-No one wants to build a new endpoint from scratch, so we created some [reference code](https://aka.ms/scimreferencecode) for you to get started with [System for Cross-domain Identity Management (SCIM)](https://aka.ms/scimoverview). You can get your SCIM endpoint up and running with no code in just five minutes.

-This tutorial describes how to deploy the SCIM reference code in Azure and test it by using Postman or by integrating with the Azure Active Directory (Azure AD) SCIM client. This tutorial is intended for developers who want to get started with SCIM, or anyone interested in testing a SCIM endpoint.

-The steps here deploy the SCIM endpoint to a service by using [Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) and [Azure App Service](../../app-service/index.yml). The SCIM reference code can also be run locally, hosted by an on-premises server, or deployed to another external service.

-1. Go to the [reference code](https://github.com/AzureAD/SCIMReferenceCode) from GitHub and select **Clone or download**.

-1. Select **Open in Desktop**, or copy the link, open Visual Studio, and select **Clone or check out code** to enter the copied link and make a local copy.

-1. Go to the application in **Azure App Service** > **Configuration** and select **New application setting** to add the *Token__TokenIssuer* setting with the value `https://sts.windows.net/<tenant_id>/`. Replace `<tenant_id>` with your Azure AD tenant ID. If you want to test the SCIM endpoint by using [Postman](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint), add an *ASPNETCORE_ENVIRONMENT* setting with the value `Development`.

- 

- When you test your endpoint with an enterprise application in the [Azure portal](use-scim-to-provision-users-and-groups.md#integrate-your-scim-endpoint-with-the-azure-ad-scim-client), you have two options. You can keep the environment in `Development` and provide the testing token from the `/scim/token` endpoint, or you can change the environment to `Production` and leave the token field empty.

-As an application developer, you can use the System for Cross-Domain Identity Management (SCIM) user management API to enable automatic provisioning of users and groups between your application and Azure AD. This article describes how to build a SCIM endpoint and integrate with the Azure AD provisioning service. The SCIM specification provides a common user schema for provisioning. When used in conjunction with federation standards like SAML or OpenID Connect, SCIM gives administrators an end-to-end, standards-based solution for access management.

-SCIM is a standardized definition of two endpoints: a `/Users` endpoint and a `/Groups` endpoint. It uses common REST verbs to create, update, and delete objects, and a pre-defined schema for common attributes like group name, username, first name, last name and email. Apps that offer a SCIM 2.0 REST API can reduce or eliminate the pain of working with a proprietary user management API. For example, any compliant SCIM client knows how to make an HTTP POST of a JSON object to the `/Users` endpoint to create a new user entry. Instead of needing a slightly different API for the same basic actions, apps that conform to the SCIM standard can instantly take advantage of pre-existing clients, tools, and code.

-The standard user object schema and rest APIs for management defined in SCIM 2.0 (RFC [7642](https://tools.ietf.org/html/rfc7642), [7643](https://tools.ietf.org/html/rfc7643), [7644](https://tools.ietf.org/html/rfc7644)) allow identity providers and apps to more easily integrate with each other. Application developers that build a SCIM endpoint can integrate with any SCIM-compliant client without having to do custom work.

-To automate provisioning to an application will require building and integrating a SCIM endpoint with the Azure AD SCIM client. Use the following steps to start provisioning users and groups into your application.

-

-1. Design your user and group schema

- Identify the application's objects and attributes to determine how they map to the user and group schema supported by the Azure AD SCIM implementation.

-1. Understand the Azure AD SCIM implementation

- Understand how the Azure AD SCIM client is implemented to model your SCIM protocol request handling and responses.

-1. Build a SCIM endpoint

- An endpoint must be SCIM 2.0-compatible to integrate with the Azure AD provisioning service. As an option, use Microsoft Common Language Infrastructure (CLI) libraries and code samples to build your endpoint. These samples are for reference and testing only; we recommend against using them as dependencies in your production app.

-1. Integrate your SCIM endpoint with the Azure AD SCIM client

- If your organization uses a third-party application to implement a profile of SCIM 2.0 that Azure AD supports, you can quickly automate both provisioning and deprovisioning of users and groups.

-1. Publish your application to the Azure AD application gallery

- Make it easy for customers to discover your application and easily configure provisioning.

-

-1. List the attributes your application requires, then categorize as attributes needed for authentication (e.g. loginName and email), attributes needed to manage the user lifecycle (e.g. status / active), and all other attributes needed for the application to work (e.g. manager, tag).

-1. Map SCIM attributes to the user attributes in Azure AD. If one of the attributes you have defined in your SCIM endpoint does not have a clear counterpart on the Azure AD user schema, guide the tenant administrator to extend their schema or use an extension attribute as shown below for the `tags` property.

-**Example list of required attributes**

-**Example schema defined by a JSON payload**

-| Azure Active Directory user | "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" |

-|department|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|

-|employeeId|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|

-| manager |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager |

-**Example list of user and group attributes**

-| Azure Active Directory group | urn:ietf:params:scim:schemas:core:2.0:Group |

-**Example list of group attributes**

-There are several endpoints defined in the SCIM RFC. You can start with the `/User` endpoint and then expand from there.

-|/Bulk|Bulk operations allow you to perform operations on a large collection of resource objects in a single operation (e.g. update memberships for a large group).|

-|/ServiceProviderConfig|Provides details about the features of the SCIM standard that are supported, for example the resources that are supported and the authentication method.|

-**Example list of endpoints**

-To support a SCIM 2.0 user management API, this section describes how the Azure AD SCIM client is implemented and shows how to model your SCIM protocol request handling and responses.

-|-|-|

-|Create users, and optionally also groups|[section 3.3](https://tools.ietf.org/html/rfc7644#section-3.3)|

-|Modify users or groups with PATCH requests|[section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Supporting ensures that groups and users are provisioned in a performant manner.|

-|Retrieve a known resource for a user or group created earlier|[section 3.4.1](https://tools.ietf.org/html/rfc7644#section-3.4.1)|

-|Query users or groups|[section 3.4.2](https://tools.ietf.org/html/rfc7644#section-3.4.2). By default, users are retrieved by their `id` and queried by their `username` and `externalId`, and groups are queried by `displayName`.|

-|The filter [excludedAttributes=members](#get-group) when querying the group resource|section 3.4.2.5|

-|Soft-deleting a user `active=false` and restoring the user `active=true`|The user object should be returned in a request whether or not the user is active. The only time the user should not be returned is when it is hard deleted from the application.|

-|Support the /Schemas endpoint|[section 7](https://tools.ietf.org/html/rfc7643#page-30) The schema discovery endpoint will be used to discover additional attributes.|

-|Support listing users and paginating|[section 3.4.2.4](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.4).|

-##### General:

-* `id` is a required property for all resources. Every response that returns a resource should ensure each resource has this property, except for `ListResponse` with zero members.

-* Values sent should be stored in the same format as what they were sent in. Invalid values should be rejected with a descriptive, actionable error message. Transformations of data should not happen between data being sent by Azure AD and data being stored in the SCIM application. (e.g. A phone number sent as 55555555555 should not be saved/returned as +5 (555) 555-5555)

-* Custom complex and multivalued attributes are supported but Azure AD does not have many complex data structures to pull data from in these cases. Simple paired name/value type complex attributes can be mapped to easily, but flowing data to complex attributes with three or more subattributes are not well supported at this time.

-* The "type" sub-attribute values of multivalued complex attributes must be unique. For example, there cannot be two different email addresses with the "work" sub-type.

-##### Retrieving Resources:

-##### /Users:

-* The entitlements attribute is not supported.

-* Any attributes that are considered for user uniqueness must be usable as part of a filtered query. (e.g. if user uniqueness is evaluated for both userName and emails[type eq "work"], a GET to /Users with a filter must allow for both _userName eq "user@contoso.com"_ and _emails[type eq "work"].value eq "user@contoso.com"_ queries.

-##### /Groups:

-* Groups must have uniqueness on the 'displayName' value for the purpose of matching between Azure Active Directory and the SCIM application. This is not a requirement of the SCIM protocol, but is a requirement for integrating a SCIM service with Azure Active Directory.

-##### /Schemas (Schema discovery):

-* Schema discovery is not currently supported on the custom non-gallery SCIM application, but it is being used on certain gallery applications. Going forward, schema discovery will be used as the sole method to add additional attributes to the schema of an existing gallery SCIM application.

-* If a value is not present, do not send null values.

-* Property values should be camel cased (e.g. readWrite).

-* The /schemas request will be made by the Azure AD SCIM client every time someone saves the provisioning configuration in the Azure portal or every time a user lands on the edit provisioning page in the Azure portal. Any additional attributes discovered will be surfaced to customers in the attribute mappings under the target attribute list. Schema discovery only leads to additional target attributes being added. It will not result in attributes being removed.

-

-The following illustration shows the messages that Azure AD sends to a SCIM service to manage the lifecycle of a user in your application's identity store.

-<br/>

-*User provisioning and deprovisioning sequence*

-Group provisioning and deprovisioning are optional. When implemented and enabled, the following illustration shows the messages that Azure AD sends to a SCIM service to manage the lifecycle of a group in your application's identity store. Those messages differ from the messages about users in two ways:

-<br/>

-*Group provisioning and deprovisioning sequence*

-This section provides example SCIM requests emitted by the Azure AD SCIM client and example expected responses. For best results, you should code your app to handle these requests in this format and emit the expected responses.

- - [Create User](#create-user) ([Request](#request) / [Response](#response))

- - [Get User](#get-user) ([Request](#request-1) / [Response](#response-1))

- - [Get User by query](#get-user-by-query) ([Request](#request-2) / [Response](#response-2))

- - [Get User by query - Zero results](#get-user-by-queryzero-results) ([Request](#request-3) / [Response](#response-3))

- - [Update User [Multi-valued properties]](#update-user-multi-valued-properties) ([Request](#request-4) / [Response](#response-4))

- - [Update User [Single-valued properties]](#update-user-single-valued-properties) ([Request](#request-5) / [Response](#response-5))

- - [Disable User](#disable-user) ([Request](#request-14) / [Response](#response-14))

- - [Delete User](#delete-user) ([Request](#request-6) / [Response](#response-6))

- - [Create Group](#create-group) ([Request](#request-7) / [Response](#response-7))

- - [Get Group](#get-group) ([Request](#request-8) / [Response](#response-8))

- - [Get Group by displayName](#get-group-by-displayname) ([Request](#request-9) / [Response](#response-9))

- - [Update Group [Non-member attributes]](#update-group-non-member-attributes) ([Request](#request-10) / [Response](#response-10))

- - [Update Group [Add Members]](#update-group-add-members) ([Request](#request-11) / [Response](#response-11))

- - [Update Group [Remove Members]](#update-group-remove-members) ([Request](#request-12) / [Response](#response-12))

- - [Delete Group](#delete-group) ([Request](#request-13) / [Response](#response-13))

- - [Discover schema](#discover-schema) ([Request](#request-15) / [Response](#response-15))

-###### Response (User not found. Note that the detail is not required, only status.)

-All services must be configured to use the following cipher suites, in the exact order specified below. Note that if you only have an RSA certificate, installed the ECDSA cipher suites do not have any effect. </br>

-The Azure AD provisioning service currently operates under the IP Ranges for AzureActiveDirectory as listed [here](https://www.microsoft.com/download/details.aspx?id=56519&WT.mc_id=rss_alldownloads_all). You can add the IP ranges listed under the AzureActiveDirectory tag to allow traffic from the Azure AD provisioning service into your application. Note that you will need to review the IP range list carefully for computed addresses. An address such as '40.126.25.32' could be represented in the IP range list as '40.126.0.0/18'. You can also programmatically retrieve the IP range list using the following [API](/rest/api/virtualnetwork/servicetags/list).

-Now that you have designed your schema and understood the Azure AD SCIM implementation, you can get started developing your SCIM endpoint. Rather than starting from scratch and building the implementation completely on your own, you can rely on a number of open source SCIM libraries published by the SCIM community.

-The open source .NET Core [reference code example](https://aka.ms/SCIMReferenceCode) published by the Azure AD provisioning team is one such resource that can jump start your development. Once you have built your SCIM endpoint, you will want to test it out. You can use the collection of [postman tests](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint) provided as part of the reference code or run through the sample requests / responses provided [above](#user-operations).

-The _Microsoft.SCIM.WebHostSample_ project is a Visual Studio ASP.NET Core Web Application, based on the _Empty_ template. This allows the sample code to be deployed as standalone, hosted in containers or within Internet Information Services. It also implements the _Microsoft.SCIM.IProvider_ interface keeping classes in memory as a sample identity store.

- public class Startup

- {

- ...

- public IMonitor MonitoringBehavior { get; set; }

- public IProvider ProviderBehavior { get; set; }

- public Startup(IWebHostEnvironment env, IConfiguration configuration)

- {

- ...

- this.MonitoringBehavior = new ConsoleMonitor();

- this.ProviderBehavior = new InMemoryProvider();

- }

-The SCIM service must have an HTTP address and server authentication certificate of which the root certification authority is one of the following names:

-* Microsoft.SCIM.WebHostSample: https://localhost:5001

-* IIS Express: https://localhost:44359/

-Requests from Azure Active Directory include an OAuth 2.0 bearer token. Any service receiving the request should authenticate the issuer as being Azure Active Directory for the expected Azure Active Directory tenant.

-In the token, the issuer is identified by an iss claim, like `"iss":"https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/"`. In this example, the base address of the claim value, `https://sts.windows.net`, identifies Azure Active Directory as the issuer, while the relative address segment, _cbb1a5ac-f33b-45fa-9bf5-f37db0fed422_, is a unique identifier of the Azure Active Directory tenant for which the token was issued.

-The audience for the token will be the application template ID for the application in the gallery, each of the applications registered in a single tenant may receive the same `iss` claim with SCIM requests. The application template ID for all custom apps is _8adf8e6e-67b2-4cf2-a259-e3dc5476c621_. The token generated by the Azure AD provisioning service should only be used for testing. It should not be used in production environments.

-In the sample code, requests are authenticated using the Microsoft.AspNetCore.Authentication.JwtBearer package. The following code enforces that requests to any of the serviceΓÇÖs endpoints are authenticated using the bearer token issued by Azure Active Directory for a specified tenant:

- public void ConfigureServices(IServiceCollection services)

- if (_env.IsDevelopment())

- }

- else

- {

- services.AddAuthentication(options =>

- {

- options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;

- options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;

- })

- .AddJwtBearer(options =>

- {

- options.Authority = " https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/";

- options.Audience = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621";

- ...

- });

- }

- ...

- }

- public void Configure(IApplicationBuilder app)

- {

- ...

- app.UseAuthentication();

- app.UseAuthorization();

- ...

- }

-A bearer token is also required to use of the provided [postman tests](https://github.com/AzureAD/SCIMReferenceCode/wiki/Test-Your-SCIM-Endpoint) and perform local debugging using localhost. The sample code uses ASP.NET Core environments to change the authentication options during development stage and enable the use a self-signed token.

-Azure Active Directory queries the service for a user with an `externalId` attribute value matching the mailNickname attribute value of a user in Azure AD. The query is expressed as a Hypertext Transfer Protocol (HTTP) request such as this example, wherein jyoung is a sample of a mailNickname of a user in Azure Active Directory.

-In the sample code the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. Here is the signature of that method:

-If the response to a query to the web service for a user with an `externalId` attribute value that matches the mailNickname attribute value of a user doesn't return any users, then Azure AD requests that the service provision a user corresponding to the one in Azure AD. Here is an example of such a request:

-```

-In the sample code the request is translated into a call to the CreateAsync method of the serviceΓÇÖs provider. Here is the signature of that method:

-In a request to provision a user, the value of the resource argument is an instance of the Microsoft.SCIM.Core2EnterpriseUser class, defined in the Microsoft.SCIM.Schemas library. If the request to provision the user succeeds, then the implementation of the method is expected to return an instance of the Microsoft.SCIM.Core2EnterpriseUser class, with the value of the Identifier property set to the unique identifier of the newly provisioned user.

-To update a user known to exist in an identity store fronted by an SCIM, Azure Active Directory proceeds by requesting the current state of that user from the service with a request such as:

-In the sample code the request is translated into a call to the RetrieveAsync method of the serviceΓÇÖs provider. Here is the signature of that method:

-* SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

-If a reference attribute is to be updated, then Azure Active Directory queries the service to determine whether the current value of the reference attribute in the identity store fronted by the service already matches the value of that attribute in Azure Active Directory. For users, the only attribute of which the current value is queried in this way is the manager attribute. Here is an example of a request to determine whether the manager attribute of a user object currently has a certain value:

-In the sample code the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. The value of the properties of the object provided as the value of the parameters argument are as follows:

-* parameters.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

-Here, the value of the index x can be 0 and the value of the index y can be 1, or the value of x can be 1 and the value of y can be 0, depending on the order of the expressions of the filter query parameter.

-***Example 5. Request from Azure AD to an SCIM service to update a user***

-Here is an example of a request from Azure Active Directory to an SCIM service to update a user:

-```

-In the sample code the request is translated into a call to the UpdateAsync method of the serviceΓÇÖs provider. Here is the signature of that method:

-|ResourceIdentifier.Identifier|"54D382A4-2050-4C03-94D1-E769F1D15682"|

-|ResourceIdentifier.SchemaIdentifier|"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"|

-|(PatchRequest as PatchRequest2).Operations.Count|1|

-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).OperationName|OperationName.Add|

-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).Path.AttributePath|"manager"|

-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.Count|1|

-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Reference|http://.../scim/Users/2819c223-7f76-453a-919d-413861904646|

-|(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Value| 2819c223-7f76-453a-919d-413861904646|

-To deprovision a user from an identity store fronted by an SCIM service, Azure AD sends a request such as:

-```

-In the sample code the request is translated into a call to the DeleteAsync method of the serviceΓÇÖs provider. Here is the signature of that method:

-* ResourceIdentifier.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

-## Integrate your SCIM endpoint with the Azure AD SCIM client

-> The Azure AD SCIM implementation is built on top of the Azure AD user provisioning service, which is designed to constantly keep users in sync between Azure AD and the target application, and implements a very specific set of standard operations. It's important to understand these behaviors to understand the behavior of the Azure AD SCIM client. For more information, see the section [Provisioning cycles: Initial and incremental](how-provisioning-works.md#provisioning-cycles-initial-and-incremental) in [How provisioning works](how-provisioning-works.md).

-Applications that support the SCIM profile described in this article can be connected to Azure Active Directory using the "non-gallery application" feature in the Azure AD application gallery. Once connected, Azure AD runs a synchronization process every 40 minutes where it queries the application's SCIM endpoint for assigned users and groups, and creates or modifies them according to the assignment details.

-1. Sign in to the [Azure AD portal](https://aad.portal.azure.com). Note that you can get access a free trial for Azure Active Directory with P2 licenses by signing up for the [developer program](https://developer.microsoft.com/office/dev-program)

- 

- *Azure AD application gallery*

- *Azure AD old app gallery experience*

- <br/>

- *Configuring provisioning in the Azure portal*

-1. Select **Test Connection** to have Azure Active Directory attempt to connect to the SCIM endpoint. If the attempt fails, error information is displayed.

-1. In the **Mappings** section, there are two selectable sets of [attribute mappings](customize-application-attributes.md): one for user objects and one for group objects. Select each one to review the attributes that are synchronized from Azure Active Directory to your app. The attributes selected as **Matching** properties are used to match the users and groups in your app for update operations. Select **Save** to commit any changes.

-1. If syncing only assigned users and groups (recommended), be sure to select the **Users and groups** tab and assign the users or groups you want to sync.

-If you're building an application that will be used by more than one tenant, you can make it available in the Azure AD application gallery. This will make it easy for organizations to discover the application and configure provisioning. Publishing your app in the Azure AD gallery and making provisioning available to others is easy. Check out the steps [here](../manage-apps/v2-howto-app-gallery-listing.md). Microsoft will work with you to integrate your application into our gallery, test your endpoint, and release onboarding [documentation](../saas-apps/tutorial-list.md) for customers to use.

-|Long-lived bearer token|Long-lived tokens do not require a user to be present. They are easy for admins to use when setting up provisioning.|Long-lived tokens can be hard to share with an admin without using insecure methods such as email. |Supported for gallery and non-gallery apps. |

-|OAuth authorization code grant|Access tokens are much shorter-lived than passwords, and have an automated refresh mechanism that long-lived bearer tokens do not have. A real user must be present during initial authorization, adding a level of accountability. |Requires a user to be present. If the user leaves the organization, the token is invalid and authorization will need to be completed again.|Supported for gallery apps, but not non-gallery apps. However, you can provide an access token in the UI as the secret token for short term testing purposes. Support for OAuth code grant on non-gallery is in our backlog, in addition to support for configurable auth / token URLs on the gallery app.|

-|OAuth client credentials grant|Access tokens are much shorter-lived than passwords, and have an automated refresh mechanism that long-lived bearer tokens do not have. Both the authorization code grant and the client credentials grant create the same type of access token, so moving between these methods is transparent to the API. Provisioning can be completely automated, and new tokens can be silently requested without user interaction. ||Supported for gallery apps, but not non-gallery apps. However, you can provide an access token in the UI as the secret token for short term testing purposes. Support for OAuth client credentials grant on non-gallery is in our backlog.|

-#### How to setup OAuth code grant flow

- 1. Azure AD provisioning services calls the token URL and provides the grant code. The third party application responds with the access token, refresh token, and expiry date

-> While it's not possible to setup OAuth on the non-gallery applications, you can manually generate an access token from your authorization server and input it as the secret token to a non-gallery application. This allows you to verify compatibility of your SCIM server with the Azure AD SCIM client before onboarding to the app gallery, which does support the OAuth code grant.

-**Long-lived OAuth bearer tokens:** If your application doesn't support the OAuth authorization code grant flow, instead generate a long lived OAuth bearer token that an administrator can use to setup the provisioning integration. The token should be perpetual, or else the provisioning job will be [quarantined](application-provisioning-quarantine-status.md) when the token expires.

-For additional authentication and authorization methods, let us know on [UserVoice](https://aka.ms/appprovisioningfeaturerequest).

-To help drive awareness and demand of our joint integration, we recommend you update your existing documentation and amplify the integration in your marketing channels. The below is a set of checklist activities we recommend you complete to support the launch

-> * Craft a blog post or press release that describes the joint integration, the benefits and how to get started. [Example: Imprivata and Azure Active Directory Press Release](https://www.imprivata.com/company/press/imprivata-introduces-iam-cloud-platform-healthcare-supported-microsoft)

-> * Create a help center article or technical documentation on how customers can get started. [Example: Envoy + Microsoft Azure Active Directory integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/

-After [adding a user for testing](/azure/active-directory/app-proxy/application-proxy-add-on-premises-application#add-a-user-for-testing), you can test the application by accessing https://www.fabrikam.one. The user will be prompted to authenticate in Azure AD, and upon successful authentication, will access the application.

-To prevent false positives, learn how to [Customize Web Application Firewall rules](/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal), configure [Web Application Firewall exclusion lists](/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal), or [Web Application Firewall custom rules](/azure/web-application-firewall/ag/create-custom-waf-rules).

-[waf-overview]: /azure/web-application-firewall/ag/ag-overview

-[appgw_quick]: /azure/application-gateway/quick-create-portal

-[appproxy-add-app]: /azure/active-directory/app-proxy/application-proxy-add-on-premises-application

-[appproxy-optimize]: /azure/active-directory/app-proxy/application-proxy-network-topology

-[appproxy-custom-domain]: /azure/active-directory/app-proxy/application-proxy-configure-custom-domain

-[private-dns]: /azure/dns/private-dns-getstarted-portal

-[waf-logs]: /azure/application-gateway/application-gateway-diagnostics#firewall-log

- // by setting DisableL1Cache to 'false'.

-# Quickstart: Sign in users in single-page apps (SPA) via the auth code flow

- deviceManagementAppId | a valid MDM application ID in Azure AD | device.deviceManagementAppId -eq "0000000a-0000-0000-c000-000000000000" for Intune MDM app ID

- > When targeting your users and groups, you won't be able to select users who have configured [SMS-based authentication](/azure/active-directory/authentication/howto-authentication-sms-signin). This is because users who have a "federated credential" on their user object are blocked to prevent external users from being added to outbound access settings. As a workaround, you can use the [Microsoft Graph API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0) to add the user's object ID directly or target a group the user belongs to.

- - **Guest user access is restricted to properties and memberships of their own directory objects (most restrictive)**: With this setting, guests can access only their own profiles. Guests are not allowed to see other users' profiles, groups, or group memberships.

- - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive)**: To allow guests in the organization to invite other guests including those who are not members of an organization, select this radio button.

-An Azure Active Directory (Azure AD) B2B collaboration or B2B direct connect user can decide to leave an organization at any time if they no longer need to use apps from that organization or maintain any association.

-B2B collaboration and B2B direct connect users can usually leave an organization on their own without having to contact an administrator. This option won't be available if it's not allowed by the organization, or if the user's account has been disabled. The user will need to contact the tenant admin, who can delete the account.

-## Leave an organization

-In your My Account portal, on the Organizations page, you can view and manage the organizations you have access to:

-

-To leave an organization, follow these steps.

-1. Go to your **My Account** page by doing one of the following:

-1. Under **Other organizations you collaborate with**, find the organization that you want to leave, and select **Leave**.

-## Account removal

-When a B2B collaboration user leaves an organization, the user's account is "soft deleted" in the directory. By default, the user object moves to the **Deleted users** area in Azure AD, but permanent deletion doesn't start for 30 days. This soft deletion enables the administrator to restore the user account, including groups and permissions, if the user makes a request to restore the account before it's permanently deleted.

-2. Under **Manage**, select **Users**.

-3. Select **Deleted users**.

-4. Select the check box next to a deleted user, and then select **Delete permanently**.

-You can enable collaboration across Microsoft clouds such as Microsoft Azure China 21Vianet or Microsoft Azure Government with additional configuration. Determine if any of your collaboration partners reside in a different Microsoft cloud. If so, you should [enable collaboration with these partners using Cross Tenant Access Settings](/azure/active-directory/external-identities/cross-cloud-settings).

-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)

- The tenant and its associated information is deleted.

-When a group has no owner, group-managing administrators are still able to manage the group. It is recommended for every group to have at least one owner. Once owners are assigned to a group, the last owner of the group cannot be removed. Please make sure to select another owner before removing the last owner from the group.

- After you remove the owner, you can return to the **Owners** page and see the name has been removed from the list of owners.

-Requests from directory applications are routed to the datacenter that they are physically closest to. Writes are transparently redirected to the primary replica to provide read-write consistency. Secondary replicas significantly extend the scale of partitions because the directories are typically serving reads most of the time.

-A system is more available if it is tolerant to hardware, network, and software failures. For each partition on the directory, a highly available master replica exists: The primary replica. Only writes to the partition are performed at this replica. This replica is being continuously and closely monitored, and writes can be immediately shifted to another replica (which becomes the new primary) if a failure is detected. During failover, there could be a loss of write availability typically of 1-2 minutes. Read availability is not affected during this time.

-A write is durably committed to at least two datacenters prior to it being acknowledged. This happens by first committing the write on the primary, and then immediately replicating the write to at least one other datacenter. This write action ensures that a potential catastrophic loss of the datacenter hosting the primary does not result in data loss.

-* For *reads*, the directory has secondary replicas and corresponding front-end services in an active-active configuration operating in multiple datacenters. In case of a failure of an entire datacenter, traffic will be automatically routed to a different datacenter.

-* For *writes*, the directory will fail over primary (master) replica across datacenters via planned (new primary is synchronized to old primary) or emergency failover procedures. Data durability is achieved by replicating any commit to at least two datacenters.

-Application writes using the Microsoft Graph API of Azure AD are abstracted from maintaining affinity to a directory replica for read-write consistency. The Microsoft Graph API service maintains a logical session, which has affinity to a secondary replica used for reads; affinity is captured in a ΓÇ£replica tokenΓÇ¥ that the service caches using a distributed cache in the secondary replica datacenter. This token is then used for subsequent operations in the same logical session. To continue using the same logical session, subsequent requests must be routed to the same Azure AD datacenter. It is not possible to continue a logical session if the directory client requests are being routed to multiple Azure AD datacenters; if this happens then the client has multiple logical sessions which have independent read-write consistencies.

-Azure AD implements daily backup of directory data and can use these backups to restore data in case of any service-wide issue.

-If any Azure AD service is not working as expected, action is immediately taken to restore functionality as quickly as possible. The most important metric Azure AD tracks is how quickly live site issues can be detected and mitigated for customers. We invest heavily in monitoring and alerts to minimize time to detect (TTD Target: <5 minutes) and operational readiness to minimize time to mitigate (TTM Target: <30 minutes).

-Using operational controls such as multi-factor authentication (MFA) for any operation, as well as auditing of all operations. In addition, using a just-in-time elevation system to grant necessary temporary access for any operational task-on-demand on an ongoing basis. For more information, see [The Trusted Cloud](https://azure.microsoft.com/support/trust-center).

-Azure Active Directory (Azure AD) stores its Customer Data in a geographical location based on the country you provided when you signed up for a Microsoft Online service. Microsoft Online services include Microsoft 365 and Azure.

-Additionally, certain Azure AD features do not yet support storage of Customer Data in Australia. Please go to the [Azure AD data map](https://msit.powerbi.com/view?r=eyJrIjoiYzEyZTc5OTgtNTdlZS00ZTVkLWExN2ItOTM0OWU4NjljOGVjIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9), for specific feature information. For example, Microsoft Azure AD Multi-Factor Authentication stores Customer Data in the US and processes it globally. See [Data residency and customer data for Azure AD Multi-Factor Authentication](../authentication/concept-mfa-data-residency.md).

-Identity data is stored by Azure AD in a geographical location based on the address provided by your organization when subscribing for a Microsoft Online service such as Microsoft 365 and Azure. For information on where your Identity Customer Data is stored, you can use the [Where is your data located?](https://www.microsoft.com/trustcenter/privacy/where-your-data-is-located) section of the Microsoft Trust Center.

-MFA stores Identity Customer Data in global datacenters. To learn more about the user information collected and stored by cloud-based Azure AD MFA and Azure MFA Server, see [Azure Multi-Factor Authentication user data collection](../authentication/concept-mfa-data-residency.md).

-Identity data is stored by Azure AD in a geographical location based on the address provided by your organization when it subscribed for a Microsoft Online service such as Microsoft 365 and Azure. For information on where your identity data is stored, you can use the [Where your data is located](https://www.microsoft.com/trust-center/privacy/data-location) section of the Microsoft Trust Center.

-For more information about what user information is collected by Azure Multi-Factor Authentication Server (MFA Server) and cloud-based Azure AD MFA, see [Azure Multi-Factor Authentication user data collection](../authentication/howto-mfa-reporting-datacollection.md).

-Services and applications that integrate with Azure AD have access to identity data. Evaluate each service and application you use to determine how identity data is processed by that specific service and application, and whether they meet your company's data storage requirements.

-When you're done, you will see a confirmation box thanking you for activating the license plan for your tenant.

-1. Open the **Welcome email**, and then click **Sign In**.

-When any new Microsoft 365 group is created, whether with dynamic or static membership, a welcome notification is sent to all users who are added to the group. When any attributes of a user or device change, all dynamic group rules in the organization are processed for potential membership changes. Users who are added then also receive the welcome notification. You can turn this behavior off in [Exchange PowerShell](/powershell/module/exchange/users-and-groups/Set-UnifiedGroup).

->[!Important]

- >[!Note]

- - If you have any key vaults, they'll be inaccessible and you'll have to fix them after association.

- After the directory is changed for the subscription, you will get a success message.

-For more information, see the Microsoft 365 [tenant id get](https://pnp.github.io/cli-microsoft365/cmd/tenant/id/id-get/) command reference.

-After a user requests to join a group, the request is forwarded to the group owner. If it's required, the owner can approve the request and the user is notified of the group membership. However, if you have multiple owners and one of them disapproves, the user is notified, but isn't added to the group. For more information and instructions about how to let your users request to join groups, see [Set up Azure AD so users can request to join groups](../enterprise-users/groups-self-service-management.md)

-Get started with the [Azure AD operational checks and actions](active-directory-ops-guide-ops.md).

-Get started with the [Authentication management checks and actions](active-directory-ops-guide-auth.md).

-Refer to the [Azure AD deployment plans](active-directory-deployment-plans.md) for implementation details on any capabilities you haven't deployed.

- - **Global privacy contact.** Type the email address for the person to contact for inquiries about personal data privacy. This person is also who Microsoft contacts if there's a data breach related to Azure Active Directory services . If there's no person listed here, Microsoft contacts your global administrators. For Microsoft 365 related privacy incident notifications please see [Microsoft 365 Message center FAQs](/microsoft-365/admin/manage/message-center?preserve-view=true&view=o365-worldwide#frequently-asked-questions)

-When a user account is deleted from the organization, the account is in a suspended state and all the related organization information is preserved. When you restore a user, this organization information is also restored.

-> [!Note]

-Your custom branding won't immediately appear when your users go to sites such as, www\.office.com. Instead, the user has to sign-in before your customized branding appears. After the user has signed in, the branding may take 15 minutes or longer to appear.

- It's recommended to use images without a strong subject focus, e.g., an opaque white box appears in the center of the screen, and could cover any part of the image depending on the dimensions of the viewable space.

- The image can't be taller than 60 pixels or wider than 280 pixels, and the file shouldnΓÇÖt be larger than 10KB. We recommend using a transparent image since the background might not match your logo background. We also recommend not adding padding around the image or it might make your logo look small.

-Add your custom branding to pages by modifying the end of the URL with the text, `?whr=yourdomainname`. This specific modification works on different types of pages, including the Multi-Factor Authentication (MFA) setup page, the Self-service Password Reset (SSPR) setup page, and the sign in page.

-Many Azure Active Directory (Azure AD) services require you to license each of your users or groups (and associated members) for that service. Only users with active licenses will be able to access and use the licensed Azure AD services for which that's true. Licenses are applied per tenant and do not transfer to other tenants.

-Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory &gt; Users &gt; Profile &gt; Settings** area in Azure AD. Any user whose usage location is not specified inherits the location of the Azure AD organization.

-* [Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure](/azure/virtual-desktop/deploy-azure-ad-joined-vm)

-[Implement a cloud-first approach](road-to-the-cloud-implement.md)

-* **Enforce strong authentication** - Strong authentication must always be used when accessing the isolated environment services and infrastructure. Whenever possible, [passwordless authentication](/azure/active-directory/authentication/concept-authentication-passwordless) such as [Windows for Business Hello](/windows/security/identity-protection/hello-for-business/hello-overview) or a [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)) should be used.

-If managed identities aren't supported or not possible, consider [provisioning service principal objects](/azure/active-directory/develop/app-objects-and-service-principals).

-* Consider managing Conditional Access policies at scale with automation using [MS Graph CA API](/azure/active-directory/conditional-access/howto-conditional-access-apis)). For example, you can use the API to configure, manage, and monitor CA policies consistently across tenants.

-The following are additional operational considerations for Azure AD, specific to multiple isolated environments. Check the [Azure Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/), [Azure Security Benchmark](/security/benchmark/azure/) and [Azure AD Operations guide](/azure/active-directory/fundamentals/active-directory-ops-guide-ops) for detailed guidance to operate individual environments.

-* **Privileged role activity** - Configure and review security [alerts generated by Azure AD PIM](/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts). If locking down direct RBAC assignments isn't fully enforceable with technical controls (for example, Owner role has to be granted to product teams to do their job), then monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly to access the subscription with Azure RBAC.

-* [Resource isolation with multiple tenants](secure-with-azure-ad-multiple-tenants.md)

-**Human identities** are user objects that generally represent people in an organization. These identities are either created and managed directly in Azure AD or are synchronized from an on-premises Active Directory to Azure AD for a given organization. These types of identities are referred to as **local identities**. There can also be user objects invited from a partner organization or a social identity provider using [Azure AD B2B collaboration](/azure/active-directory/external-identities/what-is-b2b). In this content, we refer to these types of identity as **external identities**.

-**Non-human identities** include any identity not associated with a human. This type of identity is an object such as an application that requires an identity to run. In this content, we refer to this type of identity as a **workload identity**. Various terms are used to describe this type of identity, including [application objects and service principals](/azure/marketplace/manage-aad-apps).

-* **Service principal object**. Although there are [exceptions](/azure/marketplace/manage-aad-apps), application objects can be considered the *definition* of an application. Service principal objects can be considered an instance of an application. Service principals generally reference an application object, and one application object can be referenced by multiple service principals across directories.

-Azure AD allows application and service principal objects to authenticate with a password (also known as an application secret), or with a certificate. The use of passwords for service principals is discouraged and [we recommend using a certificate](/azure/active-directory/develop/howto-create-service-principal-portal) whenever possible.

-* **Managed identities for Azure resources**. Managed identities are special service principals in Azure AD. This type of service principal can be used to authenticate against services that support Azure AD authentication without needing to store credentials in your code or handle secrets management. For more information, see [What are managed identities for Azure resources?](/azure/active-directory/managed-identities-azure-resources/overview)

-**Hybrid identity**. A hybrid identity is an identity that spans on-premises and cloud environments. This provides the benefit of being able to use the same identity to access on-premises and cloud resources. The source of authority in this scenario is typically an on-premises directory, and the identity lifecycle around provisioning, de-provisioning and resource assignment is also driven from on-premises. For more information, see [Hybrid identity documentation](/azure/active-directory/hybrid/).

-**Conditional Access**. Azure AD Conditional Access policies are tools to bring user and device context into the authorization flow when accessing Azure AD resources. Organizations should explore use of Conditional Access policies to allow, deny, or enhance authentication based on user, risk, device, and network context. For more information, see the [Azure AD Conditional Access documentation](/azure/active-directory/conditional-access/).

-**Device management**. Azure AD is used to manage the lifecycle and integration with cloud and on-premises device management infrastructures. It also is used to define policies to control access from cloud or on-premises devices to your organizational data. Azure AD provides the lifecycle services of devices in the directory and the credential provisioning to enable authentication. It also manages a key attribute of a device in the system that is the level of trust. This detail is important when designing a resource access policy. For more information, see [Azure AD Device Management documentation](/azure/active-directory/devices/).

-Azure AD also provides information on the actions that are being performed within Azure AD, and reports on security risks. For more information, see [Azure Active Directory reports and monitoring](/azure/active-directory/reports-monitoring/).

-* [Best practices](secure-with-azure-ad-best-practices.md)

-Administrative units restrict permissions in a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the [Helpdesk Administrator](/azure/active-directory/roles/permissions-reference) role to regional support specialists, so they can manage users only in the region that they support. An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An administrative unit can contain only:

-For more information on administrative units, see [Administrative units in Azure Active Directory](/azure/active-directory/roles/administrative-units).

->Using [Named Locations](/azure/active-directory/conditional-access/location-condition) can present some challenges to your [zero-trust journey](https://www.microsoft.com/security/business/zero-trust). Verify that using Named Locations fits into your security strategy and principles.

-* **Identity compromise** - Within the boundary of a tenant, any identity can be assigned any role, given the one providing access has sufficient privileges. While the impact of compromised non-privileged identities is largely contained, compromised administrators can have broad impact. For example, if an Azure AD global administrator account is compromised, Azure resources can become compromised. To mitigate risk of identity compromise, or bad actors, implement [tiered administration](/security/compass/privileged-access-access-model) and ensure that you follow principles of least privilege for [Azure AD Administrator Roles](/azure/active-directory/roles/delegate-by-task). Similarly, ensure that you create CA policies that specifically exclude test accounts and test service principals from accessing resources outside of the test applications. For more information on privileged access strategy, see [Privileged access: Strategy](/security/compass/privileged-access-strategy).

-* [Best practices](secure-with-azure-ad-best-practices.md)

-A new tenant provides the ability to have a separate set of administrators. Organizations can choose to use corporate identities through [Azure AD B2B collaboration](/azure/active-directory/external-identities/what-is-b2b). Similarly, organizations can implement [Azure Lighthouse](/azure/lighthouse/overview) for cross-tenant management of Azure resources so that non-production Azure subscriptions can be managed by identities in the production counterpart. Azure Lighthouse can't be used to manage services outside of Azure, such as Intune or Microsoft Endpoint Manager. For Managed Service Providers (MSPs), [Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-overview?view=o365-worldwide) is an admin portal that helps secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium, Microsoft 365 E3, or Windows 365 Business.

-* [Best practices](secure-with-azure-ad-best-practices.md)

-* **User permission check** - Permissions are assigned to users using [role-based access control (RBAC)](/azure/role-based-access-control/overview). An RBAC role specifies a set of permissions a user may take on a specific resource. RBAC helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

-* No central management or configuration of servers. For example, there's no Group Policy that can be applied to a group of servers. Organizations should consider deploying [Update Management in Azure](/azure/automation/update-management/overview) to manage patching and updates of these servers.

-* [Best practices](secure-with-azure-ad-best-practices.md)

-[Studybugs](https://studybugs.com/signin), [Yello](https://yello.co/yello-for-microsoft-teams/), [LawVu](../saas-apps/lawvu-tutorial.md), [Formate eVo Mail](https://www.document-genetics.co.uk/formate-evo-erp-output-management), [Revenue Grid](https://app.revenuegrid.com/login), [Orbit for Office 365](https://azuremarketplace.microsoft.com/marketplace/apps/aad.orbitforoffice365?tab=overview), [Upmarket](https://app.upmarket.ai/), [Alinto Protect](https://protect.alinto.net/), [Cloud Concinnity](https://cloudconcinnity.com/), [Matlantis](https://matlantis.com/), [ModelGen for Visio (MG4V)](https://crecy.com.au/model-gen/), [NetRef: Classroom Management](https://oauth.net-ref.com/microsoft/sso), [VergeSense](../saas-apps/vergesense-tutorial.md), [iAuditor](../saas-apps/iauditor-tutorial.md), [Secutraq](https://secutraq.net/login), [Active and Thriving](../saas-apps/active-and-thriving-tutorial.md), [Inova](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1bacdba3-7a3b-410b-8753-5cc0b8125f81&response_type=code&redirect_uri=https:%2f%2fbroker.partneringplace.com%2fpartner-companion%2f&code_challenge_method=S256&code_challenge=YZabcdefghijklmanopqrstuvwxyz0123456789._-~&scope=1bacdba3-7a3b-410b-8753-5cc0b8125f81/.default), [TerraTrue](../saas-apps/terratrue-tutorial.md), [Facebook Work Accounts](../saas-apps/facebook-work-accounts-tutorial.md), [Beyond Identity Admin Console](../saas-apps/beyond-identity-admin-console-tutorial.md), [Visult](https://app.visult.io/), [ENGAGE TAG](https://app.engagetag.com/), [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-tutorial.md), [CrowdStrike Falcon Platform](../saas-apps/crowdstrike-falcon-platform-tutorial.md), [MY Emergency Control](https://my-emergency.co.uk/app/auth/login), [AlexisHR](../saas-apps/alexishr-tutorial.md), [Teachme Biz](../saas-apps/teachme-biz-tutorial.md), [Zero Networks](../saas-apps/zero-networks-tutorial.md), [Mavim iMprove](https://improve.mavimcloud.com/), [Azumuta](https://app.azumuta.com/login?microsoft=true), [Frankli](https://beta.frankli.io/login), [Amazon Managed Grafana](../saas-apps/amazon-managed-grafana-tutorial.md), [Productive](../saas-apps/productive-tutorial.md), [Create!Webフロー](../saas-apps/createweb-tutorial.md), [Evercate](https://evercate.com/us/sign-up/), [Ezra Coaching](../saas-apps/ezra-coaching-tutorial.md), [Baldwin Safety and Compliance](../saas-apps/baldwin-safety-&-compliance-tutorial.md), [Nulab Pass (Backlog,Cacoo,Typetalk)](../saas-apps/nulab-pass-tutorial.md), [Metatask](../saas-apps/metatask-tutorial.md), [Contrast Security](../saas-apps/contrast-security-tutorial.md), [Animaker](../saas-apps/animaker-tutorial.md), [Traction Guest](../saas-apps/traction-guest-tutorial.md), [True Office Learning - LIO](../saas-apps/true-office-learning-lio-tutorial.md), [Qiita Team](../saas-apps/qiita-team-tutorial.md)

-To learn more about trusts and how to deploy your own, visit [How trust relationships work for forests in Active Directory](/azure/active-directory-domain-services/concepts-forest-trust).

-

-You can also view the writeback state via MS Graph: [Get group](https://docs.microsoft.com/graph/api/group-get?view=graph-rest-beta&tabs=http)

-To see the default behavior in your environment for newly created groups use MS Graph: [directorySetting](https://docs.microsoft.com/graph/api/resources/directorysetting?view=graph-rest-beta)

-You can also use the PowerShell cmdlet [AzureADDirectorySetting](https://docs.microsoft.com/azure/active-directory/enterprise-users/groups-settings-cmdlets)

-To verify if Active Directory has been prepared for Exchange, see [Prepare Active Directory and domains for Exchange Server, Active Directory Exchange Server, Exchange Server Active Directory, Exchange 2019 Active Directory](https://docs.microsoft.com/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019#how-do-you-know-this-worked)

- - See [Configure Microsoft 365 Groups with on-premises Exchange hybrid](https://docs.microsoft.com/exchange/hybrid-deployment/set-up-microsoft-365-groups#prerequisites) for more information.

- - If you haven't [prepared AD for Exchange](https://docs.microsoft.com/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019), mail related attributes of groups won't be written back.

-> Azure Active Directory (AD) Connect follows the [Modern Lifecycle Policy](https://docs.microsoft.com/lifecycle/policies/modern). Changes for products and services under the Modern Lifecycle Policy may be more frequent and require customers to be alert for forthcoming modifications to their product or service.

-> Product governed by the Modern Policy follow a [continuous support and servicing model](https://docs.microsoft.com/lifecycle/overview/product-end-of-support-overview). Customers must take the latest update to remain supported.

-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).

- 2. To do this via PowerShell, use the: [New-AzureADDirectorySetting](https://docs.microsoft.com/azure/active-directory/enterprise-users/groups-settings-cmdlets) cmdlet.

- 3. Via MS Graph: [directorySetting](https://docs.microsoft.com/graph/api/resources/directorysetting?view=graph-rest-beta)

- 2. Disable [Azure AD Connect sync scheduler](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler)

-2. Disable [Azure AD Connect sync scheduler](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler)

-3. Open the [synchronization rule editor](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-create-custom-sync-rule)

-If you're updating the default behavior to delete groups when disabled for writeback or soft deleted, we recommend that you enable the [Active Directory Recycle Bin](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-recycle-bin) feature for your on-premises instances of Active Directory. This feature will allow you to manually restore previously deleted AD groups, so that they can be rejoined to their respective Azure AD groups, if they were accidentally disabled for writeback or soft deleted.

- [Conditional Access](/azure/active-directory/conditional-access/overview).

-architecture](/azure/active-directory/manage-apps/datawiza-with-azure-ad#datawiza-with-azure-ad-authentication-architecture).

- - See, [Quickstart: Create a new tenant in Azure Active Directory.](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant)

- - See, [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).

- - See, [Azure AD built-in roles, all roles](/azure/active-directory/roles/permissions-reference#all-roles).

-To provide an extra level of security for sign-ins, enforce multifactor authentication (MFA) for user sign-in. One way to achieve this is to [enable MFA on the Azure portal](/azure/active-directory/authentication/tutorial-enable-azure-mfa).

-* LMS and Education Management System Leaf supports **Just In Time** user provisioning.

- `https://<SUBDOMAIN>.leaf-hrm.jp/`

-In this section, a user called B.Simon is created in LMS and Education Management System Leaf. LMS and Education Management System Leaf supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in LMS and Education Management System Leaf, a new one is created after authentication.

-Once you configure LMS and Education Management System Leaf you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide)

-After you configure Salesforce, you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-If you don't have an Azure Key Vault instance available, follow [these steps](/azure/key-vault/general/quick-create-portal) to create a key vault using the Azure portal.

-## Use `command invoke` to run commands an with attached file or directory

-description: Introduction to API DevOps with Azure API Management, using Azure Resource Manager templates to manage API deployments in a CI/CD pipeline

-# CI/CD for API Management using Azure Resource Manager templates

-This article shows you how to use API DevOps with Azure API Management, through Azure Resource Manager templates. With the strategic value of APIs, a continuous integration and continuous deployment (CI/CD) pipeline has become an important aspect of API development. It allows organizations to automate deployment of API changes without error-prone manual steps, detect issues earlier, and ultimately deliver value to users faster.

-For details, tools, and code samples to implement the DevOps approach described in this article, see the open-source [Azure API Management DevOps Resource Kit](https://github.com/Azure/azure-api-management-devops-resource-kit) in GitHub. Because customers bring a wide range of engineering cultures and existing automation solutions, the approach isn't a one-size-fits-all solution.

-For architectural guidance, see:

-* **API Management landing zone accelerator**: [Reference architecture](/azure/architecture/example-scenario/integration/app-gateway-internal-api-management-function?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json) and [design guidance](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)

-## The problem

-Organizations today normally have multiple deployment environments (such as development, testing, and production) and use separate API Management instances for each environment. Some instances are shared by multiple development teams, who are responsible for different APIs with different release cadences.

-As a result, customers face the following challenges:

-* How to automate deployment of APIs into API Management

-* How to migrate configurations from one environment to another

-* How to avoid interference between different development teams that share the same API Management instance

-## Manage configurations in Resource Manager templates

-The following image illustrates the proposed approach.

-In this example, there are two deployment environments: *Development* and *Production*. Each has its own API Management instance.

-* API developers have access to the Development instance and can use it for developing and testing their APIs.

-* A designated team called the *API publishers* manages the Production instance.

-The key in this proposed approach is to keep all API Management configurations in [Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). The organization should keep these templates in a source control system such as Git. As illustrated in the image, a Publisher repository contains all configurations of the Production API Management instance in a collection of templates:

-|Template |Description |

-|||

-|Service template | Service-level configurations of the API Management instance, such as pricing tier and custom domains. |

-|Shared templates | Shared resources throughout an API Management instance, such as groups, products, and loggers. |

-|API templates | Configurations of APIs and their subresources: operations, policies, diagnostic settings. |

-|Master (main) template | Ties everything together by [linking](../azure-resource-manager/templates/linked-templates.md) to all templates and deploying them in order. To deploy all configurations to an API Management instance, deploy the main template. You can also deploy each template individually. |

-API developers will fork the Publisher repository to a Developer repository and work on the changes for their APIs. In most cases, they focus on the API templates for their APIs and don't need to change the shared or service templates.

-## Migrate configurations to templates

-API developers face challenges when working with Resource Manager templates:

-* API developers often work with the [OpenAPI Specification](https://github.com/OAI/OpenAPI-Specification) and might not be familiar with Resource Manager schemas. Authoring templates manually might be error-prone.

- A tool called [Creator](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/main/src/README.md#creator) in the resource kit can help automate the creation of API templates based on an Open API Specification file. Additionally, developers can supply API Management policies for an API in XML format.

-* For customers who are already using API Management, another challenge is to extract existing configurations into Resource Manager templates. For those customers, a tool called [Extractor](https://github.com/Azure/azure-api-management-devops-resource-kit/blob/main/src/README.md#Extractor) in the resource kit can help generate templates by extracting configurations from their API Management instances.

-## Workflow

-* After API developers have finished developing and testing an API, and have generated the API templates, they can submit a pull request to merge the changes to the publisher repository.

-* API publishers can validate the pull request and make sure the changes are safe and compliant. For example, they can check if only HTTPS is allowed to communicate with the API. Most validations can be automated as a step in the CI/CD pipeline.

-* Once the changes are approved and merged successfully, API publishers can choose to deploy them to the Production instance either on schedule or on demand. The deployment of the templates can be automated using [GitHub Actions](https://docs.github.com/en/actions), [Azure Pipelines](/azure/devops/pipelines), [Azure PowerShell](../azure-resource-manager/templates/deploy-powershell.md), [Azure CLI](../azure-resource-manager/templates/deploy-cli.md), or other tools.

-With this approach, an organization can automate the deployment of API changes into API Management instances, and it's easy to promote changes from one environment to another. Because different API development teams will be working on different sets of API templates and files, it prevents interference between different teams.

-## Video

-> [!VIDEO https://www.youtube.com/embed/4Sp2Qvmg6j8]

-## Next steps

-> The access tokens provided to your app via EasyAuth do not have scopes for other APIs, such as Graph, even if your application has permissions to access those APIs. To use these APIs, you will need to use Azure Resource Manager to configure the token returned so it can be used to authenticate to other services. For more information, see [Tutorial: Access Microsoft Graph from a secured .NET app as the user](/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=azure-resource-explorer) .

-[Azure portal]: https://portal.azure.com/

-az webapp list-runtimes --os windows | grep php

- For more information, see [Running Gunicorn](https://docs.gunicorn.org/en/stable/run.html) (docs.gunicorn.org). If you are using scale rules to scale your web app up and down, you can dynamically set the number of workers using the `NUM_CORES` environment variable in our startup command, for example: `--workers $((($NUM_CORES*2)+1))`. For more information on setting the recommended number of gunicorn workers, see [the Gunicorn FAQ](https://docs.gunicorn.org/en/stable/design.html#how-many-workers)

-| Region | Normal and dedicated host | Availability zone support |

-| -- | :-: | :-: |

-| Australia East | x | x |

-| Australia Southeast | x | |

-| Brazil South | x | x |

-| Canada Central | x | x |

-| Canada East | x | |

-| Central India | x | x |

-| Central US | x | x |

-| East Asia | x | x |

-| East US | x | x |

-| East US 2 | x | x |

-| France Central | x | x |

-| Germany West Central | x | x |

-| Japan East | x | x |

-| Korea Central | x | x |

-| North Central US | x | |

-| North Europe | x | x |

-| Norway East | x | x |

-| South Africa North | x | x |

-| South Central US | x | x |

-| Southeast Asia | x | x |

-| Sweden Central | x | x |

-| Switzerland North | x | x |

-| UAE North | x | |

-| UK South | x | x |

-| UK West | x | |

-| West Central US | x | |

-| West Europe | x | x |

-| West US | x | |

-| West US 2 | x | x |

-| West US 3 | x | x |

-| US Gov Texas | x | |

-| US Gov Arizona | x | |

-| US Gov Virginia | x | |

-The WordPress configuration is modified to use [Application Settings](reference-app-settings.md#wordpress) to connect to the MySQL database. To change the MySQL database password, see [update admin password](/azure/mysql/single-server/how-to-create-manage-server-portal#update-admin-password). Whenever the MySQL database credentials are changed, the [Application Settings](reference-app-settings.md#wordpress) also need to be updated. The [Application Settings for MySQL database](reference-app-settings.md#wordpress) begin with the **`DATABASE_`** prefix. For more information on updating MySQL passwords, see [WordPress on App Service](https://azure.github.io/AppService/2022/02/23/WordPress-on-App-Service-Public-Preview.html#known-limitations).

-> [Configure PHP app](configure-language-php.md)

-> |DATABASE_PASSWORD|Database|-|-|Database password used to connect to the MySQL database. To change the MySQL database password, see [update admin password](/azure/mysql/single-server/how-to-create-manage-server-portal#update-admin-password). Whenever the MySQL database password is changed, the Application Settings also need to be updated. |

- -->

-When you are finished, you will have a [Quarkus](https://quarkus.io) application storing data in [PostgreSQL](/azure/postgresql) database running on [Azure App Service on Linux](overview.md).

-This tutorial uses a sample Fruits list app with a web UI that calls a Quarkus REST API backed by [Azure Database for PostgreSQL](/azure/postgresql). The code for the app is available [on GitHub](https://github.com/quarkusio/quarkus-quickstarts/tree/main/hibernate-orm-panache-quickstart). To learn more about writing Java apps using Quarkus and PostgreSQL, see the [Quarkus Hibernate ORM with Panache Guide](https://quarkus.io/guides/hibernate-orm-panache) and the [Quarkus Datasource Guide](https://quarkus.io/guides/datasource).

-> [Java in App Service Linux dev guide](configure-language-java.md?pivots=platform-linux)

-The [Chromium browser](https://www.chromium.org/Home) [v80 update](https://chromiumdash.appspot.com/schedule) brought a mandate where HTTP cookies without [SameSite](https://tools.ietf.org/id/draft-ietf-httpbis-rfc6265bis-03.html#rfc.section.5.3.7) attribute have to be treated as SameSite=Lax. In the case of CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to use *SameSite=None; Secure* attributes and it should be sent over HTTPS only. Otherwise, in an HTTP only scenario, the browser doesn't send the cookies in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks.

-### Tags tab

-### Review + create tab

-* For a list of Azure services that support the managed identities for Azure resources feature, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).

-> Before you install this version (v1), we would like you to know about the [next version](../azure-functions/start-stop-vms/overview.md), which is in preview right now. This new version (v2) offers all the same functionality as this one, but is designed to take advantage of newer technology in Azure. It adds some of the commonly requested features from customers, such as multi-subscription support from a single Start/Stop instance.

->

-> Start/Stop VMs during off-hours (v1) will be deprecated soon and the date will be announced once V2 moves to general availability (GA).

-1. Follow the steps [here](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#enable-system-assigned-managed-identity-on-an-existing-vm) to enable the System-assigned managed identity on the VM.

-Ensure that you have [Identity Operator role permission](/azure/role-based-access-control/built-in-roles#managed-identity-operator) to add the user-assigned managed identity to your Automation account.

-[Application Gateway Standard v2](/azure/application-gateway/overview-v2) and Application Gateway with [WAF v2](/azure/web-application-firewall/ag/ag-overview) supports zonal and zone redundant deployments. For more information about zone redundancy, see [Regions and availability zones](az-overview.md).

-2. Follow the steps in [Create an application gateway](../application-gateway/quick-create-portal.md#create-an-application-gateway) or [Create an application gateway with a Web Application Firewall](/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal) to create a new Application Gateway v2 or Application Gateway v2 + WAF v2, respectively. You can reuse your existing Virtual Network or create a new one, but you must create a new frontend Public IP address.

-4. Follow the steps in [Create an application gateway](../application-gateway/quick-create-portal.md#create-an-application-gateway) or [Create an application gateway with a Web Application Firewall](/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal) to create a new Application Gateway v2 or Application Gateway v2 + WAF v2, respectively, using the same Virtual Network, subnets, and Public IP address that you used previously.

-Azure Functions support running [in-process](/azure/azure-functions/functions-dotnet-class-library) or [isolated-process](/azure/azure-functions/dotnet-isolated-process-guide). The main difference in App Configuration usage between the two modes is how the configuration is refreshed. In the in-process mode, you must make a call in each function to refresh the configuration. In the isolated-process mode, there is support for middleware. The App Configuration middleware, `Microsoft.Azure.AppConfiguration.Functions.Worker`, enables the call to refresh configuration automatically before each function is executed.

-> [Access App Configuration using managed identity](./howto-integrate-azure-managed-service-identity.md)

-In this article, you'll learn how to set up private access for your Azure App Configuration store, by creating a [private endpoint](/azure/private-link/private-endpoint-overview) with Azure Private Link. Private endpoints allow access to your App Configuration store using a private IP address from a virtual network.

- 1. Under **Private IP configuration**, select the option to allocate IP addresses dynamically. For more information, refer to [Private IP addresses](/azure/virtual-network/ip-services/private-ip-addresses#allocation-method).

-1. Check the connection state of your private link connection. When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](/azure/private-link/rbac-permissions), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request. For more information about the connection approval models, go to [Manage Azure Private Endpoints](/azure/private-link/manage-private-endpoint#private-endpoint-connections).

-When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](/azure/private-link/rbac-permissions), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request.

-For more information about the connection approval models, go to [Manage Azure Private Endpoints](/azure/private-link/manage-private-endpoint#private-endpoint-connections).

-If you have issues with a private endpoint, check the following guide: [Troubleshoot Azure Private Endpoint connectivity problems](/azure/private-link/troubleshoot-private-endpoint-connectivity).

->[Disable public access in Azure App Configuration](howto-disable-public-access.md)

-This project will use [dependency injection in .NET Azure Functions](/azure/azure-functions/functions-dotnet-dependency-injection) and add Azure App Configuration as an extra configuration source. Azure Functions support running [in-process](/azure/azure-functions/functions-dotnet-class-library) or [isolated-process](/azure/azure-functions/dotnet-isolated-process-guide). Pick the one that matches your requirements.

-> [Access App Configuration using managed identity](./howto-integrate-azure-managed-service-identity.md)

-> Make sure the password of provided domain service AD account here doesn't contain `!` as special characters.

-When you [create support requests](/azure/azure-portal/supportability/how-to-create-azure-support-request) for Azure Arc-enabled Kubernetes, the following version support policy applies:

-* Learn how to [use Azure Policy to apply configurations at scale](./use-azure-policy.md).

-## Version 1.16 - March 2022

-### Known issues

-### New features

-### Fixed

-The Event Grid helps you build automation into your cloud infrastructure, create serverless apps, and integrate across services and clouds. For more information, see [What is Azure Event Grid](/azure/event-grid/overview).

-For more information, see [Azure Cache for Redis with Azure Private Link](/azure/azure-cache-for-redis/cache-private-link).

-For more information, see [Manage Azure resources and monitor costs by creating automation tasks](/azure/logic-apps/create-automation-tasks-azure-resources).

-> For more information on setting these variables, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

-For more information on entry script, see [Define scoring code.](/azure/machine-learning/how-to-deploy-managed-online-endpoints)

-For more information on inference configuration, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

-> The code snippet assumes that `model` contains a registered model, and that `inference_config` contains the configuration for the inference environment. For more information, see [Deploy models with Azure Machine Learning](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

-* Create a [Python app that uses Azure Cache for Redis](./cache-python-get-started.md)

- "type": "Microsoft.Storage/storageAccounts",

- "name": "[variables('storageAccountName')]",

- "apiVersion": "2019-06-01",

- "location": "[resourceGroup().location]",

- "kind": "StorageV2",

- "sku": {

- "name": "[parameters('storageAccountType')]"

- }

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"

- },

- {

- "name": "AzureWebJobsDashboard",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"

- }

- {

- "apiVersion": "2015-05-01",

- "name": "[variables('appInsightsName')]",

- "type": "Microsoft.Insights/components",

- "kind": "web",

- "location": "[resourceGroup().location]",

- "tags": {

- "[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', variables('functionAppName'))]": "Resource"

- },

- "properties": {

- "Application_Type": "web",

- "ApplicationId": "[variables('appInsightsName')]"

- }

- },

- {

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]"

- }

-* [Consumption plan](#consumption) (default)

-* [Premium plan](#premium)

-* [App Service plan](#app-service-plan)

- "apiVersion": "2015-08-01",

- "type": "Microsoft.Web/sites",

- "name": "[variables('functionAppName')]",

- "location": "[resourceGroup().location]",

- "kind": "functionapp",

- "dependsOn": [

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"

- ]

- "siteConfig": {

- "appSettings": [

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

- },

- {

- "name": "WEBSITE_NODE_DEFAULT_VERSION",

- "value": "~14"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~4"

- }

- ]

- }

- "siteConfig": {

- ]

- "apiVersion": "2016-03-01",

- "type": "Microsoft.Web/sites",

- "name": "[variables('functionAppName')]",

- "location": "[resourceGroup().location]",

- "kind": "functionapp",

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

- ],

- "properties": {

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "appSettings": [

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

- },

- {

- "name": "WEBSITE_NODE_DEFAULT_VERSION",

- "value": "~14"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~3"

- },

- {

- "name": "DOCKER_REGISTRY_SERVER_URL",

- "value": "[parameters('dockerRegistryUrl')]"

- },

- {

- "name": "DOCKER_REGISTRY_SERVER_USERNAME",

- "value": "[parameters('dockerRegistryUsername')]"

- },

- {

- "name": "DOCKER_REGISTRY_SERVER_PASSWORD",

- "value": "[parameters('dockerRegistryPassword')]"

- },

- {

- "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",

- "value": "false"

- }

- ],

- "linuxFxVersion": "DOCKER|myacr.azurecr.io/myimage:mytag"

- "parameters": {

- "kubeEnvironmentId" : {

- "type": "string"

- },

- "customLocationId" : {

- "type": "string"

- }

- "extendedLocation": {

- "type": "customlocation",

- "name": "[parameters('customLocationId')]"

- },

- "type": "Microsoft.Web/serverfarms",

- "apiVersion": "2020-12-01",

- "kind": "linux,kubernetes",

- "sku": {

- "name": "K1",

- "tier": "Kubernetes"

- },

- "extendedLocation": {

- "type": "customlocation",

- "name": "[parameters('customLocationId')]"

- "properties": {

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "workerSizeId": "0",

- "numberOfWorkers": "1",

- "kubeEnvironmentProfile": {

- "id": "[parameters('kubeEnvironmentId')]"

- },

- "reserved": true

- }

- "apiVersion": "2018-11-01",

- "type": "Microsoft.Web/sites",

- "name": "[variables('appName')]",

- "kind": "kubernetes,functionapp,linux,container",

- "location": "[parameters('location')]",

- "extendedLocation": {

- "type": "customlocation",

- "name": "[parameters('customLocationId')]"

- },

- "dependsOn": [

- "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[variables('hostingPlanId')]"

- ],

- "properties": {

- "serverFarmId": "[variables('hostingPlanId')]",

- "siteConfig": {

- "linuxFxVersion": "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-appservice-quickstart",

- "appSettings": [

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~3"

- },

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"

- },

- {

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]"

- }

- ],

- "alwaysOn": true

- {

- "apiVersion": "2015-08-01",

- "name": "appsettings",

- "type": "config",

- "dependsOn": [

- "[resourceId('Microsoft.Web/Sites', parameters('appName'))]",

- "[resourceId('Microsoft.Web/Sites/sourcecontrols', parameters('appName'), 'web')]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

- ],

- "properties": {

- "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]",

- "AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]",

- "FUNCTIONS_EXTENSION_VERSION": "~3",

- "FUNCTIONS_WORKER_RUNTIME": "dotnet",

- "Project": "src"

- }

- },

- {

- "apiVersion": "2015-08-01",

- "name": "web",

- "type": "sourcecontrols",

- "dependsOn": [

- "[resourceId('Microsoft.Web/sites/', parameters('appName'))]"

- ],

- "properties": {

- "RepoUrl": "[parameters('sourceCodeRepositoryURL')]",

- "branch": "[parameters('sourceCodeBranch')]",

- "IsManualIntegration": "[parameters('sourceCodeManualIntegration')]"

- }

- }

-* [PowerShell](../azure-resource-manager/templates/deploy-powershell.md)

-* [Azure CLI](../azure-resource-manager/templates/deploy-cli.md)

-* [Azure portal](../azure-resource-manager/templates/deploy-portal.md)

-* [REST API](../azure-resource-manager/templates/deploy-rest.md)

-* [Azure Functions developer reference](functions-reference.md)

-* [How to configure Azure function app settings](functions-how-to-use-azure-function-app-settings.md)

-* [Create your first Azure function](./functions-get-started.md)

-* Verify that the `allowSharedKeyAccess` setting is set to `true` which is its default value. For more information, see [Prevent Shared Key authorization for an Azure Storage account](../storage/common/shared-key-authorization-prevent.md?tabs=portal#verify-that-shared-key-access-is-not-allowed).

-## Container image unavailable (Linux)

-For Linux function apps that run from a container, the "Azure Functions runtime is unreachable" error can occur when the container image being referenced is unavailable or fails to start correctly.

-To confirm that the error is caused for this reason:

-1. Download the Docker logs ZIP file and review them locally, or review the docker logs from within Kudu.

-1. Check for any errors in the logs that would indicate that the container is unable to start successfully.

-Any such error would need to be remedied for the function to work correctly.

-When the container image can't be found, you should see a `manifest unknown` error in the Docker logs. In this case, you can use the Azure CLI commands documented at [How to target Azure Functions runtime versions](set-runtime-version.md?tabs=azurecli) to change the container image being reference. If you've deployed a custom container image, you need to fix the image and redeploy the updated version to the referenced registry.

-By default, function apps created in the Azure portal and by the Azure CLI are set to version 4.x. You can modify this version if needed. You can only downgrade the runtime version to 1.x after you create your function app but before you add any functions. Moving to a later version is allowed even with apps that have existing functions. When your app has existing functions, be aware of any breaking changes between versions before moving to a later runtime version. The following sections detail changes between versions:

-The following are some changes to be aware of before upgrading a 3.x app to 4.x. For a full list, see Azure Functions GitHub issues labeled [*Breaking Change: Approved*](https://github.com/Azure/azure-functions/issues?q=is%3Aissue+label%3A%22Breaking+Change%3A+Approved%22+is%3A%22closed+OR+open%22). More changes are expected during the preview period. Subscribe to [App Service Announcements](https://github.com/Azure/app-service-announcements/issues) for updates.

-The following are the language-specific changes to be aware of before upgrading a 2.x app to 3.x.

-When creating a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. This is because Functions relies on Azure Storage for operations such as managing triggers and logging function executions. Some storage accounts don't support queues and tables. These accounts include blob-only storage accounts and Azure Premium Storage.

-While you can use an existing storage account with your function app, you must make sure that it meets these requirements. Storage accounts created as part of the function app create flow in the Azure portal are guaranteed to meet these storage account requirements. In the portal, unsupported accounts are filtered out when choosing an existing storage account while creating a function app. In this flow, you are only allowed to choose existing storage accounts in the same region as the function app you're creating. To learn more, see [Storage account location](#storage-account-location).

-Every function app requires a storage account to operate. If that account is deleted your function app won't run. To troubleshoot storage-related issues, see [How to troubleshoot storage-related issues](functions-recover-storage-account.md). The following additional considerations apply to the Storage account used by function apps.

-For best performance, your function app should use a storage account in the same region, which reduces latency. The Azure portal enforces this best practice. If, for some reason, you need to use a storage account in a region different than your function app, you must create your function app outside of the portal.

-Functions uses Blob storage to persist important information, such as [function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys). When you apply a [lifecycle management policy](../storage/blobs/lifecycle-management-overview.md) to your Blob Storage account, the policy may remove blobs needed by the Functions host. Because of this, you shouldn't apply such policies to the storage account used by Functions. If you do need to apply such a policy, remember to exclude containers used by Functions, which are usually prefixed with `azure-webjobs` or `scm`.

-## Host ID considerations

-+ Use a separated storage account for each function app involved in the collision.

-+ Rename one of your function apps to a value less than 32 characters in length, which changes the computed host ID for the app and removes the collision.

-To learn how to create app settings, see [Work with application settings](functions-how-to-use-azure-function-app-settings.md#settings).

-Azure Files is set up by default for Premium and non-Linux Consumption plans to serve as a shared file system in high-scale scenarios. The file system is used by the platform for some features such as log streaming, but it primarily ensures consistency of the deployed function payload. When an app is [deployed using an external package URL](./run-functions-from-deployment-package.md), the app content is served from a separate read-only file system, so Azure Files can be omitted if desired. In such cases, a writeable file system is provided, but it is not guaranteed to be shared with all function app instances.

-When Azure Files isn't used, you must account for the following:

-* The app can't use Functions runtime v1.

-If the above are properly accounted for, you may create the app without Azure Files. Create the function app without specifying the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE` application settings. You can do this by generating an ARM template for a standard deployment, removing these two settings, and then deploying the template.

-Because Functions use Azure Files during parts of the the dynamic scale-out process, scaling could be limited when running without Azure Files on Consumption and Premium plans.

-You can mount existing Azure Files shares to your Linux function apps. By mounting a share to your Linux function app, you can leverage existing machine learning models or other data in your functions. You can use the following command to mount an existing share to your Linux function app.

-Currently, only a `storage-type` of `AzureFiles` is supported. You can only mount five shares to a given function app. Mounting a file share may increase the cold start time by at least 200-300ms, or even more when the storage account is in a different region.

-Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, you may optionally use [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) to encrypt Azure [Windows](../virtual-machines/windows/disk-encryption-overview.md) and [Linux](../virtual-machines/linux/disk-encryption-overview.md) IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. This encryption includes [managed disks](../virtual-machines/managed-disks-overview.md), as described later in this section. Azure disk encryption uses the industry standard [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview) feature of Windows and the [DM-Crypt](https://en.wikipedia.org/wiki/Dm-crypt) feature of Linux to provide OS-based volume encryption that is integrated with Azure Key Vault.

-Encryption at host ensures that data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. Disks with encryption at host enabled aren't encrypted with Azure Storage encryption; instead, the server hosting your VM provides the encryption for your data, and that encrypted data flows into Azure Storage. For more information, see [Encryption at host - End-to-end encryption for your VM data](../virtual-machines/disk-encryption.md#encryption-at-hostend-to-end-encryption-for-your-vm-data). As mentioned previously, [Azure Disk encryption](../security/fundamentals/azure-disk-encryption-vms-vmss.md) for virtual machines and virtual machine scale sets isn't supported by Managed HSM. However, encryption at host with CMK is supported by Managed HSM.

-# Managing and maintaining the Log Analytics agent for Windows and Linux

-## Upgrading agent

-The Log Analytics agent for Windows and Linux can be upgraded to the latest release manually or automatically depending on the deployment scenario and environment the VM is running in. The following methods can be used to upgrade the agent.

-| Environment | Installation Method | Upgrade method |

->During the upgrade of the Log Analytics agent for Windows, it does not support configuring or reconfiguring a workspace to report to. To configure the agent, you need to follow one of the supported methods listed under [Adding or removing a workspace](#adding-or-removing-a-workspace).

-The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature, using the following PowerShell commands.

-## Adding or removing a workspace

-> You can't configure the agent to report to more than one workspace during initial setup. [Add or remove a workspace](agent-manage.md#adding-or-removing-a-workspace) after installation by updating the settings from Control Panel or PowerShell.

- | Windows event logs | Log Analytics workspace - [Event](/azure/azure-monitor/reference/tables/Event) table | Information sent to the Windows event logging system |

-Azure Monitor Agent currently supports these Azure Monitor features:

-| [VM insights](../vm/vminsights-overview.md) | Preview | Dependency Agent extension, if youΓÇÖre using the Map Services feature | [Sign-up link](https://aka.ms/amadcr-privatepreviews) |

-Azure Monitor Agent currently supports these Azure

-| [Update Management](../../automation/update-management/overview.md) (available without Azure Monitor Agent) | Use Update Management v2 - Public preview | None | [Update management center (Public preview) documentation](/azure/update-center/) |

-Use the DCR Config Generator tool to parse Log Analytics Agent configuration from your workspaces and generate corresponding data collection rules automatically. You can then associate the rules to machines running the new agent using built-in association policies.

- Option 1:

- Option 2 (if you just want the DCR payload JSON file):

- $dcrJson = Get-DCRJson -ResourceGroupName $rgName -WorkspaceName $workspaceName -PlatformType $platformType $dcrJson | ConvertTo-Json -Depth 10 | Out-File "<filepath>\OutputFiles\dcr_output.json"

- | `FolderPath` | No | Path in which to save the new data collection rules. By default, Azure Monitor uses the current directory. |

-1. Review the output data collection rules. The script can produce two types of ARM template files, depending on the agent configuration in the target workspace:

- - **Condition**. Learn more about conditions for [metric alert rules](/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric#tabpanel_1_metric), [log alert rules](/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=log#tabpanel_1_log), and [activity log alert rules](/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=activity-log#tabpanel_1_activity-log)

-| [Redis](https://www.npmjs.com/package/redis) | 2.x |

-| [MySQL](https://www.npmjs.com/package/mysql) | 2.0.0 - 2.16.x |

-| [PostgreSql](https://www.npmjs.com/package/pg); | 6.x - 7.x |

-[roles]: ./resources-roles-access-control.md

-> [Availability sets](/archive/blogs/kaevans/autoscaling-azurevirtual-machines) are an older scaling feature for virtual machines with limited support. We recommend migrating to [virtual machine scale sets](/azure/virtual-machine-scale-sets/overview) for faster and more reliable autoscale support.

-[Predictive autoscale](/azure/azure-monitor/autoscale/autoscale-predictive) uses machine learning to help manage and scale Azure virtual machine scale sets with cyclical workload patterns. It forecasts the overall CPU load on your virtual machine scale set, based on historical CPU usage patterns. The scale set can then be scaled out in time to meet the predicted demand.

-Use your own custom metrics that your application generates. Configure your application to send metrics to [Application Insights](/azure/azure-monitor/app/app-insights-overview) so you can use those metrics decide when to scale.

- + Start an [Azure Automation runbook](/azure/automation/overview).

- + Call an [Azure Function](/azure/azure-functions/functions-overview).

- + Trigger an [Azure Logic App](/azure/logic-apps/logic-apps-overview).

-| Azure Virtual machines scale sets |[Overview of autoscale with Azure virtual machine scale sets](/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview) |

-+ [Scale virtual machine scale sets](/azure/virtual-machine-scale-sets/tutorial-autoscale-powershell?toc=/azure/azure-monitor/toc.json)

-+ [Autoscale using Resource Manager templates for virtual machine scale sets](/azure/virtual-machine-scale-sets/tutorial-autoscale-powershell?toc=/azure/azure-monitor/toc.json)

-+ [Troubleshooting Azure Monitor autoscale](/azure/azure-monitor/autoscale/autoscale-troubleshoot)

-Learn more about [Change Analysis](./change-analysis.md).

-[Transformations in Azure Monitor](/azure/azure-monitor/essentials/data-collection-transformations) allow you to filter or modify incoming data before it's stored in a Log Analytics workspace. They are implemented as a Kusto Query Language (KQL) statement in a [data collection rule (DCR)](data-collection-rule-overview.md). This article provides details on how this query is structured and limitations on the KQL language allowed.

-This guide walks you through migrating from using Azure diagnostic settings storage retention to using [Azure Storage lifecycle management](/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal) for retention.

-[Configure a lifecycle management policy](/azure/storage/blobs/lifecycle-management-policy-configure?tabs=azure-portal).

-find where TimeGenerated > ago(24h) project _IsBillable, Computer

-> The search job feature is currently in public preview and is not supported in workspaces with [customer-managed keys](customer-managed-keys.md).

-In View Designer, you can use the overview tile to represent and summarize the overall state. These are presented in seven tiles, ranging from numbers to charts. In workbooks, you can create similar visualizations and pin them to your [Azure portal Dashboard](/azure/azure-portal/azure-portal-dashboards). Just like the overview tiles in the Workspace summary, pinned workbook items will link directly to the workbook view.

- - Dependency Agent supports the same [Windows versions Log Analytics Agent supports](/azure/azure-monitor/agents/agents-overview#supported-operating-systems), except Windows Server 2008 SP2 and Azure Stack HCI.

-If you want to stop monitoring your VMs for a while or remove VM insights entirely, see [Disable monitoring of your VMs in VM insights](../vm/vminsights-optout.md).

-[Azure Backup](/azure/backup/) service provides an alternate backup tool for SAP HANA, where database and log backups are streamed into the

-the Azure Backup site on how to [Run SAP HANA native client backup to local disk on a database with Azure Backup enabled](/azure/backup/sap-hana-db-manage#run-sap-hana-native-client-backup-to-local-disk-on-a-database-with-azure-backup-enabled).

-([Copy or move data to Azure Storage by using AzCopy](/azure/storage/common/storage-use-azcopy-v10)).

-[Azure Storage types for SAP workload](/azure/virtual-machines/workloads/sap/planning-guide-storage) web page. Additionally there's a

-[Cost conscious solution with Azure premium storage](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#cost-conscious-solution-with-azure-premium-storage).

-# Azure Percept Studio overview

-description: Shows consumers of Managed Applications how to deploy a service catalog app through the Azure portal.

-# Quickstart: Deploy service catalog app through Azure portal

-In the [preceding quickstart](publish-service-catalog-app.md), you published a managed application definition. In this quickstart, you create a service catalog app from that definition.

-## Create service catalog app

- 

-1. Search for **Service Catalog Managed Application** and select it from the available options.

- 

-1. You see a description of the Managed Application service. Select **Create**.

- 

-1. The portal shows the managed application definitions that you have access to. From the available definitions, select the one you wish to deploy. In this quickstart, use the **Managed Storage Account** definition that you created in the preceding quickstart. Select **Create**.

- 

-1. Provide values for the **Basics** tab. Select the Azure subscription to deploy your service catalog app to. Create a new resource group named **applicationGroup**. Select a location for your app. When finished, select **OK**.

- 

-1. Provide a prefix for the storage account name. Select the type of storage account to create. When finished, select **OK**.

- 

-1. Review the summary. After validation succeeds, select **OK** to begin deployment.

- 

-After the service catalog app has been deployed, you have two new resource groups. One resource group holds the service catalog app. The other resource group holds the resources for the service catalog app.

-1. View the resource group named **applicationGroup** to see the service catalog app.

- 

-1. View the resource group named **applicationGroup{hash-characters}** to see the resources for the service catalog app.

- 

-* To learn how to create the definition files for a managed application, see [Create and publish a managed application definition](publish-service-catalog-app.md).

-* For Azure CLI, see [Deploy service catalog app with Azure CLI](./scripts/managed-application-cli-sample-create-application.md).

-* For PowerShell, see [Deploy service catalog app with PowerShell](./scripts/managed-application-poweshell-sample-create-application.md).

- For more details about comments and metadata see [Understand the structure and syntax of ARM templates](/azure/azure-resource-manager/templates/syntax#comments-and-metadata).

-In addition to the `comments` property, comments using the `//` syntax are supported. For more details about comments and metadata see [Understand the structure and syntax of ARM templates](/azure/azure-resource-manager/templates/syntax#comments-and-metadata). You may choose to save JSON files that contain `//` comments using the `.jsonc` file extension, to indicate the JSON file contains comments. The ARM service will also accept comments in any JSON file including parameters files.

-* For recommendations about how to build templates that work in all Azure cloud environments, see [Develop ARM templates for cloud consistency](./template-cloud-consistency.md).

-The value of the `--template-file` parameter must be a Bicep file or a `.json` or `.jsonc` file. The `.jsonc` file extension indicates the file can contain `//` style comments. The ARM system accepts `//` comments in `.json` files. It does not care about the file extension. For more details about comments and metadata see [Understand the structure and syntax of ARM templates](/azure/azure-resource-manager/templates/syntax#comments-and-metadata).

-For more details about comments and metadata see [Understand the structure and syntax of ARM templates](/azure/azure-resource-manager/templates/syntax#comments-and-metadata).

-* For tips on resolving common deployment errors, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](common-deployment-errors.md).

-In this tutorial series, you've created a template to deploy an Azure storage account. In the next two tutorials, you add an *App Service plan* and a *website*. Instead of creating templates from scratch, you learn how to export templates from the Azure portal and how to use sample templates from the [Azure Quickstart templates](https://azure.microsoft.com/resources/templates/). You customize those templates for your use. This tutorial focuses on exporting templates, and customizing the result for your template. It takes about **14 minutes** to complete.

-You must have Visual Studio Code with the Resource Manager Tools extension, and either Azure PowerShell or Azure CLI. For more information, see [template tools](template-tutorial-create-first-template.md#get-tools).

-At the end of the previous tutorial, your template had the following JSON:

-1. In **Search the Marketplace**, enter **App Service plan**, and then select **App Service plan**. Don't select **App Service plan (classic)**

-1. Enter:

- - **Subscription**: select your Azure subscription.

- - **Resource Group**: Select **Create new** and then specify a name. Provide a different resource group name than the one you have been using in this tutorial series.

- - **Name**: enter a name for the App service plan.

- - **Operating System**: select **Linux**.

- - **Region**: select an Azure location. For example, **Central US**.

- - **Pricing tier**: to save costs, change the SKU to **Basic B1** (under Dev/Test).

-1. Select **Export template**.

-> Typically, the exported template is more verbose than you might want when creating a template. For example, the SKU object in the exported template has five properties. This template works, but you could just use the `name` property. You can start with the exported template, and then modify it as you like to fit your requirements.

-The exported template gives you most of the JSON you need, but you need to customize it for your template. Pay particular attention to differences in parameters and variables between your template and the exported template. Obviously, the export process doesn't know the parameters and variables that you've already defined in your template.

-To run this deployment command, you must have the [latest version](/cli/azure/install-azure-cli) of Azure CLI.

-> If the deployment failed, use the `verbose` switch to get information about the resources being created. Use the `debug` switch to get more information for debugging.

-1. The resource group contains a storage account and an App Service plan.

-If you're stopping now, you might want to clean up the resources you deployed by deleting the resource group.

-1. From the Azure portal, select **Resource group** from the left menu.

-2. Enter the resource group name in the **Filter by name** field.

-3. Select the resource group name.

-You learned how to export a template from the Azure portal, and how to use the exported template for your template development. You can also use the Azure Quickstart templates to simplify template development.

-> [Use Azure Quickstart templates](template-tutorial-quickstart-template.md)

-1. Use [Secure Copy (SCP)](../../../virtual-machines/linux/copy-files-to-linux-vm-using-scp.md) to copy the files to your local machine.

-This tutorial walks you through the steps of creating an Azure Video Indexer account and its accompanying resources by using the Azure portal. The account created is an Azure Resource Manager (ARM) based account which is enabled with all Video Indexer features and capabilities. For information about different Azure Video Indexer account types, see the [Overview of account types](accounts-overview.md) topic.

-For more information, please see [Enable HCX over the internet](/azure/azure-vmware/enable-hcx-access-over-internet)

-Once complete, newer versions of VMware components appear. If you notice any issues or have any questions, contact our support team by opening a support ticket.

-To learn about the limits for the VMware Site Recovery Manager Add-On with the Azure VMware Soltuion, check the [Azure subscription and service limits, quotas, and constraints.](/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-vmware-solution-limits)

-## Prerequisites

-The architecture shows Internet access to and from your Azure VMware Solution private cloud using a Public IP directly to the NSX Edge.

-## Reference architecture

-Refer to [Azure Disk Encryption documentation](../security/fundamentals/azure-disk-encryption-vms-vmss.md).

-Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see the [What is Azure Bastion?](bastion-overview.md).

-When connecting to a Linux virtual machine using SSH, you can use both username/password and SSH keys for authentication. You can connect to your VM with SSH keys by using either:

-* A private key that you manually enter

-* A file that contains the private key information

-* Inbound port: Custom value (you will then need to specify this custom port when you connect to the VM via Azure Bastion)

-## <a name="username"></a>Connect: Using username and password

-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

-1. After you select Bastion, click **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).

-1. On the **Connect using Azure Bastion** page, enter the **Username** and **Password**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-linux/password.png" alt-text="Screenshot shows Password authentication.":::

-1. Select **Connect** to connect to the VM.

-## <a name="privatekey"></a>Connect: Manually enter a private key

-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

- :::image type="content" source="./media/bastion-connect-vm-ssh-linux/connect.png" alt-text="Screenshot of the overview for a virtual machine in Azure portal with Connect selected." lightbox="./media/bastion-connect-vm-ssh-linux/connect.png":::

-1. After you select Bastion, click **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).

-1. On the **Connect using Azure Bastion** page, enter the **Username** and **SSH Private Key**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-linux/ssh-private-key.png" alt-text="Screenshot of SSH Private Key authentication.":::

-1. Enter your private key into the text area **SSH Private Key** (or paste it directly).

-1. Select **Connect** to connect to the VM.

-## <a name="ssh"></a>Connect: Using a private key file

-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

- :::image type="content" source="./media/bastion-connect-vm-ssh-linux/connect.png" alt-text="Screenshot depicts the overview for a virtual machine in Azure portal with Connect selected." lightbox="./media/bastion-connect-vm-ssh-linux/connect.png":::

-1. After you select Bastion, click **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).

-1. On the **Connect using Azure Bastion** page, enter the **Username** and **SSH Private Key from Local File**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-linux/private-key-file.png" alt-text="Screenshot depicts SSH Private Key file.":::

-1. Browse for the file, then select **Open**.

-1. Select **Connect** to connect to the VM. Once you click Connect, SSH to this virtual machine will directly open in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.

-## <a name="akv"></a>Connect: Using a private key stored in Azure Key Vault

-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

- :::image type="content" source="./media/bastion-connect-vm-ssh-linux/connect.png" alt-text="Screenshot showing the overview for a virtual machine in Azure portal with Connect selected" lightbox="./media/bastion-connect-vm-ssh-linux/connect.png":::

-1. After you select Bastion, click **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).

-1. On the **Connect using Azure Bastion** page, enter the **Username** and select **SSH Private Key from Azure Key Vault**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-linux/ssh-key-vault.png" alt-text="Screenshot showing SSH Private Key from Azure Key Vault.":::

-1. Select the **Azure Key Vault** dropdown and select the resource in which you stored your SSH private key.

- * If you didnΓÇÖt set up an Azure Key Vault resource, see [Create a key vault](../key-vault/secrets/quick-create-powershell.md) and store your SSH private key as the value of a new Key Vault secret.

- * Make sure you have **List** and **Get** access to the secrets stored in the Key Vault resource. To assign and modify access policies for your Key Vault resource, see [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-portal.md).

- > [!NOTE]

- > Please store your SSH private key as a secret in Azure Key Vault using the **PowerShell** or **Azure CLI** experience. Storing your private key via the Azure Key Vault portal experience will interfere with the formatting and result in unsuccessful login. If you did store your private key as a secret using the portal experience and no longer have access to the original private key file, see [Update SSH key](../virtual-machines/extensions/vmaccess.md#update-ssh-key) to update access to your target VM with a new SSH key pair.

- >

- :::image type="content" source="./media/bastion-connect-vm-ssh-linux/private-key-stored.png" alt-text="Screenshot showing Azure Key Vault." lightbox="./media/bastion-connect-vm-ssh-linux/private-key-stored.png":::

-1. Select the **Azure Key Vault Secret** dropdown and select the Key Vault secret containing the value of your SSH private key.

-1. Select **Connect** to connect to the VM. Once you click **Connect**, SSH to this virtual machine will directly open in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.

-When connecting to a Windows virtual machine using SSH, you can use both username/password and SSH keys for authentication. You can connect to your VM with SSH keys by using either:

-* A private key that you manually enter

-* A file that contains the private key information

-Make sure that you have set up an Azure Bastion host for the virtual network in which the VM resides. For more information, see [Create an Azure Bastion host](tutorial-create-host-portal.md). Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in this virtual network.

-* Your Windows virtual machine is running Windows Server 2019 or later

-## <a name="username"></a>Connect: Using username and password

-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/connect.png" alt-text="Screenshot of overview for a virtual machine in Azure portal with Connect selected." lightbox="./media/bastion-connect-vm-ssh-windows/connect.png":::

-1. After you select Bastion, select **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).

-1. On the **Connect using Azure Bastion** page, expand the **Connection Settings** section and select **SSH**. If you plan to use an inbound port different from the standard SSH port (22), enter the **Port**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/connection-settings.png" alt-text="Screenshot showing the Connection settings." lightbox="./media/bastion-connect-vm-ssh-windows/connection-settings.png":::

-1. Enter the **Username** and **Password**, and then select **Connect** to connect to the VM.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/authentication.png" alt-text="Screenshot of Password authentication." lightbox="./media/bastion-connect-vm-ssh-windows/authentication.png":::

-## <a name="privatekey"></a>Connect: Manually enter a private key

-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/connect.png" alt-text="Screenshot shows the overview for a virtual machine in Azure portal with Connect selected." lightbox="./media/bastion-connect-vm-ssh-windows/connect.png":::

-1. After you select Bastion, click **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).

-1. On the **Connect using Azure Bastion** page, expand the **Connection Settings** section and select **SSH**. If you plan to use an inbound port different from the standard SSH port (22), enter the **Port**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/connection-settings-manual.png" alt-text="Screenshot of Connection settings." lightbox="./media/bastion-connect-vm-ssh-windows/connection-settings-manual.png":::

-1. Enter the **Username** and **SSH Private Key**. Enter your private key into the text area **SSH Private Key** (or paste it directly).

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/authentication-manual.png" alt-text="Screenshot of SSH key authentication." lightbox="./media/bastion-connect-vm-ssh-windows/authentication-manual.png":::

-1. Select **Connect** to connect to the VM.

-## <a name="ssh"></a>Connect: Using a private key file

-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/connect.png" alt-text="Screenshot depicts the overview for a virtual machine in Azure portal with Connect selected" lightbox="./media/bastion-connect-vm-ssh-windows/connect.png":::

-1. After you select Bastion, click **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).

-1. On the **Connect using Azure Bastion** page, expand the **Connection Settings** section and select **SSH**. If you plan to use an inbound port different from the standard SSH port (22), enter the **Port**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/connection-settings-file.png" alt-text="Screenshot depicts Connection settings." lightbox="./media/bastion-connect-vm-ssh-windows/connection-settings-file.png":::

-1. Enter the **Username** and **SSH Private Key from Local File**. Browse for the file, then select **Open**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/authentication-file.png" alt-text="Screenshot depicts SSH key file." lightbox="./media/bastion-connect-vm-ssh-windows/authentication-file.png":::

-1. Select **Connect** to connect to the VM. Once you click Connect, SSH to this virtual machine will directly open in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.

-## <a name="akv"></a>Connect: Using a private key stored in Azure Key Vault

-1. Open the [Azure portal](https://portal.azure.com). Go to the virtual machine that you want to connect to, then click **Connect** and select **Bastion** from the dropdown.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/connect.png" alt-text="Screenshot is the overview for a virtual machine in Azure portal with Connect selected." lightbox="./media/bastion-connect-vm-ssh-windows/connect.png":::

-1. After you select Bastion, click **Use Bastion**. If you didn't provision Bastion for the virtual network, see [Configure Bastion](./quickstart-host-portal.md).

-1. On the **Connect using Azure Bastion** page, expand the **Connection Settings** section and select **SSH**. If you plan to use an inbound port different from the standard SSH port (22), enter the **Port**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/connection-settings-akv.png" alt-text="Screenshot showing Connection settings." lightbox="./media/bastion-connect-vm-ssh-windows/connection-settings-akv.png":::

-1. Enter the **Username** and select **SSH Private Key from Azure Key Vault**.

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/ssh-key-vault.png" alt-text="Screenshot showing SSH Private Key from Azure Key Vault.":::

-1. Select the **Azure Key Vault** dropdown and select the resource in which you stored your SSH private key.

- * If you didnΓÇÖt set up an Azure Key Vault resource, see [Create a key vault](../key-vault/secrets/quick-create-powershell.md) and store your SSH private key as the value of a new Key Vault secret.

- * Make sure you have **List** and **Get** access to the secrets stored in the Key Vault resource. To assign and modify access policies for your Key Vault resource, see [Assign a Key Vault access policy](../key-vault/general/assign-access-policy-portal.md).

- >[!NOTE]

- >Please store your SSH private key as a secret in Azure Key Vault using the **PowerShell** or **Azure CLI** experience. Storing your private key via the Azure Key Vault portal experience will interfere with the formatting and result in unsuccessful login. If you did store your private key as a secret using the portal experience and no longer have access to the original private key file, see [Update SSH key](../virtual-machines/extensions/vmaccess.md#update-ssh-key) to update access to your target VM with a new SSH key pair.

- >

- :::image type="content" source="./media/bastion-connect-vm-ssh-windows/private-key-stored.png" alt-text="Screenshot showing Azure Key Vault." lightbox="./media/bastion-connect-vm-ssh-windows/private-key-stored.png":::

-1. Select the **Azure Key Vault Secret** dropdown and select the Key Vault secret containing the value of your SSH private key.

-1. Select **Connect** to connect to the VM. Once you click **Connect**, SSH to this virtual machine will directly open in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.

-> [Bastion features and configuration settings](configuration-settings.md)<br>

-description: Learn how to use disk encryption configuration to encrypt nodes with a platform-managed key.

-# Create a pool with disk encryption enabled

-When you create an Azure Batch pool using [Virtual Machine Configuration](nodes-and-pools.md#virtual-machine-configuration), you can encrypt compute nodes in the pool with a platform-managed key by specifying the disk encryption configuration.

-This article explains how to create a Batch pool with disk encryption enabled.

-## Why use a pool with disk encryption configuration?

-With a Batch pool, you can access and store data on the OS and temporary disks of the compute node. Encrypting the server-side disk with a platform-managed key will safeguard this data with low overhead and convenience.

-Batch will apply one of these disk encryption technologies on compute nodes, based on pool configuration and regional supportability.

-You won't be able to specify which encryption method will be applied to the nodes in your pool. Instead, you provide the target disks you want to encrypt on their nodes, and Batch can choose the appropriate encryption method, ensuring the specified disks are encrypted on the compute node.

-> [!IMPORTANT]

-> If you are creating your pool with a Linux [custom image](batch-sig-images.md), you can only enable disk encryption only if your pool is using an [Encryption At Host Supported VM size](../virtual-machines/disk-encryption.md#supported-vm-sizes).

-> Encryption At Host is not currently supported on User Subscription Pools until the feature becomes [publicly available in Azure](../virtual-machines/disks-enable-host-based-encryption-portal.md#prerequisites).

-## Azure portal

-When creating a Batch pool in the the Azure portal, select either **TemporaryDisk** or **OsAndTemporaryDisk** under **Disk Encryption Configuration**.

-After the pool is created, you can see the disk encryption configuration targets in the pool's **Properties** section.

-## Examples

-The following examples show how to encrypt the OS and temporary disks on a Batch pool using the Batch .NET SDK, the Batch REST API, and the Azure CLI.

-### Batch .NET SDK

-```csharp

-pool.VirtualMachineConfiguration.DiskEncryptionConfiguration = new DiskEncryptionConfiguration(

- targets: new List<DiskEncryptionTarget> { DiskEncryptionTarget.OsDisk, DiskEncryptionTarget.TemporaryDisk }

- );

-```

-### Batch REST API

-REST API URL:

-```

-POST {batchURL}/pools?api-version=2020-03-01.11.0

-client-request-id: 00000000-0000-0000-0000-000000000000

-```

-Request body:

-```

-"pool": {

- "id": "pool2",

- "vmSize": "standard_a1",

- "virtualMachineConfiguration": {

- "imageReference": {

- "publisher": "Canonical",

- "offer": "UbuntuServer",

- "sku": "18.04-LTS"

- },

- "diskEncryptionConfiguration": {

- "targets": [

- "OsDisk",

- "TemporaryDisk"

- ]

- }

- "nodeAgentSKUId": "batch.node.ubuntu 18.04"

- },

- "resizeTimeout": "PT15M",

- "targetDedicatedNodes": 5,

- "targetLowPriorityNodes": 0,

- "taskSlotsPerNode": 3,

- "enableAutoScale": false,

- "enableInterNodeCommunication": false

-}

-```

-### Azure CLI

-```azurecli-interactive

-az batch pool create \

- --id diskencryptionPool \

- --vm-size Standard_DS1_V2 \

- --target-dedicated-nodes 2 \

- --image canonical:ubuntuserver:18.04-LTS \

- --node-agent-sku-id "batch.node.ubuntu 18.04" \

- --disk-encryption-targets OsDisk TemporaryDisk

-```

-## Next steps

-|`ipa` | Symbol |

-|-|-|

-| `ˈ` | Primary stress |

-| `ˌ` | Secondary stress |

-| `.` | Syllable boundary |

-| `ː` | Long |

-| `‿` | Linking |

-> [!NOTE]

-> long suprasegmental symbol is `ː` not the punctuation colon `:`.

- :::image type="content" source="../media/quickstart/resource-key.png" alt-text="Screenshot illustrating the resource key.":::

-## Sentence length limits

-When you're using the [BreakSentence](./reference/v3-0-break-sentence.md) function, sentence length is limited to 275 characters. There are exceptions for these languages:

-| Language | Code | Character limit |

-|-||--|

-| Chinese | `zh` | 166 |

-| German | `de` | 800 |

-| Italian | `it` | 800 |

-| Japanese | `ja` | 166 |

-| Portuguese | `pt` | 800 |

-| Spanish | `es` | 800 |

-| Thai | `th` | 180 |

-> [!NOTE]

-> This limit doesn't apply to translations.

-#### Document Translation custom endpoint

-https://<NAME-OF-YOUR-RESOURCE>.cognitiveservices.azure.us/translator/text/batch/v1.0

-description: Use this article to learn about access controls for Azure Cognitive Service for Language

-# Language role-based access control

-Azure Cognitive Service for Language supports Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources. Using Azure RBAC, you assign different team members different levels of permissions for your projects authoring resources. See the [Azure RBAC documentation](/azure/role-based-access-control/) for more information.

-## Enable Azure Active Directory authentication

-To use Azure RBAC, you must enable Azure Active Directory authentication. You can [create a new resource with a custom subdomain](../../authentication.md) or [create a custom subdomain for your existing resource](../../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources).

-## Add role assignment to Language Authoring resource

-Azure RBAC can be assigned to a Language Authoring resource. To grant access to an Azure resource, you add a role assignment.

-1. In the [Azure portal](https://ms.portal.azure.com/), select **All services**.

-2. Select **Cognitive Services**, and navigate to your specific Language Authoring resource.

- > [!NOTE]

- > You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item. For example, selecting **Resource groups** and then navigating to a specific resource group.

-1. Select **Access control (IAM)** on the left navigation pane.

-1. Select **Add**, then select **Add role assignment**.

-1. On the **Role** tab on the next screen, select a role you want to add.

-1. On the **Members** tab, select a user, group, service principal, or managed identity.

-1. On the **Review + assign** tab, select **Review + assign** to assign the role.

-Within a few minutes, the target will be assigned the selected role at the selected scope. For help with these steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

-## Language role types

-Use the following table to determine access needs for your Language projects.

-These custom roles only apply to Language authoring resources.

-> [!NOTE]

-> * All prebuilt capabilities are accessible to all roles.

-> * The "Owner" and "Contributor" roles take priority over custom language roles.

-> * Azure Active Directory (Azure AD) is only used for custom Language roles.

-### Cognitive Services Language reader

-A user that should only be validating and reviewing the Language apps, typically a tester to ensure the application is performing well before deploying the project. They may want to review the applicationΓÇÖs assets to notify the app developers of any changes that need to be made, but do not have direct access to make them. Readers will have access to view the evaluation results.

- :::column span="":::

- **Capabilities**

- :::column-end:::

- :::column span="":::

- **API Access**

- :::column-end:::

- :::column span="":::

- * Read

- * Test

- :::column-end:::

- :::column span="":::

- * All GET APIs under:

- * [Language Authoring CLU APIs](/rest/api/language/conversational-analysis-authoring)

- * [Language Authoring Text Analysis APIs](/rest/api/language/text-analysis-authoring)

- * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects)

- * Only the `TriggerExportProjectJob` POST operation under:

- * [Language Authoring CLU export API](/rest/api/language/conversational-analysis-authoring/export?tabs=HTTP)

- * [Language Authoring Text Analysis export API](/rest/api/language/text-analysis-authoring/export?tabs=HTTP)

- * Only Export POST operation under:

- * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects/export)

- * All the Batch testing web APIs

- *[Language Runtime CLU APIs](/rest/api/language/conversation-analysis-runtime)

- *[Language Runtime Text Analysis APIs](/rest/api/language/text-analysis-runtime)

- :::column-end:::

-### Cognitive Services Language writer

-A user that is responsible for building and modifying an application, as a collaborator in a larger team. The collaborator can modify the Language apps in any way, train those changes, and validate/test those changes in the portal. However, this user shouldnΓÇÖt have access to deploying this application to the runtime, as they may accidentally reflect their changes in production. They also shouldnΓÇÖt be able to delete the application or alter its prediction resources and endpoint settings (assigning or unassigning prediction resources, making the endpoint public). This restricts this role from altering an application currently being used in production. They may also create new applications under this resource, but with the restrictions mentioned.

- :::column span="":::

- **Capabilities**

- :::column-end:::

- :::column span="":::

- **API Access**

- :::column-end:::

- :::column span="":::

- * All functionalities under Cognitive Services Language Reader.

- * Ability to:

- * Train

- * Write

- :::column-end:::

- :::column span="":::

- * All APIs under Language reader

- * All POST, PUT and PATCH APIs under:

- * [Language Authoring CLU APIs](/rest/api/language/conversational-analysis-authoring)

- * [Language Authoring Text Analysis APIs](/rest/api/language/text-analysis-authoring)

- * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects)

- Except for

- * Delete deployment

- * Delete trained model

- * Delete project

- * Deploy model

- :::column-end:::

-### Cognitive Services Language owner

-These users are the gatekeepers for the Language applications in production environments. They should have full access to any of the underlying functions and thus can view everything in the application and have direct access to edit any changes for both authoring and runtime environments

- :::column span="":::

- **Functionality**

- :::column-end:::

- :::column span="":::

- **API Access**

- :::column-end:::

- :::column span="":::

- * All functionalities under Cognitive Services Language Writer

- * Deploy

- * Delete

- :::column-end:::

- :::column span="":::

- * All APIs available under:

- * [Language Authoring CLU APIs](/rest/api/language/conversational-analysis-authoring)

- * [Language Authoring Text Analysis APIs](/rest/api/language/text-analysis-authoring)

- * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects)

-

- :::column-end:::

-> [!NOTE]

-> * To use conversation summarization, you must [submit an online request and have it approved](https://aka.ms/applyforconversationsummarization/).

-> * Conversation summarization is only available through Language resources in the following regions:

-> * North Europe

-> * East US

-> * UK South

-> * Conversation summarization is only available using:

-> * REST API

-> * Python

-* [Summarization overview](../overview.md)

-| Short-Codes | Modern Customer Agreement (Field Led) and Enterprise Agreement Only |

-Contoso.com: Announcing our Holiday Sale. Reply YES to save 5% on your next Contoso purchase. Txt OFF to stop, HELP for terms and conditions.

-To sign up for our last-minute travel deals, Press 1. Message and data rates may apply Visit margiestravel.com for privacy and terms and conditions.

-**Example:** Thanks for texting Contoso! Call 1-800-800-8000 for support.

-**Example:** Contoso Alerts: YouΓÇÖre opted out and will receive no further messages.

-Short Code availability is currently restricted to paid Azure enterprise subscriptions that have a billing address in the United States. Short Codes cannot be acquired on trial accounts or using Azure free credits. For more details, check out our [subscription eligibility page](../numbers/sub-eligibility-number-capability.md).

-Once you have submitted the short code program brief application in the Azure portal, Azure Communication Services works with the aggregators to get your application approved by each mobile carrier. This process generally takes 8-12 weeks.

-

-Azure Communication Services does not support text-to-911 functionality in the United States, but itΓÇÖs possible that you may have an obligation to do so under the rules of the Federal Communications Commission (FCC). You should assess whether the FCCΓÇÖs text-to-911 rules apply to your service or application. To the extent you're covered by these rules, you'll be responsible for routing 911 text messages to emergency call centers that request them. You're free to determine your own text-to-911 delivery model, but one approach accepted by the FCC involves automatically launching the native dialer on the userΓÇÖs mobile device to deliver 911 texts through the underlying mobile carrier.

-Navigate to the Short Codes blade in the resource menu and click on "Get" button to launch the short code program brief application wizard.

-The wizard on the short codes blade will walk you through a series of questions about the program as well as a description of content which helps carriers review and approve your short code program brief. For detailed guidance on how to fill out the program brief application please check [program brief filling guidelines](../../concepts/sms/program-brief-guidelines.md).

-The Short Code Program Brief registration requires details about your messaging program, including the user experience (e.g., call to action, opt-in, opt-out, and message flows) and information about your company. This information helps mobile carriers ensure that your program meets the CTIA (Cellular Telecommunications Industry Association) guidelines as well as regulatory requirements. A short code Program Brief application consists of the following 4 sections:

-You will first need to provide the program name and choose the country/region where you would like to provision the phone number.

-You can select from two short code types: Random, and Vanity. If you select a random short code, you will get a short code that is randomly selected by the U.S. Common Short Codes Association (CSCA). If you select a vanity short code, you are required to input a prioritized list of vanity short codes that youΓÇÖd like to use for your program. The alternatives in the list will be used if the first short code in your list is not available to lease. Example: 234567, 234578, 234589. You can look up the list of available short codes in the [US Short Codes Directory](https://usshortcodedirectory.com/).

-> Azure Communication Service currently only supports SMS. Please check [roadmap](https://github.com/Azure/Communication/blob/master/roadmap.md) for MMS launch.

-#### Enter program information

-This section requires you to provide details about your program such as recurrence of the program, messaging content, type and description of program, privacy policy, and terms of the program.

-This section captures sample messages related to opt-in, opt-out, and other message flows.

-Once completed, review the Program Brief information provided and submit the completed application through the Azure Portal.

-This program brief will now be automatically sent to the Azure Communication ServicesΓÇÖ service desk for review. The service desk specifically is looking to ensure that the provided information is in the right format before sending to all US mobile carriers for approval. The carriers will then review the details of the short code program, a process that can typically take between 8-12 weeks. Once carriers approve the program brief, you will be notified via email. You can now start sending and receiving messages on this short code for your messaging programs.

-Common questions and issues:

- - The associated Azure subscription billing address is located in the United States. You cannot move a resource to another subscription at this time.

- - Your Communication Services resource is provisioned in the United States data location. You cannot move a resource to another data location at this time.

-description: Handle inbound HTTPS calls from external services using Azure Logic Apps.

-# Receive and respond to inbound HTTPS requests in Azure Logic Apps

-With [Azure Logic Apps](../logic-apps/logic-apps-overview.md) and the built-in Request trigger and Response action, you can create automated tasks and workflows that can receive inbound requests over HTTPS. To send outbound requests instead, use the built-in [HTTP trigger or HTTP action](../connectors/connectors-native-http.md).

-For example, you can have your logic app:

-* Trigger a workflow when an external webhook event happens.

-* Receive and respond to an HTTPS call from another logic app.

-This article shows how to use the Request trigger and Response action so that your logic app can receive and respond to inbound calls.

-For more information about security, authorization, and encryption for inbound calls to your logic app, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), exposing your logic app with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests).

-> [!NOTE]

->

-> In a Standard logic app workflow that starts with the Request trigger (but not a webhook trigger), you can

-> use the Azure Functions provision for authenticating inbound calls sent to the endpoint created by that trigger

-> by using a managed identity. This provision is also known as "**Easy Auth**". For more information, review

-> [Trigger workflows in Standard logic apps with Easy Auth](https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/trigger-workflows-in-standard-logic-apps-with-easy-auth/ba-p/3207378).

-## Prerequisites

-* An Azure account and subscription. If you don't have a subscription, you can [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

-* Basic knowledge about [how to create logic apps](../logic-apps/quickstart-create-first-logic-app-workflow.md). If you're new to logic apps, review [What is Azure Logic Apps](../logic-apps/logic-apps-overview.md)?

-<a name="add-request"></a>

-## Add Request trigger

-This built-in trigger creates a manually callable endpoint that can handle *only* inbound requests over HTTPS. When a caller sends a request to this endpoint, the [Request trigger](../logic-apps/logic-apps-workflow-actions-triggers.md#request-trigger) fires and runs the logic app. For more information about how to call this trigger, see [Call, trigger, or nest workflows with HTTPS endpoints in Azure Logic Apps](../logic-apps/logic-apps-http-endpoint.md).

-Your logic app keeps an inbound request open only for a [limited time](../logic-apps/logic-apps-limits-and-config.md#http-limits). Assuming that your logic app includes a [Response action](#add-response), if your logic app doesn't send a response back to the caller after this time passes, your logic app returns a `504 GATEWAY TIMEOUT` status to the caller. If your logic app doesn't include a Response action, your logic app immediately returns a `202 ACCEPTED` status to the caller.

-1. Sign in to the [Azure portal](https://portal.azure.com). Create a blank logic app.

-1. After Logic App Designer opens, in the search box, enter `http request` as your filter. From the triggers list, select the **When an HTTP request is received** trigger.

- 

- The Request trigger shows these properties:

- 

- | **HTTP POST URL** | {none} | Yes | The endpoint URL that's generated after you save the logic app and is used for calling your logic app |

- | **Request Body JSON Schema** | `schema` | No | The JSON schema that describes the properties and values in the incoming request body |

-1. In the **Request Body JSON Schema** box, optionally enter a JSON schema that describes the body in the incoming request, for example:

- 

- The designer uses this schema to generate tokens for the properties in the request. That way, your logic app can parse, consume, and pass along data from the request through the trigger into your workflow.

- Here is the sample schema:

- When you enter a JSON schema, the designer shows a reminder to include the `Content-Type` header in your request and set that header value to `application/json`. For more information, see [Handle content types](../logic-apps/logic-apps-content-type.md).

- 

- Here's what this header looks like in JSON format:

- 

- 

- Here is the sample payload:

- 1. To enforce the inbound message to have the same exact fields that your schema describes, in your schema, add the `required` property and specify the required fields. Add the `addtionalProperties` and set the value to `false`.

- For example, the following schema specifies that the inbound message must have the `msg` field and not any other fields:

- If the inbound call's request body doesn't match your schema, the trigger returns an `HTTP 400 Bad Request` error.

-1. To specify additional properties, open the **Add new parameter** list, and select the parameters that you want to add.

- This example adds the **Method** property:

- 

- 

-1. Now, add another action as the next step in your workflow. Under the trigger, select **Next step** so that you can find the action that you want to add.

- For example, you can respond to the request by [adding a Response action](#add-response), which you can use to return a customized response and is described later in this topic.

- Your logic app keeps the incoming request open only for a [limited time](../logic-apps/logic-apps-limits-and-config.md#http-limits). Assuming that your logic app workflow includes a Response action, if the logic app doesn't return a response after this time passes, your logic app returns a `504 GATEWAY TIMEOUT` to the caller. Otherwise, if your logic app doesn't include a Response action, your logic app immediately returns a `202 ACCEPTED` response to the caller.

-1. When you're done, save your logic app. On the designer toolbar, select **Save**.

- This step generates the URL to use for sending the request that triggers the logic app. To copy this URL, select the copy icon next to the URL.

- 

-1. To test your logic app, send an HTTP request to the generated URL.

- For example, you can use a tool such as [Postman](https://www.getpostman.com/) to send the HTTP request. For more information about the trigger's underlying JSON definition and how to call this trigger, see these topics, [Request trigger type](../logic-apps/logic-apps-workflow-actions-triggers.md#request-trigger) and [Call, trigger, or nest workflows with HTTP endpoints in Azure Logic Apps](../logic-apps/logic-apps-http-endpoint.md).

-For more information about security, authorization, and encryption for inbound calls to your logic app, such as [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security), previously known as Secure Sockets Layer (SSL), [Azure Active Directory Open Authentication (Azure AD OAuth)](../active-directory/develop/index.yml), exposing your logic app with Azure API Management, or restricting the IP addresses that originate inbound calls, see [Secure access and data - Access for inbound calls to request-based triggers](../logic-apps/logic-apps-securing-a-logic-app.md#secure-inbound-requests).

-Here's more information about the outputs from the Request trigger:

-When you use the Request trigger to handle inbound requests, you can model the response and send the payload results back to the caller by using the built-in [Response action](../logic-apps/logic-apps-workflow-actions-triggers.md#response-action). You can use the Response action *only* with the Request trigger. This combination with the Request trigger and Response action creates the [request-response pattern](https://en.wikipedia.org/wiki/Request%E2%80%93response). Except for inside Foreach loops and Until loops, and parallel branches, you can add the Response action anywhere in your workflow.