-* Go to [noknok.com](https://noknok.com/products/strong-authentication-service/). On the top menu, select **Demo**.

-[Azure Active Directory user provisioning service](../app-provisioning/user-provisioning.md) integrates with [SAP SuccessFactors Employee Central](https://www.successfactors.com/products-services/core-hr-payroll/employee-central.html) to manage the identity life cycle of users. Azure Active Directory offers three prebuilt integrations:

-The Azure AD SuccessFactors connector uses SuccessFactors OData API to retrieve changes and provision users. If you observe issues with the provisioning service and want to confirm what data was retrieved from SuccessFactors, you can enable OData API Audit logs in SuccessFactors. To enable audit logs, follow the steps documented in [SAP support note 2680837](https://userapps.support.sap.com/sap/support/knowledge/en/2680837). Retrieve the request payload sent by Azure AD from the audit logs. To troubleshoot, you can copy this request payload in a tool like [Postman](https://www.postman.com/downloads/), set it up to use the same API user that is used by the connector and see if it returns the desired changes from SuccessFactors.

-Because this configuration is widely used with the *Workday to Active Directory user provisioning* app, the following steps include screenshots of the Workday application. However, the configuration can also be used with *all other apps*, such as ServiceNow, Salesforce, and Dropbox and [cross-tenant synchronization](../multi-tenant-organizations/cross-tenant-synchronization-configure.md). To successfully complete this procedure, you must have first set up app provisioning for the app. Each app has its own configuration article. For example, to configure the Workday application, see [Tutorial: Configure Workday to Azure AD user provisioning](../saas-apps/workday-inbound-cloud-only-tutorial.md).

-> If you are installing the connector on Windows Server 2019, you must disable HTTP2 protocol support in the WinHttp component for Kerberos Constrained Delegation to properly work. This is disabled by default in earlier versions of supported operating systems. Adding the following registry key and restarting the server disables it on Windows Server 2019. Note that this is a machine-wide registry key.

- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001

- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

-| [Movenda](https://www.movenda.com/en/authentication/fido2/overview) | ![y] | ![n]| ![y]| ![y]| ![n] |

-| [Movenda](https://www.movenda.com/en/authentication/fido2/overview) | ![y] | ![n]| ![y]| ![y]| ![n] |

-This article describes how to onboard a Google Cloud Platform (GCP) project on Permissions Management.

-For GCP, permissions management is scoped to a *GCP project*. A GCP project is a logical collection of your resources in GCP, like a subscription in Azure, albeit with further configurations you can perform such as application registrations and OIDC configurations.

-There are several moving parts across GCP and Azure, which are required to be configured before onboarding.

-1. On the **Data Collectors** tab, select **GCP**, and then select **Create Configuration**.

- > 1. To confirm that the app was created, open **App registrations** in Azure and, on the **All applications** tab, locate your app.

-The automatically manage option allows projects to be automatically detected and monitored without extra configuration. Steps to detect list of projects and onboard for collection:

-1. Firstly, grant **Viewer** and **Security Reviewer** role to service account created in previous step at organization, folder or project scope.

-To enable controller mode 'On' for any projects, add following roles to the specific projects:

-2. Once done, the steps are listed in the screen, which shows how to further configure in the GPC console, or programmatically with the gCloud CLI.

- To enable controller mode 'On' for any projects, add following roles to the specific projects:

-This option detects all projects that are accessible by the Cloud Infrastructure Entitlement Management application.

-1. Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope

- To enable controller mode 'On' for any projects, add following roles to the specific projects:

- - Role Administrators

- - Security Admin

-2. Once done, the steps are listed in the screen to do configure manually in the GPC console, or programmatically with the gCloud CLI

- The following message appears: **Successfully Created Configuration.**

- You have now completed onboarding GCP, and Permissions Management has started collecting and processing your data.

-Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Azure AD, their primary identity is [bound to the device](../devices/concept-primary-refresh-token.md#how-is-the-prt-protected). What this means is that a policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource.

-This preview supports the following configurations:

- - Power BI Desktop client

- - Visual Studio

- - The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in an August release.

-> **Sign In logs output:** The value of the string used in "enforcedSessionControls" and "sessionControlsNotSatisfied" changed from "Binding" to "SignInTokenProtection" in late June 2023. Queries on Sign In Log data should be updated to reflect this change.

-| where ConditionalAccessPolicies ["enforcedSessionControls"] contains '["SignInTokenProtection"]'

-| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow')

-| where ConditionalAccessPolicies.enforcedSessionControls contains '["SignInTokenProtection"]'

-| extend Result = case (SessionNotSatisfyResult contains 'SignInTokenProtection', 'Block','Allow')

-Organizations may choose to require other grant controls with or in place of **Require multifactor authentication** at step 7a. When selecting multiple controls, be sure to select the appropriate radio button toggle to require **all** or **one** of the selected controls when making this change.

-If you don't already have an Azure AD tenant or if you want to create a new one for development, see [Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md). Or use the [directory creation experience](https://portal.azure.com/#create/Microsoft.AzureActiveDirectory) in the Azure portal.

- | `curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"` | Correct information about the Azure VM |

- | `curl -H Metadata:true "http://169.254.169.254/metadata/identity/info?api-version=2018-02-01"` | Valid tenant ID associated with the Azure subscription |

- | `curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?resource=urn:ms-drs:enterpriseregistration.windows.net&api-version=2018-02-01"` | Valid access token issued by Azure Active Directory for the managed identity that is assigned to this VM |

->This information last updated on July 28th, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

-The `MainView` class is a content page responsible for displaying the main view of the app. In the constructor, it retrieves the cached user account using the `MSALClientHelper` from the `PublicClientSingleton` instance and enables the sign-in button, if no cached user account is found.

- This XAML markup code represents the UI layout for a claim view in a .NET MAUI app. It starts by defining the `ContentPage` with a title and disabling the back button behavior.

-

- Inside a `VerticalStackLayout`, there are several `Label` elements displaying static text, followed by a `ListView` named `Claims` that binds to a collection called `IdTokenClaims` to display the claims found in the ID token. Each claim is rendered within a `ViewCell` using a `DataTemplate` and displayed as a centered `Label` within a Grid.

-

- Lastly, there's a `Sign Out` button centered at the bottom of the layout, which triggers the `SignOutButton_Clicked` event handler when clicked.

- The _ClaimsView.xaml.cs_ code represents the code-behind for a claim view in a .NET MAUI app. It starts by importing the necessary namespaces and defining the `ClaimsView` class, which extends `ContentPage`. The `IdTokenClaims` property is an enumerable of strings, initially set to a single string indicating no claims found.

-1. Select **Framework**

- The `MainView` class is a content page responsible for displaying the main view of the app. In the constructor, it retrieves the cached user account using the `MSALClientHelper` from the `PublicClientSingleton` instance and enables the sign-in button, if no cached user account is found.

-

- This XAML markup code represents the UI layout for a claim view in a .NET MAUI app. It starts by defining the `ContentPage` with a title and disabling the back button behavior.

-

- Inside a `VerticalStackLayout`, there are several `Label` elements displaying static text, followed by a `ListView` named `Claims` that binds to a collection called `IdTokenClaims` to display the claims found in the ID token. Each claim is rendered within a `ViewCell` using a `DataTemplate` and displayed as a centered `Label` within a Grid.

-

- Lastly, there's a `Sign Out` button centered at the bottom of the layout, which triggers the `SignOutButton_Clicked` event handler when clicked.

- The _ClaimsView.xaml.cs_ code represents the code-behind for a claim view in a .NET MAUI app. It starts by importing the necessary namespaces and defining the `ClaimsView` class, which extends `ContentPage`. The `IdTokenClaims` property is an enumerable of strings, initially set to a single string indicating no claims found.

-

-

-

- Let's break down the key parts of the code you have added:

-

- - The necessary `using` statements are included at the top.

- - The `MainActivity` class is defined, inheriting from `MauiAppCompatActivity`, which is the base class for the Android platform in .NET MAUI.

- - The [Activity] attribute is applied to the `MainActivity` class, specifying various settings for the Android activity.

- - `Theme = "@style/Maui.SplashTheme"` sets the splash theme for the activity.

- - `MainLauncher = true` designates this activity as the main entry point of the application.

- - `ConfigurationChanges` specifies the configuration changes that the activity can handle, such as _screen size_, _orientation_, _UI mode_, _screen layout_, _smallest screen size_, and _density_.

- - `OnCreate` method is overridden to provide custom logic when the activity is being created.

- - `base.OnCreate(savedInstanceState)` calls the base implementation of the method.

- - `PlatformConfig.Instance.RedirectUri` is set to a dynamically generated value based on `PublicClientSingleton.Instance.MSALClientHelper.AzureAdConfig.ClientId`. It configures the redirect URI for the MSAL client.

- - `PlatformConfig.Instance.ParentWindow` is set to the current activity instance, which specifies the parent window for authentication-related operations.

- - `PublicClientSingleton.Instance.MSALClientHelper.InitializePublicClientAppAsync()` initializes the MSAL client app asynchronously using a helper method from a singleton instance called `MSALClientHelper`. The `Task.Run` is used to execute the initialization on a background thread, and `.Result` is used to synchronously wait for the task to complete.

- - `OnActivityResult` method is overridden to handle the result of an activity launched by the current activity.

- - `base.OnActivityResult(requestCode, resultCode, data)` calls the base implementation of the method.

- - `AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs(requestCode, resultCode, data)` sets the authentication continuation event arguments based on the received request code, result code, and intent data. This is used to continue the authentication flow after an external activity returns a result.

-1. Select **Android Emulators**.

-When sharing an application with external users, you might not always know in advance who will need access to the application. As an alternative to sending invitations directly to individuals, you can allow external users to sign up for specific applications themselves by enabling [self-service sign-up user flow](self-service-sign-up-user-flow.md). You can create a personalized sign-up experience by customizing the self-service sign-up user flow. For example, you can provide options to sign up with Azure AD or social identity providers and collect information about the user during the sign-up process.

-A self-service sign-up user flow creates a sign-up experience for your external users through the application you want to share. The user flow can be associated with one or more of your applications. First you'll enable self-service sign-up for your tenant and federate with the identity providers you want to allow external users to use for sign-in. Then you'll create and customize the sign-up user flow and assign your applications to it.

-You can configure user flow settings to control how the user signs up for the application:

-The user can sign in to your application, via the web, mobile, desktop, or single-page application (SPA). The application initiates an authorization request to the user flow-provided endpoint. The user flow defines and controls the user's experience. When the user completes the sign-up user flow, Azure AD generates a token and redirects the user back to your application. Upon completion of sign-up, a guest account is provisioned for the user in the directory. Multiple applications can use the same user flow.

-The following example illustrates how we're bringing social identity providers to Azure AD with self-service sign-up capabilities for guest users.

-A partner of Woodgrove opens the Woodgrove app. They decide they want to sign up for a supplier account, so they select Request your supplier account, which initiates the self-service sign-up flow.

- For details, see how to [add self-service sign-up to an app](self-service-sign-up-user-flow.md).

-[New-MgRoleManagementDirectoryRoleAssignment](/powershell/module/microsoft.graph.devicemanagement.enrolment/new-mgrolemanagementdirectoryroleassignment)

-[New-MgRoleManagementDirectoryRoleAssignment](/powershell/module/microsoft.graph.devicemanagement.enrolment/new-mgrolemanagementdirectoryroleassignment)

-You can't configure groups and organizational units within a configuration.

-description: Covers the pillars of identity, and identifying access requirements for resources for users in a hybrid environment.

-# Determine access control requirements for your hybrid identity solution

-When an organization is designing their hybrid identity solution, they can also use this opportunity to review access requirements for the resources that they are planning to make it available for users. The data access cross all four pillars of identity, which are:

-* Administration

-* Authentication

-* Authorization

-* Auditing

-The sections that follow will cover authentication and authorization in more details, administration, and auditing are part of the hybrid identity lifecycle. Read [Determine hybrid identity management tasks](plan-hybrid-identity-design-considerations-hybrid-id-management-tasks.md) for more information about these capabilities.

-> [!NOTE]

-> Read [The Four Pillars of Identity - Identity Management in the Age of Hybrid IT](https://social.technet.microsoft.com/wiki/contents/articles/15530.the-four-pillars-of-identity-identity-management-in-the-age-of-hybrid-it.aspx) for more information about each one of those pillars.

->

->

-## Authentication and authorization

-There are different scenarios for authentication and authorization, these scenarios will have specific requirements that must be fulfilled by the hybrid identity solution that the company is going to adopt. Scenarios involving Business to Business (B2B) communication can add an extra challenge for IT Admins since they will need to ensure that the authentication and authorization method used by the organization can communicate with their business partners. During the designing process for authentication and authorization requirements, ensure that the following questions are answered:

-* Will your organization authenticate and authorize only users located at their identity management system?

- * Are there any plans for B2B scenarios?

- * If yes, do you already know which protocols (SAML, OAuth, Kerberos, or Certificates) will be used to connect both businesses?

-* Does the hybrid identity solution that you are going to adopt support those protocols?

-Another important point to consider is where the authentication repository that will be used by users and partners will be located and the administrative model to be used. Consider the following two core options:

-* Centralized: in this model, the userΓÇÖs credentials, policies and administration can be centralized on-premises or in the cloud.

-* Hybrid: in this model, the userΓÇÖs credentials, policies and administration will be centralized on-premises and a replicated in the cloud.

-Which model your organization will adopt will vary according to their business requirements, you want to answer the following questions to identify where the identity management system will reside and the administrative mode to use:

-* Does your organization currently have an identity management on-premises?

- * If yes, do they plan to keep it?

- * Are there any regulation or compliance requirements that your organization must follow that dictates where the identity management system should reside?

-* Does your organization use single sign-on for apps located on-premises or in the cloud?

- * If yes, does the adoption of a hybrid identity model affect this process?

-## Access Control

-While authentication and authorization are core elements to enable access to corporate data through userΓÇÖs validation, it is also important to control the level of access that these users will have and the level of access administrators will have over the resources that they are managing. Your hybrid identity solution must be able to provide granular access to resources, delegation, and role base access control. Ensure that the following question is answered regarding access control:

-* Does your company have more than one user with elevated privilege to manage your identity system?

- * If yes, does each user need the same access level?

-* Would your company need to delegate access to users to manage specific resources?

- * If yes, how frequently this happens?

-* Would your company need to integrate access control capabilities between on-premises and cloud resources?

-* Would your company need to limit access to resources according to some conditions?

-* Would your company have any application that needs custom control access to some resources?

- * If yes, where are those apps located (on-premises or in the cloud)?

- * If yes, where are those target resources located (on-premises or in the cloud)?

-> [!NOTE]

-> Make sure to take notes of each answer and understand the rationale behind the answer. [Define Data Protection Strategy](plan-hybrid-identity-design-considerations-data-protection-strategy.md) will go over the options available and advantages/disadvantages of each option. By answering those questions you will select which option best suits your business needs.

->

->

-## Next steps

-[Determine incident response requirements](plan-hybrid-identity-design-considerations-incident-response-requirements.md)

-## See Also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: Identify the companyΓÇÖs business needs that will lead you to define the requirements for the hybrid identity design.

-# Determine identity requirements for your hybrid identity solution

-The first step in designing a hybrid identity solution is to determine the requirements for the business organization that will be leveraging this solution. Hybrid identity starts as a supporting role (it supports all other cloud solutions by providing authentication) and goes on to provide new and interesting capabilities that unlock new workloads for users. These workloads or services that you wish to adopt for your users will dictate the requirements for the hybrid identity design. These services and workloads need to leverage hybrid identity both on-premises and in the cloud.

-You need to go over these key aspects of the business to understand what it is a requirement now and what the company plans for the future. If you donΓÇÖt have the visibility of the long term strategy for hybrid identity design, chances are that your solution will not be scalable as the business needs grow and change. The diagram below shows an example of a hybrid identity architecture and the workloads that are being unlocked for users. This is just an example of all the new possibilities that can be unlocked and delivered with a solid hybrid identity strategy.

-Some components that are part of the hybrid identity architecture

-

-## Determine business needs

-Each company will have different requirements, even if these companies are part of the same industry, the real business requirements might vary. You can still leverage best practices from the industry, but ultimately it is the companyΓÇÖs business needs that will lead you to define the requirements for the hybrid identity design.

-Make sure to answer the following questions to identify your business needs:

-* Is your company looking to cut IT operational cost?

-* Is your company looking to secure cloud assets (SaaS apps, infrastructure)?

-* Is your company looking to modernize your IT?

- * Are your users more mobile and demanding IT to create exceptions into your DMZ to allow different type of traffic to access different resources?

- * Does your company have legacy apps that needed to be published to these modern users but are not easy to rewrite?

- * Does your company need to accomplish all these tasks and bring it under control at the same time?

-* Is your company looking to secure usersΓÇÖ identities and reduce risk by bringing new tools that leverage the expertise of MicrosoftΓÇÖs Azure security expertise on-premises?

-* Is your company trying to get rid of the dreaded ΓÇ£externalΓÇ¥ accounts on premises and move them to the cloud where they are no longer a dormant threat inside your on-premises environment?

-## Analyze on-premises identity infrastructure

-Now that you have an idea regarding your company business requirements, you need to evaluate your on-premises identity infrastructure. This evaluation is important for defining the technical requirements to integrate your current identity solution to the cloud identity management system. Make sure to answer the following questions:

-* What authentication and authorization solution does your company use on-premises?

-* Does your company currently have any on-premises synchronization services?

-* Does your company use any third-party Identity Providers (IdP)?

-You also need to be aware of the cloud services that your company might have. Performing an assessment to understand the current integration with SaaS, IaaS or PaaS models in your environment is very important. Make sure to answer the following questions during this assessment:

-* Does your company have any integration with a cloud service provider?

-* If yes, which services are being used?

-* Is this integration currently in production or is it a pilot?

-> [!NOTE]

-> Cloud Discovery analyzes your traffic logs against the Microsoft Defender for Cloud Apps catalog of over 16,000 cloud apps that are ranked and scored based on more than 70 risk factors, to provide you with ongoing visibility into cloud use, Shadow IT, and the risk Shadow IT poses into your organization.To get started see [Set up Cloud Discovery](/cloud-app-security/set-up-cloud-discovery).

->

->

-## Evaluate identity integration requirements

-Next, you need to evaluate the identity integration requirements. This evaluation is important to define the technical requirements for how users will authenticate, how the organizationΓÇÖs presence will look in the cloud, how the organization will allow authorization and what the user experience is going to be. Make sure to answer the following questions:

-* Will your organization be using federation, standard authentication or both?

-* Is federation a requirement? Because of the following:

- * Kerberos-based SSO

- * Your company has an on-premises applications (either built in-house or 3rd party) that uses SAML or similar federation capabilities.

- * MFA via Smart Cards. RSA SecurID, etc.

- * Client access rules that address the questions below:

- 1. Can I block all external access to Microsoft 365 based on the IP address of the client?

- 2. Can I block all external access to Microsoft 365, except Exchange ActiveSync?

- 3. Can I block all external access to Microsoft 365, except for browser-based apps (OWA, SPO)

- 4. Can I block all external access to Microsoft 365 for members of designated AD groups

-* Security/auditing concerns

-* Already existing investment in federated authentication

-* What name will our organization use for our domain in the cloud?

-* Does the organization have a custom domain?

- 1. Is that domain public and easily verifiable via DNS?

- 2. If it is not, then do you have a public domain that can be used to register an alternate UPN in AD?

-* Are the user identifiers consistent for cloud representation?

-* Does the organization have apps that require integration with cloud services?

-* Does the organization have multiple domains and will they all use standard or federated authentication?

-## Evaluate applications that run in your environment

-Now that you have an idea regarding your on-premises and cloud infrastructure, you need to evaluate the applications that run in these environments. This evaluation is important to define the technical requirements to integrate these applications to the cloud identity management system. Make sure to answer the following questions:

-* Where will our applications live?

-* Will users be accessing on-premises applications? In the cloud? Or both?

-* Are there plans to take the existing application workloads and move them to the cloud?

-* Are there plans to develop new applications that will reside either on-premises or in the cloud that will use cloud authentication?

-## Evaluate user requirements

-You also have to evaluate the user requirements. This evaluation is important to define the steps that will be needed for on-boarding and assisting users as they transition to the cloud. Make sure to answer the following questions:

-* Will users be accessing applications on-premises?

-* Will users be accessing applications in the cloud?

-* How do users typically login to their on-premises environment?

-* How will users sign-in to the cloud?

-> [!NOTE]

-> Make sure to take notes of each answer and understand the rationale behind the answer. [Determine incident response requirements](plan-hybrid-identity-design-considerations-incident-response-requirements.md) will go over the options available and pros/cons of each option. By having answered those questions you will select which option best suits your business needs.

->

->

-## Next steps

-[Determine directory synchronization requirements](plan-hybrid-identity-design-considerations-directory-sync-requirements.md)

-## See also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: Provides insight into how to determine the content management requirements of your business. Usually when a user has their own device, they might also have multiple credentials that will be alternating according to the application that they use. It is important to differentiate what content was created using personal credentials versus the ones created using corporate credentials. Your identity solution should be able to interact with cloud services to provide a seamless experience to the end user while ensure their privacy and increase the protection against data leakage.

-# Determine content management requirements for your hybrid identity solution

-Understanding the content management requirements for your business may direct affect your decision on which hybrid identity solution to use. With the proliferation of multiple devices and the capability of users to bring their own devices ([BYOD](/mem/intune/fundamentals/byod-technology-decisions)), the company must protect its own data but it also must keep userΓÇÖs privacy intact. Usually when a user has their own device, they might also have multiple credentials that will be alternating according to the application that they use. It is important to differentiate what content was created using personal credentials versus the ones created using corporate credentials. Your identity solution should be able to interact with cloud services to provide a seamless experience to the end user while ensure their privacy and increase the protection against data leakage.

-Your identity solution will be leveraged by different technical controls in order to provide content management as shown in the figure below:

-

-**Security controls that will be leveraging your identity management system**

-In general, content management requirements will leverage your identity management system in the following areas:

-* Privacy: identifying the user that owns a resource and applying the appropriate controls to maintain integrity.

-* Data Classification: identify the user or group and level of access to an object according to its classification.

-* Data Leakage Protection: security controls responsible for protecting data to avoid leakage will need to interact with the identity system to validate the userΓÇÖs identity. This is also important for auditing trail purpose.

-> [!NOTE]

-> Read [data classification for cloud readiness](https://download.microsoft.com/download/0/A/3/0A3BE969-85C5-4DD2-83B6-366AA71D1FE3/Data-Classification-for-Cloud-Readiness.pdf) for more information about best practices and guidelines for data classification.

->

->

-When planning your hybrid identity solution ensure that the following questions are answered according to your organizationΓÇÖs requirements:

-* Does your company have security controls in place to enforce data privacy?

- * If yes, will the security controls be able to integrate with the hybrid identity solution that you are going to adopt?

-* Does your company use data classification?

- * If yes, is the current solution able to integrate with the hybrid identity solution that you are going to adopt?

-* Does your company currently have any solution for data leakage?

- * If yes, is the current solution able to integrate with the hybrid identity solution that you are going to adopt?

-* Does your company need to audit access to resources?

- * If yes, what type of resources?

- * If yes, what level of information is necessary?

- * If yes, where the audit log must reside? On-premises or in the cloud?

-* Does your company need to encrypt any emails that contain sensitive data (SSNs, credit card numbers, etc.)?

-* Does your company need to encrypt all documents/contents shared with external business partners?

-* Does your company need to enforce corporate policies on certain kinds of emails (do no reply all, do not forward)?

-> [!NOTE]

-> Make sure to take notes of each answer and understand the rationale behind the answer. [Define Data Protection Strategy](plan-hybrid-identity-design-considerations-data-protection-strategy.md) will go over the options available and advantages/disadvantages of each option. By having answered those questions you will select which option best suits your business needs.

->

->

-## Next steps

-[Determine access control requirements](plan-hybrid-identity-design-considerations-accesscontrol-requirements.md)

-## See Also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: You define the data protection strategy for your hybrid identity solution to meet the business requirements that you defined.

-# Define data protection strategy for your hybrid identity solution

-In this task, youΓÇÖll define the data protection strategy for your hybrid identity solution to meet the business requirements that you defined in:

-* [Determine data protection requirements](plan-hybrid-identity-design-considerations-dataprotection-requirements.md)

-* [Determine content management requirements](plan-hybrid-identity-design-considerations-contentmgt-requirements.md)

-* [Determine access control requirements](plan-hybrid-identity-design-considerations-accesscontrol-requirements.md)

-* [Determine incident response requirements](plan-hybrid-identity-design-considerations-incident-response-requirements.md)

-## Define data protection options

-As explained in [Determine directory synchronization requirements](plan-hybrid-identity-design-considerations-directory-sync-requirements.md), Microsoft Azure AD can synchronize with your on-premises Active Directory Domain Services (AD DS). This integration lets organizations use Azure AD to verify users' credentials when they are trying to access corporate resources. You can do this for both scenarios: data at rest on-premises and in the cloud. Access to data in Azure AD requires user authentication via a security token service (STS).

-Once authenticated, the user principal name (UPN) is read from the authentication token. Then, the authorization system determines the replicated partition and container corresponding to the userΓÇÖs domain. Information on the userΓÇÖs existence, enabled state, and role then helps the authorization system determine whether access to the target tenant is authorized for the user in that session. Certain authorized actions (specifically, create user and password reset) create an audit trail that a tenant administrator then uses to manage compliance efforts or investigations.

-Moving data from your on-premises datacenter into Azure Storage over an Internet connection may not always be feasible due to data volume, bandwidth availability, or other considerations. The [Azure Storage Import/Export Service](../../../import-export/storage-import-export-service.md) provides a hardware-based option for placing/retrieving large volumes of data in blob storage. It allows you to send [BitLocker-encrypted](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)#BKMK_BL2012R2) hard disk drives directly to an Azure datacenter where cloud operators upload the contents to your storage account, or they can download your Azure data to your drives to return to you. Only encrypted disks are accepted for this process (using a BitLocker key generated by the service itself during the job setup). The BitLocker key is provided to Azure separately, thus providing out of band key sharing.

-Since data in transit can take place in different scenarios, is also relevant to know that Microsoft Azure uses [virtual networking](../../../virtual-network/index.yml) to isolate tenantsΓÇÖ traffic from one another, employing measures such as host- and guest-level firewalls, IP packet filtering, port blocking, and HTTPS endpoints. However, most of AzureΓÇÖs internal communications, including infrastructure-to-infrastructure and infrastructure-to-customer (on-premises), are also encrypted. Another important scenario is the communications within Azure datacenters; Microsoft manages networks to assure that no VM can impersonate or eavesdrop on the IP address of another. TLS/SSL is used when accessing Azure Storage or SQL Databases, or when connecting to Cloud Services. In this case, the customer administrator is responsible for obtaining a TLS/SSL certificate and deploying it to their tenant infrastructure. Data traffic moving between Virtual Machines in the same deployment or between tenants in a single deployment via Microsoft Azure Virtual Network can be protected through encrypted communication protocols such as HTTPS, SSL/TLS, or others.

-Depending on how you answered the questions in [Determine data protection requirements](plan-hybrid-identity-design-considerations-dataprotection-requirements.md), you should be able to determine how you want to protect your data and how the hybrid identity solution can assist you with that process. The following table shows the options supported by Azure that are available for each data protection scenario.

-| Data protection options | At rest in the cloud | At rest on-premises | In transit |

-| | | | |

-| BitLocker Drive Encryption |X |X | |

-| SQL Server to encrypt databases |X |X | |

-| VM-to-VM Encryption | | |X |

-| SSL/TLS | | |X |

-| VPN | | |X |

-> [!NOTE]

-> Read [Compliance by Feature](https://azure.microsoft.com/support/trust-center/services/) at [Microsoft Azure Trust Center](https://azure.microsoft.com/support/trust-center/) to know more about the certifications that each Azure service is compliant with.

-> Since the options for data protection use a multilayer approach, comparison between those options are not applicable for this task. Ensure that you are leveraging all options available for each state of the data.

->

->

-## Define content management options

-One advantage of using Azure AD to manage a hybrid identity infrastructure is that the process is fully transparent from the end userΓÇÖs perspective. The user tries to access a shared resource, the resource requires authentication, the user has to send an authentication request to Azure AD in order to obtain the token and access the resource. This entire process happens in the background, without user interaction.

-Organizations that are concern about data privacy usually require data classification for their solution. If their current on-premises infrastructure is already using data classification, it is possible to use Azure AD as the main repository for the userΓÇÖs identity. A common tool that it is used on-premises for data classification is called [Data Classification Toolkit](/previous-versions/tn-archive/hh204743(v=technet.10)) for Windows Server 2012 R2. This tool can help to identify, classify, and protect data on file servers in your private cloud. It is also possible to use the [Automatic File Classification](/windows-server/identity/solution-guides/deploy-automatic-file-classification--demonstration-steps-) in Windows Server 2012 to accomplish this task.

-If your organization doesnΓÇÖt have data classification in place but needs to protect sensitive files without adding new Servers on-premises, they can use Microsoft [Azure Rights Management Service](/azure/information-protection/what-is-azure-rms). Azure RMS uses encryption, identity, and authorization policies to help secure your files and email, and it works across multiple devicesΓÇöphones, tablets, and PCs. Because Azure RMS is a cloud service, thereΓÇÖs no need to explicitly configure trusts with other organizations before you can share protected content with them. If they already have a Microsoft 365 or an Azure AD directory, collaboration across organizations is automatically supported. You can also synchronize just the directory attributes that Azure RMS needs to support a common identity for your on-premises Active Directory accounts, by using Azure Active Directory Synchronization Services (Azure AD Sync) or Azure AD Connect.

-A vital part of content management is to understand who is accessing which resource, therefore a rich logging capability is important for the identity management solution. Azure AD provides log over 30 days including:

-* Changes in role membership (ex: user added to Global Administrator role)

-* Credential updates (ex: password changes)

-* Domain management (ex: verifying a custom domain, removing a domain)

-* Adding or removing applications

-* User management (ex: adding, removing, updating a user)

-* Adding or removing licenses

-> [!NOTE]

-> Read [Microsoft Azure Security and Audit Log Management](https://download.microsoft.com/download/B/6/C/B6C0A98B-D34A-417C-826E-3EA28CDFC9DD/AzureSecurityandAuditLogManagement_11132014.pdf) to know more about logging capabilities in Azure.

-> Depending on how you answered the questions in [Determine content management requirements](plan-hybrid-identity-design-considerations-contentmgt-requirements.md), you should be able to determine how you want the content to be managed in your hybrid identity solution. While all options exposed in Table 6 are capable of integrating with Azure AD, it is important to define which is more appropriate for your business needs.

->

->

-| Content management options | Advantages | Disadvantages |

-| | | |

-| Centralized on-premises (Active Directory Rights Management Server) |Full control over the server infrastructure responsible for classifying the data <br> Built-in capability in Windows Server, no need for extra license or subscription <br> Can be integrated with Azure AD in a hybrid scenario <br> Supports information rights management (IRM) capabilities in Microsoft Online services such as Exchange Online and SharePoint Online, as well as Microsoft 365 <br> Supports on-premises Microsoft server products, such as Exchange Server, SharePoint Server, and file servers that run Windows Server and File Classification Infrastructure (FCI). |Higher maintenance (keep up with updates, configuration and potential upgrades), since IT owns the Server <br> Require a server infrastructure on-premises<br> DoesnΓÇÖt leverage Azure capabilities natively |

-| Centralized in the cloud (Azure RMS) |Easier to manage compared to the on-premises solution <br> Can be integrated with AD DS in a hybrid scenario <br> Fully integrated with Azure AD <br> DoesnΓÇÖt require a server on-premises in order to deploy the service <br> Supports on-premises Microsoft server products such as Exchange Server, SharePoint, Server, and file servers that run Windows Server and File Classification, Infrastructure (FCI) <br> IT, can have complete control over their tenantΓÇÖs key with BYOK capability. |Your organization must have a cloud subscription that supports RMS <br> Your organization must have an Azure AD directory to support user authentication for RMS |

-| Hybrid (Azure RMS integrated with, On-Premises Active Directory Rights Management Server) |This scenario accumulates the advantages of both, centralized on-premises and in the cloud. |Your organization must have a cloud subscription that supports RMS <br> Your organization must have an Azure AD directory to support user authentication for RMS, <br> Requires a connection between Azure cloud service and on-premises infrastructure |

-## Define access control options

-By leveraging the authentication, authorization and access control capabilities available in Azure AD you can enable your company to use a central identity repository while allowing users and partners to use single sign-on (SSO) as shown in the following figure:

-

-Centralized management and fully integration with other directories

-Azure Active Directory provides single sign-on to thousands of SaaS applications and on-premises web applications. See the [Azure Active Directory federation compatibility list: third-party identity providers that can be used to implement single sign-on](how-to-connect-fed-compatibility.md) article for more details about the SSO third-party that were tested by Microsoft. This capability enables organization to implement a variety of B2B scenarios while keeping control of the identity and access management. However, during the B2B designing process, is important to understand the authentication method that is used by the partner and validate if this method is supported by Azure. Currently, the following methods are supported by Azure AD:

-* Security Assertion Markup Language (SAML)

-* OAuth

-* Kerberos

-* Tokens

-* Certificates

-> [!NOTE]

-> read [Azure Active Directory Authentication Protocols](/previous-versions/azure/dn151124(v=azure.100)) to know more details about each protocol and its capabilities in Azure.

->

->

-Using the Azure AD support, mobile business applications can use the same easy Mobile Services authentication experience to allow employees to sign into their mobile applications with their corporate Active Directory credentials. With this feature, Azure AD is supported as an identity provider in Mobile Services alongside the other identity providers already supported (which include Microsoft Accounts, Facebook ID, Google ID, and Twitter ID). If the on-premises apps use the userΓÇÖs credential located at the companyΓÇÖs AD DS, the access from partners and users coming from the cloud should be transparent. You can manage userΓÇÖs Conditional Access control to (cloud-based) web applications, web API, Microsoft cloud services, third-party SaaS applications, and native (mobile) client applications, and have the benefits of security, auditing, reporting all in one place. However, it is recommended to validate the implementation in a non-production environment or with a limited number of users.

-> [!TIP]

-> it is important to mention that Azure AD does not have Group Policy as AD DS has. In order to enforce policy for devices, you need a mobile device management solution such as [Microsoft Intune](/mem/intune/).

->

->

-Once the user is authenticated using Azure AD, it is important to evaluate the level of access that the user has. The level of access that the user has over a resource can vary. While Azure AD can add an additional security layer by controlling access to some resources, keep in mind that the resource itself can also have its own access control list separately, such as the access control for files located in a File Server. The following figure summarizes the levels of access control that you can have in a hybrid scenario:

-

-Each interaction in the diagram showed in Figure X represents one access control scenario that can be covered by Azure AD. Below you have a description of each scenario:

-1. Conditional Access to applications that are hosted on-premises: You can use registered devices with access policies for applications that are configured to use AD FS with Windows Server 2012 R2.

-2. Access Control to the Azure portal: Azure also lets you control access to the portal by using Azure role-based access control (Azure RBAC)). This method enables the company to restrict the number of operations that an individual can do in the Azure portal. By using Azure RBAC to control access to the portal, IT Admins can delegate access by using the following access management approaches:

- - Group-based role assignment: You can assign access to Azure AD groups that can be synced from your local Active Directory. This lets you leverage the existing investments that your organization has made in tooling and processes for managing groups. You can also use the delegated group management feature of Azure AD Premium.

- - Use built-in roles in Azure: You can use three roles ΓÇö Owner, Contributor, and Reader, to ensure that users and groups have permission to do only the tasks they need to do their jobs.

- - Granular access to resources: You can assign roles to users and groups for a particular subscription, resource group, or an individual Azure resource such as a website or database. In this way, you can ensure that users have access to all the resources they need and no access to resources that they do not need to manage.

- > [!NOTE]

- > If you are building applications and want to customize the access control for them, it is also possible to use Azure AD Application Roles for authorization. Review this [WebApp-RoleClaims-DotNet example](https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet) on how to build your app to use this capability.

-3. Conditional Access for Microsoft 365 applications with Microsoft Intune: IT admins can provision Conditional Access device policies to secure corporate resources, while at the same time allowing information workers on compliant devices to access the services.

-

-4. Conditional Access for Saas apps: [This feature](https://cloudblogs.microsoft.com/enterprisemobility/2015/06/25/azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work/) allows you to configure per-application multi-factor authentication access rules and the ability to block access for users not on a trusted network. You can apply the multi-factor authentication rules to all users that are assigned to the application, or only for users within specified security groups. Users may be excluded from the multi-factor authentication requirement if they are accessing the application from an IP address that in inside the organizationΓÇÖs network.

-Since the options for access control use a multilayer approach, comparison between those options are not applicable for this task. Ensure that you are leveraging all options available for each scenario that requires you to control access to your resources.

-## Define incident response options

-Azure AD can assist IT to identity potential security risks in the environment by monitoring userΓÇÖs activity. IT can use Azure AD Access and Usage reports to gain visibility into the integrity and security of your organizationΓÇÖs directory. With this information, an IT admin can better determine where possible security risks may lie so that they can adequately plan to mitigate those risks. [Azure AD Premium subscription](../../fundamentals/active-directory-get-started-premium.md) has a set of security reports that can enable IT to obtain this information. [Azure AD reports](../../reports-monitoring/overview-reports.md) are categorized as follows:

-* **Anomaly reports**: Contain sign-in events that were found to be anomalous. The goal is to make you aware of such activity and enable you to make a determination about whether an event is suspicious.

-* **Integrated Application report**: Provides insights into how cloud applications are being used in your organization. Azure Active Directory offers integration with thousands of cloud applications.

-* **Error reports**: Indicate errors that may occur when provisioning accounts to external applications.

-* **User-specific reports**: Display device/sign in activity data for a specific user.

-* **Activity logs**: Contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, as well as group activity changes, and password reset and registration activity.

-> [!TIP]

-> Another report that can also help the Incident Response team working on a case is the [user with leaked credentials](https://cloudblogs.microsoft.com/enterprisemobility/2015/06/15/azure-active-directory-premium-reporting-now-detects-leaked-credentials/) report. This report surfaces any matches between the leaked credentials list and your tenant.

->

-Other important built-in reports in Azure AD that can be used during an incident response investigation and are:

-* **Password reset activity**: provide the admin with insights into how actively password reset is being used in the organization.

-* **Password reset registration activity**: provides insights into which users have registered their methods for password reset, and which methods they have selected.

-* **Group activity**: provides a history of changes to the group (ex: users added or removed) that were initiated in the Access Panel.

-In addition to the core reporting capability of Azure AD Premium that you can use during an Incident Response investigation process, IT can also take advantage of the Audit Report to obtain information such as:

-* Changes in role membership (for example, user added to Global Administrator role)

-* Credential updates (for example, password changes)

-* Domain management (for example, verifying a custom domain, removing a domain)

-* Adding or removing applications

-* User management (for example, adding, removing, updating a user)

-* Adding or removing licenses

-Since the options for incident response use a multilayer approach, comparison between those options is not applicable for this task. Ensure that you are leveraging all options available for each scenario that requires you to use Azure AD reporting capability as part of your companyΓÇÖs incident response process.

-## Next steps

-[Determine hybrid identity management tasks](plan-hybrid-identity-design-considerations-hybrid-id-management-tasks.md)

-## See Also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: When planning your hybrid identity solution, identify the data protection requirements for your business and which options are available to best fulfill these requirements.

-# Plan for enhancing data security through a strong identity solution

-The first step in protecting data is to identify who can access that data. Also, you need to have an identity solution that can integrate with your system to provide authentication and authorization capabilities. Authentication and authorization are often confused with each other and their roles misunderstood. In reality, they are different, as shown in the figure below:

-

-**Mobile device management lifecycle stages**

-When planning your hybrid identity solution, you must understand the data protection requirements for your business and which options are available to best fulfil these requirements.

-> [!NOTE]

-> Once you finish planning for data security, review [Determine multi-factor authentication requirements](plan-hybrid-identity-design-considerations-multifactor-auth-requirements.md) to ensure that your selections regarding multi-factor authentication requirements were not affected by the decisions you made in this section.

->

->

-## Determine data protection requirements

-In the age of mobility, most companies have a common goal: enable their users to be productive on their mobile devices, while on-premises, or remotely from anywhere in order to increase productivity. Companies that have such requirements will also be concerned about the number of threats that must be mitigated in order to keep the companyΓÇÖs data secure and maintain userΓÇÖs privacy. Each company might have different requirements in this regard; different compliance rules that will vary according to which industry the company is acting will lead to different design decisions.

-However, there are some security aspects that should be explored and validated, regardless of the industry.

-## Data protection paths

-

-**Data protection paths**

-In the above diagram, the identity component will be the first one to be verified before data is accessed. However, this data can be in different states during the time it was accessed. Each number on this diagram represents a path in which data can be located at some point in time. These numbers are explained below:

-1. Data protection at the device level.

-2. Data protection while in transit.

-3. Data protection while at rest on-premises.

-4. Data protection while at rest in the cloud.

-It is necessary that the hybrid identity solution is capable of leveraging both on-premises and cloud identity management resources to identify the user before it grants access to the data. When planning your hybrid identity solution, ensure that the following questions are answered according to your organizationΓÇÖs requirements:

-## Data protection at rest

-Regardless of where the data is at rest (device, cloud or on-premises), it is important to perform an assessment to understand the organization needs in this regard. For this area, ensure that the following questions are asked:

-* Does your company need to protect data at rest?

- * If yes, is the hybrid identity solution able to integrate with your current on-premises infrastructure?

- * If yes, is the hybrid identity solution able to integrate with your workloads located in the cloud?

-* Is the cloud identity management able to protect the userΓÇÖs credentials and other data stored in the cloud?

-## Data protection in transit

-Data in transit between the device and the datacenter or between the device and the cloud must be protected. However, being in-transit does not necessarily mean a communications process with a component outside of your cloud service; it moves internally, also, such as between two virtual networks. For this area, ensure that the following questions are asked:

-* Does your company need to protect data in transit?

- * If yes, is the hybrid identity solution able to integrate with secure controls such as SSL/TLS?

-* Does the cloud identity management keep the traffic to and within the directory store (within and between datacenters) signed?

-## Compliance

-Regulations, laws, and regulatory compliance requirements will vary according to the industry that your company belongs. Companies in high regulated industries must address identity-management concerns related to compliance issues. Regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS) are strict regarding identity and access. The hybrid identity solution that your company will adopt must have the core capabilities that will fulfill the requirements of one or more of these regulations. For this area, ensure that the following questions are asked:

-* Is the hybrid identity solution compliant with the regulatory requirements for your business?

-* Does the hybrid identity solution has built

-* in capabilities that will enable your company to be compliant regulatory requirements?

-> [!NOTE]

-> Make sure to take notes of each answer and understand the rationale behind the answer. [Define Data Protection Strategy](plan-hybrid-identity-design-considerations-data-protection-strategy.md) will go over the options available and advantages/disadvantages of each option. By having answered those questions you will select which option best suits your business needs.

->

->

-## Next steps

- [Determine content management requirements](plan-hybrid-identity-design-considerations-contentmgt-requirements.md)

-## See Also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: Identify what requirements are needed for synchronizing all the users between on=premises and cloud for the enterprise.

-# Determine directory synchronization requirements

-Synchronization is all about providing users an identity in the cloud based on their on-premises identity. Whether or not they will use synchronized account for authentication or federated authentication, the users will still need to have an identity in the cloud. This identity will need to be maintained and updated periodically. The updates can take many forms, from title changes to password changes.

-Start by evaluating the organizations on-premises identity solution and user requirements. This evaluation is important to define the technical requirements for how user identities will be created and maintained in the cloud. For a majority of organizations, Active Directory is on-premises and will be the on-premises directory that users will by synchronized from, however in some cases this will not be the case.

-Make sure to answer the following questions:

-* Do you have one AD forest, multiple, or none?

-

- * How many Azure AD directories will you be synchronizing to?

-

- 1. Are you using filtering?

- 2. Do you have multiple Azure AD Connect servers planned?

-* Do you currently have a synchronization tool on-premises?

-

- * If yes, does your users if users have a virtual directory/integration of identities?

-* Do you have any other directory on-premises that you want to synchronize (e.g. LDAP Directory, HR database, etc)?

- * Are you going to be doing any GALSync?

- * What is the current state of UPNs in your organization?

- * Do you have a different directory that users authenticate against?

- * Does your company use Microsoft Exchange?

- * Do they plan of having a hybrid exchange deployment?

-Now that you have an idea about your synchronization requirements, you need to determine which tool is the correct one to meet these requirements. Microsoft provides several tools to accomplish directory integration and synchronization. See the [Hybrid Identity directory integration tools comparison table](plan-hybrid-identity-design-considerations-tools-comparison.md) for more information.

-Now that you have your synchronization requirements and the tool that will accomplish this for your company, you need to evaluate the applications that use these directory services. This evaluation is important to define the technical requirements to integrate these applications to the cloud. Make sure to answer the following questions:

-* Will these applications be moved to the cloud and use the directory?

-* Are there special attributes that need to be synchronized to the cloud so these applications can use them successfully?

-* Will these applications need to be re-written to take advantage of cloud auth?

-* Will these applications continue to live on-premises while users access them using the cloud identity?

-You also need to determine the security requirements and constraints directory synchronization. This evaluation is important to get a list of the requirements that will be needed in order to create and maintain userΓÇÖs identities in the cloud. Make sure to answer the following questions:

-* Where will the synchronization server be located?

-* Will it be domain joined?

-* Will the server be located on a restricted network behind a firewall, such as a DMZ?

- * Will you be able to open the required firewall ports to support synchronization?

-* Do you have a disaster recovery plan for the synchronization server?

-* Do you have an account with the correct permissions for all forests you want to synch with?

- * If your company doesnΓÇÖt know the answer for this question, review the section ΓÇ£Permissions for password synchronizationΓÇ¥ in the article [Install the Azure Active Directory Sync Service](/previous-versions/azure/azure-services/dn757602(v=azure.100)#BKMK_CreateAnADAccountForTheSyncService) and determine if you already have an account with these permissions or if you need to create one.

-* If you have multi-forest sync is the sync server able to get to each forest?

-> [!NOTE]

-> Make sure to take notes of each answer and understand the rationale behind the answer. [Determine incident response requirements](plan-hybrid-identity-design-considerations-incident-response-requirements.md) will go over the options available. By having answered those questions you will select which option best suits your business needs.

->

->

-## Next steps

-[Determine multi-factor authentication requirements](plan-hybrid-identity-design-considerations-multifactor-auth-requirements.md)

-## See also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: Azure AD checks the specific conditions you pick when authenticating the user and before allowing access to the application with Conditional Access control.

-# Plan for Hybrid Identity Lifecycle

-Identity is one of the foundations of your enterprise mobility and application access strategy. Whether you are signing on to your mobile device or SaaS app, your identity is the key to gaining access to everything. At its highest level, an identity management solution encompasses unifying and syncing between your identity repositories, which includes automating and centralizing the process of provisioning resources. The identity solution should be a centralized identity across on-premises and cloud and also use some form of identity federation to maintain centralized authentication and securely share and collaborate with external users and businesses. Resources range from operating systems and applications to people in, or affiliated with, an organization. Organizational structure can be altered to accommodate the provisioning policies and procedures.

-It is also important to have an identity solution geared to empower your users by providing them with self-service experiences to keep them productive. Your identity solution is more robust if it enables single sign-on for users across all the resources they need access. Administrators at all levels can use standardized procedures for managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth of the provisioning management solution. Furthermore, you can securely distribute administration capabilities, manually or automatically, among various organizations. For example, a domain administrator can serve only the people and resources in that domain. This user can do administrative and provisioning tasks, but is not authorized to do configuration tasks, such as creating workflows.

-## Determine Hybrid Identity Management Tasks

-Distributing administrative tasks in your organization improves the accuracy and effectiveness of administration and improves the balance of the workload of an organization. Following are the pivots that define a robust identity management system.

- 

-To define hybrid identity management tasks, you must understand some essential characteristics of the organization that will be adopting hybrid identity. It is important to understand the current repositories being used for identity sources. By knowing those core elements, you will have the foundational requirements and based on that you will need to ask more granular questions that will lead you to a better design decision for your Identity solution.

-While defining those requirements, ensure that at least the following questions are answered

-* Provisioning options:

-

- * Does the hybrid identity solution support a robust account access management and provisioning system?

- * How are users, groups, and passwords going to be managed?

- * Is the identity lifecycle management responsive?

- * How long does password updates account suspension take?

-* License management:

-

- * Does the hybrid identity solution handles license management?

- * If yes, what capabilities are available?

- * Does the solution handle group-based license management?

-

- * If yes, is it possible to assign a security group to it?

- * If yes, will the cloud directory automatically assign licenses to all the members of the group?

- * What happens if a user is subsequently added to, or removed from the group, will a license be automatically assigned or removed as appropriate?

-* Integration with other third-party identity providers:

- * Can this hybrid solution be integrated with third-party identity providers to implement single sign-on?

- * Is it possible to unify all the different identity providers into a cohesive identity system?

- * If yes, how and which are they and what capabilities are available?

-## Synchronization Management

-One of the goals of an identity manager, to be able to bring all the identity providers and keep them synchronized. You keep the data synchronized based on an authoritative master identity provider. In a hybrid identity scenario, with a synchronized management model, you manage all user and device identities in an on-premises server and synchronize the accounts and, optionally, passwords to the cloud. The user enters the same password on-premises as they do in the cloud, and at sign-in, the password is verified by the identity solution. This model uses a directory synchronization tool.

-

-To proper design the synchronization of your hybrid identity solution ensure that the following questions are answered:

-* What are the sync solutions available for the hybrid identity solution?

-* What are the single sign on capabilities available?

-* What are the options for identity federation between B2B and B2C?

-## Next steps

-[Determine hybrid identity management adoption strategy](plan-hybrid-identity-design-considerations-lifecycle-adoption-strategy.md)

-## See Also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: With Conditional Access control, Azure AD checks the specific conditions you pick when authenticating the user and before allowing access to the application.

-# Define a hybrid identity adoption strategy

-In this task, you define the hybrid identity adoption strategy for your hybrid identity solution to meet the business requirements that were discussed in:

-* [Determine business needs](plan-hybrid-identity-design-considerations-business-needs.md)

-* [Determine directory synchronization requirements](plan-hybrid-identity-design-considerations-directory-sync-requirements.md)

-* [Determine multi-factor authentication requirements](plan-hybrid-identity-design-considerations-multifactor-auth-requirements.md)

-## Define business needs strategy

-The first task addresses determining the organizations business needs. This task can be broad and scope creep can occur if you aren't careful. In the beginning, keep it simple but always remember to plan for a design that will accommodate and facilitate change in the future. Regardless of whether it's a simple design or a complex one, Azure Active Directory is the Microsoft Identity platform that supports Microsoft 365, Microsoft Online Services, and cloud aware applications.

-## Define an integration strategy

-Microsoft has three main integration scenarios: cloud identities, synchronized identities, and federated identities. You should plan on adopting one of these integration strategies. The strategy you choose can vary. Decisions in choosing one may include, what type of user experience you want to provide, do you've an existing infrastructure, and what is the most cost effective.

-

-The scenarios defined in the above figure are:

-* **Cloud identities**: identities that exist solely in the cloud. For Azure AD, they would reside specifically in your Azure AD directory.

-* **Synchronized**: identities that exist on-premises and in the cloud. Using Azure AD Connect, users are either created or joined with existing Azure AD accounts. The userΓÇÖs password hash is synchronized from the on-premises environment to the cloud in what is called a password hash. Remember that if a user is disabled in the on-premises environment, it can take up to three hours for that account status to show up in Azure AD. This behavior is due to the synchronization time interval.

-* **Federated**: identities exist both on-premises and in the cloud. Using Azure AD Connect, users are either created or joined with existing Azure AD accounts.

-> [!NOTE]

-> For more information about the Synchronization options, read [Integrating your on-premises identities with Azure Active Directory](../whatis-hybrid-identity.md).

->

->

-The following table helps in determining the advantages and disadvantages of each of the following strategies:

-| Strategy | Advantages | Disadvantages |

-| | | |

-| **Cloud identities** |Easier to manage for small organization. <br> Nothing to install on-premises. No extra hardware needed<br>Easily disabled if the user leaves the company |Users will need to sign in when accessing workloads in the cloud <br> Passwords may or may not be the same for cloud and on-premises identities |

-| **Synchronized** |On-premises password authenticates both on-premises and cloud directories <br>Easier to manage for small, medium, or large organizations <br>Users can have single sign-on (SSO) for some resources <br> Microsoft preferred method for synchronization <br> Easier to manage |Some customers may be reluctant to synchronize their directories with the cloud due specific companyΓÇÖs policies |

-| **Federated** |Users can have single sign-on (SSO) <br>If a user is terminated or leaves, the account can be immediately disabled and access revoked,<br> Supports advanced scenarios that can't be accomplished with synchronized |More steps to set up and configure <br> Higher maintenance <br> May require extra hardware for the STS infrastructure <br> May require extra hardware to install the federation server. Other software is required if AD FS is used <br> Require extensive setup for SSO <br> Critical point of failure if the federation server is down, users wonΓÇÖt be able to authenticate |

-### Client experience

-The strategy that you use will dictate the user sign-in experience. The following tables provide you with information on what the users should expect their sign-in experience to be. Not all federated identity providers support SSO in all scenarios.

-**Domain-joined and private network applications**:

-| Application | Synchronized Identity | Federated Identity |

-| | | |

-| Web Browsers |Forms-based authentication |single sign-on, sometimes required to supply organization ID |

-| Outlook |Prompt for credentials |Prompt for credentials |

-| Skype for Business (Lync) |Prompt for credentials |single sign-on for Lync, prompted credentials for Exchange |

-| OneDrive for Business |Prompt for credentials |single sign-on |

-| Office Pro Plus Subscription |Prompt for credentials |single sign-on |

-**External or untrusted sources**:

-| Application | Synchronized Identity | Federated Identity |

-| | | |

-| Web Browsers |Forms-based authentication |Forms-based authentication |

-| Outlook, Skype for Business (Lync), OneDrive for Business, Office subscription |Prompt for credentials |Prompt for credentials |

-| Exchange ActiveSync |Prompt for credentials |single sign-on for Lync, prompted credentials for Exchange |

-| Mobile apps |Prompt for credentials |Prompt for credentials |

-If you've a third-party IdP or are going to use one to provide federation with Azure AD, you need to be aware of the following supported capabilities:

-* Any SAML 2.0 provider that is compliant for the SP-Lite profile can support authentication to Azure AD and associated applications

-* Supports passive authentication, which facilitates authentication to OWA, SPO, etc.

-* Exchange Online clients can be supported via the SAML 2.0 Enhanced Client Profile (ECP)

-You must also be aware of what capabilities won't be available:

-* Without WS-Trust/Federation support, all other active clients break

- * That means no Lync client, OneDrive client, Office Subscription, Office Mobile prior to Office 2016

-* Transition of Office to passive authentication allows them to support pure SAML 2.0 IdPs, but support will still be on a client-by-client basis

-> [!NOTE]

-> For the most updated list read the article [Azure AD federation compatibility list](how-to-connect-fed-compatibility.md).

->

->

-## Define synchronization strategy

-This task defines the tools that will be used to synchronize the organizationΓÇÖs on-premises data to the cloud and what topology you should use. Because, most organizations use Active Directory, information on using Azure AD Connect to address the questions above is provided in some detail. For environments that don't have Active Directory, there's information about using FIM 2010 R2 or MIM 2016 to help plan this strategy. However, future releases of Azure AD Connect will support LDAP directories, so depending on your timeline, this information may be able to assist.

-### Synchronization tools

-Over the years, several synchronization tools have existed and used for various scenarios. Currently Azure AD Connect is the go to tool of choice for all supported scenarios. Azure AD Sync and DirSync are also still around and may even be present in your environment now.

-> [!NOTE]

-> For the latest information regarding the supported capabilities of each tool, read [Directory integration tools comparison](plan-hybrid-identity-design-considerations-tools-comparison.md) article.

->

->

-### Supported topologies

-When defining a synchronization strategy, the topology that is used must be determined. Depending on the information that was determined in step 2 you can determine which topology is the proper one to use.

-The single forest, single Azure AD topology is the most common and consists of a single Active Directory forest and a single instance of Azure AD. This topology is going to be used in most scenarios and is the expected topology when using Azure AD Connect Express installation as shown in the figure below.

-

-Single Forest Scenario

-It's common for large and even small organizations to have multiple forests, as shown in Figure 5.

-> [!NOTE]

-> For more information about the different on-premises and Azure AD topologies with Azure AD Connect sync read the article [Topologies for Azure AD Connect](plan-connect-topologies.md).

->

->

-

-Multi-Forest Scenario

-The multi-forest single Azure AD topology should be considered if the following items are true:

-* Users have only 1 identity across all forests ΓÇô the uniquely identifying users section below describes this scenario in more detail.

-* The user authenticates to the forest in which their identity is located

-* UPN and Source Anchor (immutable ID) will come from this forest

-* All forests are accessible by Azure AD Connect ΓÇô meaning it does not need to be domain joined and can be placed in a DMZ.

-* Users have only one mailbox

-* The forest that hosts a userΓÇÖs mailbox has the best data quality for attributes visible in the Exchange Global Address List (GAL)

-* If there's no mailbox on the user, then any forest may be used to contribute values

-* If you've a linked mailbox, then there's also another account in a different forest used to sign in.

-> [!NOTE]

-> Objects that exist in both on-premises and in the cloud are ΓÇ£connectedΓÇ¥ via a unique identifier. In the context of Directory Synchronization, this unique identifier is referred to as the SourceAnchor. In the context of Single Sign-On, this identifier is referred to as the ImmutableId. [Design concepts for Azure AD Connect](plan-connect-design-concepts.md#sourceanchor) for more considerations regarding the use of SourceAnchor.

->

->

-If the above aren't true and you've more than one active account or more than one mailbox, Azure AD Connect will pick one and ignore the other. If you've linked mailboxes but no other account, accounts won't be exported to Azure AD and that user won't be a member of any groups. This behavior is different from how it was in the past with DirSync and is intentional to better support multi-forest scenarios. A multi-forest scenario is shown in the figure below.

-

-**Multi-forest multiple Azure AD scenario**

-It's recommended to have just a single directory in Azure AD for an organization. However, it's supported if a 1:1 relationship is kept between an Azure AD Connect sync server and an Azure AD directory. For each instance of Azure AD, you need an installation of Azure AD Connect. Also, Azure AD, by design is isolated and users in one instance of Azure AD, won't be able to see users in another instance.

-It's possible and supported to connect one on-premises instance of Active Directory to multiple Azure AD directories as shown in the figure below:

-

-**Single-forest filtering scenario**

-The following statements must be true:

-* Azure AD Connect sync servers must be configured for filtering so they each have a mutually exclusive set of objects. This done, for example, by scoping each server to a particular domain or OU.

-* A DNS domain can only be registered in a single Azure AD directory so the UPNs of the users in the on-premises AD must use separate namespaces

-* Users in one instance of Azure AD will only be able to see users from their instance. They won't be able to see users in the other instances

-* Only one of the Azure AD directories can enable Exchange hybrid with the on-premises AD

-* Mutual exclusivity also applies to write-back. Thus, some write-back features aren't supported with this topology since it's assumed to be a single on-premises configuration.

- * Group write-back with default configuration

- * Device write-back

-The following items aren't supported and should not be chosen as an implementation:

-* It isn't supported to have multiple Azure AD Connect sync servers connecting to the same Azure AD directory even if they are configured to synchronize mutually exclusive set of object

-* It's unsupported to sync the same user to multiple Azure AD directories.

-* It's also unsupported to make a configuration change to make users in one Azure AD to appear as contacts in another Azure AD directory.

-* It's also unsupported to modify Azure AD Connect sync to connect to multiple Azure AD directories.

-* Azure AD directories are by design isolated. It's unsupported to change the configuration of Azure AD Connect sync to read data from another Azure AD directory in an attempt to build a common and unified GAL between the directories. It's also unsupported to export users as contacts to another on-premises AD using Azure AD Connect sync.

-> [!NOTE]

-> If your organization restricts computers on your network from connecting to the Internet, this article lists the endpoints (FQDNs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists and Internet Explorer Trusted Sites Zone of client computers to ensure your computers can successfully use Microsoft 365. For more information read [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).

->

->

-## Define multi-factor authentication strategy

-In this task, you'll define the multi-factor authentication strategy to use. Azure AD Multi-Factor Authentication comes in two different versions. One is a cloud-based and the other is on-premises based using the Azure MFA Server. Based on the evaluation you did above you can determine which solution is the correct one for your strategy. Use the table below to determine which design option best fulfills your companyΓÇÖs security requirement:

-Multi-factor design options:

-| Asset to secure | MFA in the cloud | MFA on-premises |

-| | | |

-| Microsoft apps |yes |yes |

-| SaaS apps in the app gallery |yes |yes |

-| IIS applications published through Azure AD App Proxy |yes |yes |

-| IIS applications not published through the Azure AD App Proxy |no |yes |

-| Remote access as VPN, RDG |no |yes |

-Even though you may have settled on a solution for your strategy, you still need to use the evaluation from above. This decision may cause the solution to change. Use the table below to assist you determining this:

-| User location | Preferred design option |

-| | |

-| Azure Active Directory |Multi-FactorAuthentication in the cloud |

-| Azure AD and on-premises AD using federation with AD FS |Both |

-| Azure AD and on-premises AD using Azure AD Connect no password sync |Both |

-| Azure AD and on-premises using Azure AD Connect with password sync |Both |

-| On-premises AD |Multi-Factor Authentication Server |

-> [!NOTE]

-> You should also ensure that the multi-factor authentication design option that you selected supports the features that are required for your design. For more information read [Choose the multi-factor security solution for you](../../authentication/concept-mfa-howitworks.md).

->

-## Multi-Factor Auth Provider

-Multi-factor authentication is available by default for Hybrid Identity Administrators who have an Azure Active Directory tenant. However, if you wish to extend multi-factor authentication to all of your users and/or want to your Hybrid Identity Administrators to be able to take advantage features such as the management portal, custom greetings, and reports, then you must purchase and configure Multi-Factor Authentication Provider.

-> [!NOTE]

-> You should also ensure that the multi-factor authentication design option that you selected supports the features that are required for your design.

->

->

-## Next steps

-[Determine data protection requirements](plan-hybrid-identity-design-considerations-dataprotection-requirements.md)

-## See also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: Determine monitoring and reporting capabilities for the hybrid identity solution that can be leveraged by IT to take actions to identify and mitigate a potential threat.

-# Determine incident response requirements for your hybrid identity solution

-Large or medium organizations most likely will have a [security incident response](/previous-versions/tn-archive/cc700825(v=technet.10)) in place to help IT take actions accordingly to the level of incident. The identity management system is an important component in the incident response process because it can be used to help identifying who performed a specific action against the target. The hybrid identity solution must be able to provide monitoring and reporting capabilities that can be leveraged by IT to take actions to identify and mitigate a potential threat. In a typical incident response plan you'll have the following phases as part of the plan:

-1. Initial assessment.

-2. Incident communication.

-3. Damage control and risk reduction.

-4. Identification of what it was compromise and severity.

-5. Evidence preservation.

-6. Notification to appropriate parties.

-7. System recovery.

-8. Documentation.

-9. Damage and cost assessment.

-10. Process and plan revision.

-During the identification of what it was compromise and severity- phase, it will be necessary to identify the systems that have been compromised, files that have been accessed and determine the sensitivity of those files. Your hybrid identity system should be able to fulfill these requirements to assist you identifying the user that made those changes.

-## Monitoring and reporting

-Many times the identity system can also help in initial assessment phase mainly if the system has built in auditing and reporting capabilities. During the initial assessment, IT Admin must be able to identify a suspicious activity, or the system should be able to trigger it automatically based on a pre-configured task. Many activities could indicate a possible attack, however in other cases, a badly configured system might lead to a number of false positives in an intrusion detection system.

-The identity management system should assist IT admins to identify and report those suspicious activities. Usually these technical requirements can be fulfilled by monitoring all systems and having a reporting capability that can highlight potential threats. Use the questions below to help you design your hybrid identity solution while taking into consideration incident response requirements:

-* Does your company have a security incident response in place?

- * If yes, is the current identity management system used as part of the process?

-* Does your company need to identify suspicious sign-on attempts from users across different devices?

-* Does your company need to detect potential compromised userΓÇÖs credentials?

-* Does your company need to audit userΓÇÖs access and action?

-* Does your company need to know when a user resets their password?

-## Policy enforcement

-During damage control and risk reduction-phase, it is important to quickly reduce the actual and potential effects of an attack. That action that you'll take at this point can make the difference between a minor and a major one. The exact response will depend on your organization and the nature of the attack that you face. If the initial assessment concluded that an account was compromised, you'll need to enforce policy to block this account. ThatΓÇÖs just one example where the identity management system will be leveraged. Use the questions below to help you design your hybrid identity solution while taking into consideration how policies will be enforced to react to an ongoing incident:

-* Does your company have policies in place to block users from access the network if necessary?

- * If yes, does the current solution integrate with the hybrid identity management system that you're going to adopt?

-* Does your company need to enforce Conditional Access for users that are in quarantine?

-> [!NOTE]

-> Make sure to take notes of each answer and understand the rationale behind the answer. [Define data protection strategy](plan-hybrid-identity-design-considerations-data-protection-strategy.md) will go over the options available and advantages/disadvantages of each option. By having answered those questions you'll select which option best suits your business needs.

->

->

-## Next steps

-[Define data protection strategy](plan-hybrid-identity-design-considerations-data-protection-strategy.md)

-## See Also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: Helps define the hybrid identity management tasks according to the options available for each lifecycle phase.

-# Determine hybrid identity lifecycle adoption strategy

-In this task, youΓÇÖll define the identity management strategy for your hybrid identity solution to meet the business requirements that you defined in [Determine hybrid identity management tasks](plan-hybrid-identity-design-considerations-hybrid-id-management-tasks.md).

-To define the hybrid identity management tasks according to the end-to-end identity lifecycle presented earlier in this step, you will have to consider the options available for each lifecycle phase.

-## Access management and provisioning

-With a good account access management solution, your organization can track precisely who has access to what information across the organization.

-Access control is a critical function of a centralized, single-point provisioning system. Besides protecting sensitive information, access controls expose existing accounts that have unapproved authorizations or are no longer necessary. To control obsolete accounts, the provisioning system links together account information with authoritative information about the users who own the accounts. Authoritative user identity information is typically maintained in the databases and directories of human resources.

-Accounts in sophisticated IT enterprises include hundreds of parameters that define the authorities, and these details can be controlled by your provisioning system. New users can be identified with the data that you provide from the authoritative source. The access request approval capability initiates the processes that approve (or reject) resource provisioning for them.

-| Lifecycle management phase | On premises | Cloud | Hybrid |

-| | | | |

-| Account Management and Provisioning |By using the Active Directory® Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for user and resource management, and provide support for directory-enabled applications such as Microsoft® Exchange Server. <br><br> [You can provision groups in AD DS through an Identity manager](/previous-versions/mim/ff686261(v=ws.10)) <br>[You can provision users in AD DS](/previous-versions/mim/ff686263(v=ws.10)) <br><br> Administrators can use access control to manage user access to shared resources for security purposes. In Active Directory, access control is administered at the object level by setting different levels of access, or permissions, to objects, such as Full Control, Write, Read, or No Access. Access control in Active Directory defines how different users can use Active Directory objects. By default, permissions on objects in Active Directory are set to the most secure setting. |You have to create an account for every user who will access a Microsoft cloud service. You can also change user accounts or delete them when they’re no longer needed. By default, users do not have administrator permissions, but you can optionally assign them. <br><br> Within Azure Active Directory, one of the major features is the ability to manage access to resources. These resources can be part of the directory, as in the case of permissions to manage objects through roles in the directory, or resources that are external to the directory, such as SaaS applications, Azure services, and SharePoint sites or on-premises resources. <br><br> At the center of Azure Active Directory’s access management solution is the security group. The resource owner (or the administrator of the directory) can assign a group to provide a certain access right to the resources they own. The members of the group will be provided the access, and the resource owner can delegate the right to manage the members list of a group to someone else – such as a department manager or a helpdesk administrator<br> <br> The Managing groups in Azure AD section, provides more information on managing access through groups. |Extend Active Directory identities into the cloud through synchronization and federation |

-## Role-based access control

-Azure role-based access control (Azure RBAC) uses roles and provisioning policies to evaluate, test, and enforce your business processes and rules for granting access to users. Key administrators create provisioning policies and assign users to roles and that define sets of entitlements to resources for these roles. Azure RBAC extends the identity management solution to use software-based processes and reduce user manual interaction in the provisioning process.

-Azure RBAC enables the company to restrict the number of operations that an individual can do once they have access to the Azure portal. By using Azure RBAC to control access to the portal, IT Admins ca delegate access by using the following access management approaches:

-* **Group-based role assignment**: You can assign access to Azure AD groups that can be synced from your local Active Directory. This enables you to leverage the existing investments that your organization has made in tooling and processes for managing groups. You can also use the delegated group management feature of Azure AD Premium.

-* **Leverage built in roles in Azure**: You can use three roles ΓÇö Owner, Contributor, and Reader, to ensure that users and groups have permission to do only the tasks they need to do their jobs.

-* **Granular access to resources**: You can assign roles to users and groups for a particular subscription, resource group, or an individual Azure resource such as a website or database. In this way, you can ensure that users have access to all the resources they need and no access to resources that they do not need to manage.

-## Provisioning and other customization options

-Your team can use business plans and requirements to decide how much to customize the identity solution. For example, a large enterprise might require a phased roll-out plan for workflows and custom adapters that is based on a time line for incrementally provisioning applications that are widely used across geographies. Another customization plan might provide for two or more applications to be provisioned across an entire organization, after successful testing. User-application interaction can be customized, and procedures for provisioning resources might be changed to accommodate automated provisioning.

-You can deprovision to remove a service or component. For example, deprovisioning an account means that the account is deleted from a resource.

-The hybrid model of provisioning resources combines request and role-based approaches, which are both supported by Azure AD. For a subset of employees or managed systems, a business might want to automate access with role-based assignment. A business might also handle all other access requests or exceptions through a request-based model. Some businesses might start with manual assignment, and evolve toward a hybrid model, with an intention of a fully role-based deployment at a future time.

-Other companies might find it impractical for business reasons to achieve complete role-based provisioning, and target a hybrid approach as a wanted goal. Still other companies might be satisfied with only request-based provisioning, and not want to invest additional effort to define and manage role-based, automated provisioning policies.

-## License management

-Group-based license management in Azure AD lets administrators assign users to a security group and Azure AD automatically assigns licenses to all the members of the group. If a user is subsequently added to, or removed from the group, a license will be automatically assigned or removed as appropriate.

-You can use groups you synchronize from on-premises AD or manage in Azure AD. Pairing this up with Azure AD premium Self-Service Group Management you can easily delegate license assignment to the appropriate decision makers. You can be assured that problems like license conflicts and missing location data are automatically sorted out.

-## Self-regulating user administration

-When your organization starts to provision resources across all internal organizations, you implement the self-regulating user administration capability. You can realize the advantages and benefits of provisioning users across organizational boundaries. In this environment, a change in a user's status is automatically reflected in access rights across organization boundaries and geographies. You can reduce provisioning costs and streamline the access and approval processes. The implementation realizes the full potential of implementing role-based access control for end-to-end access management in your organization. You can reduce administrative costs through automated procedures for governing user provisioning. You can improve security by automating security policy enforcement, and streamline and centralize user lifecycle management and resource provisioning for large user populations.

-> [!NOTE]

-> For more information, see Setting up Azure AD for self service application access management

->

->

-License-based (Entitlement-based) Azure AD services work by activating a subscription in your Azure AD directory/service tenant. Once the subscription is active the service capabilities can be managed by directory/service administrators and used by licensed users.

-## Integration with other 3rd party providers

-Azure Active Directory provides single-sign on and enhanced application access security to thousands of SaaS applications and on-premises web applications. For more information, see [Integrating applications with Azure Active Directory](../../develop/quickstart-register-app.md)

-## Define synchronization management

-Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration, users and organizations can take advantage of the following:

-* Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.

-* Administrators can provide Conditional Access based on application resource, device and user identity, network location and multi-factor authentication.

-* Users can leverage their common identity through accounts in Azure AD to Microsoft 365, Intune, SaaS apps, and third-party applications.

-* Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

-The following figure has an example of a high-level view of identity synchronization process.

-

-Identity synchronization process

-Review the following table to compare the synchronization options:

-| Synchronization Management Option | Advantages | Disadvantages |

-| | | |

-| Sync-based (through DirSync or AADConnect) |Users, and groups synchronized from on-premises and cloud <br> **Policy control**: Account policies can be set through Active Directory, which gives the administrator the ability to manage password policies, workstation, restrictions, lock-out controls, and more, without having to perform additional tasks in the cloud. <br> **Access control**: Can restrict access to the cloud service so that, the services can be accessed through the corporate environment, through online servers, or both. <br> Reduced support calls: If users have fewer passwords to remember, they are less likely to forget them. <br> Security: User identities and information are protected because all of the servers and services used in single sign-on, are mastered and controlled on-premises. <br> Support for strong authentication: You can use strong authentication (also called two-factor authentication) with the cloud service. However, if you use strong authentication, you must use single sign-on. | |

-| Federation-based (through AD FS) |Enabled by Security Token Service (STS). When you configure an STS to provide single sign-on access with a Microsoft cloud service, you will be creating a federated trust between your on-premises STS and the federated domain youΓÇÖve specified in your Azure AD tenant. <br> Allows end users to use the same set of credentials to obtain access to multiple resources <br>end users do not have to maintain multiple sets of credentials. Yet, the users have to provide their credentials to each one of the participating resources.,B2B and B2C scenarios supported. |Requires specialized personnel for deployment and maintenance of dedicated on premises AD FS servers. There are restrictions on the use of strong authentication if you plan to use AD FS for your STS. For more information, see [Configuring Advanced Options for AD FS 2.0](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh237448(v=ws.10)). |

-> [!NOTE]

-> For more information see, [Integrating your on-premises identities with Azure Active Directory](../whatis-hybrid-identity.md).

->

->

-## See Also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: With Conditional Access control, Azure AD verifies the specific conditions you pick when authenticating the user and before allowing access to the application.

-# Determine multi-factor authentication requirements for your hybrid identity solution

-In this world of mobility, with users accessing data and applications in the cloud and from any device, securing this information has become paramount. Every day there is a new headline about a security breach. Although, there is no guarantee against such breaches, multi-factor authentication, provides an additional layer of security to help prevent these breaches.

-Start by evaluating the organizations requirements for multi-factor authentication. That is, what is the organization trying to secure. This evaluation is important to define the technical requirements for setting up and enabling the organizations users for multi-factor authentication.

-Make sure to answer the following:

-* Is your company trying to secure Microsoft apps?

-* How these apps are published?

-* Does your company provide remote access to allow employees to access on-premises apps?

-If yes, what type of remote access?You also need to evaluate where the users who are accessing these applications will be located. This evaluation is another important step to define the proper multi-factor authentication strategy. Make sure to answer the following questions:

-* Where are the users going to be located?

-* Can they be located anywhere?

-* Does your company want to establish restrictions according to the userΓÇÖs location?

-Once you understand these requirements, it is important to also evaluate the userΓÇÖs requirements for multi-factor authentication. This evaluation is important because it will define the requirements for rolling out multi-factor authentication. Make sure to answer the following questions:

-* Are the users familiar with multi-factor authentication?

-* Will some uses be required to provide additional authentication?

- * If yes, all the time, when coming from external networks, or accessing specific applications, or under other conditions?

-* Will the users require training on how to setup and implement multi-factor authentication?

-* What are the key scenarios that your company wants to enable multi-factor authentication for their users?

-After answering the previous questions, you will be able to understand if there are multi-factor authentication already implemented on-premises. This evaluation is important to define the technical requirements for setting up and enabling the organizations users for multi-factor authentication. Make sure to answer the following questions:

-* Does your company need to protect privileged accounts with MFA?

-* Does your company need to enable MFA for certain application for compliance reasons?

-* Does your company need to enable MFA for all eligible users of these application or only administrators?

-* Do you need have MFA always enabled or only when the users are logged outside of your corporate network?

-## Next steps

-[Define a hybrid identity adoption strategy](plan-hybrid-identity-design-considerations-identity-adoption-strategy.md)

-## See also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: A synopsis and next steps after you have read the Hybrid Identity design considerations guide

-# Azure Active Directory hybrid identity design considerations- next steps

-Now that youΓÇÖve completed defining your requirements and examining all the options for your mobile device management solution, youΓÇÖre ready to take the next steps for deploying the supporting infrastructure thatΓÇÖs right for you and your organization.

-## Hybrid identity documentation

-Conceptual and procedural planning, deployment, and administration content are useful when implementing your mobile device management solution:

-* [Microsoft System Center](/previous-versions/system-center/developer/cc817313(v=msdn.10)) solutions can help you capture and aggregate knowledge about your infrastructure, policies, processes, and best practices so that your IT staff can build manageable systems and automate operations.

-* [Microsoft Intune](/mem/intune/) is a cloud-based device management service that helps you to manage your computers and mobile devices and to secure your companyΓÇÖs information.

-* [MDM for Microsoft 365](/microsoft-365/admin/basic-mobility-security/overview) allows you to manage and secure mobile devices when they're connected to your Microsoft 365 organization. You can use MDM for Microsoft 365 to set device security policies and access rules, and to wipe mobile devices if theyΓÇÖre lost or stolen.

-## Hybrid identity resources

-Monitoring the following resources often provides the latest news and updates on mobile device management solutions:

-* [Microsoft Enterprise Mobility blog](https://cloudblogs.microsoft.com/ENTERPRISEMOBILITY/)

-* [Microsoft In The Cloud blog](https://cloudblogs.microsoft.com/)

-* [Microsoft Intune blog](https://techcommunity.microsoft.com/t5/intune-customer-success/welcome-to-the-new-intune-customer-success-blog/ba-p/281367)

-* [Microsoft Configuration Manager blog](https://techcommunity.microsoft.com/t5/Configuration-Manager-Blog/bg-p/ConfigurationManagerBlog)

-## See also

-[Design considerations overview](plan-hybrid-identity-design-considerations-overview.md)

-description: Overview and content map of Hybrid Identity design considerations guide

-# Azure Active Directory Hybrid Identity Design Considerations

-Consumer-based devices are proliferating the corporate world, and cloud-based software-as-a-service (SaaS) applications are easy to adopt. As a result, maintaining control of usersΓÇÖ application access across internal datacenters and cloud platforms is challenging.

-MicrosoftΓÇÖs identity solutions span on-premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources, regardless of location. This concept is known as Hybrid Identity. There are different design and configuration options for hybrid identity using Microsoft solutions, and in some case it might be difficult to determine which combination will best meet the needs of your organization.

-This Hybrid Identity Design Considerations Guide will help you to understand how to design a hybrid identity solution that best fits the business and technology needs for your organization. This guide details a series of steps and tasks that you can follow to help you design a hybrid identity solution that meets your organizationΓÇÖs unique requirements. Throughout the steps and tasks, the guide will present the relevant technologies and feature options available to organizations to meet functional and service quality (such as availability, scalability, performance, manageability, and security) level requirements.

-Specifically, the hybrid identity design considerations guide goals are to answer the following questions:

-* What questions do I need to ask and answer to drive a hybrid identity-specific design for a technology or problem domain that best meets my requirements?

-* What sequence of activities should I complete to design a hybrid identity solution for the technology or problem domain?

-* What hybrid identity technology and configuration options are available to help me meet my requirements? What are the trade-offs between those options so that I can select the best option for my business?

-## Who is this guide intended for?

- CIO, CITO, Chief Identity Architects, Enterprise Architects, and IT Architects responsible for designing a hybrid identity solution for medium or large organizations.

-## How can this guide help you?

-You can use this guide to understand how to design a hybrid identity solution that is able to integrate a cloud-based identity management system with your current on-premises identity solution.

-The following graphic shows an example a hybrid identity solution that enables IT Admins to manage to integrate their current Windows Server Active Directory solution located on-premises with Microsoft Azure Active Directory to enable users to use Single Sign-On (SSO) across applications located in the cloud and on-premises.

-

-The above illustration is an example of a hybrid identity solution that is leveraging cloud services to integrate with on-premises capabilities in order to provide a single experience to the end-user authentication process and to facilitate IT managing those resources. Although this example can be a common scenario, every organizationΓÇÖs hybrid identity design is likely to be different than the example illustrated in Figure 1 due to different requirements.

-This guide provides a series of steps and tasks that you can follow to design a hybrid identity solution that meets your organizationΓÇÖs unique requirements. Throughout the following steps and tasks, the guide presents the relevant technologies and feature options available to you to meet functional and service quality level requirements for your organization.

-**Assumptions**: You have some experience with Windows Server, Active Directory Domain Services, and Azure Active Directory. In this document, it is assumed you are looking for how these solutions can meet your business needs on their own, or in an integrated solution.

-## Design considerations overview

-This document provides a set of steps and tasks that you can follow to design a hybrid identity solution that best meets your requirements. The steps are presented in an ordered sequence. Design considerations you learn in later steps may require you to change decisions you made in earlier steps, however, due to conflicting design choices. Every attempt is made to alert you to potential design conflicts throughout the document.

-You will arrive at the design that best meets your requirements only after iterating through the steps as many times as necessary to incorporate all of the considerations within the document.

-| Hybrid Identity Phase | Topic List |

-| | |

-| Determine identity requirements |[Determine business needs](plan-hybrid-identity-design-considerations-business-needs.md)<br> [Determine directory synchronization requirements](plan-hybrid-identity-design-considerations-directory-sync-requirements.md)<br> [Determine multi-factor authentication requirements](plan-hybrid-identity-design-considerations-multifactor-auth-requirements.md)<br> [Define a hybrid identity adoption strategy](plan-hybrid-identity-design-considerations-identity-adoption-strategy.md) |

-| Plan for enhancing data security through strong identity solution |[Determine data protection requirements](plan-hybrid-identity-design-considerations-dataprotection-requirements.md) <br> [Determine content management requirements](plan-hybrid-identity-design-considerations-contentmgt-requirements.md)<br> [Determine access control requirements](plan-hybrid-identity-design-considerations-accesscontrol-requirements.md)<br> [Determine incident response requirements](plan-hybrid-identity-design-considerations-incident-response-requirements.md) <br> [Define data protection strategy](plan-hybrid-identity-design-considerations-data-protection-strategy.md) |

-| Plan for hybrid identity lifecycle |[Determine hybrid identity management tasks](plan-hybrid-identity-design-considerations-hybrid-id-management-tasks.md) <br> [Synchronization Management](plan-hybrid-identity-design-considerations-hybrid-id-management-tasks.md)<br> [Determine hybrid identity management adoption strategy](plan-hybrid-identity-design-considerations-lifecycle-adoption-strategy.md) |

-## Next Steps

-[Determine identity requirements](plan-hybrid-identity-design-considerations-business-needs.md)

-description: This is page provides a comprehensive table that compares the various directory integration tools that can be used for directory integration.

-# Hybrid Identity directory integration tools comparison

-Over the years the directory integration tools have grown and evolved.

- - If users and groups are needed in Active Directory Domain Services (AD DS), then use MIM to populate users and groups into AD DS, and use either Azure AD Connect sync or Azure AD Connect cloud provisioning to synchronize those users and groups from AD DS to Azure AD.

- - If users and groups are not needed in AD DS, then use MIM to populate users and groups into Azure AD through the [MIM Graph connector](/microsoft-identity-manager/microsoft-identity-manager-2016-connector-graph).

-To learn more about the differences between Azure AD Connect sync and Azure AD Connect cloud provisioning, see the article [What is Azure AD Connect cloud provisioning?](../cloud-sync/what-is-cloud-sync.md). For more information on deployment options with multiple HR sources or directories, then see the article [parallel and combined identity infrastructure options](../../fundamentals/parallel-identity-options.md).

-## Next steps

-Learn more about [Integrating your on-premises identities with Azure Active Directory](../whatis-hybrid-identity.md).

-This recommendation shows up if your tenant has applications that still use ADAL.

-The first step to migrating your apps from ADAL to MSAL is to identify all applications in your tenant that are currently using ADAL. You can identify your apps in the Azure portal or programmatically.

-### Identify your apps in the Azure portal

-### Identify your apps with the Microsoft Graph API

-### Identify your apps with Microsoft Graph PowerShell SDK

-Use the [Get-MgRoleManagementDirectoryRoleDefinition](/powershell/module/microsoft.graph.devicemanagement.enrolment/get-mgrolemanagementdirectoryroledefinition?branch=main) command to get a role definition.

-Use the [New-MgRoleManagementDirectoryRoleAssignment](/powershell/module/microsoft.graph.devicemanagement.enrolment/new-mgrolemanagementdirectoryroleassignment?branch=main) command to assign the role.

-description: Learn how to automatically provision and de-provision user accounts from Azure AD to Airbase.

-This tutorial describes the steps you need to perform in both Airbase and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users to [Airbase](https://www.airbase.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

-Contact Airbase support to configure Airbase to support provisioning with Azure AD.

- 

- 

- 

- 

- 

- |Attribute|Type|Supported for filtering|

- ||||

- |userName|String|&check;|

- |emails[type eq "work"].value|String|

- |active|Boolean|

- |name.givenName|String|

- |name.familyName|String|

- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|

- |addresses[type eq "work"].country|String|

- 

- 

- 

-* 04/20/2021 - Added support for "preferredLanguage" and enterprise extension attribute "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division".

-description: Learn how to configure Azure Active Directory to automatically provision and de-provision user accounts to SAP Business Technology Platform Identity Authentication.

-# Tutorial: Configure SAP Business Technology Platform Identity Authentication for automatic user provisioning

-The objective of this tutorial is to demonstrate the steps to be performed in SAP Business Technology Platform Identity Authentication and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and de-provision users to SAP Business Technology Platform Identity Authentication.

-> This tutorial describes a connector built on top of the Azure AD User Provisioning Service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

-* An Azure AD tenant

-* [A SAP Business Technology Platform Identity Authentication tenant](https://www.sap.com/products/cloud-platform.html)

-* A user account in SAP Business Technology Platform Identity Authentication with Admin permissions.

-> This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.

-## Assigning users to SAP Business Technology Platform Identity Authentication

-Azure Active Directory uses a concept called *assignments* to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users that have been assigned to an application in Azure AD are synchronized.

-Before configuring and enabling automatic user provisioning, you should decide which users in Azure AD need access to SAP Business Technology Platform Identity Authentication. Once decided, you can assign these users to SAP Business Technology Platform Identity Authentication by following the instructions here:

-## Important tips for assigning users to SAP Business Technology Platform Identity Authentication

-* It is recommended that a single Azure AD user is assigned to SAP Business Technology Platform Identity Authentication to test the automatic user provisioning configuration. Additional users may be assigned later.

-* When assigning a user to SAP Business Technology Platform Identity Authentication, you must select any valid application-specific role (if available) in the assignment dialog. Users with the **Default Access** role are excluded from provisioning.

-## Setup SAP Business Technology Platform Identity Authentication for provisioning

-1. Sign in to your [SAP Business Technology Platform Identity Authentication Admin Console](https://sapmsftintegration.accounts.ondemand.com/admin). Navigate to **Users & Authorizations > Administrators**.

- 

-2. Press the **+Add** button on the left hand panel in order to add a new administrator to the list. Choose **Add System** and enter the name of the system.

-> [!NOTE]

-> The administrator user in SAP Business Technology Platform Identity Authentication must be of type **System**. Creating a normal administrator user can lead to *unauthorized* errors while provisioning.

-3. Under Configure Authorizations, switch on the toggle button against **Manage Users**.

- 

-4. You will receive an email to activate your account and set a password for **SAP Business Technology Platform Identity Authentication Service**.

-4. Copy the **User ID** and **Password**. These values will be entered in the Admin Username and Admin Password fields respectively in the Provisioning tab of your SAP Business Technology Platform Identity Authentication application in the Azure portal.

-## Add SAP Business Technology Platform Identity Authentication from the gallery

-Before configuring SAP Business Technology Platform Identity Authentication for automatic user provisioning with Azure AD, you need to add SAP Business Technology Platform Identity Authentication from the Azure AD application gallery to your list of managed SaaS applications.

-**To add SAP Business Technology Platform Identity Authentication from the Azure AD application gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Azure Active Directory**.

- 

-2. Go to **Enterprise applications**, and then select **All applications**.

- 

-3. To add a new application, select the **New application** button at the top of the pane.

- 

-4. In the search box, enter **SAP Business Technology Platform Identity Authentication**, select **SAP Business Technology Platform Identity Authentication** in the results panel, and then click the **Add** button to add the application.

- 

-## Configuring automatic user provisioning to SAP Business Technology Platform Identity Authentication

-This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users in SAP Business Technology Platform Identity Authentication based on users assignments in Azure AD.

-> You may also choose to enable SAML-based single sign-on for SAP Business Technology Platform Identity Authentication, following the instructions provided in the [SAP Business Technology Platform Identity Authentication Single sign-on tutorial](./sap-hana-cloud-platform-identity-authentication-tutorial.md). Single sign-on can be configured independently of automatic user provisioning, though these two features compliment each other

-### To configure automatic user provisioning for SAP Business Technology Platform Identity Authentication in Azure AD:

- 

-2. In the applications list, select **SAP Business Technology Platform Identity Authentication**.

- 

-3. Select the **Provisioning** tab.

-4. Set the **Provisioning Mode** to **Automatic**.

-5. Under the **Admin Credentials** section, input `https://<tenantID>.accounts.ondemand.com/service/scim ` in **Tenant URL**. Input the **User ID** and **Password** values retrieved earlier in **Admin Username** and **Admin Password** respectively. Click **Test Connection** to ensure Azure AD can connect to SAP Business Technology Platform Identity Authentication. If the connection fails, ensure your SAP Business Technology Platform Identity Authentication account has Admin permissions and try again.

- 

-6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**.

- 

-7. Click **Save**.

-8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to SAP Business Technology Platform Identity Authentication**.

- 

-9. Review the user attributes that are synchronized from Azure AD to SAP Business Technology Platform Identity Authentication in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in SAP Business Technology Platform Identity Authentication for update operations. Select the **Save** button to commit any changes.

- 

-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-11. To enable the Azure AD provisioning service for SAP Business Technology Platform Identity Authentication, change the **Provisioning Status** to **On** in the **Settings** section.

- 

-12. Define the users that you would like to provision to SAP Business Technology Platform Identity Authentication by choosing the desired values in **Scope** in the **Settings** section.

- 

-13. When you are ready to provision, click **Save**.

- 

-This operation starts the initial synchronization of all users defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on SAP Business Technology Platform Identity Authentication.

-For more information on how to read the Azure AD provisioning logs, see [Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md).

-* SAP Business Technology Platform Identity Authentication's SCIM endpoint requires certain attributes to be of specific format. You can know more about these attributes and their specific format [here](https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/b10fc6a9a37c488a82ce7489b1fab64c.html#).

-* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

- > [!NOTE]

- > In order to set up the service provider (SP) configuration, you must click on **Expand** next to **Advanced Options** in the SAML configuration page. In the **Service Provider Issuer** box, enter the workspace URL. The default is slack.com.

- > These values are not real. Update these values with the actual Sign-on URL, Identifier and Reply URL. Contact [SuccessFactors Client support team](https://www.sap.com/support.html) to get these values.

-To get users created in SuccessFactors, you need to contact the [SuccessFactors support team](https://www.sap.com/support.html).

-Contact Xledger support to configure Xledger to support provisioning with Azure AD.

-Azure Active Directory helps meet identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To be compliant with requirements in [CMMC V2.0 level 2](https://cmmc-coe.org/maturity-level-two/), it's the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD) to complete other configurations or processes.

-Azure Active Directory helps you meet identity-related practice requirements in each Cybersecurity Maturity Model Certification (CMMC) level. To complete other configurations or processes to be compliant with [CMMC V2.0 level 2](https://cmmc-coe.org/maturity-level-two/)requirements, is the responsibility of companies performing work with, and on behalf of, the US Dept. of Defense (DoD).

-* [Configure CMMC Level 2 additional controls](configure-cmmc-level-2-additional-controls.md)

-The FedRAMP high baseline is made up of 421 controls and control enhancements from [NIST 800-53 Security Controls Catalog Revision 4](https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final). Where applicable, we included clarifying information from the [800-53 Revision 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final). This article set covers a subset of these controls that are related to identity, and which you must configure.

-* [Combined regulation text](https://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/https://docsupdatetracker.net/index.html?language=es) of all HIPAA Administrative Simplification Regulations found at 45 CFR 160, 162, and 164

-For more information, see [SynapseML estimator for Multivariate Anomaly Detector](https://microsoft.github.io/SynapseML/docs/documentation/estimators/estimators_cognitive/#fitmultivariateanomaly).

-* SynapseML documentation with [Multivariate Anomaly Detector feature](https://microsoft.github.io/SynapseML/docs/documentation/estimators/estimators_cognitive/#fitmultivariateanomaly).

-* Recipe: [Azure AI services - Multivariate Anomaly Detector](https://microsoft.github.io/SynapseML/docs/features/cognitive_services/CognitiveServices%20-%20Multivariate%20Anomaly%20Detection/).

-# Changelog and release history

-#### Document Intelligence SDK April 2023 preview release

-[**Package (NuGet)**](https://www.nuget.org/packages/Azure.AI.FormRecognizer/4.1.0-beta.1)

-[**Package (MVN)**](https://mvnrepository.com/artifact/com.azure/azure-ai-formrecognizer/4.1.0-beta.1)

-[**Package (npm)**](https://www.npmjs.com/package/@azure/ai-form-recognizer/v/4.1.0-beta.1)

-[**Package (PyPi)**](https://pypi.org/project/azure-ai-formrecognizer/3.3.0b1/)

-#### Document Intelligence SDK September 2022 (GA) release

-[**Package (NuGet)**](https://www.nuget.org/packages/Azure.AI.FormRecognizer/4.0.0)

-[**Package (Maven)**](https://oss.sonatype.org/#nexus-search;quick~azure-ai-formrecognizer)

-[**Package (npm)**](https://www.npmjs.com/package/@azure/ai-form-recognizer)

-[**Package (PyPi)**](https://pypi.org/project/azure-ai-formrecognizer/3.2.0/)

-#### Document Intelligence SDK beta August 2022 preview release

-### Document Intelligence SDK beta June 2022 preview release

-The Read OCR model extracts all identified barcodes in the `barcodes` collection as a top level object under `content`. Inside the `content`, detected barcodes are represented as `:barcode:`. Each entry in this collection represents a barcode and includes the barcode type as `kind` and the embedded barcode content as `value` along with its `polygon` coordinates. Initially, barcodes appear at the end of each page. Here, the `confidence` is hard-coded for the public preview (`2023-02-28`) release.

-Custom classification models are only available in the [v3.1 API](v3-1-migration-guide.md) starting with API version ```2023-02-28-preview```. [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio) provides a no-code user interface to interactively train a custom classifier.

-1. Neural models now support added languages in the ```v3.1 and v3.0``` APIs.

- |Language| Code (optional) |

- |Abaza|abq|

- |Abkhazian|ab|

- |Achinese|ace|

- |Acoli|ach|

- |Adangme|ada|

- |Adyghe|ady|

- |Afar|aa|

- |Afrikaans|af|

- |Akan|ak|

- |Albanian|sq|

- |Algonquin|alq|

- |Angika (Devanagari)|anp|

- |Arabic|ar|

- |Asturian|ast|

- |Asu (Tanzania)|asa|

- |Avaric|av|

- |Awadhi-Hindi (Devanagari)|awa|

- |Aymara|ay|

- |Azerbaijani (Latin)|az|

- |Bafia|ksf|

- |Bagheli|bfy|

- |Bambara|bm|

- |Bashkir|ba|

- |Basque|eu|

- |Bemba (Zambia)|bem|

- |Bena (Tanzania)|bez|

- |Bhojpuri-Hindi (Devanagari)|bho|

- |Bikol|bik|

- |Bini|bin|

- |Bislama|bi|

- |Bodo (Devanagari)|brx|

- |Bosnian (Latin)|bs|

- |Brajbha|bra|

- |Breton|br|

- |Bulgarian|bg|

- |Bundeli|bns|

- |Buryat (Cyrillic)|bua|

- |Catalan|ca|

- |Cebuano|ceb|

- |Chamling|rab|

- |Chamorro|ch|

- |Chechen|ce|

- |Chhattisgarhi (Devanagari)|hne|

- |Chiga|cgg|

- |Chinese Simplified|zh-Hans|

- |Chinese Traditional|zh-Hant|

- |Choctaw|cho|

- |Chukot|ckt|

- |Chuvash|cv|

- |Cornish|kw|

- |Corsican|co|

- |Cree|cr|

- |Creek|mus|

- |Crimean Tatar (Latin)|crh|

- |Croatian|hr|

- |Crow|cro|

- |Czech|cs|

- |Danish|da|

- |Dargwa|dar|

- |Dari|prs|

- |Dhimal (Devanagari)|dhi|

- |Dogri (Devanagari)|doi|

- |Duala|dua|

- |Dungan|dng|

- |Dutch|nl|

- |Efik|efi|

- |English|en|

- |Erzya (Cyrillic)|myv|

- |Estonian|et|

- |Faroese|fo|

- |Fijian|fj|

- |Filipino|fil|

- |Finnish|fi|

- |Language| Code (optional) |

- |Fon|fon|

- |French|fr|

- |Friulian|fur|

- |Ga|gaa|

- |Gagauz (Latin)|gag|

- |Galician|gl|

- |Ganda|lg|

- |Gayo|gay|

- |German|de|

- |Gilbertese|gil|

- |Gondi (Devanagari)|gon|

- |Greek|el|

- |Greenlandic|kl|

- |Guarani|gn|

- |Gurung (Devanagari)|gvr|

- |Gusii|guz|

- |Haitian Creole|ht|

- |Halbi (Devanagari)|hlb|

- |Hani|hni|

- |Haryanvi|bgc|

- |Hawaiian|haw|

- |Hebrew|he|

- |Herero|hz|

- |Hiligaynon|hil|

- |Hindi|hi|

- |Hmong Daw (Latin)|mww|

- |Ho(Devanagiri)|hoc|

- |Hungarian|hu|

- |Iban|iba|

- |Icelandic|is|

- |Igbo|ig|

- |Iloko|ilo|

- |Inari Sami|smn|

- |Indonesian|id|

- |Ingush|inh|

- |Interlingua|ia|

- |Inuktitut (Latin)|iu|

- |Irish|ga|

- |Italian|it|

- |Japanese|ja|

- |Jaunsari (Devanagari)|Jns|

- |Javanese|jv|

- |Jola-Fonyi|dyo|

- |Kabardian|kbd|

- |Kabuverdianu|kea|

- |Kachin (Latin)|kac|

- |Kalenjin|kln|

- |Kalmyk|xal|

- |Kangri (Devanagari)|xnr|

- |Kanuri|kr|

- |Karachay-Balkar|krc|

- |Kara-Kalpak (Latin)|kaa|

- |Kashubian|csb|

- |Khakas|kjh|

- |Khaling|klr|

- |Khasi|kha|

- |K'iche'|quc|

- |Kikuyu|ki|

- |Kildin Sami|sjd|

- |Kinyarwanda|rw|

- |Komi|kv|

- |Kongo|kg|

- |Korean|ko|

- |Korku|kfq|

- |Koryak|kpy|

- |Kosraean|kos|

- |Kpelle|kpe|

- |Kuanyama|kj|

- |Kumyk (Cyrillic)|kum|

- |Language| Code (optional) |

- |Kurukh (Devanagari)|kru|

- |Kyrgyz (Cyrillic)|ky|

- |Lak|lbe|

- |Lakota|lkt|

- |Latin|la|

- |Latvian|lv|

- |Lezghian|lex|

- |Lingala|ln|

- |Lithuanian|lt|

- |Lower Sorbian|dsb|

- |Lozi|loz|

- |Lule Sami|smj|

- |Luo (Kenya and Tanzania)|luo|

- |Luxembourgish|lb|

- |Luyia|luy|

- |Macedonian|mk|

- |Machame|jmc|

- |Madurese|mad|

- |Mahasu Pahari (Devanagari)|bfz|

- |Makhuwa-Meetto|mgh|

- |Makonde|kde|

- |Malagasy|mg|

- |Malay (Latin)|ms|

- |Maltese|mt|

- |Malto (Devanagari)|kmj|

- |Mandinka|mnk|

- |Manx|gv|

- |Maori|mi|

- |Mapudungun|arn|

- |Marathi|mr|

- |Mari (Russia)|chm|

- |Masai|mas|

- |Mende (Sierra Leone)|men|

- |Meru|mer|

- |Meta'|mgo|

- |Minangkabau|min|

- |Mohawk|moh|

- |Mongolian (Cyrillic)|mn|

- |Mongondow|mog|

- |Morisyen|mfe|

- |Mundang|mua|

- |Nahuatl|nah|

- |Navajo|nv|

- |Ndonga|ng|

- |Neapolitan|nap|

- |Nepali|ne|

- |Ngomba|jgo|

- |Niuean|niu|

- |Nogay|nog|

- |North Ndebele|nd|

- |Northern Sami (Latin)|sme|

- |Norwegian|no|

- |Nyanja|ny|

- |Nyankole|nyn|

- |Nzima|nzi|

- |Occitan|oc|

- |Ojibwa|oj|

- |Oromo|om|

- |Ossetic|os|

- |Pampanga|pam|

- |Pangasinan|pag|

- |Papiamento|pap|

- |Pashto|ps|

- |Pedi|nso|

- |Persian|fa|

- |Polish|pl|

- |Portuguese|pt|

- |Punjabi (Arabic)|pa|

- |Quechua|qu|

- |Ripuarian|ksh|

- |Romanian|ro|

- |Romansh|rm|

- |Rundi|rn|

- |Russian|ru|

- |Language| Code (optional) |

- |Rwa|rwk|

- |Sadri (Devanagari)|sck|

- |Samburu|saq|

- |Samoan (Latin)|sm|

- |Sango|sg|

- |Sangu (Gabon)|snq|

- |Sanskrit (Devanagari)|sa|

- |Santali(Devanagiri)|sat|

- |Scots|sco|

- |Scottish Gaelic|gd|

- |Sena|seh|

- |Shambala|ksb|

- |Sherpa (Devanagari)|xsr|

- |Shona|sn|

- |Siksika|bla|

- |Sirmauri (Devanagari)|srx|

- |Skolt Sami|sms|

- |Slovak|sk|

- |Slovenian|sl|

- |Soga|xog|

- |Somali (Arabic)|so|

- |Somali (Latin)|so-latn|

- |Songhai|son|

- |South Ndebele|nr|

- |Southern Altai|alt|

- |Southern Sami|sma|

- |Southern Sotho|st|

- |Spanish|es|

- |Sundanese|su|

- |Swahili (Latin)|sw|

- |Swati|ss|

- |Swedish|sv|

- |Tabassaran|tab|

- |Tachelhit|shi|

- |Tahitian|ty|

- |Taita|dav|

- |Tajik (Cyrillic)|tg|

- |Tamil|ta|

- |Tatar (Latin)|tt|

- |Teso|teo|

- |Tetum|tet|

- |Thai|th|

- |Thangmi|thf|

- |Tok Pisin|tpi|

- |Tongan|to|

- |Tsonga|ts|

- |Tswana|tn|

- |Turkish|tr|

- |Turkmen (Latin)|tk|

- |Tuvan|tyv|

- |Udmurt|udm|

- |Ukrainian|uk|

- |Upper Sorbian|hsb|

- |Urdu|ur|

- |Uyghur (Arabic)|ug|

- |Uzbek (Latin)|uz|

- |Vietnamese|vi|

- |Volap├╝k|vo|

- |Vunjo|vun|

- |Walser|wae|

- |Welsh|cy|

- |Western Frisian|fy|

- |Wolof|wo|

- |Xhosa|xh|

- |Yakut|sah|

- |Yucatec Maya|yua|

- |Zapotec|zap|

- |Zarma|dje|

- |Zhuang|za|

- |Zulu|zu|

-| &bullet; ARS | United States (`us`) |

-| &bullet; AUD | Australia (`au`) |

-| &bullet; BRL | United States (`us`) |

-| &bullet; CLP | United States (`us`) |

-| &bullet; CNY | United States (`us`) |

-| &bullet; COP | United States (`us`) |

-| &bullet; CRC | United States (`us`) |

-| &bullet; CZK | United States (`us`) |

-| &bullet; DKK | United States (`us`) |

-| &bullet; EUR | United States (`us`) |

-| &bullet; GBP | United Kingdom (`uk`) |

-| &bullet; HUF | United States (`us`) |

-| &bullet; IDR | United States (`us`) |

-| &bullet; INR | United States (`us`) |

-| &bullet; ISK | United States (`us`) |

-| &bullet; JPY | Japan (`jp`) |

-| &bullet; KRW | United States (`us`) |

-| &bullet; NOK | United States (`us`) |

-| &bullet; PAB | United States (`us`) |

-| &bullet; PEN | United States (`us`) |

-| &bullet; PLN | United States (`us`) |

-| &bullet; RON | United States (`us`) |

-| &bullet; RSD | United States (`us`) |

-| &bullet; SEK | United States (`us`) |

-| &bullet; TWD | United States (`us`) |

-|[**Custom model**](concept-custom.md) | Extracts information from forms and documents into structured data based on a model created from a set of representative training document sets.|Extract distinct data from forms and documents specific to your business and use cases.|&#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&#9679; [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/BuildDocumentModel)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)|

-|[**Custom Template model**](concept-custom-template.md) | The custom template model extracts labeled values and fields from structured and semi-structured documents.</br> | Extract key data from highly structured documents with defined visual templates or common visual layouts, forms.| &#9679; [**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&#9679; [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/BuildDocumentModel)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)

- |[**Custom Neural model**](concept-custom-neural.md)| The custom neural model is used to extract labeled data from structured (surveys, questionnaires), semi-structured (invoices, purchase orders), and unstructured documents (contracts, letters).|Extract text data, checkboxes, and tabular fields from structured and unstructured documents.|[**Document Intelligence Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</br>&#9679; [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2023-02-28-preview/operations/BuildDocumentModel)</br>&#9679; [**C# SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**Java SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**JavaScript SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)</br>&#9679; [**Python SDK**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true)

-description: Walkthrough on how to get started with Azure OpenAI and make your first image generation call.

-# Quickstart: Get started generating images using Azure OpenAI Service

-1. [Download this demo as a notebook](https://github.com/microsoft/SynapseML/blob/master/notebooks/features/cognitive_services/CognitiveServices%20-%20OpenAI.ipynb) (select Raw, then save the file)

-> [!IMPORTANT]

- > If you configure **Selected Networks and Private Endpoints** via the **Networking** → **Firewalls and virtual networks** tab, you can't use the Custom Translator portal and your Translator resource. However, you can still use the Translator resource outside of the Custom Translator portal.

-| Selected Networks and Private Endpoints | &bullet; Not accessible from allowed VNET IP addresses. </br>&#9679; Use [Custom Translator non-interactive REST API](https://microsofttranslator.github.io/CustomTranslatorApiSamples/) to build and publish custom models. |

-| Disabled | &#9679; Not accessible |

-The following table lists the billing region code for each supported billing region:

-description: Learn how to use Planned Maintenance in Azure Kubernetes Service (AKS) for cluster weekly releases.

-# Use Planned Maintenance pre-created configurations to schedule Azure Kubernetes Service (AKS) weekly releases (preview)

-Planned Maintenance allows you to schedule weekly maintenance windows that ensure the weekly [releases] are controlled. You can select from the set of pre-created configurations and use the Azure CLI to configure your maintenance windows.

-You can also be schedule with more fine-grained control using Planned Maintenance's `default` configuration type. For more information, see [Planned Maintenance to schedule and control upgrades][planned-maintenance].

-## Before you begin

-This article assumes you have an existing AKS cluster. If you need an AKS cluster, you can create one using [Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [Azure portal][aks-quickstart-portal].

-### Limitations

-When you use Planned Maintenance, the following restrictions apply:

-## Available pre-created public maintenance configurations

-There are two general kinds of pre-created public maintenance configurations:

-The following pre-created public maintenance configurations are available on the weekday and weekend schedules. For weekend schedules, replace `weekday` with `weekend`.

-|Configuration name| Time zone|

-|--|--|

-|aks-mrp-cfg-weekday_utc12|UTC+12|

-|...|...|

-|aks-mrp-cfg-weekday_utc1|UTC+1|

-|aks-mrp-cfg-weekday_utc|UTC+0|

-|aks-mrp-cfg-weekday_utc-1|UTC-1|

-|...|...|

-|aks-mrp-cfg-weekday_utc-12|UTC-12|

-## Assign a public maintenance configuration to an AKS Cluster

-1. Find the public maintenance configuration ID using the [`az maintenance public-configuration show`][az-maintenance-public-configuration-show] command.

- ```azurecli-interactive

- az maintenance public-configuration show --resource-name "aks-mrp-cfg-weekday_utc8"

- ```

- > [!NOTE]

- > You may be prompted to install the `maintenance` extension.

- Your output should look like the following example output. Make sure you take note of the `id` field.

- ```json

- {

- "duration": "08:00",

- "expirationDateTime": null,

- "extensionProperties": {

- "maintenanceSubScope": "AKS"

- },

- "id": "/subscriptions/0159df5c-b605-45a9-9876-36e17d5286e0/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/aks-mrp-cfg-weekday_utc8",

- "installPatches": null,

- "location": "westus2",

- "maintenanceScope": "Resource",

- "name": "aks-mrp-cfg-weekday_utc8",

- "namespace": "Microsoft.Maintenance",

- "recurEvery": "Week Monday,Tuesday,Wednesday,Thursday",

- "startDateTime": "2022-08-01 22:00",

- "systemData": null,

- "tags": {},

- "timeZone": "China Standard Time",

- "type": "Microsoft.Maintenance/publicMaintenanceConfigurations",

- "visibility": "Public"

- }

- ```

-2. Assign the public maintenance configuration to your AKS cluster using the [`az maintenance assignment create`][az-maintenance-assignment-create] command and specify the ID from the previous step for the `--maintenance-configuration-id` parameter.

- ```azurecli-interactive

- az maintenance assignment create --maintenance-configuration-id "/subscriptions/0159df5c-b605-45a9-9876-36e17d5286e0/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/aks-mrp-cfg-weekday_utc8" --name assignmentName --provider-name "Microsoft.ContainerService" --resource-group myResourceGroup --resource-name myAKSCluster --resource-type "managedClusters"

- ```

-## List all maintenance windows in an existing cluster

- ```azurecli-interactive

- az maintenance assignment list --provider-name "Microsoft.ContainerService" --resource-group myResourceGroup --resource-name myAKSCluster --resource-type "managedClusters"

- ```

-## Remove a public maintenance configuration from an AKS cluster

- ```azurecli-interactive

- az maintenance assignment delete --name assignmentName --provider-name "Microsoft.ContainerService" --resource-group myResourceGroup --resource-name myAKSCluster --resource-type "managedClusters"

- ```

-<!-- LINKS - Internal -->

-[aks-quickstart-cli]: ./learn/quick-kubernetes-deploy-cli.md

-[aks-quickstart-portal]: ./learn/quick-kubernetes-deploy-portal.md

-[aks-quickstart-powershell]: ./learn/quick-kubernetes-deploy-powershell.md

-[releases]:release-tracker.md

-[planned-maintenance]: ./planned-maintenance.md

-[az-maintenance-public-configuration-show]: /cli/azure/maintenance/public-configuration#az-maintenance-public-configuration-show

-[az-maintenance-assignment-create]: /cli/azure/maintenance/assignment#az-maintenance-assignment-create

-[az-maintenance-assignment-list]: /cli/azure/maintenance/assignment#az-maintenance-assignment-list

-[az-maintenance-assignment-delete]: /cli/azure/maintenance/assignment#az-maintenance-assignment-delete

-| Area | Azure CNI Overlay | Kubenet |

-|||-|

-| Cluster scale | 1000 nodes and 250 pods/node | 400 nodes and 250 pods/node |

-| Pod connectivity performance | Performance on par with VMs in a VNet | Extra hop adds minor latency |

-| Kubernetes Network Policies | Azure Network Policies, Calico, Cilium | Calico |

-| OS platforms supported | Linux and Windows Server 2022(Preview) | Linux only |

- - Pod CIDR space must not overlap with the cluster subnet range.

- - Pod CIDR space must not overlap with IP ranges used in on-premises networks and peered networks.

-* Not compatible with Istio or other sidecar-based service meshes ([Istio issue #27619](https://github.com/istio/istio/issues/27619)).

- --delegations "Microsoft.NetApp/volumes" \

-By using `containerd` for AKS nodes, pod startup latency improves and node resource consumption by the container runtime decreases. These improvements through this new architecture enable kubelet communicating directly to `containerd` through the CRI plugin. While in a Moby/docker architecture, kubelet communicates to the `dockershim` and docker engine before reaching `containerd`, therefore having extra hops in the data flow.

-az aks create -n aksTest -g aksTest ΓÇô-nrg-lockdown-restriction-level ReadOnly

-az aks update -n aksTest -g aksTest ΓÇô-nrg-lockdown-restriction-level ReadOnly

-az aks update -n aksTest -g aksTest ΓÇô-nrg-lockdown-restriction-level Unrestricted

-[aks-add-np-containerd]: /create-node-pools.md#add-a-windows-server-node-pool-with-containerd

-| Security | [Prisma](#prisma) |

-### Prisma

-A cluster with Windows nodes can have approximately 500 services before it encounters port exhaustion.

-If your cluster is already using the latest version of the Azure Identity SDK, perform the following steps to complete the authentication configuration:

-If your cluster isn't using the latest version of the Azure Identity SDK, you have two options:

-**Tabular Editor** - An open-source tool for creating, maintaining, and managing tabular models using an intuitive, lightweight editor. A hierarchical view shows all objects in your tabular model. Objects are organized by display folders with support for multi-select property editing and DAX syntax highlighting. XMLA read-only is required for query operations. Read-write is required for metadata operations. To learn more, see [tabulareditor.github.io](https://tabulareditor.github.io/).

-If you've deployed a model to your server, you're ready to connect to it using a client application or tool. To learn more, see [Get data from Azure Analysis Services server](analysis-services-connect.md).

-User authentication is handled by [Azure Active Directory (AAD)](../active-directory/fundamentals/active-directory-whatis.md). When logging in, users use an organization account identity with role-based access to the database. User identities must be members of the default Azure Active Directory for the subscription that the server is in. To learn more, see [Authentication and user permissions](analysis-services-manage-users.md).

-Analysis Services has a vibrant community of developers who create tools. Be sure to check out [Tabular Editor](https://tabulareditor.github.io/), an open-source tool for creating, maintaining, and managing tabular models using an intuitive, lightweight editor. [DAX Studio](https://daxstudio.org/), is a great open-source tool for DAX authoring, diagnosis, performance tuning, and analysis.

-Use the `set-body` policy to set the message body for incoming and outgoing requests. To access the message body you can use the `context.Request.Body` property or the `context.Response.Body`, depending on whether the policy is in the inbound or outbound section.

-| Your app need to handle the access token expiring without making the user sign in again (use a refresh token)? | ❌ | ✅ | ✅ |

-Please note that _/api/health_ is just an example added for illustration purposes. We do not create a Health Check path by default. You should make sure that the path you are selecting is a valid path that exists within your application

-|`WEBSITE_HEALTHCHECK_MAXPINGFAILURES` | 2 - 10 | The required number of failed requests for an instance to be deemed unhealthy and removed from the load balancer. For example, when set to `2`, your instances will be removed after `2` failed pings. (Default value is `10`) |

-|`WEBSITE_HEALTHCHECK_MAXUNHEALTHYWORKERPERCENT` | 1 - 100 | By default, no more than half of the instances will be excluded from the load balancer at one time to avoid overwhelming the remaining healthy instances. For example, if an App Service Plan is scaled to four instances and three are unhealthy, two will be excluded. The other two instances (one healthy and one unhealthy) will continue to receive requests. In the worst-case scenario where all instances are unhealthy, none will be excluded. <br /> To override this behavior, set app setting to a value between `1` and `100`. A higher value means more unhealthy instances will be removed (default value is `50`). |

-Health check integrates with App Service's [authentication and authorization features](overview-authentication-authorization.md). No additional settings are required if these security features are enabled.

-Once Health Check is enabled, you can restart and monitor the status of your application instances through the instances tab. The instances tab will show your instance's name, the status of that instance and give you the option to manually restart the application instance.

-If the status of your instance is unhealthy, you can restart the instance manually using the restart button in the table. Keep in mind that any other applications hosted on the same App Service Plan as the instance will also be affected by the restart. If there are other applications using the same App Service Plan as the instance, they will be listed on the opening blade from the restart button.

-For Windows applications, you have the option to collect diagnostic information in the Health Check tab. Enabling diagnostic collection will add an auto-heal rule that creates memory dumps for unhealthy instances and saves it to a designated storage account. Enabling this option will change auto-heal configurations. If there are existing auto-heal rules, we recommend setting this up through App Service diagnostics.

-Once diagnostic collection is enabled, you can create or choose an existing storage account for your files. You can only select storage accounts in the same region as your application. Keep in mind that saving will restart your application. After saving, if your site instances are found to be unhealthy after continuous pings, you can go to your storage account resource and view the memory dumps.

-After providing your application's Health check path, you can monitor the health of your site using Azure Monitor. From the **Health check** blade in the Portal, select the **Metrics** in the top toolbar. This will open a new blade where you can see the site's historical health status and option to create a new alert rule. Health check metrics will aggregate the successful pings & display failures only when the instance was deemed unhealthy based on the health check configuration. For more information on monitoring your sites, [see the guide on Azure Monitor](web-sites-monitor.md).

-On Windows App Service, the Health check requests will be sent via HTTPS when [HTTPS Only](configure-ssl-bindings.md#enforce-https) is enabled on the site. Otherwise, they're sent over HTTP. On Linux App Service, the health check requests are only sent over HTTP and can't be sent over HTTP**S** at this time.

-Imagine you have two applications (or one app with a slot) with Health check enabled, called App A and App B. They are on the same App Service Plan and that the Plan is scaled out to four instances. If App A becomes unhealthy on two instances, the load balancer will stop sending requests to App A on those two instances. Requests will still be routed to App B on those instances assuming App B is healthy. If App A remains unhealthy for over an hour on those two instances, those instances will only be replaced if App B is **also** unhealthy on those instances. If App B is healthy, the instance won't be replaced.

-fqdn=$(kubectl get ingress ingress-01 -n test-infra -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'')

->Run the `Set-AzContext -Subscription <V1 application gateway SubscriptionId>` cmdlet every time before running the migration script. This is necessary to set the active Azure context to the correct subscription, because the migration script might clean up the existing resource group if it doesn't exist in current subscription context.

-You can download the migration script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureAppGWMigration).

- * **appgwName: [String]: Optional**. This is a string you specify to use as the name for the new Standard_V2 or WAF_V2 gateway. If this parameter isn't supplied, the name of your existing V1 gateway is used with the suffix *_V2* appended.

- * **publicIpResourceId: [String]: Optional**. The resourceId of existing public IP address (standard SKU) resource in your subscription that you want to allocate to the new V2 gateway. If this isn't specified, the script allocates a new public IP in the same resource group. The name is the V2 gateway's name with *-IP* appended.

-To learn how to rewrite request and response headers with Application Gateway using Azure portal, see [here](rewrite-url-portal.md).

-|Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL server version

-|Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL server version

-|Lenovo ThinkAgile MX3520 |AKS on Azure Stack HCI 21H2| 1.10.0_2022-08-09 |16.0.312.4243| 12.3 (Ubuntu 12.3-1)|

-Building and deploying containers can slow the inner dev experience and impact team productivity. Cloud-native development teams will benefit from a robust inner dev loop framework. Inner dev loop frameworks assist in the iterative process of writing code, building, and debugging.

-Inner dev loop frameworks capabilities include:

-

-Depending on the maturity and complexity of the service, dev teams determine which cluster setup they will use to accelerate the inner dev loop:

-* Completely local

-* Completely remote

-* Hybrid

-Luckily, there are many frameworks out there that support the listed capabilities. Microsoft offers Bridge to Kubernetes for local tunnel debugging and there are similar market offerings like DevSpace, Scaffold, and Tilt, among others.

-> DonΓÇÖt confuse the market offering [DevSpace](https://github.com/loft-sh/devspace) with MicrosoftΓÇÖs previously named DevSpace, which is now called [Bridge to Kubernetes](https://code.visualstudio.com/docs/containers/bridge-to-kubernetes).

-## Inner loop to outer loop transition

-Once you've evaluated and chosen an inner loop dev framework, build seamless inner loop to outer loop transition.

-As described in the [CI/CD workflow using GitOps](conceptual-gitops-flux2-ci-cd.md) article's example, an application developer works on application code within an application repository. This application repository also holds high-level deployment Helm and/or Kustomize templates. CI\CD pipelines:

-* Generate the low-level manifests from the high-level templates, adding environment-specific values

-* Create a pull request that merges the low-level manifests with the GitOps repo that holds desired state for the specific environment.

-Similar low-level manifests can be generated locally for the inner dev loop, using the configuration values local to the developer. Application developers can iterate on the code changes and use the low-level manifests to deploy and debug applications. Generation of the low-level manifests can be integrated into an inner loop workflow, using the developerΓÇÖs local configuration. Most of the inner loop framework allows configuring custom flows by either extending through custom plugins or injecting script invocation based on hooks.

-### Diagram A: Inner Loop Flow

-### Diagram B: Inner Loop to Outer Loop transition

-## Example workflow

-As an application developer, Alice:

-1. Alice selects a namespace to work with by running `devspace use namespace <namespace_name>`.

-1. Alice can iterates changes to the application code, and deploys and debugs the application onto the target cluster by running `devspace dev`.

-1. Running `devspace dev` generates low-level manifests based on AliceΓÇÖs local configuration and deploys the application. These low-level manifests are configured with devspace hooks in devspace.yaml

-1. Alice doesn't need to rebuild the container every time she makes code changes, since DevSpace will enable hot reloading, using file sync to copy her latest changes inside the container.

-1. Running `devspace dev` will also deploy any dependencies configured in devspace.yaml, such as back-end dependencies to front-end.

-> Find the sample code for above workflow at this [GitHub repo](https://github.com/Azure/arc-cicd-demo-src)

-Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc-enabled Kubernetes](./conceptual-gitops-flux2.md)

-We provide dashboards to help you monitor status, compliance, resource consumption, and reconciliation activity for GitOps with Flux v2 in your Azure Arc-enabled Kubernetes clusters or Azure Kubernetes Service (AKS) clusters. These JSON dashboards can be imported to Grafana to help you view and analyze your data in real time.

-The **Count of Flux Extension Deployments by Status** chart shows the count of clusters, based on their provisioning state.

-After you have imported the dashboards, they'll display information from the clusters that you're monitoring.

-## Filter dashboard data to track Application Deployments

-You can filter data in the **GitOps Flux - Application Deployments Dashboard** to change the information shown. For example, you can show data for only certain subscriptions or resource groups, or limit data to a particular cluster. To do so, select the filter option either from the top level dropdowns or from any column header in the tables.

-For example, in the **Flux Configuration Compliance Status** table, you can select a specific commit from the **SourceLastSyncCommit** column. By doing so, you can track the status of a configuration deployment to all of the clusters affected by that commit.

-[Resource Graph samples by Category](../../governance/resource-graph/samples/samples-by-category.md)

-and [Resource Graph samples by Table](../../governance/resource-graph/samples/samples-by-table.md).

-| VMware | [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) | TKGm 2.2; upstream K8s v1.25.7+vmware.2 <br> TKGm 2.1.0; upstream K8s v1.24.9+vmware.1 <br> TKGm 1.6.0; upstream K8s v1.23.8+vmware.2 <br>TKGm 1.5.3; upstream K8s v1.22.8+vmware.1 <br>TKGm 1.4.0; upstream K8s v1.21.2+vmware.1 <br>TKGm 1.3.1; upstream K8s v1.20.5+vmware.2 <br>TKGm 1.2.1; upstream K8s v1.19.3+vmware.1 |

-| Kublr | [Kublr Managed K8s](https://kublr.com/managed-kubernetes/) Distribution | Upstream K8s Version: 1.22.10 <br> Upstream K8s Version: 1.21.3 |

-| Wind River | [Wind River Cloud Platform](https://www.windriver.com/studio/operator/cloud-platform) | Wind River Cloud Platform 22.12; Upstream K8s version: 1.24.4 <br>Wind River Cloud Platform 22.06; Upstream K8s version: 1.23.1 <br>Wind River Cloud Platform 21.12; Upstream K8s version: 1.21.8 <br>Wind River Cloud Platform 21.05; Upstream K8s version: 1.18.1 |

-## Should I use Arc-enabled servers or Arc-enabled VMware vSphere, and can I use both?

-While Azure Arc-enabled servers and Azure Arc-enabled VMware vSphere can be used in conjunction with one another, please note that this will produce dual representations in the Azure portal of the same underlying virtual machine. This scenario can potentially introduce a ΓÇ£duplicateΓÇ¥ guest management experience and is not advisable.

-description: Learn how to use Azure Functions

-zone_pivot_groups: cache-redis-zone-pivot-group

-# Serverless event-based architectures with Azure Cache for Redis and Azure Functions (preview)

-This article describes how to use Azure Cache for Redis with [Azure Functions](/azure/azure-functions/functions-overview) to create optimized serverless and event-driven architectures.

-Azure Cache for Redis can be used as a [trigger](/azure/azure-functions/functions-triggers-bindings) for Azure Functions, allowing Redis to initiate a serverless workflow.

-This functionality can be highly useful in data architectures like a [write-behind cache](https://azure.microsoft.com/resources/cloud-computing-dictionary/what-is-caching/#types-of-caching), or any [event-based architectures](/azure/architecture/guide/architecture-styles/event-driven).

-There are three triggers supported in Azure Cache for Redis:

-[Keyspace notifications](https://redis.io/docs/manual/keyspace-notifications/) can also be used as triggers through `RedisPubSubTrigger`.

-## Scope of availability for functions triggers

-|Tier | Basic | Standard, Premium | Enterprise, Enterprise Flash |

-||::|::|::|

-|Pub/Sub | Yes | Yes | Yes |

-|Lists | Yes | Yes | Yes |

-|Streams | Yes | Yes | Yes |

-> [!IMPORTANT]

-> Redis triggers are not currently supported on consumption functions.

->

-## Triggering on keyspace notifications

-Redis offers a built-in concept called [keyspace notifications](https://redis.io/docs/manual/keyspace-notifications/). When enabled, this feature publishes notifications of a wide range of cache actions to a dedicated pub/sub channel. Supported actions include actions that affect specific keys, called _keyspace notifications_, and specific commands, called _keyevent notifications_. A huge range of Redis actions are supported, such as `SET`, `DEL`, and `EXPIRE`. The full list can be found in the [keyspace notification documentation](https://redis.io/docs/manual/keyspace-notifications/).

-The `keyspace` and `keyevent` notifications are published with the following syntax:

-```

-PUBLISH __keyspace@0__:<affectedKey> <command>

-PUBLISH __keyevent@0__:<affectedCommand> <key>

-```

-Because these events are published on pub/sub channels, the `RedisPubSubTrigger` is able to pick them up. See the [RedisPubSubTrigger](#redispubsubtrigger) section for more examples.

-> [!IMPORTANT]

-> In Azure Cache for Redis, `keyspace` events must be enabled before notifications are published. For more information, see [Advanced Settings](cache-configure.md#keyspace-notifications-advanced-settings).

-## Prerequisites and limitations

-## Trigger usage

-### RedisPubSubTrigger

-The `RedisPubSubTrigger` subscribes to a specific channel pattern using [`PSUBSCRIBE`](https://redis.io/commands/psubscribe/), and surfaces messages received on those channels to the function.

-> [!WARNING]

-> This trigger isn't supported on a [consumption plan](/azure/azure-functions/consumption-plan) because Redis PubSub requires clients to always be actively listening to receive all messages. For consumption plans, your function might miss certain messages published to the channel.

->

-> [!NOTE]

-> Functions with the `RedisPubSubTrigger` should not be scaled out to multiple instances.

-> Each instance listens and processes each pubsub message, resulting in duplicate processing.

-#### Inputs for RedisPubSubTrigger

-This sample listens to the channel "channel" at a localhost Redis instance at `127.0.0.1:6379`

-```csharp

-[FunctionName(nameof(PubSubTrigger))]

-public static void PubSubTrigger(

- [RedisPubSubTrigger(ConnectionString = "127.0.0.1:6379", Channel = "channel")] RedisMessageModel model,

- ILogger logger)

-{

- logger.LogInformation(JsonSerializer.Serialize(model));

-}

-```

-```java

-@FunctionName("PubSubTrigger")

- public void PubSubTrigger(

- @RedisPubSubTrigger(

- name = "message",

- connectionStringSetting = "redisLocalhost",

- channel = "channel")

- String message,

- final ExecutionContext context) {

- context.getLogger().info(message);

- }

-```

-```json

-{

- "bindings": [

- {

- "type": "redisPubSubTrigger",

- "connectionStringSetting": "redisLocalhost",

- "channel": "channel",

- "name": "message",

- "direction": "in"

- }

- ],

- "scriptFile": "__init__.py"

-}

-```

-This sample listens to any keyspace notifications for the key `myKey` in a localhost Redis instance at `127.0.0.1:6379`.

-```csharp

-[FunctionName(nameof(PubSubTrigger))]

-public static void PubSubTrigger(

- [RedisPubSubTrigger(ConnectionString = "127.0.0.1:6379", Channel = "__keyspace@0__:myKey")] RedisMessageModel model,

- ILogger logger)

-{

- logger.LogInformation(JsonSerializer.Serialize(model));

-}

-```

-```java

-@FunctionName("KeyspaceTrigger")

- public void KeyspaceTrigger(

- @RedisPubSubTrigger(

- name = "message",

- connectionStringSetting = "redisLocalhost",

- channel = "__keyspace@0__:myKey")

- String message,

- final ExecutionContext context) {

- context.getLogger().info(message);

- }

-```

-```json

-{

- "bindings": [

- {

- "type": "redisPubSubTrigger",

- "connectionStringSetting": "redisLocalhost",

- "channel": "__keyspace@0__:myKey",

- "name": "message",

- "direction": "in"

- }

- ],

- "scriptFile": "__init__.py"

-}

-```

-This sample listens to any `keyevent` notifications for the delete command [`DEL`](https://redis.io/commands/del/) in a localhost Redis instance at `127.0.0.1:6379`.

-```csharp

-[FunctionName(nameof(PubSubTrigger))]

-public static void PubSubTrigger(

- [RedisPubSubTrigger(ConnectionString = "127.0.0.1:6379", Channel = "__keyevent@0__:del")] RedisMessageModel model,

- ILogger logger)

-{

- logger.LogInformation(JsonSerializer.Serialize(model));

-}

-```

-```java

- @FunctionName("KeyeventTrigger")

- public void KeyeventTrigger(

- @RedisPubSubTrigger(

- name = "message",

- connectionStringSetting = "redisLocalhost",

- channel = "__keyevent@0__:del")

- String message,

- final ExecutionContext context) {

- context.getLogger().info(message);

- }

-```

-```json

-{

- "bindings": [

- {

- "type": "redisPubSubTrigger",

- "connectionStringSetting": "redisLocalhost",

- "channel": "__keyevent@0__:del",

- "name": "message",

- "direction": "in"

- }

- ],

- "scriptFile": "__init__.py"

-}

-```

-### RedisListTrigger

-The `RedisListTrigger` pops elements from a list and surfaces those elements to the function. The trigger polls Redis at a configurable fixed interval, and uses [`LPOP`](https://redis.io/commands/lpop/)/[`RPOP`](https://redis.io/commands/rpop/)/[`LMPOP`](https://redis.io/commands/lmpop/) to pop elements from the lists.

-#### Inputs for RedisListTrigger

- - Multiple keys only supported on Redis 7.0+ using [`LMPOP`](https://redis.io/commands/lmpop/).

- - Listens to only the first key given in the argument using [`LPOP`](https://redis.io/commands/lpop/)/[`RPOP`](https://redis.io/commands/rpop/) on Redis versions less than 7.0.

- - This field can be resolved using `INameResolver`

- - Default: 1000

- - Default: 100

- - Default: 10

- - Only supported on Redis 6.2+ using the `COUNT` argument in [`LPOP`](https://redis.io/commands/lpop/)/[`RPOP`](https://redis.io/commands/rpop/).

- - Default: true

-The following sample polls the key `listTest` at a localhost Redis instance at `127.0.0.1:6379`:

-```csharp

-[FunctionName(nameof(ListTrigger))]

-public static void ListTrigger(

- [RedisListTrigger(ConnectionStringSetting = "127.0.0.1:6379", Key = "listTest")] RedisMessageModel model,

- ILogger logger)

-{

- logger.LogInformation(JsonSerializer.Serialize(model));

-}

-```

-```java

-@FunctionName("ListTrigger")

- public void ListTrigger(

- @RedisListTrigger(

- name = "entry",

- connectionStringSetting = "redisLocalhost",

- key = "listTest",

- pollingIntervalInMs = 100,

- messagesPerWorker = 10,

- count = 1,

- listPopFromBeginning = false)

- String entry,

- final ExecutionContext context) {

- context.getLogger().info(entry);

- }

-```

-```json

-{

- "bindings": [

- {

- "type": "redisListTrigger",

- "listPopFromBeginning": true,

- "connectionStringSetting": "redisLocalhost",

- "key": "listTest",

- "pollingIntervalInMs": 1000,

- "messagesPerWorker": 100,

- "count": 10,

- "name": "entry",

- "direction": "in"

- }

- ],

- "scriptFile": "__init__.py"

-}

-```

-### RedisStreamTrigger

-The `RedisStreamTrigger` pops elements from a stream and surfaces those elements to the function.

-The trigger polls Redis at a configurable fixed interval, and uses [`XREADGROUP`](https://redis.io/commands/xreadgroup/) to read elements from the stream.

-The consumer group for all function instances will be the ID of the function. For example, for the StreamTrigger function in [this sample](https://github.com/Azure/azure-functions-redis-extension/blob/main/samples/dotnet/RedisSamples.cs), the consumer group would be `Microsoft.Azure.WebJobs.Extensions.Redis.Samples.RedisSamples.StreamTrigger`.

-Each function creates a new random GUID to use as its consumer name within the group to ensure that scaled out instances of the function don't read the same messages from the stream.

-#### Inputs for RedisStreamTrigger

- - Uses [`XREADGROUP`](https://redis.io/commands/xreadgroup/).

- - This field can be resolved using `INameResolver`.

- - Default: 1000

- - Default: 100

- - Default: 10

- - Default: false

-The following sample polls the key `streamTest` at a localhost Redis instance at `127.0.0.1:6379`:

-```csharp

-[FunctionName(nameof(StreamTrigger))]

-public static void StreamTrigger(

- [RedisStreamTrigger(ConnectionString = "127.0.0.1:6379", Keys = "streamTest")] RedisMessageModel model,

- ILogger logger)

-{

- logger.LogInformation(JsonSerializer.Serialize(model));

-}

-```

-```java

-@FunctionName("StreamTrigger")

- public void StreamTrigger(

- @RedisStreamTrigger(

- name = "entry",

- connectionStringSetting = "redisLocalhost",

- key = "streamTest",

- pollingIntervalInMs = 100,

- messagesPerWorker = 10,

- count = 1,

- deleteAfterProcess = true)

- String entry,

- final ExecutionContext context) {

- context.getLogger().info(entry);

- }

-```

-```json

-{

- "bindings": [

- {

- "type": "redisStreamTrigger",

- "deleteAfterProcess": false,

- "connectionStringSetting": "redisLocalhost",

- "key": "streamTest",

- "pollingIntervalInMs": 1000,

- "messagesPerWorker": 100,

- "count": 10,

- "name": "entry",

- "direction": "in"

- }

- ],

- "scriptFile": "__init__.py"

-}

-```

-### Return values

-All triggers return a `RedisMessageModel` object that has two fields:

-```csharp

-namespace Microsoft.Azure.WebJobs.Extensions.Redis

-{

- public class RedisMessageModel

- {

- public string Trigger { get; set; }

- public string Message { get; set; }

- }

-}

-```

-```java

-public class RedisMessageModel {

- public String Trigger;

- public String Message;

-}

-```

-```python

-class RedisMessageModel:

- def __init__(self, trigger, message):

- self.Trigger = trigger

- self.Message = message

-```

-## Next steps

-To connect to an Azure Fluid Relay instance, you first need to create an `AzureClient`. You must provide some configuration parameters including the tenant ID, service URL, and a token provider to generate the JSON Web Token (JWT) that will be used to authorize the current user against the service. The [@fluidframework/test-client-utils](https://fluidframework.com/docs/apis/test-client-utils/) package provides an [InsecureTokenProvider](https://fluidframework.com/docs/apis/test-client-utils/insecuretokenprovider-class) that can be used for development purposes.

-You can connect to Azure Fluid Relay by providing the tenant ID and key that is uniquely generated for you when creating the Azure resource. You can build your own token provider implementation or you can use the two token provider implementations that the Fluid Framework provides: [InsecureTokenProvider](https://fluidframework.com/docs/apis/test-client-utils/insecuretokenprovider-class) and [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider-class).

-1. Add a reference to the [Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore NuGet package, version 1.0.0-preview2 or later](https://www.nuget.org/packages/Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore/1.0.0-preview2) to your project.

-Update the value of the `AzureWebJobsStorage` app setting on your function app with a valid storage account connection string.

-You should suppress this event when your function app uses an Azure Key Vault reference in the `AzureWebjobsStorage` app setting instead of a connection string. For more information, see [Source application settings from Key Vault](../../../app-service/app-service-key-vault-references.md?toc=%2Fazure%2Fazure-functions%2Ftoc.json#source-app-settings-from-key-vault)

-The following example shows an HTTP trigger that returns a "hello, world" response as an [IActionResult], using [ASP.NET Core integration in .NET Isolated](./dotnet-isolated-process-guide.md#aspnet-core-integration-preview):

-Before a client can connect to Azure SignalR Service, it must retrieve the service endpoint URL and a valid access token. The *SignalRConnectionInfo* input binding produces the SignalR Service endpoint URL and a valid token that are used to connect to the service. Because the token is time-limited and can be used to authenticate a specific user to a connection, you should not cache the token or share it between clients. An HTTP trigger using this binding can be used by clients to retrieve the connection information.

-For more information on how this binding is used to create a "negotiate" function that can be consumed by a SignalR client SDK, see the [Azure Functions development and configuration article](../azure-signalr/signalr-concept-serverless-development-config.md) in the SignalR Service concepts documentation.

-The following example shows a SignalR trigger that reads a message string from one hub using a SignalR trigger and writes it to a second hub using an output binding. The data required to connect to the output binding is obtained as a `MyConnectionInfo` object from an input binding defined using a `SignalRConnectionInfo` attribute.

-When the function is triggered by an authenticated client, you can add a user ID claim to the generated token. You can easily add authentication to a function app using [App Service Authentication](../app-service/overview-authentication-authorization.md).

-You can set the `UserId` property of the binding to the value from either header using a [binding expression](./functions-bindings-expressions-patterns.md): `{headers.x-ms-client-principal-id}` or `{headers.x-ms-client-principal-name}`.

-You can set the `userId` property of the binding to the value from either header using a [binding expression](./functions-bindings-expressions-patterns.md): `{headers.x-ms-client-principal-id}` or `{headers.x-ms-client-principal-name}`.

-You can set the `userId` property of the binding to the value from either header using a [binding expression](./functions-bindings-expressions-patterns.md): `{headers.x-ms-client-principal-id}` or `{headers.x-ms-client-principal-name}`.

-You can set the `userId` property of the binding to the value from either header using a [binding expression](./functions-bindings-expressions-patterns.md): `{headers.x-ms-client-principal-id}` or `{headers.x-ms-client-principal-name}`.

-**HubName**| This value must be set to the name of the SignalR hub for which the connection information is generated. |

-|**UserId**| Optional: The value of the user identifier claim to be set in the access key token. |

-**HubName**| This value must be set to the name of the SignalR hub for which the connection information is generated. |

-|**UserId**| Optional: The value of the user identifier claim to be set in the access key token. |

-|**hubName**| This value must be set to the name of the SignalR hub for which the connection information is generated.|

-|**userId**| Optional: The value of the user identifier claim to be set in the access key token. |

-|**hubName**| This value must be set to the name of the SignalR hub for which the connection information is generated.|

-|**userId**| Optional: The value of the user identifier claim to be set in the access key token. |

-|**name**| Variable name used in function code for connection info object. |

-|**hubName**| This value must be set to the name of the SignalR hub for which the connection information is generated.|

-|**userId**| Optional: The value of the user identifier claim to be set in the access key token. |

-az functionapp create --name <APP_NAME> --storage-account <STORAGE_NAME> --environment MyContainerappEnvironment --resource-group AzureFunctionsContainers-rg --functions-version 4 --runtime node --image <LOGIN_SERVER>/azurefunctionsimage:v1.0.0 --registry-username <REGISTRY_NAME> --registry-password <ADMIN_PASSWORD>

-### Maps Creator service

-Maps Creator service is a suite of web services that developers can use to create applications with map features based on indoor map data.

-Maps Creator provides the following

-* [Dataset service]. Use the Dataset service to create a dataset from a converted drawing package data. For information about drawing package requirements, see drawing package requirements.

-* [Conversion service]. Use the Conversion service to convert a DWG design file into drawing package data for indoor maps.

-* [Tileset service]. Use the Tileset service to create a vector-based representation of a dataset. Applications can use a tileset to present a visual tile-based view of the dataset.

-* [Custom styling service] (preview). Use the [style service] or [visual style editor] to customize the visual elements of an indoor map.

-* [Feature State service]. Use the Feature State service to support dynamic map styling. Dynamic map styling allows applications to reflect real-time events on spaces provided by IoT systems.

-* [WFS service]. Use the WFS service to query your indoor map data. The WFS service follows the [Open Geospatial Consortium API] standards for querying a single dataset.

-* [Wayfinding service] (preview). Use the [wayfinding API] to generate a path between two points within a facility. Use the [routeset API] to create the data that the wayfinding service needs to generate paths.

-[Conversion service]: creator-indoor-maps.md#convert-a-drawing-package

-[Custom styling service]: creator-indoor-maps.md#custom-styling-preview

-[Dataset service]: creator-indoor-maps.md#datasets

-[Feature State service]: creator-indoor-maps.md#feature-statesets

-[Tileset service]: creator-indoor-maps.md#tilesets

-[Wayfinding service]: creator-indoor-maps.md#wayfinding-preview

-[WFS service]: creator-indoor-maps.md#web-feature-service-api

-[routeset API]: /rest/api/maps/v20220901preview/routeset

-[style service]: /rest/api/maps/v20220901preview/style

-[wayfinding API]: /rest/api/maps/v20220901preview/wayfinding

-[Open Geospatial Consortium API]: https://docs.opengeospatial.org/is/17-069r3/17-069r3.html

-[visual style editor]: https://azure.github.io/Azure-Maps-Style-Editor

-<iframe height="700" scrolling="no" title="Map style options" src="https://codepen.io/azuremaps/embed/eYNMjPb?height=700&theme-id=0&default-tab=result" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/eYNMjPb'>Map style options</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Setting the style on map load' src='//codepen.io/azuremaps/embed/WKOQRq/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/WKOQRq/'>Setting the style on map load</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Updating the style' src='//codepen.io/azuremaps/embed/yqXYzY/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/yqXYzY/'>Updating the style</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Adding the style picker' src='//codepen.io/azuremaps/embed/OwgyvG/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/OwgyvG/'>Adding the style picker</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Basic bubble layer clustering" src="//codepen.io/azuremaps/embed/qvzRZY/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/qvzRZY/'>Basic bubble layer clustering</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Clustered Symbol layer" src="//codepen.io/azuremaps/embed/Wmqpzz/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/Wmqpzz/'>Clustered Symbol layer</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Cluster weighted Heat Map" src="//codepen.io/azuremaps/embed/VRJrgO/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/VRJrgO/'>Cluster weighted Heat Map</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Cluster getClusterExpansionZoom" src="//codepen.io/azuremaps/embed/moZWeV/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/moZWeV/'>Cluster getClusterExpansionZoom</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

- <iframe height="500" scrolling="no" title="Cluster area convex hull" src="//codepen.io/azuremaps/embed/QoXqWJ/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/QoXqWJ/'>Cluster area convex hull</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Cluster aggregates" src="//codepen.io/azuremaps/embed/jgYyRL/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/jgYyRL/'>Cluster aggregates</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Vector tile line layer" src="https://codepen.io/azuremaps/embed/wvMXJYJ?height=500&theme-id=default&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/wvMXJYJ'>Vector tile line layer</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-[Drawing package requirements]: drawing-requirements.md

-[The JavaScript Object Notation (JSON) Data Interchange Format]: https://tools.ietf.org/html/rfc7159

-[manifest section in the Drawing package requirements]: drawing-requirements.md#manifest-file-requirements

-[How to use Azure Maps Drawing error visualizer]: drawing-error-visualizer.md

-[Creator for indoor mapping]: creator-indoor-maps.md

-> The following feature class should be defined (not case sensitive) in order to use [wayfinding]. `Wall` will be treated as an obstruction for a given path request. `Stair` and `Elevator` will be treated as level connectors to navigate across floors:

-> 1. Wall

-> 2. Stair

-> 3. Elevator

-<iframe height="500" scrolling="no" title="Drawing tools events" src="https://codepen.io/azuremaps/embed/dyPMRWo?height=500&theme-id=default&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/dyPMRWo'>Drawing tools events</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-This code demonstrates how to monitor an event of a user drawing shapes. For this example, the code monitors shapes of polygons, rectangles, and circles. Then, it determines which data points on the map are within the drawn area. The `drawingcomplete` event is used to trigger the select logic. In the select logic, the code loops through all the data points on the map. It checks if there's an intersection of the point and the area of the drawn shape. This example makes use of the open-source [Turf.js](https://turfjs.org/) library to perform a spatial intersection calculation.

-<iframe height="500" scrolling="no" title="Select data in drawn polygon area" src="https://codepen.io/azuremaps/embed/XWJdeja?height=500&theme-id=default&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/XWJdeja'>Select data in drawn polygon area</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Draw and search in polygon area" src="https://codepen.io/azuremaps/embed/eYmZGNv?height=500&theme-id=default&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/eYmZGNv'>Draw and search in polygon area</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Measuring tool" src="https://codepen.io/azuremaps/embed/RwNaZXe?height=500&theme-id=default&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/RwNaZXe'>Measuring tool</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-> [Get shape data](map-get-shape-data.md)

-> [Interaction types and keyboard shortcuts](drawing-tools-interactions-keyboard-shortcuts.md)

-> [Services module](how-to-use-services-module.md)

-> [Code sample page](https://aka.ms/AzureMapsSamples)

-[Drawing tools events]: https://samples.azuremaps.com/drawing-tools-module/drawing-tools-events

-[Select data in drawn polygon area]: https://samples.azuremaps.com/drawing-tools-module/select-data-in-drawn-polygon-area

-[Draw and search polygon area]: https://samples.azuremaps.com/drawing-tools-module/draw-and-search-polygon-area

-[Draw and search polygon area sample code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Drawing%20Tools%20Module/Draw%20and%20search%20polygon%20area/Draw%20and%20search%20polygon%20area.html

-[Create a measuring tool]: https://samples.azuremaps.com/drawing-tools-module/create-a-measuring-tool

-[Create a measuring tool sample code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Drawing%20Tools%20Module/Create%20a%20measuring%20tool/Create%20a%20measuring%20tool.html

-> [Azure Maps Search service](/rest/api/maps/search)

-[Get Search Address API]: /rest/api/maps/search/getsearchaddress

-<a name="Zoom level"></a> **Zoom level**: Specifies the level of detail and how much of the map is visible. When zoomed all the way to level 0, the full world map is often visible. But, the map shows limited details such as country/region names, borders, and ocean names. When zoomed in closer to level 17, the map displays an area of a few city blocks with detailed road information. In Azure Maps, the highest zoom level is 22. For more information, see [Zoom levels and tile grid].

-[Satellite imagery]: #satellite-imagery

-[Shared key authentication]: #shared-key-authentication

-[Manage authentication in Azure Maps]: how-to-manage-authentication.md

-[Parcel]: #parcel

-[Bearing]: #bearing

-[Reachable Range]: #reachable-range

-[Zoom levels and tile grid]: zoom-levels-and-tile-grid.md

-[Postal code]: #postal-code

-[Transformation]: #transformation

-[EPSG:3857]: https://epsg.io/3857

-[Altitude]: #altitude

-> [Use the Azure Maps Indoor Maps module](how-to-use-indoor-module.md)

-[tileset]: /rest/api/maps/v20220901preview/tileset

-[tileset get]: /rest/api/maps/v20220901preview/tileset/get

-[Use Creator to create indoor maps]: tutorial-creator-indoor-maps.md

-[manifest]: drawing-requirements.md#manifest-file-requirements

-[categories]: https://atlas.microsoft.com/sdk/javascript/indoor/0.2/categories.json

-[Instantiate the Indoor Manager]: how-to-use-indoor-module.md#instantiate-the-indoor-manager

-[map configuration]: creator-indoor-maps.md#map-configuration

-> - This article uses the `us.atlas.microsoft.com` geographical URL. If your account wasn't created in the United States, you must use a different geographical URL. For more information, see [Access to Creator services](how-to-manage-creator.md#access-to-creator-services).

-> - `{udid}` with the user data ID of your data registry. For more information, see [The user data ID](#the-user-data-id).

-There are two types of managed identities: **system-assigned** and **user-assigned**. System-assigned managed identities have their lifecycle tied to the resource that created them. User-assigned managed identities can be used on multiple resources. For more information, see [managed identities for Azure resources][managed identity].

-For more information, see [managed identities for Azure resources][managed identity].

-> All storage accounts linked to an Azure Maps account must be in the same geographic location. For more information, see [Azure Maps service geographic scope][geographic scope].

-> If you do not have a storage account see [Create a storage account][create storage account].

-There are the AzureBlob properties that you pass in the body of the HTTP request, and [The user data ID](#the-user-data-id) passed in the URL.

-The following two sections provide you with details how to get the values to use for the [msiClientId](#the-msiclientid-property), [blobUrl](#the-bloburl-property) properties.

-The `msiClientId` property is the ID of the managed identity used to create the data registry. There are two types of managed identities: **system-assigned** and **user-assigned**. System-assigned managed identities have their lifecycle tied to the resource that created them. User-assigned managed identities can be used on multiple resources. For more information, see [What are managed identities for Azure resources?][managed identity].

-> The `udid` is a user-defined GUID that must be supplied when creating a data registry. If you want to be certain you have a globally unique identifier (GUID), consider creating it by running a GUID generating tool such as the Guidgen.exe command line program (Available with [Visual Studio][Visual Studio]).

- For more information on the properties required in the HTTP request body, see [Data registry properties](#data-registry-properties).

- For more information on the `udid` property, see [The user data ID](#the-user-data-id).

- For more information on the properties required in the HTTP request body, see [Data registry properties](#data-registry-properties).

- For more information on the `udid` property, see [The user data ID](#the-user-data-id).

-> If the contents of a previously registered file is modified, it will fail its [data validation](#data-validation) and won't be usable in Azure Maps until it's re-registered. To re-register a file, rerun the register request, passing in the same [AzureBlob](#the-azureblob) used to create the original registration.

-The value of the **Operation-Location** key is the status URL that you'll use to check the status of the data registry creation in the next section, it contains the operation ID used by the [Get operation][Get operation] API.

-To (optionally) check the status of the data registry creation process, enter the status URL you copied in the [Create a data registry](#create-a-data-registry) section, and add your subscription key as a query string parameter. The request should look similar to the following URL:

-Use the [List][list] request to get a list of all files registered in an Azure Maps account:

-| contentMD5 | MD5 hash created from the contents of the file being registered. For more information, see [Data validation](#data-validation) |

-If you need to replace a previously registered file with another file, rerun the register request, passing in the same [AzureBlob](#the-azureblob) used to create the original registration, except for the [blobUrl](#the-bloburl-property). The `BlobUrl` needs to be modified to point to the new file.

-[create storage account]: /azure/storage/common/storage-account-create?tabs=azure-portal

-[geographic scope]: geographic-scope.md

-[managed identity]: /azure/active-directory/managed-identities-azure-resources/overview

-[storage account overview]: /azure/storage/common/storage-account-overview

-[subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

-[Visual Studio]: https://visualstudio.microsoft.com/downloads/

-<!- REST API Links >

-[Register]: /rest/api/maps/data-registry/register-or-replace

-* [**Microsoft.Maps/accounts**](/azure/templates/microsoft.maps/accounts): create an Azure Maps account.

-[free account]: https://azure.microsoft.com/free/?WT.mc_id=A261C142F

-[ARM templates]: ../azure-resource-manager/templates/overview.md

-> This article explains how to create a dataset from a GeoJSON package. For information on additional steps required to complete an indoor map, see [Next steps](#next-steps).

-For more information on the GeoJSON package, see the [Geojson zip package requirements](#geojson-zip-package-requirements) section.

-> This is different from the [previous version][Dataset Create] in that it doesn't require a `conversionId` from a converted drawing package.

-1. Enter the following URL to the dataset service. The request should look like the following URL (replace {udid} with the `udid` obtained in [Check the GeoJSON package upload status](#check-the-geojson-package-upload-status) section):

-1. Enter the status URL you copied in [Create a dataset](#create-a-dataset). The request should look like the following URL:

-See [Next steps](#next-steps) for links to articles to help you complete your indoor map.

-[Facility ontology] defines how Azure Maps Creator internally stores facility data, divided into feature classes, in a Creator dataset. When importing a GeoJSON package, anytime a feature is added or modified, a series of validations run. This includes referential integrity checks and geometry and attribute validations. These validations are described in more detail in the following list.

-<! learn.microsoft.com links >

-<! REST API Links >

-[Data Upload API]: /rest/api/maps/data-v2/upload

-[Dataset Create API]: /rest/api/maps/v20220901preview/dataset/create

-[Dataset Create]: /rest/api/maps/v2/dataset/create

-<! External Links >

-[Contoso building sample]: https://github.com/Azure-Samples/am-creator-indoor-data-examples

-[RFC 7946]: https://www.rfc-editor.org/rfc/rfc7946.html

-You can authenticate with Azure AD using the [Azure Identity library][Identity library]. To use the [DefaultAzureCredential] provider, you need to add the mvn dependency in the `pom.xml` file:

-You need to register the new Azure AD application and grant access to Azure Maps by assigning the required role to your service principal. For more information, see [Host a daemon on non-Azure resources][Host daemon]. The Application (client) ID, a Directory (tenant) ID, and a client secret are returned. Copy these values and store them in a secure place. You need them in the following steps.

-[Host daemon]: ./how-to-secure-daemon-app.md#host-a-daemon-on-non-azure-resources

-[Identity library]: /java/api/overview/azure/identity-readme?source=recommendations&view=azure-java-stable

-<iframe height="500" scrolling="no" title="Symbol layer with built-in icon template" src="//codepen.io/azuremaps/embed/VoQMPp/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/VoQMPp/'>Symbol layer with built-in icon template</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Line layer with built-in icon template" src="//codepen.io/azuremaps/embed/KOQvJe/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/KOQvJe/'>Line layer with built-in icon template</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Fill polygon with built-in icon template" src="//codepen.io/azuremaps/embed/WVMEmz/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/WVMEmz/'>Fill polygon with built-in icon template</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="HTML Marker with built-in icon template" src="//codepen.io/azuremaps/embed/EqQvzq/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/EqQvzq/'>HTML Marker with built-in icon template</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Add custom icon template to atlas namespace" src="//codepen.io/azuremaps/embed/NQyvEX/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/NQyvEX/'>Add custom icon template to atlas namespace</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Icon template options" src="//codepen.io/azuremaps/embed/NQyaaO/?height=500&theme-id=0&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/NQyaaO/'>Icon template options</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-The domain for the services needs to be set when creating an instance of an API URL endpoint, when using the services module. For example, the following code creates an instance of the `SearchURL` class and points the domain to the Azure Government cloud.

-```javascript

-var searchURL = new atlas.service.SearchURL(pipeline, 'atlas.azure.us');

-```

-If directly accessing the Azure Maps REST services, change the URL domain to `atlas.azure.us`. For example, if using the search API service, change the URL domain from `https://atlas.microsoft.com/search/` to `https://atlas.azure.us/search/`.

-<iframe height="500" scrolling="no" title="Using the Services Module" src="//codepen.io/azuremaps/embed/zbXGMR/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/zbXGMR/'>Using the Services Module</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Make an accessible application' src='//codepen.io/azuremaps/embed/ZoVyZQ/?height=504&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ZoVyZQ/'>Make an accessible application</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>. </iframe>

-<iframe height='500' scrolling='no' title='BubbleLayer DataSource' src='//codepen.io/azuremaps/embed/mzqaKB/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/mzqaKB/'>BubbleLayer DataSource</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='MultiLayer DataSource' src='//codepen.io/azuremaps/embed/rqbQXy/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/rqbQXy/'>MultiLayer DataSource</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='700' scrolling='no' title='Bubble Layer Options' src='//codepen.io/azuremaps/embed/eQxbGm/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/eQxbGm/'>Bubble Layer Options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Adding a zoom control' src='//codepen.io/azuremaps/embed/WKOQyN/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/WKOQyN/'>Adding a zoom control</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Adding a pitch control' src='//codepen.io/azuremaps/embed/xJrwaP/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/xJrwaP/'>Adding a pitch control</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Adding a rotate control' src='//codepen.io/azuremaps/embed/GBEoRb/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/GBEoRb/'>Adding a rotate control</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='A map with all the controls' src='//codepen.io/azuremaps/embed/qyjbOM/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/qyjbOM/'>A map with all the controls</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="700" scrolling="no" title="Navigation control options" src="//codepen.io/azuremaps/embed/LwBZMx/?height=700&theme-id=0&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/LwBZMx/'>Navigation control options</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Add an HTML Marker to a map' src='//codepen.io/azuremaps/embed/MVoeVw/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/MVoeVw/'>Add an HTML Marker to a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='HTML Marker with Custom SVG Template' src='//codepen.io/azuremaps/embed/LXqMWx/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/LXqMWx/'>HTML Marker with Custom SVG Template</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='HTML DataSource' src='//codepen.io/azuremaps/embed/qJVgMx/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/qJVgMx/'>HTML DataSource</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Draggable HTML Marker' src='//codepen.io/azuremaps/embed/wQZoEV/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/wQZoEV/'>Draggable HTML Marker</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Adding Mouse Events to HTML Markers' src='//codepen.io/azuremaps/embed/RqOKRz/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/RqOKRz/'>Adding Mouse Events to HTML Markers</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Add drawing toolbar" src="//codepen.io/azuremaps/embed/ZEzLeRg/?height=265&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/ZEzLeRg/'>Add drawing toolbar</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Add a polygon drawing tool" src="//codepen.io/azuremaps/embed/OJLWWMy/?height=265&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/OJLWWMy/'>Add a polygon drawing tool</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Change drawing rendering style" src="//codepen.io/azuremaps/embed/OJLWpyj/?height=265&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/OJLWpyj/'>Change drawing rendering style</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Simple Heat Map Layer' src='//codepen.io/azuremaps/embed/gQqdQB/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/gQqdQB/'>Simple Heat Map Layer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='700' scrolling='no' title='Heat Map Layer Options' src='//codepen.io/azuremaps/embed/WYPaXr/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/WYPaXr/'>Heat Map Layer Options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Consistent zoomable heat map" src="//codepen.io/azuremaps/embed/OGyMZr/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/OGyMZr/'>Consistent zoomable heat map</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Simple Image Layer' src='//codepen.io/azuremaps/embed/eQodRo/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/eQodRo/'>Simple Image Layer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='KML Ground Overlay as Image Layer' src='//codepen.io/azuremaps/embed/EOJgpj/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/EOJgpj/'>KML Ground Overlay as Image Layer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='700' scrolling='no' title='Image Layer Options' src='//codepen.io/azuremaps/embed/RqOGzx/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/RqOGzx/'>Image Layer Options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Add a line to a map' src='//codepen.io/azuremaps/embed/qomaKv/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/qomaKv/'>Add a line to a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Show arrow along line" src="//codepen.io/azuremaps/embed/drBJwX/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/drBJwX/'>Show arrow along line</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Line with Stroke Gradient" src="//codepen.io/azuremaps/embed/wZwWJZ/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/wZwWJZ/'>Line with Stroke Gradient</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='700' scrolling='no' title='Line Layer Options' src='//codepen.io/azuremaps/embed/GwLrgb/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/GwLrgb/'>Line Layer Options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Switch pin location' src='//codepen.io/azuremaps/embed/ZqJjRP/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ZqJjRP/'>Switch pin location</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Custom Symbol Image Icon' src='//codepen.io/azuremaps/embed/WYWRWZ/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/WYWRWZ/'>Custom Symbol Image Icon</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='700' scrolling='no' title='Symbol Layer Options' src='//codepen.io/azuremaps/embed/PxVXje/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/PxVXje/'>Symbol Layer Options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Reusing Popup with Multiple Pins' src='//codepen.io/azuremaps/embed/rQbjvK/?height=500&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/rQbjvK/'>Reusing Popup with Multiple Pins</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Customized Popup" src="//codepen.io/azuremaps/embed/ymKgdg/?height=500&theme-id=0&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/ymKgdg/'>Customized Popup</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='PopupTemplates' src='//codepen.io/azuremaps/embed/dyovrzL/?height=500&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/dyovrzL/'>PopupTemplates</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='ReusePopupTemplate' src='//codepen.io/azuremaps/embed/WNvjxGw/?height=500&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/WNvjxGw/'>ReusePopupTemplate</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Popup events" src="//codepen.io/azuremaps/embed/BXrpvB/?height=500&theme-id=0&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/BXrpvB/'>Popup events</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Add a polygon to a map ' src='//codepen.io/azuremaps/embed/yKbOvZ/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/yKbOvZ/'>Add a polygon to a map </a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Polygon and line layer to add polygon' src='//codepen.io/azuremaps/embed/aRyEPy/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/aRyEPy/'>Polygon and line layer to add polygon</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Polygon fill pattern" src="//codepen.io/azuremaps/embed/JzQpYX/?height=500&theme-id=0&default-tab=js,result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/JzQpYX/'>Polygon fill pattern</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title='LXvxpg' src='//codepen.io/azuremaps/embed/LXvxpg/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/LXvxpg/'>LXvxpg</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Add a circle to a map' src='//codepen.io/azuremaps/embed/PRmzJX/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/PRmzJX/'>Add a circle to a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Update shape properties' src='//codepen.io/azuremaps/embed/ZqMeQY/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ZqMeQY/'>Update shape properties</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Use a snapping grid" src="https://codepen.io/azuremaps/embed/rNmzvXO?default-tab=js%2Cresult" frameborder="no" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href="https://codepen.io/azuremaps/pen/rNmzvXO">

- Use a snapping grid</a> by Azure Maps (<a href="https://codepen.io/azuremaps">@azuremaps</a>)

- on <a href="https://codepen.io">CodePen</a>.

-</iframe>

-<iframe height="700" scrolling="no" title="Snap grid options" src="https://codepen.io/azuremaps/embed/RwVZJry?default-tab=result" frameborder="no" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href="https://codepen.io/azuremaps/pen/RwVZJry">

- Snap grid options</a> by Azure Maps (<a href="https://codepen.io/azuremaps">@azuremaps</a>)

- on <a href="https://codepen.io">CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Tile Layer using X, Y, and Z' src='//codepen.io/azuremaps/embed/BGEQjG/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/BGEQjG/'>Tile Layer using X, Y, and Z</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="WMS Tile Layer" src="https://codepen.io/azuremaps/embed/BapjZqr?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true" frameborder="no" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/BapjZqr'>WMS Tile Layer</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="WMTS tile layer" src="https://codepen.io/azuremaps/embed/BapjZVY?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true" frameborder="no" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/BapjZVY'>WMTS tile layer</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='700' scrolling='no' title='Tile Layer Options' src='//codepen.io/azuremaps/embed/xQeRWX/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/xQeRWX/'>Tile Layer Options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Basic map load" src="//codepen.io/azuremaps/embed/rXdBXx/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/rXdBXx/'>Basic map load</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="renderWorldCopies = false" src="//codepen.io/azuremaps/embed/eqMYpZ/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/eqMYpZ/'>renderWorldCopies = false</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Create a map via CameraOptions' src='//codepen.io/azuremaps/embed/qxKBMN/?height=543&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/qxKBMN/'>Create a map via `CameraOptions` </a>by Azure Location Based Services (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Create a map via CameraBoundsOptions' src='//codepen.io/azuremaps/embed/ZrRbPg/?height=543&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ZrRbPg/'>Create a map via `CameraBoundsOptions` </a>by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Animate Map View' src='//codepen.io/azuremaps/embed/WayvbO/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/WayvbO/'>Animate Map View</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='600' scrolling='no' title='Interacting with the map ΓÇô mouse events' src='//codepen.io/azuremaps/embed/bLZEWd/?height=600&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/bLZEWd/'>Interact with the map ΓÇô mouse events</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='600' scrolling='no' title='Interacting with the map ΓÇô Layer Events' src='//codepen.io/azuremaps/embed/bQRRPE/?height=600&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/bQRRPE/'>Interacting with the map ΓÇô Layer Events</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Interacting with the map - HTML Marker events' src='//codepen.io/azuremaps/embed/VVzKJY/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/VVzKJY/'>Interacting with the map - HTML Marker events</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="500" scrolling="no" title="Extruded polygon" src="https://codepen.io/azuremaps/embed/wvvBpvE?height=265&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/wvvBpvE'>Extruded polygon</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Extruded choropleth map" src="https://codepen.io/azuremaps/embed/eYYYNox?height=265&theme-id=0&default-tab=result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/eYYYNox'>Extruded choropleth map</a> by Azure Maps(<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Drone airspace polygon" src="https://codepen.io/azuremaps/embed/zYYYrxo?height=265&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/zYYYrxo'>Drone airspace polygon</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title='PoogBRJ' src='//codepen.io/azuremaps/embed/PoogBRJ/?height=700&theme-id=0&default-tab=result' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/PoogBRJ/'>PoogBRJ</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a></iframe>

-<iframe height='500' scrolling='no' title='Get information from a coordinate (Service Module)' src='//codepen.io/azuremaps/embed/ejEYMZ/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ejEYMZ/'>Get information from a coordinate (Service Module)</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Get information from a coordinate' src='//codepen.io/azuremaps/embed/ddXzoB/?height=516&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ddXzoB/'>Get information from a coordinate</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height="686" title="Get shape data" src="//codepen.io/azuremaps/embed/xxKgBVz/?height=265&theme-id=0&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true">See the Pen <a href='https://codepen.io/azuremaps/pen/xxKgBVz/'>Get shape data</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Show directions from A to B on a map (Service Module)' src='//codepen.io/azuremaps/embed/RBZbep/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/RBZbep/'>Show directions from A to B on a map (Service Module)</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Show directions from A to B on a map' src='//codepen.io/azuremaps/embed/zRyNmP/?height=469&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/zRyNmP/'>Show directions from A to B on a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Show search results on a map (Service Module)' src='//codepen.io/azuremaps/embed/zLdYEB/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/zLdYEB/'>Show search results on a map (Service Module)</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Show search results on a map' src='//codepen.io/azuremaps/embed/KQbaeM/?height=265&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/KQbaeM/'>Show search results on a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Show traffic on a map' src='//codepen.io/azuremaps/embed/WMLRPw/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/WMLRPw/'>Show traffic on a map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="700" scrolling="no" title="Traffic overlay options" src="//codepen.io/azuremaps/embed/RwbPqRY/?height=700&theme-id=0&default-tab=result" frameborder='no' loading="lazy" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/RwbPqRY/'>Traffic overlay options</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Traffic controls" src="https://codepen.io/azuremaps/embed/ZEWaeLJ?height500&theme-id=0&default-tab=js,result&embed-version=2&editable=true" frameborder='no' loading="lazy" loading="lazy" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/ZEWaeLJ'>Traffic controls</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Draw a polygon" src="//codepen.io/azuremaps/embed/YzKVKRa/?height=265&theme-id=0&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/YzKVKRa/'>Draw a polygon</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Free-hand drawing" src="//codepen.io/azuremaps/embed/ZEzKoaj/?height=265&theme-id=0&default-tab=js,result&editable=true" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/ZEzKoaj/'>Free-hand drawing</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="685" title="Customize drawing manager" src="//codepen.io/azuremaps/embed/LYPyrxR/?height=600&theme-id=0&default-tab=result" frameborder="no" allowtransparency="true" allowfullscreen="true">See the Pen <a href='https://codepen.io/azuremaps/pen/LYPyrxR/'>Get shape data</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title='OGC Map layer example' src='//codepen.io/azuremaps/embed/xxGLZWB/?height=700&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/xxGLZWB/'>OGC Map layer example</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title='OGC map layer options' src='//codepen.io/azuremaps/embed/abOyEVQ/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/abOyEVQ/'>OGC map layer options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='750' scrolling='no' title='OGC Web Map Service explorer' src='//codepen.io/azuremaps/embed/YzXxYdX/?height=750&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/YzXxYdX/'>OGC Web Map Service explorer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Use the Simple data layer" src="//codepen.io/azuremaps/embed/zYGzpQV/?height=500&theme-id=0&default-tab=js,result&editable=true" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true"> See the Pen <a href='https://codepen.io/azuremaps/pen/zYGzpQV/'>Use the simple data layer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="700" scrolling="no" title="Simple data layer options" src="//codepen.io/azuremaps/embed/gOpRXgy/?height=700&theme-id=0&default-tab=result" frameborder='no' loading="lazy" allowtransparency="true" allowfullscreen="true"> See the Pen <a href='https://codepen.io/azuremaps/pen/gOpRXgy/'>Simple data layer options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title='Simple WFS example' src='//codepen.io/azuremaps/embed/MWwvVYY/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/MWwvVYY/'>Simple WFS example</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title= 'WFS filter examples' src='//codepen.io/azuremaps/embed/NWqvYrV/?height=500&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/NWqvYrV/'>WFS filter examples</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title= 'WFS service explorer' src='//codepen.io/azuremaps/embed/bGdrvmG/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/bGdrvmG/'>WFS service explorer</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.

-</iframe>

-<iframe height='500' scrolling='no' title='Load Spatial Data Simple' src='//codepen.io/azuremaps/embed/yLNXrZx/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/yLNXrZx/'>Load Spatial Data Simple</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Load KML Onto Map' src='//codepen.io/azuremaps/embed/XWbgwxX/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/XWbgwxX/'>Load KML Onto Map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Add a Delimited File' src='//codepen.io/azuremaps/embed/ExjXBEb/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/ExjXBEb/'>Add a Delimited File</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title='Spatial data write options' src='//codepen.io/azuremaps/embed/YzXxXPG/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/YzXxXPG/'>Spatial data write options</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title='Drag and drop spatial files onto map' src='//codepen.io/azuremaps/embed/zYGdGoO/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/zYGdGoO/'>Drag and drop spatial files onto map</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Read Well-Known Text' src='//codepen.io/azuremaps/embed/XWbabLd/?height=500&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/XWbabLd/'>Read Well-Known Text</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='700' scrolling='no' title='Read and write Well-Known Text' src='//codepen.io/azuremaps/embed/JjdyYav/?height=700&theme-id=0&default-tab=result&embed-version=2&editable=true' frameborder='no' allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/JjdyYav/'>Read and write Well-Known Text</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Azure Maps + Leaflet" src="//codepen.io/azuremaps/embed/GeLgyx/?height=500&theme-id=0&default-tab=html,result" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/GeLgyx/'>Azure Maps + Leaflet</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Lazy load the map" src="https://codepen.io/azuremaps/embed/vYEeyOv?height=500&theme-id=default&default-tab=js,result" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/vYEeyOv'>Lazy load the map</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height='500' scrolling='no' title='Reusing Popup with Multiple Pins' src='//codepen.io/azuremaps/embed/rQbjvK/?height=500&theme-id=0&default-tab=js,result&embed-version=2&editable=true' frameborder='no' loading="lazy" allowtransparency='true' allowfullscreen='true'>See the Pen <a href='https://codepen.io/azuremaps/pen/rQbjvK/'>Reusing Popup with Multiple Pins</a> by Azure Maps (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-<iframe height="500" scrolling="no" title="Symbol layer animation" src="https://codepen.io/azuremaps/embed/oNgGzRd?height=500&theme-id=default&default-tab=js,result" frameborder="no" allowtransparency="true" allowfullscreen="true">

- See the Pen <a href='https://codepen.io/azuremaps/pen/oNgGzRd'>Symbol layer animation</a> by Azure Maps

- (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

-[A migration tool](alerts-using-migration-tool.md) is available in the Azure portal for customers to trigger migration themselves. This article explains the automatic migration process in public cloud, that will start after 31 May 2021. It also details issues and solutions you might run into.

-After you [trigger the migration](alerts-using-migration-tool.md), you'll receive email at the addresses you provided to notify you that migration is complete or if any action is needed from you. This section describes some common problems and how to deal with them.

-To avoid mixing up telemetry from development, test, and production environments, you can [create separate Application Insights resources](./create-new-resource.md) and change their keys, depending on the environment.

-### Get an instrumentation key

-To get started, you need an instrumentation key. For more information, see [Create an Application Insights resource](create-new-resource.md#copy-the-instrumentation-key).

-> - To get started, you need an instrumentation key. For more information, see [Create a resource](create-new-resource.md#copy-the-instrumentation-key).

-To create an availability test, you must use an existing Application Insights resource or [create an Application Insights resource](create-new-resource.md).

-[new]: ./create-new-resource.md

- * Set the sampling percentage to 100 for an important request type (e.g. `/login`)

-This will suppress collecting telemetry for all requests to `/health-checks`.

-This will also suppress collecting any downstream spans (dependencies) that would normally be collected under

-This will suppress collecting telemetry for all `GET my-noisy-key` redis calls.

-This will collect 100% of telemetry for `/login`.

-those will also be collected for all '/login' requests.

-If you use `regexp` and the sampling override doesn't work, please try with the `.*` regex. If the sampling now works, it means

-you have an issue with the first regex and please read [this regex documentation](https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html).

-If it doesn't work with `.*`, you may have a syntax issue in your `application-insights.json file`. Please look at the Application Insights logs and see if you notice

-1. Create an [Application Insights resource](create-new-resource.md).

-* [Create an Application Insights resource](./create-new-resource.md#create-a-resource-automatically) via a quick method without using a template.

-To create an Applications Insights resource, see [Create an Application Insights resource](./create-new-resource.md).

- * If you don't want to install server code, [create an Application Insights resource](./create-new-resource.md).

-You must have a valid Application Insights connection string. This string is required to send any telemetry to Application Insights. If you need to create a new Application Insights resource to get a connection string, see [Create an Application Insights resource](./create-new-resource.md).

-Virtual machines generate similar data as other Azure resources, but they require a containerized version of the Log Analytics agent to collect required data. Container insights help you prepare your containerized environment for monitoring. It works in conjunction with third-party tools to provide comprehensive monitoring of Azure Kubernetes Service (AKS) and the workflows it supports. See [Monitoring Azure Kubernetes Service with Azure Monitor](../aks/monitor-aks.md?toc=/azure/azure-monitor/toc.json) for a dedicated scenario on monitoring AKS with Azure Monitor.

-description: This article describes how you can configure Container insights to monitor Kubernetes clusters hosted on Azure Stack or other environments.

-# Configure hybrid Kubernetes clusters with Container insights

-Container insights provides a rich monitoring experience for the Azure Kubernetes Service (AKS) and [AKS Engine on Azure](https://github.com/Azure/aks-engine), which is a self-managed Kubernetes cluster hosted on Azure. This article describes how to enable monitoring of Kubernetes clusters hosted outside of Azure and achieve a similar monitoring experience.

-## Supported configurations

-The following configurations are officially supported with Container insights. If you have a different version of Kubernetes and operating system versions, please open a support ticket..

- - Kubernetes on-premises.

- - AKS Engine on Azure and Azure Stack. For more information, see [AKS Engine on Azure Stack](/azure-stack/user/azure-stack-kubernetes-aks-engine-overview).

- - [OpenShift](https://docs.openshift.com/container-platform/4.3/welcome/https://docsupdatetracker.net/index.html) version 4 and higher, on-premises or in other cloud environments.

-## Prerequisites

-Before you start, make sure that you meet the following prerequisites:

- >[!NOTE]

- >Enabling the monitoring of multiple clusters with the same cluster name to the same Log Analytics workspace isn't supported. Cluster names must be unique.

- >

- |Agent resource|Ports |

- |||

- |*.ods.opinsights.azure.com |Port 443 |

- |*.oms.opinsights.azure.com |Port 443 |

- |*.dc.services.visualstudio.com |Port 443 |

->[!IMPORTANT]

->The minimum agent version supported for monitoring hybrid Kubernetes clusters is *ciprod10182019* or later.

-## Enable monitoring

-To enable Container insights for the hybrid Kubernetes cluster:

-1. Configure your Log Analytics workspace with the Container insights solution.

-1. Enable the Container insights Helm chart with a Log Analytics workspace.

-For more information on monitoring solutions in Azure Monitor, see [Monitoring solutions in Azure Monitor](/previous-versions/azure/azure-monitor/insights/solutions).

-### Add the Azure Monitor Containers solution

-You can deploy the solution with the provided Azure Resource Manager template by using the Azure PowerShell cmdlet `New-AzResourceGroupDeployment` or with the Azure CLI.

-If you're unfamiliar with the concept of deploying resources by using a template, see:

-If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.59 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-This method includes two JSON templates. One template specifies the configuration to enable monitoring. The other template contains parameter values that you configure to specify:

-To first identify the full resource ID of your Log Analytics workspace that's required for the `workspaceResourceId` parameter value in the *containerSolutionParams.json* file, perform the following steps. Then run the PowerShell cmdlet or Azure CLI command to add the solution.

-1. List all the subscriptions to which you have access by using the following command:

- ```azurecli

- az account list --all -o table

- ```

- The output will resemble the following example:

- ```azurecli

- Name CloudName SubscriptionId State IsDefault

- -- - --

- Microsoft Azure AzureCloud 0fb60ef2-03cc-4290-b595-e71108e8f4ce Enabled True

- ```

- Copy the value for **SubscriptionId**.

-1. Switch to the subscription hosting the Log Analytics workspace by using the following command:

- ```azurecli

- az account set -s <subscriptionId of the workspace>

- ```

-1. The following example displays the list of workspaces in your subscriptions in the default JSON format:

- ```azurecli

- az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json

- ```

- In the output, find the workspace name. Then copy the full resource ID of that Log Analytics workspace under the field **ID**.

-1. Copy and paste the following JSON syntax into your file:

- ```json

- {

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "workspaceResourceId": {

- "type": "string",

- "metadata": {

- "description": "Azure Monitor Log Analytics Workspace Resource ID"

- }

- },

- "workspaceRegion": {

- "type": "string",

- "metadata": {

- "description": "Azure Monitor Log Analytics Workspace region"

- }

- }

- },

- "resources": [

- {

- "type": "Microsoft.Resources/deployments",

- "name": "[Concat('ContainerInsights', '-', uniqueString(parameters('workspaceResourceId')))]",

- "apiVersion": "2017-05-10",

- "subscriptionId": "[split(parameters('workspaceResourceId'),'/')[2]]",

- "resourceGroup": "[split(parameters('workspaceResourceId'),'/')[4]]",

- "properties": {

- "mode": "Incremental",

- "template": {

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {},

- "variables": {},

- "resources": [

- {

- "apiVersion": "2015-11-01-preview",

- "type": "Microsoft.OperationsManagement/solutions",

- "location": "[parameters('workspaceRegion')]",

- "name": "[Concat('ContainerInsights', '(', split(parameters('workspaceResourceId'),'/')[8], ')')]",

- "properties": {

- "workspaceResourceId": "[parameters('workspaceResourceId')]"

- },

- "plan": {

- "name": "[Concat('ContainerInsights', '(', split(parameters('workspaceResourceId'),'/')[8], ')')]",

- "product": "[Concat('OMSGallery/', 'ContainerInsights')]",

- "promotionCode": "",

- "publisher": "Microsoft"

- }

- }

- ]

- },

- "parameters": {}

- }

- }

- ]

- }

- ```

-1. Save this file as **containerSolution.json** to a local folder.

-1. Paste the following JSON syntax into your file:

- ```json

- {

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "workspaceResourceId": {

- "value": "<workspaceResourceId>"

- },

- "workspaceRegion": {

- "value": "<workspaceRegion>"

- }

- }

- }

- ```

-1. Edit the values for **workspaceResourceId** by using the value you copied in step 3. For **workspaceRegion**, copy the **Region** value after running the Azure CLI command [az monitor log-analytics workspace show](/cli/azure/monitor/log-analytics/workspace#az-monitor-log-analytics-workspace-list&preserve-view=true).

-1. Save this file as **containerSolutionParams.json** to a local folder.

-1. You're ready to deploy this template.

- - To deploy with Azure PowerShell, use the following commands in the folder that contains the template:

- ```powershell

- # configure and login to the cloud of Log Analytics workspace.Specify the corresponding cloud environment of your workspace to below command.

- Connect-AzureRmAccount -Environment <AzureCloud | AzureChinaCloud | AzureUSGovernment>

- ```

- ```powershell

- # set the context of the subscription of Log Analytics workspace

- Set-AzureRmContext -SubscriptionId <subscription Id of Log Analytics workspace>

- ```

- ```powershell

- # execute deployment command to add Container Insights solution to the specified Log Analytics workspace

- New-AzureRmResourceGroupDeployment -Name OnboardCluster -ResourceGroupName <resource group of Log Analytics workspace> -TemplateFile .\containerSolution.json -TemplateParameterFile .\containerSolutionParams.json

- ```

- The configuration change can take a few minutes to finish. When it's finished, a message similar to the following example includes this result:

- ```powershell

- provisioningState : Succeeded

- ```

- - To deploy with the Azure CLI, run the following commands:

- ```azurecli

- az login

- az account set --name <AzureCloud | AzureChinaCloud | AzureUSGovernment>

- az login

- az account set --subscription "Subscription Name"

- # execute deployment command to add container insights solution to the specified Log Analytics workspace

- az deployment group create --resource-group <resource group of log analytics workspace> --name <deployment name> --template-file ./containerSolution.json --parameters @./containerSolutionParams.json

- ```

- The configuration change can take a few minutes to finish. When it's finished, a message similar to the following example includes this result:

- ```azurecli

- provisioningState : Succeeded

- ```

- After you've enabled monitoring, it might take about 15 minutes before you can view health metrics for the cluster.

-## Install the Helm chart

-In this section, you install the containerized agent for Container insights. Before you proceed, identify the workspace ID required for the `amalogsagent.secret.wsid` parameter and the primary key required for the `amalogsagent.secret.key` parameter. To identify this information, follow these steps and then run the commands to install the agent by using the Helm chart.

-1. Run the following command to identify the workspace ID:

- `az monitor log-analytics workspace list --resource-group <resourceGroupName>`

- In the output, find the workspace name under the field **name**. Then copy the workspace ID of that Log Analytics workspace under the field **customerID**.

-1. Run the following command to identify the primary key for the workspace:

- `az monitor log-analytics workspace get-shared-keys --resource-group <resourceGroupName> --workspace-name <logAnalyticsWorkspaceName>`

- In the output, find the primary key under the field **primarySharedKey** and then copy the value.

- >[!NOTE]

- >The following commands are applicable only for Helm version 2. Use of the `--name` parameter isn't applicable with Helm version 3.

-

- If your Kubernetes cluster communicates through a proxy server, configure the parameter `amalogsagent.proxy` with the URL of the proxy server. If the cluster doesn't communicate through a proxy server, you don't need to specify this parameter. For more information, see the section [Configure the proxy endpoint](#configure-the-proxy-endpoint) later in this article.

-1. Add the Azure charts repository to your local list by running the following command:

- ```

- helm repo add microsoft https://microsoft.github.io/charts/repo

- ````

-1. Install the chart by running the following command:

- ```

- $ helm install --name myrelease-1 \

- --set amalogsagent.secret.wsid=<logAnalyticsWorkspaceId>,amalogsagent.secret.key=<logAnalyticsWorkspaceKey>,amalogsagent.env.clusterName=<my_prod_cluster> microsoft/azuremonitor-containers

- ```

- If the Log Analytics workspace is in Microsoft Azure operated by 21Vianet, run the following command:

- ```

- $ helm install --name myrelease-1 \

- --set amalogsagent.domain=opinsights.azure.cn,amalogsagent.secret.wsid=<logAnalyticsWorkspaceId>,amalogsagent.secret.key=<logAnalyticsWorkspaceKey>,amalogsagent.env.clusterName=<your_cluster_name> incubator/azuremonitor-containers

- ```

- If the Log Analytics workspace is in Azure US Government, run the following command:

- ```

- $ helm install --name myrelease-1 \

- --set amalogsagent.domain=opinsights.azure.us,amalogsagent.secret.wsid=<logAnalyticsWorkspaceId>,amalogsagent.secret.key=<logAnalyticsWorkspaceKey>,amalogsagent.env.clusterName=<your_cluster_name> incubator/azuremonitor-containers

- ```

-### Enable the Helm chart by using the API model

-You can specify an add-on in the AKS Engine cluster specification JSON file, which is also referred to as the API model. In this add-on, provide the base64-encoded version of `WorkspaceGUID` and `WorkspaceKey` of the Log Analytics workspace where the collected monitoring data is stored. You can find `WorkspaceGUID` and `WorkspaceKey` by using steps 1 and 2 in the previous section.

-Supported API definitions for the Azure Stack Hub cluster can be found in the example [kubernetes-container-monitoring_existing_workspace_id_and_key.json](https://github.com/Azure/aks-engine/blob/master/examples/addons/container-monitoring/kubernetes-container-monitoring_existing_workspace_id_and_key.json). Specifically, find the **addons** property in **kubernetesConfig**:

-```json

-"orchestratorType": "Kubernetes",

- "kubernetesConfig": {

- "addons": [

- {

- "name": "container-monitoring",

- "enabled": true,

- "config": {

- "workspaceGuid": "<Azure Log Analytics Workspace Id in Base-64 encoded>",

- "workspaceKey": "<Azure Log Analytics Workspace Key in Base-64 encoded>"

- }

- }

- ]

- }

-```

-## Configure agent data collection

-Starting with chart version 1.0.0, the agent data collection settings are controlled from the ConfigMap. For more information on agent data collection settings, see [Configure agent data collection for Container insights](container-insights-agent-config.md).

-After you've successfully deployed the chart, you can review the data for your hybrid Kubernetes cluster in Container insights from the Azure portal.

->[!NOTE]

->Ingestion latency is around 5 to 10 minutes from the agent to commit in the Log Analytics workspace. Status of the cluster shows the value **No data** or **Unknown** until all the required monitoring data is available in Azure Monitor.

-## Configure the proxy endpoint

-Starting with chart version 2.7.1, the chart will support specifying the proxy endpoint with the `amalogsagent.proxy` chart parameter. In this way, it can communicate through your proxy server. Communication between the Container insights agent and Azure Monitor can be an HTTP or HTTPS proxy server. Both anonymous and basic authentication with a username and password are supported.

-The proxy configuration value has the syntax `[protocol://][user:password@]proxyhost[:port]`.

-> [!NOTE]

->If your proxy server doesn't require authentication, you still need to specify a pseudo username and password. It can be any username or password.

-|Property| Description |

-|--|-|

-|protocol | HTTP or HTTPS |

-|user | Optional username for proxy authentication |

-|password | Optional password for proxy authentication |

-|proxyhost | Address or FQDN of the proxy server |

-|port | Optional port number for the proxy server |

-An example is `amalogsagent.proxy=http://user01:password@proxy01.contoso.com:8080`.

-If you specify the protocol as **http**, the HTTP requests are created by using an SSL/TLS secure connection. Your proxy server must support SSL/TLS protocols.

-## Troubleshooting

-If you encounter an error while you attempt to enable monitoring for your hybrid Kubernetes cluster, copy the PowerShell script [TroubleshootError_nonAzureK8s.ps1](https://aka.ms/troubleshoot-non-azure-k8s) and save it to a folder on your computer. This script is provided to help you detect and fix the issues you encounter. It's designed to detect and attempt correction of the following issues:

-To execute with Azure PowerShell, use the following commands in the folder that contains the script:

-```powershell

-.\TroubleshootError_nonAzureK8s.ps1 - azureLogAnalyticsWorkspaceResourceId </subscriptions/<subscriptionId>/resourceGroups/<resourcegroupName>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName> -kubeConfig <kubeConfigFile> -clusterContextInKubeconfig <clusterContext>

-```

-## Next steps

-Now that monitoring is enabled to collect health and resource utilization of your hybrid Kubernetes clusters and workloads are running on them, learn [how to use](container-insights-analyze.md) Container insights.

-description: This article describes how you can stop monitoring of your hybrid Kubernetes cluster with Container insights.

-# How to stop monitoring your hybrid cluster

-After you enable monitoring of your Kubernetes cluster, you can stop monitoring the cluster with Container insights if you decide you no longer want to monitor it. This article shows how to accomplish this for the following environments:

-## How to stop monitoring using Helm

-The following steps apply to the following environments:

-1. To first identify the Container insights helm chart release installed on your cluster, run the following helm command.

- ```

- helm list

- ```

- The output will resemble the following:

- ```

- NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION

- azmon-containers-release-1 default 3 2020-04-21 15:27:24.1201959 -0700 PDT deployed azuremonitor-containers-2.7.0 7.0.0-1

- ```

- *azmon-containers-release-1* represents the helm chart release for Container insights.

-2. To delete the chart release, run the following helm command.

- `helm delete <releaseName>`

- Example:

- `helm delete azmon-containers-release-1`

- This will remove the release from the cluster. You can verify by running the `helm list` command:

- ```

- NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION

- ```

-The configuration change can take a few minutes to complete. Because Helm tracks your releases even after youΓÇÖve deleted them, you can audit a clusterΓÇÖs history, and even undelete a release with `helm rollback`.

-## How to stop monitoring on Azure Arc-enabled Kubernetes

-### Using PowerShell

-1. Download and save the script to a local folder that configures your cluster with the monitoring add-on using the following commands:

- ```powershell

- wget https://aka.ms/disable-monitoring-powershell-script -OutFile disable-monitoring.ps1

- ```

-2. Configure the `$azureArcClusterResourceId` variable by setting the corresponding values for `subscriptionId`, `resourceGroupName` and `clusterName` representing the resource ID of your Azure Arc-enabled Kubernetes cluster resource.

- ```powershell

- $azureArcClusterResourceId = "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Kubernetes/connectedClusters/<clusterName>"

- ```

-3. Configure the `$kubeContext` variable with the **kube-context** of your cluster by running the command `kubectl config get-contexts`. If you want to use the current context, set the value to `""`.

- ```powershell

- $kubeContext = "<kubeContext name of your k8s cluster>"

- ```

-4. Run the following command to stop monitoring the cluster.

- ```powershell

- .\disable-monitoring.ps1 -clusterResourceId $azureArcClusterResourceId -kubeContext $kubeContext

- ```

-#### Using service principal

-The script *disable-monitoring.ps1* uses the interactive device login. If you prefer non-interactive login, you can use an existing service principal or create a new one that has the required permissions as described in [Prerequisites](container-insights-enable-arc-enabled-clusters.md#prerequisites). To use service principal, you will have to pass $servicePrincipalClientId, $servicePrincipalClientSecret and $tenantId parameters with values of service principal you have intended to use to enable-monitoring.ps1 script.

-```powershell

-$subscriptionId = "<subscription Id of the Azure Arc-connected cluster resource>"

-$servicePrincipal = New-AzADServicePrincipal -Role Contributor -Scope "/subscriptions/$subscriptionId"

-$servicePrincipalClientId = $servicePrincipal.ApplicationId.ToString()

-$servicePrincipalClientSecret = [System.Net.NetworkCredential]::new("", $servicePrincipal.Secret).Password

-$tenantId = (Get-AzSubscription -SubscriptionId $subscriptionId).TenantId

-```

-For example:

-```powershell

-\disable-monitoring.ps1 -clusterResourceId $azureArcClusterResourceId -kubeContext $kubeContext -servicePrincipalClientId $servicePrincipalClientId -servicePrincipalClientSecret $servicePrincipalClientSecret -tenantId $tenantId

-```

-### Using bash

-1. Download and save the script to a local folder that configures your cluster with the monitoring add-on using the following commands:

- ```bash

- curl -o disable-monitoring.sh -L https://aka.ms/disable-monitoring-bash-script

- ```

-2. Configure the `azureArcClusterResourceId` variable by setting the corresponding values for `subscriptionId`, `resourceGroupName` and `clusterName` representing the resource ID of your Azure Arc-enabled Kubernetes cluster resource.

- ```bash

- export AZUREARCCLUSTERRESOURCEID="/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Kubernetes/connectedClusters/<clusterName>"

- ```

-3. Configure the `kubeContext` variable with the **kube-context** of your cluster by running the command `kubectl config get-contexts`.

- ```bash

- export KUBECONTEXT="<kubeContext name of your k8s cluster>"

- ```

-4. To stop monitoring your cluster, there are different commands provided based on your deployment scenario.

- Run the following command to stop monitoring the cluster using the current context.

- ```bash

- bash disable-monitoring.sh --resource-id $AZUREARCCLUSTERRESOURCEID

- ```

- Run the following command to stop monitoring the cluster by specifying a context

- ```bash

- bash disable-monitoring.sh --resource-id $AZUREARCCLUSTERRESOURCEID --kube-context $KUBECONTEXT

- ```

-#### Using service principal

-The bash script *disable-monitoring.sh* uses the interactive device login. If you prefer non-interactive login, you can use an existing service principal or create a new one that has the required permissions as described in [Prerequisites](container-insights-enable-arc-enabled-clusters.md#prerequisites). To use service principal, you will have to pass --client-id, --client-secret and --tenant-id values of service principal you have intended to use to *enable-monitoring.sh* bash script.

-```bash

-SUBSCRIPTIONID="<subscription Id of the Azure Arc-connected cluster resource>"

-SERVICEPRINCIPAL=$(az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/${SUBSCRIPTIONID}")

-SERVICEPRINCIPALCLIENTID=$(echo $SERVICEPRINCIPAL | jq -r '.appId')

-SERVICEPRINCIPALCLIENTSECRET=$(echo $SERVICEPRINCIPAL | jq -r '.password')

-TENANTID=$(echo $SERVICEPRINCIPAL | jq -r '.tenant')

-```

-For example:

-```bash

-bash disable-monitoring.sh --resource-id $AZUREARCCLUSTERRESOURCEID --kube-context $KUBECONTEXT --client-id $SERVICEPRINCIPALCLIENTID --client-secret $SERVICEPRINCIPALCLIENTSECRET --tenant-id $TENANTID

-```

-## Next steps

-If the Log Analytics workspace was created only to support monitoring the cluster and it's no longer needed, you have to manually delete it. If you are not familiar with how to delete a workspace, see [Delete an Azure Log Analytics workspace](../logs/delete-workspace.md).

-description: This article describes how you can stop monitoring of your Azure Red Hat OpenShift cluster with Container insights.

-# How to stop monitoring your Azure Red Hat OpenShift v3 cluster

->[!IMPORTANT]

-> Azure Red Hat OpenShift 3.11 will be retired June 2022.

->

-> As of October 2020 you will no longer be able to create new 3.11 clusters.

-> Existing 3.11 clusters will continue to operate until June 2022 but will no be longer supported after that date.

->

-> Follow this guide to [create an Azure Red Hat OpenShift 4 cluster](../../openshift/tutorial-create-cluster.md).

-> If you have specific questions, [please contact us](mailto:aro-feedback@microsoft.com).

-After you enable monitoring of your Azure Red Hat OpenShift version 3.x cluster, you can stop monitoring the cluster with Container insights if you decide you no longer want to monitor it. This article shows how to accomplish this using the Azure Resource Manager template provided.

-## Azure Resource Manager template

-Provided are two Azure Resource Manager template to support removing the solution resources consistently and repeatedly in your resource group. One is a JSON template specifying the configuration to stop monitoring and the other contains parameter values that you configure to specify the OpenShift cluster resource ID and Azure region that the cluster is deployed in.

-If you're unfamiliar with the concept of deploying resources by using a template, see:

-* [Deploy resources with Resource Manager templates and Azure PowerShell](../../azure-resource-manager/templates/deploy-powershell.md)

-* [Deploy resources with Resource Manager templates and the Azure CLI](../../azure-resource-manager/templates/deploy-cli.md)

-If you choose to use the Azure CLI, you first need to install and use the CLI locally. You must be running the Azure CLI version 2.0.65 or later. To identify your version, run `az --version`. If you need to install or upgrade the Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli).

-### Create template

-1. Copy and paste the following JSON syntax into your file:

- ```json

- {

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "aroResourceId": {

- "type": "string",

- "metadata": {

- "description": "ARO Cluster Resource ID"

- }

- },

- "aroResourceLocation": {

- "type": "string",

- "metadata": {

- "description": "Location of the aro cluster resource e.g. westcentralus"

- }

- }

- },

- "resources": [

- {

- "name": "[split(parameters('aroResourceId'),'/')[8]]",

- "type": "Microsoft.ContainerService/openShiftManagedClusters",

- "location": "[parameters('aroResourceLocation')]",

- "apiVersion": "2019-09-30-preview",

- "properties": {

- "mode": "Incremental",

- "id": "[parameters('aroResourceId')]",

- "monitorProfile": {

- "workspaceResourceID": null,

- "enabled": false

- }

- }

- }

- ]

- }

- ```

-2. Save this file as **OptOutTemplate.json** to a local folder.

-3. Paste the following JSON syntax into your file:

- ```json

- {

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "aroResourceId": {

- "value": "/subscriptions/<subscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.ContainerService/openShiftManagedClusters/<clusterName>"

- },

- "aroResourceLocation": {

- "value": "<azure region of the cluster e.g. westcentralus>"

- }

- }

- }

- ```

-4. Edit the values for **aroResourceId** and **aroResourceLocation** by using the values of the OpenShift cluster, which you can find on the **Properties** page for the selected cluster.

- 

-5. Save this file as **OptOutParam.json** to a local folder.

-6. You are ready to deploy this template.

-### Remove the solution using Azure CLI

-Execute the following command with Azure CLI on Linux to remove the solution and clean up the configuration on your cluster.

-```azurecli

-az login

-az account set --subscription "Subscription Name"

-az deployment group create --resource-group <ResourceGroupName> --template-file ./OptOutTemplate.json --parameters @./OptOutParam.json

-```

-The configuration change can take a few minutes to complete. When it's completed, a message similar to the following that includes the result is returned:

-```output

-ProvisioningState : Succeeded

-```

-### Remove the solution using PowerShell

-Execute the following PowerShell commands in the folder containing the template to remove the solution and clean up the configuration from your cluster.

-```powershell

-Connect-AzAccount

-Select-AzSubscription -SubscriptionName <yourSubscriptionName>

-New-AzResourceGroupDeployment -Name opt-out -ResourceGroupName <ResourceGroupName> -TemplateFile .\OptOutTemplate.json -TemplateParameterFile .\OptOutParam.json

-```

-The configuration change can take a few minutes to complete. When it's completed, a message similar to the following that includes the result is returned:

-```output

-ProvisioningState : Succeeded

-```

-## Next steps

-If the workspace was created only to support monitoring the cluster and it's no longer needed, you have to manually delete it. If you are not familiar with how to delete a workspace, see [Delete an Azure Log Analytics workspace](../logs/delete-workspace.md).

-description: This article describes how you can stop monitoring of your Azure Red Hat OpenShift and Red Hat OpenShift version 4 cluster with Container insights.

-# How to stop monitoring your Azure and Red Hat OpenShift v4 cluster

-After you enable monitoring of your Azure Red Hat OpenShift and Red Hat OpenShift version 4.x cluster, you can stop monitoring the cluster with Container insights if you decide you no longer want to monitor it. This article shows how to accomplish this.

-## How to stop monitoring using Helm

-1. To first identify the Container insights helm chart release installed on your cluster, run the following helm command.

- ```

- helm list --all-namespaces

- ```

- The output will resemble the following:

- ```

- NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION

- azmon-containers-release-1 default 3 2020-04-21 15:27:24.1201959 -0700 PDT deployed azuremonitor-containers-2.7.0 7.0.0-1

- ```

- *azmon-containers-release-1* represents the helm chart release for Container insights.

-2. To delete the chart release, run the following helm command.

- `helm delete <releaseName>`

- Example:

- `helm delete azmon-containers-release-1`

- This will remove the release from the cluster. You can verify by running the `helm list` command:

- ```

- NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION

- ```

-The configuration change can take a few minutes to complete. Because Helm tracks your releases even after youΓÇÖve deleted them, you can audit a clusterΓÇÖs history, and even undelete a release with `helm rollback`.

-## Next steps

-If the Log Analytics workspace was created only to support monitoring the cluster and it's no longer needed, you have to manually delete it. If you are not familiar with how to delete a workspace, see [Delete an Azure Log Analytics workspace](../logs/delete-workspace.md).

- csi:

- driver: secrets-store.csi.k8s.io

- readOnly: true

- volumeAttributes:

- secretProviderClass: azure-kvname-user-msi

-Metrics are available for interactive analysis in the Azure portal with [Azure Metrics Explorer](essentials/metrics-getting-started.md). They can be added to an [Azure dashboard](app/tutorial-app-dashboards.md) for visualization in combination with other data and used for near-real-time [alerting](alerts/alerts-metric.md).

-To read more about Azure Monitor metrics, including their sources of data, see [Metrics in Azure Monitor](essentials/data-platform-metrics.md).

-## Compare Azure Monitor metrics and logs

-The following table compares metrics and logs in Azure Monitor.

-| Attribute | Metrics | Logs |

-|:|:|:|

-| Benefits | Lightweight and capable of near-real time scenarios such as alerting. Ideal for fast detection of issues. | Analyzed with rich query language. Ideal for deep analysis and identifying root cause. |

-| Data | Numerical values only | Text or numeric data |

-| Structure | Standard set of properties including sample time, resource being monitored, a numeric value. Some metrics include multiple dimensions for further definition. | Unique set of properties depending on the log type. |

-| Collection | Collected at regular intervals. | May be collected sporadically as events trigger a record to be created. |

-| Analyze in Azure portal | Metrics Explorer | Log Analytics |

-| Data sources include | Platform metrics collected from Azure resources<br>Applications monitored by Application Insights<br>Azure Monitor agent<br>Custom defined by application or API | Application and resource logs<br>Azure Monitor agent<br>Application requests and exceptions<br>Logs ingestion API<br>Azure Sentinel<br>Microsoft Defender for Cloud |

-1. In the namespaces dropdown list, select **azure.vm.windows.guest**.

-| Custom logs | [Configure custom logs by using the Azure portal](../logs/tutorial-logs-ingestion-portal.md)<br>[Configure custom logs by using Azure Resource Manager templates and the REST API](../logs/tutorial-logs-ingestion-api.md)<br>[Configure custom logs by using Azure Monitorint Agent](../agents/data-collection-text-log.md) | Send custom data by using a REST API or Agent. The API call connects to a data collection endpoint and specifies a DCR to use. The agent uses the DCR to configure the collection of data on a machine. The DCR specifies the target table and potentially includes a transformation that filters and modifies the data before it's stored in a Log Analytics workspace. |

- - For the activity log, select **Activity log** on the **Azure Monitor** menu and then select **Diagnostic settings**. Make sure you disable any legacy configuration for the activity log. For instructions, see [Disable existing settings](./activity-log.md#legacy-collection-methods).

- 

-| Azure Logic Apps |[Logic Apps B2B custom tracking schema](../../logic-apps/logic-apps-track-integration-account-custom-tracking-schema.md) |

- 

-Azure Monitor provides full stack monitoring for applications and services in Azure, in other clouds, and on-premises. In most cases, the most effective method to stream monitoring data to external tools is by using [Azure Event Hubs](../../event-hubs/index.yml). This article provides a brief description on how to stream data and then lists some of the partners where you can send it. Some partners have special integration with Azure Monitor and might be hosted on Azure.

-[Sources of monitoring data for Azure Monitor](../data-sources.md) describes the data tiers for Azure applications and the kinds of data available for each. The following table lists each of these tiers and a description of how that data can be streamed to an event hub. Follow the links provided for further detail.

-| [Azure subscription](../data-sources.md#azure-subscription) | Azure activity log | Create a log profile to export activity log events to event hubs. For more information, see [Stream Azure platform logs to Azure event hubs](../essentials/resource-logs.md#send-to-azure-event-hubs). |

-| [Azure resources](../data-sources.md#azure-resources) | Platform metrics<br> Resource logs |Both types of data are sent to an event hub by using a resource diagnostic setting. For more information, see [Stream Azure resource logs to an event hub](../essentials/resource-logs.md#send-to-azure-event-hubs). |

-For data that you can't directly stream to an event hub, you can write to Azure Storage Then you can use a time-triggered logic app that [pulls data from Azure Blob Storage](../../connectors/connectors-create-api-azureblobstorage.md#add-action) and [pushes it as a message to the event hub](../../connectors/connectors-create-api-azure-event-hubs.md#add-action).

-## Query events from your Event Hubs

-Use the process data query function to see the contents of monitoring events sent to your event hub.

-Follow the steps below to query your event data using the Azure portal:

-1. Select **Process data** from your event hub.

-1. Find the tile entitled **Enable real time insights from events** and select **Start**.

-1. Select **Refresh** in the **Input preview** section of the page to fetch events from your event hub.

-* [Archive the activity log to a storage account](./activity-log.md#legacy-collection-methods)

-<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/eu1P_vLTZO0" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

-#### Template file

-|**Build and training a machine learning model**|Model training is an iterative process. Researchers or data scientists develop a model by fetching and cleaning the training data, engineer features, trying various models and tuning parameters, and repeating this cycle until the model is accurate and robust.|For small to medium-sized datasets, you typically use single-node machine learning libraries, like [Scikit Learn](https://scikit-learn.org/stable/).<br> For an example of how to train a machine learning model on data in Azure Monitor Logs using the Scikit Learn library, see this [sample notebook: Detect anomalies in Azure Monitor Logs using machine learning techniques](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/monitor/azure-monitor-query/samples/notebooks/sample_machine_learning_sklearn.ipynb).|For large datasets, you typically use big data machine learning libraries, likeΓÇ»[SynapseML](/azure/synapse-analytics/machine-learning/synapse-machine-learning-library).<br>For examples of how to train a machine learning model on data you export out of Azure Monitor Logs, see [SynapseML examples](https://microsoft.github.io/SynapseML/docs/about/#examples).|

-|**Deploy and score a model**|Scoring is the process of applying a machine learning model on new data to get predictions. Scoring usually needs to be done at scale with minimal latency.|To query new data in Azure Monitor Logs, use [Azure Monitor Query client library](/python/api/overview/azure/monitor-query-readme).<br>For an example of how to score data using open source tools, see this [sample notebook: Detect anomalies in Azure Monitor Logs using machine learning techniques](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/monitor/azure-monitor-query/samples/notebooks/sample_machine_learning_sklearn.ipynb).|For examples of how to score new data you export out of Azure Monitor Logs, see [SynapseML examples](https://microsoft.github.io/SynapseML/docs/about/#examples).|

-1. [Migrate to Azure Monitor Agent](../agents/azure-monitor-agent-migration.md) from the Log Analytics agents. Azure Monitor Agent doesn't require any keys but instead [requires a system-managed identity](../agents/azure-monitor-agent-overview.md#security).

-1. [Disable local authentication for Log Analytics workspaces](#disable-local-authentication-for-log-analytics).

-## Disable local authentication for Log Analytics

-After you've removed your reliance on the Log Analytics agent, you can disable local authentication for Log Analytics workspaces. Then you can ingest and query telemetry authenticated exclusively by Azure AD.

-### Azure Policy

-### Azure Resource Manager

-### Azure CLI

-### PowerShell

-[Overview of Log Analytics in Azure Monitor](log-analytics-overview.md)