable credentials. For verifiers, the service provides a free REST API that makes it easy to request and accept verifiable credentials in your apps and services.

-The following diagram illustrates the Azure AD Verifiable Credentials architecture and the component you configure.

-

-If you don't have an Azure Key Vault instance available, follow [these steps](../../key-vault/general/quick-create-portal.md) to create a key vault using the Azure portal.

-A Key Vault [access policy](../../key-vault/general/assign-access-policy.md) defines whether a specified security principal can perform operations on Key Vault secrets and keys. Set access policies in your key vault for both the Azure AD Verifiable Credentials service administrator account, and for the Request Service API principal that you created.

-To set up Azure AD Verifiable Credentials, follow these steps:

-Azure AD Verifiable Credentials Service Request needs to get access tokens to issue and verify. To get access tokens, register a web application and grant API permission for the API Verifiable Credential Request Service that you set up in the previous step.

-In this step, you grant permissions to the Verifiable Credentials Service Request Service principal.

-# Configure Azure AD Verifiable Credentials verifier (preview)

-In [Issue Azure AD Verifiable Credentials from an application (preview)](verifiable-credentials-configure-issuer.md), you learn how to issue and verify credentials by using the same Azure Active Directory (Azure AD) tenant. In this tutorial, you go over the steps needed to present and verify your first verifiable credential: a verified credential expert card.

-> - Set up Azure AD Verifiable Credentials on your Azure AD tenant

-Now that you've set up your Azure AD Verifiable Credentials service, you're going to gather some information about your environment and the verifiable credentials you set. You use these pieces of information when you set up your sample application.

-

-1. Under the project root folder, open the *appsettings.json* file. This file contains information about your credentials in Azure AD Verifiable Credentials. Update the following properties with the information that you collected during earlier steps.

- "Endpoint": "https://beta.did.msidentity.com/v1.0/{0}/verifiablecredentials/request",

- "VCServiceScope": "bbb94529-53a3-4be5-a069-7eaf2712b826/.default",

- "CredentialManifest": " https://beta.did.msidentity.com/v1.0/987654321-0000-0000-0000-000000000000/verifiableCredential/contracts/VerifiedCredentialExpert"

- cd active-directory-verifiable-credentials-dotnet/1. asp-net-core-api-idtokenhint dotnet build "asp-net-core-api-idtokenhint.csproj" -c Debug -o .\bin\Debug\netcoreapp3.1

-1. In another terminal, run the following command. This command runs the [ngrok](https://ngrok.com/) to set up a URL on 3000 and make it publicly available on the internet.

- ngrok http 3000

-Learn [how to customize your verifiable credentials](credential-design.md).

-1. See the value for Country or Region. If the value is a country or a region in Europe, your Azure AD Verifiable Credentials service will be set up in Europe.

- "https://beta.hub.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000"

- - (new) [Current supported open standards for Microsoft Entra Verified ID](verifiable-credentials-standards.md).

- - (new) [How to create verifiable credentials for ID token hint](how-to-use-quickstart.md).

- - (new) [How to create verifiable credentials for ID token](how-to-use-quickstart-idtoken.md).

- - (new) [How to create verifiable credentials for self-asserted claims](how-to-use-quickstart-selfissued.md).

- - (new) [Rules and Display definition model specification](rules-and-display-definitions-model.md).

- - (new) [Creating an Azure AD tenant for development](how-to-create-a-free-developer-account.md).

-You can now issue [verifiable credentials](decentralized-identifier-overview.md) in Azure AD. This service is useful when you need to present proof of employment, education, or any other claim. The holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed by using cryptographic keys associated with the decentralized identity that the user owns and controls.

-Advisor considers resizing virtual machines when it's possible to fit the current load on a more appropriate SKU, which costs less than the current one (we currently consider retail rates only during recommendation generation).

-This is a special type of resize recommendation, where Advisor analyzes workloads to determine eligibility to run on specialized SKUs called Burstable SKUs that allow for variable workload performance requirements and are generally cheaper than general purpose SKUs. Learn more about burstable SKUs here: [B-series burstable - Azure Virtual Machines](../virtual-machines/sizes-b-series-burstable.md).

-### Update your outdated Azure Spring Cloud SDK to the latest version

-We have identified API calls from an outdated Azure Spring Cloud SDK. We recommend upgrading to the latest version for the latest fixes, performance improvements, and new feature capabilities.

-Learn more about [Spring Cloud Service - SpringCloudUpgradeOutdatedSDK (Update your outdated Azure Spring Cloud SDK to the latest version)](../spring-cloud/index.yml).

-### Update Azure Spring Cloud API Version

-We have identified API calls from outdated Azure Spring Cloud API for resources under this subscription. We recommend switching to the latest Spring Cloud API version. You need to update your existing code to use the latest API version. Also, you need to upgrade your Azure SDK and Azure CLI to the latest version. This ensures you receive the latest features and performance improvements.

-Learn more about [Spring Cloud Service - UpgradeAzureSpringCloudAPI (Update Azure Spring Cloud API Version)](../spring-cloud/index.yml).

-### Right-size overutilized SQL Databases

-We've analyzed the DTU consumption of your SQL Database over the past 14 days and identified SQL Databases with high usage. You can improve your database performance by right-sizing to the recommended SKU based on the 95th percentile of your everyday workload

-Learn more about [SQL database - sqlRightsizePerformance (Right-size overutilized SQL Databases)](https://aka.ms/SQLDBrecommendation).

-Create an AKS cluster using the [az aks create][az-aks-create] command with the *--enable-addons monitoring* parameter to enable [Container insights][azure-monitor-containers]. The following example creates a cluster named *myAKSCluster* with one node and enables a system-assigned managed identity:

-az aks create -g myResourceGroup -n myAKSCluster --enable-managed-identity --node-count 1 --enable-addons monitoring

-Run the [az webapp deployment list-publishing-profiles](/cli/azure/webapp/deployment#az-webapp-deployment-list-publishing-profiles) command. The following example uses a [JMES path](https://jmespath.org/) to extract the FTP/S endpoints from the output.

-While App Service Environment does deploy into your virtual network, there are a few networking features that aren't available:

-* Sending SMTP traffic. Although you can still have email-triggered alerts, your app can't send outbound traffic on port 25.

-* Using Azure Network Watcher or NSG flow to monitor outbound traffic.

-When you scale an App Service plan, the needed infrastructure is added automatically. There's a time delay to scale operations while the infrastructure is being added. If you do several scale operations in sequence, the first infrastructure scale request is acted on and the others are queued. When the first scale operation finishes, the other infrastructure requests all operate together. And when the infrastructure is added, the App Service plans are assigned as appropriate. Creating a new App Service plan is itself a scale operation because it requests additional hardware.

-> [!NOTE]

-> * Only traffic configured in application or configuration routing is subject to the NSGs and UDRs that are applied to your integration subnet.

-> * When **Route All** is enabled, outbound traffic from your app is still sent from the addresses that are listed in your app properties, unless you provide routes that direct the traffic elsewhere.

-> [!NOTE]

-> * Windows containers don't support pulling custom container images over virtual network integration.

-> * Backup/restore to private storage accounts is currently not supported.

-> * Configure SSL/TLS certificates from private Key Vaults is currently not supported.

-> * App Service Logs to private storage accounts is currently not supported. We recommend using Diagnostics Logging and allowing Trusted Services for the storage account.

-Besides App Service, Azure offers other services that can be used for hosting websites and web applications. For most scenarios, App Service is the best choice. For microservice architecture, consider [Azure Spring-Cloud Service](../spring-cloud/index.yml) or [Service Fabric](https://azure.microsoft.com/documentation/services/service-fabric). If you need more control over the VMs on which your code runs, consider [Azure Virtual Machines](https://azure.microsoft.com/documentation/services/virtual-machines/). For more information about how to choose between these Azure services, see [Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison](/azure/architecture/guide/technology-choices/compute-decision-tree).

-## Receipt and business card models

-Pre-Built Receipt and Business Cards support all English receipts and business cards with the following locales:

-## ID documents

-Azure [Confidential VM](../confidential-computing/confidential-vm-overview.md) (CVM) is based on [AMD processors with SEV-SNP technology](../confidential-computing/virtual-machine-solutions-amd.md) and aims to improve VM security posture by removing trust in host, hypervisor and Cloud Service Provider (CSP). To achieve this, CVM offers VM OS disk encryption option with platform-managed keys and binds the disk encryption keys to the virtual machine's TPM. When a CVM boots up, SNP report containing the guest VM firmware measurements will be sent to Azure Attestation. The service validates the measurements and issues an attestation token that is used to release keys from [Managed-HSM](../key-vault/managed-hsm/overview.md) or [Azure Key Vault](../key-vault/general/basic-concepts.md). These keys are used to decrypt the vTPM state of the guest VM, unlock the OS disk and start the CVM. The attestation and key release process is performed automatically on each CVM boot, and the process ensures the CVM boots up only upon successful attestation of the hardware.

-Architecting cross-regional replication for your services and data can be decided on a per-service basis. You'll necessarily take a cost-benefit analysis approach based on your organization's strategic and business requirements. Primary and ripple benefits of cost-region replication are complex, extensive, and deserve elaboration. These benefits include:

-This article provides information on troubleshooting and resolving issues that may occur while attempting to configure the Azure Connected Machine agent for Windows or Linux. Both the interactive and at-scale installation methods when configuring connection to the service are included. For general information, see [Azure Arc-enabled servers overview](./overview.md).

-If you receive an error when configuring the Azure Arc-enabled servers agent, the following table can help you identify the probable cause and suggested steps to resolve your problem. You will need the `AZCM0000` ("0000" can be any 4 digit number) error code printed to the console or script output to proceed.

-| AZCM0015 | The correlation ID specified is not a valid GUID | Provide a valid GUID for `--correlation-id` |

-| AZCM0061 | Unable to reach the agent service | Verify you are running the command in an elevated user context (administrator/root) and that the HIMDS service is running on your server. |

-| AZCM0063 | An error occurred while disconnecting the server | Review other error codes in the output for more specific information. If you continue to encounter this error, you can delete the resource in Azure and then run `azcmagent disconnect --force-local-only` on the server to disconnect the agent. |

-The public IP address assigned to your cache can change as a result of a scale operation or backend improvement. We recommend relying on the hostname, in the form `<cachename>.redis.cache.windows.net`, instead of an explicit public IP address.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-Fluid clients require a centralized service that all connected clients use to send and receive operations. When using Fluid in an application you must use the correct package that corresponds to the underlying service you are connecting to.

-For the Azure Fluid Relay service this package is **@fluidframework/azure-client**. This package helps create and load Fluid containers hosted on Azure via Azure Fluid Relay.

-Creating new containers is a client-driven action and container lifetimes are bound to the data stored on the supporting server. When getting existing containers it's important to consider the previous state of the container.

-For more about containers see [Containers](https://fluidframework.com/docs/build/containers/) on fluidframework.com.

-For more information see [Data modeling](https://fluidframework.com/docs/build/data-modeling/) on fluidframework.com.

-For more information see [Packages](https://fluidframework.com/docs/build/packages/) on fluidframework.com.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-Encryption-at-rest is enabled by default. There is no additional cost.

-Microsoft has a set of internal guidelines for encryption key rotation which Azure Fluid Relay follows. The specific guidelines are not published. Microsoft does publish the [Security Development Lifecycle (SDL)](https://www.microsoft.com/sdl/default.aspx), which is seen as a subset of internal guidance and has useful best practices for developers.

-Yes. For more information, refer to [Customer-managed keys for Azure Fluid Relay encryption](../concepts/customer-managed-keys.md).

-A: There is no impact or changes to performance with encryption at rest enabled.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-You have control of the Azure region where container data is stored. During the provisioning of the Azure Fluid Relay resource, you can select the region where you want that data to be stored at-rest. All containers created in that Azure Fluid Relay resource will be stored in that region. Once selected, the region cannot be changed. You will need to create a new Azure Fluid Relay resource in another region to store data in a different region.

-To deliver a highly available service, the container data is replicated to another region. This helps in the cases where disaster recovery is needed in face of a full regional outage. Internally, Azure Fluid Relay uses Azure Blob Storage cross-region replication to achieve that. The region where data is replicated is defined by the Azure regional pairs listed on the [Cross-region replication in Azure](../../availability-zones/cross-region-replication-azure.md#azure-cross-region-replication-pairings-for-all-geographies) page.

-For regions that have the cross-region replication done outside of the geography (like Brazil South), Azure Fluid Relay provides a single region offering. You can select between the cross-region replication or this single region offering during the provisioning of the Azure Fluid Relay resource. Note that if you select the single region offering, you do not get the benefits of recovery from regional outage. Your application will experience downtime for the entire time the region is down.

-For the single region offering, in-transit data is scoped to the region selected. This may result in higher latencies distributing changes in DDSes to your end users if they are not close to that region.

-If the Fluid container is required for the duration of the collaborative session only, you can delete the container from the Azure Fluid Relay service. This helps you control the storage cost of your Azure Fluid Relay resource.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-Each Azure Fluid Relay resource you create is assigned a **tenant ID** and its own unique **tenant secret key**. The secret key is a **shared secret**. Your app/service knows it, and the Azure Fluid Relay service knows it. TokenProviders must know the secret key to sign requests, but the secret key cannot be included in client code.

-[Azure Functions](../../azure-functions/functions-overview.md) are a fast way to create such an HTTPS endpoint. The example below implements that pattern in a class called **AzureFunctionTokenProvider**. It accepts the URL to your Azure Function, `userId` and`userName`. This specific implementation is also provided for you as an export from the `@fluidframework/azure-client` package.

-The `generateToken` function, found in the `@fluidframework/azure-service-utils` package, generates a token for the given user that is signed using the tenant's secret key. This method enables the token to be returned to the client without exposing the secret. Instead, the token is generated server-side using the secret to provide scoped access to the given document. The example ITokenProvider below makes HTTP requests to this Azure Function to retrieve tokens.

-Azure Functions can be deployed in several ways. See the **Deploy** section of the [Azure Functions documentation](../../azure-functions/functions-continuous-deployment.md) for more information about deploying Azure Functions.

-TokenProviders can be implemented in many ways, but must implement two separate API calls: `fetchOrdererToken` and `fetchStorageToken`. These APIs are responsible for fetching tokens for the Fluid orderer and storage services respectively. Both functions return `TokenResponse` objects representing the token value. The Fluid Framework runtime calls these two APIs as needed to retrieve tokens. Note that while your application code is using only one service endpoint to establish conectivity with the Azure Fluid Relay service, the azure-client internally in conjunction with the service translate that one endpoint to an orderer and storage endpoint pair. Those two endpoints are used from that point on for that session. That is why you need to implement the two separate functions for fetching tokens, one for each.

-To ensure that the tenant secret key is kept secure, it is stored in a secure backend location and is only accessible from within the Azure Function. To retrieve tokens, you need to make a `GET` or `POST` request to your deployed Azure Function, providing the `tenantID` and `documentId`, and `userID`/`userName`. The Azure Function is responsible for the mapping between the tenant ID and a tenant key secret to appropriately generate and sign the token.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-To connect to an Azure Fluid Relay instance you first need to create an `AzureClient`. You must provide some configuration parameters including the the tenant ID, orderer and storage URLs, and a token provider to generate the JSON Web Token (JWT) that will be used to authorize the current user against the service. The `@fluidframework/test-client-utils` package provides an `InsecureTokenProvider` that can be used for development purposes.

-The [AzureFunctionTokenProvider](https://github.com/microsoft/FluidFramework/blob/main/azure/packages/azure-client/src/AzureFunctionTokenProvider.ts) is an implementation of `ITokenProvider` which ensures your tenant key secret is not exposed in your client-side bundle code. The `AzureFunctionTokenProvider` takes in your Azure Function URL appended by `/api/GetAzureToken` along with the current user object. Later on, it makes a `GET` request to your Azure Function by passing in the tenantId, documentId and userId/userName as optional parameters.

-The `container.attach()` call is when the container actually becomes connected to the service and is recorded in its blob storage. It returns an `id` which is the unique identifier to this container instance.

-The `container` contains the Fluid data model and is service-agnostic. Any code you write against this container object returned by the `AzureClient` is reusable with the client for another service. An example of this is if you prototyped your scenario using `TinyliciousClient`, then all of your code interacting with the shared objects within the Fluid container can be reused when moving to using `AzureClient`.

-A sample `AzureMember` object looks like the following:

-Alongside the user ID, name and additional details, `AzureMember` objects also hold an array of `connections`. If the user is logged into the session with only one client, `connections` will only have one value in it with the ID of the client and if is in read/write mode. However, if the same user is logged in from multiple clients (i.e. they are logged in from different devices or have multiple browser tabs open with the same container), `connections` here will hold multiple values for each client. In the example data above, we can see that a user with name "Test User" and ID "0e662aca-9d7d-4ff0-8faf-9f8672b70f15" currently has the container open from two different clients. The values in the `additionalDetails` field match up to the values provided in the `AzureFunctionTokenProvider` token generation.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-**apiVersion**: API Version of resource provider. Minimum supported version is **2021-08-30-preview**.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-This example uses the **InsecureTokenProvider** to generate and sign authentication tokens that the Azure Fluid Relay service will accept. However, as the name implies, this is insecure and should not be used in production environments. For more information about InsecureTokenProvider, refer to [Authentication and authorization in your app](https://fluidframework.com/docs/build/auth/#the-token-provider).

-To run locally, you first configure the orderer and storage URLs to point to the domain and port that the local Azure Fluid Relay service instance is running at (http://localhost:7070 by default). The final step is to set the `tenantId` to `LOCAL_MODE_TENANT_ID`. All of these settings together configure AzureClient to work with a local Azure Fluid Relay service.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

- > During the public preview, the only West US 2, West Europe, and SoutheastAsia regions are supported

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-When creating a document in Azure Fluid Relay, the JWT provided by the `ITokenProvider` for the creation request can only be used once. After creating a document, the client must generate a new JWT that contains the document ID provided by the service at creation time. If an application has an authorization service that manages document access control, it will need to know who created a document with a given ID in order to authorize the generation of a new JWT for access to that document.

-The `documentPostCreateCallback()` receives 2 parameters: 1) the ID of the document that was created and 2) a JWT signed by the service with no permission scopes. The authorization service can verify the given JWT and use the information in the JWT to grant the correct user permissions for the newly created document.

-This example implementation below extends the [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider/) and uses the [axios](https://www.npmjs.com/package/axios) library to make a simple HTTP request to the Azure Function used for generating tokens.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-## Getting to version 1.0

-The core technology powering Fluid Framework is mature and stable. However, the layers built on top of that foundation are still a work in progress. Over the coming months we will be evolving APIs, adding new features, and working to further simplify using the framework. These changes are driven by Microsoft's use of Fluid internally and by requirements we are gathering from developers currently building on Fluid.

-Fluid Framework is not ready to power production-quality solutions yet. But we are excited to open source it now to give developers an opportunity to explore, learn, and contribute both through feedback and through direct participation.

-> [!NOTE]

-> This preview version is provided without a service-level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-In this quickstart, we'll walk through through the process of creating a dice roller app that uses the Azure Fluid Relay service. The quickstart is broken into two parts. In part one, we'll create the app itself and run it against a local Fluid server. In part two, we'll reconfigure the app to run against the Azure Fluid Relay service instead of the local dev server.

- | Select a version | Azure Functions v3 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |

- - For Azure Functions 3.x, Core Tools **v3.0.4585** or newer is required.

- | Select a version | Azure Functions v3 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |

- | Select a version | Azure Functions v3 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |

- | Select a version | Azure Functions v3 | You only see this option when the Core Tools aren't already installed. In this case, Core Tools are installed the first time you run the app. |

-For Windows function apps, target the version in Azure by setting the `WEBSITE_NODE_DEFAULT_VERSION` [app setting](functions-how-to-use-azure-function-app-settings.md#settings) to a supported LTS version, such as `~14`.

-The following steps use a Windows installer (MSI) to install Core Tools v4.x. For more information about other package-based installers, see the [Core Tools readme](https://github.com/Azure/azure-functions-core-tools/blob/master/README.md#windows).

-| [Spring Cloud](../../spring-cloud/index.yml) | &#x2705; | &#x2705; |

-[Homomorphic encryption](https://www.microsoft.com/research/project/homomorphic-encryption/) refers to a special type of encryption technology that allows for computations to be performed on encrypted data, without requiring access to a key needed to decrypt the data. The results of the computation are encrypted and can be revealed only by the owner of the encryption key. In this manner, only the encrypted data are processed in the cloud and only you can reveal the results of the computation.

- - If you are developing a Cloud Service with Azure SDK 2.8 and later, this instrumentation key is automatically populated. The value is based on the **APPINSIGHTS_INSTRUMENTATIONKEY** service configuration setting when packaging the Cloud Service project. See [Use Application Insights with Cloud Services](../app/cloudservices.md).

-* Learn how to [view your Azure diagnostics information](../app/cloudservices.md) in Application Insights.

-Added the sinks element and the ability to send diagnostics data to [Application Insights](../app/cloudservices.md) making it easier to diagnose issues across your application as well as the system and infrastructure level.

-| Azure Cloud Service | Add [startup task to install StatusMonitor](../../azure-monitor/app/cloudservices.md#set-up-status-monitor-to-collect-full-sql-queries-optional) <br> Your app should be onboarded to ApplicationInsights SDK at build time by installing NuGet packages for [ASP.NET](./asp-net.md) or [ASP.NET Core applications](./asp-net-core.md) |

-description: Monitor your web and worker roles effectively with Application Insights

-# Application Insights for Azure cloud services

-[Application Insights][start] can monitor [Azure cloud service apps](https://azure.microsoft.com/services/cloud-services/) for availability, performance, failures, and usage by combining data from Application Insights SDKs with [Azure Diagnostics](../agents/diagnostics-extension-overview.md) data from your cloud services. With the feedback you get about the performance and effectiveness of your app in the wild, you can make informed choices about the direction of the design in each development lifecycle.

-

-## Prerequisites

-Before you begin, you need:

-* An [Azure](https://azure.com) subscription.

- [Sign in](https://azure.microsoft.com/auth/signin) with your Microsoft account for Windows, Xbox Live, or other Microsoft cloud services.

-* Microsoft Azure tools 2.9 or later.

-* Developer Analytics Tools 7.10 or later.

-## Get started quickly

-The quickest and easiest way to monitor your cloud service with Application Insights is to choose that option when you publish your service to Azure.

-

-This option instruments your app at runtime, giving you all the telemetry that you need to monitor requests, exceptions, and dependencies in your web role. It also monitors performance counters from your worker roles. Any diagnostics traces generated by your app are also sent to Application Insights.

-If this option is all you need, you're done.

-Your next steps are [viewing metrics from your app](../essentials/metrics-charts.md) and [querying your data with Analytics](../logs/log-query-overview.md).

-To monitor performance in the browser, you might also want to set up [availability tests](./monitor-web-app-availability.md) and [add code to your webpages](./javascript.md).

-The next sections discuss the following additional options:

-* Send data from various components and build configurations to separate resources.

-* Add custom telemetry from your app.

-## Sample app instrumented with Application Insights

-In this [sample app](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService), Application Insights is added to a cloud service with two worker roles hosted in Azure.

-In the next section, you learn how to adapt your own cloud service project in the same way.

-## Plan resources and resource groups

-The telemetry from your app is stored, analyzed, and displayed in an Azure resource of type Application Insights.

-Each resource belongs to a resource group. Resource groups are used to manage costs, to grant access to team members, and to deploy updates in a single coordinated transaction. For example, you could [write a script to deploy](../../azure-resource-manager/templates/deploy-powershell.md) an Azure cloud service and its Application Insights monitoring resources all in one operation.

-### Resources for components

-We recommend that you [add a dimension property to each telemetry item](./api-filtering-sampling.md#addmodify-properties-itelemetryinitializer) that identifies its source role. In this approach, metric charts, such as exceptions, normally show an aggregation of the counts from the various roles, but you can segment the chart by the role identifier, as necessary. You can also filter searches by the same dimension. This alternative makes it a bit easier to view everything at the same time, but it could also lead to some confusion between the roles.

-Browser telemetry is usually included in the same resource as its server-side web role.

-Put the Application Insights resources for the various components in one resource group. This approach makes it easy to manage them together.

-### Separate development, test, and production

-If you are developing custom events for your next feature while the previous version is live, you want to send the development telemetry to a separate Application Insights resource. Otherwise, it can be hard to find your test telemetry among all the traffic from the live site.

-To avoid this situation, create separate resources for each build configuration or "stamp" (development, test, production, and so on) of your system. Put the resources for each build configuration in a separate resource group.

-To send the telemetry to the appropriate resources, you can set up the Application Insights SDK so that it picks up a different instrumentation key, depending on the build configuration.

-Learn how to [dynamically set the instrumentation key](./separate-resources.md#dynamic-ikey) for different stages.

-## Create an Application Insights resource for each role

-If you've decided to create a separate resource for each role, and perhaps a separate set for each build configuration, it's easiest to create them all in the Application Insights portal. If you create resources a lot, you can [automate the process](./powershell.md).

-1. In the [Azure portal][portal], select **New** > **Developer Services** > **Application Insights**.

- 

-1. In the **Application Type** drop-down list, select **ASP.NET web application**.

-Each resource is identified by an instrumentation key. You might need this key later if you want to manually configure or verify the configuration of the SDK.

-## Set up Azure Diagnostics for each role

-Set this option to monitor your app with Application Insights. For web roles, this option provides performance monitoring, alerts, diagnostics, and usage analysis. For other roles, you can search and monitor Azure Diagnostics such as restart, performance counters, and calls to System.Diagnostics.Trace.

-1. In Visual Studio Solution Explorer, under **\<YourCloudService>** > **Roles**, open the properties of each role.

-1. In **Configuration**, select the **Send diagnostics data to Application Insights** check box, and then select the Application Insights resource that you created earlier.

-If you have decided to use a separate Application Insights resource for each build configuration, select the configuration first.

-

-This has the effect of inserting your Application Insights instrumentation keys into the files named *ServiceConfiguration.\*.cscfg*. Here is the [Sample code](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/AzureEmailService/ServiceConfiguration.Cloud.cscfg).

-If you want to vary the level of diagnostics information that's sent to Application Insights, you can do so [by editing the *.cscfg* files directly](../agents/diagnostics-extension-to-application-insights.md).

-## <a name="sdk"></a>Install the SDK in each project

-With this option, you can add custom business telemetry to any role. The option provides a closer analysis of how your app is used and performs.

-In Visual Studio, configure the Application Insights SDK for each cloud app project.

-1. To configure **web roles**, right-click the project, and then select **Configure Application Insights** or **Add > Application Insights telemetry**.

-1. To configure **worker roles**:

- a. Right-click the project, and then select **Manage NuGet Packages**.

- b. Add [Application Insights for Windows Servers](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WindowsServer/).

-1. To configure the SDK to send data to the Application Insights resource:

- a. In a suitable startup function, set the instrumentation key from the configuration setting in the *.cscfg* file:

-

- ```csharp

- TelemetryConfiguration configuration = TelemetryConfiguration.CreateDefault();

- configuration.InstrumentationKey = RoleEnvironment.GetConfigurationSettingValue("APPINSIGHTS_INSTRUMENTATIONKEY");

- var telemetryClient = new TelemetryClient(configuration);

- ```

-

- b. Repeat "step a" for each role in your app. See the examples:

-

- * [Web role](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/Global.asax.cs#L27)

- * [Worker role](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/WorkerRoleA.cs#L232)

- * [For webpages](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/Views/Shared/_Layout.cshtml#L13)

-1. Set the *ApplicationInsights.config* file to be copied always to the output directory.

- A message in the *.config* file asks you to place the instrumentation key there. However, for cloud apps, it's better to set it from the *.cscfg* file. This approach ensures that the role is correctly identified in the portal.

-## Set up Status Monitor to collect full SQL Queries (optional)

-This step is only needed if you want to capture full SQL queries on .NET Framework.

-1. In `\*.csdef` file Add [startup task](../../cloud-services/cloud-services-startup-tasks.md) for each role similar to

- ```xml

- <Startup>

- <Task commandLine="AppInsightsAgent\InstallAgent.bat" executionContext="elevated" taskType="simple">

- <Environment>

- <Variable name="ApplicationInsightsAgent.DownloadLink" value="http://go.microsoft.com/fwlink/?LinkID=522371" />

- <Variable name="RoleEnvironment.IsEmulated">

- <RoleInstanceValue xpath="/RoleEnvironment/Deployment/@emulated" />

- </Variable>

- </Environment>

- </Task>

- </Startup>

- ```

-

-2. Download [InstallAgent.bat](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/AppInsightsAgent/InstallAgent.bat) and [InstallAgent.ps1](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/AppInsightsAgent/InstallAgent.ps1), put them into the `AppInsightsAgent` folder on each role project. Make sure to copy them to the output directory through Visual Studio file properties or build scripts.

-3. On all Worker Roles, add environment variables:

- ```xml

- <Environment>

- <Variable name="COR_ENABLE_PROFILING" value="1" />

- <Variable name="COR_PROFILER" value="{324F817A-7420-4E6D-B3C1-143FBED6D855}" />

- <Variable name="MicrosoftInstrumentationEngine_Host" value="{CA487940-57D2-10BF-11B2-A3AD5A13CBC0}" />

- </Environment>

- ```

-

-## Run and publish the app

-1. Run your app, and sign in to Azure.

-1. Open the Application Insights resources that you created.

- Individual data points are displayed in [Search][diagnostic], and aggregated data is displayed in [Metric Explorer](../essentials/metrics-charts.md).

-1. Add more telemetry (see the next sections) and then publish your app to get live diagnostics and usage feedback.

-If there is no data, do the following:

-1. To view individual events, open the [Search][diagnostic] tile.

-1. In the app, open various pages so that it generates some telemetry.

-1. Wait a few seconds, and then click **Refresh**.

-## View Azure Diagnostics events

-You can find the [Azure Diagnostics](../agents/diagnostics-extension-overview.md) information in Application Insights in the following locations:

-* Performance counters are displayed as custom metrics.

-* Windows event logs are shown as traces and custom events.

-* Application logs, ETW logs, and any diagnostics infrastructure logs appear as traces.

-To view performance counters and counts of events, open [Metrics Explorer](../essentials/metrics-charts.md) and add the following chart:

-

-To search across the various trace logs that are sent by Azure Diagnostics, use [Search](./diagnostic-search.md) or an [Analytics query](../logs/log-analytics-tutorial.md). For example, suppose you have an unhandled exception that has caused a role to crash and recycle. That information would show up in the Application channel of Windows Event Log. You can use Search to view the Windows Event Log error and get the full stack trace for the exception. Doing so helps you find the root cause of the issue.

-

-## More telemetry

-The next sections discuss how to get additional telemetry from various aspects of your app.

-## Track requests from worker roles

-In web roles, the requests module automatically collects data about HTTP requests. For examples of how you can override the default collection behavior, see the [sample MVCWebRole](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService/MvcWebRole).

-You can capture the performance of calls to worker roles by tracking them in the same way as HTTP requests. In Application Insights, the Request telemetry type measures a unit of named server-side work that can be timed and can independently succeed or fail. Although HTTP requests are captured automatically by the SDK, you can insert your own code to track requests to worker roles.

-See the two sample worker roles instrumented to report requests:

-* [WorkerRoleA](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService/WorkerRoleA)

-* [WorkerRoleB](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService/WorkerRoleB)

-## Exceptions

-For information about how to collect unhandled exceptions from various web app types, see [Monitoring exceptions in Application Insights](./asp-net-exceptions.md).

-The sample web role has MVC5 and Web API 2 controllers. The unhandled exceptions from the two are captured with the following handlers:

-* [AiHandleErrorAttribute](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/Telemetry/AiHandleErrorAttribute.cs) set up for MVC5 controllers [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/App_Start/FilterConfig.cs#L12)

-* [AiWebApiExceptionLogger](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/Telemetry/AiWebApiExceptionLogger.cs) set up for Web API 2 controllers [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/MvcWebRole/App_Start/WebApiConfig.cs#L25)

-For worker roles, you can track exceptions in two ways:

-* Use TrackException(ex).

-* If you have added the Application Insights trace listener NuGet package, you can use System.Diagnostics.Trace to log exceptions [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/WorkerRoleA.cs#L107).

-## Performance counters

-The following counters are collected by default:

-* \Process(??APP_WIN32_PROC??)\% Processor Time

-* \Memory\Available Bytes

-* \.NET CLR Exceptions(??APP_CLR_PROC??)\# of Exceps Thrown / sec

-* \Process(??APP_WIN32_PROC??)\Private Bytes

-* \Process(??APP_WIN32_PROC??)\IO Data Bytes/sec

-* \Processor(_Total)\% Processor Time

-For web roles, these counters are also collected:

-* \ASP.NET Applications(??APP_W3SVC_PROC??)\Requests/Sec

-* \ASP.NET Applications(??APP_W3SVC_PROC??)\Request Execution Time

-* \ASP.NET Applications(??APP_W3SVC_PROC??)\Requests In Application Queue

-You can specify additional custom or other Windows performance counters by editing *ApplicationInsights.config* [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/ApplicationInsights.config#L14).

- 

-## Correlated telemetry for worker roles

-For a rich diagnostics experience, you can view what led to a failed or high latency request. With web roles, the SDK automatically sets up a correlation between related telemetry.

-To achieve this view for worker roles, you can use a custom telemetry initializer to set a common Operation.Id context attribute for all the telemetry. Doing so lets you view at a glance whether the latency or failure issue was caused by a dependency or your code.

-Here's how:

-* Set the correlationId into a CallContext [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/WorkerRoleA.cs#L36). In this case, we are using the Request ID as the correlationId.

-* Add a custom TelemetryInitializer implementation, to set the Operation.Id to the correlationId that was set previously. For an example, see [ItemCorrelationTelemetryInitializer](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/Telemetry/ItemCorrelationTelemetryInitializer.cs#L13).

-* Add the custom telemetry initializer. You could do so in the *ApplicationInsights.config* file or in code [as shown in this example](https://github.com/MohanGsk/ApplicationInsights-Home/blob/master/Samples/AzureEmailService/WorkerRoleA/WorkerRoleA.cs#L233).

-## Client telemetry

-To get browser-based telemetry, such as page view counts, page load times, or script exceptions, and to write custom telemetry in your page scripts, see [Add the JavaScript SDK to your webpages][client].

-## Availability tests

-To make sure your app stays live and responsive, [Set up web tests][availability].

-## Display everything together

-For an overall picture of your system, you can display the key monitoring charts together on one [dashboard](./overview-dashboard.md). For example, you could pin the request and failure counts of each role.

-If your system uses other Azure services, such as Stream Analytics, include their monitoring charts as well.

-If you have a client mobile app, use [App Center](../app/mobile-center-quickstart.md). Create queries in [Analytics](../logs/log-query-overview.md) to display the event counts, and pin them to the dashboard.

-## Example

-[The example](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService) monitors a service that has a web role and two worker roles.

-## Exception "method not found" on running in Azure cloud services

-Did you build for .NET [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core)? Earlier versions aren't automatically supported in Azure cloud services roles. [Install .NET LTS on each role](../../cloud-services/cloud-services-dotnet-install-dotnet.md) before running your app.

-## Next steps

-* [Configure sending Azure Diagnostics to Application Insights](../agents/diagnostics-extension-to-application-insights.md)

-* [Automatically create Application Insights resources](./powershell.md)

-* [Automate Azure Diagnostics](./powershell-azure-diagnostics.md)

-* [Azure Functions](https://github.com/christopheranderson/azure-functions-app-insights-sample)

-[api]: ./api-custom-events-metrics.md

-[availability]: ./monitor-web-app-availability.md

-[azure]: ./app-insights-overview.md

-[client]: ./javascript.md

-[diagnostic]: ./diagnostic-search.md

-[netlogs]: ./asp-net-trace-logs.md

-[portal]: https://portal.azure.com/

-[qna]: ../faq.yml

-[redfield]: ./status-monitor-v2-overview.md

-[start]: ./app-insights-overview.md

-* [Azure Cloud Services](./cloudservices.md), including both web and worker roles

-* [Monitor Azure Cloud Services apps with Application Insights](./cloudservices.md)

-(If your system is an Azure Cloud Service, there's [another method of setting separate ikeys](../../azure-monitor/app/cloudservices.md).)

-| Spring Cloud |[Set up autoscale for microservice applications](../../spring-cloud/how-to-setup-autoscale.md)|

-Register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription to make the tracked properties and proxied settings change data available. The `Microsoft.ChangeAnalysis` resource is automatically registered as you either:

-Currently, the Change Analysis resource provider is limited to registration through Azure Lighthouse subscription for users outside of home tenant. We are working on addressing this limitation.

-If this is a blocking issue for you, we can provide a workaround that involves creating a service principal and explicitly assigning the role to allow the access. Contact the [Change Analysis help team](mailto:changeanalysishelp@microsoft.com) to learn more about it.

-## Standalone UI

-Change Analysis lives in a standalone pane under Azure Monitor, where you can view all changes and application dependency/resource insights. You can access Change Analysis through a couple of entry points:

-From your resource's overview page in Azure portal, select **Diagnose and solve problems** the left menu. As you enter the Diagnose and Solve Problems tool, the **Microsoft.ChangeAnalysis** resource provider will automatically be registered.

-### Azure Resource Manager tracked properties changes

-### Azure Resource Manager proxied setting changes

-

-## Create extension instance using Azure CLI

-## Create extension instance using Azure portal

-5. Select the 'Configure' button to deploy the Azure Monitor Container Insights cluster extension.

-4. Choose the Log Analytics workspace and select the 'Configure' button to continue.

-## Create extension instance using Azure Resource Manager

-### Azure portal

-### Azure CLI

-# Enable monitoring of Azure Kubernetes Service (AKS) cluster already deployed

-## Enable using Azure CLI

-## Enable using Terraform

-## Enable from Azure Monitor in the portal

-## Enable directly from AKS cluster in the portal

-## Enable using an Azure Resource Manager template

->

-The Log Analytics workspace has to be created before you enable monitoring using Azure PowerShell or CLI. To create the workspace, you can set it up through [Azure Resource Manager](../logs/resource-manager-workspace.md), through [PowerShell](../logs/powershell-workspace-configuration.md?toc=%2fpowershell%2fmodule%2ftoc.json), or in the [Azure portal](../logs/quick-create-workspace.md).

-If you are unfamiliar with the concept of deploying resources by using a template, see:

-* [Deploy resources with Resource Manager templates and Azure PowerShell](../../azure-resource-manager/templates/deploy-powershell.md)

-* [Deploy resources with Resource Manager templates and the Azure CLI](../../azure-resource-manager/templates/deploy-cli.md)

-If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.59 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-### Create and execute a template

-1. Copy and paste the following JSON syntax into your file:

-2. Save this file as **existingClusterOnboarding.json** to a local folder.

-3. Paste the following JSON syntax into your file:

-4. Edit the values for **aksResourceId** and **aksResourceLocation** using the values on the **AKS Overview** page for the AKS cluster. The value for **workspaceResourceId** is the full resource ID of your Log Analytics workspace, which includes the workspace name.

- Edit the values for **aksResourceTagValues** to match the existing tag values specified for the AKS cluster.

-5. Save this file as **existingClusterParam.json** to a local folder.

-6. You are ready to deploy this template.

- * To deploy with Azure PowerShell, use the following commands in the folder that contains the template:

- ```powershell

- New-AzResourceGroupDeployment -Name OnboardCluster -ResourceGroupName <ResourceGroupName> -TemplateFile .\existingClusterOnboarding.json -TemplateParameterFile .\existingClusterParam.json

- ```

- The configuration change can take a few minutes to complete. When it's completed, a message is displayed that's similar to the following and includes the result:

- ```output

- provisioningState : Succeeded

- ```

- * To deploy with Azure CLI, run the following commands:

- ```azurecli

- az login

- az account set --subscription "Subscription Name"

- az deployment group create --resource-group <ResourceGroupName> --template-file ./existingClusterOnboarding.json --parameters @./existingClusterParam.json

- ```

- The configuration change can take a few minutes to complete. When it's completed, a message is displayed that's similar to the following and includes the result:

- ```output

- provisioningState : Succeeded

- ```

- After you've enabled monitoring, it might take about 15 minutes before you can view health metrics for the cluster.

->If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.74 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-Container insights supports a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md) in the regions that are listed in [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=monitor). For a list of the supported mapping pairs to use for the default workspace, see [Region mappings supported by Container insights](container-insights-region-mapping.md).

-|Agent resource|Port |Description |

-| `*.ods.opinsights.azure.cn` | 443 | Data ingestion |

-| `*.oms.opinsights.azure.cn` | 443 | OMS onboarding |

-| `dc.services.visualstudio.com` | 443 | For agent telemetry that uses Azure Public Cloud Application Insights |

-|Agent resource|Port |Description |

-| `*.ods.opinsights.azure.us` | 443 | Data ingestion |

-| `*.oms.opinsights.azure.us` | 443 | OMS onboarding |

-| `dc.services.visualstudio.com` | 443 | For agent telemetry that uses Azure Public Cloud Application Insights |

-Container insights relies on a containerized Log Analytics agent for Linux. This specialized agent collects performance and event data from all nodes in the cluster, and the agent is automatically deployed and registered with the specified Log Analytics workspace during deployment.

-| New Kubernetes cluster | [Enable monitoring for a new AKS cluster using the Azure CLI](../../aks/learn/quick-kubernetes-deploy-cli.md)|

-| Existing AKS cluster | [Enable monitoring for an existing AKS cluster using the Azure CLI](container-insights-enable-existing-clusters.md#enable-using-azure-cli) |

-| |[Enable for an existing AKS cluster using Terraform](container-insights-enable-existing-clusters.md#enable-using-terraform) |

-| | [Enable for an existing AKS cluster from Azure Monitor](container-insights-enable-existing-clusters.md#enable-from-azure-monitor-in-the-portal)|

-| | [Enable directly from an AKS cluster in the Azure portal](container-insights-enable-existing-clusters.md#enable-directly-from-aks-cluster-in-the-portal)|

-| | [Enable for AKS cluster using an Azure Resource Manager template](container-insights-enable-existing-clusters.md#enable-using-an-azure-resource-manager-template)|

-| Existing non-AKS Kubernetes cluster | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc using the Azure CLI](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-cli). |

-| | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc using a preconfigured Azure Resource Manager template](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-resource-manager) |

-| | [Enable for non-AKS Kubernetes cluster hosted outside of Azure and enabled with Azure Arc from the multicluster page Azure Monitor](container-insights-enable-arc-enabled-clusters.md#create-extension-instance-using-azure-portal) |

-Once [Change Analysis is enabled](./change/change-analysis-enable.md), the `Microsoft.ChangeAnalysis` resource provider is registered with an Azure Resource Manager subscription to make the tracked properties and proxied settings change data available. Change Analysis' [integrations with Monitoring and Diagnostics tools](./change/change-analysis-visualizations.md) provide data for various management and troubleshooting scenarios to help users understand what changes might have caused the issues.

-1. Go to the [Azure portal](https://portal.azure.com). Search for and select **Solutions**.

-To remove an installed solution by using the portal, find it in the [list of installed solutions](#list-installed-monitoring-solutions). Select the name of the solution to open its summary page, and then select **Delete**.

- | [Azure Spring Cloud](../spring-cloud/overview.md) | Microsoft.AppPlatform/Spring | [**Yes**](./essentials/metrics-supported.md#microsoftappplatformspring) | [**Yes**](./essentials/resource-logs-categories.md#microsoftappplatformspring) | | |

-Change Analysis alerts you to live site issues, outages, component failures, or other change data. It also provides insights into those application changes, increases observability, and reduces the mean time to repair. You automatically register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription by going to Change Analysis via the Azure portal. For web app in-guest changes, you can enable Change Analysis by using the [Diagnose and solve problems tool](./change/change-analysis-visualizations.md#diagnose-and-solve-problems-tool).

-When publishing your CloudService to Azure portal, add the [Application Insights SDK to Azure Cloud Services](../app/cloudservices.md).

-You can create a new Log Analytics workspace using any of the following methods. See Design a Log Analytics workspace configuration(../logs/workspace-design.md) for guidance on determining the number of workspaces you should use in your environment and how to design their access strategy.

-The following table shows the installation methods available for different supported machines.

-| [Azure portal](vminsights-enable-portal.md) | Single Azure virtual machine, Azure virtual machine scale set, or Azure Arc machine |

-| [Azure Policy](vminsights-enable-policy.md) | Multiple Azure virtual machines, Azure virtual machine scale sets, or Azure Arc machines |

-| [PowerShell](vminsights-enable-powershell.md) | Multiple Azure virtual machines, Azure virtual machine scale sets, or Azure Arc machines |

-| [Manual install](vminsights-enable-hybrid.md) | Virtual machines or physical computers on-premises other cloud environments |

-| Connected source | Supported | Description |

-|:--|:--|:--|

-| Windows agents | Yes | Along with the [Log Analytics agent for Windows](../agents/log-analytics-agent.md), Windows agents need the Dependency agent. For more information, see [supported operating systems](../agents/agents-overview.md#supported-operating-systems). |

-| Linux agents | Yes | Along with the [Log Analytics agent for Linux](../agents/log-analytics-agent.md), Linux agents need the Dependency agent. For more information, see [supported operating systems](#supported-operating-systems). |

-| System Center Operations Manager management group | No | |

-VM insights supports any operating system that supports the Log Analytics agent and Dependency agent. See [Overview of Azure Monitor agents

-> [!IMPORTANT]

-> The VM insights guest health feature has more limited operating system support while it's in public preview. See [Enable VM insights guest health (preview)](../vm/vminsights-health-enable.md) for a detailed list.

-When you enable VM insights for a machine, the following two agents are installed. See [Network requirements](../agents/log-analytics-agent.md#network-requirements) for the network requirements for these agents.

-> [!NOTE]

-> The Log Analytics agent is the same agent used by System Center Operations Manager. VM insights can monitor agents that are also monitored by Operations Manager if they are directly connected, and you install the Dependency agent on them. Agents connected to Azure Monitor through a [management group connection](../tform/../agents/om-agents.md) cannot be monitored by VM insights.

-The following are multiple methods for deploying these agents.

-| Method | Description |

-|:|:|

-| [Azure portal](../vm/vminsights-enable-portal.md) | Install both agents on a single virtual machine, virtual machine scale set, or hybrid virtual machines connected with Azure Arc. |

-| [Resource Manager templates](../vm/vminsights-enable-resource-manager.md) | Install both agents using any of the supported methods to deploy a Resource Manager template including CLI and PowerShell. |

-| [Azure Policy](../vm/vminsights-enable-policy.md) | Assign Azure Policy initiative to automatically install the agents when a virtual machine or virtual machine scale set is created. |

-| [Manual install](../vm/vminsights-enable-hybrid.md) | Install the agents in the guest operating system on computers hosted outside of Azure including in your datacenter or other cloud environments. |

-## Network requirements

-## Management packs

-# Enable Azure Monitor for single virtual machine or virtual machine scale set in the Azure portal

-This article describes how to enable VM insights for a virtual machine or virtual machine scale set using the Azure portal. This procedure can be used for the following:

-## Enable VM insights

-From the Azure portal, select **Virtual machines**, **Virtual machine scale sets**, or **Servers - Azure Arc** and select a resource from the list. In the **Monitoring** section of the menu, select **Insights** and then **Enable**. The following example shows an Azure virtual machine, but the menu is similar for Azure virtual machine scale set or Azure Arc.

-

-If the virtual machine isn't already connected to a Log Analytics workspace, then you'll be prompted to select one. If you haven't previously [created a workspace](../logs/quick-create-workspace.md), then you can select a default for the location where the virtual machine or virtual machine scale set is deployed in the subscription. This workspace will be created and configured if it doesn't already exist. If you select an existing workspace, it will be configured for VM insights if it wasn't already.

-> If you select a workspace that wasn't previously configured for VM insights, the *VMInsights* management pack will be added to this workspace. This will be applied to any agent already connected to the workspace, whether or not it's enabled for VM insights. Performance data will be collected from these virtual machines and stored in the *InsightsMetrics* table.

-

-You will receive status messages as the configuration is performed.

->[!NOTE]

->If you use a manual upgrade model for your virtual machine scale set, upgrade the instances to complete the setup. You can start the upgrades from the **Instances** page, in the **Settings** section.

-

-For each virtual machine or virtual machine scale set, the script verifies whether the VM extension for the Log Analytics agent and Dependency agent are already installed. If both extensions are installed, the script tries to reinstall it. If both extensions aren't installed, the script installs them.

-We have created example Azure Resource Manager templates for onboarding your virtual machines and virtual machine scale sets. These templates include scenarios you can use to enable monitoring on an existing resource and create a new resource that has monitoring enabled.

-The Azure Resource Manager templates are provided in an archive file (.zip) that you can [download](https://aka.ms/VmInsightsARMTemplates) from our GitHub repo. Contents of the file include folders that represent each deployment scenario with a template and parameter file. Before you run them, modify the parameters file and specify the values required.

-The download file contains the following templates for different scenarios:

->[!NOTE]

->If virtual machine scale sets were already present and the upgrade policy is set to **Manual**, VM insights won't be enabled for instances by default after running the **ExistingVmssOnboarding** Azure Resource Manager template. You have to manually upgrade the instances.

-## Sign in to Azure

-Sign in to the [Azure portal](https://portal.azure.com).

-> VM insights does not currently support [Azure Monitor agent](../agents/azure-monitor-agent-overview.md).

-

-

-* Low concurrency (r/w):

- * Sequential latency increased 0.3 ms.

- * Random I/O latency increased 0.2 ms.

- * Metadata I/O latency increased 0.2 ms.

-* High concurrency (r/w):

- * Maximum sequential throughput was unimpacted by krb5.

- * Maximum random I/O decreased by 30% for pure read workloads with the overall impact dropping to zero as the workload shifts to pure write.

- * Maximum metadata workload decreased 30%.

-* Low concurrency (r/w):

- * Sequential latency increased 0.5 ms.

- * Random I/O latency increased 0.2 ms.

- * Metadata I/O latency increased 0.2 ms.

-* High concurrency (r/w):

- * Maximum sequential throughput decreased by 70% overall regardless of the workload mixture.

- * Maximum random I/O decreased by 50% for pure read workloads with the overall impact decreasing to 25% as the workload shifts to pure write.

- * Maximum metadata workload decreased 30%.

-* Low concurrency (r/w):

- * Sequential latency increased 0.8 ms.

- * Random I/O latency increased 0.2 ms.

- * Metadata I/O latency increased 0.2 ms.

-* High concurrency (r/w):

- * Maximum sequential throughput decreased by 85% overall regardless of the workload mixture.

- * Maximum random I/O decreased by 65% for pure read workloads with the overall impact decreasing to 43% as the workload shifts to pure write.

- * Maximum metadata workload decreased 30%.

- Disaster Recovery to cloud is a resilient and cost-effective way of protecting the workloads against site outages and data corruption events like ransomware. Leveraging the VMware VAIO framework, on-premise VMware workloads can be replicated to Azure Blob storage and recovered with minimal or close to no data loss and near-zero Recovery Time Objective (RTO). JetStream DR can now seamlessly recover workloads replicated from on-premises to Azure VMware Solution to Azure NetApp Files. JetStream DR enables cost-effective disaster recovery by consuming minimal resources at the DR site and using cost-effective cloud storage. JetStream DR automates recovery to Azure NetApp Files datastores using Azure Blob Storage. It can recover independent VMs or groups of related VMs into the recovery site infrastructure according to runbook settings. It also provides point-in-time recovery for ransomware protection.

- "verbose": false,

- "verbose": false,

-| Microsoft.AppPlatform | [Azure Spring Cloud](../../spring-cloud/overview.md) |

-| Microsoft.Microservices4Spring | [Azure Spring Cloud](../../spring-cloud/overview.md) |

-Insights contain an aggregated view of the data: faces, topics, emotions. Azure Video Indexer analyzes the video and audio content by running 30+ AI models, generating rich insights. Below is an illustration of the audio and video analysis performed by Azure Video Indexer in the background.

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="./media/video-indexer-overview/model-chart.png" alt-text="Diagram of Azure Video Indexer flow.":::

-

-> [!NOTE]

-> The service is now rebranded from Azure Video Analyzer for Media to **Azure Video Indexer**. Click [here](https://vi.microsoft.com) to read more.

-> :::image type="content" source="./media/video-indexer-overview/model-chart.png" alt-text="Diagram of Azure Video Indexer flow.":::

-To start extracting insights with Azure Video Indexer, you need to [create an account](connect-to-azure.md) and upload videos, see the [how can I get started](#how-can-i-get-started-with-azure-video-indexer) section below.

-To view the command output in JSON format, add `--json` to the end of your command. For example, to display the properties of a pool named **pool001**, run `az batch pool show pool001 --json`. Then, copy and modify the output to [create Batch resources using a JSON configuration file](#create-resources-with-json).

- wget "https://raw.githubusercontent.com/Azure/ACSS-preview/main/Installation%20Script/DownloadDeployerVMPackages.sh" -O "DownloadDeployerVMPackages.sh"

-When you publish the Cloud Service from Visual Studio, you are given the option to send the diagnostic data to Application Insights. You can create the Application Insights Azure resource at that time or send the data to an existing Azure resource. Your cloud service can be monitored by Application Insights for availability, performance, failures, and usage. Custom charts can be added to Application Insights so that you can see the data that matters the most. Role instance data can be collected by using the Application Insights SDK in your cloud service project. For more information on how to integrate Application Insights, see [Application Insights with Cloud Services](../azure-monitor/app/cloudservices.md).

-Azure Application Insights for Cloud Services allows you specify what performance counters you want to collect. After you [add Application Insights to your project](../azure-monitor/app/cloudservices.md#sdk), a config file named **ApplicationInsights.config** is added to your Visual Studio project. This config file defines what type of information Application Insights collects and sends to Azure.

-For more information, see [System performance counters in Application Insights](../azure-monitor/app/performance-counters.md) and [Application Insights for Azure Cloud Services](../azure-monitor/app/cloudservices.md#performance-counters).

-zone_pivot_groups: programming-languages-set-nine

-zone_pivot_groups: programming-languages-set-nine

-## Next steps

-* Improve your pattern matching by using [custom entities](how-to-use-custom-entity-pattern-matching.md).

-* Look through our [GitHub samples](https://github.com/Azure-Samples/cognitive-services-speech-sdk).

-> For the code samples below, you'll hard-code your Shared Access Signature (SAS) URL where indicated. Remember to remove the SAS URL from your code when you're done, and never post it publicly. For production, use a secure way of storing and accessing your credentials like [Azure Key Vault](../../../key-vault/general/overview.md). See the Cognitive Services [security](../../cognitive-services-security.md) article for more information.

-POST `<resource-url>/text/analytics/v3.1/sentiment?model-version=2021-10-01-preview`.

-| Sentiment Analysis and opinion mining | `2019-10-01` | `2021-10-01` | |

-| Key phrase extraction | `2021-06-01` | `2021-06-01` | |

-> Languages are added as new [model versions](how-to/call-api.md#specify-the-key-phrase-extraction-model) are released for specific features. The current model version for Key Phrase Extraction is `2021-06-01`.

-| Language | Language code | v3 support | Starting with v3 model version: | Notes |

-|:-|:-:|:-:|:--:|::|

-| Afrikaans      |     `af`  |     ✓      |                2020-07-01                 |                    |

-| Bulgarian      |     `bg`  |     ✓      |                2020-07-01                 |                    |

-| Catalan    |     `ca`  |     ✓      |                2020-07-01                 |                    |

-| Chinese-Simplified    |     `zh-hans` |     ✓      |                2021-06-01                 |                    |

-| Croatian | `hr` | Γ£ô | 2020-07-01 | |

-| Danish | `da` | Γ£ô | 2019-10-01 | |

-| Dutch                 |     `nl`      |     ✓      |                2019-10-01                 |                    |

-| English               |     `en`      |     ✓      |                2019-10-01                 |                    |

-| Estonian              |     `et`      |     ✓      |                2020-07-01                 |                    |

-| Finnish               |     `fi`      |     ✓      |                2019-10-01                 |                    |

-| French                |     `fr`      |     ✓      |                2019-10-01                 |                    |

-| German                |     `de`      |     ✓      |                2019-10-01                 |                    |

-| Greek    |     `el`  |     ✓      |                2020-07-01                 |                    |

-| Hungarian    |     `hu`  |     ✓      |                2020-07-01                 |                    |

-| Italian               |     `it`      |     ✓      |                2019-10-01                 |                    |

-| Indonesian            |     `id`      |     ✓      |                2020-07-01                 |                    |

-| Japanese              |     `ja`      |     ✓      |                2019-10-01                 |                    |

-| Korean                |     `ko`      |     ✓      |                2019-10-01                 |                    |

-| Latvian               |     `lv`      |     ✓      |                2020-07-01                 |                    |

-| Norwegian  (Bokmål)   |     `no`      |     ✓      |                2020-07-01                 | `nb` also accepted |

-| Polish                |     `pl`      |    ✓      |                2019-10-01                 |                    |

-| Portuguese (Brazil)   |    `pt-BR`    |     ✓      |                2019-10-01                 |                    |

-| Portuguese (Portugal) |    `pt-PT`    |    ✓      |                2019-10-01                 | `pt` also accepted |

-| Romanian              |     `ro`      |     ✓      |                2020-07-01                 |                    |

-| Russian               |     `ru`      |     ✓      |                2019-10-01                 |                    |

-| Spanish               |     `es`      |     ✓      |                2019-10-01                 |                    |

-| Slovak                |     `sk`      |     ✓      |                2020-07-01                 |                    |

-| Slovenian             |     `sl`      |     ✓      |                2020-07-01                 |                    |

-| Swedish               |     `sv`      |     ✓      |                2019-10-01                 |                    |

-| Turkish              |     `tr`      |     ✓      |                2020-07-01                 |                    |

-[Key phrase analysis overview](overview.md)

-The PII feature can evaluate unstructured text, extract extract sensitive information (PII) and health information (PHI) in text across several pre-defined categories.

-When you get results from PII detection, you can stream the results to an application or save the output to a file on the local system. The API response will include [recognized entities](concepts/entity-categories.md), including their categories and sub-categories, and confidence scores. The text string with the PII entities redacted will also be returned.

-|**Azure Cognitive Search tier** | **Free** | **Basic** |**S1** | **S2**| **S3** |**S3 HD**|

-|||||||-|

-|Maximum number of published knowledge bases allowed|2|14|49|199|199|2,999|

- For example, if your tier has 15 allowed indexes, you can publish 14 knowledge bases (one index per published knowledge base). The 15th index, `testkb`, is used for all the knowledge bases for authoring and testing.

-> Question answering currently has no limits on the number of sources that can be added. Throughput is currently capped at 10 transactions per second for both management APIs and prediction APIs.

-* Maximum three responses per document.

-description: This article explains which natural languages are supported by the Sentiment Analysis and Opinion Mining features of Azure Cognitive Service for Language.

-Use this article to learn which natural languages are supported by Sentiment Analysis and Opinion Mining.

-> Languages are added as new model versions are released. The current Generally Available model version for Sentiment Analysis is `2020-04-01`. To use the latest preview model version (`2021-10-01-preview`), specify it in your API call. See [how to call the API](how-to/call-api.md#specify-the-sentiment-analysis-model) for more information.

-| Language | Language code | Starting with model version: | Notes |

-|:-|:-:|:--:|-:|

-| Norwegian (Bokmål) | `no` | 2020-04-01 | |

-| Portuguese (Brazil) | `pt-BR` | 2020-04-01 | |

-| Turkish | `tr` | 2020-04-01 | |

-| Language | Language code | Starting with model version: | Notes |

-|:-|:-:|::|-:|

-| French | `fr` | 2021-10-01-preview | |

-| German | `de` | 2021-10-01-preview | |

-| Italian | `it` | 2021-10-01-preview | |

-| Portuguese (Brazil) | `pt-BR` | 2021-10-01-preview | |

-| Portuguese (Portugal) | `pt-PT` | 2021-10-01-preview | `pt` also accepted |

-| Spanish | `es` | 2021-10-01-preview | |

-[Sentiment Analysis and Opinion Mining overview](overview.md)

-* [Language Studio](../language-studio.md), which is a web-based platform that enables you to try several Azure Cognitive Service for Language features without needing to write code.

-description: This article describes use cases for Azure Communication Services support Teams identities.

-# Azure Communication Services support Teams identities ΓÇö Use cases

-Microsoft Teams provides identities managed by Azure Active Directory and calling experiences controlled by Teams Admin Center and policies. Users might have assigned licenses to enable PSTN connectivity and advanced calling capabilities of Microsoft Teams Phone. Azure Communication Services support Teams identities for managing Teams VoIP calls, Teams PSTN calls, and join Teams meetings. Developers might extend the Azure Communication Services with Graph API to provide contextual data from Microsoft 365 ecosystem. This page is providing inspiration on how to use existing Microsoft technologies to provide an end-to-end experience for calling scenarios with Teams users and Azure Communication Services calling SDKs.

-This scenario is showing a multi-tenant use case, where company Contoso is providing SaaS to company Fabrikam. SaaS allows Fabrikam's users to make Teams PSTN calls via a custom website that takes the identity of the Teams user and configuration of the PSTN connectivity assigned to that Teams user.

-

-The following sequence diagram shows detailed steps of initiation of a Teams PSTN call:

-callAgent = await callClient.createCallAgent(tokenCredential)

-4. Connecting PSTN call to Megan: The call is routed through the Teams PSTN connectivity assigned to Alice, reaching the PSTN network and ringing the phone associated with the provided phone number. Megan sees an incoming call from the phone number associated with Alice's Teams user.

-## Use case 2: Receive inbound Teams PSTN call

-This scenario is showing a multi-tenant use case, where company Contoso is providing SaaS to company Fabrikam. SaaS allows Fabrikam's users to receive a Teams PSTN call via a custom website that takes the identity of the Teams user and configuration of the PSTN connectivity assigned to that Teams user.

-

-The following sequence diagram shows detailed steps for accepting incoming Teams PSTN calls:

-callAgent = await callClient.createCallAgent(tokenCredential)

-const incomingCallHandler = async (args: { incomingCall: IncomingCall }) => {

-3. Megan start's a call to PSTN number assigned to Teams user Alice: Megan uses her phone to call Alice. The carrier network will connect to Teams PSTN connectivity assigned to Alice and it will ring all Teams endpoints registered for Alice. It includes: Teams desktop, mobile, web clients, and applications based on Azure Communication Services calling SDK.

-Then the client application creates an instance of callAgent, that holds the Azure Communication Services access token acquired during first step.

-callAgent = await callClient.createCallAgent(tokenCredential)

-2. Subscribe for receiving calls: Client application uses Azure Communication Services calling SDK to provide the calling capability. First, it creates an instance of callAgent, that holds the Azure Communication Services access token acquired during first step.

-callAgent = await callClient.createCallAgent(tokenCredential)

-const incomingCallHandler = async (args: { incomingCall: IncomingCall }) => {

-3. Join Teams meeting "Project Tailspin": Alice selects a button to join Teams meeting "Project Tailspin" in the Contoso's Client application. Client application uses Azure Communication Services calling SDK to provide the calling capability. Client applications create an instance of callAgent, that holds the Azure Communication Services access token acquired during first step.

-callAgent = await callClient.createCallAgent(tokenCredential)

-description: This article discusses how to integrate communication as Teams user with Azure Communication Services.

-# Integrate communication as Teams user with Azure Communication Services and Graph API

-1. Find license detail where property `servicePlanName` has one of the values in the [Eligible Teams Licenses table](../quickstarts/eligible-teams-licenses.md#eligible-teams-licenses)

-To use Azure Communication Services support for Teams users, you need an Azure Active Directory instance with users that have a valid Teams license. Furthermore, license must be assigned to the administrators or relevant users. This article describes the Teams license requirements to use Azure Communication Services support for Teams users.

-### Eligible Teams licenses

-Ensure that your Azure Active Directory users have at least one of the following eligible Teams licenses:

-| Service Plan (friendly names) | Service Plan ID |

-|: |: |

-| TEAMS1 | 57ff2da0-773e-42df-b2af-ffb7a2317929 |

-| TEAMS_FREE | 4fa4026d-ce74-4962-a151-8e96d57ea8e4 |

-| TEAMS_GOV | 304767db-7d23-49e8-a945-4a7eb65f9f28 |

-| TEAMS_GCCHIGH | 495922d5-f138-498b-8967-4acdcdfb2a74 |

-| TEAMS_AR_GCCHIGH | 9953b155-8aef-4c56-92f3-72b0487fce41 |

-| TEAMS_DOD | ec0dd2de-a877-4059-a9b8-5838b5629b2a |

-| TEAMS_AR_DOD | fd500458-c24c-478e-856c-a6067a8376cd |

-### How to find current Teams license

-You can find your current Teams license using [licenseDetails](/graph/api/resources/licensedetails) Microsoft Graph API that returns licenses assigned to a user.

-[Azure Spring Apps](../spring-cloud/overview.md) makes it easy to deploy Spring Boot microservice applications to Azure without any code changes. The service manages the infrastructure of Spring Cloud applications so developers can focus on their code. Azure Spring Cloud provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. If your team or organization is predominantly Spring, Azure Spring Apps is an ideal option.

-When a secret is updated or deleted, you can respond to changes in one of two ways:

-An updated or removed secret does not automatically restart a revision.

-Here, a connection string to a queue storage account is declared in the `secrets` array. To use this configuration you would replace `<MY-CONNECTION-STRING-VALUE>` with the value of your connection string.

-Secrets are defined using the `--secrets` parameter.

- --secrets "queue-connection-string=$CONNECTION_STRING" \

-Secrets are defined using the `--secrets` parameter.

- --secrets "queue-connection-string=$CONNECTION_STRING" `

-## Using secrets

-The secret value is mapped to the secret name declared at the application level as described in the [defining secrets](#defining-secrets) section. The `passwordSecretRef` and `secretref` parameters are used to reference the secret names as environment variables at the container level. The `passwordSecretRef` provides a descriptive parameter name for secrets containing passwords.

-The following example shows an application that declares a connection string at the application level and is used throughout the configuration via `secretref`.

-Here, the environment variable named `connection-string` gets its value from the application-level `queue-connection-string` secret. Also, the Azure Queue Storage scale rule's authorization configuration uses the `queue-connection-string` as a connection is established.

-In this example, you create an application with a secret that's referenced in an environment variable using the Azure CLI.

-Here, the environment variable named `connection-string` gets its value from the application-level `queue-connection-string` secret by using `secretref`.

-In this example, you create an application with a secret that's referenced in an environment variable using the Azure CLI.

-Here, the environment variable named `connection-string` gets its value from the application-level `queue-connection-string` secret by using `secretref`.

-You can use Spring Data Azure Cosmos DB in your [Azure Spring Cloud](https://azure.microsoft.com/services/spring-cloud/) applications.

-You can use Spring Data Azure Cosmos DB in your [Azure Spring Cloud](https://azure.microsoft.com/services/spring-cloud/) applications.

-To get the primary table storage connection string using Azure CLI, use the [az Cosmos DB keys list](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list) command with the option `--type connection-strings`. This command uses a [JMESPath query](https://jmespath.org/) to display only the primary table connection string.

-To get the primary table storage connection string using Azure CLI, use the [az cosmosdb keys list](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list) command with the option `--type connection-strings`. This command uses a [JMESPath query](https://jmespath.org/) to display only the primary table connection string.

-To get the primary connection string using Azure CLI, use the [az cosmosdb keys list](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list) command with the option `--type connection-strings`. This command uses a [JMESPath query](https://jmespath.org/) to display only the primary table connection string.

-Monthly payments are not available for: Databricks, SUSE Linux reservations, Red Hat Plans and Azure Red Hat OpenShift Licenses.

-Currently, the reservation administrator and reservation reader roles are only available to assign using PowerShell. They can't be viewed or assigned in the Azure portal. For more information, see [Grant access with PowerShell](#grant-access-with-powershell).

-## Add a Reservation Administrator role at the tenant level

-## Assign a Reservation Reader role at the tenant level

-This HubSpot connector is supported for the following activities:

-You can copy data from HubSpot to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Jira connector is supported for the following activities:

-You can copy data from Jira to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Magento connector is supported for the following activities:

-You can copy data from Magento to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Marketo connector is supported for the following activities:

-You can copy data from Marketo to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Oracle Eloqua connector is supported for the following activities:

-You can copy data from Oracle Eloqua to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Oracle Responsys connector is supported for the following activities:

-You can copy data from Oracle Responsys to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Oracle Service Cloud connector is supported for the following activities:

-You can copy data from Oracle Service Cloud to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This PayPal connector is supported for the following activities:

-You can copy data from PayPal to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Quickbase connector is supported for the following activities:

-This QuickBooks connector is supported for the following activities:

-You can copy data from QuickBooks Online to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Salesforce Marketing Cloud connector is supported for the following activities:

-You can copy data from Salesforce Marketing Cloud to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Salesforce Service Cloud connector is supported for the following activities:

-You can copy data from Salesforce Service Cloud to any supported sink data store. You also can copy data from any supported source data store to Salesforce Service Cloud. For a list of data stores that are supported as sources or sinks by the Copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Salesforce connector is supported for the following activities:

-You can copy data from Salesforce to any supported sink data store. You also can copy data from any supported source data store to Salesforce. For a list of data stores that are supported as sources or sinks by the Copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This SAP Cloud for Customer connector is supported for the following activities:

-You can copy data from SAP Cloud for Customer to any supported sink data store, or copy data from any supported source data store to SAP Cloud for Customer. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This SAP ECC connector is supported for the following activities:

-You can copy data from SAP ECC to any supported sink data store. For a list of data stores that are supported as sources or sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This ServiceNow connector is supported for the following activities:

-You can copy data from ServiceNow to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This SharePoint Online List connector is supported for the following activities:

-You can copy data from SharePoint Online List to any supported sink data store. For a list of data stores that Copy Activity supports as sources and sinks, see [Supported data stores and formats](copy-activity-overview.md#supported-data-stores-and-formats).

-This Shopify connector is supported for the following activities:

-You can copy data from Shopify to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Smartsheet connector is supported for the following activities:

-This Square connector is supported for the following activities:

-You can copy data from Square to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This TeamDesk connector is supported for the following activities:

-This Twilio connector is supported for the following activities:

-This Web table connector is supported for the following activities:

-You can copy data from Web table database to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Xero connector is supported for the following activities:

-You can copy data from Xero to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

-This Zendesk connector is supported for the following activities:

-This Zoho connector is supported for the following activities:

-You can copy data from Zoho to any supported sink data store. For a list of data stores that are supported as sources/sinks by the copy activity, see the [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats) table.

- * You can also use [JMESPATH](https://jmespath.org/) query format to only extract the migrationState from the expand output:

-Each Azure Policy assignment can be associated with only one managed identity. However, the managed identity can be assigned multiple roles. Configuration occurs in two steps: first create either a system-assigned or user-assigned managed identity, then grant it the necessary roles.

-To set a system-assigned managed identity in the portal:

-1. On the **Remediation** tab of the create/edit assignment view, under **Types of Managed Identity**, ensure that **System assigned managed identity**

-is selected.

-1. Specify the location at which the managed identity is to be located.

-To set a user-assigned managed identity in the portal:

-1. On the **Remediation** tab of the create/edit assignment view, under **Types of Managed Identity**, ensure that **User assigned managed identity**

-is selected.

-1. Specify the scope where the managed identity is hosted. The scope of the managed identity does not have to equate to the scope of the assignment, but it must be in the same tenant.

-1. Under **Existing user assigned identities**, select the managed identity.

-To create an identity during the assignment of the policy, **Location** must be defined and **Identity** used.

-$userassignedidentity = Get-AzUserAssignedIdentity -ResourceGroupName $rgname -Name $userassignedidentityname

-`$assignment.Identity.PrincipalId` for system-assigned managed identities and `$assignment.Identity.UserAssignedIdentities[$userassignedidentityid].PrincipalId` for user-assigned managed identities.

->

->

-> - If the assignment is created through SDK

-granted the needed roles. Once replication is complete, the following example iterates the policy

- New-AzRoleAssignment -Scope $resourceGroup.ResourceId -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionId $roleDefId

-

-1. From the assignment wizard in the portal, navigate to the **Remediation** tab. Select the check box for **Create a remediation task**.

-1. If the remediation task is initiated from an initiative assignment, select the policy to remediate from the drop-down. One **deployIfNotExists** or **modify** policy can be remediated through a single Remediation task at a time.

-1. Optionally modify remediation settings on the **New remediation task** page:

- - **Failure Threshold percentage** - Used to specify whether the remediation task should fail if the percentage of failures exceeds the given threshold. Provided as a number between 0 to 100. By default, the failure threshold is 100%.

-

- the resources.

-> **Get started:** [Deploy your first Spring Boot app in Azure Spring Cloud](../../spring-cloud/quickstart.md).

- clusters = src, dest

- # for example. "A_host1:9092, A_host2:9092, A_host3:9092"

- source.bootstrap.servers = wn0-src-kafka.azurehdinsight.net:9092,wn1-src-kafka.azurehdinsight.net:9092,wn2-src-kafka.azurehdinsight.net:9092

- destination.bootstrap.servers = wn0-dest-kafka.azurehdinsight.net:9092,wn1-dest-kafka.azurehdinsight.net:9092,wn2-dest-kafka.azurehdinsight.net:9092

-* Install [Python 2.x or 3.x](https://www.python.org/downloads/). Make sure to use the 32-bit or 64-bit installation as required by your setup. When prompted during the installation, make sure to add Python to your platform-specific environment variables.

-* If you're using Windows OS, install the [Visual C++ redistributable package](https://support.microsoft.com/help/2977003/the-latest-supported-visual-c-downloads) to allow the use of native DLLs from Python.

-* [Visual Studio](https://visualstudio.microsoft.com/vs/) 2019 with the ['Desktop development with C++'](/cpp/ide/using-the-visual-studio-ide-for-cpp-desktop-development) workload enabled. Visual Studio 2015 and Visual Studio 2017 are also supported.

-* [CMake build system](https://cmake.org/download/).

-1. Open a Git CMD or Git Bash command-line environment.

-2. Clone the [Python](https://github.com/Azure/azure-iot-sdk-python) GitHub repository using the following command:

- ```cmd/sh

- git clone --single-branch --branch v1-deprecated https://github.com/Azure/azure-iot-sdk-python.git --recursive

- ```

-3. Create a folder in your local copy of this GitHub repo for the CMake build process.

- ```cmd/sh

- cd azure-iot-sdk-python/c

- mkdir cmake

- cd cmake

- ```

-4. Follow [these instructions](https://github.com/Azure/azure-iot-sdk-python/blob/v1-deprecated/doc/python-devbox-setup.md) to build the Python packages.

- > [!NOTE]

- > If running the `build_client.cmd` make sure to use the `--use-tpm-simulator` flag.

- >

- > [!NOTE]

- > If using `pip` make sure to also install the `azure-iot-provisioning-device-client` package. Note that the released PIP packages are using the real TPM, not the simulator. To use the simulator you need to compile from the source using the `--use-tpm-simulator` flag.

-1. Run the following command to enable the SAS token authentication (the command also generates a Visual Studio solution for the simulated device):

- ```cmd/sh

- cmake -Duse_prov_client:BOOL=ON -Duse_tpm_simulator:BOOL=ON ..

- ```

-2. Open a second command prompt.

-3. In the second command prompt, navigate to the TPM simulator folder.

-4. Run the [TPM](/windows/device-security/tpm/trusted-platform-module-overview) simulator to be the [HSM](https://azure.microsoft.com/blog/azure-iot-supports-new-security-hardware-to-strengthen-iot-security/) for the simulated device.

-5. Select **Allow Access**. The simulator listens over a socket on ports 2321 and 2322. Do not close this command window; you will need to keep this simulator running until the end of this quickstart guide.

- ```cmd/sh

- .\azure-iot-sdk-python\c\provisioning_client\deps\utpm\tools\tpm_simulator\Simulator.exe

- ```

- 

-1. Launch Visual Studio.

-2. Open the solution generated in the *cmake* folder named `azure_iot_sdks.sln`.

-3. On the Visual Studio menu, select **Build** > **Build Solution** to build all projects in the solution.

-4. Right-click the **tpm_device_provision** project and select **Set as Startup Project**.

-5. Run the solution. The output window displays the **_Endorsement key_** and the **_Registration ID_** needed for device enrollment. Copy these values.

-1. Navigate to the samples folder of the Git repository.

- ```cmd/sh

- cd azure-iot-sdk-python/provisioning_device_client/samples

- ```

-2. Using your Python IDE, edit the Python script named **provisioning\_device\_client\_sample.py** (replace `{globalServiceEndpoint}` and `{idScope}` to the values that you previously copied). Also, make sure *SECURITY\_DEVICE\_TYPE* is set to `ProvisioningSecurityDeviceType.TPM`.

- ```python

- GLOBAL_PROV_URI = "{globalServiceEndpoint}"

- ID_SCOPE = "{idScope}"

- SECURITY_DEVICE_TYPE = ProvisioningSecurityDeviceType.TPM

- PROTOCOL = ProvisioningTransportProvider.HTTP

- ```

- 

-3. Run the sample.

- ```cmd/sh

- python provisioning_device_client_sample.py

- ```

-4. Notice the messages that simulate the device booting and connecting to the Device Provisioning Service to get your IoT hub information.

- :::zone pivot="programming-language-ansi-c"

- :::zone-end

- :::zone pivot="programming-language-csharp"

- ::: zone-end

- ::: zone pivot="programming-language-nodejs"

- ::: zone-end

- ::: zone pivot="programming-language-python"

- 

- ::: zone-end

- ::: zone pivot="programming-language-java"

- ::: zone-end

-> [Quickstart - Enroll TPM device to Azure IoT Hub Device Provisioning Service](quick-enroll-device-tpm.md)

-1. In your Windows command prompt, clone the [Azure IoT Samples for Python](https://github.com/Azure/azure-iot-sdk-node.git) GitHub repository using the following command:

-description: Quickstart - Enroll an individual device to Azure IoT Hub Device Provisioning Service (DPS) using TPM attestation.

-# Quickstart: Enroll individual device to IoT Hub Device Provisioning Service using TPM attestation

-This article shows you how to programmatically create an individual enrollment for a TPM device in the Azure IoT Hub Device Provisioning Service by using the [Microsoft Azure IoT SDK](../iot-hub/iot-hub-devguide-sdks.md) and a sample application. You can optionally enroll a simulated TPM device to the provisioning service by using this individual enrollment entry.

-* Install [Visual Studio 2019](https://www.visualstudio.com/vs/).

-* Install [.NET Core 3.1 SDK or later](https://dotnet.microsoft.com/download) or later on your Windows-based machine. You can use the following command to check your version.

-* (Optional) If you want to enroll a simulated device at the end of this quickstart, follow the procedure in [Create and provision a simulated TPM device](quick-create-simulated-device-tpm.md) up to the step where you get an endorsement key for the device. Save the endorsement key, registration ID, and, optionally, the device ID.

-* (Optional) Create an endorsement key. Follow the steps in [Create and provision a simulated device](quick-create-simulated-device-tpm.md) until you get the key.

-* Install the [Java SE Development Kit 8](/azure/developer/java/fundamentals/java-support-on-azure). This quickstart installs the [Java Service SDK](https://azure.github.io/azure-iot-sdk-java/master/service/) below. It works on both Windows and Linux. This quickstart uses Windows.

-> [!NOTE]

-> Don't follow the steps to create an individual enrollment by using the Azure portal.

-<a id="setupdevbox"></a>

-## Prepare the development environment

-### Set up environment variables

-To set up environment variables:

-1. The `PATH` variable should include the full path to *jdk1.8.x\bin* directory. If this is your machine's first Java installation, then create a new environment variable named `JAVA_HOME` and point it to the full path to the *jdk1.8.x* directory. On Windows machine, this directory is found in the *C:\\Program Files\\Java\\* folder, and you can create or edit environment variables by searching for **Edit the system environment variables** on the **Control panel** of your Windows machine.

- You can check if Java is successfully set up on your machine by running the following command on your command window:

- ```cmd\sh

- java -version

- ```