-Azure AD supports declaring app roles for an application. When a user signs into an application, Azure AD includes a [roles claim](./access-tokens.md#payload-claims) for each role that the user has been granted for that application. Applications receive the tokens that contain the role claims and then can use the information for permission assignments. The roles assigned to the user determine the level of access to resources and functionality.

-graphResourceId=$(az ad sp list --display-name "Microsoft Graph" --query [0].objectId --out tsv)

-ΓÇï

-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md) (You are here.)

-* [Build resilience in your CIAM systems](resilience-b2c.md)

-* [Build resilience in your CIAM systems](resilience-b2c.md)

-* [Build resilience in your CIAM systems](resilience-b2c.md)

-* [Build resilience in your CIAM systems](resilience-b2c.md)

-[Studybugs](https://studybugs.com/signin), [Yello](https://yello.co/yello-for-microsoft-teams/), [LawVu](../saas-apps/lawvu-tutorial.md), [Formate eVo Mail](https://www.document-genetics.co.uk/formate-evo-erp-output-management), [Revenue Grid](https://app.revenuegrid.com/login), [Orbit for Office 365](https://azuremarketplace.microsoft.com/marketplace/apps/aad.orbitforoffice365?tab=overview), [Upmarket](https://app.upmarket.ai/), [Alinto Protect](https://protect.alinto.net/), [Cloud Concinnity](https://cloudconcinnity.com/), [Matlantis](https://matlantis.com/), [ModelGen for Visio (MG4V)](https://crecy.com.au/model-gen/), [NetRef: Classroom Management](https://oauth.net-ref.com/microsoft/sso), [VergeSense](../saas-apps/vergesense-tutorial.md), [iAuditor](../saas-apps/iauditor-tutorial.md), [Secutraq](https://secutraq.net/login), [Active and Thriving](../saas-apps/active-and-thriving-tutorial.md), [Inova](https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=1bacdba3-7a3b-410b-8753-5cc0b8125f81&response_type=code&redirect_uri=https:%2f%2fbroker.partneringplace.com%2fpartner-companion%2f&code_challenge_method=S256&code_challenge=YZabcdefghijklmanopqrstuvwxyz0123456789._-~&scope=1bacdba3-7a3b-410b-8753-5cc0b8125f81/.default), [TerraTrue](../saas-apps/terratrue-tutorial.md), [Facebook Work Accounts](../saas-apps/facebook-work-accounts-tutorial.md), [Beyond Identity Admin Console](../saas-apps/beyond-identity-admin-console-tutorial.md), [Visult](https://visult.app), [ENGAGE TAG](https://app.engagetag.com/), [Appaegis Isolation Access Cloud](../saas-apps/appaegis-isolation-access-cloud-tutorial.md), [CrowdStrike Falcon Platform](../saas-apps/crowdstrike-falcon-platform-tutorial.md), [MY Emergency Control](https://my-emergency.co.uk/app/auth/login), [AlexisHR](../saas-apps/alexishr-tutorial.md), [Teachme Biz](../saas-apps/teachme-biz-tutorial.md), [Zero Networks](../saas-apps/zero-networks-tutorial.md), [Mavim iMprove](https://improve.mavimcloud.com/), [Azumuta](https://app.azumuta.com/login?microsoft=true), [Frankli](https://beta.frankli.io/login), [Amazon Managed Grafana](../saas-apps/amazon-managed-grafana-tutorial.md), [Productive](../saas-apps/productive-tutorial.md), [Create!Webフロー](../saas-apps/createweb-tutorial.md), [Evercate](https://evercate.com/us/sign-up/), [Ezra Coaching](../saas-apps/ezra-coaching-tutorial.md), [Baldwin Safety and Compliance](../saas-apps/baldwin-safety-&-compliance-tutorial.md), [Nulab Pass (Backlog,Cacoo,Typetalk)](../saas-apps/nulab-pass-tutorial.md), [Metatask](../saas-apps/metatask-tutorial.md), [Contrast Security](../saas-apps/contrast-security-tutorial.md), [Animaker](../saas-apps/animaker-tutorial.md), [Traction Guest](../saas-apps/traction-guest-tutorial.md), [True Office Learning - LIO](../saas-apps/true-office-learning-lio-tutorial.md), [Qiita Team](../saas-apps/qiita-team-tutorial.md)

-> * [Single sign-on](facebook-work-accounts-tutorial.md) to Facebook Work Accounts (recommended)

- 

- 

- 1. Enter a valid **Name of the SSO Provider**.

- 1. In the **SAML URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.

- 1. In the **SAML Issuer URL** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.

- 1. **Enable SAML logout redirection** checkbox and in the **SAML Logout URL** textbox, paste the **Logout URL** value which you have copied from the Azure portal.

- 1. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **SAML Certificate** textbox.

- 1. Copy **Audience URL** value, paste this value into the **Identifier** textbox in the **Basic SAML Configuration** section in the Azure portal.

- 1. Copy **ACS (Assertion Consumer Service) URL** value, paste this value into the **Reply URL** text box in the **Basic SAML Configuration** section in the Azure portal.

- 1. In the **Test SSO Setup** section, enter a valid email in the textbox and click **Test SSO**.

- 1. Click **Save Changes**.

-description: Learn how to use kms etcd encryption with Azure Kubernetes Service (AKS)

-# Add KMS etcd encryption to an Azure Kubernetes Service (AKS) cluster

-This article shows you how to enable encryption at rest for your Kubernetes data in etcd using Azure Key Vault with Key Management Service (KMS) plugin. The KMS plugin allows you to:

-* Use a key in Key Vault for etcd encryption

-* Bring your own keys

-* Provide encryption at rest for secrets stored in etcd

-* Rotate the keys in Key Vault

-## Before you begin

-* An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).

-* Azure CLI version 2.39.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-> KMS only supports Konnectivity. You could use `kubectl get po -n kube-system` to check whether there is 'konnectivity-agent-xxx' pod running.

-* KMS etcd encryption doesn't work with System-Assigned Managed Identity. The keyvault access-policy is required to be set before the feature is enabled. In addition, System-Assigned Managed Identity isn't available until cluster creation, thus there's a cycle dependency.

-KMS supports [public key vault][Enable-KMS-with-public-key-vault] and [private key vault][Enable-KMS-with-private-key-vault] now.

->

-> If you need to recover your Key Vault or key, see the [Azure Key Vault recovery management with soft delete and purge protection](../key-vault/general/key-vault-recovery.md?tabs=azure-cli) documentation.

-Use `az keyvault create` to create a KeyVault.

-Use `az keyvault key show` to export the Key ID.

-The above example stores the Key ID in *KEY_ID*.

-Use `az keyvault create` to create a KeyVault using Azure Role Based Access Control.

-Use `az keyvault key show` to export the Key ID.

-The above example stores the Key ID in *KEY_ID*.

-

-Use `az identity create` to create a User-assigned managed identity.

-Use `az identity show` to get Identity Object ID.

-The above example stores the value of the Identity Object ID in *IDENTITY_OBJECT_ID*.

-Use `az identity show` to get Identity Resource ID.

-The above example stores the value of the Identity Resource ID in *IDENTITY_RESOURCE_ID*.

-If your key vault is not enabled with `--enable-rbac-authorization`, you could use `az keyvault set-policy` to create an Azure KeyVault policy.

-If your key vault is enabled with `--enable-rbac-authorization`, you need to assign the "Key Vault Crypto User" RBAC role which has decrypt, encrypt permission.

-Use below command to update all secrets. Otherwise, the old secrets aren't encrypted.

-> [!NOTE]

-> For larger clusters, you may wish to subdivide the secrets by namespace or script an update.

-### Rotate the existing keys

-After changing the key ID (including key name and key version), you could use [az aks update][az-aks-update] with the `--enable-azure-keyvault-kms`, `--azure-keyvault-kms-key-vault-network-access` and `--azure-keyvault-kms-key-id` parameters to rotate the exitsing keys of KMS.

-> Remember to update all secrets after key rotation. Otherwise, the secrets will be unaccessable if the old keys are not existing or working.

-Use below command to update all secrets. Otherwise, the old secrets are still encrypted with the previous key.

-> [!NOTE]

-> For larger clusters, you may wish to subdivide the secrets by namespace or script an update.

-> Deleting the key or the Azure Key Vault is not supported and will cause the secrets to be unrecoverable in the cluster.

->

-> If you need to recover your Key Vault or key, see the [Azure Key Vault recovery management with soft delete and purge protection](../key-vault/general/key-vault-recovery.md?tabs=azure-cli) documentation.

-Use `az keyvault create` to create a priate KeyVault.

-Without private endpoint, it's not supported to create or update keys in private key vault. To manage private key vault, you could refer to [Integrate Key Vault with Azure Private Link](../key-vault/general/private-link-service.md).

-Use `az identity create` to create a User-assigned managed identity.

-Use `az identity show` to get Identity Object ID.

-The above example stores the value of the Identity Object ID in *IDENTITY_OBJECT_ID*.

-Use `az identity show` to get Identity Resource ID.

-The above example stores the value of the Identity Resource ID in *IDENTITY_RESOURCE_ID*.

-If your key vault is not enabled with `--enable-rbac-authorization`, you could use `az keyvault set-policy` to create an Azure KeyVault policy.

-If your key vault is enabled with `--enable-rbac-authorization`, you need to assign a RBAC role which at least contains decrypt, encrypt permission.

-For private key vault, the AKS needs *Key Vault Contributor* role to create private link between private key vault and cluster.

-### Create an AKS cluster with private key vault and enable KMS etcd encryption

-Use below command to update all secrets. Otherwise, the old secrets aren't encrypted.

-> [!NOTE]

-> For larger clusters, you may wish to subdivide the secrets by namespace or script an update.

-### Rotate the existing keys

-After changing the key ID (including key name and key version), you could use [az aks update][az-aks-update] with the `--enable-azure-keyvault-kms`, `--azure-keyvault-kms-key-id`, `--azure-keyvault-kms-key-vault-network-access` and `--azure-keyvault-kms-key-vault-resource-id` parameters to rotate the existing keys of KMS.

-> Remember to update all secrets after key rotation. Otherwise, the secrets will be unaccessable if the old keys are not existing or working.

-Use below command to update all secrets. Otherwise, the old secrets are still encrypted with the previous key.

-> [!NOTE]

-> For larger clusters, you may wish to subdivide the secrets by namespace or script an update.

-> To change a different key vault with different mode (public, private), you could run `az aks update` directly. To change the mode of attached key vault, you need to diable KMS and re-enable it with new key vault ids.

-Use below command to disable the KMS on existing cluster and release the key vault.

-Use below command to re-enable the KMS with updated private key vault.

-After configuring KMS, you could enable [diagnostic-settings for key vault to check the encryption logs](../key-vault/general/howto-logging.md).

-Use below command to disable KMS on existing cluster.

-Use below command to update all secrets. Otherwise, the old secrets are still encrypted with the previous key.

-> [!NOTE]

-> For larger clusters, you may wish to subdivide the secrets by namespace or script an update.

-description: Prepay for Azure Cache for Redis compute resources with reserved capacity

-# Prepay for Azure Cache for Redis compute resources with reserved capacity

-Azure Cache for Redis now helps you save money by prepaying for compute resources compared to pay-as-you-go prices. With Azure Cache for Redis reserved capacity, you make an upfront commitment on cache for one or three years to get a significant discount on the compute costs. To purchase Azure Cache for Redis reserved capacity, you need to specify the Azure region, service tier, and term.

-You do not need to assign the reservation to specific Azure Cache for Redis instances. An already running Azure Cache for Redis or ones that are newly deployed will automatically get the benefit of reserved pricing, up to the reserved cache size. By purchasing a reservation, you are pre-paying for the compute costs for one or three years. As soon as you buy a reservation, the Azure Cache for Redis compute charges that match the reservation attributes are no longer charged at the pay-as-you go rates. A reservation does not cover networking or storage charges associated with the cache. At the end of the reservation term, the billing benefit expires and the Azure Cache for Redis is billed at the pay-as-you go price. Reservations do not auto-renew. For pricing information, see the [Azure Cache for Redis reserved capacity offering](https://azure.microsoft.com/pricing/details/cache).

-You can buy Azure Cache for Redis reserved capacity in the [Azure portal](https://portal.azure.com/). To buy the reserved capacity:

-* You must be in the owner role for at least one Enterprise or individual subscription with pay-as-you-go rates.

-* For Enterprise subscriptions, **Add Reserved Instances** must be enabled in the [EA portal](https://ea.azure.com/). Or, if that setting is disabled, you must be an EA Admin on the subscription.

-* For Cloud Solution Provider (CSP) program, only the admin agents or sales agents can purchase Azure Cache for Redis reserved capacity.

-For example, let's suppose that you're running two caches - one at 13 GB and the other at 26 GB. You'll need both for at least one year. Further, let's suppose that you plan to scale the existing 13-GB caches to 26 GB for a month to meet your seasonal demand, and then scale back. In this case, you can purchase either one P2-cache and one P3-cache or three P2-caches on a one-year reservation to maximize savings. You'll receive discount on the total amount of cache memory you reserve, independent of how that amount is allocated across your caches.

-Reserved capacity is sold in increments of nodes. Each shard contains 2 nodes by default. To buy reserved capacity for a shard, you buy 2 reserved capacity. For the number of nodes calculation, see "View Cost Calculation" on [Pricing calculator](https://azure.microsoft.com/pricing/calculator/). For an explanation of the architecture of a cache, see [A quick summary of cache architecture](cache-failover.md#a-quick-summary-of-cache-architecture).

-## Buy Azure Cache for Redis reserved capacity

-You can buy a reserved VM instance in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Reservations/CreateBlade/). Pay for the reservation [up front or with monthly payments](../cost-management-billing/reservations/prepare-buy-reservation.md).

-4. Fill in the required fields. Existing or new databases that match the attributes you select qualify to get the reserved capacity discount. The actual number of your Azure Cache for Redis instances that get the discount depend on the scope and quantity selected.

-

-| Subscription | The subscription used to pay for the Azure Cache for Redis reserved capacity reservation. The payment method on the subscription is charged the upfront costs for the Azure Cache for Redis reserved capacity reservation. The subscription type must be an enterprise agreement (offer numbers: MS-AZR-0017P or MS-AZR-0148P) or an individual agreement with pay-as-you-go pricing (offer numbers: MS-AZR-0003P or MS-AZR-0023P). For an enterprise subscription, the charges are deducted from the enrollment's Azure Prepayment (previously called monetary commitment) balance or charged as overage. For an individual subscription with pay-as-you-go pricing, the charges are billed to the credit card or invoice payment method on the subscription.

-| Scope | The reservationΓÇÖs scope can cover one subscription or multiple subscriptions (shared scope). If you select: </br></br> **Shared**, the reservation discount is applied to Azure Cache for Redis instances running in any subscriptions within your billing context. For enterprise customers, the shared scope is the enrollment and includes all subscriptions within the enrollment. For Pay-As-You-Go customers, the shared scope is all Pay-As-You-Go subscriptions created by the account administrator.</br></br> **Single subscription**, the reservation discount is applied to Azure Cache for Redis instances in this subscription. </br></br> **Single resource group**, the reservation discount is applied to Azure Cache for Redis instances in the selected subscription and the selected resource group within that subscription.</br></br>**Management group**, the reservation discount is applied to the matching resource in the list of subscriptions that are a part of both the management group and billing scope.

-| Region | The Azure region thatΓÇÖs covered by the Azure Cache for Redis reserved capacity reservation.

-| Pricing tier | The service tier for the Azure Cache for Redis servers.

-| Quantity | The amount of compute resources being purchased within the Azure Cache for Redis reserved capacity reservation. The quantity is a number of caches in the selected Azure region and service tier that are being reserved and will get the billing discount. For example, if you are running or planning to run an Azure Cache for Redis servers with the total cache capacity of 26 GB in the East US region, then you would specify a quantity that gives you the equivalent of 26 GB to maximize the benefit for all caches. The quantity could be one P3-cache or two P2-caches.

-Cache size flexibility helps you scale up or down within a service tier and region, without losing the reserved capacity benefit.

-* To learn how reserved capacity discounts are applied to Azure Cache for Redis, see [Understand the Azure reservation discount](../cost-management-billing/reservations/understand-azure-cache-for-redis-reservation-charges.md)

-* To learn more about Azure Reservations, see the following articles:

- * [What are Azure Reservations?](../cost-management-billing/reservations/save-compute-costs-reservations.md)

- * [Manage Azure Reservations](../cost-management-billing/reservations/manage-reserved-vm-instance.md)

- * [Understand Azure Reservations discount](../cost-management-billing/reservations/understand-reservation-charges.md)

- * [Understand reservation usage for your Pay-As-You-Go subscription](../cost-management-billing/reservations/understand-reservation-charges-mysql.md)

- * [Understand reservation usage for your Enterprise enrollment](../cost-management-billing/reservations/understand-reserved-instance-usage-ea.md)

- * [Azure Reservations in Partner Center Cloud Solution Provider (CSP) program](/partner-center/azure-reservations)

->This same collison can occur between a function app in a production slot and the same function app in a staging slot, when both slots use the same storage account.

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| **Service** | **FedRAMP High** | **DoD IL2** |

-| [Video Analyzer for Media](../../azure-video-indexer/index.yml) (formerly Video Indexer) | &#x2705; | &#x2705; |

-| [Cognitive

-| [Customer Lockbox](../../security/fundamentals/customer-lockbox-overview.md) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

-| [Dynamics 365 Field Service](/dynamics365/field-service/overview) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

-| [HDInsight](../../hdinsight/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

-| [Microsoft Defender for Cloud](../../defender-for-cloud/index.yml) (formerly Azure Security Center) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

-| [Power Automate](/power-automate/) (formerly Microsoft Flow) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

-| [SignalR Service](../../azure-signalr/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | |

-> Custom tables must use a suffix of *_CL*.

- "roleName": "12345678-0000-0000-0000-0FEEDDADBEEF"

- "roleName": "87654321-0000-0000-0000-0FEEDDADBEEF"

-After the deployment completes, you're ready to test the what-if operation. This time you deploy a Bicep file that changes the virtual network. It's missing one the original tags, a subnet has been removed, and the address prefix has changed. Download a copy of the Bicep file.

-| Short-Codes | Modern Customer Agreement (Field Led) and Enterprise Agreement Only** |

-The toll-free verification process ensures that your services running on toll-free numbers (TFNs) comply with carrier policies and industry best practices. This also provides relevant service information to reduce the likelihood of false positive filtering and wrongful spam blocks.ΓÇ»

-September 30, 2022 onwards, all new TFNs must complete a toll-free verification process. All existing TFNs must complete a toll-free verification process by September 30, 2022. If unverified, the TFNs may face SMS service interruptions. Verification can take up to 2-3 weeks.

-This decision has been made to ensure that the toll-free messaging channel is aligned with both short code and 10 DLC, whereby all services are reviewed. It also ensures that the sending brand and the type of traffic your messaging channels deliver is known, documented, and verified.

-For submitting the toll-free verification form, go to the Azure Communications Service Resource that your toll-free number is associated with in Azure portal and navigate to the Phone numbers blade. Click on the Toll-Free verification application link displayed in the infobox at the top of the phone numbers blade.

-Once we receive your toll-free verification form, we will relay it to the toll-free messaging aggregator for them to review and approve it. This process takes 2-3 weeks. We will let you know any updates and the status of your applications via the email you provide in the application. For more questions about your submitted application, please email acstnrequest@microsoft.com.

-* Check whether SFTP server puts a limit on the number of connections from each IP address. If a limit exists, you might have to limit the number of concurrent logic app instances.

-* The SDK has several caches that have to be initialized, which might slow down the first few requests.

-* The connectivity mode should be direct and TCP.

-High network latency can be identified by using the [diagnostics string](/dotnet/api/microsoft.azure.documents.client.resourceresponsebase.requestdiagnosticsstring) in the V2 SDK or [diagnostics](/dotnet/api/microsoft.azure.cosmos.responsemessage.diagnostics#Microsoft_Azure_Cosmos_ResponseMessage_Diagnostics) in V3 SDK.

-If no [timeouts](troubleshoot-dot-net-sdk-request-timeout.md) are present and the diagnostics show single requests where the high latency is evident.

-Network interactions in the diagnostics will be for example:

-```json

-{

- "name": "Microsoft.Azure.Documents.ServerStoreModel Transport Request",

- "id": "0e026cca-15d3-4cf6-bb07-48be02e1e82e",

- "component": "Transport",

- "start time": "12: 58: 20: 032",

- "duration in milliseconds": 1638.5957

-}

-```

-Where the `duration in milliseconds` would show the latency.

-And the latency would be on the difference between `ResponseTime` and `RequestStartTime`:

-```bash

-RequestStartTime: 2020-03-09T22:44:49.5373624Z, RequestEndTime: 2020-03-09T22:44:49.9279906Z, Number of regions attempted:1

-ResponseTime: 2020-03-09T22:44:49.9279906Z, StoreResult: StorePhysicalAddress: rntbd://..., ...

-```

-This latency can have multiple causes:

-* Your application is not running in the same region as your Azure Cosmos DB account.

-* Your [PreferredLocations](/dotnet/api/microsoft.azure.documents.client.connectionpolicy.preferredlocations) or [ApplicationRegion](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.applicationregion) configuration is incorrect and is trying to connect to a different region to where your application is currently running on.

-* There might be a bottleneck on the Network interface because of high traffic. If the application is running on Azure Virtual Machines, there are possible workarounds:

- * Consider using a [Virtual Machine with Accelerated Networking enabled](../../virtual-network/create-vm-accelerated-networking-powershell.md).

- * Enable [Accelerated Networking on an existing Virtual Machine](../../virtual-network/create-vm-accelerated-networking-powershell.md#enable-accelerated-networking-on-existing-vms).

- * Consider using a [higher end Virtual Machine](../../virtual-machines/sizes.md).

-The [query metrics](sql-api-query-metrics.md) will help determine where the query is spending most of the time. From the query metrics, you can see how much of it is being spent on the back-end vs the client. Learn more about [troubleshooting query performance](troubleshoot-query-performance.md).

-* If the back-end query returns quickly, and spends a large time on the client check the load on the machine. It's likely that there are not enough resource and the SDK is waiting for resources to be available to handle the response.

-* If the back-end query is slow, try [optimizing the query](troubleshoot-query-performance.md) and looking at the current [indexing policy](../index-overview.md)

- > [!NOTE]

- > For improved performance, we recommend Windows 64-bit host processing. The SQL SDK includes a native ServiceInterop.dll to parse and optimize queries locally. ServiceInterop.dll is supported only on the Windows x64 platform. For Linux and other unsupported platforms where ServiceInterop.dll isn't available, an additional network call will be made to the gateway to get the optimized query.

-The SDK wasn't able to connect to Azure Cosmos DB.

-Service unavailable exceptions can surface when there are transient connectivity problems that are causing timeouts. Typically, the stack trace related to this scenario will contain a `TransportException` error. For example:

-```C#

-TransportException: A client transport error occurred: The request timed out while waiting for a server response.

-(Time: xxx, activity ID: xxx, error code: ReceiveTimeout [0x0010], base error: HRESULT 0x80131500

-```

-* Learn about performance guidelines for [.NET v3](performance-tips-dotnet-sdk-v3-sql.md) and [.NET v2](performance-tips.md).

-The Microsoft Defender for Cloud's overview page is an interactive dashboard that provides a unified view into the security posture of your hybrid cloud workloads. Additionally, it shows security alerts, coverage information, and more.

-### Vulnerabilities for running images are now visible with Defender for Container on your Windows containers

-Defender for Container now allows you to view vulnerabilities for your running Windows containers.

-When vulnerabilities are detected, Defender for Cloud shows the detected issues, and generates the following security recommendation [Running container images should have vulnerability findings resolved](https://ms.portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c/showSecurityCenterCommandBar~/false).

-Learn more about [viewing your vulnerabilities for running images](defender-for-containers-introduction.md#view-vulnerabilities-for-running-images).

-# Tutorial: Integrate ServiceNow with Microsoft Defender for IoT

-> [!Note]

-> A new [Operational Technology Manager](https://store.servicenow.com/sn_appstore_store.do#!/store/application/31eed0f72337201039e2cb0a56bf65ef/1.1.2?referer=%2Fstore%2Fsearch%3Flistingtype%3Dallintegrations%25253Bancillary_app%25253Bcertified_apps%25253Bcontent%25253Bindustry_solution%25253Boem%25253Butility%25253Btemplate%26q%3Doperational%2520technology%2520manager&sl=sh) integration is now available from the ServiceNow store. The new integration streamlines Microsoft Defender for IoT sensor appliances, OT assets, network connections, and vulnerabilities to ServiceNowΓÇÖs Operational Technology (OT) data model.

->

->Please read the ServiceNowΓÇÖs supporting links and docs for the ServiceNow's terms of service.

->

->Microsoft Defender for IoT's current integration is not affected by the new integration and Microsoft keeps supporting it.

->

-> For more information, please see the [Service Graph Connector (SGC)](https://store.servicenow.com/sn_appstore_store.do#!/store/application/ddd4bf1b53f130104b5cddeeff7b1229) and [Vulnerability Response (VR)](https://store.servicenow.com/sn_appstore_store.do#!/store/application/463a7907c3313010985a1b2d3640dd7e) integrations with Microsoft Defender for IoT on the ServiceNow store.

-This tutorial will help you learn how to integrate, and use ServiceNow with Microsoft Defender for IoT.

-The ServiceNow Configuration Management Database (CMDB) is enriched, and supplemented with a rich set of device attributes that are pushed by the Defender for IoT platform. This ensures a comprehensive, and continuous visibility into the device landscape. This visibility lets you monitor, and respond from a single-pane-of-glass.

-In this tutorial, you learn how to:

-> [!div class="checklist"]

-> * Download the Defender for IoT application in ServiceNow

-> * Set up Defender for IoT to communicate with ServiceNow

-> * Create access tokens in ServiceNow

-> * Send Defender for IoT device attributes to ServiceNow

-> * Set up the integration using an HTTPS proxy

-> * View Defender for IoT detections in ServiceNow

-> * View connected devices

-## Prerequisites

-### Software requirements

-Access to ServiceNow and Defender for IoT

-> [!Note]

->If you are already working with a Defender for IoT and ServiceNow integration and upgrade using the on-premises management console. In that case, the previous data from Defender for IoT sensors should be cleared from ServiceNow.

-### Architecture

- To set up your system to work with an on-premises management console, you will need to disable the ServiceNow Sync, Forwarding Rules, and Proxy configurations on any sensors where they were set up.

-## Download the Defender for IoT application in ServiceNow

-To access the Defender for IoT application within ServiceNow, you will need to download the application from the ServiceNow application store.

-**To access the Defender for IoT application in ServiceNow**:

-1. Navigate to the [ServiceNow application store](https://store.servicenow.com/).

-1. Search for `Defender for IoT` or `CyberX IoT/ICS Management`.

- :::image type="content" source="media/tutorial-servicenow/search-results.png" alt-text="Screenshot of the search screen in ServiceNow.":::

-1. Select the application.

- :::image type="content" source="media/tutorial-servicenow/cyberx-app.png" alt-text="Screenshot of the search screen results.":::

-1. Select **Request App**.

- :::image type="content" source="media/tutorial-servicenow/sign-in.png" alt-text="Sign in to the application with your credentials.":::

-1. Sign in, and download the application.

-## Set up Defender for IoT to communicate with ServiceNow

-Configure Defender for IoT to push alert information to the ServiceNow tables. Defender for IoT alerts will appear in ServiceNow as security incidents. This can be done by defining a Defender for IoT forwarding rule to send alert information to ServiceNow.

-**To push alert information to the ServiceNow tables**:

-1. Sign in to the on-premises management console.

-1. Select **Forwarding**, in the left side pane.

-1. Select the :::image type="icon" source="media/tutorial-servicenow/plus-icon.png" border="false"::: button.

- :::image type="content" source="media/tutorial-servicenow/forwarding-rule.png" alt-text="Screenshot of the Create Forwarding Rule window.":::

-1. Add a rule name.

-1. Define criteria under which Defender for IoT will trigger the forwarding rule. Working with Forwarding rule criteria helps pinpoint and manage the volume of information sent from Defender for IoT to ServiceNow. The following options are available:

- - **Severity levels:** This is the minimum-security level incident to forward. For example, if **Minor** is selected, minor alerts, and any alert above this severity level will be forwarded. Levels are pre-defined by Defender for IoT.

- - **Protocols:** Only trigger the forwarding rule if the traffic detected was running over specific protocols. Select the required protocols from the drop-down list or choose them all.

- - **Engines:** Select the required engines or choose them all. Alerts from selected engines will be sent.

-1. Verify that **Report Alert Notifications** is selected.

-1. In the Actions section, select **Add** and then select **ServiceNow**.

- :::image type="content" source="media/tutorial-servicenow/select-servicenow.png" alt-text="Select ServiceNow from the dropdown options.":::

-1. Enter the ServiceNow action parameters:

- :::image type="content" source="media/tutorial-servicenow/parameters.png" alt-text="Fill in the ServiceNow action parameters.":::

-1. In the **Actions** pane, set the following parameters:

- | Parameter | Description |

- |--|--|

- | Domain | Enter the ServiceNow server IP address. |

- | Username | Enter the ServiceNow server username. |

- | Password | Enter the ServiceNow server password. |

- | Client ID | Enter the Client ID you received for Defender for IoT in the **Application Registries** page in ServiceNow. |

- | Client Secret | Enter the client secret string you created for Defender for IoT in the **Application Registries** page in ServiceNow. |

- | Report Type | **Incidents**: Forward a list of alerts that are presented in ServiceNow with an incident ID and short description of each alert.<br /><br />**Defender for IoT Application**: Forward full alert information, including the sensor details, the engine, the source, and destination addresses. The information is forwarded to the Defender for IoT on the ServiceNow application. |

-1. Select **SAVE**.

-Defender for IoT alerts will now appear as incidents in ServiceNow.

-## Create access tokens in ServiceNow

-A token is needed in order to allow ServiceNow to communicate with Defender for IoT.

-You'll need the `Client ID` and `Client Secret` that you entered when creating the Defender for IoT Forwarding rules. The Forwarding rules forward alert information to ServiceNow, and when configuring Defender for IoT to push device attributes to ServiceNow tables.

-## Send Defender for IoT device attributes to ServiceNow

-Configure Defender for IoT to push an extensive range of device attributes to the ServiceNow tables. To send attributes to ServiceNow, you must map your on-premises management console to a ServiceNow instance. This ensures that the Defender for IoT platform can communicate and authenticate with the instance.

-**To add a ServiceNow instance**:

-1. Sign in to your Defender for IoT on-premises management console.

-1. Select **System Settings**, and then **ServiceNow** from the on-premises management console Integration section.

- :::image type="content" source="media/tutorial-servicenow/servicenow.png" alt-text="Screenshot of the select the ServiceNow button.":::

-1. Enter the following sync parameters in the ServiceNow Sync dialog box.

- :::image type="content" source="media/tutorial-servicenow/sync.png" alt-text="Screenshot of the ServiceNow sync dialog box.":::

- Parameter | Description |

- |--|--|

- | Enable Sync | Enable and disable the sync after defining parameters. |

- | Sync Frequency (minutes) | By default, information is pushed to ServiceNow every 60 minutes. The minimum is 5 minutes. |

- | ServiceNow Instance | Enter the ServiceNow instance URL. |

- | Client ID | Enter the Client ID you received for Defender for IoT in the **Application Registries** page in ServiceNow. |

- | Client Secret | Enter the Client Secret string you created for Defender for IoT in the **Application Registries** page in ServiceNow. |

- | Username | Enter the username for this instance. |

- | Password | Enter the password for this instance. |

-1. Select **SAVE**.

-Verify that the on-premises management console is connected to the ServiceNow instance by reviewing the Last Sync date.

-## Set up the integrations using an HTTPS proxy

-When setting up the Defender for IoT and ServiceNow integration, the on-premises management console and the ServiceNow server communicate using port 443. If the ServiceNow server is behind a proxy, the default port can't be used.

-Defender for IoT supports an HTTPS proxy in the ServiceNow integration by enabling the change of the default port used for integration.

-**To configure the proxy**:

-1. Edit the global properties on the on-premises management console using the following command:

- ```bash

- sudo vim /var/cyberx/properties/global.properties

- ```

-2. Add the following parameters:

- - `servicenow.http_proxy.enabled=1`

- - `servicenow.http_proxy.ip=1.179.148.9`

- - `servicenow.http_proxy.port=59125`

-3. Select **Save and Exit**.

-4. Reset the on-premises management console using the following command:

- ```bash

- sudo monit restart all

- ```

-After the configurations are set, all the ServiceNow data is forwarded using the configured proxy.

-## View Defender for IoT detections in ServiceNow

-This article describes the device attributes and alert information presented in ServiceNow.

-**To view device attributes**:

-1. Sign in to ServiceNow.

-2. Navigate to **CyberX Platform**.

-3. Navigate to **Inventory**, or **Alert**.

- [:::image type="content" source="media/tutorial-servicenow/alert-list.png" alt-text="Screenshot of the Inventory or Alert.":::](media/tutorial-servicenow/alert-list.png#lightbox)

-## View connected devices

-To view connected devices:

-1. Select a device, and then select the **Appliance** listed in for that device.

- :::image type="content" source="media/tutorial-servicenow/appliance.png" alt-text="Screenshot of the desired appliance from the list.":::

-1. In the **Device Details** dialog box, select **Connected Devices**.

-## Clean up resources

-There are no resources to clean up.

-In this article, you learned how to get started with the ServiceNow integration. Continue on to learn about our [Cisco integration](./tutorial-forescout.md).

-description: How to use symmetric keys to provision devices with your Device Provisioning Service (DPS) instance

-# How to provision devices using symmetric key enrollment groups

-This article demonstrates how to securely provision multiple simulated symmetric key devices to a single IoT Hub using an enrollment group.

-If you can easily install a [hardware security module (HSM)](concepts-service.md#hardware-security-module) and a certificate, then that may be a better approach for identifying and provisioning your devices. Using an HSM will allow you to bypass updating the code deployed to all your devices, and you would not have a secret key embedded in your device images. This article assumes that neither an HSM or a certificate is a viable option. However, it is assumed that you do have some method of updating device code to use the Device Provisioning Service to provision these devices.

-This article also assumes that the device update takes place in a secure environment to prevent unauthorized access to the master group key or the derived device key.

-This article is oriented toward a Windows-based workstation. However, you can perform the procedures on Linux. For a Linux example, see [How to provision for multitenancy](how-to-provision-multitenant.md).

-> The sample used in this article is written in C. There is also a [C# device provisioning symmetric key sample](https://github.com/Azure-Samples/azure-iot-samples-csharp/tree/main/provisioning/Samples/device/SymmetricKeySample) available. To use this sample, download or clone the [azure-iot-samples-csharp](https://github.com/Azure-Samples/azure-iot-samples-csharp) repository and follow the in-line instructions in the sample code. You can follow the instructions in this article to create a symmetric key enrollment group using the portal and to find the ID Scope and enrollment group primary and secondary keys needed to run the sample. You can also create individual enrollments using the sample.

-The device code demonstrated in this article will follow the same pattern as the [Quickstart: Provision a simulated symmetric key device](quick-create-simulated-device-symm-key.md). The code will simulate a device using a sample from the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c). The simulated device will attest with an enrollment group instead of an individual enrollment as demonstrated in the quickstart.

-description: How to provision devices for multitenancy with your Device Provisioning Service (DPS) instance

-# How to provision for multitenancy

-This how-to shows how to securely provision multiple simulated symmetric key devices to a group of IoT Hubs using an [allocation policy](concepts-service.md#allocation-policy). Allocation policies that are defined by the provisioning service support a variety of allocation scenarios. Two common scenarios are:

-This article uses a simulated device sample from the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c) to demonstrate how to provision devices in a multitenant scenario across regions. You will perform the following steps in this article:

->It's recommended that you use the same resource group for all resources created in this article. This will make clean up easier after you are finished.

-For simplicity, this article uses [Symmetric key attestation](concepts-symmetric-key-attestation.md) with the enrollment. For a more secure solution, consider using [X.509 certificate attestation](concepts-x509-attestation.md) with a chain of trust.

-If you plan to continue working with resources created in this article, you can leave them. Otherwise, use the following steps to delete all resources created by this article to avoid unnecessary charges.

-The steps here assume that you created all resources in this article as instructed in the same resource group named **contoso-us-resource-group**.

-description: This tutorial uses enrollment groups. In this tutorial, you learn how to provision X.509 devices using a custom Hardware Security Module (HSM) and the C device SDK for Azure IoT Hub Device Provisioning Service (DPS).

- >Confirm that the Visual Studio prerequisites (Visual Studio and the 'Desktop development with C++' workload) are installed on your machine, **before** starting the `CMake` installation. Once the prerequisites are in place, and the download is verified, install the CMake build system. Also, be aware that older versions of the CMake build system fail to generate the solution file used in this article. Make sure to use the latest version of CMake.

-1. Create the directory structure, the database file (index.txt), and the serial number file (serial) used by OpenSSL commands in this article:

-While HSM hardware isn't required, it is recommended to protect sensitive information like the certificate's private key. If an actual HSM was being called by the sample, the private key wouldn't be present in the source code. Having the key in the source code exposes the key to anyone that can view the code. This is only done in this article to assist with learning.

-# Configure Microsoft Connected Cache for Device Update for Azure IoT Hub

-Microsoft Connected Cache is deployed to Azure IoT Edge gateways as an Azure IoT Edge Module. Like other Azure IoT Edge modules, MCC module deployment environment variables and container create options are used to configure Microsoft Connected Cache modules. This section defines the environment variables and container create options that are required for a customer to successfully deploy the Microsoft Connected Cache module for use by Device Update for Azure IoT Hub.

-## Microsoft Connected Cache Azure IoT Edge module deployment details

-Naming of the Microsoft Connected Cache module is at the discretion of the administrator. There are no other module or service interactions that rely on the name of the module for communication. Additionally, the parent child relationship of the Microsoft Connected Cache servers is not dependent on this module name, but rather the FQDN or Ip address of the Azure IoT Edge gateway that has been configured as discussed earlier.

-Microsoft Connected Cache Azure IoT Edge Module Environment Variables are used to pass basic module identity information and functional module settings to the container.

-| Variable Name | Value Format | Required/Optional | Functionality |

-| -- | | -- | |

-| CUSTOMER_ID | Azure Subscription ID GUID | Required | This is the customer's key, which provides secure<br>authentication of the cache node to Delivery Optimization<br>Services.<br>Required in order for module to function. |

-| CACHE_NODE_ID | Cache Node ID GUID | Required | Uniquely identifies the Microsoft Connected Cache<br>node to Delivery Optimization Services.<br>Required in order<br> for module to function. |

-| CUSTOMER_KEY | Customer Key GUID | Required | This is the customer's key, which provides secure<br>authentication of the cache node to Delivery Optimization Services.<br>Required in order for module to function.|

-| STORAGE_*N*_SIZE_GB | Where N is the cache drive | Required | Specify up to 9 drives to cache content and specify the maximum space in<br>Gigabytes to allocate for content on each cache drive. Examples:<br>STORAGE_1_SIZE_GB = 150<br>STORAGE_2_SIZE_GB = 50<br>The number of the drive must match the cache drive binding values specified<br>in the Container Create Option MicrosoftConnectedCache*N* value<br>Minimum size of the cache is 10GB.|

-| UPSTREAM_HOST | FQDN/IP | Optional | This value can specify an upstream Microsoft Connected<br>Cache node that acts as a proxy if the Connected Cache node<br> is disconnected from the internet. This setting is used to support<br> the Nested IoT scenario.<br>**Note:** Microsoft Connected Cache listens on http default port 80.|

-| UPSTREAM_PROXY | FQDN/IP:PORT | Optional | The outbound internet proxy.<br>This could also be the OT DMZ proxy if an ISA 95 network. |

-| CACHEABLE_CUSTOM_*N*_HOST | HOST/IP<br>FQDN | Optional | Required to support custom package repositories.<br>Repositories could be hosted locally or on the internet.<br>There is no limit to the number of custom hosts that can be configured.<br><br>Examples:<br>Name = CACHEABLE_CUSTOM_1_HOST Value = packages.foo.com<br> Name = CACHEABLE_CUSTOM_2_HOST Value = packages.bar.com |

-| CACHEABLE_CUSTOM_*N*_CANONICAL| Alias | Optional | Required to support custom package repositories.<br>This value can be used as an alias and will be used by the cache server to reference<br>different DNS names. For example, repository content hostname may be packages.foo.com,<br>but for different regions there could be an additional prefix that is added to the hostname<br>like westuscdn.packages.foo.com and eastuscdn.packages.foo.com.<br>By setting the canonical alias, you ensure that content is not duplicated<br>for content coming from the same host, but different CDN sources.<br>The format of the canonical value is not important, but it must be unique to the host.<br>It may be easiest to set the value to match the host value.<br><br>Examples based on Custom Host examples above:<br>Name = CACHEABLE_CUSTOM_1_CANONICAL Value = foopackages<br> Name = CACHEABLE_CUSTOM_2_CANONICAL Value = packages.bar.com |

-| IS_SUMMARY_PUBLIC | True or False | Optional | Enables viewing of the summary report on the local network or internet.<br>Use of an API key (discussed later) is required to view the summary report if set to true. |

-| IS_SUMMARY_ACCESS_UNRESTRICTED| True or False | Optional | Enables viewing of summary report on the local network or internet without<br>use of API key from any device in the network. Use if you don't want to lock down access<br>to viewing cache server summary data via the browser. |

-

-## Microsoft Connected Cache Azure IoT Edge module container create options

-Container create options for MCC module deployment provide control of the settings related to storage and ports used by the MCC module. This is the list of required container created variables used to deploy MCC.

-### Container to host OS drive mappings

-Required to map the container storage location to the storage location on the disk.< Up to nine locations can be specified.

->[!Note]

->The number of the drive must match the cache drive binding values specified in the environment variable STORAGE_*N*_SIZE_GB value, ```/MicrosoftConnectedCache*N*/:/nginx/cache*N*/```

-### Container to host TCP port mappings

-This option specifies the external machine http port that MCC listens on for content requests. The default HostPort is port 80 and other ports are not supported at this time as the ADU client makes requests on port 80 today. TCP port 8081 is the internal container port that the MCC listens on and cannot be changed.

-### Container service TCP port mappings

-The Microsoft Connected Cache module has a .NET Core service, which is used by the caching engine for various functions.

->[!Note]

->To support Azure IoT Nested Edge the HostPort must not be set to 5000 because the Registry proxy module is already listening on host port 5000.

-Sample Container Create Options

-The summary report is currently the only way for a customer to view caching data for the Microsoft Connected Cache instances deployed to Azure IoT Edge gateways. The report is generated at 15-second intervals and includes averaged stats for the period as well as aggregated stats for the lifetime of the module. The key stats that customers will be interested in are:

-* **hitBytes** - This is the sum of bytes delivered that came directly from cache.

-* **missBytes** - This is the sum of bytes delivered that Microsoft Connected Cache had to download from CDN to see the cache.

-* **eggressBytes** - This is the sum of hitBytes and missBytes and is the total bytes delivered to clients.

-* **hitRatioBytes** - This is the ratio of hitBytes to egressBytes. If 100% of eggressBytes delivered in a period were equal to the hitBytes this would be 1 for example.

-The summary report is available at `http://<FQDN/IP of Azure IoT Edge Gateway hosting MCC>:5001/summary` Replace \<Azure IoT Edge Gateway IP\> with the IP address or hostname of your IoT Edge gateway. (see environment variable details for information on visibility of this report).

-In a transparent gateway scenario, one or more devices can pass their messages through a single gateway device that maintains the connection to Azure IoT Hub. In these cases, the child devices may not have internet connectivity or may not be allowed to download content from the internet. The Microsoft Connected Cache Preview IoT Edge module will provide Device Update for Azure IoT Hub customers with the capability of an intelligent in-network cache, which enables image-based and package-based updates of Linux OS-based devices behind and IoT Edge gateway (downstream IoT devices), and will also help save bandwidth for Device Update for Azure IoT Hub customers.

-## How does Microsoft Connected Cache preview for Device Update for Azure IoT Hub work?

-Microsoft Connected Cache Preview is an intelligent, transparent cache for content published for Device Update for Azure IoT Hub content and can be customized to cache content from other sources like package repositories as well. Microsoft Connected Cache is a cold cache that is warmed by client requests for the exact file ranges requested by the Delivery Optimization client and does not pre-seed content. The diagram and step-by-step description below explains how Microsoft Connected Cache works within the Device Update for Azure IoT Hub infrastructure.

->In defining this flow, it has been assumed that the IoT Edge gateway has internet connectivity. For the downstream IoT Edge gateway (Nested Edge) scenario the "Content Delivery Network" (CDN) can be considered the MCC hosted on the parent IoT Edge gateway.

-1. Microsoft Connected Cache is deployed as an IoT Edge module to the on-prem server.

-2. Device Update for Azure IoT Hub clients are configured to download content from Microsoft Connected Cache by virtue of

-the GatewayHostName attribute of the device connection string for IoT leaf devices **OR** parent_hostname set in the config.toml for IoT Edge child devices.

-3. Device Update for Azure IoT Hub clients in both cases receive update content download commands from the Device Update for Azure IoT Hub service and request update content to the Microsoft Connected Cache instead of the CDN. Microsoft Connected Cache by default is configured to listen on http port 80, and the Delivery Optimization client makes the content request on port 80 so the parent must be configured to listen on this port. Only the http protocol is supported at this time.

-4. The Microsoft Connected Cache server downloads content from the CDN, seeds its local cache stored on disk and delivers the content to the Device Update for Azure IoT Hub client.

-

->[!Note]

->When using package-based updates, the Microsoft Connected Cache server will be configured by the admin with the required package hostname.

-5. Subsequent requests from other Device Update for Azure IoT Hub clients for the same update content will now come from cache and Microsoft Connected Cache will not make requests to the CDN for the same content.

-### Supporting Industrial IoT (IIoT) with parent/child hosting scenarios

-When a downstream or child IoT Edge gateway is hosting the Microsoft Connected Cache server, it will be configured to request update content from the parent IoT Edge gateway, hosting the Microsoft Connected Cache server. This is required for as many levels as necessary before reaching the parent IoT Edge gateway hosting a Microsoft Connected Cache server that has internet access. From the internet connected server, the content is requested from the CDN at which point the content is delivered back to the child IoT Edge gateway that originally requested the content. The content will be stored on disk at every level.

-## Access to the Microsoft Connected Cache preview for Device Update for Azure IoT Hub

-The Microsoft Connected Cache IoT Edge module is released as a preview for customers who are deploying solutions using Device Update for Azure IoT Hub. Access to the preview is by invitation. [Request Access](https://aka.ms/MCCForDeviceUpdateForIoT) to the Microsoft Connected Cache Preview for Device Update for IoT Hut and provide the information requested if you would like access to the module.

-# Device Update Security Model

-Device Update for IoT Hub offers a secure method to deploy updates for device firmware, images, and applications to your IoT devices. The workflow provides an end-to-end secure channel with a full chain-of-custody model that a device can use to prove an update is trusted, unmodified and intentional.

-Each step in the Device Update workflow is protected through various security features and processes to ensure that every step in the pipeline performs a secured handoff to the next. The Device Update Agent reference code identifies and properly manages any illegitimate update requests. The reference Agent also checks every download to ensure that the content is trusted, unmodified, and intentional.

-Once ingested into the service and stored in Azure, the update binary files and associated customer metadata are automatically encrypted at rest by the Azure storage service. The Device Update service does not automatically provide additional encryption, but does allow developers to encrypt content themselves before the content reaches the Device Update service.

-When an update is deployed to devices from the Device Update service, a signed message is sent over the protected IoT Hub channel to the device. The requestΓÇÖs signature is validated by the deviceΓÇÖs Device Update Agent as authentic.

-Any resulting binary download is secured through validation of the update manifest signature. The update manifest contains the binary file hashes, so once the manifest is trusted the Device Update agent trusts the hashes and matches them against the binaries. Once the update binary has been downloaded and verified, it is then handed off to the installer on the device.

-The Device Update Agent has embedded public keys that are used for all Device Update-compatible devices. These are the *root* keys. The corresponding private keys are controlled by Microsoft.

-Microsoft also generates a public/private key pair that is not included in the Device Update Agent or stored on the device. This is the *signing* key.

-When an update is imported into Device Update for IoT Hub, and the update manifest is generated by the service, the service signs the manifest using the signing key, and includes the signing key itself, which is signed by a root key. When the update manifest is sent to the device, the Device Update Agent receives the following signature data:

-The Device Update Agent uses the information defined above to validate that signature of the public signing key is signed by the root key. The Device Update Agent then validates that the update manifest signature is signed by the signing key. If all the signatures are correct, the update manifest is trusted by the Device Update Agent. Since the update manifest includes the file hashes that correspond to the update files themselves, the update files can then also be trusted if the hashes match.

-The `updateManifestSignature` is used to ensure that the information contained within the `updateManifest` has

-not been tampered with. The `updateManifestSignature` is produced using a JSON Web Signature with JSON Web Keys, allowing for source verification. The signature is a Base64Url Encoded string with three sections delineated by ".". Refer to the [jws_util.h helper methods](https://github.com/Azure/iot-hub-device-update/tree/main/src/utils/jws_utils) for parsing and verifying JSON keys and tokens.

-JSON Web Signature is a widely used [proposed IETF standard](https://tools.ietf.org/html/rfc7515) for signing

-content using JSON-based data structures. It is a way of ensuring integrity of data by verifying the signature

-of the data. Further information can be found in the JSON Web Signature (JWS) [RFC 7515](https://www.rfc-editor.org/info/rfc7515).

-JSON Web Tokens are an open, industry [standard](https://tools.ietf.org/html/rfc7519) method for representing

-claims securely between two parties.

-The set of root keys will change over time as it is proper to periodically rotate signing keys for security purposes. As a result, the Device Update Agent software will need to be updated with the latest set of root keys at intervals specified by the Device Update team.

-All signatures will be accommodated by a signing (public) key signed by one of the root keys. The signature will identify which root key was used to sign the signing key.

-A Device Update Agent must validate signatures by first validating that the signing (public) keyΓÇÖs signature is proper, valid, and signed by one of the approved root keys. Once the signing key is successfully validated, the signature itself may be validated by using the now trusted signing public key.

-Signing keys are rotated on a much quicker cadence than root keys, so expect messages signed by various different signing keys.

-Revocation of a signing key is managed by the Device Update service, so users should not attempt to cache signing keys. Always use the signing key accompanying a signature.

-### Securing the Device

-It is important to ensure that Device Update-related security assets are properly secured and protected on your device. Assets such as root keys need to be protected against modification. There are various ways to do this, such as using security devices (TPM, SGX, HSM, other security devices) or hard-coding them in the Device Update Agent as is done today in the reference implementation. The latter requires that the Device Update Agent code is digitally signed and the systemΓÇÖs Code Integrity support is enabled to protect against malicious modification of the Agent code.

-Additional security measures may be warranted, such as ensuring that handoff from component to component is performed in a secure way. For example, registering a specific isolated account to run the various components, and limiting network-based communications (e.g. REST API calls) to localhost only.

-**[Next Step: Learn more about how Device Update uses Azure RBAC](.\device-update-control-access.md)**

-## Overview

-Device Update for IoT Hub uses [IoT Plug and Play](./device-update-plug-and-play.md) to send data to devices during deployment. One of them is _update manifest_, a serialized JSON object string containing metadata of the update to install. It is also cryptographically signed to allow the Device Update Agent to verify its authenticity. Refer to [Device Update security](./device-update-security.md) for more information on how the update manifest is used to securely install content.

-It is important to understand the differences between the import manifest and the update manifest concepts in Device Update for IoT Hub:

-* The [import manifest](./import-concepts.md) is created by whoever creates the corresponding update. It describes the contents of the update that will be imported into Device Update for IoT Hub.

-* The update manifest is automatically generated by the Device Update for IoT Hub service, using some of the properties that were defined in the import manifest. It is used to communicate relevant information to the Device Update Agent during the update process.

-When an update manifest exceeds a certain size that prevents it from being communicated efficiently, Device Update for IoT Hub will send it to device in _detached_ format, also known as _mini update manifest_. A mini manifest is technically _metadata for update manifest_ and contains information needed for Device Update Agent to download the _full_ update manifest and verify its authenticity.

-## Trigger multiple runs

-If your trigger returns an array for your logic app to process, sometimes a "for each" loop might take too long to process each array item. Instead, you can use the **SplitOn** property in your trigger to *debatch* the array. Debatching splits up the array items and starts a new workflow instance that runs for each array item. This approach is useful, for example, when you want to poll an endpoint that might return multiple new items between polling intervals. For the maximum number of array items that **SplitOn** can process in a single logic app run, see [Limits and configuration](../logic-apps/logic-apps-limits-and-config.md#looping-debatching-limits).

-> [!NOTE]

-> You can't use **SplitOn** with a synchronous response pattern. Any workflow that uses **SplitOn** and includes a response action

-> runs asynchronously and immediately sends a `202 ACCEPTED` response.

->

-> When trigger concurrency is enabled, the [SplitOn limit](../logic-apps/logic-apps-limits-and-config.md#looping-debatching-limits)

-> is significantly reduced. If the number of items exceeds this limit, the SplitOn capability is disabled.

-

-If your trigger's Swagger file describes a payload that is an array, the **SplitOn** property is automatically added to your trigger. Otherwise, add this property inside the response payload that has

-Suppose you have an API that returns this response:

-Your logic app only needs the content from the array in `Rows`, so you can create a trigger like this example:

-Here are some considerations to review before you enable concurrency on a trigger:

-1. You can select any of the actions in the request timeline to see the specific status and substep details.

-> | [Azure Spring Apps Config Server Contributor](#azure-spring-apps-config-server-contributor) | Allow read, write and delete access to Azure Spring Apps Config Server | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b |

-> | [Azure Spring Apps Config Server Reader](#azure-spring-apps-config-server-reader) | Allow read access to Azure Spring Apps Config Server | d04c6db6-4947-4782-9e91-30a88feb7be7 |

-> | [Azure Spring Apps Data Reader](#azure-spring-apps-data-reader) | Allow read access to Azure Spring Apps Data | b5537268-8956-4941-a8f0-646150406f0c |

-> | [Azure Spring Apps Service Registry Contributor](#azure-spring-apps-service-registry-contributor) | Allow read, write and delete access to Azure Spring Apps Service Registry | f5880b48-c26d-48be-b172-7927bfa1c8f1 |

-> | [Azure Spring Apps Service Registry Reader](#azure-spring-apps-service-registry-reader) | Allow read access to Azure Spring Apps Service Registry | cff1b556-2399-4e7e-856d-a8f754be7b65 |

-> | [Microsoft.DataProtection](resource-provider-operations.md#microsoftdataprotection)/providers/operations/read | |

- "Microsoft.DataProtection/providers/operations/read"

-> | [Microsoft.Storage](resource-provider-operations.md#microsoftstorage)/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | |

-### Azure Spring Apps Config Server Contributor

-Allow read, write and delete access to Azure Spring Apps Config Server [Learn more](../spring-apps/how-to-access-data-plane-azure-ad-rbac.md)

- "description": "Allow read, write and delete access to Azure Spring Apps Config Server",

- "roleName": "Azure Spring Apps Config Server Contributor",

-### Azure Spring Apps Config Server Reader

-Allow read access to Azure Spring Apps Config Server [Learn more](../spring-apps/how-to-access-data-plane-azure-ad-rbac.md)

- "description": "Allow read access to Azure Spring Apps Config Server",

- "roleName": "Azure Spring Apps Config Server Reader",

-### Azure Spring Apps Data Reader

-Allow read access to Azure Spring Apps Data

- "description": "Allow read access to Azure Spring Apps Data",

- "roleName": "Azure Spring Apps Data Reader",

-### Azure Spring Apps Service Registry Contributor

-Allow read, write and delete access to Azure Spring Apps Service Registry [Learn more](../spring-apps/how-to-access-data-plane-azure-ad-rbac.md)

- "description": "Allow read, write and delete access to Azure Spring Apps Service Registry",

- "roleName": "Azure Spring Apps Service Registry Contributor",

-### Azure Spring Apps Service Registry Reader

-Allow read access to Azure Spring Apps Service Registry [Learn more](../spring-apps/how-to-access-data-plane-azure-ad-rbac.md)

- "description": "Allow read access to Azure Spring Apps Service Registry",

- "roleName": "Azure Spring Apps Service Registry Reader",

-> | *none* | |

- "notActions": [],

-> | *none* | |

- "notActions": [],

- "Microsoft.SecurityInsights/incidents/*/Delete"

-> | *none* | |

- "dataActions": [],

-| [microsoft.storagesync](#microsoftstoragesync) |

-> | Microsoft.NetApp/netAppAccounts/backupVaults/read | Reads a Backup Vault resource. |

-> | Microsoft.NetApp/netAppAccounts/backupVaults/write | Writes a Backup Vault resource. |

-> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/ListReplications/action | |

-> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/BackupStatus/read | |

-> | Microsoft.NetApp/netAppAccounts/capacityPools/volumes/RestoreStatus/read | |

-> | Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | |

-> | Microsoft.Storage/storageAccounts/restorePoints/delete | |

-> | Microsoft.Storage/storageAccounts/restorePoints/read | |

-### microsoft.storagesync

-> | microsoft.storagesync/register/action | Registers the subscription for the Storage Sync Provider |

-> | microsoft.storagesync/unregister/action | Unregisters the subscription for the Storage Sync Provider |

-> | microsoft.storagesync/locations/checkNameAvailability/action | Checks that storage sync service name is valid and is not in use. |

-> | microsoft.storagesync/locations/operationresults/read | Gets the result for an asynchronous operation |

-> | microsoft.storagesync/locations/operations/read | Gets the status for an azure asynchronous operation |

-> | microsoft.storagesync/locations/workflows/operations/read | Gets the status of an asynchronous operation |

-> | microsoft.storagesync/operations/read | Gets a list of the Supported Operations |

-> | microsoft.storagesync/storageSyncServices/read | Read any Storage Sync Services |

-> | microsoft.storagesync/storageSyncServices/write | Create or Update any Storage Sync Services |

-> | microsoft.storagesync/storageSyncServices/delete | Delete any Storage Sync Services |

-> | microsoft.storagesync/storageSyncServices/privateEndpointConnectionProxies/validate/action | Validate any Private Endpoint ConnectionProxies |

-> | microsoft.storagesync/storageSyncServices/privateEndpointConnectionProxies/read | Read any Private Endpoint ConnectionProxies |

-> | microsoft.storagesync/storageSyncServices/privateEndpointConnectionProxies/write | Create or Update any Private Endpoint ConnectionProxies |

-> | microsoft.storagesync/storageSyncServices/privateEndpointConnectionProxies/updatePrivateEndpointProperties/action | Update any Private Endpoint ConnectionProxies |

-> | microsoft.storagesync/storageSyncServices/privateEndpointConnectionProxies/delete | Delete any Private Endpoint ConnectionProxies |

-> | microsoft.storagesync/storageSyncServices/privateEndpointConnections/read | Read any Private Endpoint Connections |

-> | microsoft.storagesync/storageSyncServices/privateEndpointConnections/write | Create or Update any Private Endpoint Connections |

-> | microsoft.storagesync/storageSyncServices/privateEndpointConnections/delete | Delete any Private Endpoint Connections |

-> | microsoft.storagesync/storageSyncServices/privateLinkResources/read | Read any Private Link Resources |

-> | microsoft.storagesync/storageSyncServices/providers/Microsoft.Insights/metricDefinitions/read | Gets the available metrics for Storage Sync Services |

-> | microsoft.storagesync/storageSyncServices/registeredServers/read | Read any Registered Server |

-> | microsoft.storagesync/storageSyncServices/registeredServers/write | Create or Update any Registered Server |

-> | microsoft.storagesync/storageSyncServices/registeredServers/delete | Delete any Registered Server |

-> | microsoft.storagesync/storageSyncServices/syncGroups/read | Read any Sync Groups |

-> | microsoft.storagesync/storageSyncServices/syncGroups/write | Create or Update any Sync Groups |

-> | microsoft.storagesync/storageSyncServices/syncGroups/delete | Delete any Sync Groups |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/read | Read any Cloud Endpoints |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/write | Create or Update any Cloud Endpoints |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/delete | Delete any Cloud Endpoints |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/prebackup/action | Call this action before backup |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/postbackup/action | Call this action after backup |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/prerestore/action | Call this action before restore |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/postrestore/action | Call this action after restore |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/restoreheartbeat/action | Restore heartbeat |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/triggerChangeDetection/action | Call this action to trigger detection of changes on a cloud endpoint's file share |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/afssharemetadatacertificatepublickeys/read | Gets the public keys info for AfsShareMetadata certificate |

-> | microsoft.storagesync/storageSyncServices/syncGroups/cloudEndpoints/operationresults/read | Gets the status of an asynchronous backup/restore operation |

-> | microsoft.storagesync/storageSyncServices/syncGroups/serverEndpoints/read | Read any Server Endpoints |

-> | microsoft.storagesync/storageSyncServices/syncGroups/serverEndpoints/write | Create or Update any Server Endpoints |

-> | microsoft.storagesync/storageSyncServices/syncGroups/serverEndpoints/delete | Delete any Server Endpoints |

-> | microsoft.storagesync/storageSyncServices/syncGroups/serverEndpoints/recallAction/action | Call this action to recall files to a server |

-> | microsoft.storagesync/storageSyncServices/workflows/read | Read Workflows |

-> | microsoft.storagesync/storageSyncServices/workflows/operationresults/read | Gets the status of an asynchronous operation |

-> | microsoft.storagesync/storageSyncServices/workflows/operations/read | Gets the status of an asynchronous operation |

-Azure service: [Media Services](/azure/media-services)

-> | Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/read | List the Sql Vulnerability Assessment baseline set by Sql Vulnerability Assessments |

-> | Microsoft.Sql/virtualClusters/updateManagedInstanceDnsServers/action | Synchronizes the DNS server configuration on an Azure SQL Virtual Cluster with the configuration of the Azure Virtual Network where the Virtual Cluster is located. |

-> | Microsoft.Sql/virtualClusters/write | Updates virtual cluster tags. |

-> | Microsoft.CognitiveServices/accounts/CustomVoice/endpoints/manifest/read | Returns an endpoint manifest which can be used in an on-premises container. |

-> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/base/manifest/read | Returns an manifest for this base model which can be used in an on-premises container. |

-> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/manifest/read | Returns an manifest for this model which can be used in an on-premises container. |

-> | Microsoft.IoTSecurity/locations/deviceGroups/alerts/learnAlert/action | Learn and close the alert |

-> | Microsoft.IoTSecurity/onPremiseSensors/read | Gets on-premises IoT Sensors |

-> | Microsoft.IoTSecurity/onPremiseSensors/write | Creates or updates on-premises IoT Sensors |

-> | Microsoft.IoTSecurity/onPremiseSensors/delete | Deletes on-premises IoT Sensors |

-> | Microsoft.IoTSecurity/onPremiseSensors/downloadActivation/action | Gets on-premises IoT Sensor Activation File |

-> | Microsoft.IoTSecurity/onPremiseSensors/downloadResetPassword/action | Downloads file for reset password of the on-premises IoT Sensor |

-> | microsoft.monitor/accounts/metrics/write | Write Monitoring Account metrics |

-> This skill is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-Start by opening [VS Code](https://code.visualstudio.com). Select the **Extensions** tab on the activity bar then search for *Azure Cognitive Search*. Find the extension in the search results, and select **Install**.

-Alternatively, you can install the [Azure Cognitive Search extension](https://aka.ms/vscode-search) from the VS Code marketplace in a web browser.

-You should see a new Azure tab appear on the activity bar if you didn't already have it.

-You should see your subscriptions appear. Select the subscription to see a list of the search services in the subscription.

-When you expand the search service, you will see tree items for each of the Cognitive Search resources: indexes, data sources, indexers, skillsets, and synonym maps.

-These tree items can be expanded to show any resources you have in your search service

-Paste the index definition from above into the window. Save the file and select **Upload** when prompted if you want to update the index. This will create the index and it will be available in the tree view.

-If there is a problem with your index definition, you should see an error message pop up explaining the error.

-If this happens, fix the issue and resave the file.

-Creating the index and populating the index are separate steps. In Azure Cognitive Search, the index contains all searchable data. In this scenario, the data is provided as JSON documents. The [Add, Update, or Delete Documents REST API](/rest/api/searchservice/addupdate-or-delete-documents) is used for this task.

-To add new documents in VS Code:

-2. This will open up a JSON editor that has inferred the schema of your index.

-3. Paste in the JSON below and then save the file. A prompt will open up asking you to confirm your changes. Select **Upload** to save the changes.

-4. Repeat this process for the three remaining documents

-Now that the index and document set are loaded, you can issue queries against them using [Search Documents REST API](/rest/api/searchservice/search-documents).

-To do this in VS Code:

-1. Right-click the index you want to search and select **Search index**. This will open an editor with a name similar to `sandbox-b946dcda48.azs`.

-search=wifi&$filter=Address/StateProvince eq 'FL'&$select=HotelId,HotelName,Rating&$orderby=Rating desc

-search=submlime cliff&$select=HotelId,HotelName,Rating&searchFields=HotelName

-Another common option to include in a query is `facets`. Facets allow you to build out filters on your UI to make it easy for users to know what values they can filter down to.

-If you'd like to view your search service in the portal, right-click the name of the search service and select **Open in Portal**. This will take you to the search service in the Azure portal.

-description: Quickstart showing how to create a service connection in Spring Cloud with the Azure CLI

-# Quickstart: Create a service connection in Spring Cloud with the Azure CLI

-The [Azure CLI](/cli/azure) is a set of commands used to create and manage Azure resources. The Azure CLI is available across Azure services and is designed to get you working quickly with Azure, with an emphasis on automation. This quickstart shows you several options to create an Azure Web PubSub instance with the Azure CLI.

-## View supported target service types

-Use the Azure CLI [[az spring-cloud connection](quickstart-cli-spring-cloud-connection.md)] command to create and manage service connections to your Spring Cloud application.

-```azurecli-interactive

-az provider register -n Microsoft.ServiceLinker

-az spring-cloud connection list-support-types --output table

-```

-### [Using an access key](#tab/Using-access-key)

-Use the Azure CLI command `az spring-cloud connection` to create a service connection to an Azure Blob Storage with an access key, providing the following information:

-```azurecli-interactive

-az spring-cloud connection create storage-blob --secret

-```

-> [!NOTE]

-> If you don't have a Blob Storage, you can run `az spring-cloud connection create storage-blob --new --secret` to provision a new one and directly get connected to your app service.

-### [Using Managed Identity](#tab/Using-Managed-Identity)

-> To use Managed Identity, you must have permission to manage [role assignments in Azure Active Directory](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). If you don't have this permission, your connection creation will fail. You can ask your subscription owner to grant you a role assignment permission or use an access key to create the connection.

-Use the Azure CLI command `az spring-cloud connection` to create a service connection to a Blob Storage with System-assigned Managed Identity, providing the following information:

-```azurecli-interactive

-az spring-cloud connection create storage-blob --system-identity

-```

-> [!NOTE]

-> If you don't have a Blob Storage, you can run `az spring-cloud connection create --system-identity --new --secret` to provision a new one and directly get connected to your app service.

-Use the Azure CLI [az spring-cloud connection](quickstart-cli-spring-cloud-connection.md) command to list connection to your Spring Cloud application, providing the following information:

-az spring-cloud connection list -g <your-spring-cloud-resource-group> --spring-cloud <your-spring-cloud-name>

-Follow the tutorials listed below to start building your own application with Service Connector.

-> [Tutorial: Spring Cloud + MySQL](./tutorial-java-spring-mysql.md)

-> [Tutorial: Spring Cloud + Apache Kafka on Confluent Cloud](./tutorial-java-spring-confluent-kafka.md)

-description: This quickstart shows you how to create a service connection in Spring Cloud from the Azure portal.

-# Quickstart: Create a service connection in Spring Cloud from the Azure portal

-This quickstart shows you how to create a new service connection with Service Connector in Spring Cloud from the Azure portal.

-## Create a new service connection in Azure Spring Cloud

-1. Select the **All resources** button from the left menu. Type **Azure Spring Cloud** in the filter and select the name of the Spring Cloud resource you want to use from the list.

-1. Select **Apps** and select the application name from the list.

-1. Select **Service Connector** from the left table of contents. Then select **Create**.

- | Setting | Suggested value | Description |

- | | - | -- |

- | **Subscription** | One of your subscriptions | The subscription where your target service is located. The target service is the service you want to connect to. The default value is the subscription for the App Service. |

- | **Service Type** | Azure Blob Storage | Target service type. If you don't have an Azure Blob storage, you can [create one](../storage/blobs/storage-quickstart-blobs-portal.md) or use another service type. |

- | **Connection Name** | Generated unique name | The connection name that identifies the connection between your App Service and target service |

- | **Storage account** | Your storage account | The target storage account you want to connect to. If you choose a different service type, select the corresponding target service instance. |

-1. Select **Next: Authentication** to select the authentication type. Then select **Connection string** to use access key to connect your Blob storage account.

-1. Then select **Next: Review + Create** to review the provided information. Then select **Create** to create the service connection. It might take one minute to complete the operation.

-## View service connections in Spring Cloud

-1. Select **Service Connector** to view the Spring Cloud connection to the target service.

-1. Select **>** to expand the list and access the properties required by your Spring boot application.

-1. Select the ellipsis **...** and **Validate**. You can see the connection validation details in the context pane from the right.

-Follow the tutorials listed below to start building your own application with Service Connector.

-> - [Tutorial: Spring Cloud + MySQL](./tutorial-java-spring-mysql.md)

-> - [Tutorial: Spring Cloud + Apache Kafka on Confluent Cloud](./tutorial-java-spring-confluent-kafka.md)