+ >[!NOTE]

+ >You shouldn't use public IP addresses for virtual networks and their subnets due to the following issues:

+ >

+ >- **Scarcity of the IP address**: IPv4 public IP addresses are limited, and their demand often exceeds the available supply. Also, there are potentially overlapping IPs with public endpoints.

+ >- **Security risks**: Using public IPs for virtual networks exposes your devices directly to the internet, increasing the risk of unauthorized access and potential attacks. Without proper security measures, your devices may become vulnerable to various threats.

+ >

+ >- **Complexity**: Managing a virtual network with public IPs can be more complex than using private IPs, as it requires dealing with external IP ranges and ensuring proper network segmentation and security.

+ >

+ >It is strongly recommended to use private IP addresses. If you use a public IP, ensure you are the owner/dedicated user of the chosen IPs in the public range you chose.

+>[!NOTE]

+>You shouldn't use public IP addresses for virtual networks and their subnets due to the following issues:

+>

+>- **Scarcity of the IP address**: IPv4 public IP addresses are limited, and their demand often exceeds the available supply. Also, there are potentially overlapping IPs with public endpoints.

+>- **Security risks**: Using public IPs for virtual networks exposes your devices directly to the internet, increasing the risk of unauthorized access and potential attacks. Without proper security measures, your devices may become vulnerable to various threats.

+>

+>- **Complexity**: Managing a virtual network with public IPs can be more complex than using private IPs, as it requires dealing with external IP ranges and ensuring proper network segmentation and security.

+>

+>It is strongly recommended to use private IP addresses. If you use a public IP, ensure you are the owner/dedicated user of the chosen IPs in the public range you chose.

+ "id": "8b1025e4-1dd2-430b-a150-2ef79cd700f5",

+- Number of errors in the [provisioning logs](check-status-user-account-provisioning.md). Performance is slower if there are many errors and the provisioning service has gone into a quarantine state.

+1. Run the following PowerShell script to assign permissions to your managed identity.

+1. To confirm that the permission was applied, find the managed identity service principal under **Enterprise Applications** in Azure AD. Remove the **Application type** filter to see all service principals.

+1. Download and install the latest version of PowerShell.

+1. Run the command to enable execution of remote signed scripts:

+1. **HR team** performs the transactions in the cloud HR app tenant.

+2. **Azure AD provisioning service** runs the scheduled cycles from the cloud HR app tenant and identifies changes that need to be processed for sync with AD.

+3. **Azure AD provisioning service** invokes the Azure AD Connect provisioning agent with a request payload containing AD account create/update/enable/disable operations.

+4. **Azure AD Connect provisioning agent** uses a service account to manage AD account data.

+5. **Azure AD Connect** runs delta sync to pull updates in AD.

+6. **AD** updates are synced with Azure AD.

+7. **Azure AD provisioning service** writebacks email attribute and username from Azure AD to the cloud HR app tenant.

+You can extend the schema of Azure AD users using [Microsoft Graph](/graph/overview).

+ "User"

+Create a custom extension using PowerShell and assign a value to a user.

+#Connect to your Azure AD tenant

+7. The new attributes will be available in the drop-down under **source attribute**.

+2. Sign in as an Azure AD Global Administrator.

+> The ability to provision reference attributes from on-premises AD, such as **managedby** or **DN/DistinguishedName**, is not supported today. You can request this feature on [User Voice](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789).

+1. Install connector for the location that your app instances will be in (For example US West). For the connector group assign the connector to the right region (For example North America).

+2. Set up your app instance with Application Proxy as follows:

+3. In the Front Door service, utilize the URL generated for the app by Application Proxy as a backend for the backend pool. For example, contoso.msappproxy.net

+1. Create a Front Door (Standard) with the configuration below:

+2. Verify if the deployment is complete and the Front Door Service is ready

+3. To give your Front Door service a user-friendly domain host name URL, create a CNAME record with your DNS provider for your Application Proxy External URL that points to Front DoorΓÇÖs domain host name (generated by the Front Door service). For example, contoso.org points to contoso.azurefd.net Reference: [How to add a custom domain - Azure Front Door][front-door-custom-domain]

+4. As per the reference, on the Front Door Service Dashboard navigate to Front Door Manager and add a Domain with the Custom Hostname. For example, contoso.org

+5. Navigate to the Origin groups in the Front Door Service Dashboard, select the origin name and validate the Origin host header matches the domain of the backend. For example here the Origin host header should be: contoso.org

+1. Pre-authentication- The client must separately acquire an access token or cookie for each Azure AD Application Proxy app. This might lead to additional redirects to login.microsoftonline.com and CORS issues.

+2. CORS issues- Cross-origin resource sharing calls (OPTIONS request) might be triggered to validate if the caller web app is allowed to access the URL of the targeted web app. These will be blocked by the Azure AD Application Proxy Cloud service, since these requests cannot contain authentication information.

+3. Poor app management- Multiple enterprise apps are created to enable access to a private app adding friction to the app management experience.

+1. Enable the group policy Make proxy settings per-machine. This is found in: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer. This needs to be set rather than having this policy set to per-user.

+2. Run `gpupdate /force` on the server or reboot the server to ensure it uses the updated group policy settings.

+3. Launch an elevated command prompt with admin rights and enter `control inetcpl.cpl`.

+4. Configure the required proxy settings.

+1. Under **Enable and Target**, click **Enable**.

+1. Pick the correct user certificate in the client certificate picker UI and click **OK**.

+1. Run the installer for your previous version (for example, 8.0.x.x).

+1. Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Sign-in logs** > **Service Principal Sign-ins**. You can use filters to ease the debugging process.

+1. Select an entry to see activity details. The **Continuous access evaluation** field indicates whether a CAE token was issued in a particular sign-in attempt.

+1. Browse to **Azure Active Directory** > **Security** > **Continuous access evaluation**.

+1. You have the option to **Migrate** your policy. This action is the only one that you have access to at this point.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Sign-in logs**.

+1. Apply the **Is CAE Token** filter.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Workbooks**.

+1. Under **Public Templates**, search for **Continuous access evaluation insights**.

+1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator.

+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations.

+- Augmentation Loop

+- Call Recorder

+- Device Management Service

+- IC3 Gateway

+- Media Analysis and Transformation Service

+- Message Recall app

+- Messaging Async Media

+- Microsoft 365 Reporting Service

+- Microsoft Discovery Service

+- Microsoft Exchange Online Protection

+- Microsoft Flow

+- Microsoft Flow GCC

+- Microsoft Forms

+- Microsoft Forms Web

+- Microsoft Forms Web in Azure Government

+- Microsoft Legacy To-Do WebApp

+- Microsoft Office 365 Portal

+- Microsoft Office client application

+- Microsoft People Cards Service

+- Microsoft SharePoint Online - SharePoint Home

+- Microsoft Stream Portal

+- Microsoft Stream Service

+- Microsoft Teams

+- Microsoft Teams - T4L Web Client

+- Microsoft Teams - Teams And Channels Service

+- Microsoft Teams Chat Aggregator

+- Microsoft Teams Graph Service

+- Microsoft Teams Retail Service

+- Microsoft Teams Services

+- Microsoft Teams UIS

+- Microsoft Teams Web Client

+- Microsoft To-Do WebApp

+- Microsoft Whiteboard Services

+- O365 Suite UX

+- OCPS Checkin Service

+- Office 365 app, corresponding to a migrated siteId.

+- Office 365 Exchange Microservices

+- Office 365 Exchange Online

+- Office 365 Search Service

+- Office 365 SharePoint Online

+- Office 365 Yammer

+- Office Delve

+- Office Hive

+- Office Hive Azure Government

+- Office Online

+- Office Services Manager

+- Office Services Manager in USGov

+- Office Shredding Service

+- Office365 Shell WCSS-Client

+- Office365 Shell WCSS-Client in Azure Government

+- OneDrive SyncEngine

+- Outlook Browser Extension

+- Outlook Service for Exchange

+- PowerApps Service

+- PowerApps Web

+- PowerApps Web GCC

+- Reply at mention

+- Security & Compliance Center

+- SharePoint Online Web Client Extensibility

+- SharePoint Online Web Client Extensibility Isolated

+- Skype and Teams Tenant Admin API

+- Skype for Business Online

+- Skype meeting broadcast

+- Skype Presence Service

+- Targeted Messaging Service

+- The GCC DoD app for office.com

+- The Office365 Shell DoD WCSS-Client

+1. Which Conditional Access policies apply?

+1. For policies that do apply, were the required controls are satisfied?

+1. Navigate to the **Azure portal** > **Security** > **Conditional Access**

+1. Create a new policy or select an existing policy

+1. Open the Session control settings

+1. Select Disable resilience defaults to disable the setting for this policy. Sign-ins in scope of the policy will be blocked during an Azure AD outage

+1. Save changes to the policy

+1. Navigate to Service Principal sign-in logs in your tenant to find services authenticating to access resources in your tenant.

+1. Check using app ID if a Service Principal exists for both resource and client apps in your tenant that you wish to manage access.

+1. Create a Service Principal using app ID, if it doesn't exist:

+1. Explicitly assign client apps to resource apps (this functionality is available only in API and not in the Azure AD Portal):

+1. Require assignment for the resource application to restrict access only to the explicitly assigned users or services.

+ "AzureAd": {

+ // Same AzureAd section as before.

+ },

+ "MyWebApi": {

+ "BaseUrl": "https://localhost:44372/",

+ "RelativePath": "api/TodoList",

+ "RequestAppToken": true,

+ "Scopes": [ "[Enter here the scopes for your web API]" ]

+ }

+ auth: {

+ clientId: process.env.CLIENT_ID,

+ authority: process.env.AAD_ENDPOINT + process.env.TENANT_ID,

+ clientSecret: process.env.CLIENT_SECRET,

+ }

+ uri: process.env.GRAPH_ENDPOINT + 'v1.0/users',

+ scopes: [process.env.GRAPH_ENDPOINT + '.default'],

+ if (!error)

+ {

+ // You'll want to get the account identifier to retrieve and reuse the account

+ // for later acquireToken calls

+ NSString *accountIdentifier = result.account.identifier;

+ NSString *accessToken = result.accessToken;

+ }

+ guard let authResult = result, error == nil else {

+ print(error!.localizedDescription)

+ return

+ }

+ // Get access token from result

+ let accessToken = authResult.accessToken

+ private readonly _destroying$ = new Subject<void>();

+ constructor(private broadcastService: MsalBroadcastService) { }

+ ngOnInit() {

+ this.broadcastService.msalSubject$

+ .pipe(

+ filter((msg: EventMessage) => msg.eventType === EventType.ACQUIRE_TOKEN_SUCCESS),

+ takeUntil(this._destroying$)

+ )

+ .subscribe((result: EventMessage) => {

+ // Do something with event payload here

+ });

+ }

+ ngOnDestroy(): void {

+ this._destroying$.next(undefined);

+ this._destroying$.complete();

+ }

+ '@odata.context': 'https://graph.microsoft.com/v1.0/$metadata#users',

+ value: [

+ {

+ displayName: 'Adele Vance'

+ givenName: 'Adele',

+ jobTitle: 'Retail Manager',

+ mail: 'AdeleV@msaltestingjs.onmicrosoft.com',

+ mobilePhone: null,

+ officeLocation: '18/2111',

+ preferredLanguage: 'en-US',

+ surname: 'Vance',

+ userPrincipalName: 'AdeleV@msaltestingjs.onmicrosoft.com',

+ id: 'a6a218a5-f5ae-462a-acd3-581af4bcca00'

+ }

+ ]

+2. Find the callback URI for your app by adding the `redirectURI` field in *MainPage.xaml.cs* and setting a breakpoint on it:

+1. Repeat steps 3-4 for package `aadlogin-selinux`.

+This article describes two ways to take over a DNS domain name in an unmanaged directory in Azure Active Directory (Azure AD), part of Microsoft Entra. When a self-service user signs up for a cloud service that uses Azure AD, they're added to an unmanaged Azure AD directory based on their email domain. For more about self-service or "viral" sign-up for a service, see [What is self-service sign-up for Azure Active Directory?](directory-self-service-signup.md)

+* When you perform an ["internal" admin takeover](#internal-admin-takeover) of an unmanaged Azure directory, you're added as the global administrator of the unmanaged directory. No users, domains, or service plans are migrated to any other directory you administer.

+Some products that include SharePoint and OneDrive, such as Microsoft 365, don't support external takeover. If that is your scenario, or if you're an admin and want to take over an unmanaged or "shadow" Azure AD organization create by users who used self-service sign-up, you can do this with an internal admin takeover.

+5. Add the TXT record to prove that you own the domain name **fourthcoffee.xyz** at your domain name registrar. In this example, it's GoDaddy.com.

+When you complete the preceding steps, you're now the global administrator of the Fourth Coffee organization in Microsoft 365. To integrate the domain name with your other Azure services, you can remove it from Microsoft 365 and add it to a different managed organization in Azure.

+2. Select **Users** tab, and create a new user account with a name like *user\@fourthcoffeexyz.onmicrosoft.com* that doesn't use the custom domain name.

+If you already manage an organization with Azure services or Microsoft 365, you can't add a custom domain name if it's already verified in another Azure AD organization. However, from your managed organization in Azure AD you can take over an unmanaged organization as an external admin takeover. The general procedure follows the article [Add a custom domain to Azure AD](../fundamentals/add-custom-domain.md).

+External admin takeover isn't supported for any service that has service plans that include SharePoint, OneDrive, or Skype For Business; for example, through an Office free subscription.

+The key and templates aren't moved over when the unmanaged organization is in a different region. For example, if the unmanaged organization is in Europe and the organization that you own is in North America.

+Although RMS for individuals is designed to support Azure AD authentication to open protected content, it doesn't prevent users from also protecting content. If users did protect content with the RMS for individuals subscription, and the key and templates weren't moved over, that content isn't accessible after the domain takeover.

+`connect-mggraph` | When prompted, sign in to your managed organization.

+`get-mgdomain` | Shows your domain names associated with the current organization.

+`new-mgdomain -BodyParameter @{Id="<your domain name>"; IsDefault="False"}` | Adds the domain name to organization as Unverified (no DNS verification has been performed yet).

+`get-mgdomain` | The domain name is now included in the list of domain names associated with your managed organization, but is listed as **Unverified**.

+`Get-MgDomainVerificationDnsRecord` | Provides the information to put into new DNS TXT record for the domain (MS=xxxxx). Verification might not happen immediately because it takes some time for the TXT record to propagate, so wait a few minutes before considering the **-ForceTakeover** option.

+`confirm-mgdomain ΓÇôDomainname <domainname>` | - If your domain name is still not verified, you can proceed with the **-ForceTakeover** option. It verifies that the TXT record was created and kicks off the takeover process.<br>- The **-ForceTakeover** option should be added to the cmdlet only when forcing an external admin takeover, such as when the unmanaged organization has Microsoft 365 services blocking the takeover.

+`get-mgdomain` | The domain list now shows the domain name as **Verified**.

+1. Connect to Microsoft Graph using the credentials that were used to respond to the self-service offering:

+ Install-Module -Name Microsoft.Graph

+

+ Connect-MgGraph -Scopes "User.ReadWrite.All","Domain.ReadWrite.All"

+ Get-MgDomain

+3. Run the New-MgDomain cmdlet to add a new domain in Azure:

+ New-MgDomain -BodyParameter @{Id="<your domain name>"; IsDefault="False"}

+4. Run the Get-MgDomainVerificationDnsRecord cmdlet to view the DNS challenge:

+ ```powershell

+ (Get-MgDomainVerificationDnsRecord -DomainId "<your domain name>" | ?{$_.recordtype -eq "Txt"}).AdditionalProperties.text

+ For example:

+ ```powershell

+ (Get-MgDomainVerificationDnsRecord -DomainId "contoso.com" | ?{$_.recordtype -eq "Txt"}).AdditionalProperties.text

+ MS=ms18939161

+6. Run the Confirm-MgDomain cmdlet to verify the challenge:

+ Confirm-MgDomain -DomainId "<your domain name>"

+ Confirm-MgDomain -DomainId "contoso.com"

+1. Select **Add dynamic query**.

+ ```powershell

+ ```powershell

+ ```powershell

+In this quickstart, you invited and added a single guest user to your directory using PowerShell. You can also invite a guest user using the [Azure portal](b2b-quickstart-add-guest-users-portal.md). Additionally you can [invite guest users in bulk using PowerShell](tutorial-bulk-invite.md).

+If you use Azure Active Directory (Azure AD) B2B collaboration to work with external partners, you can invite multiple guest users to your organization at the same time via the portal or via PowerShell. In this tutorial, you learn how to use PowerShell to send bulk invitations to external users. Specifically, you do the following:

+You should see the users that you invited listed, with a user principal name (UPN) in the format *emailaddress*#EXT#\@*domain*. For example, *msullivan_fabrikam.com#EXT#\@contoso.onmicrosoft.com*, where contoso.onmicrosoft.com is the organization from which you sent the invitations.

+For example: `Remove-AzureADUser -ObjectId "msullivan_fabrikam.com#EXT#@contoso.onmicrosoft.com"`

+In this tutorial, you sent bulk invitations to guest users outside of your organization. Next, learn how to bulk invite guest users on the portal and how to enforce MFA for them.

+- [Bulk invite guest users via the portal](tutorial-bulk-invite.md)

+1. Microsoft background image and color.

+2. Microsoft favicon.

+3. Microsoft banner logo.

+4. Footer as a page layout element.

+5. Microsoft footer hyperlinks, for example, Privacy & cookies, Terms of use and troubleshooting details also known as ellipsis in the right bottom corner of the screen.

+6. Microsoft overlay.

+1. Microsoft background image and color.

+2. Microsoft favicon.

+3. Microsoft banner logo.

+4. Footer as a page layout element.

+5. Microsoft footer hyperlinks, for example, Privacy & cookies, Terms of use and troubleshooting details also known as ellipsis in the right bottom corner of the screen.

+6. Microsoft overlay.

+1. On the **Text** tab select **Add Custom Text**.

+1. Select any of the options:

+1. Remove the elements you no longer need.

+1. Once finished select **Review + save**.

+### Enable the password reset link

+You can hide, show or customize the self-service password reset link on the sign-in page.

+1. In the search bar, type and select **Company Branding**.

+1. Under **Default sign-in** select **Edit**.

+1. On the **Sign-in form** tab, scroll to the **Self-service password reset** section and select **Show self-service password reset**.

+

+ :::image type="content" source="media/how-to-customize-branding-customers/company-branding-self-service-password-reset.png" alt-text="Screenshot of the company branding Self-service password reset.":::

+1. Select **Review + save** and **Save** on the **Review** tab.

+For more details, check out the [Customize the neutral branding in your customer tenant](how-to-customize-branding-customers.md#to-customize-self-service-password-reset) article.

+ ```html

+ ```

+1. Open a browser and navigate to the external URL that you created when you published the app.

+2. Sign in with the Azure AD B2B account that you assigned to the app. You should be able to open the app and access it with single sign-on.

+1. A user from a partner organization (the Fabrikam tenant) is invited to the Contoso tenant.

+2. A guest user object is created in the Contoso tenant (for example, a user object with a UPN of guest_fabrikam.com#EXT#@contoso.onmicrosoft.com).

+3. The Fabrikam guest is imported from Contoso through MIM or through the B2B PowerShell script.

+4. A representation or ΓÇ£footprintΓÇ¥ of the Fabrikam guest user object (Guest#EXT#) is created in the on-premises directory, Contoso.com, through MIM or through the B2B PowerShell script.

+5. The guest user accesses the on-premises application, app.contoso.com.

+6. The authentication request is authorized through Application Proxy, using Kerberos constrained delegation.

+7. Because the guest user object exists locally, the authentication is successful.

+1. Delete the conflicting Contact object.

+2. Delete the guest user in the Azure portal (the user's "Invitation accepted" property should be in a pending state).

+3. Reinvite the guest user.

+4. Wait for the user to redeem invitation.

+5. Add the user's Contact email back into Exchange and any DLs they should be a part of.

+1. Select the **MDM policy - West** group.

+## July 2023

+### General Availability: Azure Active Directory (Azure AD) is being renamed.

+**Type:** Changed feature

+**Service category:** N/A

+**Product capability:** End User Experiences

+**No action is required from you, but you may need to update some of your own documentation.**

+Azure AD is being renamed to Microsoft Entra ID. The name change rolls out across all Microsoft products and experiences throughout the second half of 2023.

+Capabilities, licensing, and usage of the product isn't changing. To make the transition seamless for you, the pricing, terms, service level agreements, URLs, APIs, PowerShell cmdlets, Microsoft Authentication Library (MSAL) and developer tooling remain the same.

+Learn more and get renaming details: [New name for Azure Active Directory](../fundamentals/new-name.md).

+### General Availability - Include/exclude My Apps in Conditional Access policies

+**Type:** Fixed

+**Service category:** Conditional Access

+**Product capability:** End User Experiences

+My Apps can now be targeted in conditional access policies. This solves a top customer blocker. The functionality is available in all clouds. GA also brings a new app launcher, which improves app launch performance for both SAML and other app types.

+Learn More about setting up conditional access policies here: [Azure AD Conditional Access documentation](../conditional-access/index.yml).

+### General Availability - Conditional Access for Protected Actions

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** Identity Security & Protection

+Protected actions are high-risk operations, such as altering access policies or changing trust settings, that can significantly impact an organization's security. To add an extra layer of protection, Conditional Access for Protected Actions lets organizations define specific conditions for users to perform these sensitive tasks. For more information, see: [What are protected actions in Azure AD?](../roles/protected-actions-overview.md).

+### General Availability - Access Reviews for Inactive Users

+**Type:** New feature

+**Service category:** Access Reviews

+**Product capability:** Identity Governance

+This new feature, part of the Microsoft Entra ID Governance SKU, allows admins to review and address stale accounts that havenΓÇÖt been active for a specified period. Admins can set a specific duration to determine inactive accounts that weren't used for either interactive or non-interactive sign-in activities. As part of the review process, stale accounts can automatically be removed. For more information, see: [Microsoft Entra ID Governance Introduces Two New Features in Access Reviews](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-id-governance-introduces-two-new-features-in/ba-p/2466930).

+### General Availability - Automatic assignments to access packages in Microsoft Entra ID Governance

+**Type:** Changed feature

+**Service category:** Entitlement Management

+**Product capability:** Entitlement Management

+Microsoft Entra ID Governance includes the ability for a customer to configure an assignment policy in an entitlement management access package that includes an attribute-based rule, similar to dynamic groups, of the users who should be assigned access. For more information, see: [Configure an automatic assignment policy for an access package in entitlement management](../governance/entitlement-management-access-package-auto-assignment-policy.md).

+### General Availability - Custom Extensions in Entitlement Management

+**Type:** New feature

+**Service category:** Entitlement Management

+**Product capability:** Entitlement Management

+Custom extensions in Entitlement Management are now generally available, and allow you to extend the access lifecycle with your organization-specific processes and business logic when access is requested or about to expire. With custom extensions you can create tickets for manual access provisioning in disconnected systems, send custom notifications to additional stakeholders, or automate additional access-related configuration in your business applications such as assigning the correct sales region in Salesforce. You can also leverage custom extensions to embed external governance, risk, and compliance (GRC) checks in the access request.

+For more information, see:

+- [Microsoft Entra ID Governance Entitlement Management New Generally Available Capabilities](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-id-governance-entitlement-management-new/ba-p/2466929)

+- [Trigger Logic Apps with custom extensions in entitlement management](../governance/entitlement-management-logic-apps-integration.md)

+### General Availability - Conditional Access templates

+**Type:** Plan for change

+**Service category:** Conditional Access

+**Product capability:** Identity Security & Protection

+Conditional Access templates are predefined set of conditions and controls that provide a convenient method to deploy new policies aligned with Microsoft recommendations. Customers are assured that their policies reflect modern best practices for securing corporate assets, promoting secure, optimal access for their hybrid workforce. For more information, see: [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md).

+### General Availability - Lifecycle Workflows

+**Type:** New feature

+**Service category:** Lifecycle Workflows

+**Product capability:** Identity Governance

+User identity lifecycle is a critical part of an organizationΓÇÖs security posture, and when managed correctly, can have a positive impact on their usersΓÇÖ productivity for Joiners, Movers, and Leavers. The ongoing digital transformation is accelerating the need for good identity lifecycle management. However, IT and security teams face enormous challenges managing the complex, time-consuming, and error-prone manual processes necessary to execute the required onboarding and offboarding tasks for hundreds of employees at once. This is an ever present and complex issue IT admins continue to face with digital transformation across security, governance, and compliance.

+Lifecycle Workflows, one of our newest Microsoft Entra ID Governance capabilities is now generally available to help organizations further optimize their user identity lifecycle. For more information, see: [Lifecycle Workflows is now generally available!](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/lifecycle-workflows-is-now-generally-available/ba-p/2466931)

+### General Availability - Enabling extended customization capabilities for sign-in and sign-up pages in Company Branding capabilities.

+**Type:** New feature

+**Service category:** User Experience and Management

+**Product capability:** User Authentication

+Update the Microsoft Entra ID and Microsoft 365 sign in experience with new Company Branding capabilities. You can apply your companyΓÇÖs brand guidance to authentication experiences with predefined templates. For more information, see: [Company Branding](../fundamentals/how-to-customize-branding.md)

+### General Availability - Enabling customization capabilities for the Self-Service Password Reset (SSPR) hyperlinks, footer hyperlinks and browser icons in Company Branding.

+**Type:** Changed feature

+**Service category:** User Experience and Management

+**Product capability:** End User Experiences

+Update the Company Branding functionality on the Microsoft Entra ID/Microsoft 365 sign in experience to allow customizing Self Service Password Reset (SSPR) hyperlinks, footer hyperlinks, and a browser icon. For more information, see: [Company Branding](../fundamentals/how-to-customize-branding.md)

+### General Availability - User-to-Group Affiliation recommendation for group Access Reviews

+**Type:** New feature

+**Service category:** Access Reviews

+**Product capability:** Identity Governance

+This feature provides Machine Learning based recommendations to the reviewers of Azure AD Access Reviews to make the review experience easier and more accurate. The recommendation leverages machine learning based scoring mechanism and compares usersΓÇÖ relative affiliation with other users in the group, based on the organizationΓÇÖs reporting structure. For more information, see: [Review recommendations for Access reviews](../governance/review-recommendations-access-reviews.md) and [Introducing Machine Learning based recommendations in Azure AD Access reviews](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-machine-learning-based-recommendations-in-azure-ad/ba-p/2466923)

+### Public Preview - Inactive guest insights

+**Type:** New feature

+**Service category:** Reporting

+**Product capability:** Identity Governance

+Monitor guest accounts at scale with intelligent insights into inactive guest users in your organization. Customize the inactivity threshold depending on your organizationΓÇÖs needs, narrow down the scope of guest users you want to monitor and identify the guest users that may be inactive. For more information, see: [Monitor and clean up stale guest accounts using access reviews](../enterprise-users/clean-up-stale-guest-accounts.md).

+### Public Preview - Just-in-time application access with PIM for Groups

+**Type:** New feature

+**Service category:** Privileged Identity Management

+**Product capability:** Privileged Identity Management

+You can minimize the number of persistent administrators in applications such as [AWS](../saas-apps/aws-single-sign-on-provisioning-tutorial.md#just-in-time-jit-application-access-with-pim-for-groups-preview)/[GCP](../saas-apps/g-suite-provisioning-tutorial.md#just-in-time-jit-application-access-with-pim-for-groups-preview) and get JIT access to groups in AWS and GCP. While PIM for Groups is publicly available, weΓÇÖve released a public preview that integrates PIM with provisioning and reduces the activation delay from 40+ minutes to 1 ΓÇô 2 minutes.

+### Public Preview - Graph beta API for PIM security alerts on Azure AD roles

+**Type:** New feature

+**Service category:** Privileged Identity Management

+**Product capability:** Privileged Identity Management

+Announcing API support (beta) for managing PIM security alerts for Azure AD roles. [Azure Privileged Identity Management (PIM)](../privileged-identity-management/index.yml) generates alerts when there's suspicious or unsafe activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra. You can now manage these alerts using REST APIs. These alerts can also be [managed through the Azure portal](../privileged-identity-management/pim-resource-roles-configure-alerts.md). For more information, see: [unifiedRoleManagementAlert resource type](/graph/api/resources/unifiedrolemanagementalert).

+### General Availability - Reset Password on Azure Mobile App

+**Type:** New feature

+**Service category:** Other

+**Product capability:** End User Experiences

+The Azure mobile app has been enhanced to empower admins with specific permissions to conveniently reset their users' passwords. Self Service Password Reset won't be supported at this time. However, users can still more efficiently control and streamline their authentication methods. For more information, see: [What authentication and verification methods are available in Azure Active Directory?](../authentication/concept-authentication-methods.md).

+### Public Preview - API-driven inbound user provisioning

+**Type:** New feature

+**Service category:** Provisioning

+**Product capability:** Inbound to Azure AD

+With API-driven inbound provisioning, Microsoft Entra ID provisioning service now supports integration with any system of record. Customers and partners can use any automation tool of their choice to retrieve workforce data from any system of record for provisioning into Entra ID and connected on-premises Active Directory domains. The IT admin has full control on how the data is processed and transformed with attribute mappings. Once the workforce data is available in Entra ID, the IT admin can configure appropriate joiner-mover-leaver business processes using Entra ID Governance Lifecycle Workflows. For more information, see: [API-driven inbound provisioning concepts (Public preview)](../app-provisioning/inbound-provisioning-api-concepts.md).

+### Public Preview - Dynamic Groups based on EmployeeHireDate User attribute

+**Type:** New feature

+**Service category:** Group Management

+**Product capability:** Directory

+This feature enables admins to create dynamic group rules based on the user objects' employeeHireDate attribute. For more information, see: [Properties of type string](../enterprise-users/groups-dynamic-membership.md#properties-of-type-string).

+### General Availability - Enhanced Create User and Invite User Experiences

+**Type:** Changed feature

+**Service category:** User Management

+**Product capability:** User Management

+We have increased the number of properties admins are able to define when creating and inviting a user in the Entra admin portal, bringing our UX to parity with our Create User APIs. Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: [Add or delete users using Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).

+### General Availability - All Users and User Profile

+**Type:** Changed feature

+**Service category:** User Management

+**Product capability:** User Management

+The All Users list now features an infinite scroll, and admins can now modify more properties in the User Profile. For more information, see: [How to create, invite, and delete users](../fundamentals/how-to-create-delete-users.md).

+### Public Preview - Windows MAM

+**Type:** New feature

+**Service category:** Conditional Access

+**Product capability:** Identity Security & Protection

+“*When will you have MAM for Windows?*” is one of our most frequently asked customer questions. We’re happy to report that the answer is: “Now!” We’re excited to offer this new and long-awaited MAM Conditional Access capability in Public Preview for Microsoft Edge for Business on Windows.

+Using MAM Conditional Access, Microsoft Edge for Business provides users with secure access to organizational data on personal Windows devices with a customizable user experience. WeΓÇÖve combined the familiar security features of app protection policies (APP), Windows Defender client threat defense, and conditional access, all anchored to Azure AD identity to ensure un-managed devices are healthy and protected before granting data access. This can help businesses to improve their security posture and protect sensitive data from unauthorized access, without requiring full mobile device enrollment.

+The new capability extends the benefits of app layer management to the Windows platform via Microsoft Edge for Business. Admins are empowered to configure the user experience and protect organizational data within Microsoft Edge for Business on un-managed Windows devices.

+For more information, see: [Require an app protection policy on Windows devices (preview)](../conditional-access/how-to-app-protection-policy-windows.md).

+### General Availability - New Federated Apps available in Azure AD Application gallery - July 2023

+**Type:** New feature

+**Service category:** Enterprise Apps

+**Product capability:** 3rd Party Integration

+In July 2023 we've added the following 10 new applications in our App gallery with Federation support:

+[Gainsight SAML](../saas-apps/gainsight-saml-tutorial.md), [Dataddo](https://www.dataddo.com/), [Puzzel](https://www.puzzel.com/), [Worthix App](../saas-apps/worthix-app-tutorial.md), [iOps360 IdConnect](https://iops360.com/iops360-id-connect-azuread-single-sign-on/), [Airbase](../saas-apps/airbase-tutorial.md), [Couchbase Capella - SSO](../saas-apps/couchbase-capella-sso-tutorial.md), [SSO for Jama Connect®](../saas-apps/sso-for-jama-connect-tutorial.md), [mediment (メディメント)](https://mediment.jp/), [Netskope Cloud Exchange Administration Console](../saas-apps/netskope-cloud-exchange-administration-console-tutorial.md), [Uber](../saas-apps/uber-tutorial.md), [Plenda](https://app.plenda.nl/), [Deem Mobile](../saas-apps/deem-mobile-tutorial.md), [40SEAS](https://www.40seas.com/), [Vivantio](https://www.vivantio.com/), [AppTweak](https://www.apptweak.com/), [ioTORQ EMIS](https://www.iotorq.com/), [Vbrick Rev Cloud](../saas-apps/vbrick-rev-cloud-tutorial.md), [OptiTurn](../saas-apps/optiturn-tutorial.md), [Application Experience with Mist](https://www.mist.com/), [クラウド勤怠管理システムKING OF TIME](../saas-apps/cloud-attendance-management-system-king-of-time-tutorial.md), [Connect1](../saas-apps/connect1-tutorial.md), [DB Education Portal for Schools](../saas-apps/db-education-portal-for-schools-tutorial.md), [SURFconext](../saas-apps/surfconext-tutorial.md), [Chengliye Smart SMS Platform](../saas-apps/chengliye-smart-sms-platform-tutorial.md), [CivicEye SSO](../saas-apps/civic-eye-sso-tutorial.md), [Colloquial](../saas-apps/colloquial-tutorial.md), [BigPanda](../saas-apps/bigpanda-tutorial.md), [Foreman](https://foreman.mn/)

+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial.

+For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest

+### Public Preview - New provisioning connectors in the Azure AD Application Gallery - July 2023

+**Type:** New feature

+**Service category:** App Provisioning

+**Product capability:** 3rd Party Integration

+

+We've added the following new applications in our App gallery with Provisioning support. You can now automate creating, updating, and deleting of user accounts for these newly integrated apps:

+- [Albert](../saas-apps/albert-provisioning-tutorial.md)

+- [Rhombus Systems](../saas-apps/rhombus-systems-provisioning-tutorial.md)

+- [Axiad Cloud](../saas-apps/axiad-cloud-provisioning-tutorial.md)

+- [Dagster Cloud](../saas-apps/dagster-cloud-provisioning-tutorial.md)

+- [WATS](../saas-apps/wats-provisioning-tutorial.md)

+- [Funnel Leasing](../saas-apps/funnel-leasing-provisioning-tutorial.md)

+For more information about how to better secure your organization by using automated user account provisioning, see: [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).

+### General Availability - Microsoft Authentication Library for .NET 4.55.0

+**Type:** New feature

+**Service category:** Other

+**Product capability:** User Authentication

+Earlier this month we announced the release of [MSAL.NET 4.55.0](https://www.nuget.org/packages/Microsoft.Identity.Client/4.55.0), the latest version of the [Microsoft Authentication Library for the .NET platform](/entra/msal/dotnet/). The new version introduces support for user-assigned [managed identity](/entra/msal/dotnet/advanced/managed-identity) being specified through object IDs, CIAM authorities in the `WithTenantId` API, better error messages when dealing with cache serialization, and improved logging when using the [Windows authentication broker](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/wam).

+### General Availability - Microsoft Authentication Library for Python 1.23.0

+**Type:** New feature

+**Service category:** Other

+**Product capability:** User Authentication

+Earlier this month, the Microsoft Authentication Library team announced the release of [MSAL for Python version 1.23.0](https://pypi.org/project/msal/1.23.0/). The new version of the library adds support for better caching when using client credentials, eliminating the need to request new tokens repeatedly when cached tokens exist.

+To learn more about MSAL for Python, see: [Microsoft Authentication Library (MSAL) for Python](/entra/msal/python/).

+Privileged Identity Management for Groups is now generally available. With this feature, you have the ability to grant users just-in-time membership in a group, which in turn provides access to Azure Active Directory roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications. Through one activation, you can conveniently assign a combination of permissions across different applications and RBAC systems.

+The Privileged Identity Management (PIM) integration with Conditional Access authentication context is generally available. You can require users to meet various requirements during role activation such as:

+Hybrid IT Admins can now sync both Active Directory and Azure AD Directory Extensions using Azure AD Cloud Sync. This new capability adds the ability to dynamically discover the schema for both Active Directory and Azure Active Directory, thereby, allowing customers to map the needed attributes using Cloud Sync's attribute mapping experience. For more information, see: [Cloud Sync directory extensions and custom attribute mapping](../hybrid/cloud-sync/custom-attribute-mapping.md).

+We have increased the number of properties that admins are able to define when creating and inviting a user in the Entra admin portal. This brings our UX to parity with our Create User APIs. Additionally, admins can now add users to a group or administrative unit, and assign roles. For more information, see: [How to create, invite, and delete users](../fundamentals/how-to-create-delete-users.md).

+- Creating a review on inactive users with [use-to-group affiliation](review-recommendations-access-reviews.md#user-to-group-affiliation) recommendations requires a Microsoft Entra ID Governance license.

+1. In the **Select policy** list, select a policy that the users' future requests and lifecycle will be governed and tracked by. If you want the selected users to have different policy settings, you can select **Create new policy** to add a new policy.

+1. Once you select a policy, youΓÇÖll be able to Add users to select the users you want to assign this access package to, under the chosen policy.

+1. Optionally provide a justification for your direct assignment for record keeping.

+1. If the selected policy includes additional requestor information, select **View questions** to answer them on behalf of the users, then select **Save**.

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package in which you want to add a user.

+1. In the left menu, select **Assignments**.

+1. Select **New assignment** to open **Add user to access package**.

+1. In the **Select policy** list, select a policy that allows that is set to **For users not in your directory**

+1. Set the date and time you want the selected users' assignment to start and end. If an end date isn't provided, the policy's lifecycle settings will be used.

+1. Select **Add** to directly assign the selected users to the access package.

+1. After a few moments, select **Refresh** to see the users in the Assignments list.

+ CatalogId = $catalog.id

+ DisplayName = "sales reps"

+ Description = "outside sales representatives"

+ AccessPackageResourceRole = @{

+ OriginId = $rr[2].OriginId

+ DisplayName = $rr[2].DisplayName

+ OriginSystem = $rr[2].OriginSystem

+ AccessPackageResource = @{

+ Id = $rsc[0].Id

+ ResourceType = $rsc[0].ResourceType

+ OriginId = $rsc[0].OriginId

+ OriginSystem = $rsc[0].OriginSystem

+ }

+ }

+ AccessPackageResourceScope = @{

+ OriginId = $rsc[0].OriginId

+ OriginSystem = $rsc[0].OriginSystem

+ }

+ AccessPackageId = $ap.Id

+ DisplayName = "direct"

+ Description = "direct assignments by administrator"

+ AccessReviewSettings = $null

+ RequestorSettings = @{

+ ScopeType = "NoSubjects"

+ AcceptRequests = $true

+ AllowedRequestors = @(

+ )

+ }

+ RequestApprovalSettings = @{

+ IsApprovalRequired = $false

+ IsApprovalRequiredForExtension = $false

+ IsRequestorJustificationRequired = $false

+ ApprovalMode = "NoApproval"

+ ApprovalStages = @(

+ )

+ }

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left menu, select **Access packages** and then open the access package which users will request.

+1. In the left menu, select **Separation of duties**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left menu, select **Access packages** and then open the access package.

+1. In the left menu, select **Separation of duties**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left menu, select **Access packages** and then open the access package where you've configured another access package as incompatible.

+1. In the left menu, select **Separation of duties**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left menu, select **Access packages** and then open the access package where you'll be configuring incompatible assignments.

+1. In the left menu, select **Assignments**.

+1. In the left menu, select **Access packages** and then open the access package that you plan to indicate as incompatible.

+1. In the left menu, select **Assignments**.

+ AccessPackageId = $apid

+ DisplayName = "direct"

+ Description = "direct assignments by administrator"

+ AccessReviewSettings = $null

+ RequestorSettings = @{

+ ScopeType = "NoSubjects"

+ AcceptRequests = $true

+ AllowedRequestors = @(

+ )

+ }

+ RequestApprovalSettings = @{

+ IsApprovalRequired = $false

+ IsApprovalRequiredForExtension = $false

+ IsRequestorJustificationRequired = $false

+ ApprovalMode = "NoApproval"

+ ApprovalStages = @(

+ )

+ }

+1. In the bar at the top of the page, select **Accept recommendations**.

+1. Select **Submit** to accept the recommendations.

+1. Select the review that youΓÇÖd like to begin.

+1. Decide whether you still need access to the access package. For example, the project you're working on isn't complete, so you still need access to continue working on the project.

+1. Select **Yes** to keep your access or select **No** to remove your access.

+1. If you chose **Yes**, you may need to include a justification statement in the **Reason** box.

+1. Select **Submit**.

+1. Select the attribute type:

+1. Select the answer format you want requestors to use for their answer. Answer formats include **short text**, **multiple choice**, and **long text**.

+1. If you select multiple choice, select **Edit and localize** to configure the answer options.

+1. If you want to add localization, select **Add localization**.

+1. After all attribute information is completed on the **Require attributes** page, select **Save**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left menu, select **Access packages** and then open the access package with the user assignment you want to reprocess.

+1. Underneath **Manage** on the left side, select **Assignments**.

+1. Select all users whose assignments you wish to reprocess.

+1. Select **Reprocess**.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. In the left menu, click **Access packages** and then open the access package.

+1. Underneath **Manage** on the left side, click **Requests**.

+1. Select all users whose requests you wish to reprocess.

+1. Click **Reprocess**.

+1. Navigate to the Entra portal [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement)

+Example of usage within the workflow:

+```json

+ "category": "joiner",

+ "continueOnError": false,

+ "description": "Send welcome email to new hire",

+ "displayName": "Send Welcome Email",

+ "isEnabled": true,

+ "taskDefinitionId": "70b29d51-b59a-4773-9280-8841dfd3f2ea",

+ "arguments": [

+ {

+ "name": "cc",

+ "value": "e94ad2cd-d590-4b39-8e46-bb4f8e293f85,ac17d108-60cd-4eb2-a4b4-084cacda33f2"

+ },

+ {

+ "name": "customSubject",

+ "value": "Welcome to the organization {{userDisplayName}}!"

+ },

+ {

+ "name": "customBody",

+ "value": "Welcome to our organization {{userGivenName}} {{userSurname}}.\n\nFor more information, reach out to your manager {{managerDisplayName}} at {{managerEmail}}."

+ },

+ {

+ "name": "locale",

+ "value": "en-us"

+ }

+ ]

+Example of usage within the workflow:

+```json

+ "category": "joiner",

+ "continueOnError": false,

+ "description": "Send onboarding reminder email to user\u2019s manager",

+ "displayName": "Send onboarding reminder email",

+ "isEnabled": true,

+ "taskDefinitionId": "3C860712-2D37-42A4-928F-5C93935D26A1",

+ "arguments": [

+ {

+ "name": "cc",

+ "value": "e94ad2cd-d590-4b39-8e46-bb4f8e293f85,068fa0c1-fa00-4f4f-8411-e968d921c3e7"

+ },

+ {

+ "name": "customSubject",

+ "value": "Reminder: {{userDisplayName}} is starting soon"

+ },

+ {

+ "name": "customBody",

+ "value": "Hello {{managerDisplayName}}\n\nthis is a reminder that {{userDisplayName}} is starting soon.\n\nRegards\nYour IT department"

+ },

+ {

+ "name": "locale",

+ "value": "en-us"

+ }

+ ]

+Example of usage within the workflow:

+```json

+ "category": "joiner",

+ "continueOnError": false,

+ "description": "Generate Temporary Access Pass and send via email to user's manager",

+ "displayName": "Generate TAP and Send Email",

+ "isEnabled": true,

+ "taskDefinitionId": "1b555e50-7f65-41d5-b514-5894a026d10d",

+ "arguments": [

+ {

+ "name": "tapLifetimeMinutes",

+ "value": "480"

+ },

+ {

+ "name": "tapIsUsableOnce",

+ "value": "false"

+ },

+ {

+ "name": "cc",

+ "value": "068fa0c1-fa00-4f4f-8411-e968d921c3e7,9d208c40-7eb6-46ff-bebd-f30148c39b47"

+ },

+ {

+ "name": "customSubject",

+ "value": "Temporary access pass for your new employee {{userDisplayName}}"

+ },

+ {

+ "name": "customBody",

+ "value": "Hello {{managerDisplayName}}\n\nPlease find the temporary access pass for your new employee {{userDisplayName}} below:\n\n{{temporaryAccessPass}}\n\nRegards\nYour IT department"

+ },

+ {

+ "name": "locale",

+ "value": "en-us"

+ }

+ ]

+Example of usage within the workflow:

+```json

+ "category": "mover",

+ "continueOnError": false,

+ "description": "Send email to notify user\u2019s manager of user move",

+ "displayName": "Send email to notify manager of user move",

+ "isEnabled": true,

+ "taskDefinitionId": "aab41899-9972-422a-9d97-f626014578b7",

+ "arguments": [

+ {

+ "name": "cc",

+ "value": "ac17d108-60cd-4eb2-a4b4-084cacda33f2,7d3ee937-edcc-46b0-9e2c-f832e01231ea"

+ },

+ {

+ "name": "customSubject",

+ "value": "{{userDisplayName}} has moved"

+ },

+ {

+ "name": "customBody",

+ "value": "Hello {{managerDisplayName}}\n\nwe are reaching out to let you know {{userDisplayName}} has moved in the organization.\n\nRegards\nYour IT department"

+ },

+ {

+ "name": "locale",

+ "value": "en-us"

+ }

+ ]

+Example of usage within the workflow:

+```json

+ "category": "joiner,mover",

+ "continueOnError": false,

+ "description": "Request user assignment to selected access package",

+ "displayName": "Request user access package assignment",

+ "isEnabled": true,

+ "taskDefinitionId": "c1ec1e76-f374-4375-aaa6-0bb6bd4c60be",

+ "arguments": [

+ {

+ "name": "assignmentPolicyId",

+ "value": "00d6fd25-6695-4f4a-8186-e4c6f901d2c1"

+ },

+ {

+ "name": "accessPackageId",

+ "value": "2ae5d6e5-6cbe-4710-82f2-09ef6ffff0d0"

+ }

+ ]

+ "category": "leaver,mover",

+ "continueOnError": false,

+ "description": "Remove user assignment of selected access package",

+ "displayName": "Remove access package assignment for user",

+ "isEnabled": true,

+ "taskDefinitionId": "4a0b64f2-c7ec-46ba-b117-18f262946c50",

+ "arguments": [

+ {

+ "name": "accessPackageId",

+ "value": "2ae5d6e5-6cbe-4710-82f2-09ef6ffff0d0"

+ }

+ ]

+Example of usage within the workflow:

+```json

+ "category": "leaver",

+ "continueOnError": false,

+ "description": "Remove all access packages assigned to the user",

+ "displayName": "Remove all access package assignments for user",

+ "isEnabled": true,

+ "taskDefinitionId": "42ae2956-193d-4f39-be06-691b8ac4fa1d",

+ "arguments": []

+Example of usage within the workflow:

+```json

+ "category": "leaver",

+ "continueOnError": false,

+ "description": "Cancel all access package assignment requests pending for the user",

+ "displayName": "Cancel all pending access package assignment requests for user",

+ "isEnabled": true,

+ "taskDefinitionId": "498770d9-bab7-4e4c-b73d-5ded82a1d0b3",

+ "arguments": []

+Example of usage within the workflow:

+```

+ "category": "leaver",

+ "continueOnError": false,

+ "description": "Send offboarding email to userΓÇÖs manager before the last day of work",

+ "displayName": "Send email before userΓÇÖs last day",

+ "isEnabled": true,

+ "taskDefinitionId": "52853a3e-f4e5-4eb8-bb24-1ac09a1da935",

+ "arguments": [

+ {

+ "name": "cc",

+ "value": "068fa0c1-fa00-4f4f-8411-e968d921c3e7,e94ad2cd-d590-4b39-8e46-bb4f8e293f85"

+ },

+ {

+ "name": "customSubject",

+ "value": "Reminder that {{userDisplayName}}'s last day is coming up"

+ },

+ {

+ "name": "customBody",

+ "value": "Hello {{managerDisplayName}}\n\nthis is a reminder that {{userDisplayName}}'s last day is coming up.\n\nRegards\nYour IT department"

+ },

+ {

+ "name": "locale",

+ "value": "en-us"

+ }

+ ]

+Example of usage within the workflow:

+```json

+ "category": "leaver",

+ "continueOnError": false,

+ "description": "Send offboarding email to userΓÇÖs manager on the last day of work",

+ "displayName": "Send email on userΓÇÖs last day",

+ "isEnabled": true,

+ "taskDefinitionId": "9c0a1eaf-5bda-4392-9d9e-6e155bb57411",

+ "arguments": [

+ {

+ "name": "cc",

+ "value": "068fa0c1-fa00-4f4f-8411-e968d921c3e7,e94ad2cd-d590-4b39-8e46-bb4f8e293f85"

+ },

+ {

+ "name": "customSubject",

+ "value": "{{userDisplayName}}'s last day"

+ },

+ {

+ "name": "customBody",

+ "value": "Hello {{managerDisplayName}}\n\nthis is a reminder that {{userDisplayName}}'s last day is today and their access will be revoked.\n\nRegards\nYour IT department"

+ },

+ {

+ "name": "locale",

+ "value": "en-us"

+ }

+ ]

+Example of usage within the workflow:

+```json

+ "category": "leaver",

+ "continueOnError": false,

+ "description": "Send offboarding email to userΓÇÖs manager after the last day of work",

+ "displayName": "Send email after userΓÇÖs last day",

+ "isEnabled": true,

+ "taskDefinitionId": "6f22ddd4-b3a5-47a4-a846-0d7c201a49ce",

+ "arguments": [

+ {

+ "name": "cc",

+ "value": "ac17d108-60cd-4eb2-a4b4-084cacda33f2,7d3ee937-edcc-46b0-9e2c-f832e01231ea"

+ },

+ {

+ "name": "customSubject",

+ "value": "{{userDisplayName}}'s accounts will be deleted today"

+ },

+ {

+ "name": "customBody",

+ "value": "Hello {{managerDisplayName}}\n\nthis is a reminder that {{userDisplayName}} left the organization a while ago and today their disabled accounts will be deleted.\n\nRegards\nYour IT department"

+ },

+ {

+ "name": "locale",

+ "value": "en-us"

+ }

+ ]

+1. The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.

+2. [PowerShell RSAT modules](/windows-server/remote/remote-server-administration-tools) on a domain controller

+3. At least one domain controller in the domain must be running Windows Server 2012 or later.

+4. A domain joined server where the agent is being installed needs to be either Windows Server 2016 or later.

+ 1. Verify which version you should install. Most customers no longer need Azure AD Connect and can now use [Azure AD Cloud Sync](../cloud-sync/what-is-cloud-sync.md). Cloud sync is the next generation of sync tools to provision users and groups from AD into Azure AD. It features a lightweight agent and is fully managed from the cloud ΓÇô and it upgrades to newer versions automatically, so you never have to worry about upgrading again!

+ 2. If you're not yet eligible for Azure AD Cloud Sync, please follow this [link to download](https://www.microsoft.com/download/details.aspx?id=47594) and install the latest version of Azure AD Connect. In most cases, upgrading to the latest version will only take a few moments. For more information, see [Upgrading Azure AD Connect from a previous version.](how-to-upgrade-previous-version.md).

+1. Run Azure AD Connect. In the **Additional tasks** page, select **Configure device options**. Click **Next**.

+2. After providing the credentials for Azure AD, you can chose the operation to be performed on the Device options page.

+1. Connect Health for AD FS installed and updated to the latest agent.

+2. A Log Analytics Workspace with the ΓÇ£ADFSSignInLogsΓÇ¥ stream enabled.

+3. Permissions to use the Azure AD Monitor Workbooks. To use Workbooks, you need:

+1. In the Azure portal, search for ΓÇ£MonitorΓÇ¥ in the search bar to navigate to the Azure ΓÇ£MonitorΓÇ¥ service. Select ΓÇ£AlertsΓÇ¥ from the left menu, then ΓÇ£+ New alert ruleΓÇ¥.

+2. On the ΓÇ£Create alert ruleΓÇ¥ blade:

+1. Start at the Azure Active Directory Connect health blade and select **Sync Services** from the left-hand navigation bar.

+2. Click on the **Alerts** tile.</br>

+3. Click on **Notification Settings**.

+4. On the **Notification Setting** blade, you will find the list of email addresses that have been enabled as recipients for health Alert notifications.

+1. Starting on the Azure Active Directory Health blade, select **Sync Errors**.

+2. In the **Sync Errors** blade, click on **Export**. This will export a list of the recorded sync errors.

+1. Check the **Diagnose status** column. The status shows if there's a possible way to fix a sync error directly from Azure Active Directory. In other words, a troubleshooting flow exists that can narrow down the error case and potentially fix it.

+1. Create the necessary computer account in your on-premises instance of Active Directory.

+2. Configure the intranet zone of the client machines to support single sign-on.

+1. Open the Group Policy management tools.

+2. Edit the group policy that will be applied to all users. For example, the Default Domain policy.

+3. Go to **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Security Page**. Then select **Site to Zone Assignment List**.

+4. Enable the policy. Then, in the dialog box, enter a value name of `https://autologon.microsoftazuread-sso.com` and value of `1`. Your setup should look like the following image.

+6. Select **OK** twice.

+1. Download Azure AD Connect installer (AzureADConnect.MSI) to the Windows server. Double-click the Azure AD Connect installer to start installing Azure AD Connect.

+2. Once the MSI installation completes, the Azure AD Connect wizard starts with the Express mode setup. Close the screen by clicking the Exit icon.

+3. Start a new command prompt or PowerShell session. Navigate to folder "C:\Program Files\Microsoft Azure Active Directory Connect". Run command .\AzureADConnect.exe /useexistingdatabase to start the Azure AD Connect wizard in ΓÇ£Use existing databaseΓÇ¥ setup mode.

+2. **Ensure high availability**: If not completed previously, install a second standalone Authentication Agent to provide high availability for sign-in requests, using these [instructions](how-to-connect-pta-quick-start.md#step-4-ensure-high-availability).

+1. Upon request, extract data for a person and remove data from that person from the installations.

+2. Ensure no data is retained beyond 48 hours.

+1. Save the script in a file with the ".PS1" extension.

+2. Open **Control Panel** and click on **System and Security**.

+3. Under the **Administrative Tools** heading, click on ΓÇ£**Schedule Tasks**ΓÇ¥.

+4. In **Task Scheduler**, right-click on “**Task Schedule Library**” and click on “**Create Basic task…**”.

+5. Enter the name for the new task and click **Next**.

+6. Select ΓÇ£**Daily**ΓÇ¥ for the **Task Trigger** and click **Next**.

+7. Set the recurrence to two days and click **Next**.

+8. Select ΓÇ£**Start a program**ΓÇ¥ as the action and click **Next**.

+9. Type ΓÇ£**PowerShell**ΓÇ¥ in the box for the Program/script, and in box labeled ΓÇ£**Add arguments (optional)**ΓÇ¥, enter the full path to the script that you created earlier, then click **Next**.

+10. The next screen shows a summary of the task you are about to create. Verify the values and click **Finish** to create the task:

+1. Upon request, extract data for a person and remove data from that person from the installations.

+2. Ensure no data is retained beyond 48 hours.

+1. Disable the sync scheduler and verify there is no synchronization in progress.

+2. Add the source attribute to the on-premises AD Connector schema.

+3. Add the UserType to the Azure AD Connector schema.

+4. Create an inbound synchronization rule to flow the attribute value from on-premises Active Directory.

+5. Create an outbound synchronization rule to flow the attribute value to Azure AD.

+6. Run a full synchronization cycle.

+7. Enable the sync scheduler.

+ [Parameter(Mandatory=$true, HelpMessage="Must be a file generated using csexport 'Name of Connector' export.xml /f:x)")]

+ [string]$xmltoimport="%temp%\exportedStage1a.xml",

+ [Parameter(Mandatory=$false, HelpMessage="Maximum number of users per output file")][int]$batchsize=1000,

+ [Parameter(Mandatory=$false, HelpMessage="Show console output")][bool]$showOutput=$false

+ do 

+ {

+ #create the object placeholder

+ #adding them up here means we can enforce consistency

+ $objOutputUser=New-Object psobject

+ Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name ID -Value ""

+ Add-Member -InputObject $objOutputUser -MemberType NoteProperty -Name Type -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name DN -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name operation -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name UPN -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name displayName -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name sourceAnchor -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name alias -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name primarySMTP -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name onPremisesSamAccountName -Value ""

+ Add-Member -inputobject $objOutputUser -MemberType NoteProperty -Name mail -Value ""

+ $user = [System.Xml.Linq.XElement]::ReadFrom($reader)

+ if ($showOutput) {Write-Host Found an exported object... -ForegroundColor Green}

+ #object id

+ $outID=$user.Attribute('id').Value

+ if ($showOutput) {Write-Host ID: $outID}

+ $objOutputUser.ID=$outID

+ #object type

+ $outType=$user.Attribute('object-type').Value

+ if ($showOutput) {Write-Host Type: $outType}

+ $objOutputUser.Type=$outType

+ #dn

+ $outDN= $user.Element('unapplied-export').Element('delta').Attribute('dn').Value

+ if ($showOutput) {Write-Host DN: $outDN}

+ $objOutputUser.DN=$outDN

+ #operation

+ $outOperation= $user.Element('unapplied-export').Element('delta').Attribute('operation').Value

+ if ($showOutput) {Write-Host Operation: $outOperation}

+ $objOutputUser.operation=$outOperation

+ #now that we have the basics, go get the details

+ foreach ($attr in $user.Element('unapplied-export-hologram').Element('entry').Elements("attr"))

+ {

+ $attrvalue=$attr.Attribute('name').Value

+ $internalvalue= $attr.Element('value').Value

+ switch ($attrvalue)

+ {

+ "userPrincipalName"

+ {

+ if ($showOutput) {Write-Host UPN: $internalvalue}

+ $objOutputUser.UPN=$internalvalue

+ }

+ "displayName"

+ {

+ if ($showOutput) {Write-Host displayName: $internalvalue}

+ $objOutputUser.displayName=$internalvalue

+ }

+ "sourceAnchor"

+ {

+ if ($showOutput) {Write-Host sourceAnchor: $internalvalue}

+ $objOutputUser.sourceAnchor=$internalvalue

+ }

+ "alias"

+ {

+ if ($showOutput) {Write-Host alias: $internalvalue}

+ $objOutputUser.alias=$internalvalue

+ }

+ "proxyAddresses"

+ {

+ if ($showOutput) {Write-Host primarySMTP: ($internalvalue -replace "SMTP:","")}

+ $objOutputUser.primarySMTP=$internalvalue -replace "SMTP:",""

+ }

+ }

+ }

+ $objOutputUsers += $objOutputUser

+ Write-Progress -activity "Processing ${xmltoimport} in batches of ${batchsize}" -status "Batch ${outputfilecount}: " -percentComplete (($objOutputUsers.Count / $batchsize) * 100)

+ #every so often, dump the processed users in case we blow up somewhere

+ if ($count % $batchsize -eq 0)

+ {

+ Write-Host Hit the maximum users processed without completion... -ForegroundColor Yellow

+ #export the collection of users as a CSV

+ Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow

+ $objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation

+ #increment the output file counter

+ $outputfilecount+=1

+ #reset the collection and the user counter

+ $objOutputUsers = $null

+ $count=0

+ }

+ $count+=1

+ #need to bail out of the loop if no more users to process

+ if ($reader.NodeType -eq [System.Xml.XmlNodeType]::EndElement)

+ {

+ break

+ }

+ } while ($reader.Read)

+ #need to write out any users that didn't get picked up in a batch of 1000

+ #export the collection of users as CSV

+ Write-Host Writing processedusers${outputfilecount}.csv -ForegroundColor Yellow

+ $objOutputUsers | Export-Csv -path processedusers${outputfilecount}.csv -NoTypeInformation

+3. Let the sync engine run full import and full synchronization on your staging server.

+- mailNickName: &lt;not set&gt;

+- proxyAddresses: {SMTP:us1@contoso.com}

+- mail: us2@contoso.com

+- userPrincipalName: us3@contoso.com

+- MailNickName : us1

+- UserPrincipalName: us1@contoso.onmicrosoft.com

+- mailNickName: us4

+- proxyAddresses: {SMTP:us1@contoso.com}

+- mail: us2@contoso.com

+- userPrincipalName: us3@contoso.com

+- MailNickName: us4

+- UserPrincipalName: us1@contoso.onmicrosoft.com

+- mailNickName: us4

+- proxyAddresses: {SMTP:us1@contoso.com}

+- mail: us2@contoso.com

+- userPrincipalName: us5@contoso.com

+- MailNickName: us4

+- UserPrincipalName: us4@contoso.onmicrosoft.com

+- mailNickName: us4

+- proxyAddresses: {SMTP:us6@contoso.com}

+- mail: us7@contoso.com

+- userPrincipalName: us5@contoso.com

+- MailNickName: us4

+- UserPrincipalName: us4@contoso.onmicrosoft.com

+- mailNickName: us4

+- proxyAddresses: {SMTP:us6@contoso.com}

+- mail: us7@contoso.com

+- userPrincipalName: us5@verified.contoso.com

+- MailNickName: us4

+- UserPrincipalName: us5@verified.contoso.com

+1. Upon request, extract data for a person and remove data from that person from the installations

+2. Ensure no data is retained beyond 48 hours.

+1. Data about a person in the **Azure AD Connect database**

+2. Data in the **Windows Event log** files that may contain information about a person

+3. Data in the **Azure AD Connect installation log files** that may contain about a person

+1. Delete the contents of the folder that contains the Azure AD Connect installation log files on a regular basis ΓÇô at least every 48 hours

+2. This product may also create Event Logs. To learn more about Event Logs logs, please see the [documentation here](/windows/win32/wes/windows-event-log).

+1. Save the script in a file with the extension **&#46;PS1**, then open the Control Panel and click on **Systems and Security**.

+2. Under the Administrative Tools heading, click on **Schedule Tasks**.

+3. In Task Scheduler, right click on **Task Schedule Library** and click on **Create Basic task…**

+4. Enter the name for the new task and click **Next**.

+5. Select **Daily** for the task trigger and click on **Next**.

+6. Set the recurrence to **2 days** and click **Next**.

+7. Select **Start a program** as the action and click on **Next**.

+8. Type **PowerShell** in the box for the Program/script, and in box labeled **Add arguments (optional)**, enter the full path to the script that you created earlier, then click **Next**.

+9. The next screen shows a summary of the task you are about to create. Verify the values and click **Finish** to create the task.

+### Step 1. Disable sync scheduler and verify there is no synchronization in progress

+### Step 2. Find the existing outbound sync rule for userCertificate attribute

+### Step 4. Verify the new sync rule on an existing object with LargeObject error

+3. In the Connector Space Object Properties pop-up screen, click on the **Preview** button.

+### Step 5. Apply the new sync rule to remaining objects with LargeObject error

+### Step 6. Verify there are no unexpected changes waiting to be exported to Azure AD

+### Step 7. Export the changes to Azure AD

+### Step 8. Re-enable sync scheduler

+1. Inventory credentials assigned to the risky workload identity, whether for the service principal or application objects.

+1. Remediate any Azure KeyVault secrets that the Service Principal has access to by rotating them.

+1. **Create an equivalent** [user risk-based](#user-risk-policy-in-conditional-access) and [sign-in risk-based ](#sign-in-risk-policy-in-conditional-access) policy in Conditional Access in report-only mode. You can create a policy with the steps above or using [Conditional Access templates](../conditional-access/concept-conditional-access-policy-common.md) based on Microsoft's recommendations and your organizational requirements.

+1. **Enable** the new Conditional Access risk policy. You can choose to have both policies running side-by-side to confirm the new policies are working as expected before turning off the Identity Protection risk policies.

+1. **Disable** the old risk policies in Identity Protection.

+1. Create other risk policies if needed in [Conditional Access](../conditional-access/concept-conditional-access-policy-common.md).

+1. Attack Activity

+1. Admin Remediation Activity

+1. Self-Remediation Activity

+1. New High-Risk Users

+ Tags = @(

+ "HR"

+ "Payroll"

+ "HideApp"

+ )

+ Info = @{

+ LogoUrl = "https://cdn.pixabay.com/photo/2016/03/21/23/25/link-1271843_1280.png"

+ MarketingUrl = "https://www.contoso.com/app/marketing"

+ PrivacyStatementUrl = "https://www.contoso.com/app/privacy"

+ SupportUrl = "https://www.contoso.com/app/support"

+ TermsOfServiceUrl = "https://www.contoso.com/app/termsofservice"

+ }

+ Web = @{

+ HomePageUrl = "https://www.contoso.com/"

+ LogoutUrl = "https://www.contoso.com/frontchannel_logout"

+ RedirectUris = @(

+ "https://localhost"

+ )

+ }

+ ServiceManagementReference = "Owners aliases: Finance @ contosofinance@contoso.com; The Phone Company HR consulting @ hronsite@thephone-company.com;"

+1. Sign in to the [Azure portal](https://portal.azure.com) with the appropriate role.

+2. Select **Azure Active Directory** in Azure Services, and then select **Enterprise applications**.

+3. Search for and select the application that you want to add linked SSO.

+4. Select **Single sign-on** and then select **Linked**.

+5. Enter the URL for the sign-in page of the application.

+6. Select **Save**.

+1. Sign in to the [Azure portal](https://portal.azure.com) with the appropriate role.

+1. Select **Azure Active Directory** in Azure Services, and then select **Enterprise applications**.

+1. Search for and select the application that you want to add password-based SSO.

+1. Select **Single sign-on** and then select **Password-based**.

+1. Enter the URL for the sign-in page of the application.

+1. Select **Save**.

+4. In **Security Settings**, from the **Assertion Decryption Private Key** list, select **Create New**.

+5. Select **OK**.

+6. The **Import SSL Certificate and Keys** dialog appears.

+7. For **Import Type**, select **PKCS 12 (IIS)**. This action imports the certificate and private key.

+8. For **Certificate and Key Name**, select **New** and enter the input.

+9. Enter the **Password**.

+10. Select **Import**.

+11. Close the browser tab to return to the main tab.

+12. Check the box for **Enable Encrypted Assertion**.

+13. If you enabled encryption, from the **Assertion Decryption Private Key** list, select the certificate. BIG-IP APM uses this certificate private key to decrypt Azure AD assertions.

+14. If you enabled encryption, from the **Assertion Decryption Certificate** list, select the certificate. BIG-IP uploads this certificate to Azure AD to encrypt the issued SAML assertions.

+1. On the **Conditional Access Policy** tab, in the **Available Policies** list, select a policy.

+2. Select the **right arrow** and move it to the **Selected Policies** list.

+5. Select **OK**.

+6. The **Import SSL Certificate and Keys** dialog appears in a new tab.

+7. To import the certificate and private key, select **PKCS 12 (IIS)**.

+8. Close the browser tab to return to the main tab.

+9. For **Enable Encrypted Assertion**, check the box.

+1. From the **Available Policies** list, select the policy.

+2. Select the right arrow.

+3. Move the policy to the **Selected Policies** list.

+13. Repeat steps to create an **SSL server certificate profile**.

+14. From the top ribbon, select **SSL** > **Server** > **Create**.

+15. In the **New Server SSL Profile** page, enter a unique, friendly **Name**.

+16. Ensure the Parent profile is set to **serverssl**.

+17. Select the far-right check box for the **Certificate** and **Key** rows

+18. From the **Certificate** and **Key** drop-down lists, select your imported certificate.

+19. Select **Finished**.

+ ```http

+ ```http

+1. Select the logs that you would like to send to the workspace.

+1. Select **Save** to save the setting.

+1. Create, if not exist, a new built-in user-assigned managed identity in the subscription and each Azure region based on the VMs that are in scope of the policy.

+2. Once created, put a lock on the user-assigned managed identity so that it will not be accidentally deleted.

+3. Assign the built-in user-assigned managed identity to Virtual Machines from the subscription and region based on the VMs that are in scope of the policy.

+ "totalCount": 2,

+ "value": [

+ {

+ "id": "/subscriptions/{subId}/resourceGroups/testrg/providers/Microsoft.CognitiveServices/accounts/test1",

+ "name": "test1",

+ "type": "microsoft.cognitiveservices/accounts",

+ "resourceGroup": "testrg",

+ "subscriptionId": "{subId}",

+ "subscriptionDisplayName": "TestSubscription"

+ },

+ {

+ "id": "/subscriptions/{subId}/resourceGroups/testrg/providers/Microsoft.CognitiveServices/accounts/test2",

+ "name": "test2",

+ "type": "microsoft.cognitiveservices/accounts",

+ "resourceGroup": "testrg",

+ "subscriptionId": "{subId}",

+ "subscriptionDisplayName": "TestSubscription"

+ }

+ ],

+ "nextLink": "https://management.azure.com/subscriptions/{subId}/resourceGroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testid?skiptoken=ew0KICAiJGlkIjogIjEiLA0KICAiTWF4Um93cyI6IDIsDQogICJSb3dzVG9Ta2lwIjogMiwNCiAgIkt1c3RvQ2x1c3RlclVybCI6ICJodHRwczovL2FybXRvcG9sb2d5Lmt1c3RvLndpbmRvd3MubmV0Ig0KfQ%253d%253d&api-version=2021"

+2. Select **Sign-in logs** from the **Monitoring** section.

+5. To view the identity's Enterprise application in Azure Active Directory, select the ΓÇ£Managed Identity IDΓÇ¥ column.

+6. To view the Azure resource or user-assigned managed identity, search by name in the search bar of the Azure portal.

+1. In the portal, navigate to **Virtual Machines** and go to your Windows virtual machine and in the **Overview**, select **Connect**.

+2. Enter in your **Username** and **Password** for which you added when you created the Windows VM.

+3. Now that you've created a **Remote Desktop Connection** with the virtual machine, open **PowerShell** in the remote session.

+4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identity for Azure resources endpoint to get an access token for Azure Resource Manager.

+1. Make active assignments of users to the group, and then assign the group to a role as eligible for activation.

+2. Make active assignment of a role to a group and assign users to be eligible to group membership.

+1. Select **Activate**.

+1. If the assignment should be permanent (permanently eligible or permanently assigned), select the **Permanently** checkbox. Depending on the group's settings, the check box might not appear or might not be editable. For more information, check out the [Configure PIM for Groups settings in Privileged Identity Management](groups-role-settings.md#assignment-duration) article.

+1. Select **Assign**.

+1. Select **Update** or **Remove** to update or remove the membership or ownership assignment.

+1. Filter the history using a predefined date or custom range.

+1. Filter the history using a predefined date or custom range.

+1. Select **Discover groups** and select a group that you want to bring under management with PIM.

+6. Reproduce the sign-in error that was seen before.

+1. In the Azure portal, go to **Sign-in logs** > **Add Filters**.

+1. From the **Pick a field** menu, select **Flagged for review** and **Apply**.

+1. All events that were flagged by users are shown.

+1. If needed, apply more filters to refine the event view.

+1. Select the event to review what happened.

+1. Ensure that notification through mobile app and/or verification code from mobile app are available to users as authentication methods. How to Configure Verification Options

+2. Educate users on how to add a work or school account.

+2. Require MFA using a Conditional Access policy.

+|EntitlementManagement|Administrator directly assigns user to access package|

+|EntitlementManagement|Create access package assignment user update request|

+|EntitlementManagement|Create connected organization|

+ Title: Azure Active Directory SSO integration with Acoustic Connect

+description: Learn how to configure single sign-on between Azure Active Directory and Acoustic Connect.

+# Azure Active Directory SSO integration with Acoustic Connect

+In this article, you'll learn how to integrate Acoustic Connect with Azure Active Directory (Azure AD). Acoustic Connect is platform that helps you create marketing campaigns that resonate with people, build a loyal following, and drive revenue. When you integrate Acoustic Connect with Azure AD, you can:

+* Control in Azure AD who has access to Acoustic Connect.

+* Enable your users to be automatically signed-in to Acoustic Connect with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Acoustic Connect in a test environment. Acoustic Connect supports both **SP** and **IDP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with Acoustic Connect, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Acoustic Connect single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Acoustic Connect application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Acoustic Connect from the Azure AD gallery

+Add Acoustic Connect from the Azure AD application gallery to configure single sign-on with Acoustic Connect. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Acoustic Connect** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://www.okta.com/saml2/service-provider/<Acoustic_ID>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://login.goacoustic.com/sso/saml2/<ID>`

+1. Perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign on URL** textbox, type the URL:

+ `https://login.goacoustic.com/`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Acoustic Connect support team](mailto:support@acoustic.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Acoustic Connect** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Acoustic Connect SSO

+To configure single sign-on on **Acoustic Connect** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Acoustic Connect support team](mailto:support@acoustic.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Acoustic Connect test user

+In this section, a user called B.Simon is created in Acoustic Connect. Acoustic Connect supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Acoustic Connect, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Acoustic Connect Sign-on URL where you can initiate the login flow.

+* Go to Acoustic Connect Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Acoustic Connect for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Acoustic Connect tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Acoustic Connect for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Acoustic Connect you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with CloudBees CI

+description: Learn how to configure single sign-on between Azure Active Directory and CloudBees CI.

+# Azure Active Directory SSO integration with CloudBees CI

+In this article, you'll learn how to integrate CloudBees CI with Azure Active Directory (Azure AD). Centralize management, ensure compliance, and automate at scale with CloudBees CI - the secure, scalable, and flexible CI solution based on Jenkins. When you integrate CloudBees CI with Azure AD, you can:

+* Control in Azure AD who has access to CloudBees CI.

+* Enable your users to be automatically signed-in to CloudBees CI with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for CloudBees CI in a test environment. CloudBees CI supports only **SP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with CloudBees CI, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* CloudBees CI single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the CloudBees CI application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add CloudBees CI from the Azure AD gallery

+Add CloudBees CI from the Azure AD application gallery to configure single sign-on with CloudBees CI. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **CloudBees CI** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `<Customer_EntityID>`

+ b. In the **Reply URL** textbox, type a URL using one of the following patterns:

+ | **Reply URL** |

+ ||

+ | `https://<CustomerDomain>/cjoc/securityRealm/finishLogin` |

+ | `https://<CustomerDomain>/<Environment>/securityRealm/finishLogin` |

+ | `https://cjoc.<CustomerDomain>/securityRealm/finishLogin` |

+ | `https://<Environment>.<CustomerDomain>/securityRealm/finishLogin` |

+1. Perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign on URL** textbox, type the URL using one of the following patterns:

+ | **Sign on URL** |

+ ||

+ | `https://<CustomerDomain>/cjoc` |

+ | `https://<CustomerDomain>/<Environment>` |

+ | `https://cjoc.<CustomerDomain>` |

+ | `https://<Environment>.<CustomerDomain>` |

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [CloudBees CI support team](mailto:support@cloudbees.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. CloudBees CI application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, CloudBees CI application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | username | user.userprincipalname |

+ | displayname | user.givenname |

+ | groups | user.groups |

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up CloudBees CI** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure CloudBees CI SSO

+To configure single sign-on on **CloudBees CI** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [CloudBees CI support team](mailto:support@cloudbees.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create CloudBees CI test user

+In this section, you create a user called Britta Simon at CloudBees CI SSO. Work with [CloudBees CI support team](mailto:support@cloudbees.com) to add the users in the CloudBees CI SSO platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to CloudBees CI Sign-on URL where you can initiate the login flow.

+* Go to CloudBees CI Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the CloudBees CI tile in the My Apps, this will redirect to CloudBees CI Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure CloudBees CI you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with KanbanBOX

+description: Learn how to configure single sign-on between Azure Active Directory and KanbanBOX.

+# Azure Active Directory SSO integration with KanbanBOX

+In this article, you'll learn how to integrate KanbanBOX with Azure Active Directory (Azure AD).KanbanBOX digitizes kanban material flows along the Supply Chain. KanbanBOX supports internal production and logistic flows, as well as collaboration with external suppliers and customers. When you integrate KanbanBOX with Azure AD, you can:

+* Control in Azure AD who has access to KanbanBOX.

+* Enable your users to be automatically signed-in to KanbanBOX with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for KanbanBOX in a test environment. KanbanBOX supports both **SP** and **IDP** initiated single sign-on.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with KanbanBOX, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* KanbanBOX single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the KanbanBOX application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add KanbanBOX from the Azure AD gallery

+Add KanbanBOX from the Azure AD application gallery to configure single sign-on with KanbanBOX. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **KanbanBOX** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.

+ In the **Relay State** textbox, type the URL:

+ `https://app.kanbanbox.com/auth/idp_initiated_sso_login`

+1. Perform the following step, if you wish to configure the application in **SP** initiated mode:

+ In the **Sign on URL** textbox, type the URL:

+ `https://app.kanbanbox.com/auth/login`

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up KanbanBOX** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure KanbanBOX SSO

+To configure single sign-on on **KanbanBOX** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [KanbanBOX support team](mailto:help@kanbanbox.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create KanbanBOX test user

+In this section, you create a user called Britta Simon at KanbanBOX SSO. Work with [KanbanBOX support team](mailto:help@kanbanbox.com) to add the users in the KanbanBOX SSO platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to KanbanBOX Sign-on URL where you can initiate the login flow.

+* Go to KanbanBOX Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the KanbanBOX for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the KanbanBOX tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the KanbanBOX for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure KanbanBOX you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+1. On the **Basic SAML Configuration** section, the user doesn't have to perform any step as the app is already preintegrated with Azure.

+ > This value is not real. Update this value with the actual Sign on URL. You can collect `Integration_ID` from your WhosOff account when activating Azure SSO which is explained later in this tutorial. For any queriers, please contact [WhosOff support team](mailto:support@whosoff.com). You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Log in to your WhosOff company site as an administrator.

+1. Go to **ADMINISTRATION** on the left hand menu and click **COMPANY SETTINGS** > **Single Sign On**.

+1. In the **Setup Single Sign On** section, perform the following steps:

+

+ 

+ 1. Select **Azure** SSO provider from the drop-down and click **Active SSO**.

+ 1. Once activated, copy the **Integration GUID** and save it on your computer.

+ 1. Upload **Federation Metadata XML** file by clicking on the **Choose File** option, which you have downloaded from the Azure portal.

+ 1. Click **Save changes**.

+ var input = contractid + claimvalue;

+ byte[] inputasbytes = Encoding.UTF8.GetBytes(input);

+ hashedsearchclaimvalue = Convert.ToBase64String(sha256.ComputeHash(inputasbytes));

+1. Download or clone the Android Wallet Library [github repo](https://github.com/microsoft/entra-verifiedid-wallet-library-android/archive/refs/heads/dev.zip).

+1. Start Android Studio and open the parent folder of walletlibrarydemo

+1. Select **Build** menu and then **Make Project**. This step takes some time.

+1. Connect your Android test device via USB cable to your laptop

+1. Select your test device in Android Studio and click **run** button (green triangle)

+1. Start the WalletLibraryDemo app

+1. On your laptop, launch the public demo website [https://aka.ms/vcdemo](https://aka.ms/vcdemo) and do the following

+1. Scan the QR code with your QR Code Reader app on your test device, then copy the full URL displayed in the QR Code Reader app. Remember the pin code.

+1. Switch back to WalletLibraryDemo app and paste in the URL from the clipboard

+1. Press **CREATE REQUEST** button

+1. When the app has downloaded the request, it shows a screen like below. Click on the white rectangle, which is a textbox, and enter the pin code that is displayed in the browser page. Then click the **COMPLETE** button.

+1. Once issuance completes, the demo app displays the claims in the credential

+1. The WalletLibraryDemo app should display some credential details on the home screen if you have successfully issued a credential.

+1. In the Woodgrove demo in the browser, click **Return to Woodgrove** if you havenΓÇÖt done so already and continue with step 3 **Access personalized portal**.

+1. Scan the QR code with the QR Code Reader app on your test device, then copy the full URL to the clipboard.

+1. Switch back to the WalletLibraryDemo app and paste in the URL and click **CREATE REQUEST** button

+1. The app retrieves the presentation request and display the matching credentials you have in memory. In this case you only have one. **Click on it** so that the little check mark appears, then click the **COMPLETE** button to submit the presentation response

+1. Download or clone the iOS Wallet Library [github repo](https://github.com/microsoft/entra-verifiedid-wallet-library-ios/archive/refs/heads/dev.zip).

+1. Start Xcode and open the top level folder for the WalletLibrary

+1. Set focus on WalletLibraryDemo project

+1. Change the Team ID to your [Apple Developer Team ID](https://developer.apple.com/help/account/manage-your-team/locate-your-team-id).

+1. Select Product menu and then **Build**. This step takes some time.

+1. Connect your iOS test device via USB cable to your laptop

+1. Select your test device in Xcode

+1. Select Product menu and then **Run** or click on run triangle

+1. Start the WalletLibraryDemo app

+1. On your laptop, launch the public demo website [https://aka.ms/vcdemo](https://aka.ms/vcdemo) and do the following

+1. Scan the QR code with your QR Code Reader app on your test device, then copy the full URL displayed in the QR Code Reader app. Remember the pin code.

+1. Switch back to WalletLibraryDemo app and paste in the URL from the clipboard

+1. Press **Create Request** button

+1. When the app has downloaded the request, it shows a screen like below. Click on the **Add Pin** text to go to a screen where you can input the pin code, then click **Add** button to get back and finally click the **Complete** button.

+1. Once issuance completes, the demo app displays the claims in the credential.

+1. The WalletLibraryDemo app should display credential type name on the home screen if you have successfully issued a credential.

+1. In the Woodgrove demo in the browser, click **Return to Woodgrove** if you havenΓÇÖt done so already and continue with step 3 **Access personalized portal**.

+1. Scan the QR code with the QR Code Reader app on your test device, then copy the full URL to the clipboard.

+1. Switch back to the WalletLibraryDemo app, ***clear the previous request*** from the textbox, paste in the URL and click **Create Request** button

+1. The app retrieves the presentation request and display the matching credentials you have in memory. In this case you only have one. **Click on it** so that the little check mark switches from blue to green, then click the **Complete** button to submit the presentation response

+- Access to the BYOS-enabled Speech resource is allowed using the resource [system assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md).

+- Access to the BYOS-enabled Speech resource is allowed using the resource [system assigned managed identity](../../active-directory/managed-identities-azure-resources/overview.md) and [User delegation SAS](../../storage/common/storage-sas-overview.md#user-delegation-sas).

+- You can use a migration sidecar that we provide within your Linux applications, which proxies the IMDS transactions your application makes over to [OpenID Connect][openid-connect-overview] (OIDC). The migration sidecar isn't intended to be a long-term solution, but a way to get up and running quickly on workload identity. Perform the following steps to:

+ > The migration sidecar is **not supported for production use**. This feature is meant to give you time to migrate your application SDK's to a supported version, and not meant or intended to be a long-term solution.

+ > The migration sidecar is only available for Linux containers, due to only providing pod-managed identities with Linux node pools.

+For a conceptual overview of API authorization, see [Authentication and authorization to APIs in API Management](authentication-authorization-overview.md).

+1. Create the sign-up and sign-in policies to allow users to sign in with Azure AD B2C

+1. Configure the Sample JS Client App with the new Azure AD B2C Client IDΓÇÖs and keys

+ > We're going to capture quite a few pieces of information and keys etc as we walk this document, you might find it handy to have a text editor open to store the following items of configuration temporarily.

+ > B2C BACKEND CLIENT ID:

+ > B2C BACKEND CLIENT SECRET KEY:

+ > B2C BACKEND API SCOPE URI:

+ > B2C FRONTEND CLIENT ID:

+ > B2C USER FLOW ENDPOINT URI:

+ > B2C WELL-KNOWN OPENID ENDPOINT:

+ > B2C POLICY NAME: Frontendapp_signupandsignin

+ > FUNCTION URL:

+ > APIM API BASE URL:

+ > STORAGE PRIMARY ENDPOINT URL:

+ >

+ > In this case we configured a sign-up or sign in flow (policy). This also exposed a well-known configuration endpoint, in both cases our created policy was identified in the URL by the "p=" query string parameter.

+ > Now your Function API is deployed and should throw 401 responses if the correct JWT isn't supplied as an Authorization: Bearer header, and should return data when a valid request is presented.

+ > You added additional defense-in-depth security in EasyAuth by configuring the 'Login With Azure AD' option to handle unauthenticated requests.

+ >

+ > We still have no IP security applied, if you have a valid key and OAuth2 token, anyone can call this from anywhere - ideally we want to force all requests to come via API Management.

+1. Click the 'settings' tab, then under subscription - switch off the 'Subscription Required' checkbox as we'll use the Oauth JWT token in this case to rate limit. Note that if you're using the consumption tier, this would still be required in a production environment.

+ > If using the consumption tier of APIM the unlimited product won't be available as an out of the box. Instead, navigate to "Products" under "APIs" and hit "Add".

+1. Open the storage accounts blade in the Azure portal

+ >

+ > If you're using the API Management consumption tier then instead of rate limiting by the JWT subject or incoming IP Address (Limit call rate by key policy isn't supported today for the "Consumption" tier), you can Limit by call rate quota see [here](rate-limit-policy.md).

+ <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta2/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-BmbxuPwQa2lc/FVzBcNJ7UAyJxM6wuqIj61tLrc4wSX0szH/Ev+nYRRuWlolflfl" crossorigin="anonymous">

+ <script type="text/javascript" src="https://alcdn.msauth.net/browser/2.11.1/js/msal-browser.min.js"></script>

+ <nav class="navbar navbar-expand-lg navbar-dark bg-dark">

+ <div class="container-fluid">

+ <a class="navbar-brand" href="#">Azure Active Directory B2C with Azure API Management</a>

+ <div class="navbar-nav">

+ <button class="btn btn-success" id="signinbtn" onClick="login()">Sign In</a>

+ </div>

+ </div>

+ </nav>

+ <div id="cardheader" class="card-header">

+ <div class="card-text"id="message">Please sign in to continue</div>

+ </div>

+ <div class="card-body">

+ <button class="btn btn-warning" id="callapibtn" onClick="getAPIData()">Call API</a>

+ <div id="progress" class="spinner-border" role="status">

+ <span class="visually-hidden">Loading...</span>

+ </div>

+ </div>

+ // Just change the values in this config object ONLY.

+ var config = {

+ msal: {

+ auth: {

+ clientId: "{CLIENTID}", // This is the client ID of your FRONTEND application that you registered with the SPA type in Azure Active Directory B2C

+ authority: "{YOURAUTHORITYB2C}", // Formatted as https://{b2ctenantname}.b2clogin.com/tfp/{b2ctenantguid or full tenant name including onmicrosoft.com}/{signuporinpolicyname}

+ redirectUri: "{StoragePrimaryEndpoint}", // The storage hosting address of the SPA, a web-enabled v2 storage account - recorded earlier as the Primary Endpoint.

+ knownAuthorities: ["{B2CTENANTDOMAIN}"] // {b2ctenantname}.b2clogin.com

+ },

+ cache: {

+ cacheLocation: "sessionStorage",

+ storeAuthStateInCookie: false

+ }

+ },

+ api: {

+ scopes: ["{BACKENDAPISCOPE}"], // The scope that we request for the API from B2C, this should be the backend API scope, with the full URI.

+ backend: "{APIBASEURL}/hello" // The location that we'll call for the backend api, this should be hosted in API Management, suffixed with the name of the API operation (in the sample this is '/hello').

+ }

+ }

+ document.getElementById("callapibtn").hidden = true;

+ document.getElementById("progress").hidden = true;

+ const myMSALObj = new msal.PublicClientApplication(config.msal);

+ myMSALObj.handleRedirectPromise().then((tokenResponse) => {

+ if(tokenResponse !== null){

+ console.log(tokenResponse.account);

+ document.getElementById("message").innerHTML = "Welcome, " + tokenResponse.account.name;

+ document.getElementById("signinbtn").hidden = true;

+ document.getElementById("callapibtn").hidden = false;

+ }}).catch((error) => {console.log("Error Signing in:" + error);

+ });

+ function login() {

+ try {

+ myMSALObj.loginRedirect({scopes: config.api.scopes});

+ } catch (err) {console.log(err);}

+ }

+ function getAPIData() {

+ document.getElementById("progress").hidden = false;

+ document.getElementById("message").innerHTML = "Calling backend ... "

+ document.getElementById("cardheader").classList.remove('bg-success','bg-warning','bg-danger');

+ myMSALObj.acquireTokenSilent({scopes: config.api.scopes, account: getAccount()}).then(tokenResponse => {

+ const headers = new Headers();

+ headers.append("Authorization", `Bearer ${tokenResponse.accessToken}`);

+ fetch(config.api.backend, {method: "GET", headers: headers})

+ .then(async (response) => {

+ if (!response.ok)

+ {

+ document.getElementById("message").innerHTML = "Error: " + response.status + " " + JSON.parse(await response.text()).message;

+ document.getElementById("cardheader").classList.add('bg-warning');

+ }

+ else

+ {

+ document.getElementById("cardheader").classList.add('bg-success');

+ document.getElementById("message").innerHTML = await response.text();

+ }

+ }).catch(async (error) => {

+ document.getElementById("cardheader").classList.add('bg-danger');

+ document.getElementById("message").innerHTML = "Error: " + error;

+ });

+ }).catch(error => {console.log("Error Acquiring Token Silently: " + error);

+ return myMSALObj.acquireTokenRedirect({scopes: config.api.scopes, forceRefresh: false})

+ });

+ document.getElementById("progress").hidden = true;

+ > Congratulations, you just deployed a JavaScript Single Page App to Azure Storage Static content hosting.

+1. Go back to the Azure portal storage blade

+1. Select 'Containers' (under 'Settings')

+1. Select https://docsupdatetracker.net/index.html blob from the list

+1. Click 'Edit'

+ > This configuration will result in a client of the frontend application receiving an access token with appropriate claims from Azure AD B2C.

+ > The SPA will be able to add this as a bearer token in the https header in the call to the backend API.

+ >

+ > API Management will pre-validate the token, rate-limit calls to the endpoint by both the subject of the JWT issued by Azure ID (the user) and by IP address of the caller (depending on the service tier of API Management, see the note above), before passing through the request to the receiving Azure Function API, adding the functions security key.

+ <targets>

+ <graphql-subscription id="subscription field" />

+ </targets>

+ </publish-event>

+* This policy is invoked only when a related GraphQL query or mutation is executed.

+ <http-request>

+ <set-method>POST</set-method>

+ <set-url>https://contoso.com/api/user</set-url>

+ <set-body template="liquid">{ "id" : {{body.arguments.id}}, "name" : "{{body.arguments.name}}"}</set-body>

+ </http-request>

+ <http-response>

+ <publish-event>

+ <targets>

+ <graphql-subscription id="onUserCreated" />

+ </targets>

+ </publish-event>

+ </http-response>

+ Title: Path, header, and query string routing with Application Gateway for Containers - Gateway API (preview)

+description: Learn how to configure Application Gateway for Containers with support with path, header, and query string routing.

+# Path, header, and query string routing with Application Gateway for Containers - Gateway API (preview)

+This document helps you set up an example application that uses the resources from Gateway API to demonstrate traffic routing based on URL path, query string, and header. Review the following gateway API resources for more information:

+- [Gateway](https://gateway-api.sigs.k8s.io/concepts/api-overview/#gateway) - create a gateway with one HTTPS listener.

+- [HTTPRoute](https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/) - create an HTTP route that references a backend service.

+- [HTTPRouteMatch](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteMatch) - Use `matches` to route based on path, header, and query string.

+## Prerequisites

+> [!IMPORTANT]

+> Application Gateway for Containers is currently in PREVIEW.<br>

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+1. If following the BYO deployment strategy, ensure you have set up your Application Gateway for Containers resources and [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md)

+2. If following the ALB managed deployment strategy, ensure you have provisioned your [ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md) and provisioned the Application Gateway for Containers resources via the [ApplicationLoadBalancer custom resource](quickstart-create-application-gateway-for-containers-managed-by-alb-controller.md).

+3. Deploy sample HTTP application

+ Apply the following deployment.yaml file on your cluster to create a sample web application to demonstrate path, query, and header based routing.

+ ```bash

+ kubectl apply -f https://trafficcontrollerdocs.blob.core.windows.net/examples/traffic-split-scenario/deployment.yaml

+ ```

+

+ This command creates the following on your cluster:

+ - a namespace called `test-infra`

+ - 2 services called `backend-v1` and `backend-v2` in the `test-infra` namespace

+ - 2 deployments called `backend-v1` and `backend-v2` in the `test-infra` namespace

+## Deploy the required Gateway API resources

+# [ALB managed deployment](#tab/alb-managed)

+Create a gateway:

+```bash

+kubectl apply -f - <<EOF

+apiVersion: gateway.networking.k8s.io/v1beta1

+kind: Gateway

+metadata:

+ name: gateway-01

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-namespace: alb-test-infra

+ alb.networking.azure.io/alb-name: alb-test

+spec:

+ gatewayClassName: azure-alb-external

+ listeners:

+ - name: http-listener

+ port: 80

+ protocol: HTTP

+ allowedRoutes:

+ namespaces:

+ from: Same

+EOF

+```

+# [Bring your own (BYO) deployment](#tab/byo)

+1. Set the following environment variables

+```bash

+RESOURCE_GROUP='<resource group name of the Application Gateway For Containers resource>'

+RESOURCE_NAME='alb-test'

+RESOURCE_ID=$(az network alb show --resource-group $RESOURCE_GROUP --name $RESOURCE_NAME --query id -o tsv)

+FRONTEND_NAME='frontend'

+```

+2. Create a Gateway

+```bash

+kubectl apply -f - <<EOF

+apiVersion: gateway.networking.k8s.io/v1beta1

+kind: Gateway

+metadata:

+ name: gateway-01

+ namespace: test-infra

+ annotations:

+ alb.networking.azure.io/alb-id: $RESOURCE_ID

+spec:

+ gatewayClassName: azure-alb-external

+ listeners:

+ - name: http-listener

+ port: 80

+ protocol: HTTP

+ allowedRoutes:

+ namespaces:

+ from: Same

+ addresses:

+ - type: alb.networking.azure.io/alb-frontend

+ value: $FRONTEND_NAME

+EOF

+```

+Once the gateway resource has been created, ensure the status is valid, the listener is _Programmed_, and an address is assigned to the gateway.

+```bash

+kubectl get gateway gateway-01 -n test-infra -o yaml

+```

+Example output of successful gateway creation.

+```yaml

+status:

+ addresses:

+ - type: IPAddress

+ value: xxxx.yyyy.alb.azure.com

+ conditions:

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: Valid Gateway

+ observedGeneration: 1

+ reason: Accepted

+ status: "True"

+ type: Accepted

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: Application Gateway For Containers resource has been successfully updated.

+ observedGeneration: 1

+ reason: Programmed

+ status: "True"

+ type: Programmed

+ listeners:

+ - attachedRoutes: 0

+ conditions:

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: ""

+ observedGeneration: 1

+ reason: ResolvedRefs

+ status: "True"

+ type: ResolvedRefs

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: Listener is accepted

+ observedGeneration: 1

+ reason: Accepted

+ status: "True"

+ type: Accepted

+ - lastTransitionTime: "2023-06-19T21:04:55Z"

+ message: Application Gateway For Containers resource has been successfully updated.

+ observedGeneration: 1

+ reason: Programmed

+ status: "True"

+ type: Programmed

+ name: https-listener

+ supportedKinds:

+ - group: gateway.networking.k8s.io

+ kind: HTTPRoute

+```

+Once the gateway has been created, create an HTTPRoute to define two different matches and a default service to route traffic to.

+The way the following rules read are as follows:

+1) If the path is **/bar**, traffic is routed to backend-v2 service on port 8080 OR

+2) If the request contains an HTTP header with the name **magic** and the value **foo**, the URL contains a query string defining the name great with a value of example, AND the path is **/some/thing**, the request is sent to backend-v2 on port 8080.

+3) Otherwise, all other requests are routed to backend-v1 service on port 8080.

+```bash

+kubectl apply -f - <<EOF

+apiVersion: gateway.networking.k8s.io/v1beta1

+kind: HTTPRoute

+metadata:

+ name: http-route

+ namespace: test-infra

+spec:

+ parentRefs:

+ - name: gateway-01

+ namespace: test-infra

+ rules:

+ - matches:

+ - path:

+ type: PathPrefix

+ value: /bar

+ backendRefs:

+ - name: backend-v2

+ port: 8080

+ - matches:

+ - headers:

+ - type: Exact

+ name: magic

+ value: foo

+ queryParams:

+ - type: Exact

+ name: great

+ value: example

+ path:

+ type: PathPrefix

+ value: /some/thing

+ method: GET

+ backendRefs:

+ - name: backend-v2

+ port: 8080

+ - backendRefs:

+ - name: backend-v1

+ port: 8080

+EOF

+```

+Once the HTTPRoute resource has been created, ensure the route has been _Accepted_ and the Application Gateway for Containers resource has been _Programmed_.

+```bash

+kubectl get httproute http-route -n test-infra -o yaml

+```

+Verify the status of the Application Gateway for Containers resource has been successfully updated.

+```yaml

+status:

+ parents:

+ - conditions:

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: ""

+ observedGeneration: 1

+ reason: ResolvedRefs

+ status: "True"

+ type: ResolvedRefs

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: Route is Accepted

+ observedGeneration: 1

+ reason: Accepted

+ status: "True"

+ type: Accepted

+ - lastTransitionTime: "2023-06-19T22:18:23Z"

+ message: Application Gateway For Containers resource has been successfully updated.

+ observedGeneration: 1

+ reason: Programmed

+ status: "True"

+ type: Programmed

+ controllerName: alb.networking.azure.io/alb-controller

+ parentRef:

+ group: gateway.networking.k8s.io

+ kind: Gateway

+ name: gateway-01

+ namespace: test-infra

+ ```

+## Test access to the application

+Now we're ready to send some traffic to our sample application, via the FQDN assigned to the frontend. Use the following command to get the FQDN.

+```bash

+fqdn=$(kubectl get gateway gateway-01 -n test-infra -o jsonpath='{.status.addresses[0].value}')

+```

+By using the curl command, we can validate three different scenarios:

+### Path based routing

+In this scenario, the client request sent to http://frontend-fqdn/bar is routed to backend-v2 service.

+Run the following command:

+```bash

+curl http://$fqdn/bar

+```

+Notice the container serving the request is backend-v2.

+### Query string + header + path routing

+In this scenario, the client request sent to http://frontend-fqdn/some/thing?great=example with a header key/value part of "magic: foo" is routed to backend-v2 service.

+Run the following command:

+```bash

+curl http://$fqdn/some/thing?great=example -H "magic: foo"

+```

+Notice the container serving the request is backend-v2.

+### Default route

+If neither of the first two scenarios are satisfied, Application Gateway for Containers routes all other requests to the backend-v1 service.

+Run the following command:

+```bash

+curl http://$fqdn/

+```

+Notice the container serving the request is backend-v1.

+Congratulations, you have installed ALB Controller, deployed a backend application and routed traffic to the application via Gateway API on Application Gateway for Containers.

+kubectl get httproute traffic-split-route -n test-infra -o yaml

+ ```azurecli-interactive

+ # Sign in to your Azure subscription.

+ SUBSCRIPTION_ID='<your subscription id>'

+ az login

+ az account set --subscription $SUBSCRIPTION_ID

+ # Register required resource providers on Azure.

+ az provider register --namespace Microsoft.ContainerService

+ az provider register --namespace Microsoft.Network

+ az provider register --namespace Microsoft.NetworkFunction

+ az provider register --namespace Microsoft.ServiceNetworking

+ # Install Azure CLI extensions.

+ az extension add --name alb

+ ```

+ > [!NOTE]

+ > The AKS cluster needs to be in a [region where Application Gateway for Containers is available](overview.md#supported-regions)

+ > AKS cluster should use [Azure CNI](../../aks/configure-azure-cni.md).

+ If using an existing cluster, ensure you enable Workload Identity support on your AKS cluster. Workload identities can be enabled via the following:

+

+ ```azurecli-interactive

+ AKS_NAME='<your cluster name>'

+ RESOURCE_GROUP='<your resource group name>'

+ az aks update -g $RESOURCE_GROUP -n $AKS_NAME --enable-oidc-issuer --enable-workload-identity --no-wait

+ ```

+ If you don't have an existing cluster, use the following commands to create a new AKS cluster with Azure CNI and workload identity enabled.

+ ```azurecli-interactive

+ AKS_NAME='<your cluster name>'

+ RESOURCE_GROUP='<your resource group name>'

+ LOCATION='northeurope' # The list of available regions may grow as we roll out to more preview regions

+ VM_SIZE='<the size of the vm in AKS>' # The size needs to be available in your location

+ az group create --name $RESOURCE_GROUP --location $LOCATION

+ az aks create \

+ --resource-group $RESOURCE_GROUP \

+ --name $AKS_NAME \

+ --location $LOCATION \

+ --node-vm-size $VM_SIZE \

+ --network-plugin azure \

+ --enable-oidc-issuer \

+ --enable-workload-identity \

+ --generate-ssh-key

+ ```

+ [Helm](https://github.com/helm/helm) is an open-source packaging tool that is used to install ALB controller.

+ > [!NOTE]

+ > Helm is already available in Azure Cloud Shell. If you are using Azure Cloud Shell, no additional Helm installation is necessary.

+ You can also use the following steps to install Helm on a local device running Windows or Linux. Ensure that you have the latest version of helm installed.

+ # [Windows](#tab/install-helm-windows)

+ See the [instructions for installation](https://github.com/helm/helm#install) for various options of installation. Similarly, if your version of Windows has [Windows Package Manager winget](/windows/package-manager/winget/) installed, you may execute the following command:

+ ```powershell

+ winget install helm.helm

+ ```

+ # [Linux](#tab/install-helm-linux)

+ The following command can be used to install Helm. Commands that use Helm with Azure CLI in this article can also be run using Bash.

+ ```bash

+ curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

+ ```

+ RESOURCE_GROUP='<your resource group name>'

+ AKS_NAME='<your aks cluster name>'

+ IDENTITY_RESOURCE_NAME='azure-alb-identity'

+ mcResourceGroup=$(az aks show --resource-group $RESOURCE_GROUP --name $AKS_NAME --query "nodeResourceGroup" -o tsv)

+ mcResourceGroupId=$(az group show --name $mcResourceGroup --query id -otsv)

+ echo "Creating identity $IDENTITY_RESOURCE_NAME in resource group $RESOURCE_GROUP"

+ az identity create --resource-group $RESOURCE_GROUP --name $IDENTITY_RESOURCE_NAME

+ principalId="$(az identity show -g $RESOURCE_GROUP -n $IDENTITY_RESOURCE_NAME --query principalId -otsv)"

+ echo "Waiting 60 seconds to allow for replication of the identity..."

+ sleep 60

+ echo "Apply Reader role to the AKS managed cluster resource group for the newly provisioned identity"

+ az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal --scope $mcResourceGroupId --role "acdd72a7-3385-48ef-bd42-f606fba81ae7" # Reader role

+ echo "Set up federation with AKS OIDC issuer"

+ AKS_OIDC_ISSUER="$(az aks show -n "$AKS_NAME" -g "$RESOURCE_GROUP" --query "oidcIssuerProfile.issuerUrl" -o tsv)"

+ az identity federated-credential create --name "azure-alb-identity" \

+ --identity-name "$IDENTITY_RESOURCE_NAME" \

+ --resource-group $RESOURCE_GROUP \

+ --issuer "$AKS_OIDC_ISSUER" \

+ --subject "system:serviceaccount:azure-alb-system:alb-controller-sa"

+ ### For new deployments

+ ALB Controller can be installed by running the following commands:

+ ```azurecli-interactive

+ az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME

+ helm install alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \

+ --version 0.4.023971 \

+ --set albController.podIdentity.clientID=$(az identity show -g $RESOURCE_GROUP -n azure-alb-identity --query clientId -o tsv)

+ ```

+ > [!Note]

+ > ALB Controller will automatically be provisioned into a namespace called azure-alb-system. The namespace name may be changed by defining the _--namespace <namespace_name>_ parameter when executing the helm command. During upgrade, please ensure you specify the --namespace parameter.

+ ### For existing deployments

+ ALB can be upgraded by running the following commands (ensure you add the `--namespace namespace_name` parameter to define the namespace if the previous installation did not use the namespace _azure-alb-system_):

+ ```azurecli-interactive

+ az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME

+ helm upgrade alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \

+ --version 0.4.023971 \

+ --set albController.podIdentity.clientID=$(az identity show -g $RESOURCE_GROUP -n azure-alb-identity --query clientId -o tsv)

+ ```

+Each SSL profile can support up to 100 trusted client CA certificate chains. A single Application Gateway can support a total of 200 trusted client CA certificate chains.

+Customers who didn't have Application Gateway V1 SKU in their subscriptions as of 4 July 2023 are considered as new customers. These customers wonΓÇÖt be able to create new V1 gateways in subscriptions which didn't have an existing V1 gateway as of 4 July 2023 going forward.

+- No new subscriptions for V1 deployments: July 1,2023 onwards - Application Gateway V1 is no longer available for deployment on subscriptions with out V1 gateways(Refer to [FAQ](./retirement-faq.md#what-is-the-definition-of-a-new-customer-on-application-gateway-v1-sku) for details) from July 1 2023 onwards.

+- SKU retirement: April 28, 2026 - Any Application Gateway V1 that are in Running status will be stopped. Application Gateway V1s that is not migrated to Application Gateway V2 are informed regarding timelines for deleting them and then force deleted.

+- Follow the steps outlined in the [migration script](./migrate-v1-v2.md) to migrate from Application Gateway v1 to v2. Review [pricing](./understanding-pricing.md) before making the transition.

+ # Ensures you do not inherit an AzContext in your runbook

+ Disable-AzContextAutosave -Scope Process

+ # Connect to Azure with system-assigned managed identity

+ $AzureContext = (Connect-AzAccount -Identity).context

+ # set and store context

+ $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

+1. Under **Scope**, select **Edit resource**.

+ 1. For the **Runbook source** item, select **User**.

+Azure Automation provides scripts for common Azure VM management operations like restart VM, stop VM, delete VM, scale up and down scenarios in Runbook gallery. The scripts can also be found in the Azure Automation [GitHub repository](https://github.com/azureautomation) You can also use these scripts as mentioned in the above steps.

+Starting a runbook on a Hybrid Runbook Worker uses a **Run on** option that allows you to specify the name of a Hybrid Runbook Worker group when initiating from the Azure portal, with the Azure PowerShell, or REST API. When a group is specified, one of the workers in that group retrieves and runs the runbook. If your runbook does not specify this option, Azure Automation runs the runbook in the Azure sandbox.

+Anyone in your organization who is a member of the [Automation Job Operator](automation-role-based-access-control.md#automation-job-operator) or higher can create runbook jobs. To manage runbook execution targeting a Hybrid Runbook Worker group in your Automation account, you can use [Azure Policy](../governance/policy/overview.md). This helps to enforce organizational standards and ensure your automation jobs are controlled and managed by those designated, and anyone cannot execute a runbook on an Azure sandbox, only on Hybrid Runbook workers.

+ ```json

+ "properties": {

+ "displayName": "Enforce job execution on Automation Hybrid Runbook Worker",

+ "description": "Enforce job execution on Hybrid Runbook Workers in your Automation account.",

+ "mode": "all",

+ "parameters": {

+ "effectType": {

+ "type": "string",

+ "defaultValue": "Deny",

+ "allowedValues": [

+ "Deny",

+ "Disabled"

+ ],

+ "metadata": {

+ "displayName": "Effect",

+ "description": "Enable or disable execution of the policy"

+ }

+ }

+ },

+ "policyRule": {

+ ```

+ # [Azure CLI](#tab/azure-cli)

+ ```azurecli

+ ```

+ The command creates a policy definition named **Audit Enforce Jobs on Automation Hybrid Runbook Workers**. For more information about other parameters that you can use, see [az policy definition create](/cli/azure/policy/definition#az-policy-definition-create).

+ When called without location parameters, `az policy definition create` defaults to saving the policy definition in the selected subscription of the sessions context. To save the definition to a different location, use the following parameters:

+ * **subscription** - Save to a different subscription. Requires a *GUID* value for the subscription ID or a *string* value for the subscription name.

+ * **management-group** - Save to a management group. Requires a *string* value.

+ # [PowerShell](#tab/azure-powershell)

+ ```azurepowershell

+ New-AzPolicyDefinition -Name 'audit-enforce-jobs-on-automation-hybrid-runbook-workers' -DisplayName 'Audit Enforce Jobs on Automation Hybrid Runbook Workers' -Policy 'AuditAutomationHRWJobExecution.json'

+ ```

+ The command creates a policy definition named **Audit Enforce Jobs on Automation Hybrid Runbook Workers**. For more information about other parameters that you can use, see [New-AzPolicyDefinition](/powershell/module/az.resources/new-azpolicydefinition).

+ When called without location parameters, `New-AzPolicyDefinition` defaults to saving the policy definition in the selected subscription of the sessions context. To save the definition to a different location, use the following parameters:

+ * **SubscriptionId** - Save to a different subscription. Requires a *GUID* value.

+ * **ManagementGroupName** - Save to a management group. Requires a *string* value.

+

+ # [Azure CLI](#tab/azure-cli)

+ ```azurecli

+ az policy assignment create --name '<name>' --scope '<scope>' --policy '<policy definition ID>'

+ ```

+ The **scope** parameter on `az policy assignment create` works with management group, subscription, resource group, or a single resource. The parameter uses a full resource path. The pattern for **scope** for each container is as follows. Replace `{rName}`, `{rgName}`, `{subId}`, and `{mgName}` with your resource name, resource group name, subscription ID, and management group name, respectively. `{rType}` would be replaced with the **resource type** of the resource, such as `Microsoft.Compute/virtualMachines` for a VM.

+ - Resource - `/subscriptions/{subID}/resourceGroups/{rgName}/providers/{rType}/{rName}`

+ - Resource group - `/subscriptions/{subID}/resourceGroups/{rgName}`

+ - Subscription - `/subscriptions/{subID}`

+ - Management group - `/providers/Microsoft.Management/managementGroups/{mgName}`

+ You can get the Azure Policy Definition ID by using PowerShell with the following command:

+ ```azurecli

+ az policy definition show --name 'Audit Enforce Jobs on Automation Hybrid Runbook Workers'

+ ```

+ The policy definition ID for the policy definition that you created should resemble the following example:

+ ```output

+ "/subscription/<subscriptionId>/providers/Microsoft.Authorization/policyDefinitions/Audit Enforce Jobs on Automation Hybrid Runbook Workers"

+ ```

+ # [PowerShell](#tab/azure-powershell)

+ ```azurepowershell

+ $rgName = Get-AzResourceGroup -Name 'ContosoRG'

+ $Policy = Get-AzPolicyDefinition -Name 'audit-enforce-jobs-on-automation-hybrid-runbook-workers'

+ New-AzPolicyAssignment -Name 'audit-enforce-jobs-on-automation-hybrid-runbook-workers' -PolicyDefinition $Policy -Scope $rg.ResourceId

+ ```

+ Replace _ContosoRG_ with the name of your intended resource group.

+ The **Scope** parameter on `New-AzPolicyAssignment` works with management group, subscription, resource group, or a single resource. The parameter uses a full resource path, which the **ResourceId** property on `Get-AzResourceGroup` returns. The pattern for **Scope** for each container is as follows. Replace `{rName}`, `{rgName}`, `{subId}`, and `{mgName}` with your resource name, resource group name, subscription ID, and management group name, respectively. `{rType}` would be replaced with the **resource type** of the resource, such as `Microsoft.Compute/virtualMachines` for a VM.

+ - Resource - `/subscriptions/{subID}/resourceGroups/{rgName}/providers/{rType}/{rName}`

+ - Resource group - `/subscriptions/{subId}/resourceGroups/{rgName}`

+ - Subscription - `/subscriptions/{subId}`

+ - Management group - `/providers/Microsoft.Management/managementGroups/{mgName}`

+

+To work with runbooks, see [Manage runbooks in Azure Automation](manage-runbooks.md).

+1. Select **+ Add role assignment (Preview)** to open the **Add role assignment (Preview)** page.

+1. From the left menu, select **Azure role assignments** and then **+ Add role assignment (Preview)** to open the **Add role assignment (Preview)** page.

+> With release runbook creation has a new experience in the Azure portal. When you select **Runbooks** blade > **Create a runbook**, a new page **Create a runbook** opens with applicable options.

+ Get-Date

+ Review the output. Everything in the `Parallel` block, including the `Start-Sleep` command, executed at the same time. The same commands outside the `Parallel` block ran sequentially, as shown by the different date time stamps.

+ $AzureContext = Set-AzContext ΓÇôSubscriptionId "<SubscriptionID>"

+Now that your runbook is authenticating to the Azure subscription, you can manage resources. Add a command to start a virtual machine. You can pick any VM in your Azure subscription, and for now you're hardcoding that name in the runbook.

+1. Add the code below as the last line immediately before the closing brace. Replace `VMName` with the actual name of a VM.

+ Param(

+ [string]$resourceGroup,

+ [string[]]$VMs,

+ [string]$action

+ )

+ # Ensures you do not inherit an AzContext in your runbook

+ Disable-AzContextAutosave -Scope Process

+ # Connect to Azure with system-assigned managed identity

+ Connect-AzAccount -Identity

+ # set and store context

+ $AzureContext = Set-AzContext ΓÇôSubscriptionId "<SubscriptionID>"

+ # Start or stop VMs in parallel

+ if ($action -eq "Start") {

+ ForEach -Parallel ($vm in $VMs)

+ {

+ Start-AzVM -Name $vm -ResourceGroupName $resourceGroup -DefaultProfile $AzureContext

+ }

+ }

+ elseif ($action -eq "Stop") {

+ ForEach -Parallel ($vm in $VMs)

+ {

+ Stop-AzVM -Name $vm -ResourceGroupName $resourceGroup -DefaultProfile $AzureContext -Force

+ }

+ }

+ else {

+ Write-Output "`r`n Action not allowed. Please enter 'stop' or 'start'."

+ }

+ }

+ -ObjectId <automation-Identity-Object(Principal)-Id> `

+ {

+ "apiVersion": "2015-11-01-preview",

+ "location": "[parameters('location')]",

+ "name": "[variables('Updates').name]",

+ "type": "Microsoft.OperationsManagement/solutions",

+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.OperationsManagement/solutions/', variables('Updates').name)]",

+ "dependsOn": [

+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"

+ ],

+ "properties": {

+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"

+ },

+ "plan": {

+ "name": "[variables('Updates').name]",

+ "publisher": "Microsoft",

+ "promotionCode": "",

+ "product": "[concat('OMSGallery/', variables('Updates').galleryName)]"

+ }

+ },

+This article provides a guide for importing and exporting data with App Configuration. If youΓÇÖd like to set up an ongoing sync with your GitHub repo, take a look at [GitHub Actions](./concept-github-action.md) and [Azure Pipelines tasks](./pull-key-value-devops-pipeline.md).

+ --version 1.0.0-preview3 \

+An `AzureAppConfigurationProvider` resource has the following top-level child properties under the `spec`. Either `endpoint` or `connectionStringReference` has to be specified.

+|endpoint|The endpoint of Azure App Configuration, which you would like to retrieve the key-values from|alternative|string|

+|connectionStringReference|The name of the Kubernetes Secret that contains Azure App Configuration connection string|alternative|string|

+|refresh|The settings for refreshing the key-values in ConfigMap or Secret|false|object|

+The `spec.keyValues.refresh` property has the following child properties.

+|Name|Description|Required|Type|

+|||||

+|monitoring|The key-values that are monitored by the provider, provider automatically refreshes the ConfigMap or Secret if value change in any designated key-value|true|object|

+|interval|The interval for refreshing, default value is 30 seconds, must be greater than 1 second|false|duration string|

+The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which have the following child properties.

+|Name|Description|Required|Type|

+|||||

+|key|The key of a key-value|true|string|

+|label|The label of a key-value|false|string|

+#### Use Connection String

+1. Create a Kubernetes Secret in the same namespace as the `AzureAppConfigurationProvider` resource and add Azure App Configuration connection string with key *azure_app_configuration_connection_string* in the Secret.

+2. Set the `spec.connectionStringReference` property to the name of the Secret in the following sample `AzureAppConfigurationProvider` resource and deploy it to the Kubernetes cluster.

+ ``` yaml

+ apiVersion: azconfig.io/v1beta1

+ kind: AzureAppConfigurationProvider

+ metadata:

+ name: appconfigurationprovider-sample

+ spec:

+ connectionStringReference: <your-connection-string-secret-name>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+ ```

+### Dynamically refresh ConfigMap and Secret

+Setting the `spec.keyValues.refresh` property enables dynamic configuration data refresh in ConfigMap and Secret by monitoring designated key-values. The provider periodically polls the key-values, if there is any value change, provider triggers ConfigMap and Secret refresh in accordance with the present data in Azure App Configuration.

+The following sample instructs monitoring two key-values with 1 minute polling interval.

+``` yaml

+apiVersion: azconfig.io/v1beta1

+kind: AzureAppConfigurationProvider

+metadata:

+ name: appconfigurationprovider-sample

+spec:

+ endpoint: <your-app-configuration-store-endpoint>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+ keyValues:

+ selectors:

+ - keyFilter: app1*

+ labelFilter: common

+ - keyFilter: app1*

+ labelFilter: development

+ refresh:

+ interval: 1m

+ monitoring:

+ keyValues:

+ - key: sentinelKey

+ label: common

+ - key: sentinelKey

+ label: development

+```

+1. Create an Azure Managed Grafana instance by using the [Azure portal](/azure/managed-grafana/quickstart-managed-grafana-portal) or [Azure CLI](/azure/managed-grafana/quickstart-managed-grafana-cli). Ensure that you're able to access Grafana by selecting its endpoint on the Overview page. You need at least **Reader** level permissions. You can check your access by going to **Access control (IAM)** on the Grafana instance.

+1. If you're using a managed identity for the Azure Managed Grafana instance, follow these steps to assign it a Reader role on the subscription(s):

+1. [Create the Azure Monitor Data Source connection](https://grafana.com/docs/grafana/latest/datasources/azure-monitor/) in your Azure Managed Grafana instance. This connection lets the dashboard access Azure Resource Graph data.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#cosmos-db-input).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#cosmos-db-output).

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+Both [in-process](functions-dotnet-class-library.md) and [isolated process](dotnet-isolated-process-guide.md) C# libraries use the [CosmosDBTriggerAttribute](https://github.com/Azure/azure-webjobs-sdk-extensions/blob/master/src/WebJobs.Extensions.CosmosDB/Trigger/CosmosDBTriggerAttribute.cs) to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#cosmos-db-trigger).

+* [Isolated worker process class library](dotnet-isolated-process-guide.md): compiled C# function that runs in a worker process isolated from the runtime.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attribute to configure the binding. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#event-grid-output).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the [EventGridTrigger](https://github.com/Azure/azure-functions-eventgrid-extension/blob/master/src/EventGridExtension/TriggerBinding/EventGridTriggerAttribute.cs) attribute. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#event-grid-trigger).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attribute to configure the binding. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#event-hubs-output).

+Requires you to define a custom type, or use a string. Additional options are available in **Extension v5.x+**.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries don't require an attribute. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#http-output).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the `HttpTriggerAttribute` to define the trigger binding. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#http-trigger).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the output binding. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#service-bus-output).

+Earlier versions of this extension in the isolated worker process only support binding to messaging-specific types. Additional options are available to **Extension 5.x and higher**

+Functions version 1.x doesn't support isolated worker process. To use the isolated worker model, [upgrade your application to Functions 4.x].

+[upgrade your application to Functions 4.x]: ./migrate-version-1-version-4.md

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the [ServiceBusTriggerAttribute](https://github.com/Azure/azure-functions-servicebus-extension/blob/master/src/Microsoft.Azure.WebJobs.Extensions.ServiceBus/ServiceBusTriggerAttribute.cs) attribute to define the function trigger. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#service-bus-trigger).

+Earlier versions of this extension in the isolated worker process only support binding to messaging-specific types. Additional options are available to **extension 5.x and higher**

+Functions version 1.x doesn't support isolated worker process. To use the isolated worker model, [upgrade your application to Functions 4.x].

+# [Functions 2.x and higher](#tab/functionsv2/isolated-process)

+Earlier versions of this extension in the isolated worker process only support binding to messaging-specific types. Additional options are available to **Extension 5.x and higher**

+# [Functions 1.x](#tab/functionsv1/isolated-process)

+Functions version 1.x doesn't support isolated worker process. To use the isolated worker model, [upgrade your application to Functions 4.x].

+[upgrade your application to Functions 4.x]: ./migrate-version-1-version-4.md

+`InvocationContext` contains all the content in the message sent from a SignalR service, which includes the following properties:

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#blob-input).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attribute to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#blob-output).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the [BlobAttribute](/dotnet/api/microsoft.azure.webjobs.blobattribute) attribute to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#blob-trigger).

+The attribute that defines an output binding in C# libraries depends on the mode in which the C# class library runs.

+In [C# class libraries](functions-dotnet-class-library.md), use the [QueueAttribute](/dotnet/api/microsoft.azure.webjobs.queueattribute). C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#queue-output).

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use the [QueueTriggerAttribute](https://github.com/Azure/azure-webjobs-sdk/blob/master/src/Microsoft.Azure.WebJobs.Extensions.Storage/Queues/QueueTriggerAttribute.cs) to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#queue-trigger).

+Earlier versions of this extension in the isolated worker process only support binding to strings. Additional options are available to **Extension 5.x+**.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#table-input).

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+Both [in-process](functions-dotnet-class-library.md) and [isolated worker process](dotnet-isolated-process-guide.md) C# libraries use attributes to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#table-output).

+An isolated worker process class library compiled C# function runs in a process isolated from the runtime.

+[In-process](functions-dotnet-class-library.md) C# library uses [TimerTriggerAttribute](https://github.com/Azure/azure-webjobs-sdk-extensions/blob/master/src/WebJobs.Extensions/Extensions/Timers/TimerTriggerAttribute.cs) from [Microsoft.Azure.WebJobs.Extensions](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions) whereas [isolated worker process](dotnet-isolated-process-guide.md) C# library uses [TimerTriggerAttribute](https://github.com/Azure/azure-functions-dotnet-worker/blob/main/extensions/Worker.Extensions.Timer/src/TimerTriggerAttribute.cs) from [Microsoft.Azure.Functions.Worker.Extensions.Timer](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Timer) to define the function. C# script instead uses a function.json configuration file as described in the [C# scripting guide](./functions-reference-csharp.md#timer-trigger).

+## Binding configuration and examples

+### Blob trigger

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+||-|

+|**type** | Must be set to `blobTrigger`. This property is set automatically when you create the trigger in the Azure portal.|

+|**direction** | Must be set to `in`. This property is set automatically when you create the trigger in the Azure portal. |

+|**name** | The name of the variable that represents the blob in function code. |

+|**path** | The [container](../storage/blobs/storage-blobs-introduction.md#blob-storage-resources) to monitor. May be a [blob name pattern](./functions-bindings-storage-blob-trigger.md#blob-name-patterns). |

+|**connection** | The name of an app setting or setting collection that specifies how to connect to Azure Blobs. See [Connections](./functions-bindings-storage-blob-trigger.md#connections).|

+The following example shows a blob trigger binding in a *function.json* file and code that uses the binding. The function writes a log when a blob is added or updated in the `samples-workitems` [container](../storage/blobs/storage-blobs-introduction.md#blob-storage-resources).

+Here's the binding data in the *function.json* file:

+```json

+{

+ "disabled": false,

+ "bindings": [

+ {

+ "name": "myBlob",

+ "type": "blobTrigger",

+ "direction": "in",

+ "path": "samples-workitems/{name}",

+ "connection":"MyStorageAccountAppSetting"

+ }

+ ]

+}

+```

+The string `{name}` in the blob trigger path `samples-workitems/{name}` creates a [binding expression](./functions-bindings-expressions-patterns.md) that you can use in function code to access the file name of the triggering blob. For more information, see [Blob name patterns](./functions-bindings-storage-blob-trigger.md#blob-name-patterns).

+Here's C# script code that binds to a `Stream`:

+```cs

+public static void Run(Stream myBlob, string name, ILogger log)

+{

+ log.LogInformation($"C# Blob trigger function Processed blob\n Name:{name} \n Size: {myBlob.Length} Bytes");

+}

+```

+Here's C# script code that binds to a `CloudBlockBlob`:

+```cs

+#r "Microsoft.WindowsAzure.Storage"

+using Microsoft.WindowsAzure.Storage.Blob;

+public static void Run(CloudBlockBlob myBlob, string name, ILogger log)

+{

+ log.LogInformation($"C# Blob trigger function Processed blob\n Name:{name}\nURI:{myBlob.StorageUri}");

+}

+```

+### Blob input

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+||-|

+|**type** | Must be set to `blob`. |

+|**direction** | Must be set to `in`. |

+|**name** | The name of the variable that represents the blob in function code.|

+|**path** | The path to the blob. |

+|**connection** | The name of an app setting or setting collection that specifies how to connect to Azure Blobs. See [Connections](./functions-bindings-storage-blob-input.md#connections).|

+The following example shows blob input and output bindings in a *function.json* file and C# script code that uses the bindings. The function makes a copy of a text blob. The function is triggered by a queue message that contains the name of the blob to copy. The new blob is named *{originalblobname}-Copy*.

+In the *function.json* file, the `queueTrigger` metadata property is used to specify the blob name in the `path` properties:

+```json

+{

+ "bindings": [

+ {

+ "queueName": "myqueue-items",

+ "connection": "MyStorageConnectionAppSetting",

+ "name": "myQueueItem",

+ "type": "queueTrigger",

+ "direction": "in"

+ },

+ {

+ "name": "myInputBlob",

+ "type": "blob",

+ "path": "samples-workitems/{queueTrigger}",

+ "connection": "MyStorageConnectionAppSetting",

+ "direction": "in"

+ },

+ {

+ "name": "myOutputBlob",

+ "type": "blob",

+ "path": "samples-workitems/{queueTrigger}-Copy",

+ "connection": "MyStorageConnectionAppSetting",

+ "direction": "out"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```cs

+public static void Run(string myQueueItem, string myInputBlob, out string myOutputBlob, ILogger log)

+{

+ log.LogInformation($"C# Queue trigger function processed: {myQueueItem}");

+ myOutputBlob = myInputBlob;

+}

+```

+### Blob output

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+||-|

+|**type** | Must be set to `blob`. |

+|**direction** | Must be set to `out`. |

+|**name** | The name of the variable that represents the blob in function code.|

+|**path** | The path to the blob. |

+|**connection** | The name of an app setting or setting collection that specifies how to connect to Azure Blobs. See [Connections](./functions-bindings-storage-blob-output.md#connections).|

+The following example shows blob input and output bindings in a *function.json* file and C# script code that uses the bindings. The function makes a copy of a text blob. The function is triggered by a queue message that contains the name of the blob to copy. The new blob is named *{originalblobname}-Copy*.

+In the *function.json* file, the `queueTrigger` metadata property is used to specify the blob name in the `path` properties:

+```json

+{

+ "bindings": [

+ {

+ "queueName": "myqueue-items",

+ "connection": "MyStorageConnectionAppSetting",

+ "name": "myQueueItem",

+ "type": "queueTrigger",

+ "direction": "in"

+ },

+ {

+ "name": "myInputBlob",

+ "type": "blob",

+ "path": "samples-workitems/{queueTrigger}",

+ "connection": "MyStorageConnectionAppSetting",

+ "direction": "in"

+ },

+ {

+ "name": "myOutputBlob",

+ "type": "blob",

+ "path": "samples-workitems/{queueTrigger}-Copy",

+ "connection": "MyStorageConnectionAppSetting",

+ "direction": "out"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```cs

+public static void Run(string myQueueItem, string myInputBlob, out string myOutputBlob, ILogger log)

+{

+ log.LogInformation($"C# Queue trigger function processed: {myQueueItem}");

+ myOutputBlob = myInputBlob;

+}

+```

+### Queue trigger

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+||-|

+|**type** |Must be set to `queueTrigger`. This property is set automatically when you create the trigger in the Azure portal.|

+|**direction**| In the *function.json* file only. Must be set to `in`. This property is set automatically when you create the trigger in the Azure portal. |

+|**name** | The name of the variable that contains the queue item payload in the function code. |

+|**queueName** | The name of the queue to poll. |

+|**connection** | The name of an app setting or setting collection that specifies how to connect to Azure Queues. See [Connections](./functions-bindings-storage-queue-trigger.md#connections).|

+The following example shows a queue trigger binding in a *function.json* file and C# script code that uses the binding. The function polls the `myqueue-items` queue and writes a log each time a queue item is processed.

+Here's the *function.json* file:

+```json

+{

+ "disabled": false,

+ "bindings": [

+ {

+ "type": "queueTrigger",

+ "direction": "in",

+ "name": "myQueueItem",

+ "queueName": "myqueue-items",

+ "connection":"MyStorageConnectionAppSetting"

+ }

+ ]

+}

+```

+Here's the C# script code:

+```csharp

+#r "Microsoft.WindowsAzure.Storage"

+using Microsoft.Extensions.Logging;

+using Microsoft.WindowsAzure.Storage.Queue;

+using System;

+public static void Run(CloudQueueMessage myQueueItem,

+ DateTimeOffset expirationTime,

+ DateTimeOffset insertionTime,

+ DateTimeOffset nextVisibleTime,

+ string queueTrigger,

+ string id,

+ string popReceipt,

+ int dequeueCount,

+ ILogger log)

+{

+ log.LogInformation($"C# Queue trigger function processed: {myQueueItem.AsString}\n" +

+ $"queueTrigger={queueTrigger}\n" +

+ $"expirationTime={expirationTime}\n" +

+ $"insertionTime={insertionTime}\n" +

+ $"nextVisibleTime={nextVisibleTime}\n" +

+ $"id={id}\n" +

+ $"popReceipt={popReceipt}\n" +

+ $"dequeueCount={dequeueCount}");

+}

+```

+### Queue output

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+||-|

+|**type** |Must be set to `queue`. This property is set automatically when you create the trigger in the Azure portal.|

+|**direction** | Must be set to `out`. This property is set automatically when you create the trigger in the Azure portal. |

+|**name** | The name of the variable that represents the queue in function code. Set to `$return` to reference the function return value.|

+|**queueName** | The name of the queue. |

+|**connection** | The name of an app setting or setting collection that specifies how to connect to Azure Queues. See [Connections](./functions-bindings-storage-queue-output.md#connections).|

+The following example shows an HTTP trigger binding in a *function.json* file and C# script code that uses the binding. The function creates a queue item with a **CustomQueueMessage** object payload for each HTTP request received.

+Here's the *function.json* file:

+```json

+{

+ "bindings": [

+ {

+ "type": "httpTrigger",

+ "direction": "in",

+ "authLevel": "function",

+ "name": "input"

+ },

+ {

+ "type": "http",

+ "direction": "out",

+ "name": "$return"

+ },

+ {

+ "type": "queue",

+ "direction": "out",

+ "name": "$return",

+ "queueName": "outqueue",

+ "connection": "MyStorageConnectionAppSetting"

+ }

+ ]

+}

+```

+Here's C# script code that creates a single queue message:

+```cs

+public class CustomQueueMessage

+{

+ public string PersonName { get; set; }

+ public string Title { get; set; }

+}

+public static CustomQueueMessage Run(CustomQueueMessage input, ILogger log)

+{

+ return input;

+}

+```

+You can send multiple messages at once by using an `ICollector` or `IAsyncCollector` parameter. Here's C# script code that sends multiple messages, one with the HTTP request data and one with hard-coded values:

+```cs

+public static void Run(

+ CustomQueueMessage input,

+ ICollector<CustomQueueMessage> myQueueItems,

+ ILogger log)

+{

+ myQueueItems.Add(input);

+ myQueueItems.Add(new CustomQueueMessage { PersonName = "You", Title = "None" });

+}

+```

+### Table input

+This section outlines support for the [Tables API version of the extension](./functions-bindings-storage-table.md?tabs=in-process%2Ctable-api) only.

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+||-|

+|**type** | Must be set to `table`. This property is set automatically when you create the binding in the Azure portal.|

+|**direction** | Must be set to `in`. This property is set automatically when you create the binding in the Azure portal. |

+|**name** | The name of the variable that represents the table or entity in function code. |

+|**tableName** | The name of the table.|

+|**partitionKey** | Optional. The partition key of the table entity to read. |

+|**rowKey** |Optional. The row key of the table entity to read. Can't be used with `take` or `filter`.|

+|**take** | Optional. The maximum number of entities to return. Can't be used with `rowKey`. |

+|**filter** | Optional. An OData filter expression for the entities to return from the table. Can't be used with `rowKey`.|

+|**connection** | The name of an app setting or setting collection that specifies how to connect to the table service. See [Connections](./functions-bindings-storage-table-input.md#connections). |

+he following example shows a table input binding in a *function.json* file and C# script code that uses the binding. The function uses a queue trigger to read a single table row.

+The *function.json* file specifies a `partitionKey` and a `rowKey`. The `rowKey` value `{queueTrigger}` indicates that the row key comes from the queue message string.

+```json

+{

+ "bindings": [

+ {

+ "queueName": "myqueue-items",

+ "connection": "MyStorageConnectionAppSetting",

+ "name": "myQueueItem",

+ "type": "queueTrigger",

+ "direction": "in"

+ },

+ {

+ "name": "personEntity",

+ "type": "table",

+ "tableName": "Person",

+ "partitionKey": "Test",

+ "rowKey": "{queueTrigger}",

+ "connection": "MyStorageConnectionAppSetting",

+ "direction": "in"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```csharp

+#r "Azure.Data.Tables"

+using Microsoft.Extensions.Logging;

+using Azure.Data.Tables;

+public static void Run(string myQueueItem, Person personEntity, ILogger log)

+{

+ log.LogInformation($"C# Queue trigger function processed: {myQueueItem}");

+ log.LogInformation($"Name in Person entity: {personEntity.Name}");

+}

+public class Person : ITableEntity

+{

+ public string Name { get; set; }

+ public string PartitionKey { get; set; }

+ public string RowKey { get; set; }

+ public DateTimeOffset? Timestamp { get; set; }

+ public ETag ETag { get; set; }

+}

+```

+### Table output

+This section outlines support for the [Tables API version of the extension](./functions-bindings-storage-table.md?tabs=in-process%2Ctable-api) only.

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+|||

+|**type** |Must be set to `table`. This property is set automatically when you create the binding in the Azure portal.|

+|**direction** | Must be set to `out`. This property is set automatically when you create the binding in the Azure portal. |

+|**name** | The variable name used in function code that represents the table or entity. Set to `$return` to reference the function return value.|

+|**tableName** |The name of the table to which to write.|

+|**partitionKey** |The partition key of the table entity to write. |

+|**rowKey** | The row key of the table entity to write. |

+|**connection** | The name of an app setting or setting collection that specifies how to connect to the table service. See [Connections](./functions-bindings-storage-table-output.md#connections). |

+The following example shows a table output binding in a *function.json* file and C# script code that uses the binding. The function writes multiple table entities.

+Here's the *function.json* file:

+```json

+{

+ "bindings": [

+ {

+ "name": "input",

+ "type": "manualTrigger",

+ "direction": "in"

+ },

+ {

+ "tableName": "Person",

+ "connection": "MyStorageConnectionAppSetting",

+ "name": "tableBinding",

+ "type": "table",

+ "direction": "out"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```csharp

+public static void Run(string input, ICollector<Person> tableBinding, ILogger log)

+{

+ for (int i = 1; i < 10; i++)

+ {

+ log.LogInformation($"Adding Person entity {i}");

+ tableBinding.Add(

+ new Person() {

+ PartitionKey = "Test",

+ RowKey = i.ToString(),

+ Name = "Name" + i.ToString() }

+ );

+ }

+}

+public class Person

+{

+ public string PartitionKey { get; set; }

+ public string RowKey { get; set; }

+ public string Name { get; set; }

+}

+```

+### Timer trigger

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+||-|

+|**type** | Must be set to "timerTrigger". This property is set automatically when you create the trigger in the Azure portal.|

+|**direction** | Must be set to "in". This property is set automatically when you create the trigger in the Azure portal. |

+|**name** | The name of the variable that represents the timer object in function code. |

+|**schedule**| A [CRON expression](./functions-bindings-timer.md#ncrontab-expressions) or a [TimeSpan](./functions-bindings-timer.md#timespan) value. A `TimeSpan` can be used only for a function app that runs on an App Service Plan. You can put the schedule expression in an app setting and set this property to the app setting name wrapped in **%** signs, as in this example: "%ScheduleAppSetting%". |

+|**runOnStartup**| If `true`, the function is invoked when the runtime starts. For example, the runtime starts when the function app wakes up after going idle due to inactivity. when the function app restarts due to function changes, and when the function app scales out. *Use with caution.* **runOnStartup** should rarely if ever be set to `true`, especially in production. |

+|**useMonitor**| Set to `true` or `false` to indicate whether the schedule should be monitored. Schedule monitoring persists schedule occurrences to aid in ensuring the schedule is maintained correctly even when function app instances restart. If not set explicitly, the default is `true` for schedules that have a recurrence interval greater than or equal to 1 minute. For schedules that trigger more than once per minute, the default is `false`. |

+The following example shows a timer trigger binding in a *function.json* file and a C# script function that uses the binding. The function writes a log indicating whether this function invocation is due to a missed schedule occurrence. The [`TimerInfo`](https://github.com/Azure/azure-webjobs-sdk-extensions/blob/master/src/WebJobs.Extensions/Extensions/Timers/TimerInfo.cs) object is passed into the function.

+Here's the binding data in the *function.json* file:

+```json

+{

+ "schedule": "0 */5 * * * *",

+ "name": "myTimer",

+ "type": "timerTrigger",

+ "direction": "in"

+}

+```

+Here's the C# script code:

+```csharp

+public static void Run(TimerInfo myTimer, ILogger log)

+{

+ if (myTimer.IsPastDue)

+ {

+ log.LogInformation("Timer is running late!");

+ }

+ log.LogInformation($"C# Timer trigger function executed at: {DateTime.Now}" );

+}

+```

+### HTTP trigger

+The following table explains the trigger configuration properties that you set in the *function.json* file:

+|function.json property | Description|

+|||

+| **type** | Required - must be set to `httpTrigger`. |

+| **direction** | Required - must be set to `in`. |

+| **name** | Required - the variable name used in function code for the request or request body. |

+| **authLevel** | Determines what keys, if any, need to be present on the request in order to invoke the function. For supported values, see [Authorization level](./functions-bindings-http-webhook-trigger.md#http-auth). |

+| **methods** | An array of the HTTP methods to which the function responds. If not specified, the function responds to all HTTP methods. See [customize the HTTP endpoint](./functions-bindings-http-webhook-trigger.md#customize-the-http-endpoint). |

+| **route** | Defines the route template, controlling to which request URLs your function responds. The default value if none is provided is `<functionname>`. For more information, see [customize the HTTP endpoint](./functions-bindings-http-webhook-trigger.md#customize-the-http-endpoint). |

+| **webHookType** | _Supported only for the version 1.x runtime._<br/><br/>Configures the HTTP trigger to act as a [webhook](https://en.wikipedia.org/wiki/Webhook) receiver for the specified provider. For supported values, see [WebHook type](./functions-bindings-http-webhook-trigger.md#webhook-type).|

+The following example shows a trigger binding in a *function.json* file and a C# script function that uses the binding. The function looks for a `name` parameter either in the query string or the body of the HTTP request.

+Here's the *function.json* file:

+```json

+{

+ "disabled": false,

+ "bindings": [

+ {

+ "authLevel": "function",

+ "name": "req",

+ "type": "httpTrigger",

+ "direction": "in",

+ "methods": [

+ "get",

+ "post"

+ ]

+ },

+ {

+ "name": "$return",

+ "type": "http",

+ "direction": "out"

+ }

+ ]

+}

+```

+Here's C# script code that binds to `HttpRequest`:

+```cs

+#r "Newtonsoft.Json"

+using System.Net;

+using Microsoft.AspNetCore.Mvc;

+using Microsoft.Extensions.Primitives;

+using Newtonsoft.Json;

+public static async Task<IActionResult> Run(HttpRequest req, ILogger log)

+{

+ log.LogInformation("C# HTTP trigger function processed a request.");

+ string name = req.Query["name"];

+

+ string requestBody = String.Empty;

+ using (StreamReader streamReader = new StreamReader(req.Body))

+ {

+ requestBody = await streamReader.ReadToEndAsync();

+ }

+ dynamic data = JsonConvert.DeserializeObject(requestBody);

+ name = name ?? data?.name;

+

+ return name != null

+ ? (ActionResult)new OkObjectResult($"Hello, {name}")

+ : new BadRequestObjectResult("Please pass a name on the query string or in the request body");

+}

+```

+You can bind to a custom object instead of `HttpRequest`. This object is created from the body of the request and parsed as JSON. Similarly, a type can be passed to the HTTP response output binding and returned as the response body, along with a `200` status code.

+```csharp

+using System.Net;

+using System.Threading.Tasks;

+using Microsoft.Extensions.Logging;

+public static string Run(Person person, ILogger log)

+{

+ return person.Name != null

+ ? (ActionResult)new OkObjectResult($"Hello, {person.Name}")

+ : new BadRequestObjectResult("Please pass an instance of Person.");

+}

+public class Person {

+ public string Name {get; set;}

+}

+```

+### HTTP output

+The following table explains the binding configuration properties that you set in the *function.json* file.

+|Property |Description |

+|||

+| **type** |Must be set to `http`. |

+| **direction** | Must be set to `out`. |

+| **name** | The variable name used in function code for the response, or `$return` to use the return value. |

+### Event Hubs trigger

+The following table explains the trigger configuration properties that you set in the *function.json* file:

+|function.json property | Description|

+||-|

+|**type** | Must be set to `eventHubTrigger`. This property is set automatically when you create the trigger in the Azure portal.|

+|**direction** | Must be set to `in`. This property is set automatically when you create the trigger in the Azure portal. |

+|**name** | The name of the variable that represents the event item in function code. |

+|**eventHubName** | Functions 2.x and higher. The name of the event hub. When the event hub name is also present in the connection string, that value overrides this property at runtime. Can be referenced via [app settings](./functions-bindings-expressions-patterns.md#binding-expressionsapp-settings) `%eventHubName%`. In version 1.x, this property is named `path`. |

+|**consumerGroup** |An optional property that sets the [consumer group](../event-hubs/event-hubs-features.md#event-consumers) used to subscribe to events in the hub. If omitted, the `$Default` consumer group is used. |

+|**connection** | The name of an app setting or setting collection that specifies how to connect to Event Hubs. See [Connections](./functions-bindings-event-hubs-trigger.md#connections).|

+The following example shows an Event Hubs trigger binding in a *function.json* file and a C# script functionthat uses the binding. The function logs the message body of the Event Hubs trigger.

+The following examples show Event Hubs binding data in the *function.json* file for Functions runtime version 2.x and later versions.

+```json

+{

+ "type": "eventHubTrigger",

+ "name": "myEventHubMessage",

+ "direction": "in",

+ "eventHubName": "MyEventHub",

+ "connection": "myEventHubReadConnectionAppSetting"

+}

+```

+Here's the C# script code:

+```cs

+using System;

+public static void Run(string myEventHubMessage, TraceWriter log)

+{

+ log.Info($"C# function triggered to process a message: {myEventHubMessage}");

+}

+```

+To get access to event metadata in function code, bind to an [EventData](/dotnet/api/microsoft.servicebus.messaging.eventdata) object. You can also access the same properties by using binding expressions in the method signature. The following example shows both ways to get the same data:

+```cs

+#r "Microsoft.Azure.EventHubs"

+using System.Text;

+using System;

+using Microsoft.ServiceBus.Messaging;

+using Microsoft.Azure.EventHubs;

+public void Run(EventData myEventHubMessage,

+ DateTime enqueuedTimeUtc,

+ Int64 sequenceNumber,

+ string offset,

+ TraceWriter log)

+{

+ log.Info($"Event: {Encoding.UTF8.GetString(myEventHubMessage.Body)}");

+ log.Info($"EnqueuedTimeUtc={myEventHubMessage.SystemProperties.EnqueuedTimeUtc}");

+ log.Info($"SequenceNumber={myEventHubMessage.SystemProperties.SequenceNumber}");

+ log.Info($"Offset={myEventHubMessage.SystemProperties.Offset}");

+ // Metadata accessed by using binding expressions

+ log.Info($"EnqueuedTimeUtc={enqueuedTimeUtc}");

+ log.Info($"SequenceNumber={sequenceNumber}");

+ log.Info($"Offset={offset}");

+}

+```

+To receive events in a batch, make `string` or `EventData` an array:

+```cs

+public static void Run(string[] eventHubMessages, TraceWriter log)

+{

+ foreach (var message in eventHubMessages)

+ {

+ log.Info($"C# function triggered to process a message: {message}");

+ }

+}

+```

+### Event Hubs output

+The following table explains the binding configuration properties that you set in the *function.json* file.

+|function.json property | Description|

+|||

+|**type** | Must be set to `eventHub`. |

+|**direction** | Must be set to `out`. This parameter is set automatically when you create the binding in the Azure portal. |

+|**name** | The variable name used in function code that represents the event. |

+|**eventHubName** | Functions 2.x and higher. The name of the event hub. When the event hub name is also present in the connection string, that value overrides this property at runtime. In Functions 1.x, this property is named `path`.|

+|**connection** | The name of an app setting or setting collection that specifies how to connect to Event Hubs. To learn more, see [Connections](./functions-bindings-event-hubs-output.md#connections).|

+The following example shows an event hub trigger binding in a *function.json* file and a C# script function that uses the binding. The function writes a message to an event hub.

+The following examples show Event Hubs binding data in the *function.json* file for Functions runtime version 2.x and later versions.

+```json

+{

+ "type": "eventHub",

+ "name": "outputEventHubMessage",

+ "eventHubName": "myeventhub",

+ "connection": "MyEventHubSendAppSetting",

+ "direction": "out"

+}

+```

+Here's C# script code that creates one message:

+```cs

+using System;

+using Microsoft.Extensions.Logging;

+public static void Run(TimerInfo myTimer, out string outputEventHubMessage, ILogger log)

+{

+ String msg = $"TimerTriggerCSharp1 executed at: {DateTime.Now}";

+ log.LogInformation(msg);

+ outputEventHubMessage = msg;

+}

+```

+Here's C# script code that creates multiple messages:

+```cs

+public static void Run(TimerInfo myTimer, ICollector<string> outputEventHubMessage, ILogger log)

+{

+ string message = $"Message created at: {DateTime.Now}";

+ log.LogInformation(message);

+ outputEventHubMessage.Add("1 " + message);

+ outputEventHubMessage.Add("2 " + message);

+}

+```

+### Event Grid trigger

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file. There are no constructor parameters or properties to set in the `EventGridTrigger` attribute.

+|function.json property |Description|

+|||

+| **type** | Required - must be set to `eventGridTrigger`. |

+| **direction** | Required - must be set to `in`. |

+| **name** | Required - the variable name used in function code for the parameter that receives the event data. |

+The following example shows an Event Grid trigger defined in the *function.json* file.

+Here's the binding data in the *function.json* file:

+```json

+{

+ "bindings": [

+ {

+ "type": "eventGridTrigger",

+ "name": "eventGridEvent",

+ "direction": "in"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's an example of a C# script function that uses an `EventGridEvent` binding parameter:

+```csharp

+#r "Azure.Messaging.EventGrid"

+using Azure.Messaging.EventGrid;

+using Microsoft.Extensions.Logging;

+public static void Run(EventGridEvent eventGridEvent, ILogger log)

+{

+ log.LogInformation(eventGridEvent.Data.ToString());

+}

+```

+Here's an example of a C# script function that uses a `JObject` binding parameter:

+```cs

+#r "Newtonsoft.Json"

+using Newtonsoft.Json;

+using Newtonsoft.Json.Linq;

+public static void Run(JObject eventGridEvent, TraceWriter log)

+{

+ log.Info(eventGridEvent.ToString(Formatting.Indented));

+}

+```

+### Event Grid output

+The following table explains the binding configuration properties for C# script that you set in the *function.json* file.

+|function.json property | Description|

+|||-|

+|**type** | Must be set to `eventGrid`. |

+|**direction** | Must be set to `out`. This parameter is set automatically when you create the binding in the Azure portal. |

+|**name** | The variable name used in function code that represents the event. |

+|**topicEndpointUri** | The name of an app setting that contains the URI for the custom topic, such as `MyTopicEndpointUri`. |

+|**topicKeySetting** | The name of an app setting that contains an access key for the custom topic. |

+The following example shows the Event Grid output binding data in the *function.json* file.

+```json

+{

+ "type": "eventGrid",

+ "name": "outputEvent",

+ "topicEndpointUri": "MyEventGridTopicUriSetting",

+ "topicKeySetting": "MyEventGridTopicKeySetting",

+ "direction": "out"

+}

+```

+Here's C# script code that creates one event:

+```cs

+#r "Microsoft.Azure.EventGrid"

+using System;

+using Microsoft.Azure.EventGrid.Models;

+using Microsoft.Extensions.Logging;

+public static void Run(TimerInfo myTimer, out EventGridEvent outputEvent, ILogger log)

+{

+ outputEvent = new EventGridEvent("message-id", "subject-name", "event-data", "event-type", DateTime.UtcNow, "1.0");

+}

+```

+Here's C# script code that creates multiple events:

+```cs

+#r "Microsoft.Azure.EventGrid"

+using System;

+using Microsoft.Azure.EventGrid.Models;

+using Microsoft.Extensions.Logging;

+public static void Run(TimerInfo myTimer, ICollector<EventGridEvent> outputEvent, ILogger log)

+{

+ outputEvent.Add(new EventGridEvent("message-id-1", "subject-name", "event-data", "event-type", DateTime.UtcNow, "1.0"));

+ outputEvent.Add(new EventGridEvent("message-id-2", "subject-name", "event-data", "event-type", DateTime.UtcNow, "1.0"));

+}

+```

+### Service Bus trigger

+The following table explains the binding configuration properties that you set in the *function.json* file.

+|function.json property | Description|

+||-|

+|**type** | Must be set to `serviceBusTrigger`. This property is set automatically when you create the trigger in the Azure portal.|

+|**direction** | Must be set to "in". This property is set automatically when you create the trigger in the Azure portal. |

+|**name** | The name of the variable that represents the queue or topic message in function code. |

+|**queueName**| Name of the queue to monitor. Set only if monitoring a queue, not for a topic.

+|**topicName**| Name of the topic to monitor. Set only if monitoring a topic, not for a queue.|

+|**subscriptionName**| Name of the subscription to monitor. Set only if monitoring a topic, not for a queue.|

+|**connection**| The name of an app setting or setting collection that specifies how to connect to Service Bus. See [Connections](./functions-bindings-service-bus-trigger.md#connections).|

+|**accessRights**| Access rights for the connection string. Available values are `manage` and `listen`. The default is `manage`, which indicates that the `connection` has the **Manage** permission. If you use a connection string that does not have the **Manage** permission, set `accessRights` to "listen". Otherwise, the Functions runtime might fail trying to do operations that require manage rights. In Azure Functions version 2.x and higher, this property is not available because the latest version of the Service Bus SDK doesn't support manage operations.|

+|**isSessionsEnabled**| `true` if connecting to a [session-aware](../service-bus-messaging/message-sessions.md) queue or subscription. `false` otherwise, which is the default value.|

+|**autoComplete**| `true` when the trigger should automatically call complete after processing, or if the function code will manually call complete.<br/><br/>Setting to `false` is only supported in C#.<br/><br/>If set to `true`, the trigger completes the message automatically if the function execution completes successfully, and abandons the message otherwise.<br/><br/>When set to `false`, you are responsible for calling [MessageReceiver](/dotnet/api/microsoft.azure.servicebus.core.messagereceiver) methods to complete, abandon, or deadletter the message. If an exception is thrown (and none of the `MessageReceiver` methods are called), then the lock remains. Once the lock expires, the message is re-queued with the `DeliveryCount` incremented and the lock is automatically renewed.<br/><br/>This property is available only in Azure Functions 2.x and higher. |

+The following example shows a Service Bus trigger binding in a *function.json* file and a C# script function that uses the binding. The function reads message metadata and logs a Service Bus queue message.

+Here's the binding data in the *function.json* file:

+```json

+{

+"bindings": [

+ {

+ "queueName": "testqueue",

+ "connection": "MyServiceBusConnection",

+ "name": "myQueueItem",

+ "type": "serviceBusTrigger",

+ "direction": "in"

+ }

+],

+"disabled": false

+}

+```

+Here's the C# script code:

+```cs

+using System;

+public static void Run(string myQueueItem,

+ Int32 deliveryCount,

+ DateTime enqueuedTimeUtc,

+ string messageId,

+ TraceWriter log)

+{

+ log.Info($"C# ServiceBus queue trigger function processed message: {myQueueItem}");

+ log.Info($"EnqueuedTimeUtc={enqueuedTimeUtc}");

+ log.Info($"DeliveryCount={deliveryCount}");

+ log.Info($"MessageId={messageId}");

+}

+```

+### Service Bus output

+The following table explains the binding configuration properties that you set in the *function.json* file.

+|function.json property | Description|

+|||-|

+|**type** |Must be set to "serviceBus". This property is set automatically when you create the trigger in the Azure portal.|

+|**direction** | Must be set to "out". This property is set automatically when you create the trigger in the Azure portal. |

+|**name** | The name of the variable that represents the queue or topic message in function code. Set to "$return" to reference the function return value. |

+|**queueName**|Name of the queue. Set only if sending queue messages, not for a topic.

+|**topicName**|Name of the topic. Set only if sending topic messages, not for a queue.|

+|**connection**|The name of an app setting or setting collection that specifies how to connect to Service Bus. See [Connections](./functions-bindings-service-bus-output.md#connections).|

+|**accessRights** (v1 only)|Access rights for the connection string. Available values are `manage` and `listen`. The default is `manage`, which indicates that the `connection` has the **Manage** permission. If you use a connection string that does not have the **Manage** permission, set `accessRights` to "listen". Otherwise, the Functions runtime might fail trying to do operations that require manage rights. In Azure Functions version 2.x and higher, this property is not available because the latest version of the Service Bus SDK doesn't support manage operations.|

+The following example shows a Service Bus output binding in a *function.json* file and a C# script function that uses the binding. The function uses a timer trigger to send a queue message every 15 seconds.

+Here's the binding data in the *function.json* file:

+```json

+{

+ "bindings": [

+ {

+ "schedule": "0/15 * * * * *",

+ "name": "myTimer",

+ "runsOnStartup": true,

+ "type": "timerTrigger",

+ "direction": "in"

+ },

+ {

+ "name": "outputSbQueue",

+ "type": "serviceBus",

+ "queueName": "testqueue",

+ "connection": "MyServiceBusConnection",

+ "direction": "out"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's C# script code that creates a single message:

+```cs

+public static void Run(TimerInfo myTimer, ILogger log, out string outputSbQueue)

+{

+ string message = $"Service Bus queue message created at: {DateTime.Now}";

+ log.LogInformation(message);

+ outputSbQueue = message;

+}

+```

+Here's C# script code that creates multiple messages:

+```cs

+public static async Task Run(TimerInfo myTimer, ILogger log, IAsyncCollector<string> outputSbQueue)

+{

+ string message = $"Service Bus queue messages created at: {DateTime.Now}";

+ log.LogInformation(message);

+ await outputSbQueue.AddAsync("1 " + message);

+ await outputSbQueue.AddAsync("2 " + message);

+}

+```

+### Cosmos DB trigger

+This section outlines support for the [version 4.x+ of the extension](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4) only.

+The following table explains the binding configuration properties that you set in the *function.json* file.

+The following example shows an Azure Cosmos DB trigger binding in a *function.json* file and a [C# script function](functions-reference-csharp.md) that uses the binding. The function writes log messages when Azure Cosmos DB records are added or modified.

+Here's the binding data in the *function.json* file:

+```json

+{

+ "type": "cosmosDBTrigger",

+ "name": "documents",

+ "direction": "in",

+ "leaseContainerName": "leases",

+ "connection": "<connection-app-setting>",

+ "databaseName": "Tasks",

+ "containerName": "Items",

+ "createLeaseContainerIfNotExists": true

+}

+```

+Here's the C# script code:

+```cs

+ using System;

+ using System.Collections.Generic;

+ using Microsoft.Extensions.Logging;

+ // Customize the model with your own desired properties

+ public class ToDoItem

+ {

+ public string id { get; set; }

+ public string Description { get; set; }

+ }

+ public static void Run(IReadOnlyList<ToDoItem> documents, ILogger log)

+ {

+ log.LogInformation("Documents modified " + documents.Count);

+ log.LogInformation("First document Id " + documents[0].id);

+ }

+```

+### Cosmos DB input

+This section outlines support for the [version 4.x+ of the extension](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4) only.

+The following table explains the binding configuration properties that you set in the *function.json* file.

+This section contains the following examples:

+* [Queue trigger, look up ID from string](#queue-trigger-look-up-id-from-string-c-script)

+* [Queue trigger, get multiple docs, using SqlQuery](#queue-trigger-get-multiple-docs-using-sqlquery-c-script)

+* [HTTP trigger, look up ID from query string](#http-trigger-look-up-id-from-query-string-c-script)

+* [HTTP trigger, look up ID from route data](#http-trigger-look-up-id-from-route-data-c-script)

+* [HTTP trigger, get multiple docs, using SqlQuery](#http-trigger-get-multiple-docs-using-sqlquery-c-script)

+* [HTTP trigger, get multiple docs, using DocumentClient](#http-trigger-get-multiple-docs-using-documentclient-c-script)

+The HTTP trigger examples refer to a simple `ToDoItem` type:

+```cs

+namespace CosmosDBSamplesV2

+{

+ public class ToDoItem

+ {

+ public string Id { get; set; }

+ public string Description { get; set; }

+ }

+}

+```

+<a id="queue-trigger-look-up-id-from-string-c-script"></a>

+#### Queue trigger, look up ID from string

+The following example shows an Azure Cosmos DB input binding in a *function.json* file and a C# script function that uses the binding. The function reads a single document and updates the document's text value.

+Here's the binding data in the *function.json* file:

+```json

+{

+ "name": "inputDocument",

+ "type": "cosmosDB",

+ "databaseName": "MyDatabase",

+ "collectionName": "MyCollection",

+ "id" : "{queueTrigger}",

+ "partitionKey": "{partition key value}",

+ "connectionStringSetting": "MyAccount_COSMOSDB",

+ "direction": "in"

+}

+```

+Here's the C# script code:

+```cs

+ using System;

+ // Change input document contents using Azure Cosmos DB input binding

+ public static void Run(string myQueueItem, dynamic inputDocument)

+ {

+ inputDocument.text = "This has changed.";

+ }

+```

+<a id="queue-trigger-get-multiple-docs-using-sqlquery-c-script"></a>

+#### Queue trigger, get multiple docs, using SqlQuery

+The following example shows an Azure Cosmos DB input binding in a *function.json* file and a C# script function that uses the binding. The function retrieves multiple documents specified by a SQL query, using a queue trigger to customize the query parameters.

+The queue trigger provides a parameter `departmentId`. A queue message of `{ "departmentId" : "Finance" }` would return all records for the finance department.

+Here's the binding data in the *function.json* file:

+```json

+{

+ "name": "documents",

+ "type": "cosmosDB",

+ "direction": "in",

+ "databaseName": "MyDb",

+ "collectionName": "MyCollection",

+ "sqlQuery": "SELECT * from c where c.departmentId = {departmentId}",

+ "connectionStringSetting": "CosmosDBConnection"

+}

+```

+Here's the C# script code:

+```csharp

+ public static void Run(QueuePayload myQueueItem, IEnumerable<dynamic> documents)

+ {

+ foreach (var doc in documents)

+ {

+ // operate on each document

+ }

+ }

+ public class QueuePayload

+ {

+ public string departmentId { get; set; }

+ }

+```

+<a id="http-trigger-look-up-id-from-query-string-c-script"></a>

+#### HTTP trigger, look up ID from query string

+The following example shows a C# script function that retrieves a single document. The function is triggered by an HTTP request that uses a query string to specify the ID and partition key value to look up. That ID and partition key value are used to retrieve a `ToDoItem` document from the specified database and collection.

+Here's the *function.json* file:

+```json

+{

+ "bindings": [

+ {

+ "authLevel": "anonymous",

+ "name": "req",

+ "type": "httpTrigger",

+ "direction": "in",

+ "methods": [

+ "get",

+ "post"

+ ]

+ },

+ {

+ "name": "$return",

+ "type": "http",

+ "direction": "out"

+ },

+ {

+ "type": "cosmosDB",

+ "name": "toDoItem",

+ "databaseName": "ToDoItems",

+ "collectionName": "Items",

+ "connectionStringSetting": "CosmosDBConnection",

+ "direction": "in",

+ "Id": "{Query.id}",

+ "PartitionKey" : "{Query.partitionKeyValue}"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```cs

+using System.Net;

+using Microsoft.Extensions.Logging;

+public static HttpResponseMessage Run(HttpRequestMessage req, ToDoItem toDoItem, ILogger log)

+{

+ log.LogInformation("C# HTTP trigger function processed a request.");

+ if (toDoItem == null)

+ {

+ log.LogInformation($"ToDo item not found");

+ }

+ else

+ {

+ log.LogInformation($"Found ToDo item, Description={toDoItem.Description}");

+ }

+ return req.CreateResponse(HttpStatusCode.OK);

+}

+```

+<a id="http-trigger-look-up-id-from-route-data-c-script"></a>

+#### HTTP trigger, look up ID from route data

+The following example shows a C# script function that retrieves a single document. The function is triggered by an HTTP request that uses route data to specify the ID and partition key value to look up. That ID and partition key value are used to retrieve a `ToDoItem` document from the specified database and collection.

+Here's the *function.json* file:

+```json

+{

+ "bindings": [

+ {

+ "authLevel": "anonymous",

+ "name": "req",

+ "type": "httpTrigger",

+ "direction": "in",

+ "methods": [

+ "get",

+ "post"

+ ],

+ "route":"todoitems/{partitionKeyValue}/{id}"

+ },

+ {

+ "name": "$return",

+ "type": "http",

+ "direction": "out"

+ },

+ {

+ "type": "cosmosDB",

+ "name": "toDoItem",

+ "databaseName": "ToDoItems",

+ "collectionName": "Items",

+ "connectionStringSetting": "CosmosDBConnection",

+ "direction": "in",

+ "id": "{id}",

+ "partitionKey": "{partitionKeyValue}"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```cs

+using System.Net;

+using Microsoft.Extensions.Logging;

+public static HttpResponseMessage Run(HttpRequestMessage req, ToDoItem toDoItem, ILogger log)

+{

+ log.LogInformation("C# HTTP trigger function processed a request.");

+ if (toDoItem == null)

+ {

+ log.LogInformation($"ToDo item not found");

+ }

+ else

+ {

+ log.LogInformation($"Found ToDo item, Description={toDoItem.Description}");

+ }

+ return req.CreateResponse(HttpStatusCode.OK);

+}

+```

+<a id="http-trigger-get-multiple-docs-using-sqlquery-c-script"></a>

+#### HTTP trigger, get multiple docs, using SqlQuery

+The following example shows a C# script function that retrieves a list of documents. The function is triggered by an HTTP request. The query is specified in the `SqlQuery` attribute property.

+Here's the *function.json* file:

+```json

+{

+ "bindings": [

+ {

+ "authLevel": "anonymous",

+ "name": "req",

+ "type": "httpTrigger",

+ "direction": "in",

+ "methods": [

+ "get",

+ "post"

+ ]

+ },

+ {

+ "name": "$return",

+ "type": "http",

+ "direction": "out"

+ },

+ {

+ "type": "cosmosDB",

+ "name": "toDoItems",

+ "databaseName": "ToDoItems",

+ "collectionName": "Items",

+ "connectionStringSetting": "CosmosDBConnection",

+ "direction": "in",

+ "sqlQuery": "SELECT top 2 * FROM c order by c._ts desc"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```cs

+using System.Net;

+using Microsoft.Extensions.Logging;

+public static HttpResponseMessage Run(HttpRequestMessage req, IEnumerable<ToDoItem> toDoItems, ILogger log)

+{

+ log.LogInformation("C# HTTP trigger function processed a request.");

+ foreach (ToDoItem toDoItem in toDoItems)

+ {

+ log.LogInformation(toDoItem.Description);

+ }

+ return req.CreateResponse(HttpStatusCode.OK);

+}

+```

+<a id="http-trigger-get-multiple-docs-using-documentclient-c-script"></a>

+#### HTTP trigger, get multiple docs, using DocumentClient

+The following example shows a C# script function that retrieves a list of documents. The function is triggered by an HTTP request. The code uses a `DocumentClient` instance provided by the Azure Cosmos DB binding to read a list of documents. The `DocumentClient` instance could also be used for write operations.

+Here's the *function.json* file:

+```json

+{

+ "bindings": [

+ {

+ "authLevel": "anonymous",

+ "name": "req",

+ "type": "httpTrigger",

+ "direction": "in",

+ "methods": [

+ "get",

+ "post"

+ ]

+ },

+ {

+ "name": "$return",

+ "type": "http",

+ "direction": "out"

+ },

+ {

+ "type": "cosmosDB",

+ "name": "client",

+ "databaseName": "ToDoItems",

+ "collectionName": "Items",

+ "connectionStringSetting": "CosmosDBConnection",

+ "direction": "inout"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```cs

+#r "Microsoft.Azure.Documents.Client"

+using System.Net;

+using Microsoft.Azure.Documents.Client;

+using Microsoft.Azure.Documents.Linq;

+using Microsoft.Extensions.Logging;

+public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, DocumentClient client, ILogger log)

+{

+ log.LogInformation("C# HTTP trigger function processed a request.");

+ Uri collectionUri = UriFactory.CreateDocumentCollectionUri("ToDoItems", "Items");

+ string searchterm = req.GetQueryNameValuePairs()

+ .FirstOrDefault(q => string.Compare(q.Key, "searchterm", true) == 0)

+ .Value;

+ if (searchterm == null)

+ {

+ return req.CreateResponse(HttpStatusCode.NotFound);

+ }

+ log.LogInformation($"Searching for word: {searchterm} using Uri: {collectionUri.ToString()}");

+ IDocumentQuery<ToDoItem> query = client.CreateDocumentQuery<ToDoItem>(collectionUri)

+ .Where(p => p.Description.Contains(searchterm))

+ .AsDocumentQuery();

+ while (query.HasMoreResults)

+ {

+ foreach (ToDoItem result in await query.ExecuteNextAsync())

+ {

+ log.LogInformation(result.Description);

+ }

+ }

+ return req.CreateResponse(HttpStatusCode.OK);

+}

+```

+### Cosmos DB output

+This section outlines support for the [version 4.x+ of the extension](./functions-bindings-cosmosdb-v2.md?tabs=in-process%2Cextensionv4) only.

+The following table explains the binding configuration properties that you set in the *function.json* file.

+This section contains the following examples:

+* [Queue trigger, write one doc](#queue-trigger-write-one-doc-c-script)

+* [Queue trigger, write docs using IAsyncCollector](#queue-trigger-write-docs-using-iasynccollector-c-script)

+<a id="queue-trigger-write-one-doc-c-script"></a>

+#### Queue trigger, write one doc

+The following example shows an Azure Cosmos DB output binding in a *function.json* file and a [C# script function](functions-reference-csharp.md) that uses the binding. The function uses a queue input binding for a queue that receives JSON in the following format:

+```json

+{

+ "name": "John Henry",

+ "employeeId": "123456",

+ "address": "A town nearby"

+}

+```

+The function creates Azure Cosmos DB documents in the following format for each record:

+```json

+{

+ "id": "John Henry-123456",

+ "name": "John Henry",

+ "employeeId": "123456",

+ "address": "A town nearby"

+}

+```

+Here's the binding data in the *function.json* file:

+```json

+{

+ "name": "employeeDocument",

+ "type": "cosmosDB",

+ "databaseName": "MyDatabase",

+ "collectionName": "MyCollection",

+ "createIfNotExists": true,

+ "connectionStringSetting": "MyAccount_COSMOSDB",

+ "direction": "out"

+}

+```

+Here's the C# script code:

+```cs

+ #r "Newtonsoft.Json"

+ using Microsoft.Azure.WebJobs.Host;

+ using Newtonsoft.Json.Linq;

+ using Microsoft.Extensions.Logging;

+ public static void Run(string myQueueItem, out object employeeDocument, ILogger log)

+ {

+ log.LogInformation($"C# Queue trigger function processed: {myQueueItem}");

+ dynamic employee = JObject.Parse(myQueueItem);

+ employeeDocument = new {

+ id = employee.name + "-" + employee.employeeId,

+ name = employee.name,

+ employeeId = employee.employeeId,

+ address = employee.address

+ };

+ }

+```

+<a id="queue-trigger-write-docs-using-iasynccollector-c-script"></a>

+#### Queue trigger, write docs using IAsyncCollector

+To create multiple documents, you can bind to `ICollector<T>` or `IAsyncCollector<T>` where `T` is one of the supported types.

+This example refers to a simple `ToDoItem` type:

+```cs

+namespace CosmosDBSamplesV2

+{

+ public class ToDoItem

+ {

+ public string id { get; set; }

+ public string Description { get; set; }

+ }

+}

+```

+Here's the function.json file:

+```json

+{

+ "bindings": [

+ {

+ "name": "toDoItemsIn",

+ "type": "queueTrigger",

+ "direction": "in",

+ "queueName": "todoqueueforwritemulti",

+ "connectionStringSetting": "AzureWebJobsStorage"

+ },

+ {

+ "type": "cosmosDB",

+ "name": "toDoItemsOut",

+ "databaseName": "ToDoItems",

+ "collectionName": "Items",

+ "connectionStringSetting": "CosmosDBConnection",

+ "direction": "out"

+ }

+ ],

+ "disabled": false

+}

+```

+Here's the C# script code:

+```cs

+using System;

+using Microsoft.Extensions.Logging;

+public static async Task Run(ToDoItem[] toDoItemsIn, IAsyncCollector<ToDoItem> toDoItemsOut, ILogger log)

+{

+ log.LogInformation($"C# Queue trigger function processed {toDoItemsIn?.Length} items");

+ foreach (ToDoItem toDoItem in toDoItemsIn)

+ {

+ log.LogInformation($"Description={toDoItem.Description}");

+ await toDoItemsOut.AddAsync(toDoItem);

+ }

+}

+```

+|C# (in-process model) |[link](./functions-dotnet-class-library.md#supported-versions)|

+|C# (isolated worker model) |[link](./dotnet-isolated-process-guide.md#supported-versions)|

+# <a name="top"></a>Migrate apps from Azure Functions version 1.x to version 4.x

+> Python isn't supported by version 1.x of the Azure Functions runtime. Perhaps you're instead looking to [migrate your Python app from version 3.x to version 4.x](./migrate-version-3-version-4.md). If you're migrating a version 1.x function app, select either C# or JavaScript above.

+This article walks you through the process of safely migrating your function app to run on version 4.x of the Functions runtime. Because project upgrade instructions are language dependent, make sure to choose your development language from the selector at the [top of the article](#top).

+## Choose your target .NET version

+On version 1.x of the Functions runtime, your C# function app targets .NET Framework.

+> [!TIP]

+> **Unless your app depends on a library or API only available to .NET Framework, we recommend upgrading to .NET 6 on the isolated worker model.** Many apps on version 1.x target .NET Framework only because that is what was available when they were created. Additional capabilities are available to more recent versions of .NET, and if your app is not forced to stay on .NET Framework due to a dependency, you should upgrade.

+>

+> Migrating to the isolated worker model will require additional code changes as part of this migration, but it will give your app [additional benefits](./dotnet-isolated-in-process-differences.md), including the ability to more easily target future versions of .NET. The [.NET Upgrade Assistant] can also handle many of the necessary code changes for you.

+Migrating a C# function app from version 1.x to version 4.x of the Functions runtime requires you to make changes to your project code. Many of these changes are a result of changes in the C# language and .NET APIs.

+> [!TIP]

+> The [.NET Upgrade Assistant] can be used to automatically make many of the changes mentioned in the following sections.

+[.NET Upgrade Assistant]: /dotnet/core/porting/upgrade-assistant-overview

+> As of December 13, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime have reached the end of life (EOL) of extended support.

+> Apps using versions 2.x and 3.x can still be created and deployed from your CI/CD DevOps pipeline, and all existing apps continue to run without breaking changes. However, your apps are not eligible for new features, security patches, and performance optimizations. You'll only get related service support once you upgrade them to version 4.x.

+> End of support for these older runtime versions is due to the end of support for .NET Core 3.1, which they had as a core dependency. This requirement affects all [languages supported by Azure Functions](supported-languages.md).

+> We highly recommend that you migrate your function apps to version 4.x of the Functions runtime by following this article.

+## Choose your target .NET version

+On version 3.x of the Functions runtime, your C# function app targets .NET Core 3.1 using the in-process model or .NET 5 using the isolated worker model.

+> **If you're migrating from .NET 5 (on the isolated worker model), we recommend upgrading to .NET 6 on the isolated worker model.** This provides a quick upgrade path with the longest support window from .NET.

+> **If you're migrating from .NET Core 3.1 (on the in-process model), we recommend upgrading to .NET 6 on the in-process model.** This provides a quick upgrade path. However, you might also consider upgrading to .NET 6 on the isolated worker model. Switching to the isolated worker model will require additional code changes as part of this migration, but it will give your app [additional benefits](./dotnet-isolated-in-process-differences.md), including the ability to more easily target future versions of .NET. The [.NET Upgrade Assistant] can also handle many of the necessary code changes for you.

+> [!TIP]

+> The [.NET Upgrade Assistant] can be used to automatically make many of the changes mentioned in the following sections.

+[.NET Upgrade Assistant]: /dotnet/core/porting/upgrade-assistant-overview

+ Option 1: Outputs **ready-to-deploy ARM template files** only, which creates the generated DCR in the specified subscription and resource group, when deployed.

+ ```powershell

+ .\WorkspaceConfigToDCRMigrationTool.ps1 -SubscriptionId $subId -ResourceGroupName $rgName -WorkspaceName $workspaceName -DCRName $dcrName -Location $location -FolderPath $folderPath

+ ```

+ Option 2: Outputs **ready-to-deploy ARM template files** and **the DCR JSON files** separately for you to deploy via other means. You need to set the `GetDcrPayload` parameter.

+ ```powershell

+ .\WorkspaceConfigToDCRMigrationTool.ps1 -SubscriptionId $subId -ResourceGroupName $rgName -WorkspaceName $workspaceName -DCRName $dcrName -Location $location -FolderPath $folderPath -GetDcrPayload

+ ```

+ **Parameters**

+ | Parameter | Required? | Description |

+ ||||

+ | `SubscriptionId` | Yes | ID of the subscription that contains the target workspace. |

+ | `ResourceGroupName` | Yes | Resource group that contains the target workspace. |

+ | `WorkspaceName` | Yes | Name of the target workspace. |

+ | `DCRName` | Yes | Name of the new DCR. |

+ | `Location` | Yes | Region location for the new DCR. |

+ | `GetDcrPayload` | No | When set, it generates additional DCR JSON files

+ | `FolderPath` | No | Path in which to save the ARM template files and JSON files (optional). By default, Azure Monitor uses the current directory. |

+ - Windows ARM template and parameter files - if the target workspace contains Windows performance counters or Windows events.

+ - Linux ARM template and parameter files - if the target workspace contains Linux performance counters or Linux Syslog events.

+ If the Log Analytics workspace wasn't [configured to collect data](./log-analytics-agent.md#data-collected) from connected agents, the generated files will be empty. This is a scenario in which the agent was connected to a Log Analytics workspace, but wasn't configured to send any data from the host machine.

+ > [!NOTE]

+ > Azure Monitor Agent uses local persistency by default. All events received from `rsyslog` or `syslog-ng` are queued in `/var/opt/microsoft/azuremonitoragent/events` if they fail to be uploaded.

+ ```config

+ *.*;auth,authpriv.none -/var/log/syslog

+ ```

+ To this snippet (add `local4.none;`):

+ ```config

+ *.*;local4.none;auth,authpriv.none -/var/log/syslog

+ ```

+ 1. Open Azure portal > select your virtual machine > Open **Settings** : **Extensions + applications** from the pane on the left > 'AzureMonitorLinuxAgent'should show up with Status: 'Provisioning succeeded'

+ 2. If you don't see the extension listed, check if machine can reach Azure and find the extension to install using the command below:

+ ```azurecli

+ az vm extension image list-versions --location <machine-region> --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor

+ ```

+ 3. Wait for 10-15 minutes as extension maybe in transitioning status. If it still doesn't show up as above, [uninstall and install the extension](./azure-monitor-agent-manage.md) again.

+ 4. Check if you see any errors in extension logs located at `/var/log/azure/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent/` on your machine

+ 5. If none of the above helps, [file a ticket](#file-a-ticket) with **Summary** as 'AMA extension fails to install or provision' and **Problem type** as 'I need help with Azure Monitor Linux Agent'.

+ 1. Check if the agent is emitting heartbeat logs to Log Analytics workspace using the query below. Skip if 'Custom Metrics' is the only destination in the DCR:

+ ```Kusto

+ Heartbeat | where Category == "Azure Monitor Agent" and Computer == "<computer-name>" | take 10

+ ```

+ 2. Check if the agent service is running

+ ```

+ systemctl status azuremonitoragent

+ ```

+ 3. Check if you see any errors in core agent logs located at `/var/opt/microsoft/azuremonitoragent/log/mdsd.*` on your machine

+ 3. If none of the above helps, [file a ticket](#file-a-ticket) with **Summary** as 'AMA extension provisioned but not running' and **Problem type** as 'I need help with Azure Monitor Linux Agent'.

+

+ 1. If using Log Analytics workspace as destination, verify that DCR exists in the same physical region as the Log Analytics workspace.

+ 2. Open Azure portal > select your data collection rule > Open **Configuration** : **Resources** from the pane on the left > You should see the virtual machine listed here.

+ 3. If not listed, click 'Add' and select your virtual machine from the resource picker. Repeat across all DCRs.

+ 4. If none of the above helps, [file a ticket](#file-a-ticket) with **Summary** as 'DCR not found or associated' and **Problem type** as 'I need help configuring data collection from a VM'.

+ 1. Check if you see the latest DCR downloaded at this location `/etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/`

+ 2. If not, [file a ticket](#file-a-ticket) with **Summary** as 'AMA unable to download DCR config' and **Problem type** as 'I need help with Azure Monitor Linux Agent'.

+- The quality of service (QoS) file `/var/opt/microsoft/azuremonitoragent/log/mdsd.qos` provides CSV-format 15-minute aggregations of the processed events and contains the information on the amount of the processed syslog events in the given timeframe. **This file is useful in tracking Syslog event ingestion drops**.

+ For example, the below fragment shows that in the 15 minutes preceding 2022-02-28T19:55:23.5432920Z, the agent received 77 syslog events with facility daemon and level info and sent 77 of said events to the upload task. Additionally, the agent upload task received 77 and successfully uploaded all 77 of these daemon.info messages.

+ ```

+ #Time: 2022-02-28T19:55:23.5432920Z

+ #Fields: Operation,Object,TotalCount,SuccessCount,Retries,AverageDuration,AverageSize,AverageDelay,TotalSize,TotalRowsRead,TotalRowsSent

+ ...

+ MaRunTaskLocal,daemon.debug,15,15,0,60000,0,0,0,0,0

+ MaRunTaskLocal,daemon.info,15,15,0,60000,46.2,0,693,77,77

+ MaRunTaskLocal,daemon.notice,15,15,0,60000,0,0,0,0,0

+ MaRunTaskLocal,daemon.warning,15,15,0,60000,0,0,0,0,0

+ MaRunTaskLocal,daemon.error,15,15,0,60000,0,0,0,0,0

+ MaRunTaskLocal,daemon.critical,15,15,0,60000,0,0,0,0,0

+ MaRunTaskLocal,daemon.alert,15,15,0,60000,0,0,0,0,0

+ MaRunTaskLocal,daemon.emergency,15,15,0,60000,0,0,0,0,0

+ ...

+ MaODSRequest,https://e73fd5e3-ea2b-4637-8da0-5c8144b670c8_LogManagement,15,15,0,455067,476.467,0,7147,77,77

+ ```

+ 1. If yes, proceed to step 3. If not, the issue is in the configuration workflow.

+ 2. Investigate `mdsd.err`,`mdsd.warn`, `mdsd.info` files under `/var/opt/microsoft/azuremonitoragent/log` for possible configuration errors.

+ 3. If none of the above helps, [file a ticket](#file-a-ticket) with **Summary** as 'Syslog DCR not available' and **Problem type** as 'I need help configuring data collection from a VM'.

+ 1. For `rsyslog` users, ensure the `/etc/rsyslog.d/10-azuremonitoragent.conf` file is present, isn't empty, and is accessible by the `rsyslog` daemon (syslog user).

+ 1. Check your rsyslog configuration at `/etc/rsyslog.conf` and `/etc/rsyslog.d/*` to see if you have any inputs bound to a non-default ruleset, as messages from these inputs won't be forwarded to Azure Monitor Agent. For instance, messages from an input configured with a non-default ruleset like `input(type="imtcp" port="514" `**`ruleset="myruleset"`**`)` won't be forward.

+ 2. For `syslog-ng` users, ensure the `/etc/syslog-ng/conf.d/azuremonitoragent.conf` file is present, isn't empty, and is accessible by the `syslog-ng` daemon (syslog user).

+ 3. Ensure the file `/run/azuremonitoragent/default_syslog.socket` exists and is accessible by `rsyslog` or `syslog-ng` respectively.

+ 4. Check for a corresponding drop in count of processed syslog events in `/var/opt/microsoft/azuremonitoragent/log/mdsd.qos`. If such drop isn't indicated in the file, [file a ticket](#file-a-ticket) with **Summary** as 'Syslog data dropped in pipeline' and **Problem type** as 'I need help with Azure Monitor Linux Agent'.

+ 5. Check that syslog daemon queue isn't overflowing, causing the upload to fail, by referring the guidance here: [Rsyslog data not uploaded due to Full Disk space issue on AMA Linux Agent](./azure-monitor-agent-troubleshoot-linux-vm-rsyslog.md)

+ ```

+ export MDSD_OPTIONS="-A -c /etc/opt/microsoft/azuremonitoragent/mdsd.xml -d -r $MDSD_ROLE_PREFIX -S $MDSD_SPOOL_DIRECTORY/eh -L $MDSD_SPOOL_DIRECTORY/events -e $MDSD_LOG_DIR/mdsd.err -w $MDSD_LOG_DIR/mdsd.warn -o $MDSD_LOG_DIR/mdsd.info -T 0x2002"

+ ```

+ > [!WARNING]

+ > Ensure to remove trace flag setting **-T 0x2002** after the debugging session, since it generates many trace statements that could fill up the disk more quickly or make visually parsing the log file difficult.

+ 1. Open Azure portal > select your Arc-enabled server > Open **Settings** : **Extensions** from the pane on the left > 'AzureMonitorWindowsAgent'should show up with Status: 'Succeeded'

+ 2. If not, check if the Arc agent (Connected Machine Agent) is able to connect to Azure and the extension service is running.

+ ```azurecli

+ azcmagent show

+ ```

+ You should see the below output:

+ ```

+ Resource Name : <server name>

+ [...]

+ Dependent Service Status

+ Agent Service (himds) : running

+ GC Service (gcarcservice) : running

+ Extension Service (extensionservice) : running

+ ```

+ If instead you see `Agent Status: Disconnected` or any other status, [file a ticket](#file-a-ticket) with **Summary** as 'Arc agent or extensions service not working' and **Problem type** as 'I need help with Azure Monitor Windows Agent'.

+ 3. Wait for 10-15 minutes as extension maybe in transitioning status. If it still doesn't show up, [uninstall and install the extension](./azure-monitor-agent-manage.md) again and repeat the verification to see the extension show up.

+ 4. If not, check if you see any errors in extension logs located at `C:\ProgramData\GuestConfig\extension_logs\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent` on your machine

+ 5. If none of the above works, [file a ticket](#file-a-ticket) with **Summary** as 'AMA extension fails to install or provision' and **Problem type** as 'I need help with Azure Monitor Windows Agent'.

+ 1. Check if the agent is emitting heartbeat logs to Log Analytics workspace using the query below. Skip if 'Custom Metrics' is the only destination in the DCR:

+ ```Kusto

+ Heartbeat | where Category == "Azure Monitor Agent" and Computer == "<computer-name>" | take 10

+ ```

+ 2. If not, open Task Manager and check if 'MonAgentCore.exe' process is running. If it is, wait for 5 minutes for heartbeat to show up.

+ 3. If not, check if you see any errors in core agent logs located at `C:\Resources\Directory\AMADataStore\Configuration` on your machine

+ 4. If none of the above helps, [file a ticket](#file-a-ticket) with **Summary** as 'AMA extension provisioned but not running' and **Problem type** as 'I need help with Azure Monitor Windows Agent'.

+

+ 1. If using Log Analytics workspace as destination, verify that DCR exists in the same physical region as the Log Analytics workspace.

+ 2. On your Arc-enabled server, verify the existence of the file `C:\Resources\Directory\AMADataStore\mcs\mcsconfig.latest.xml`. If this file doesn't exist, the Arc-enabled server may not be associated with a DCR.

+ 3. Open Azure portal > select your data collection rule > Open **Configuration** : **Resources** from the pane on the left > You should see the Arc-enabled server listed here

+ 4. If not listed, click 'Add' and select your Arc-enabled server from the resource picker. Repeat across all DCRs.

+ 5. If none of the above helps, [file a ticket](#file-a-ticket) with **Summary** as 'DCR not found or associated' and **Problem type** as 'I need help configuring data collection from a VM'.

+ 1. Check if you see the latest DCR downloaded at this location `C:\Resources\Directory\AMADataStore\mcs\configchunks`

+ 2. If not, [file a ticket](#file-a-ticket) with **Summary** as 'AMA unable to download DCR config' and **Problem type** as 'I need help with Azure Monitor Windows Agent'.