- "total": 300000

-You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md)

-[powershell-gallery]: https://www.powershellgallery.com/

-<!-- EXTERNAL LINKS -->

-[naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix

-> When a directory extension attribute in Azure AD doesn't show up automatically in your attribute mapping drop-down, you can manually add it to the "Azure AD attribute list". When manually adding Azure AD directory extension attributes to your provisioning app, note that directory extension attribute names are case-sensitive. For example: If you have a directory extension attribute named `extension_53c9e2c0exxxxxxxxxxxxxxxx_acmeCostCenter`, make sure you enter it in the same format as defined in the directory.

-Your users wonΓÇÖt notice anything different when they sign in to use your corporate applications. They can still work from anywhere on any device. The Application Proxy connectors direct remote traffic to all apps without regard to their authentication type, so theyΓÇÖll still balance loads automatically.

-This article is for people to publish an application with this scenario for the first time. Besides detailing the publishing steps, it guides you in getting started with both Application Proxy and PingAccess. If youΓÇÖve already configured both services but want a refresher on the publishing steps, skip to the [Add your application to Azure AD with Application Proxy](#add-your-application-to-azure-ad-with-application-proxy) section.

- 1. **Internal URL**: Normally you provide the URL that takes you to the appΓÇÖs sign-in page when youΓÇÖre on the corporate network. For this scenario, the connector needs to treat the PingAccess proxy as the front page of the application. Use this format: `https://<host name of your PingAccess server>:<port>`. The port is 3000 by default, but you can configure it in PingAccess.

- > If this is your first application, use port 3000 to start and come back to update this setting if you change your PingAccess configuration. For subsequent applications, the port will need to match the Listener youΓÇÖve configured in PingAccess. Learn more about [listeners in PingAccess](https://docs.pingidentity.com/access/sources/dita/topic?category=pingaccess&Releasestatus_ce=Current&resourceid=pa_assigning_key_pairs_to_https_listeners).

-1. From the **App registrations** sidebar for your application, select **API permissions** > **Add a permission** > **Microsoft APIs** > **Microsoft Graph**. The **Request API permissions** page for **Microsoft Graph** appears, which contains the APIs for Windows Azure Active Directory.

-It might sound alarming to not ask for a user to sign back in, though any violation of IT policies revokes the session. Some examples include a password change, an incompliant device, or an account disable operation. You can also explicitly [revoke users' sessions using PowerShell](/powershell/module/azuread/revoke-azureaduserallrefreshtoken).

-This article describes how to configure and setup a custom claims provider with the [token issuance start event](custom-claims-provider-overview.md#token-issuance-start-event-listener) type. This event is triggered right before the token is issued, and allows you to call a REST API to add claims to the token.

-Create an Application Registration to authenticate your custom authentication extension to your Azure Function.

-1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in.

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/applications`

-1. Select **Request Body** and paste the following JSON:

- ```json

- "displayName": "authenticationeventsAPI"

-1. Select **Run Query** to submit the request.

-1. Copy the **Application ID** value (*appId*) from the response. You need this value later, which is referred to as the `{authenticationeventsAPI_AppId}`. Also get the object ID of the app (*ID*), which is referred to as `{authenticationeventsAPI_ObjectId}` from the response.

-Create a service principal in the tenant for the authenticationeventsAPI app registration:

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals`

-1. Select **Request Body** and paste the following JSON:

- ```json

- {

- "appId": "{authenticationeventsAPI_AppId}"

- }

- ```

-1. Select **Run Query** to submit the request.

-1. Set the HTTP method to **PATCH**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/applications/{authenticationeventsAPI_ObjectId}`

-1. Select **Request Body** and paste the following JSON:

- Set the application ID URI value in the *identifierUris* property. Replace `{Function_Url_Hostname}` with the hostname of the `{Function_Url}` you recorded earlier.

-

- Set the `{authenticationeventsAPI_AppId}` value with the App ID generated from the app registration created in the previous step.

-

- An example value would be `api://authenticationeventsAPI.azurewebsites.net/f4a70782-3191-45b4-b7e5-dd415885dd80`. Take note of this value as it is used in following steps and is referenced as `{functionApp_IdentifierUri}`.

-

- ```json

- "identifierUris": [

- "api://{Function_Url_Hostname}/{authenticationeventsAPI_AppId}"

- ],

- "api": {

- "requestedAccessTokenVersion": 2,

- "acceptMappedClaims": null,

- "knownClientApplications": [],

- "oauth2PermissionScopes": [],

- "preAuthorizedApplications": []

- },

- "requiredResourceAccess": [

- "resourceAppId": "00000003-0000-0000-c000-000000000000",

- "resourceAccess": [

- {

- "id": "214e810f-fda8-4fd7-a475-29461495eb00",

- "type": "Role"

- }

- ]

- ```

-1. Select **Run Query** to submit the request.

-Next, you register the custom authentication extension. You register the custom authentication extension by associating it with the App Registration for the Azure Function, and your Azure Function endpoint `{Function_Url}`.

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/beta/identity/customAuthenticationExtensions`

-1. Select **Request Body** and paste the following JSON:

- Replace `{Function_Url}` with the hostname of your Azure Function app. Replace `{functionApp_IdentifierUri}` with the identifierUri used in the previous step.

- ```json

-1. Select **Run Query** to submit the request.

-Record the ID value of the created custom claims provider object. The ID is needed in a later step and is referred to as the `{customExtensionObjectId}`.

-After your custom authentication extension is created, you'll be taken to the **Overview** tab of the new custom authentication extension.

-In your app registration, under **Overview**, copy the **Application (client) ID**. The app ID is referred to as the `{App_to_enrich_ID}` in later steps.

-First create an event listener to trigger a custom authentication extension using the token issuance start event:

-1. Sign in to the [Microsoft Graph Explorer](https://aka.ms/ge) using an account whose home tenant is the tenant you wish to manage your custom authentication extension in.

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/beta/identity/authenticationEventListeners`

-1. Select **Request Body** and paste the following JSON:

- Replace `{App_to_enrich_ID}` with the app ID of *My Test application* recorded earlier. Replace `{customExtensionObjectId}` with the custom authentication extension ID recorded earlier.

- ```json

-1. Select **Run Query** to submit the request.

-Next, create the claims mapping policy, which describes which claims can be issued to an application from a custom claims provider:

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/policies/claimsmappingpolicies`

-1. Select **Request Body** and paste the following JSON:

- ```json

-1. Record the `ID` generated in the response, later it's referred to as `{claims_mapping_policy_ID}`.

-1. Select **Run Query** to submit the request.

-Get the `servicePrincipal` objectId:

-1. Set the HTTP method to **GET**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals(appId='{App_to_enrich_ID}')/claimsMappingPolicies/$ref`. Replace `{App_to_enrich_ID}` with *My Test Application* App ID.

-1. Record the `id` value, later it's referred to as `{test_App_Service_Principal_ObjectId}`.

-Assign the claims mapping policy to the `servicePrincipal` of *My Test Application*:

-1. Set the HTTP method to **POST**.

-1. Paste the URL: `https://graph.microsoft.com/v1.0/servicePrincipals/{test_App_Service_Principal_ObjectId}/claimsMappingPolicies/$ref`

-1. Select **Request Body** and paste the following JSON:

- ```json

-1. Select **Run Query** to submit the request.

-By adding Azure AD roles to the local administrators group, you can update the users that can manage a device anytime in Azure AD without modifying anything on the device. Azure AD also adds the Azure AD joined device local administrator role to the local administrators group to support the principle of least privilege (PoLP). In addition to the global administrators, you can also enable users that have been *only* assigned the device administrator role to manage a device.

-## Manage the global administrators role

-To view and update the membership of the Global Administrator role, see:

-## Manage the device administrator role

-In the Azure portal, you can manage the device administrator role from **Device settings**.

-To modify the device administrator role, configure **Additional local administrators on all Azure AD joined devices**.

-Device administrators are assigned to all Azure AD joined devices. You canΓÇÖt scope device administrators to a specific set of devices. Updating the device administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen:

-Users won't be listed in the local administrator group, the permissions are received through the Primary Refresh Token.

-Starting with Windows 10 version 20H2, you can use Azure AD groups to manage administrator privileges on Azure AD joined devices with the [Local Users and Groups](/windows/client-management/mdm/policy-csp-localusersandgroups) MDM policy. This policy allows you to assign individual users or Azure AD groups to the local administrators group on an Azure AD joined device, providing you the granularity to configure distinct administrators for different groups of devices.

-#Customer intent: As an IT admin, I want to understand how I can get rid of stale devices, so that I can I can cleanup my device registration data.

-# Customer intent: As a tenant administrator, I want to send B2B invitations to multiple external users at the same time so that I can avoid having to send individual invitations to each user.

-# Customer intent: As a tenant administrator, I want to customize the invitation process with the API.

-# Customer intent: As a tenant administrator, I want to set up Facebook as an identity provider for guest user login.

-# Customer intent: As a tenant administrator, I want to learn about B2B collaboration guest user properties and states before and after invitation redemption.

-> - For information about delays activating the Azure AD Joined Device Local Administrator role, see [How to manage the local administrators group on Azure AD joined devices](../devices/assign-local-admin.md#manage-the-device-administrator-role).

-description: Learn how to choose the right method for accessing the activity logs in Azure AD.

-# How To: Access activity logs in Azure AD

-The data in your Azure Active Directory (Azure AD) logs enables you to assess many aspects of your Azure AD tenant. To cover a broad range of scenarios, Azure AD provides you with various options to access your activity log data. As an IT administrator, you need to understand the intended uses cases for these options, so that you can select the right access method for your scenario.

-The required roles and licenses may vary based on the report. Global Administrator can access all reports, but we recommend using a role with least privilege access to align with the [Zero Trust guidance](/security/zero-trust/zero-trust-overview).

-*The level of access and capabilities for Identity Protection varies with the role and license. For more information, see the [license requirements for Identity Protection](../identity-protection/overview-identity-protection.md#license-requirements).

-The Microsoft Graph API provides a unified programmability model that you can use to access data for your Azure AD Premium tenants. It doesn't require an administrator or developer to set up extra infrastructure to support your script or app. The Microsoft Graph API is **not** designed for pulling large amounts of activity data. Pulling large amounts of activity data using the API may lead to issues with pagination and performance.

-### Archive activity logs to a storage account

-The Azure Active Directory (Azure AD) [reporting APIs](/graph/api/resources/azure-ad-auditlog-overview) provide you with programmatic access to the data through a set of REST APIs. You can call these APIs from many programming languages and tools. The reporting API uses [OAuth](../../api-management/api-management-howto-protect-backend-with-aad.md) to authorize access to the web APIs.

-In order to access the sign-in reports for a tenant, an Azure AD tenant must have associated Azure AD Premium P1 or P2 license. Alternatively if the directory type is Azure AD B2C, the sign-in reports are accessible through the API without any additional license requirement.

-# How to: Download logs in Azure Active Directory

-description: Learn how to integrate Azure Active Directory logs with ArcSight using Azure Monitor

-# Integrate Azure Active Directory logs with ArcSight using Azure Monitor

-[Micro Focus ArcSight](https://software.microfocus.com/products/siem-security-information-event-management/overview) is a security information and event management (SIEM) solution that helps you detect and respond to security threats in your platform. You can now route Azure Active Directory (Azure AD) logs to ArcSight using Azure Monitor using the ArcSight connector for Azure AD. This feature allows you to monitor your tenant for security compromise using ArcSight.

-In this article, you learn how to route Azure AD logs to ArcSight using Azure Monitor.

-## Prerequisites

-To use this feature, you need:

-* An Azure event hub that contains Azure AD activity logs. Learn how to [stream your activity logs to an event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md).

-* A configured instance of ArcSight Syslog NG Daemon SmartConnector (SmartConnector) or ArcSight Load Balancer. If the events are sent to ArcSight Load Balancer, they're sent to the SmartConnector by the Load Balancer.

-Download and open the [configuration guide for ArcSight SmartConnector for Azure Monitor Event Hubs](https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292). This guide contains the steps you need to install and configure the ArcSight SmartConnector for Azure Monitor.

-## Integrate Azure AD logs with ArcSight

-1. First, complete the steps in the **Prerequisites** section of the configuration guide. This section includes the following steps:

- * Set user permissions in Azure, to ensure there's a user with the **owner** role to deploy and configure the connector.

- * Open ports on the server with Syslog NG Daemon SmartConnector, so it's accessible from Azure.

- * The deployment runs a Windows PowerShell script, so you must enable PowerShell to run scripts on the machine where you want to deploy the connector.

-2. Follow the steps in the **Deploying the Connector** section of configuration guide to deploy the connector. This section walks you through how to download and extract the connector, configure application properties and run the deployment script from the extracted folder.

-3. Use the steps in the **Verifying the Deployment in Azure** to make sure the connector is set up and functions correctly. Verify the following prerequisites:

- * The requisite Azure functions are created in your Azure subscription.

- * The Azure AD logs are streamed to the correct destination.

- * The application settings from your deployment are persisted in the Application Settings in Azure Function Apps.

- * A new resource group for ArcSight is created in Azure, with an Azure AD application for the ArcSight connector and storage accounts containing the mapped files in CEF format.

-4. Finally, complete the post-deployment steps in the **Post-Deployment Configurations** of the configuration guide. This section explains how to perform another configuration if you are on an App Service Plan to prevent the function apps from going idle after a timeout period, configure streaming of resource logs from the event hub, and update the SysLog NG Daemon SmartConnector keystore certificate to associate it with the newly created storage account.

-5. The configuration guide also explains how to customize the connector properties in Azure, and how to upgrade and uninstall the connector. There's also a section on performance improvements, including upgrading to an [Azure Consumption plan](https://azure.microsoft.com/pricing/details/functions) and configuring an ArcSight Load Balancer if the event load is greater than what a single Syslog NG Daemon SmartConnector can handle.

-## Next steps

-[Configuration guide for ArcSight SmartConnector for Azure Monitor Event Hubs](https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Azure-Monitor-Event-Hub/ta-p/1671292)

-description: Learn how to integrate Azure Active Directory logs with Azure Monitor

-# How to integrate Azure AD logs with Azure Monitor logs

-Using **Diagnostic settings** in Azure Active Directory (Azure AD), you can integrate logs with Azure Monitor so sign-in activity and the audit trail of changes within your tenant can be analyzed along with other Azure data. Integrating Azure AD logs with Azure Monitor logs enables rich visualizations, monitoring, and alerting on the connected data.

-This article provides the steps to integrate Azure Active Directory (Azure AD) logs with Azure Monitor Logs.

-## Roles and licenses

-To integrate Azure AD logs with Azure Monitor, you need the following roles and licenses:

-* **An Azure subscription:** If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/).

-* **An Azure AD Premium P1 or P2 tenant:** You can find the license type of your tenant on the [Overview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview) page in Azure AD.

-* **Security Administrator access for the Azure AD tenant:** This role is required to set up the Diagnostics settings.

-* **Permission to access data in a Log Analytics workspace:** See [Manage access to log data and workspaces in Azure Monitor](../../azure-monitor/logs/manage-access.md) for information on the different permission options and how to configure permissions.

-## Integrate logs with Azure Monitor logs

-To send Azure AD logs to Azure Monitor Logs you must first have a [Log Analytics workspace](../../azure-monitor/logs/log-analytics-overview.md). Then you can set up the Diagnostics settings in Azure AD to send your activity logs to that workspace.

-### Create a Log Analytics workspace

-A Log Analytics workspace allows you to collect data based on a variety or requirements, such as geographic location of the data, subscription boundaries, or access to resources. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).

-Looking for how to set up a Log Analytics workspace for Azure resources outside of Azure AD? Check out the [Collect and view resource logs for Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md) article.

-### Set up Diagnostics settings

-Once you have a Log Analytics workspace created, follow the steps below to send logs from Azure Active Directory to that workspace.

-Follow the steps below to send logs from Azure Active Directory to Azure Monitor. Looking for how to set up Log Analytics workspace for Azure resources outside of Azure AD? Check out the [Collect and view resource logs for Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md) article.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a **Security Administrator**.

-1. Go to **Azure Active Directory** > **Diagnostic settings**. You can also select **Export Settings** from the Audit logs or Sign-in logs.

-1. Select **+ Add diagnostic setting** to create a new integration or select **Edit setting** to change an existing integration.

-1. Enter a **Diagnostic setting name**. If you're editing an existing integration, you can't change the name.

-1. Any or all of the following logs can be sent to the Log Analytics workspace. Some logs may be in public preview but still visible in the portal.

- * `AuditLogs`

- * `SignInLogs`

- * `NonInteractiveUserSignInLogs`

- * `ServicePrincipalSignInLogs`

- * `ManagedIdentitySignInLogs`

- * `ProvisioningLogs`

- * `ADFSSignInLogs` Active Directory Federation Services (ADFS)

- * `RiskyServicePrincipals`

- * `RiskyUsers`

- * `ServicePrincipalRiskEvents`

- * `UserRiskEvents`

-1. The following logs are in preview but still visible in Azure AD. At this time, selecting these options will not add new logs to your workspace unless your organization was included in the preview.

- * `EnrichedOffice365AuditLogs`

- * `MicrosoftGraphActivityLogs`

- * `NetworkAccessTrafficLogs`

-1. In the **Destination details**, select **Send to Log Analytics workspace** and choose the appropriate details from the menus that appear.

- * You can also send logs to any or all of the following destinations. Additional fields appear, depending on your selection.

- * **Archive to a storage account:** Provide the number of days you'd like to retain the data in the **Retention days** boxes that appear next to the log categories. Select the appropriate details from the menus that appear.

- * **Stream to an event hub:** Select the appropriate details from the menus that appear.

- * **Send to partner solution:** Select the appropriate details from the menus that appear.

-1. Select **Save** to save the setting.

- 

-If you do not see logs appearing in the selected destination after 15 minutes, sign out and back into Azure to refresh the logs.

-> [!NOTE]

-> Integrating Azure Active Directory logs with Azure Monitor will automatically enable the Azure Active Directory data connector within Microsoft Sentinel.

-## Next steps

-* [Analyze Azure AD activity logs with Azure Monitor logs](howto-analyze-activity-logs-log-analytics.md)

-* [Learn about the data sources you can analyze with Azure Monitor](../../azure-monitor/data-sources.md)

-* [Automate creating diagnostic settings with Azure Policy](../../azure-monitor/essentials/diagnostic-settings-policy.md)

-description: Learn how to integrate Azure Active Directory logs with Splunk using Azure Monitor.

-# How to: Integrate Azure Active Directory logs with Splunk using Azure Monitor

-In this article, you learn how to integrate Azure Active Directory (Azure AD) logs with Splunk by using Azure Monitor. You first route the logs to an Azure event hub, and then you integrate the event hub with Splunk.

-## Prerequisites

-To use this feature, you need:

-## Integrate Azure Active Directory logs

-1. Open your Splunk instance, and select **Data Summary**.

- 

-2. Select the **Sourcetypes** tab, and then select **mscs:azure:eventhub**

- 

-Append **body.records.category=AuditLogs** to the search. The Azure AD activity logs are shown in the following figure:

- 

-> [!NOTE]

-> If you cannot install an add-on in your Splunk instance (for example, if you're using a proxy or running on Splunk Cloud), you can forward these events to the Splunk HTTP Event Collector. To do so, use this [Azure function](https://github.com/splunk/azure-functions-splunk), which is triggered by new messages in the event hub.

->

-## Next steps

-* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)

-* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md)

-description: Learn how to integrate Azure Active Directory logs with SumoLogic using Azure Monitor.

-# Integrate Azure Active Directory logs with SumoLogic using Azure Monitor

-In this article, you learn how to integrate Azure Active Directory (Azure AD) logs with SumoLogic using Azure Monitor. You first route the logs to an Azure event hub, and then you integrate the event hub with SumoLogic.

-## Prerequisites

-To use this feature, you need:

-* An Azure event hub that contains Azure AD activity logs. Learn how to [stream your activity logs to an event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md).

-* A SumoLogic single sign-on enabled subscription.

-## Steps to integrate Azure AD logs with SumoLogic

-1. First, [stream the Azure AD logs to an Azure event hub](./tutorial-azure-monitor-stream-logs-to-event-hub.md).

-2. Configure your SumoLogic instance to [collect logs for Azure Active Directory](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#collecting-logs-for-azure-active-directory).

-3. [Install the Azure AD SumoLogic app](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#viewing-azure-active-directory-dashboards) to use the pre-configured dashboards that provide real-time analysis of your environment.

- 

-## Next steps

-* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)

-* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md)

-# How to: Use Azure AD recommendations

-description: Provides a general overview of Azure Active Directory monitoring.

-# Customer intent: As an Azure AD administrator, I want to understand what monitoring solutions are available for Azure AD activity data and how they can help me manage my tenant.

-# What is Azure Active Directory monitoring?

-With Azure Active Directory (Azure AD) monitoring, you can now route your Azure AD activity logs to different endpoints. You can then either retain it for long-term use or integrate it with third-party Security Information and Event Management (SIEM) tools to gain insights into your environment.

-Currently, you can route the logs to:

-**Prerequisite role**: Global Administrator

-> [!VIDEO https://www.youtube.com/embed/syT-9KNfug8]

-## Licensing and prerequisites for Azure AD reporting and monitoring

-You'll need an Azure AD premium license to access the Azure AD sign-in logs.

-For detailed feature and licensing information in the [Azure Active Directory pricing guide](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).

-To deploy Azure AD monitoring and reporting you'll need a user who is a global administrator or security administrator for the Azure AD tenant.

-Depending on the final destination of your log data, you'll need one of the following:

-* An Azure storage account that you have ListKeys permissions for. We recommend that you use a general storage account and not a Blob storage account. For storage pricing information, see the [Azure Storage pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=storage).

-* An Azure Event Hubs namespace to integrate with third-party SIEM solutions.

-* An Azure Log Analytics workspace to send logs to Azure Monitor logs.

-## Diagnostic settings configuration

-To configure monitoring settings for Azure AD activity logs, first sign in to the [Azure portal](https://portal.azure.com), then select **Azure Active Directory**. From here, you can access the diagnostic settings configuration page in two ways:

-* Select **Diagnostic settings** from the **Monitoring** section.

- 

-

-* Select **Audit Logs** or **Sign-ins**, then select **Export settings**.

- 

-## Route logs to storage account

-By routing logs to an Azure storage account, you can retain it for longer than the default retention period outlined in our [retention policies](reference-reports-data-retention.md). Learn how to [route data to your storage account](quickstart-azure-monitor-route-logs-to-storage-account.md).

-## Stream logs to event hub

-Routing logs to an Azure event hub allows you to integrate with third-party SIEM tools like Sumologic and Splunk. This integration allows you to combine Azure AD activity log data with other data managed by your SIEM, to provide richer insights into your environment. Learn how to [stream logs to an event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md).

-## Send logs to Azure Monitor logs

-[Azure Monitor logs](../../azure-monitor/logs/log-query-overview.md) is a solution that consolidates monitoring data from different sources and provides a query language and analytics engine that gives you insights into the operation of your applications and resources. By sending Azure AD activity logs to Azure Monitor logs, you can quickly retrieve, monitor and alert on collected data. Learn how to [send data to Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md).

-You can also install the pre-built views for Azure AD activity logs to monitor common scenarios involving sign-ins and audit events. Learn how to [install and use log analytics views for Azure AD activity logs](../../azure-monitor/visualize/workbooks-view-designer-conversion-overview.md).

-## Next steps

-* [Activity logs in Azure Monitor](concept-activity-logs-azure-monitor.md)

-* [Stream logs to event hub](tutorial-azure-monitor-stream-logs-to-event-hub.md)

-* [Send logs to Azure Monitor logs](howto-integrate-activity-logs-with-log-analytics.md)

-description: Provides a general overview of Azure Active Directory reports.

-# Customer intent: As an Azure AD administrator, I want to understand what Azure AD reports are available and how I can use them to gain insights into my environment.

-# What are Azure Active Directory reports?

-Azure Active Directory (Azure AD) reports provide a comprehensive view of activity in your environment. The provided data enables you to:

-## Activity reports

-Activity reports help you understand the behavior of users in your organization. There are two types of activity reports in Azure AD:

-> [!VIDEO https://www.youtube.com/embed/ACVpH6C_NL8]

-### Audit logs report

-The [audit logs report](concept-audit-logs.md) provides you with records of system activities for compliance. This data enables you to address common scenarios such as:

-#### What Azure AD license do you need to access the audit logs report?

-The audit logs report is available for features for which you have licenses. If you have a license for a specific feature, you also have access to the audit log information for it. A detailed feature comparison as per [different types of licenses](../fundamentals/whatis.md#what-are-the-azure-ad-licenses) can be seen on the [Azure Active Directory pricing page](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). For more information, see [Azure Active Directory features and capabilities](../fundamentals/whatis.md#which-features-work-in-azure-ad).

-### Sign-ins report

-The [sign-ins report](concept-sign-ins.md) enables you to find answers to questions such as:

-#### What Azure AD license do you need to access the sign-ins activity report?

-To access the sign-ins activity report, your tenant must have an Azure AD Premium license associated with it.

-## Programmatic access

-In addition to the user interface, Azure AD also provides you with [programmatic access](./howto-configure-prerequisites-for-reporting-api.md) to the reports data, through a set of REST-based APIs. You can call these APIs from various programming languages and tools.

-## Next steps

-description: Learn how Service Health notifications provide you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them.

-# What are Service Health notifications in Azure Active Directory?

-Azure Service Health has been updated to provide notifications to tenant admins within the Azure portal when there are Service Health events for Azure Active Directory services. Due to the criticality of these events, an alert card in the Azure AD overview page will also be provided to support the discovery of these notifications.

-## How it works

-When there happens to be a Service Health notification for an Azure Active Directory service, it will be posted to the Service Health page within the Azure portal. Previously these were subscription events that were posted to all the subscription owners/readers of subscriptions within the tenant that had an issue. To improve the targeting of these notifications, they'll now be available as tenant events to the tenant admins of the impacted tenant. For a transition period, these service events will be available as both tenant events and subscription events.

-Now that they're available as tenant events, they appear on the Azure AD overview page as alert cards. Any Service Health notification that has been updated within the last three days will be shown in one of the cards.

-

-

-Each card:

-

-

-

-For more information on the new Azure Service Health tenant events, see [Azure Service Health portal updates](../../service-health/service-health-portal-update.md)

-## Who will see the notifications

-Most of the built-in admin roles will have access to see these notifications. For the complete list of all authorized roles, see [Azure Service Health Tenant Admin authorized roles](../../service-health/admin-access-reference.md). Currently custom roles aren't supported.

-## What you should know

-Service Health events allow the addition of alerts and notifications to be applied to subscription events. This feature isn't yet supported with tenant events, but will be coming soon.

-

-## Next steps

-description: Learn how to route Azure Active Directory logs to a storage account

-# Customer intent: As an IT administrator, I want to learn how to route Azure AD logs to an Azure storage account so I can retain it for longer than the default retention period.

-# Tutorial: Archive Azure AD logs to an Azure storage account

-In this tutorial, you learn how to set up Azure Monitor diagnostics settings to route Azure Active Directory (Azure AD) logs to an Azure storage account.

-## Prerequisites

-To use this feature, you need:

-* An Azure subscription with an Azure storage account. If you don't have an Azure subscription, you can [sign up for a free trial](https://azure.microsoft.com/free/).

-* An Azure AD tenant.

-* A user who's a *Global Administrator* or *Security Administrator* for the Azure AD tenant.

-* To export sign-in data, you must have an Azure AD P1 or P2 license.

-## Archive logs to an Azure storage account

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Monitoring** > **Audit logs**.

-1. Select **Export Data Settings**.

-1. You can either create a new setting (up to three settings are allowed) or edit an existing setting.

- - To change existing setting, select **Edit setting** next to the diagnostic setting you want to update.

- - To add new settings, select **Add diagnostic setting**.

- 

-1. Once in the **Diagnostic setting** pane if you're creating a new setting, enter a name for the setting to remind you of its purpose (for example, *Send to Azure storage account*). You can't change the name of an existing setting.

-1. Under **Destination Details** select the **Archive to a storage account** check box. Text fields for the retention period appear next to each log category.

-1. Select the Azure subscription and storage account for you want to route the logs.

-1. Select all the relevant categories in under **Category details**:

- 

-1. In the **Retention days** field, enter the number of days of retention you need of your log data. By default, this value is *0*, which means that logs are retained in the storage account indefinitely. If you set a different value, events older than the number of days selected are automatically cleaned up.

-

-1. Select **Save**.

-1. After the categories have been selected, in the **Retention days** field, type in the number of days of retention you need of your log data. By default, this value is *0*, which means that logs are retained in the storage account indefinitely. If you set a different value, events older than the number of days selected are automatically cleaned up.

- > [!NOTE]

- > The Diagnostic settings storage retention feature is being deprecated. For details on this change, see [**Migrate from diagnostic settings storage retention to Azure Storage lifecycle management**](../../azure-monitor/essentials/migrate-to-azure-storage-lifecycle-policy.md).

-1. Select **Save** to save the setting.

-1. Close the window to return to the Diagnostic settings pane.

-## Next steps

-* [Tutorial: Configure a log analytics workspace](tutorial-log-analytics-wizard.md)

-* [Interpret audit logs schema in Azure Monitor](./overview-reports.md)

-* [Interpret sign-in logs schema in Azure Monitor](reference-azure-monitor-sign-ins-log-schema.md)

-The first step to migrating your apps from ADAL to MSAL is to identify all applications in your tenant that are currently using ADAL. You can identify your apps in the Azure portal or programmatically with the Microsoft Graph API or the Microsoft Graph PowerShell SDK.

-### [Azure portal](#tab/Azure-portal)

-There are four steps to identifying and updating your apps in the Azure portal. The following steps are covered in detail in the [List all apps using ADAL](../develop/howto-get-list-of-all-auth-library-apps.md) article.

-1. Send Azure AD sign-in event to Azure Monitor.

-1. [Access the sign-ins workbook in Azure AD.](../develop/howto-get-list-of-all-auth-library-apps.md)

-1. Identify the apps that use ADAL.

-1. Update your code.

- - The steps to update your code vary depending on the type of application.

- - For example, the steps for .NET and Python applications have separate instructions.

- - For a full list of instructions for each scenario, see [How to migrate to MSAL](../develop/msal-migration.md#how-to-migrate-to-msal).

-Run the following query in Microsoft Graph, replacing the `<TENANT_ID>` placeholder with your tenant ID. This query returns a list of the impacted resources in your tenant.

-The [Azure AD sign-ins workbook](../develop/howto-get-list-of-all-auth-library-apps.md) is an alternative method to identify these apps. The workbook is still available to you, but using the workbook requires streaming sign-in logs to Azure Monitor first. The ADAL to MSAL recommendation works out of the box. Plus, the sign-ins workbook does not capture Service Principal sign-ins, while the recommendation does.

-Microsoft Entra Verified ID implements the [W3C StatusList2021](https://github.com/w3c-ccg/vc-status-list-2021/tree/343b8b59cddba4525e1ef355356ae760fc75904e). When presentation to the Request Service API happens, the API will do the revocation check for you. The revocation check happens over an anonymous API call to Identity Hub and does not contain any data who is checking if the verifiable credential is still valid or revoked. With the **statusList2021**, Microsoft Entra Verified ID just keeps a flag by the hashed value of the indexed claim to keep track of the revocation status.

-Azure AI services provides a layered security model. This model enables you to secure your Azure AI services accounts to a specific subset of networksΓÇï. When network rules are configured, only applications requesting data over the specified set of networks can access the account. You can limit access to your resources with request filtering. Allowing only requests originating from specified IP addresses, IP ranges or from a list of subnets in [Azure Virtual Networks](../virtual-network/virtual-networks-overview.md).

-> Turning on firewall rules for your Azure AI services account blocks incoming requests for data by default. In order to allow requests through, one of the following conditions needs to be met:

-> * The request should originate from a service operating within an Azure Virtual Network (VNet) on the allowed subnet list of the target Azure AI services account. The endpoint in requests originated from VNet needs to be set as the [custom subdomain](cognitive-services-custom-subdomains.md) of your Azure AI services account.

-> * Or the request should originate from an allowed list of IP addresses.

-> Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.

-To secure your Azure AI services resource, you should first configure a rule to deny access to traffic from all networks (including internet traffic) by default. Then, you should configure rules that grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. You can also configure rules to grant access to traffic from select public internet IP address ranges, enabling connections from specific internet or on-premises clients.

-Network rules are enforced on all network protocols to Azure AI services, including REST and WebSocket. To access data using tools such as the Azure test consoles, explicit network rules must be configured. You can apply network rules to existing Azure AI services resources, or when you create new Azure AI services resources. Once network rules are applied, they're enforced for all requests.

-Virtual networks (VNETs) are supported in [regions where Azure AI services are available](https://azure.microsoft.com/global-infrastructure/services/). Azure AI services supports service tags for network rules configuration. The services listed below are included in the **CognitiveServicesManagement** service tag.

-> * Anomaly Detector

-> * Azure OpenAI

-> * Azure AI Vision

-> * Content Moderator

-> * Custom Vision

-> * Face

-> * Language Understanding (LUIS)

-> * Personalizer

-> * Speech service

-> * Language service

-> * QnA Maker

-> * Translator Text

-> If you're using, Azure OpenAI, LUIS, Speech Services, or Language services, the **CognitiveServicesManagement** tag only enables you use the service using the SDK or REST API. To access and use Azure OpenAI Studio, LUIS portal , Speech Studio or Language Studio from a virtual network, you will need to use the following tags:

-> * **AzureActiveDirectory**

-> * **AzureFrontDoor.Frontend**

-> * **AzureResourceManager**

-> * **CognitiveServicesManagement**

-> * **CognitiveServicesFrontEnd**

-> Making changes to network rules can impact your applications' ability to connect to Azure AI services. Setting the default network rule to **deny** blocks all access to the data unless specific network rules that **grant** access are also applied. Be sure to grant access to any allowed networks using network rules before you change the default rule to deny access. If you are allow listing IP addresses for your on-premises network, be sure to add all possible outgoing public IP addresses from your on-premises network.

-### Managing default network access rules

-1. Select the **RESOURCE MANAGEMENT** menu called **Virtual network**.

- 

-1. To deny access by default, choose to allow access from **Selected networks**. With the **Selected networks** setting alone, unaccompanied by configured **Virtual networks** or **Address ranges** - all access is effectively denied. When all access is denied, requests attempting to consume the Azure AI services resource aren't permitted. The Azure portal, Azure PowerShell or, Azure CLI can still be used to configure the Azure AI services resource.

-1. To allow traffic from all networks, choose to allow access from **All networks**.

- 

-1. Install the [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps), or select **Try it**.

- ```azurepowershell-interactive

- $parameters = @{

- "ResourceGroupName"= "myresourcegroup"

- "Name"= "myaccount"

-}

- (Get-AzCognitiveServicesAccountNetworkRuleSet @parameters).DefaultAction

- ```

-1. Set the default rule to deny network access by default.

- -ResourceGroupName "myresourcegroup"

- -Name "myaccount"

- -DefaultAction Deny

-1. Set the default rule to allow network access by default.

- -ResourceGroupName "myresourcegroup"

- -Name "myaccount"

- -DefaultAction Allow

-1. Install the [Azure CLI](/cli/azure/install-azure-cli) and [sign in](/cli/azure/authenticate-azure-cli), or select **Try it**.

- -g "myresourcegroup" -n "myaccount" \

- --query networkRuleSet.defaultAction

- --ids {resourceId} \

- --ids {resourceId} \

-You can configure Azure AI services resources to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.

-Enable a [service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) for Azure AI services within the VNet. The service endpoint routes traffic from the VNet through an optimal path to the Azure AI services service. The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the Azure AI services resource that allow requests to be received from specific subnets in a VNet. Clients granted access via these network rules must continue to meet the authorization requirements of the Azure AI services resource to access the data.

-Each Azure AI services resource supports up to 100 virtual network rules, which may be combined with [IP network rules](#grant-access-from-an-internet-ip-range).

-### Required permissions

-To apply a virtual network rule to an Azure AI services resource, the user must have the appropriate permissions for the subnets being added. The required permission is the default *Contributor* role, or the *Cognitive Services Contributor* role. Required permissions can also be added to custom role definitions.

-Azure AI services resource and the virtual networks granted access may be in different subscriptions, including subscriptions that are a part of a different Azure AD tenant.

-> Configuration of rules that grant access to subnets in virtual networks that are a part of a different Azure Active Directory tenant are currently only supported through PowerShell, CLI and REST APIs. Such rules cannot be configured through the Azure portal, though they may be viewed in the portal.

-### Managing virtual network rules

-1. Select the **RESOURCE MANAGEMENT** menu called **Virtual network**.

-1. Check that you've selected to allow access from **Selected networks**.

-1. To grant access to a virtual network with an existing network rule, under **Virtual networks**, select **Add existing virtual network**.

- 

- 

-1. To create a new virtual network and grant it access, select **Add new virtual network**.

- 

- 

- > [!NOTE]

- > If a service endpoint for Azure AI services wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation.

- >

- > Presently, only virtual networks belonging to the same Azure Active Directory tenant are shown for selection during rule creation. To grant access to a subnet in a virtual network belonging to another tenant, please use PowerShell, CLI or REST APIs.

-1. To remove a virtual network or subnet rule, select **...** to open the context menu for the virtual network or subnet, and select **Remove**.

- 

-1. Install the [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps), or select **Try it**.

-1. List virtual network rules.

- $parameters = @{

- "ResourceGroupName"= "myresourcegroup"

- "Name"= "myaccount"

-}

-1. Enable service endpoint for Azure AI services on an existing virtual network and subnet.

- -AddressPrefix "10.0.0.0/24" `

- -ResourceGroupName "myresourcegroup"

- -Name "myvnet"

- > To add a network rule for a subnet in a VNet belonging to another Azure AD tenant, use a fully-qualified **VirtualNetworkResourceId** parameter in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name".

- -ResourceGroupName "myresourcegroup"

- -Name "myvnet"

- -ResourceGroupName "myresourcegroup"

- -Name "myaccount"

- -VirtualNetworkResourceId $subnet.Id

-1. Install the [Azure CLI](/cli/azure/install-azure-cli) and [sign in](/cli/azure/authenticate-azure-cli), or select **Try it**.

-1. List virtual network rules.

- -g "myresourcegroup" -n "myaccount" \

-1. Enable service endpoint for Azure AI services on an existing virtual network and subnet.

- az network vnet subnet update -g "myresourcegroup" -n "mysubnet" \

- $subnetid=(az network vnet subnet show \

- -g "myresourcegroup" -n "mysubnet" --vnet-name "myvnet" \

- -g "myresourcegroup" -n "myaccount" \

- > To add a rule for a subnet in a VNet belonging to another Azure AD tenant, use a fully-qualified subnet ID in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name".

- > You can use the **subscription** parameter to retrieve the subnet ID for a VNet belonging to another Azure AD tenant.

- -g "myresourcegroup" -n "mysubnet" --vnet-name "myvnet" \

- -g "myresourcegroup" -n "myaccount" \

-> Be sure to [set the default rule](#change-the-default-network-access-rule) to **deny**, or network rules have no effect.

-You can configure Azure AI services resources to allow access from specific public internet IP address ranges. This configuration grants access to specific services and on-premises networks, effectively blocking general internet traffic.

-Provide allowed internet address ranges using [CIDR notation](https://tools.ietf.org/html/rfc4632) in the form `16.17.18.0/24` or as individual IP addresses like `16.17.18.19`.

- > Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should be configured using individual IP address rules.

-IP network rules are only allowed for **public internet** IP addresses. IP address ranges reserved for private networks (as defined in [RFC 1918](https://tools.ietf.org/html/rfc1918#section-3)) aren't allowed in IP rules. Private networks include addresses that start with `10.*`, `172.16.*` - `172.31.*`, and `192.168.*`.

-Only IPV4 addresses are supported at this time. Each Azure AI services resource supports up to 100 IP network rules, which may be combined with [Virtual network rules](#grant-access-from-a-virtual-network).

-### Configuring access from on-premises networks

-To grant access from your on-premises networks to your Azure AI services resource with an IP network rule, you must identify the internet facing IP addresses used by your network. Contact your network administrator for help.

-If you're using [ExpressRoute](../expressroute/expressroute-introduction.md) on-premises for public peering or Microsoft peering, you need to identify the NAT IP addresses. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses. Each is applied to Azure service traffic when the traffic enters the Microsoft Azure network backbone. For Microsoft peering, the NAT IP addresses that are used are either customer provided or are provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, [open a support ticket with ExpressRoute](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview) via the Azure portal. Learn more about [NAT for ExpressRoute public and Microsoft peering.](../expressroute/expressroute-nat.md#nat-requirements-for-azure-public-peering)

-1. Select the **RESOURCE MANAGEMENT** menu called **Virtual network**.

-1. Check that you've selected to allow access from **Selected networks**.

-1. To grant access to an internet IP range, enter the IP address or address range (in [CIDR format](https://tools.ietf.org/html/rfc4632)) under **Firewall** > **Address Range**. Only valid public IP (non-reserved) addresses are accepted.

- 

-1. To remove an IP network rule, select the trash can <span class="docon docon-delete x-hidden-focus"></span> icon next to the address range.

- 

-1. Install the [Azure PowerShell](/powershell/azure/install-azure-powershell) and [sign in](/powershell/azure/authenticate-azureps), or select **Try it**.

-1. List IP network rules.

- ```azurepowershell-interactive

- $parameters = @{

- "ResourceGroupName"= "myresourcegroup"

- "Name"= "myaccount"

-}

- -ResourceGroupName "myresourcegroup"

- -Name "myaccount"

- -IPAddressOrRange "16.17.18.19"

- -ResourceGroupName "myresourcegroup"

- -Name "myaccount"

- -IPAddressOrRange "16.17.18.0/24"

- -ResourceGroupName "myresourcegroup"

- -Name "myaccount"

- -IPAddressOrRange "16.17.18.19"

- -ResourceGroupName "myresourcegroup"

- -Name "myaccount"

- -IPAddressOrRange "16.17.18.0/24"

-1. Install the [Azure CLI](/cli/azure/install-azure-cli) and [sign in](/cli/azure/authenticate-azure-cli), or select **Try it**.

-1. List IP network rules.

- -g "myresourcegroup" -n "myaccount" --query ipRules

- -g "myresourcegroup" -n "myaccount" \

- --ip-address "16.17.18.19"

- -g "myresourcegroup" -n "myaccount" \

- --ip-address "16.17.18.0/24"

- -g "myresourcegroup" -n "myaccount" \

- --ip-address "16.17.18.19"

- -g "myresourcegroup" -n "myaccount" \

- --ip-address "16.17.18.0/24"

-> Be sure to [set the default rule](#change-the-default-network-access-rule) to **deny**, or network rules have no effect.

-You can use [private endpoints](../private-link/private-endpoint-overview.md) for your Azure AI services resources to allow clients on a virtual network (VNet) to securely access data over a [Private Link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the VNet address space for your Azure AI services resource. Network traffic between the clients on the VNet and the resource traverses the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

-* Secure your Azure AI services resource by configuring the firewall to block all connections on the public endpoint for the Azure AI services service.

-* Increase security for the VNet, by enabling you to block exfiltration of data from the VNet.

-* Securely connect to Azure AI services resources from on-premises networks that connect to the VNet using [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../expressroute/expressroute-locations.md) with private-peering.

-### Conceptual overview

-A private endpoint is a special network interface for an Azure resource in your [VNet](../virtual-network/virtual-networks-overview.md). Creating a private endpoint for your Azure AI services resource provides secure connectivity between clients in your VNet and your resource. The private endpoint is assigned an IP address from the IP address range of your VNet. The connection between the private endpoint and the Azure AI services service uses a secure private link.

-Applications in the VNet can connect to the service over the private endpoint seamlessly, using the same connection strings and authorization mechanisms that they would use otherwise. The exception is the Speech Services, which require a separate endpoint. See the section on [Private endpoints with the Speech Services](#private-endpoints-with-the-speech-services). Private endpoints can be used with all protocols supported by the Azure AI services resource, including REST.

-Private endpoints can be created in subnets that use [Service Endpoints](../virtual-network/virtual-network-service-endpoints-overview.md). Clients in a subnet can connect to one Azure AI services resource using private endpoint, while using service endpoints to access others.

-When you create a private endpoint for an Azure AI services resource in your VNet, a consent request is sent for approval to the Azure AI services resource owner. If the user requesting the creation of the private endpoint is also an owner of the resource, this consent request is automatically approved.

-Azure AI services resource owners can manage consent requests and the private endpoints, through the '*Private endpoints*' tab for the Azure AI services resource in the [Azure portal](https://portal.azure.com).

-### Private endpoints

-When creating the private endpoint, you must specify the Azure AI services resource it connects to. For more information on creating a private endpoint, see:

-* [Create a private endpoint using the Private Link Center in the Azure portal](../private-link/create-private-endpoint-portal.md)

-* [Create a private endpoint using Azure CLI](../private-link/create-private-endpoint-cli.md)

-* [Create a private endpoint using Azure PowerShell](../private-link/create-private-endpoint-powershell.md)

-### Connecting to private endpoints

-> Azure OpenAI Service uses a different private DNS zone and public DNS zone forwarder than other Azure AI services. Refer to the [Azure services DNS zone configuration article](../private-link/private-endpoint-dns.md#azure-services-dns-zone-configuration) for the correct zone and forwarder names.

-Clients on a VNet using the private endpoint should use the same connection string for the Azure AI services resource as clients connecting to the public endpoint. The exception is the Speech Services, which require a separate endpoint. See the section on [Private endpoints with the Speech Services](#private-endpoints-with-the-speech-services). We rely upon DNS resolution to automatically route the connections from the VNet to the Azure AI services resource over a private link.

-We create a [private DNS zone](../dns/private-dns-overview.md) attached to the VNet with the necessary updates for the private endpoints, by default. However, if you're using your own DNS server, you may need to make more changes to your DNS configuration. The section on [DNS changes](#dns-changes-for-private-endpoints) below describes the updates required for private endpoints.

-### Private endpoints with the Speech Services

-See [Using Speech Services with private endpoints provided by Azure Private Link](Speech-Service/speech-services-private-link.md).

-### DNS changes for private endpoints

-When you create a private endpoint, the DNS CNAME resource record for the Azure AI services resource is updated to an alias in a subdomain with the prefix `privatelink`. By default, we also create a [private DNS zone](../dns/private-dns-overview.md), corresponding to the `privatelink` subdomain, with the DNS A resource records for the private endpoints.

-When you resolve the endpoint URL from outside the VNet with the private endpoint, it resolves to the public endpoint of the Azure AI services resource. When resolved from the VNet hosting the private endpoint, the endpoint URL resolves to the private endpoint's IP address.

-This approach enables access to the Azure AI services resource using the same connection string for clients in the VNet hosting the private endpoints and clients outside the VNet.

-If you're using a custom DNS server on your network, clients must be able to resolve the fully qualified domain name (FQDN) for the Azure AI services resource endpoint to the private endpoint IP address. Configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet.

-> When using a custom or on-premises DNS server, you should configure your DNS server to resolve the Azure AI services resource name in the 'privatelink' subdomain to the private endpoint IP address. You can do this by delegating the 'privatelink' subdomain to the private DNS zone of the VNet, or configuring the DNS zone on your DNS server and adding the DNS A records.

-For more information on configuring your own DNS server to support private endpoints, see the following articles:

-* [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server)

-* [DNS configuration for private endpoints](../private-link/private-endpoint-overview.md#dns-configuration)

-* Explore the various [Azure AI services](./what-are-ai-services.md)

-* Learn more about [Azure Virtual Network Service Endpoints](../virtual-network/virtual-network-service-endpoints-overview.md)

-You can store the results of a batch transcription to a writable Azure Blob storage container using option `destinationContainerUrl` in the [batch transcription creation request](#create-a-transcription-job). Note however that this option is only using [ad hoc SAS](batch-transcription-audio-data.md#sas-url-for-batch-transcription) URI and doesn't support [Trusted Azure services security mechanism](batch-transcription-audio-data.md#trusted-azure-services-security-mechanism). The Storage account resource of the destination container must allow all external traffic.

-zone_pivot_groups: programming-languages-set-twenty-two

-**DNS for private endpoints:** Review the general principles of [DNS for private endpoints in Azure AI services resources](../cognitive-services-virtual-networks.md#dns-changes-for-private-endpoints). Then confirm that your DNS configuration is working correctly by performing the checks described in the following sections.

-| Max number of simultaneous model trainings | N/A | 3 |

-Containers enable you to run several features of the Translator service in your own environment. Containers are great for specific security and data governance requirements. In this article you'll learn how to download, install, and run a Translator container.

-> * To use the Translator container, you must submit an online request, and have it approved. For more information, _see_ [Request approval to run container](#request-approval-to-run-container) below.

-> * Translator container supports limited features compared to the cloud offerings. Form more information, _see_ [**Container translate methods**](translator-container-supported-parameters.md).

-To get started, you'll need an active [**Azure account**](https://azure.microsoft.com/free/cognitive-services/). If you don't have one, you can [**create a free account**](https://azure.microsoft.com/free/).

-You'll also need to have:

-| Familiarity with Docker | <ul><li>You should have a basic understanding of Docker concepts, like registries, repositories, containers, and container images, as well as knowledge of basic `docker` [terminology and commands](/dotnet/architecture/microservices/container-docker-introduction/docker-terminology).</li></ul> |

-| Translator resource | <ul><li>An Azure [Translator](https://portal.azure.com/#create/Microsoft.CognitiveServicesTextTranslation) resource with region other than 'global', associated API key and endpoint URI. Both values are required to start the container and can be found on the resource overview page.</li></ul>|

-* The container provides a homepage at `\` as a visual validation that the container is running.

-* You can open your favorite web browser and navigate to the external IP address and exposed port of the container in question. Use the various request URLs below to validate the container is running. The example request URLs listed below are `http://localhost:5000`, but your specific container may vary. Keep in mind that you're navigating to your container's **External IP address** and exposed port.

-> The feature described in this document, Azure AD Integration (legacy) was **deprecated on June 1st, 2023**. At this time, no new clusters can be created with Azure AD Integration (legacy). All Azure AD Integration (legacy) AKS clusters will be migrated to AKS-managed Azure AD automatically starting from August 1st, 2023.

-When you create an Azure Blob storage resource for use with AKS, you can create the resource in the node resource group. This approach allows the AKS cluster to access and manage the blob storage resource. If instead you create the blob storage resource in a separate resource group, you must grant the Azure Kubernetes Service managed identity for your cluster the [Contributor][rbac-contributor-role] role to the blob storage resource group.

- containers:

- - name: mypod

- image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

- resources:

- requests:

- cpu: 100m

- memory: 128Mi

- limits:

- cpu: 250m

- memory: 256Mi

- volumeMounts:

- - mountPath: "/mnt/azure"

- name: volume

- volumes:

- - name: volume

- persistentVolumeClaim:

- claimName: my-azurefile

-* The **cluster autoscaler** watches for pods that can't be scheduled on nodes because of resource constraints. The cluster then automatically increases the number of nodes.

- --docker-bridge-address 172.17.0.1/16 \

- * *--docker-bridge-address* is optional. The address lets the AKS nodes communicate with the underlying management platform. This IP address must not be within the virtual network IP address range of your cluster and shouldn't overlap with other address ranges in use on your network. The default value is 172.17.0.1/16.

-> --network-plugin kubenet --network-policy calico \

- --name azurelinuxpool \

-> Inbound, external traffic flows from the load balancer to the virtual network for your AKS cluster. The virtual network has a network security group (NSG) which allows all inbound traffic from the load balancer. This NSG uses a [service tag][service-tags] of type *LoadBalancer* to allow traffic from the load balancer.

-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2023.

- * East US

- * UK South

- * Central India

- * Australia East

-

-By default, the built-in PHP container runs the Apache server. At start-up, it runs `apache2ctl -D FOREGROUND"`. If you like, you can run a different command at start-up, by running the following command in the [Cloud Shell](https://shell.azure.com):

-The default PHP image for App Service uses Apache, and it doesn't let you customize the site root for your app. To work around this limitation, add an *.htaccess* file to your repository root with the following content:

-<IfModule mod_rewrite.c>

- RewriteEngine on

- RewriteCond %{REQUEST_URI} ^(.*)

- RewriteRule ^(.*)$ /public/$1 [NC,L,QSA]

-</IfModule>

-If you would rather not use *.htaccess* rewrite, you can deploy your Laravel application with a [custom Docker image](quickstart-custom-container.md) instead.

-To customize PHP_INI_SYSTEM directives (see [php.ini directives](https://www.php.net/manual/ini.list.php)), you can't use the *.htaccess* approach. App Service provides a separate mechanism using the `PHP_INI_SCAN_DIR` app setting.

-The deployment process places the package on the shared file drive correctly (see [Kudu publish API reference](#kudu-publish-api-reference)). For that reason, deploying WAR/JAR/EAR packages using [FTP](deploy-ftp.md) or WebDeploy is not recommended.

-The steps you follow for your project depends on whether you're using [Entity Framework](/ef/ef6/) (default for ASP.NET) or [Entity Framework Core](/ef/core/) (default for ASP.NET Core).

-# [Entity Framework Core](#tab/efcore)

-1. In Visual Studio, open the Package Manager Console and add the NuGet package [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient):

- ```powershell

- Install-Package Microsoft.Data.SqlClient -Version 5.1.0

- ```

-1. In the [ASP.NET Core and SQL Database tutorial](tutorial-dotnetcore-sqldb-app.md), the `MyDbConnection` connection string in *appsettings.json* isn't used at all yet. The local environment and the Azure environment both get connection strings from their respective environment variables in order to keep connection secrets out of the source file. But now with Active Directory authentication, there are no more secrets. In *appsettings.json*, replace the value of the `MyDbConnection` connection string with:

- ```json

- "Server=tcp:<server-name>.database.windows.net;Authentication=Active Directory Default; Database=<database-name>;"

- ```

- > [!NOTE]

- > The [Active Directory Default](/sql/connect/ado-net/sql/azure-active-directory-authentication#using-active-directory-default-authentication) authentication type can be used both on your local machine and in Azure App Service. The driver attempts to acquire a token from Azure Active Directory using various means. If the app is deployed, it gets a token from the app's managed identity. If the app is running locally, it tries to get a token from Visual Studio, Visual Studio Code, and Azure CLI.

- >

- That's everything you need to connect to SQL Database. When you debug in Visual Studio, your code uses the Azure AD user you configured in [2. Set up your dev environment](#2-set-up-your-dev-environment). You'll set up SQL Database later to allow connection from the managed identity of your App Service app. The `DefaultAzureCredential` class caches the token in memory and retrieves it from Azure AD just before expiration. You don't need any custom code to refresh the token.

-1. Type `Ctrl+F5` to run the app again. The same CRUD app in your browser is now connecting to the Azure SQL Database directly, using Azure AD authentication. This setup lets you run database migrations from Visual Studio.

-* For PowerShell details, see [PowerShell Docs](/powershell/scripting/overview).

-Each pricing tier has different limits for client connections, memory, and bandwidth. If your cache approaches maximum capacity for these metrics over a sustained period of time, a recommendation is created. For more information about the metrics and limits reviewed by the **Recommendations** tool, see the following table:

-⁴ Service SDK types include types from the [Azure SDK for .NET](/dotnet/azure/sdk/azure-sdk-for-dotnet) such as [BlobClient](/dotnet/api/azure.storage.blobs.blobclient). For the isolated process model, support from some extensions is currently in preview, and Service Bus triggers do not yet support message settlement scenarios.

-|[Microsoft.Azure.Functions.Worker]| For **Generally Available** extensions in the table below: 1.18.0 or later<br/>For extensions that have **preview support**: 1.15.0-preview1 |

-|[Microsoft.Azure.Functions.Worker.Sdk]|For **Generally Available** extensions in the table below: 1.13.0 or later<br/>For extensions that have **preview support**: 1.11.0-preview1 |

-| [Azure Tables][tables-sdk-types] | _Trigger does not exist_ | **Preview support** | _SDK types not recommended.¹_ |

-dotnet add package Microsoft.Azure.Functions.Worker.ApplicationInsights --prerelease

-[TableEntity]: /dotnet/api/azure.data.tables.tableentity

-[NuGet package]: https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage

-[storage-5.x]: https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage/5.0.0

-When running on Windows, the Node.js version is set by the [linuxfxversion](./functions-app-settings.md#linuxfxversion) site setting. This setting can be updated using the Azure CLI.

-The section outlines the various changes that you need to make to your local project to move it to the isolated worker model. Some of the steps change based on your target version of .NET. Use the tabs to select the instructions which match your desired version.

-+ You shouldn't deploy your package to Azure Blob Storage as a public blob. Instead, use a private container with a [Shared Access Signature (SAS)](../vs-azure-tools-storage-manage-with-storage-explorer.md#generate-a-sas-in-storage-explorer) or [use a managed identity](#fetch-a-package-from-azure-blob-storage-using-a-managed-identity) to enable the Functions runtime to access the package.

-<!--

- > [!NOTE]

- > If the manifest included in the drawing package is incomplete or contains errors, the onboarding tool will not go directly to the **Review + Create** tab, but instead goes to the tab where you are best able to address the issue.

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js" />

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css">

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css">

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

-## v3 (preview)

-## v2 (latest)

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css">

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css">

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css">

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

- <link rel="stylesheet" href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.css" type="text/css" />

- <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/2/atlas.min.js"></script>

-To add a community library, use the `ConfigureOpenTelemetryMeterProvider` or `ConfigureOpenTelemetryTraceProvider` methods.

-builder.Services.AddOpenTelemetry().UseAzureMonitor();

-builder.Services.Configure<ApplicationInsightsSamplerOptions>(options => { options.SamplingRatio = 0.1F; });

-> - March 31, 2023 ΓÇô The Diagnostic Settings Storage Retention feature will no longer be available to configure new retention rules for log data. If you have configured retention settings, you'll still be able to see and change them.

-> - September 30, 2023 ΓÇô You will no longer be able to use the API or Azure portal to configure retention setting unless you're changing them to *0*. Existing retention rules will still be respected.

-1. On the **Filters** tab, under **Blob prefix** set path or prefix to the container or logs you want the retention rule to apply to.

-For example, for all Function App logs, you could use the container *insights-logs-functionapplogs* to set the retention for all Function App logs.

-To set the rule for a specific subscription, resource group, and function app name, use *insights-logs-functionapplogs/resourceId=/SUBSCRIPTIONS/\<your subscription Id\>/RESOURCEGROUPS/\<your resource group\>/PROVIDERS/MICROSOFT.WEB/SITES/\<your function app name\>*.

-> This tutorial uses ARM templates to configure the components required to support the Logs ingestion API. See [Tutorial: Send data to Azure Monitor Logs with Logs ingestion API (Azure portal)](tutorial-logs-ingestion-api.md) for a similar tutorial that uses Azure Resource Manager templates to configure these components.

-* In a cross-region replication setting, Azure NetApp Files backup can be configured on a source volume only. Azure NetApp Files backup isn't supported on a cross-region replication *destination* volume.

-2. Select **Resource groups**

- :::image type="content" source="./media/manage-resource-groups-portal/manage-resource-groups-add-group.png" alt-text="Screenshot of the Azure portal with 'Resource groups' and 'Add' highlighted.":::

-3. Select **Add**.

-4. Enter the following values:

- - **Subscription**: Select your Azure subscription.

- - **Resource group**: Enter a new resource group name.

- :::image type="content" source="./media/manage-resource-groups-portal/manage-resource-groups-create-group.png" alt-text="Screenshot of the Create Resource Group form in the Azure portal with fields for Subscription, Resource group, and Region.":::

-5. Select **Review + Create**

-6. Select **Create**. It takes a few seconds to create a resource group.

-7. Select **Refresh** from the top menu to refresh the resource group list, and then select the newly created resource group to open it. Or select **Notification**(the bell icon) from the top, and then select **Go to resource group** to open the newly created resource group

- :::image type="content" source="./media/manage-resource-groups-portal/manage-resource-groups-add-group-go-to-resource-group.png" alt-text="Screenshot of the Azure portal with the 'Go to resource group' button in the Notifications panel.":::

-2. To list the resource groups, select **Resource groups**

- :::image type="content" source="./media/manage-resource-groups-portal/manage-resource-groups-list-groups.png" alt-text="Screenshot of the Azure portal displaying a list of resource groups.":::

-3. To customize the information displayed for the resource groups, select **Edit columns**. The following screenshot shows the additional columns you could add to the display:

-2. Select **Resource groups**.

-3. Select the resource group you want to open.

-2. Select **Delete resource group**.

- :::image type="content" source="./media/manage-resource-groups-portal/delete-group.png" alt-text="Screenshot of the Azure portal with the Delete resource group button highlighted in a specific resource group.":::

-Locking prevents other users in your organization from accidentally deleting or modifying critical resources, such as Azure subscription, resource group, or resource.

-2. In the left pane, select **Locks**.

-3. To add a lock to the resource group, select **Add**.

-4. Enter **Lock name**, **Lock type**, and **Notes**. The lock types include **Read-only**, and **Delete**.

- :::image type="content" source="./media/manage-resource-groups-portal/manage-resource-groups-add-lock.png" alt-text="Screenshot of the Add Lock form in the Azure portal with fields for Lock name, Lock type, and Notes.":::

-* serverGroups

-* serversv2

-* applicationGatewayWebApplicationFirewallPolicies

-* bastionHosts

-* dnsForwardingRulesets

-* dnsForwardingRulesets/forwardingRules

-* dnsForwardingRulesets/virtualNetworkLinks

-* dnsResolvers

-* dnsResolvers/inboundEndpoints

-* dnsResolvers/outboundEndpoints

-* dnszones

-* dnszones/A

-* dnszones/AAAA

-* dnszones/all

-* dnszones/CAA

-* dnszones/CNAME

-* dnszones/MX

-* dnszones/NS

-* dnszones/PTR

-* dnszones/recordsets

-* dnszones/SOA

-* dnszones/SRV

-* dnszones/TXT

-* expressRouteCrossConnections

-* privateDnsZones

-* privateDnsZones/A

-* privateDnsZones/AAAA

-* privateDnsZones/all

-* privateDnsZones/CNAME

-* privateDnsZones/MX

-* privateDnsZones/PTR

-* privateDnsZones/SOA

-* privateDnsZones/SRV

-* privateDnsZones/TXT

-* privateDnsZones/virtualNetworkLinks

-* trafficmanagerprofiles

-* virtualNetworks/privateDnsZoneLinks

-## Microsoft.StoragePool

-* diskPools

-* diskPools/iscsiTargets

->[!IMPORTANT]

->Currently, rotating your NSX-T Manager *cloudadmin* credentials isn't supported. To rotate your NSX-T Manager password, submit a [support request](https://rc.portal.azure.com/#create/Microsoft.Support). This process might impact running HCX services.

-In this article, you'll rotate the cloudadmin credentials (vCenter Server *CloudAdmin* credentials) for your Azure VMware Solution private cloud. Although the password for this account doesn't expire, you can generate a new one at any time.

->If you use your cloudadmin credentials to connect services to vCenter Server in your private cloud, those connections will stop working once you rotate your password. Those connections will also lock out the cloudadmin account unless you stop those services before rotating the password.

-Consider and determine which services connect to vCenter Server as *cloudadmin@vsphere.local* before you rotate the password. These services may include VMware services such as HCX, vRealize Orchestrator, vRealize Operations Manager, VMware Horizon, or other third-party tools used for monitoring or provisioning.

-Instead of using the cloudadmin user to connect services to vCenter Server, we recommend individual accounts for each service. For more information about setting up separate accounts for connected services, see [Access and Identity Concepts](./concepts-identity.md).

-1. Select **Generate new password**.

-

-

-

-## Update HCX Connector

-Now that you've covered resetting your vCenter Server credentials for Azure VMware Solution, you may want to learn about:

-description: This article provides information on authorizing access to Azure Web PubSub Service resources using Azure Active Directory.

-*[1] security principal: a user/resource group, an application, or a service principal such as system-assigned identities and user-assigned identities.*

- Full access to data-plane permissions, including read/write REST APIs and Auth APIs.

- This role is the most common used for building an upstream server.

- Use to grant read-only REST APIs permissions to Web PubSub resources.

- It's used when you'd like to write a monitoring tool that calling **ONLY** Web PubSub data-plane **READONLY** REST APIs.

-To learn more about roles and role assignments, see

-To learn how to create custom roles, see

-description: Learn about Azure Web PubSub Service internals, the architecture, the connections and how data is transmitted.

-# Azure Web PubSub service internals

-* **Service**: Azure Web PubSub Service.

-1. A *client* connects to the service `/client` endpoint using WebSocket transport. Service forward every WebSocket frame to the configured upstream(server). The WebSocket connection can connect with any custom subprotocol for the server to handle, or it can connect with the service-supported subprotocol `json.webpubsub.azure.v1`, which empowers the clients to do pub/sub directly. Details are described in [client protocol](#client-protocol).

-var client1 = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1');

-var client2 = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1', 'custom.subprotocol')

-var pubsub = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1', 'json.webpubsub.azure.v1');

-* Join a group, for example:

- ```json

- {

- "type": "joinGroup",

- "group": "<group_name>"

- }

- ```

-* Leave a group, for example:

- ```json

- {

- "type": "leaveGroup",

- "group": "<group_name>"

- }

- ```

-* Publish messages to a group, for example:

- ```json

- {

- "type": "sendToGroup",

- "group": "<group_name>",

- "data": { "hello": "world" }

- }

- ```

-* Send custom events to the upstream server, for example:

- ```json

- {

- "type": "event",

- "event": "<event_name>",

- "data": { "hello": "world" }

- }

- ```

-You may have noticed that for a [simple WebSocket client](#the-simple-websocket-client), the *server* is a **must have** role to receive the `message` events from clients. A simple WebSocket connection always triggers a `message` event when it sends messages, and always relies on the server-side to process messages and do other operations. With the help of the `json.webpubsub.azure.v1` subprotocol, an authorized client can join a group and publish messages to a group directly. It can also route messages to different event handlers / event listeners by customizing the *event* the message belongs.

-var client1 = new WebSocket("wss://xxx.webpubsub.azure.com/client/hubs/hub1", "json.webpubsub.azure.v1");

-client1.onmessage = e => {

- if (e.data) {

- var message = JSON.parse(e.data);

- if (message.type === "message"

- && message.group === "Group1"){

- // Only print messages from Group1

- console.log(message.data);

- }

-client1.onopen = e => {

- client1.send(JSON.stringify({

- type: "joinGroup",

- group: "Group1"

- }));

-* Synchronous events (blocking)

- Synchronous events block the client workflow.

- * `connect`: This event is for event handler only. When the client starts a WebSocket handshake, the event is triggered and developers can use `connect` event handler to handle the WebSocket handshake, determine the subprotocol to use, authenticate the client, and join the client to groups.

- * `message`: This event is triggered when a client sends a message.

-* Asynchronous events (non-blocking)

- Asynchronous events don't block the client workflow, it acts as some notification to server. When such an event trigger fails, the service logs the error detail.

- * `connected`: This event is triggered when a client connects to the service successfully.

- * `disconnected`: This event is triggered when a client disconnected with the service.

-As you may have noticed when we describe the PubSub WebSocket clients, that a client can publish to other clients only when it's *authorized* to. The `role`s of the client determines the *initial* permissions the client have:

-| Role | Permission |

-|||

-| Not specified | The client can send events.

-| `webpubsub.joinLeaveGroup` | The client can join/leave any group.

-| `webpubsub.sendToGroup` | The client can publish messages to any group.

-| `webpubsub.joinLeaveGroup.<group>` | The client can join/leave group `<group>`.

-| `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`.

- - Step1: Enable Identity for the Web PubSub service

- - Step2: Select from existing Azure AD application that stands for your webhook web app

-The server is by nature an authorized user. With the help of the *event handler role*, the server knows the metadata of the clients, for example, `connectionId` and `userId`, so it can:

- - Close a client connection

- - Send messages to a client

- - Send messages to clients that belong to the same user

- - Add a client to a group

- - Add clients authenticated as the same user to a group

- - Remove a client from a group

- - Remove clients authenticated as the same user from a group

- - Publish messages to a group

- - Grant publish/join permissions to some specific group or to all groups

- - Revoke publish/join permissions for some specific group or for all groups

- - Check if the client has permission to join or publish to some specific group or to all groups

-You may have noticed that the *event handler role* handles communication from the service to the server while *the manager role* handles communication from the server to the service. After combining the two roles, the data flow between service and server looks similar to the following diagram using HTTP protocol.

-Azure Web PubSub Service supports Azure Active Directory (Azure AD) authorizing requests from [Azure applications](../active-directory/develop/app-objects-and-service-principals.md).

- 

-

-1. Copy the value of the **client secret** and then paste it to a secure location.

- > [!NOTE]

- > The secret will display only once.

-This sample shows how to assign a `Web PubSub Service Owner` role to a service principal (application) over a Web PubSub resource.

-3. Search for and select the application that you would like to assign the role to.

-4. Click **Next**.

-5. Click **Review + assign** to confirm the change.

-To learn more about how to assign and manage Azure role assignments, see these articles:

- 1. Select **x-www-form-urlencoded**.

- 2. Add `grant_type` key, and type `client_credentials` for the value.

- 3. Add `client_id` key, and paste the value of **Application (client) ID** in the **Overview** tab of the application you created earlier.

- 4. Add `client_secret` key, and paste the value of client secret you noted down earlier.

- 5. Add `resource` key, and type `https://webpubsub.azure.com` for the value.

-6. Select **Send** to send the request to get the token. You see the token in the `access_token` field.

-Azure Web PubSub Service supports Azure Active Directory (Azure AD) authorizing requests from [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).

-## Add role assignments on Azure portal

-This sample shows how to assign a `Web PubSub Service Owner` role to a system-assigned identity over a Web PubSub resource.

-2. Click **Next**.

-3. Click **Review + assign** to confirm the change.

-To learn more about how to assign and manage Azure role assignments, see these articles:

- ```java

- package com.webpubsub.tutorial;

- import com.azure.core.credential.TokenCredential;

- import com.azure.identity.DefaultAzureCredentialBuilder;

- public class App {

- public static void main(String[] args) {

- TokenCredential credential = new DefaultAzureCredentialBuilder().build();

- }

- }

- ```

- `credential` can be any class that inherits from `TokenCredential` class.

- - EnvironmentCredential

- - ClientSecretCredential

- - ClientCertificateCredential

- - ManagedIdentityCredential

- - VisualStudioCredential

- - VisualStudioCodeCredential

- - AzureCliCredential

- To learn more, see [Azure Identity client library for Java](/java/api/overview/azure/identity-readme)

-2. Then create a `client` with `endpoint`, `hub`, and `credential`.

- ```Java

- package com.webpubsub.tutorial;

- import com.azure.core.credential.TokenCredential;

- import com.azure.identity.DefaultAzureCredentialBuilder;

- import com.azure.messaging.webpubsub.WebPubSubServiceClient;

- import com.azure.messaging.webpubsub.WebPubSubServiceClientBuilder;

- public class App {

- public static void main(String[] args) {

- TokenCredential credential = new DefaultAzureCredentialBuilder().build();

- // create the service client

- WebPubSubServiceClient client = new WebPubSubServiceClientBuilder()

- .endpoint("<endpoint>")

- .credential(credential)

- .hub("<hub>")

- .buildClient();

- }

- }

- ```

- Learn how to use this client, see [Azure Web PubSub service client library for Java](/java/api/overview/azure/messaging-webpubsub-readme)

- ```javascript

- const { DefaultAzureCredential } = require('@azure/identity')

- let credential = new DefaultAzureCredential();

- ```

- `credential` can be any class that inherits from `TokenCredential` class.

- - EnvironmentCredential

- - ClientSecretCredential

- - ClientCertificateCredential

- - ManagedIdentityCredential

- - VisualStudioCredential

- - VisualStudioCodeCredential

- - AzureCliCredential

- To learn more, see [Azure Identity client library for JavaScript](/javascript/api/overview/azure/identity-readme)

-2. Then create a `client` with `endpoint`, `hub`, and `credential`.

- ```javascript

- const { DefaultAzureCredential } = require('@azure/identity')

- let credential = new DefaultAzureCredential();

- let serviceClient = new WebPubSubServiceClient("<endpoint>", credential, "<hub>");

- ```

- Learn how to use this client, see [Azure Web PubSub service client library for JavaScript](/javascript/api/overview/azure/web-pubsub-readme)

- Install-Package Azure.Messaging.WebPubSub

- ```C#

- using Azure.Identity;

- namespace chatapp

- {

- public class Program

- {

- public static void Main(string[] args)

- {

- var credential = new DefaultAzureCredential();

- }

- }

- }

- ```

- `credential` can be any class that inherits from `TokenCredential` class.

- - EnvironmentCredential

- - ClientSecretCredential

- - ClientCertificateCredential

- - ManagedIdentityCredential

- - VisualStudioCredential

- - VisualStudioCodeCredential

- - AzureCliCredential

- To learn more, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/identity-readme)

-2. Then create a `client` with `endpoint`, `hub`, and `credential`.

- ```C#

- using Azure.Identity;

- using Azure.Messaging.WebPubSub;

-

- public class Program

- {

- public static void Main(string[] args)

- {

- var credential = new DefaultAzureCredential();

- var client = new WebPubSubServiceClient(new Uri("<endpoint>"), "<hub>", credential);

- }

- }

- ```

- Or inject it into `IServiceCollections` with our `BuilderExtensions`.

- ```C#

- using System;

- using Azure.Identity;

- using Microsoft.Extensions.Azure;

- using Microsoft.Extensions.Configuration;

- using Microsoft.Extensions.DependencyInjection;

- namespace chatapp

- {

- public class Startup

- {

- public Startup(IConfiguration configuration)

- {

- Configuration = configuration;

- }

- public IConfiguration Configuration { get; }

- public void ConfigureServices(IServiceCollection services)

- {

- services.AddAzureClients(builder =>

- {

- var credential = new DefaultAzureCredential();

- builder.AddWebPubSubServiceClient(new Uri("<endpoint>"), "<hub>", credential);

- });

- }

- }

- }

- ```

- Learn how to use this client, see [Azure Web PubSub service client library for .NET](/dotnet/api/overview/azure/messaging.webpubsub-readme)

- ```python

- from azure.identity import DefaultAzureCredential

- credential = DefaultAzureCredential()

- ```

- `credential` can be any class that inherits from `TokenCredential` class.

- - EnvironmentCredential

- - ClientSecretCredential

- - ClientCertificateCredential

- - ManagedIdentityCredential

- - VisualStudioCredential

- - VisualStudioCodeCredential

- - AzureCliCredential

- To learn more, see [Azure Identity client library for Python](/python/api/overview/azure/identity-readme)

-2. Then create a `client` with `endpoint`, `hub`, and `credential`.

- ```python

- from azure.identity import DefaultAzureCredential

- credential = DefaultAzureCredential()

- client = WebPubSubServiceClient(hub="<hub>", endpoint="<endpoint>", credential=credential)

- ```

- Learn how to use this client, see [Azure Web PubSub service client library for Python](/python/api/overview/azure/messaging-webpubsubservice-readme)

-description: Quickstart showing how to create a Web PubSub resource from Azure portal, using Azure CLI and a Bicep template

-> * An Azure account with an active subscription. [Create a free Azure account](https://azure.microsoft.com/free/), if don't have one already.

-

-

-1. Select the New button found on the upper left-hand corner of the Azure portal. In the New screen, type **Web PubSub** in the search box and press enter.

- :::image type="content" source="./media/create-instance-portal/search-web-pubsub-in-portal.png" alt-text="Screenshot of searching the Azure Web PubSub in portal.":::

- | Setting | Suggested value | Description |

- | | - | -- |

- | **Resource name** | Globally unique name | The globally unique Name that identifies your new Web PubSub service instance. Valid characters are `a-z`, `A-Z`, `0-9`, and `-`. |

- | **Subscription** | Your subscription | The Azure subscription under which this new Web PubSub service instance is created. |

- | **[Resource Group]** | myResourceGroup | Name for the new resource group in which to create your Web PubSub service instance. |

- | **Location** | West US | Choose a [region](https://azure.microsoft.com/regions/) near you. |

- | **Pricing tier** | Free | You can first try Azure Web PubSub service for free. Learn more details about [Azure Web PubSub service pricing tiers](https://azure.microsoft.com/pricing/details/web-pubsub/) |

- | **Unit count** | - | Unit count specifies how many connections your Web PubSub service instance can accept. Each unit supports 1,000 concurrent connections at most. It is only configurable in the Standard tier. |

- :::image type="content" source="./media/howto-develop-create-instance/create-web-pubsub-instance-in-portal.png" alt-text="Screenshot of creating the Azure Web PubSub instance in portal.":::

-The [Azure CLI](/cli/azure) is a set of commands used to create and manage Azure resources. The Azure CLI is available across Azure services and is designed to get you working quickly with Azure, with an emphasis on automation.

- # [CLI](#tab/CLI)

- ```azurecli

- az group create --name exampleRG --location eastus

- az deployment group create --resource-group exampleRG --template-file main.bicep

- ```

- # [PowerShell](#tab/PowerShell)

- ```azurepowershell

- New-AzResourceGroup -Name exampleRG -Location eastus

- New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep

- ```

-

- When the deployment finishes, you should see a message indicating the deployment succeeded.

-> [!div class="nextstepaction"]

-1. [Add a managed identity to your Web PubSub service](#add-a-managed-identity-to-your-web-pubsub-service)

-2. [Grant the managed identity an `Azure Event Hubs Data sender` role](#grant-the-managed-identity-an-azure-event-hubs-data-sender-role)

-3. [Add an event listener rule to your service settings](#add-an-event-listener-rule-to-your-service-settings)

-1. Find your service from **Azure portal**. Navigate to **Settings**. Then select **Add** to configure your event listener. For an existing hub configuration, select **...** on right side will navigate to the same editing page.

- :::image type="content" source="media/howto-develop-event-listener/eventhub-consumer-connected-event.png" alt-text="Screenshot of a printed connected event in the Event Hubs consumer client app":::

- :::image type="content" source="media/howto-develop-event-listener/web-pubsub-client-specify-event-name.png" alt-text="The area of the WebSocket client app to generate a user event":::

-> [!div class="nextstepaction"]

-<!--TODO: Add demo-->

-The event handler handles the incoming client events. Event handlers are registered and configured in the service through the Azure portal or Azure CLI. When a client event is triggered, the service can send the event to the appropriate event handler. The Web PubSub service now supports the event handler as the server-side, which exposes the publicly accessible endpoint for the service to invoke when the event is triggered. In other words, it acts as a **webhook**.

-For every event, the service formulates an HTTP POST request to the registered upstream endpoint and expects an HTTP response.

-1. Go to your Azure Web PubSub service page in the **Azure portal**.

-1. Select **Settings** from the menu.

-1. In the event handler page, configure the following fields:

- 1. Enter the server webhook URL in the **URL Template** field.

- 1. Select the **System events** that you want to subscribe to.

- 1. Select the **User events** that you want to subscribe to.

- 1. Select **Authentication** method to authenticate upstream requests.

- 1. Select **Confirm**.

-Commands | Description

-`create` | Create hub settings for WebPubSub Service.

-`delete` | Delete hub settings for WebPubSub Service.

-`list` | List all hub settings for WebPubSub Service.

-`show` | Show hub settings for WebPubSub Service.

-`update` | Update hub settings for WebPubSub Service.

- ```js

- var pubsub = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1', 'json.reliable.webpubsub.azure.v1');

- ```

- ```js

- var pubsub = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1', 'protobuf.reliable.webpubsub.azure.v1');

- ```

-Websocket connections rely on TCP. When the connection doesn't drop, messages are lossless and delivered in order. To prevent message loss over dropped connections, the Web PubSub service retains the connection status information, including group and message information. This information is used to restore the client on connection recovery

-When the client reconnects to the service using reliable subprotocols, the client will receive a `Connected` message containing the `connectionId` and `reconnectionToken`. The `connectionId` identifies the session of the connection in the service.

- "type":"system",

- "event":"connected",

- "connectionId": "<connection_id>",

- "reconnectionToken": "<reconnection_token>"

-Clients that send events to event handlers or publish messages to other clients are called publishers. Publishers should set `ackId` in the message to receive an acknowledgment from the Web PubSub service that publishing the message was successful or not.

-The `ackId` is the identifier of the message, each new message should use a unique ID. The original `ackId` should be used when resending a message.

- "type": "sendToGroup",

- "group": "group1",

- "dataType" : "text",

- "data": "text data",

- "ackId": 1

- "type": "ack",

- "ackId": 1,

- "success": true

-When the service experiences a transient internal error and the message can't be sent to subscriber, the publisher will receive an ack with `success: false`. The publisher should read the error to determine whether or not to resend the message. If the message is resent, the same `ackId` should be used.

- "type": "ack",

- "ackId": 1,

- "success": false,

- "error": {

- "name": "InternalServerError",

- "message": "Internal server error"

- }

-If the service's ack response is lost because the WebSocket connection dropped, the publisher should resend the message with the same `ackId` after recovery. When the message was previously processed by the service, it will send an ack containing a `Duplicate` error. The publisher should stop resending this message.

- "type": "ack",

- "ackId": 1,

- "success": false,

- "error": {

- "name": "Duplicate",

- "message": "Message with ack-id: 1 has been processed"

- }

- "type": "sequenceAck",

- "sequenceId": 1

-> - The current set of access keys will be permanently deleted.

-> - Tokens signed with current set of access keys will become unavailable.

-> - Signature will **NOT** be attached in the upstream request header. Please visit *[how to validate access token](./howto-use-managed-identity.md#validate-access-tokens)* to learn how to validate requests via Azure AD token.

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "resource_name": {

- "defaultValue": "test-for-disable-aad",

- "type": "String"

- }

- },

- "variables": {},

- "resources": [

- {

- "type": "Microsoft.SignalRService/WebPubSub",

- "apiVersion": "2022-08-01-preview",

- "name": "[parameters('resource_name')]",

- "location": "eastus",

- "sku": {

- "name": "Premium_P1",

- "tier": "Premium",

- "size": "P1",

- "capacity": 1

- },

- "properties": {

- "tls": {

- "clientCertEnabled": false

- },

- "networkACLs": {

- "defaultAction": "Deny",

- "publicNetwork": {

- "allow": [

- "ServerConnection",

- "ClientConnection",

- "RESTAPI",

- "Trace"

- ]

- },

- "privateEndpoints": []

- },

- "publicNetworkAccess": "Enabled",

- "disableLocalAuth": true,

- "disableAadAuth": false

- }

- }

- ]

-A client, be it a browser 💻, a mobile app 📱, or an IoT device 💡, uses a **Client Access URL** to connect and authenticate with your resource. This URL follows a pattern of `wss://<service_name>.webpubsub.azure.com/client/hubs/<hub_name>?access_token=<token>`. This article shows you several ways to get the Client Access URL.

- * Configure user ID

- ```js

- let token = await serviceClient.getClientAccessToken({ userId: "user1" });

- ```

- * Configure the lifetime of the token

- ```js

- let token = await serviceClient.getClientAccessToken({ expirationTimeInMinutes: 5 });

- ```

- * Configure a role that can join group `group1` directly when it connects using this Client Access URL

- ```js

- let token = await serviceClient.getClientAccessToken({ roles: ["webpubsub.joinLeaveGroup.group1"] });

- ```

- * Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL

- ```js

- let token = await serviceClient.getClientAccessToken({ roles: ["webpubsub.sendToGroup.group1"] });

- ```

- * Configure a group `group1` that the client joins once it connects using this Client Access URL

- ```js

- let token = await serviceClient.getClientAccessToken({ groups: ["group1"] });

- ```

- * Configure user ID

- ```csharp

- var url = service.GetClientAccessUri(userId: "user1");

- ```

- * Configure the lifetime of the token

- ```csharp

- var url = service.GetClientAccessUri(expiresAfter: TimeSpan.FromMinutes(5));

- ```

- * Configure a role that can join group `group1` directly when it connects using this Client Access URL

- ```csharp

- var url = service.GetClientAccessUri(roles: new string[] { "webpubsub.joinLeaveGroup.group1" });

- ```

- * Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL

- ```csharp

- var url = service.GetClientAccessUri(roles: new string[] { "webpubsub.sendToGroup.group1" });

- ```

- * Configure a group `group1` that the client joins once it connects using this Client Access URL

- ```csharp

- var url = service.GetClientAccessUri(groups: new string[] { "group1" });

- ```

- * Configure user ID

- ```python

- token = service.get_client_access_token(user_id="user1")

- ```

- * Configure the lifetime of the token

- ```python

- token = service.get_client_access_token(minutes_to_expire=5)

- ```

- * Configure a role that can join group `group1` directly when it connects using this Client Access URL

- ```python

- token = service.get_client_access_token(roles=["webpubsub.joinLeaveGroup.group1"])

- ```

- * Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL

- ```python

- token = service.get_client_access_token(roles=["webpubsub.sendToGroup.group1"])

- ```

- * Configure a group `group1` that the client joins once it connects using this Client Access URL

- ```python

- token = service.get_client_access_token(groups=["group1"])

- ```

- * Configure user ID

- ```java

- GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();

- option.setUserId(id);

- WebPubSubClientAccessToken token = service.getClientAccessToken(option);

- ```

- * Configure the lifetime of the token

- ```java

- GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();

- option.setExpiresAfter(Duration.ofDays(1));

- WebPubSubClientAccessToken token = service.getClientAccessToken(option);

- ```

- * Configure a role that can join group `group1` directly when it connects using this Client Access URL

- ```java

- GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();

- option.addRole("webpubsub.joinLeaveGroup.group1");

- WebPubSubClientAccessToken token = service.getClientAccessToken(option);

- ```

- * Configure a role that the client can send messages to group `group1` directly when it connects using this Client Access URL

- ```java

- GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();

- option.addRole("webpubsub.sendToGroup.group1");

- WebPubSubClientAccessToken token = service.getClientAccessToken(option);

- ```

- * Configure a group `group1` that the client joins once it connects using this Client Access URL

- ```java

- GetClientAccessTokenOptions option = new GetClientAccessTokenOptions();

- option.setGroups(Arrays.asList("group1")),

- WebPubSubClientAccessToken token = service.getClientAccessToken(option);

- ```

- 1. For the URI, enter `https://{Endpoint}/api/hubs/{hub}/:generateToken?api-version=2022-11-01`

- 2. On the **Auth** tab, select **Bearer Token** and paste the Azure AD token fetched in the previous step

- 3. Select **Send** and you see the Client Access Token in the response:

- ```json

- {

- "token": "ABCDEFG.ABC.ABC"

- }

- ```

-This article describes the built-in policies for Azure Web PubSub Service.

-* You can assign policy definitions using the [Azure portal](../governance/policy/assign-policy-portal.md), [Azure CLI](../governance/policy/assign-policy-azurecli.md), a [Resource Manager template](../governance/policy/assign-policy-template.md), or the Azure Policy SDKs.

-* Policy assignments can be scoped to a resource group, a subscription, or an [Azure management group](../governance/management-groups/overview.md).

-* You can enable or disable [policy enforcement](../governance/policy/concepts/assignment-structure.md#enforcement-mode) at any time.

-* Web PubSub policy assignments apply to existing and new Web PubSub resources within the scope.

-1. Use the filters to display by **Scope**, **Type** or **Compliance state**. Use search list by name or

- ID.

- [  ](./media/howto-monitor-azure-policy/azure-policy-compliance.png#lightbox)

-1. Select a policy to review aggregate compliance details and events.

-* Learn more about Azure Policy [definitions](../governance/policy/concepts/definition-structure.md) and [effects](../governance/policy/concepts/effects.md)

-* Create a [custom policy definition](../governance/policy/tutorials/create-custom-policy-definition.md)

-* Learn more about [governance capabilities](../governance/index.yml) in Azure

-[terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/

-This how-to guide provides an overview of Azure Web PubSub resource logs and some tips for using the logs to troubleshoot certain problems. Logs can be used for issue identification, connection tracking, message tracing, HTTP request tracing, and analysis.

-## What are resource logs?

-There are three types of resource logs: *Connectivity*, *Messaging*, and *HTTP requests*.

-> - The real-time resource logs captured by live trace tool will be billed as messages (outbound traffic).

-> - The live trace tool does not currently support Azure Active Directory authentication. You must enable access keys to use live trace. Under **Settings**, select **Keys**, and then enable **Access Key**.

-> - The Azure Web PubSub service Free Tier instance has a daily limit of 20,000 messages (outbound traffic). Live trace can cause you to unexpectedly reach the daily limit.

- :::image type="content" source="./media/howto-troubleshoot-diagnostic-logs/diagnostic-logs-with-live-trace-tool.png" alt-text="Screenshot of launching the live trace tool.":::

-* **Capture**: Begin to capture the real-time resource logs from Azure Web PubSub.

-* **Clear**: Clear the captured real-time resource logs.

-* **Log filter**: The live trace tool lets you filter the captured real-time resource logs with one specific key word. The common separators (for example, space, comma, semicolon, and so on) will be treated as part of the key word.

-* **Status**: The status shows whether the live trace tool is connected or disconnected with the specific instance.

-The real-time resource logs captured by live trace tool contain detailed information for troubleshooting.

-| Name | Description |

-| | |

-| Time | Log event time |

-| Log Level | Log event level, can be [Trace \| Debug \| Informational \| Warning \| Error] |

-| Event Name | Operation name of the event |

-| Message | Detailed message for the event |

-| Exception | The run-time exception of Azure Web PubSub service |

-| Hub | User-defined hub name |

-| Connection ID | Identity of the connection |

-| User ID | User identity|

-| IP | Client IP address |

-| Route Template | The route template of the API |

-| Http Method | The Http method (POST/GET/PUT/DELETE) |

-| URL | The uniform resource locator |

-| Trace ID | The unique identifier to the invocation |

-| Status Code | The Http response code |

-| Duration | The duration between receiving the request and processing the request |

-| Headers | The additional information passed by the client and the server with an HTTP request or response |

- :::image type="content" source="./media/howto-troubleshoot-diagnostic-logs/diagnostic-settings-list.png" alt-text="Screenshot of viewing diagnostic settings and create a new one":::

- :::image type="content" source="./media/howto-troubleshoot-diagnostic-logs/diagnostic-settings-details.png" alt-text="Screenshot of configuring diagnostic setting detail":::

-> [!NOTE]

-> The storage account should be in the same region as Azure Web PubSub service.

-Name | Description

-time | Log event time

-level | Log event level

-resourceId | Resource ID of your Azure SignalR Service

-location | Location of your Azure SignalR Service

-category | Category of the log event

-operationName | Operation name of the event

-callerIpAddress | IP address of your server or client

-properties | Detailed properties related to this log event. For more detail, see the properties table below

-Name | Description

-collection | Collection of the log event. Allowed values are: `Connection`, `Authorization` and `Throttling`

-connectionId | Identity of the connection

-userId | Identity of the user

-message | Detailed message of log event

-hub | User-defined Hub Name |

-routeTemplate | The route template of the API |

-httpMethod | The Http method (POST/GET/PUT/DELETE) |

-url | The uniform resource locator |

-traceId | The unique identifier to the invocation |

-statusCode | The Http response code |

-duration | The duration between the request is received and processed |

-headers | The additional information passed by the client and the server with an HTTP request or response |

-1. On the **Diagnostic setting** page, under **Destination details**, select **Send to Log Analytics workspace.

- :::image type="content" alt-text="Log Analytics menu item" source="./media/howto-troubleshoot-diagnostic-logs/log-analytics-menu-item.png" lightbox="./media/howto-troubleshoot-diagnostic-logs/log-analytics-menu-item.png":::

- :::image type="content" alt-text="Query log in Log Analytics" source="./media/howto-troubleshoot-diagnostic-logs/query-log-in-log-analytics.png" lightbox="./media/howto-troubleshoot-diagnostic-logs/query-log-in-log-analytics.png":::

- :::image type="content" alt-text="Sample query in Log Analytics" source="./media/howto-troubleshoot-diagnostic-logs/log-analytics-sample-query.png" lightbox="./media/howto-troubleshoot-diagnostic-logs/log-analytics-sample-query.png":::

-Name | Description

-TimeGenerated | Log event time

-Collection | Collection of the log event. Allowed values are: `Connection`, `Authorization` and `Throttling`

-OperationName | Operation name of the event

-Location | Location of your Azure SignalR Service

-Level | Log event level

-CallerIpAddress | IP address of your server/client

-Message | Detailed message of log event

-UserId | Identity of the user

-ConnectionId | Identity of the connection

-ConnectionType | Type of the connection. Allowed values are: `Server` \| `Client`. `Server`: connection from server side; `Client`: connection from client side

-TransportType | Transport type of the connection. Allowed values are: `Websockets` \| `ServerSentEvents` \| `LongPolling`

-| Reason | Description |

-| - | - |

-| Connection count reaches limit | Connection count reaches limit of your current price tier. Consider scale up service unit

-| Service reloading, reconnect | Azure Web PubSub service is reloading. You need to implement your own reconnect mechanism or manually reconnect to Azure Web PubSub service |

-| Internal server transient error | Transient error occurs in Azure Web PubSub service, should be auto recovered

-If you find that you can't establish client connections to Azure Web PubSub service, check your resource logs. If you see `Connection count reaches limit` in the resource log, you established too many connections to Azure Web PubSub service and reached the connection count limit. Consider scaling up your Azure Web PubSub service instance. If you see `Message count reaches limit` in the resource log and you're using the Free tier, it means you used up the quota of messages. If you want to send more messages, consider changing your Azure Web PubSub service instance to Standard tier. For more information, see [Azure Web PubSub service Pricing](https://azure.microsoft.com/pricing/details/web-pubsub/).

-> [!Important]

-> Azure Web PubSub Service can support only one managed identity. That means you can add either a system-assigned identity or a user-assigned identity.

-4. On the **System assigned** tab, switch **Status** to **On**. Select **Save**.

- :::image type="content" source="media/howto-use-managed-identity/system-identity-portal.png" alt-text="Add a system-assigned identity in the portal":::

- :::image type="content" source="media/howto-use-managed-identity/user-identity-portal.png" alt-text="Add a user-assigned identity in the portal":::

- :::image type="content" source="media/howto-use-managed-identity/msi-settings.png" alt-text="msi-setting":::

- - Use default AAD application.

- - Select from existing AAD applications. The application ID of the one you choose will be used.

- - Specify an AAD application. The value should be [Resource ID of an Azure service](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication)

- > [!NOTE]

- > If you validate an access token by yourself in your service, you can choose any one of the resource formats. If you use Azure role-based access control (Azure RBAC) for a data plane, you must use the resource that the service provider requests.

-> * Build a serverless real-time chat app

-> * Work with Web PubSub function trigger bindings and output bindings

-> * Deploy the function to Azure Function App

-> * Configure Azure Authentication

-> * Configure Web PubSub Event Handler to route events and messages to the application

-* A code editor, such as [Visual Studio Code](https://code.visualstudio.com/)

-* [Node.js](https://nodejs.org/en/download/), version 10.x.

- > [!NOTE]

- > For more information about the supported versions of Node.js, see [Azure Functions runtime versions documentation](../azure-functions/functions-versions.md#languages).

-* [Azure Functions Core Tools](https://github.com/Azure/azure-functions-core-tools#installing) (v4 or higher preferred) to run Azure Function apps locally and deploy to Azure.

-* The [Azure CLI](/cli/azure) to manage Azure resources.

-* A code editor, such as [Visual Studio Code](https://code.visualstudio.com/).

-* [Azure Functions Core Tools](https://github.com/Azure/azure-functions-core-tools#installing) (v4 or higher preferred) to run Azure Function apps locally and deploy to Azure.

-* The [Azure CLI](/cli/azure) to manage Azure resources.

-* A code editor, such as [Visual Studio Code](https://code.visualstudio.com/).

-* [Azure Functions Core Tools](https://github.com/Azure/azure-functions-core-tools#installing) (v4 or higher preferred) to run Azure Function apps locally and deploy to Azure.

-* The [Azure CLI](/cli/azure) to manage Azure resources.

- # [JavaScript](#tab/javascript)

- ```bash

- func init --worker-runtime javascript

- ```

- # [C# in-process](#tab/csharp-in-process)

- ```bash

- func init --worker-runtime dotnet

- ```

- # [C# isolated process](#tab/csharp-isolated-process)

- ```bash

- func init --worker-runtime dotnet-isolated

- ```

-

- # [JavaScript](#tab/javascript)

- Update `host.json`'s extensionBundle to version _3.3.0_ or later to get Web PubSub support.

- ```json

- {

- "version": "2.0",

- "extensionBundle": {

- "id": "Microsoft.Azure.Functions.ExtensionBundle",

- "version": "[3.3.*, 4.0.0)"

- }

- }

- ```

-

- # [C# in-process](#tab/csharp-in-process)

- ```bash

- dotnet add package Microsoft.Azure.WebJobs.Extensions.WebPubSub

- ```

- # [C# isolated process](#tab/csharp-isolated-process)

- ```bash

- dotnet add package Microsoft.Azure.Functions.Worker.Extensions.WebPubSub --prerelease

- ```

- ```bash

- func new -n index -t HttpTrigger

- ```

- ```json

- {

- "bindings": [

- {

- "authLevel": "anonymous",

- "type": "httpTrigger",

- "direction": "in",

- "name": "req",

- "methods": [

- "get",

- "post"

- ]

- },

- {

- "type": "http",

- "direction": "out",

- "name": "res"

- }

- ]

- }

- ```

- ```js

- var fs = require('fs');

- var path = require('path');

- module.exports = function (context, req) {

- var index = context.executionContext.functionDirectory + '/../https://docsupdatetracker.net/index.html';

- context.log("https://docsupdatetracker.net/index.html path: " + index);

- fs.readFile(index, 'utf8', function (err, data) {

- if (err) {

- console.log(err);

- context.done(err);

- }

- context.res = {

- status: 200,

- headers: {

- 'Content-Type': 'text/html'

- },

- body: data

- };

- context.done();

- });

- }

- ```

- ```c#

- [FunctionName("index")]

- public static IActionResult Run([HttpTrigger(AuthorizationLevel.Anonymous)] HttpRequest req, ExecutionContext context, ILogger log)

- {

- var indexFile = Path.Combine(context.FunctionAppDirectory, "https://docsupdatetracker.net/index.html");

- log.LogInformation($"https://docsupdatetracker.net/index.html path: {indexFile}.");

- return new ContentResult

- {

- Content = File.ReadAllText(indexFile),

- ContentType = "text/html",

- };

- }

- ```

-

- # [C# isolated process](#tab/csharp-isolated-process)

- ```c#

- [Function("index")]

- public HttpResponseData Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequestData req, FunctionContext context)

- {

- var path = Path.Combine(context.FunctionDefinition.PathToAssembly, "../https://docsupdatetracker.net/index.html");

- _logger.LogInformation($"https://docsupdatetracker.net/index.html path: {path}.");

- var response = req.CreateResponse();

- response.WriteString(File.ReadAllText(path));

- response.Headers.Add("Content-Type", "text/html");

- return response;

- }

- ```

- ```bash

- func new -n negotiate -t HttpTrigger

- ```

- > [!NOTE]

- > In this sample, we use [AAD](../app-service/configure-authentication-user-identities.md) user identity header `x-ms-client-principal-name` to retrieve `userId`. And this won't work in a local function. You can make it empty or change to other ways to get or generate `userId` when playing in local. For example, let client type a user name and pass it in query like `?user={$username}` when call `negotiate` function to get service connection url. And in the `negotiate` function, set `userId` with value `{query.user}`.

-

- # [JavaScript](#tab/javascript)

- - Update `negotiate/function.json` and copy following json codes.

- ```json

- {

- "bindings": [

- {

- "authLevel": "anonymous",

- "type": "httpTrigger",

- "direction": "in",

- "name": "req"

- },

- {

- "type": "http",

- "direction": "out",

- "name": "res"

- },

- {

- "type": "webPubSubConnection",

- "name": "connection",

- "hub": "simplechat",

- "userId": "{headers.x-ms-client-principal-name}",

- "direction": "in"

- }

- ]

- }

- ```

- - Update `negotiate/index.js` and copy following codes.

- ```js

- module.exports = function (context, req, connection) {

- context.res = { body: connection };

- context.done();

- };

- ```

- # [C# in-process](#tab/csharp-in-process)

- - Update `negotiate.cs` and replace `Run` function with following codes.

- ```c#

- [FunctionName("negotiate")]

- public static WebPubSubConnection Run(

- [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,

- [WebPubSubConnection(Hub = "simplechat", UserId = "{headers.x-ms-client-principal-name}")] WebPubSubConnection connection,

- ILogger log)

- {

- log.LogInformation("Connecting...");

- return connection;

- }

- ```

- - Add `using` statements in header to resolve required dependencies.

- ```c#

- using Microsoft.Azure.WebJobs.Extensions.WebPubSub;

- ```

- # [C# isolated process](#tab/csharp-isolated-process)

- - Update `negotiate.cs` and replace `Run` function with following codes.

- ```c#

- [Function("negotiate")]

- public HttpResponseData Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequestData req,

- [WebPubSubConnectionInput(Hub = "simplechat", UserId = "{headers.x-ms-client-principal-name}")] WebPubSubConnection connectionInfo)

- {

- var response = req.CreateResponse(HttpStatusCode.OK);

- response.WriteAsJsonAsync(connectionInfo);

- return response;

- }

- ```

- ```json

- {

- "bindings": [

- {

- "type": "webPubSubTrigger",

- "direction": "in",

- "name": "data",

- "hub": "simplechat",

- "eventName": "message",

- "eventType": "user"

- },

- {

- "type": "webPubSub",

- "name": "actions",

- "hub": "simplechat",

- "direction": "out"

- }

- ]

- }

- ```

- ```js

- module.exports = async function (context, data) {

- context.bindings.actions = {

- "actionName": "sendToAll",

- "data": `[${context.bindingData.request.connectionContext.userId}] ${data}`,

- "dataType": context.bindingData.dataType

- };

- // UserEventResponse directly return to caller

- var response = {

- "data": '[SYSTEM] ack.',

- "dataType" : "text"

- };

- return response;

- };

- ```

- # [C# in-process](#tab/csharp-in-process)

- - Update `message.cs` and replace `Run` function with following codes.

- ```c#

- [FunctionName("message")]

- public static async Task<UserEventResponse> Run(

- [WebPubSubTrigger("simplechat", WebPubSubEventType.User, "message")] UserEventRequest request,

- BinaryData data,

- WebPubSubDataType dataType,

- [WebPubSub(Hub = "simplechat")] IAsyncCollector<WebPubSubAction> actions)

- {

- await actions.AddAsync(WebPubSubAction.CreateSendToAllAction(

- BinaryData.FromString($"[{request.ConnectionContext.UserId}] {data.ToString()}"),

- dataType));

- return new UserEventResponse

- {

- Data = BinaryData.FromString("[SYSTEM] ack"),

- DataType = WebPubSubDataType.Text

- };

- }

- ```

- - Add `using` statements in header to resolve required dependencies.

- ```c#

- using Microsoft.Azure.WebJobs.Extensions.WebPubSub;

- using Microsoft.Azure.WebPubSub.Common;

- ```

-

- # [C# isolated process](#tab/csharp-isolated-process)

- - Update `message.cs` and replace `Run` function with following codes.

- ```c#

- [Function("message")]

- [WebPubSubOutput(Hub = "simplechat")]

- public SendToAllAction Run(

- [WebPubSubTrigger("simplechat", WebPubSubEventType.User, "message")] UserEventRequest request)

- {

- return new SendToAllAction

- {

- Data = BinaryData.FromString($"[{request.ConnectionContext.UserId}] {request.Data.ToString()}"),

- DataType = request.DataType

- };

- }

- ```

- ```html

- <html>

- <body>

- <h1>Azure Web PubSub Serverless Chat App</h1>

- <div id="login"></div>

- <p></p>

- <input id="message" placeholder="Type to chat...">

- <div id="messages"></div>

- <script>

- (async function () {

- let authenticated = window.location.href.includes('?authenticated=true');

- if (!authenticated) {

- // auth

- let login = document.querySelector("#login");

- let link = document.createElement('a');

- link.href = `${window.location.origin}/.auth/login/aad?post_login_redirect_url=/api/index?authenticated=true`;

- link.text = "login";

- login.appendChild(link);

- }

- else {

- // negotiate

- let messages = document.querySelector('#messages');

- let res = await fetch(`${window.location.origin}/api/negotiate`, {

- credentials: "include"

- });

- let url = await res.json();

- // connect

- let ws = new WebSocket(url.url);

- ws.onopen = () => console.log('connected');

- ws.onmessage = event => {

- let m = document.createElement('p');

- m.innerText = event.data;

- messages.appendChild(m);

- };

- let message = document.querySelector('#message');

- message.addEventListener('keypress', e => {

- if (e.charCode !== 13) return;

- ws.send(message.value);

- message.value = '';

- });

- }

- })();

- </script>

- </body>

- </html>

- ```

- # [JavaScript](#tab/javascript)

- # [C# in-process](#tab/csharp-in-process)

- Since C# project compiles files to a different output folder, you need to update your `*.csproj` to make the content page go with it.

- ```xml

- <ItemGroup>

- <None Update="https://docsupdatetracker.net/index.html">

- <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

- </None>

- </ItemGroup>

- ```

- # [C# isolated process](#tab/csharp-isolated-process)

- Since C# project compiles files to a different output folder, you need to update your `*.csproj` to make the content page go with it.

- ```xml

- <ItemGroup>

- <None Update="https://docsupdatetracker.net/index.html">

- <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

- </None>

- </ItemGroup>

- ```

-* A resource group, which is a logical container for related resources.

-* A storage account, which is used to maintain state and other information about your functions.

-* A function app, which provides the environment for executing your function code. A function app maps to your local function project and lets you group functions as a logical unit for easier management, deployment and sharing of resources.

-Use the following commands to create these items.

- ```azurecli

- az login

- ```

- ```azurecli

- az group create -n WebPubSubFunction -l <REGION>

- ```

- ```azurecli

- az storage account create -n <STORAGE_NAME> -l <REGION> -g WebPubSubFunction

- ```

- # [JavaScript](#tab/javascript)

- ```azurecli

- az functionapp create --resource-group WebPubSubFunction --consumption-plan-location <REGION> --runtime node --runtime-version 14 --functions-version 4 --name <FUNCIONAPP_NAME> --storage-account <STORAGE_NAME>

- ```

- > [!NOTE]

- > Check [Azure Functions runtime versions documentation](../azure-functions/functions-versions.md#languages) to set `--runtime-version` parameter to supported value.

- # [C# in-process](#tab/csharp-in-process)

- ```azurecli

- az functionapp create --resource-group WebPubSubFunction --consumption-plan-location <REGION> --runtime dotnet --functions-version 4 --name <FUNCIONAPP_NAME> --storage-account <STORAGE_NAME>

- ```

- # [C# isolated process](#tab/csharp-isolated-process)

- ```azurecli

- az functionapp create --resource-group WebPubSubFunction --consumption-plan-location <REGION> --runtime dotnet-isolated --functions-version 4 --name <FUNCIONAPP_NAME> --storage-account <STORAGE_NAME>

- ```

- After you have successfully created your function app in Azure, you're now ready to deploy your local functions project by using the [func azure functionapp publish](./../azure-functions/functions-run-local.md) command.

- ```bash

- func azure functionapp publish <FUNCIONAPP_NAME>

- ```

- - Hub Name: `simplechat`

- - URL Template: **https://<FUNCTIONAPP_NAME>.azurewebsites.net/runtime/webhooks/webpubsub?code=<APP_KEY>**

- - User Event Pattern: *

- - System Events: -(No need to configure in this sample)

-* [Microsoft(Azure AD)](../app-service/configure-authentication-provider-aad.md)

-* [Facebook](../app-service/configure-authentication-provider-facebook.md)

-* [Google](../app-service/configure-authentication-provider-google.md)

-* [Twitter](../app-service/configure-authentication-provider-twitter.md)

-In this quickstart, you learned how to run a serverless chat application. Now, you could start to build your own application.

-> [!div class="nextstepaction"]

-> [!div class="nextstepaction"]

-> [!div class="nextstepaction"]

-> [Explore more Azure Web PubSub samples](https://github.com/Azure/azure-webpubsub/tree/main/samples)

-Claim Type | Is Required | Description

-||

-`aud` | true | Should be the **SAME** as your HTTP request url. For example, a broadcast request's audience looks like: `https://example.webpubsub.azure.com/api/hubs/myhub/:send?api-version=2022-11-01`.

-`exp` | true | Epoch time when this token will be expired.

- audience: request.url,

- expiresIn: "1h",

- algorithm: "HS256",

- });

-Like using `AccessKey`, a [JSON Web Token (JWT)](https://en.wikipedia.org/wiki/JSON_Web_Token) is also required to authenticate the HTTP request.

-**The difference is**, in this scenario, JWT Token is generated by Azure Active Directory.

-## APIs

-| Operation Group | Description |

-|--|-|

-|[Service Status](/rest/api/webpubsub/dataplane/health-api)| Provides operations to check the service status |

-|[Hub Operations](/rest/api/webpubsub/dataplane/web-pub-sub)| Provides operations to manage the connections and send messages to them. |

-[//]: # ({x-version-update-start;com.azure:azure-messaging-webpubsub;current})

-[//]: # ({x-version-update-end})

-better performance compared to the default SSL implementation within the JDK. For more information, including how to reduce the dependency size, see [performance tuning][https://github.com/Azure/azure-sdk-for-java/wiki/Performance-Tuning].

-const serviceClient = new WebPubSubServiceClient("<ConnectionString>", "<hubName>");

-const { WebPubSubServiceClient, AzureKeyCredential } = require("@azure/web-pubsub");

-const serviceClient = new WebPubSubServiceClient("<Endpoint>", key, "<hubName>");

-const { WebPubSubServiceClient, AzureKeyCredential } = require("@azure/web-pubsub");

-const serviceClient = new WebPubSubServiceClient("<Endpoint>", key, "<hubName>");

-const serviceClient = new WebPubSubServiceClient("<ConnectionString>", "<hubName>");

-const serviceClient = new WebPubSubServiceClient("<ConnectionString>", "<hubName>");

-const serviceClient = new WebPubSubServiceClient("<ConnectionString>", "<hubName>");

-const serviceClient = new WebPubSubServiceClient("<ConnectionString>", "<hubName>");

-await serviceClient.sendToUser("user1", "Hi there!", { contentType: "text/plain" });

-const serviceClient = new WebPubSubServiceClient("<ConnectionString>", "<hubName>");

-const serviceClient = new WebPubSubServiceClient("<ConnectionString>", "<hubName>");

- console.log(`Azure WebPubSub Upstream ready at http://localhost:3000${handler.path}`)

- userId: "<userId>"

- allowedEndpoints: ["https://<yourAllowedService>.webpubsub.azure.com"]

- console.log(`Azure WebPubSub Upstream ready at http://localhost:3000${handler.path}`)

- "https://<yourAllowedService2>.webpubsub.azure.com"

- ]

- console.log(`Azure WebPubSub Upstream ready at http://localhost:3000${handler.path}`)

- path: "/customPath1"

- console.log(`Azure WebPubSub Upstream ready at http://localhost:3000${handler.path}`)

- }

- console.log(`Azure WebPubSub Upstream ready at http://localhost:3000${handler.path}`)

- ```python

- >>> from azure.messaging.webpubsubservice import WebPubSubServiceClient

- >>> from azure.identity import DefaultAzureCredential

- >>> service = WebPubSubServiceClient(endpoint='<endpoint>', hub='hub', credential=DefaultAzureCredential())

- ```

-description: A list of code samples showing how to authenticate and connect to Web PubSub resource(s)

-

-The client can be a browser, a mobile app, an IoT device or even an EV charging point as long as it supports WebSocket. A client is limited to publishing and subscribing to messages.

-While the client's role is often limited, the application server's role goes beyond simply receiving and publishing messages. Before a client tries to connect with your Web PubSub resource, it goes to the application server for a Client Access Token first. The token is used to establish a persistent WebSocket connection with your Web PubSub resource.

-| Use case | Description |

-| [Using connection string](https://github.com/Azure/azure-webpubsub/blob/main/samples/csharp/chatapp/Startup.cs#L29) | Applies to application server only.

-| [Using Client Access Token](https://github.com/Azure/azure-webpubsub/blob/main/samples/csharp/chatapp/wwwroot/https://docsupdatetracker.net/index.html#L13) | Applies to client only. Client Access Token is generated on the application server.

-| [Anonymous connection](https://github.com/Azure/azure-webpubsub/blob/main/samples/csharp/clientWithCert/client/Program.cs#L15) | Anonymous connection allows clients to connect with Azure Web PubSub directly without going to an application server for a Client Access Token first. This is useful for clients that have limited networking capabilities, like an EV charging point.

-| Use case | Description |

-| Use case | Description |

-| Use case | Description |

-3. Add configuration so that the server can connect with your Web PubSub for Socket.IO resource.

- const wpsOptions = {

- };

- ```

-

-4. Locate in your server-side code where Socket.IO server is created and append `.useAzureSocketIO(wpsOptions)`:

- ```javascript

- const io = require("socket.io")();

- useAzureSocketIO(io, wpsOptions);

->[!IMPORTANT]

-> `useAzureSocketIO` is an asynchronous method. Here we `await`. So you need to wrap it and related code in an asynchronous function.

-5. If you use the following server APIs, add `async` before using them as they're asynchronous with Web PubSub for Socket.IO.

-* [Back up Windows Servers](backup-windows-with-mars-agent.md)

-For more information, see [What is Azure Bastion](bastion-overview.md).

- a. Obtain the VCEK certificate by running the following command ΓÇô it obtains the cert from a well-known IMDS endpoint:

- lOG_ANALYTICS_KEY=$(az monitor log-analytics workspace get-shared-keys \

- lOG_ANALYTICS_KEY_ENC=$(printf %s $lOG_ANALYTICS_KEY | base64 -w0) # Needed for the next step

- $lOG_ANALYTICS_KEY=$(az monitor log-analytics workspace get-shared-keys `

- $lOG_ANALYTICS_KEY_ENC=[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($lOG_ANALYTICS_KEY))

- --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.sharedKey=${lOG_ANALYTICS_KEY_ENC}"

- --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.sharedKey=${lOG_ANALYTICS_KEY_ENC}"

- --servers "$ACI_IP"

-> If you are using port 29 to have only 3 IP addresses, we recommend always to go one range above or below. For example, use port 28 so you can have at least 1 or more IP buffer per container group. By doing this, you can avoid containers in stuck, not able start or not able to stop states.

-## Customer Managed Key does not exist

-You see this error when the customer managed key isn't found on the specified Azure Key Vault.

-To get started with intra-account offline container copy for Azure Cosmos DB for MongoDB accounts, register for the **Intra-account offline container copy (MongoDB)** preview feature flag in [Preview Features](access-previews.md) in the Azure portal. Once the registration is complete, the preview is effective for all API for MongoDB accounts in the subscription.

-| Internet expsed VM has high severity vulnerabilities and has insecure secret that is used to authenticate to storage account | An Azure virtual machine is reachable from the internet, has high severity vulnerabilities and has secret that can authenticate to an Azure storage account |

-| Exposed to the internet | Indicates that a resource is exposed to the internet. Supports port filtering. [Learn more](concept-data-security-posture-prepare.md#exposed-to-the-internetallows-public-access) | Azure virtual machine, AWS EC2, Azure storage account, Azure SQL server, Azure Cosmos DB, AWS S3, Kubernetes pod, Azure SQL Managed Instance, Azure MySQL Single Server, Azure MySQL Flexible Server, Azure PostgreSQL Single Server, Azure PostgreSQL Flexible Server, Azure MariaDB Single Server, Synapse Workspace, RDS Instance |

-| Contains sensitive data <br/> <br/> Prerequisite: [Enable data-aware security for storage accounts in Defender CSPM](data-security-posture-enable.md), or [leverage Microsoft Purview Data Catalog to protect sensitive data](information-protection.md). | Indicates that a resource contains sensitive data. | Azure Storage Account, Azure Storage Account Container, AWS S3 bucket, Azure SQL Server, Azure SQL Database, Azure Data Lake Storage Gen2, Azure Database for PostgreSQL, Azure Database for MySQL, Azure Synapse Analytics, Azure Cosmos DB accounts |

-| Has tags | Lists the resource tags of the cloud resource | All Azure and AWS resources |

-| Allows public access | Indicates that a public read access is allowed to the resource with no authorization required. [Learn more](concept-data-security-posture-prepare.md#exposed-to-the-internetallows-public-access) | Azure storage account, AWS S3 bucket, GitHub repository |

-| Has high severity vulnerabilities | Indicates that a resource has high severity vulnerabilities | Azure VM, AWS EC2, Container image |

-| Vulnerable to remote code execution | Indicates that a resource has vulnerabilities allowing remote code execution | Azure VM, AWS EC2, Container image |