+|  is an identity verification and proofing provider focused on stopping account takeover and registration fraud. It helps combat identity fraud and creates a trusted user experience. |

+ Title: Configure Azure Active Directory B2C with Deduce

+description: Learn how to integrate Azure AD B2C authentication with Deduce for identity verification

+# Configure Azure Active Directory B2C with Deduce to combat identity fraud and create a trusted user experience

+In this sample article, we provide guidance on how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with [Deduce](https://www.deduce.com/). Deduce is focused on stopping account takeover and registration fraudΓÇöthe fastest-growing fraud on the internet. The Deduce Identity Network is powered by a coalition of over 150,000 websites and apps who share logins, registrations, and checkouts with Deduce over 1.4 billion times per day.

+The resulting identity intelligence stops attacks before they become a financial problem and a corporate liability. It uses historical behavioral analysis as a predictor of trust so organizations can deliver a frictionless user experience for their best customers. A comprehensive range of risk and trust signals can inform every authentication decision with the Azure AD B2C instance.

+With this integration, organizations can extend their Azure AD B2C capabilities during the sign-up or sign in process to get additional insights about the user from the Deduce Insights API. Some of the attributes ingested by the Deduce API are:

+- Email

+- IP Address

+- User agent

+## Prerequisites

+To get started, you'll need:

+- An Azure subscription. If you don't have one, get a [free account](https://azure.microsoft.com/free).

+- An [Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.

+- [Register an application](./tutorial-register-applications.md)

+- [Contact Deduce](mailto:support@deduce.com) to configure a test or production environment.

+- Ability to use Azure AD B2C custom policies. If you can't, complete the steps in [Get started with custom policies in Azure AD B2C](custom-policy-overview.md) to learn how to use custom policies.

+## Scenario description

+The integration includes the following components:

+- **Azure AD B2C** ΓÇô The authorization server, responsible for verifying the user's credentials, also known as the identity provider.

+- **Deduce** ΓÇô The Deduce service takes inputs provided by the user and provides digital activity insights on the user's identity.

+- **Custom rest API** ΓÇô This API implements the integration between Azure AD B2C and the Deduce Insights API.

+The following architecture diagram shows the implementation:

+

+| Steps | Description |

+|:--|:|

+| 1. | User opens Azure AD B2C's sign-in page, and then signs in or signs up by entering their username.|

+| 2. | Azure AD B2C calls the middle layer API and passes on the user attributes.|

+| 3. | Middle layer API collects user attributes and transforms it into a format that the Deduce API can consume and then sends it to Deduce.|

+| 4. | Deduce consumes the information and processes it to validate user identification based on the risk analysis. Then, it returns the result to the middle layer API.|

+| 5. | Middle layer API processes the information and sends back risk, trust and info signals in the correct JSON format to Azure AD B2C.|

+| 6. | Azure AD B2C receives information back from the middle layer API. <br> If it shows a failure response, an error message is displayed to the user. <br> If it shows a success response, the user is authenticated and written into the directory. |

+## Onboard with Deduce

+To create a Deduce account, contact [Deduce support](mailto:support@deduce.com). Once an account is created, you'll receive a **Site ID**, and **API key** that you'll need for the API configuration.

+The following sections describe the integration process.

+### Step 1: Configure the Azure AD B2C policy

+Follow the instructions in [Get the starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#get-the-starter-pack) to learn how to set up your Azure AD B2C tenant and configure policies. This samples article is based on the Local Accounts starter pack.

+### Step 2: Customize the Azure AD B2C user interface

+In order to collect the user_agent from client-side, create your own `**ContentDefinition**` with an arbitrary ID to include the related JavaScript. Determine the end-user browser's user_agent string and store it as a claim in Azure AD B2C.

+1. Download the api.selfasserted, [selfAsserted.cshtml](https://login.microsoftonline.com/static/tenant/templates/AzureBlue/selfAsserted.cshtml), locally.

+1. Edit the selfAsserted.cshtml to include the following JavaScript before the closure of `</head>` defines an additional Style element to hide the panel-default.

+ ``` html

+ <style>

+ .panel-default {

+ margin: 0 auto;

+ width: 60%;

+ height: 0px;

+ background-color: #296ec6;

+ opacity: 1;

+ border-radius: .5rem;

+ border: none;

+ color: #fff;

+ font-size: 1em;

+ box-shadow: 0 0 30px 0 #dae1f7;

+ visibility: hidden;

+ }

+

+ </style>

+ ```

+1. Add the following JavaScript code before the closure of the `</body>`. This code reads the user_agent from the user's browser and the ContentDefinition is used in combination with the self-asserted technical profile to return user_agent as an output claim to the next orchestration step.

+ ``` html

+ <script>

+ $("#user_agent").hide().val(window.navigator.userAgent);

+ var img = new Image();

+ img.onload = function() {

+ document.getElementById("continue").click();

+ };

+ img.src = "https://login.microsoftonline.com/static/tenant/templates/images/logo.svg";

+ </script>

+ ```

+### Step 3: Configure your storage location

+1. Set up a [blob storage container in your storage account](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container) and upload the previously edited `**selfAsserted.cshtml**` file to your blob container.

+1. Allow CORS access to storage container you created by following these instructions:

+ 1. Go to **Settings** >**Allowed Origin**, enter `https://your_tenant_name.b2clogin.com`. Replace `your-tenant- name` with the name of your Azure AD B2C tenant such as `fabrikam`. Use all lowercase letters when entering your tenant name.

+ 1. For **Allowed Methods**, select `GET` and `PUT`.

+ 1. Select **Save**.

+### Step 4: Configure Content Definition

+To customize the user interface, you specify a URL in the `ContentDefinition` element with customized HTML content. In the self-asserted technical profile or orchestration step, you point to that ContentDefinition identifier.

+1. Open the `TrustFrameworksExtension.xml` and define a new **ContentDefinition** to customize the [self-asserted technical profile](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).

+1. Find the `BuildingBlocks` element and add the `**api.selfassertedDeduce**` ContentDefinition:

+ ```xml

+ <BuildingBlocks>

+ ...

+ <ContentDefinitions>

+ <ContentDefinition Id="api.selfassertedDeduce">

+ <LoadUri>https://<STORAGE-ACCOUNT-NAME>.blob.core.windows.net/<CONTAINER>/selfAsserted.cshtml</LoadUri>

+ <RecoveryUri>~/common/default_page_error.html</RecoveryUri>

+ <DataUri>urn:com:microsoft:aad:b2c:elements:contract:selfasserted:2.1.7</DataUri>

+ <Metadata>

+ <Item Key="DisplayName">Signin and Signup Deduce</Item>

+ </Metadata>

+ </ContentDefinition>

+ </ContentDefinitions>

+ ...

+ </BuildingBlocks>

+ ```

+Replace LoadUri with the url pointing to the `selfAsserted.cshtml` file created in [step 1](#step-1-configure-the-azure-ad-b2c-policy).

+### Step 5: Add Deduce additional ClaimType

+The **ClaimsSchema** element defines the claim types that can be referenced as part of the policy. There are additional claims that Deduce supports and can be added.

+1. Open the `TrustFrameworksExtension.xml`

+1. In the `**BuildingBlocks**` element additional identity claims that Deduce supports can be added.

+ ```xml

+ <BuildingBlocks>

+ ...

+ <ClaimsSchema>

+ <!-- Claims for Deduce API request body -->

+ <ClaimType Id="site">

+ <DisplayName>Site ID</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Deduce Insight API site id</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="ip">

+ <DisplayName>IP Address</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="apikey">

+ <DisplayName>API Key</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="action">

+ <DisplayName>Contextual action</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <!-- End of Claims for Deduce API request body -->

+ <!-- Rest API call request body to deduce insight API -->

+ <ClaimType Id="deduce_requestbody">

+ <DisplayName>Request body for insight api</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Request body for insight api</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="deduce_trust_response">

+ <DisplayName>Response body for insight api</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Response body for insight api</AdminHelpText>

+ </ClaimType>

+ <!-- End of Rest API call request body to deduce insight API -->

+ <!-- Response claims from Deduce Insight API -->

+ <ClaimType Id="data.signals.trust">

+ <DisplayName>Trust collection</DisplayName>

+ <DataType>stringCollection</DataType>

+ <AdminHelpText>List of asserted trust</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.signals.info">

+ <DisplayName>Trust collection</DisplayName>

+ <DataType>stringCollection</DataType>

+ <AdminHelpText>List of asserted info</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.signals.risk">

+ <DisplayName>Trust collection</DisplayName>

+ <DataType>stringCollection</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.company_name">

+ <DisplayName>data.network.company_name</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.crawler_name">

+ <DisplayName>data.network.crawler_name</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_corporate">

+ <DisplayName>data.network.is_corporate</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_education">

+ <DisplayName>data.network.is_education</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_hosting">

+ <DisplayName>data.network.is_hosting</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_mobile">

+ <DisplayName>data.network.is_mobile</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_proxy">

+ <DisplayName>data.network.is_proxy"</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_tor">

+ <DisplayName>data.network.is_tor</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_vpn_capable">

+ <DisplayName>data.network.is_vpn_capable</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_vpn_confirmed">

+ <DisplayName>data.network.is_vpn_confirmed</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.is_vpn_suspect">

+ <DisplayName>data.network.is_vpn_suspect</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.isp_name">

+ <DisplayName>data.network.isp_name</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.network.vpn_name">

+ <DisplayName>data.network.vpn_name</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.geo.city">

+ <DisplayName>data.geo.city</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.geo.country">

+ <DisplayName>data.geo.country</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.geo.lat">

+ <DisplayName>data.geo.lat</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.geo.long">

+ <DisplayName>data.geo.long</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.geo.state">

+ <DisplayName>data.geo.state</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.device.ua_brand">

+ <DisplayName>data.device.ua_brand</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.device.ua_browser">

+ <DisplayName>data.device.ua_browser</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.device.ua_device_type">

+ <DisplayName>data.device.ua_device_type</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.device.ua_name">

+ <DisplayName>data.device.ua_name</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.device.ua_os">

+ <DisplayName>data.device.ua_os</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.device.ua_type">

+ <DisplayName>data.device.ua_type</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.device.ua_version">

+ <DisplayName>data.device.ua_version</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>List of asserted risk</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.email.ip_count">

+ <DisplayName>data.activity.email.ip_count</DisplayName>

+ <DataType>int</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.email.lastseen">

+ <DisplayName>data.activity.email.lastseen</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.email.frequency">

+ <DisplayName>data.activity.email.frequency</DisplayName>

+ <DataType>int</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.emailip.frequency">

+ <DisplayName>data.activity.emailip.frequency</DisplayName>

+ <DataType>int</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.emailip.lastseen">

+ <DisplayName>data.activity.emailip.lastseen</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.emailip.match">

+ <DisplayName>data.activity.emailip.match</DisplayName>

+ <DataType>boolean</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.emailip.rank_email">

+ <DisplayName>data.activity.emailip.rank_email</DisplayName>

+ <DataType>int</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.emailip.rank_ip">

+ <DisplayName>data.activity.emailip.rank_ip</DisplayName>

+ <DataType>int</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.ip.email_count">

+ <DisplayName>data.activity.ip.email_count</DisplayName>

+ <DataType>int</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.ip.lastseen">

+ <DisplayName>data.activity.ip.lastseen</DisplayName>

+ <DataType>string</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.activity.ip.frequency">

+ <DisplayName>data.activity.ip.frequency</DisplayName>

+ <DataType>int</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="data.sent_timestamp">

+ <DisplayName>datasent_timestamp</DisplayName>

+ <DataType>long</DataType>

+ <AdminHelpText>Add help text here</AdminHelpText>

+ </ClaimType>

+ <ClaimType Id="user_agent">

+ <DisplayName>User Agent</DisplayName>

+ <DataType>string</DataType>

+ <UserHelpText>Add help text here</UserHelpText>

+ <UserInputType>TextBox</UserInputType>

+ </ClaimType>

+ <ClaimType Id="correlationId">

+ <DisplayName>correlation ID</DisplayName>

+ <DataType>string</DataType>

+ </ClaimType>

+ <!-- End Response claims from Deduce Insight API -->

+ ...

+ </ClaimsSchema>

+ ...

+ </BuildingBlocks>

+ ```

+### Step 6: Add Deduce ClaimsProvider

+A **claims provider** is an interface to communicate with different types of parties via its [technical profiles](https://docs.microsoft.com/azure/active-directory-b2c/technicalprofiles).

+- `SelfAsserted-UserAgent` self-asserted technical profile is used to collect user_agent from client-side.

+- `deduce_insight_api` technical profile sends data to the Deduce RESTful service in an input claims collection and receives data back in an output claims collection. For more information, see [integrate REST API claims exchanges in your Azure AD B2C custom policy](https://docs.microsoft.com/azure/active-directory-b2c/api-connectors-overview?pivots=b2c-custom-policy)

+You can define Deduce as a claims provider by adding it to the **ClaimsProvider** element in the extension file of your policy.

+1. Open the `TrustFrameworkExtensions.xml`.

+1. Find the **ClaimsProvider** element. If it doesn't exist, add a new **ClaimsProvider** as follows:

+ ```xml

+ <ClaimsProvider>

+ <DisplayName>Deduce REST API</DisplayName>

+ <TechnicalProfiles>

+ <TechnicalProfile Id="SelfAsserted-UserAgent">

+ <DisplayName>Pre-login</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.SelfAssertedAttributeProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ContentDefinitionReferenceId">api.selfassertedDeduce</Item>

+ <Item Key="setting.showCancelButton">false</Item>

+ <Item Key="language.button_continue">Continue</Item>

+ </Metadata>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="user_agent" />

+ </OutputClaims>

+ </TechnicalProfile>

+ <TechnicalProfile Id="deduce_insight_api">

+ <DisplayName>Get customer insight data from deduce api</DisplayName>

+ <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.RestfulProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />

+ <Metadata>

+ <Item Key="ServiceUrl">https://deduceproxyapi.azurewebsites.net/api/Deduce/DeduceInsights</Item>

+ <Item Key="AuthenticationType">None</Item>

+ <Item Key="SendClaimsIn">Body</Item>

+ <Item Key="ResolveJsonPathsInJsonTokens">true</Item>

+ <Item Key="AllowInsecureAuthInProduction">true</Item>

+ <Item Key="DebugMode">true</Item>

+ <Item Key="IncludeClaimResolvingInClaimsHandling">true</Item>

+ </Metadata>

+ <InputClaims>

+ <InputClaim ClaimTypeReferenceId="user_agent" />

+ <InputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />

+ <InputClaim ClaimTypeReferenceId="ip" DefaultValue="{Context:IPAddress}" AlwaysUseDefaultValue="true" />

+ <InputClaim ClaimTypeReferenceId="apikey" DefaultValue="<DEDUCE API KEY>" />

+ <InputClaim ClaimTypeReferenceId="action" DefaultValue="auth.success.password" />

+ <InputClaim ClaimTypeReferenceId="site" DefaultValue="<SITE>" />

+ </InputClaims>

+ <OutputClaims>

+ <OutputClaim ClaimTypeReferenceId="data.sent_timestamp" PartnerClaimType="data.sent_timestamp" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.ip.frequency" PartnerClaimType="data.activity.ip.frequency" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.ip.lastseen" PartnerClaimType="data.activity.ip.lastseen" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.ip.email_count" PartnerClaimType="data.activity.ip.email_count" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.email.ip_count" PartnerClaimType="data.activity.email.ip_count" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.email.lastseen" PartnerClaimType="data.activity.email.lastseen" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.email.frequency" PartnerClaimType="data.activity.email.frequency" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.frequency" PartnerClaimType="data.activity.emailip.frequency" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.lastseen" PartnerClaimType="data.activity.emailip.lastseen" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.match" PartnerClaimType="data.activity.emailip.match" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.rank_email" PartnerClaimType="data.activity.emailip.rank_email" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.rank_ip" PartnerClaimType="data.activity.emailip.rank_ip" />

+ <OutputClaim ClaimTypeReferenceId="data.signals.trust" PartnerClaimType="data.signals.trust" />

+ <OutputClaim ClaimTypeReferenceId="data.signals.info" PartnerClaimType="data.signals.info" />

+ <OutputClaim ClaimTypeReferenceId="data.signals.risk" PartnerClaimType="data.signals.risk" />

+ <OutputClaim ClaimTypeReferenceId="data.network.company_name" PartnerClaimType="data.network.company_name" />

+ <OutputClaim ClaimTypeReferenceId="data.network.crawler_name" PartnerClaimType="data.network.crawler_name" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_corporate" PartnerClaimType="data.network.is_corporate" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_education" PartnerClaimType="data.network.is_education" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_hosting" PartnerClaimType="data.network.is_hosting" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_mobile" PartnerClaimType="data.network.is_mobile" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_proxy" PartnerClaimType="data.network.is_proxy" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_tor" PartnerClaimType="data.network.is_tor" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_vpn_capable" PartnerClaimType="data.network.is_vpn_capable" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_vpn_confirmed" PartnerClaimType="data.network.is_vpn_confirmed" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_vpn_suspect" PartnerClaimType="data.network.is_vpn_suspect" />

+ <OutputClaim ClaimTypeReferenceId="data.network.isp_name" PartnerClaimType="data.network.isp_name" />

+ <OutputClaim ClaimTypeReferenceId="data.network.vpn_name" PartnerClaimType="data.network.vpn_name" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.city" PartnerClaimType="data.geo.city" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.country" PartnerClaimType="data.geo.country" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.lat" PartnerClaimType="data.geo.lat" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.long" PartnerClaimType="data.geo.long" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.state" PartnerClaimType="data.geo.state" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_brand" PartnerClaimType="data.device.ua_brand" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_browser" PartnerClaimType="data.device.ua_browser" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_device_type" PartnerClaimType="data.device.ua_device_type" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_name" PartnerClaimType="data.device.ua_name" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_os" PartnerClaimType="data.device.ua_os" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_type" PartnerClaimType="data.device.ua_type" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_version" PartnerClaimType="data.device.ua_version" />

+ </OutputClaims>

+ </TechnicalProfile>

+ </TechnicalProfiles>

+ </ClaimsProvider>

+ ```

+Replace `apikey` and `site` with the information provided by Deduce at the time of initial onboarding.

+### Step 7: Add a user journey

+At this point, the **Deduce RESTfull API** has been set up, but it's not yet available in any of the sign-up or sign-in pages. If you don't have your own custom user journey, create a duplicate of an existing template user journey, otherwise continue to the next step.

+1. Open the `TrustFrameworkBase.xml` file from the starter pack.

+1. Find and copy the entire contents of the **UserJourneys** element that includes 'Id=SignUpOrSignIn`.

+1. Open the `TrustFrameworkExtensions.xml` and find the **UserJourneys** element. If the element doesn't exist, add one.

+1. Paste the entire content of the **UserJourney** element that you copied as a child of the **UserJourneys** element.

+1. Rename the `Id` of the user journey. For example, `Id=CustomSignUpSignIn`

+### Step 8: Add Deduce API to a user journey

+Now that you've a user journey, add the orchestrations steps to call Deduce.

+1. Find the orchestration step element that includes `Type=CombinedSignInAndSignUp`, or `Type=ClaimsProviderSelection` in the user journey. It's usually the first orchestration step.

+1. Add a new orchestration step to invoke `SelfAsserted-UserAgent` technical profile.

+1. Add a new orchestration step to invoke `**deduce_insight_api**` technical profile.

+ The below example of UserJourney is based on local accounts starter pack:

+ ```xml

+ <UserJourneys>

+ <UserJourney Id="CustomSignUpOrSignIn">

+ <OrchestrationSteps>

+ <OrchestrationStep Order="1" Type="ClaimsExchange">

+ <ClaimsExchanges>

+ <ClaimsExchange Id="Browser-UserAgent" TechnicalProfileReferenceId="SelfAsserted-UserAgent" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <OrchestrationStep Order="2" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">

+ <ClaimsProviderSelections>

+ <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />

+ </ClaimsProviderSelections>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <OrchestrationStep Order="3" Type="ClaimsExchange">

+ <Preconditions>

+ <Precondition Type="ClaimsExist" ExecuteActionsIf="true">

+ <Value>objectId</Value>

+ <Action>SkipThisOrchestrationStep</Action>

+ </Precondition>

+ </Preconditions>

+ <ClaimsExchanges>

+ <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <!-- This step reads any user attributes that we may not have received when in the token. -->

+ <OrchestrationStep Order="4" Type="ClaimsExchange">

+ <ClaimsExchanges>

+ <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <OrchestrationStep Order="5" Type="ClaimsExchange">

+ <ClaimsExchanges>

+ <ClaimsExchange Id="DecideInsights" TechnicalProfileReferenceId="deduce_insight_api" />

+ </ClaimsExchanges>

+ </OrchestrationStep>

+ <OrchestrationStep Order="6" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="JwtIssuer" />

+ </OrchestrationSteps>

+ <ClientDefinition ReferenceId="DefaultWeb" />

+ </UserJourney>

+ </UserJourneys>

+ ```

+### Step 9: Configure the relying party policy

+The relying party policy specifies the user journey which Azure AD B2C will execute. You can also control what claims are passed to your application by adjusting the **OutputClaims** element of the **SignUpOrSignIn_WithDeduce** TechnicalProfile element. In this sample, the application will receive information back from the middle layer API:

+```xml

+ <RelyingParty>

+ <DefaultUserJourney ReferenceId="CustomSignUpOrSignIn" />

+ <UserJourneyBehaviors>

+ <ScriptExecution>Allow</ScriptExecution>

+ </UserJourneyBehaviors>

+ <TechnicalProfile Id="PolicyProfile">

+ <DisplayName>PolicyProfile</DisplayName>

+ <Protocol Name="OpenIdConnect" />

+ <OutputClaims>

+ <!-- <OutputClaim ClaimTypeReferenceId="user_agent" /> -->

+ <OutputClaim ClaimTypeReferenceId="displayName" />

+ <OutputClaim ClaimTypeReferenceId="givenName" />

+ <OutputClaim ClaimTypeReferenceId="surname" />

+ <OutputClaim ClaimTypeReferenceId="email" />

+ <OutputClaim ClaimTypeReferenceId="correlationId" DefaultValue="{Context:CorrelationId}" />

+ <OutputClaim ClaimTypeReferenceId="data.sent_timestamp" PartnerClaimType="data.sent_timestamp" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.ip.frequency" PartnerClaimType="data.activity.ip.frequency" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.ip.lastseen" PartnerClaimType="data.activity.ip.lastseen" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.ip.email_count" PartnerClaimType="data.activity.ip.email_count" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.email.ip_count" PartnerClaimType="data.activity.email.ip_count" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.email.lastseen" PartnerClaimType="data.activity.email.lastseen" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.email.frequency" PartnerClaimType="data.activity.email.frequency" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.frequency" PartnerClaimType="data.activity.emailip.frequency" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.lastseen" PartnerClaimType="data.activity.emailip.lastseen" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.match" PartnerClaimType="data.activity.emailip.match" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.rank_email" PartnerClaimType="data.activity.emailip.rank_email" />

+ <OutputClaim ClaimTypeReferenceId="data.activity.emailip.rank_ip" PartnerClaimType="data.activity.emailip.rank_ip" />

+ <OutputClaim ClaimTypeReferenceId="data.signals.trust" PartnerClaimType="data.signals.trust" />

+ <OutputClaim ClaimTypeReferenceId="data.signals.info" PartnerClaimType="data.signals.info" />

+ <OutputClaim ClaimTypeReferenceId="data.signals.risk" PartnerClaimType="data.signals.risk" />

+ <OutputClaim ClaimTypeReferenceId="data.network.company_name" PartnerClaimType="data.network.company_name" />

+ <OutputClaim ClaimTypeReferenceId="data.network.crawler_name" PartnerClaimType="data.network.crawler_name" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_corporate" PartnerClaimType="data.network.is_corporate" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_education" PartnerClaimType="data.network.is_education" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_hosting" PartnerClaimType="data.network.is_hosting" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_mobile" PartnerClaimType="data.network.is_mobile" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_proxy" PartnerClaimType="data.network.is_proxy" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_tor" PartnerClaimType="data.network.is_tor" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_vpn_capable" PartnerClaimType="data.network.is_vpn_capable" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_vpn_confirmed" PartnerClaimType="data.network.is_vpn_confirmed" />

+ <OutputClaim ClaimTypeReferenceId="data.network.is_vpn_suspect" PartnerClaimType="data.network.is_vpn_suspect" />

+ <OutputClaim ClaimTypeReferenceId="data.network.isp_name" PartnerClaimType="data.network.isp_name" />

+ <OutputClaim ClaimTypeReferenceId="data.network.vpn_name" PartnerClaimType="data.network.vpn_name" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.city" PartnerClaimType="data.geo.city" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.country" PartnerClaimType="data.geo.country" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.lat" PartnerClaimType="data.geo.lat" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.long" PartnerClaimType="data.geo.long" />

+ <OutputClaim ClaimTypeReferenceId="data.geo.state" PartnerClaimType="data.geo.state" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_brand" PartnerClaimType="data.device.ua_brand" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_browser" PartnerClaimType="data.device.ua_browser" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_device_type" PartnerClaimType="data.device.ua_device_type" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_name" PartnerClaimType="data.device.ua_name" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_os" PartnerClaimType="data.device.ua_os" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_type" PartnerClaimType="data.device.ua_type" />

+ <OutputClaim ClaimTypeReferenceId="data.device.ua_version" PartnerClaimType="data.device.ua_version" />

+ <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />

+ <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />

+ </OutputClaims>

+ <SubjectNamingInfo ClaimType="sub" />

+ </TechnicalProfile>

+ </RelyingParty>

+```

+### Step 10: Upload the custom policy

+1. Sign in to the [Azure portal](https://portal.azure.com/#home).

+1. Make sure you're using the directory that contains your Azure AD B2C tenant:

+ a. Select the **Directories + subscriptions** icon in the portal toolbar.

+ b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch** button next to it.

+1. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.

+1. Under Policies, select **Identity Experience Framework**.

+1. Select **Upload Custom Policy**, and then upload the two policy files that you changed, in the following order: the extension policy, for example `TrustFrameworkBase.xml`, then the relying party policy, such as `B2C_1A_signup`.

+### Step 11: Test your custom policy

+1. Select your relying party policy, for example `B2C_1A_signup`.

+1. For **Application**, select a web application that you [previously registered](./tutorial-register-applications.md). The **Reply URL** should show `https://jwt.ms`.

+1. Select the **Run now** button.

+1. The sign-up policy should invoke Deduce immediately. If sign-in is used, then select Deduce to sign in with Deduce.

+If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.

+## Next steps

+For additional information, review the following articles:

+- [Custom policies in Azure AD B2C](./custom-policy-overview.md)

+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)

+|  is an identity verification and proofing provider focused on stopping account takeover and registration fraud. It helps combat identity fraud and creates a trusted user experience. |

+2. On the left menu, select **Access reviews**.

+3. Select **New access review** to create a new access review.

+4. In the **Select what to review** box, select which resource you want to review.

+5. If you selected **Teams + Groups**, you have two options:

+6. If you selected **Applications**, select one or more applications.

+8. Or if you are conducting group membership review, you can create access reviews for only the inactive users in the group. In the *Users scope* section, check the box next to **Inactive users (on tenant level)**. If you check the box, the scope of the review will focus on inactive users only, those who have not signed in either interactively or non-interactively to the tenant. Then, specify **Days inactive** with a number of days inactive up to 730 days (two years). Users in the group inactive for the specified number of days will be the only users in the review.

+ > [!NOTE]

+ > Recently created users are not affected when configuring the inactivity time. The Access Review will check if a user has been created in the time frame configured and disregard users who havenΓÇÖt existed for at least that amount of time. For example, if you set the inactivity time as 90 days and a guest user was created or invited less than 90 days ago, the guest user will not be in scope of the Access Review. This ensures that a user can sign in at least once before being removed.

+9. Select **Next: Reviews**.

+ > [!Note]

+ > An approver does not have to have an Azure AD administrative role themselves. They can be a regular user, such as an IT executive.

+ Title: 'Tutorial: Azure AD SSO integration with NetMotion Mobility'

+description: Learn how to configure single sign-on between Azure Active Directory and NetMotion Mobility.

+# Tutorial: Azure AD SSO integration with NetMotion Mobility

+In this tutorial, you'll learn how to integrate NetMotion Mobility with Azure Active Directory (Azure AD). When you integrate NetMotion Mobility with Azure AD, you can:

+* Control in Azure AD who has access to NetMotion Mobility.

+* Enable users to be signed-in with a NetMotion Mobility client with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* NetMotion Mobility 12.50 or later.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* NetMotion Mobility supports **SP** initiated SSO.

+* NetMotion Mobility supports **Just In Time** user provisioning.

+## Add NetMotion Mobility from the gallery

+To configure the integration of NetMotion Mobility into Azure AD, you need to add NetMotion Mobility from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **NetMotion Mobility** in the search box.

+1. Select **NetMotion Mobility** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for NetMotion Mobility

+Configure and test Azure AD SSO with NetMotion Mobility using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in NetMotion Mobility.

+To configure and test Azure AD SSO with NetMotion Mobility, perform the following steps:

+1. **[Configure Mobility for SAML-based Authentication](#configure-mobility-for-saml-based-authentication)** - to enable end users to authenticate using their Azure AD credentials.

+2. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+3. **[Configure NetMotion Mobility SSO](#configure-netmotion-mobility-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create NetMotion Mobility test user](#create-netmotion-mobility-test-user)** - to have a counterpart of B.Simon in NetMotion Mobility that is linked to the Azure AD representation of user.

+4. **[Test SAML-based User Authentication with the Mobility Client](#test-saml-based-user-authentication-with-the-mobility-client)** - to verify whether the configuration works.

+## Configure Mobility for SAML-based Authentication

+On the Mobility console, follow the procedures in the [Mobility Administrator Guide](https://help.netmotionsoftware.com/support/docs/MobilityXG/1250/help/mobilityhelp.htm#page/Mobility%2520Server%2Fintro.01.01.html%23) to accomplish the following:

+1. Create an [authentication profile](https://help.netmotionsoftware.com/support/docs/MobilityXG/1250/help/mobilityhelp.htm#page/Mobility%2520Server%2Fconfig.05.41.html%23ww2298330) for SAML ΓÇô to enable a set of Mobility users to use the SAML protocol.

+2. Configure [SAML-based user authentication](https://help.netmotionsoftware.com/support/docs/MobilityXG/1250/help/mobilityhelp.htm#context/nmcfgapp/saml_userconfig), in Mobility ΓÇô to set an SP URL and generate the mobilitySPmetadata.xml file which you will later import into Azure AD.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **NetMotion Mobility** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click on **Upload Metadata file** just above the **Basic SAML Configuration** section to import your mobilitySPMetadata.xml file into Azure AD.

+

+ 

+1. After importing the metadata file, on the **Basic SAML Configuration** section, perform the following steps to verify that the XML import has been completed successfully:

+ a. In the **Identifier** text box, verify that the URL is using the following pattern, where the variables in the following example URL match those for your Mobility server:

+ `https://<YourMobilityServerName>.<CustomerDomain>.<tld>/`

+ b. In the **Reply URL** text box, verify that the URL is using the following pattern:

+ `https://<YourMobilityServerName>.<CustomerDomain>.<tld>/saml/login`

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to NetMotion Mobility.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **NetMotion Mobility**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure NetMotion Mobility SSO

+Follow the instructions in the Mobility Administrator Guide for [Configuring IdP Settings in the Mobility Console](https://help.netmotionsoftware.com/support/docs/MobilityXG/1250/help/mobilityhelp.htm#context/nmcfgapp/saml_userconfig), import the Azure AD metadata file back into your Mobility server and complete the steps for IdP configuration.

+1. Once the Mobility authentication settings are configured, assign them to devices or device groups.

+1. Go to **Mobility console** > **Configure** > **Client Settings** and select the device or device group on the left that will use SAML-based authentication.

+1. Select **Authentication - Settings** Profile and choose the settings profile you created from the drop-down list.

+1. When you click **Apply**, the selected device or group is subscribed to the non-default settings.

+### Create NetMotion Mobility test user

+In this section, a user called B.Simon is created in NetMotion Mobility. NetMotion Mobility supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in NetMotion Mobility, a new one is created after authentication.

+## Test SAML-based User Authentication with the Mobility Client

+In this section, you test your Azure AD SAML configuration for client authentication.

+1. Follow the guidance in [Configuring Mobility Clients](https://help.netmotionsoftware.com/support/docs/MobilityXG/1250/help/mobilityhelp.htm#page/Mobility%2520Server%2Fusing.06.01.html%23), configure a client device that is assigned a SAML-based authentication profile to access the Mobility server pool you have configured for SAML-based authentication and attempt to connect.

+1. If you encounter problems during the test, follow the guidance under [Troubleshooting the Mobility Client](https://help.netmotionsoftware.com/support/docs/MobilityXG/1250/help/mobilityhelp.htm#page/Mobility%2520Server%2Ftrouble.14.02.html).

+## Register the `KubernetesConfiguration` service provider

+If you have not previously used cluster extensions, you may need to register the service provider with your subscription. You can check the status of the provider registration using the [az provider list][az-provider-list] command, as shown in the following example:

+```azurecli-interactive

+az provider list --query "[?contains(namespace,'Microsoft.KubernetesConfiguration')]" -o table

+```

+The *Microsoft.KubernetesConfiguration* provider should report as *Registered*, as shown in the following example output:

+```output

+Namespace RegistrationState RegistrationPolicy

+ - --

+Microsoft.KubernetesConfiguration Registered RegistrationRequired

+```

+If the provider shows as *NotRegistered*, register the provider using the [az provider register][az-provider-register] as shown in the following example:

+```azurecli-interactive

+az provider register --namespace Microsoft.KubernetesConfiguration

+```

+### Register the `KubernetesConfiguration` service provider

+If you have not previously used cluster extensions, you may need to register the service provider with your subscription. You can check the status of the provider registration using the [az provider list][az-provider-list] command, as shown in the following example:

+```azurecli-interactive

+az provider list --query "[?contains(namespace,'Microsoft.KubernetesConfiguration')]" -o table

+```

+The *Microsoft.KubernetesConfiguration* provider should report as *Registered*, as shown in the following example output:

+```output

+Namespace RegistrationState RegistrationPolicy

+ - --

+Microsoft.KubernetesConfiguration Registered RegistrationRequired

+```

+If the provider shows as *NotRegistered*, register the provider using the [az provider register][az-provider-register] as shown in the following example:

+```azurecli-interactive

+az provider register --namespace Microsoft.KubernetesConfiguration

+```

+In the following example, traffic to *EXTERNAL_IP/hello-world-one* is routed to the service named `aks-helloworld-one`. Traffic to *EXTERNAL_IP/hello-world-two* is routed to the `aks-helloworld-two` service. Traffic to *EXTERNAL_IP/static* is routed to the service named `aks-helloworld-one` for static assets.

+ Title: Quickstart - Create an Azure Kubernetes Service (AKS) cluster by using Bicep

+description: Learn how to quickly create a Kubernetes cluster using a Bicep file and deploy an application in Azure Kubernetes Service (AKS)

+#Customer intent: As a developer or cluster operator, I want to quickly create an AKS cluster and deploy an application so that I can see how to run applications using the managed Kubernetes service in Azure.

+# Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Bicep

+Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage clusters. In this quickstart, you'll:

+* Deploy an AKS cluster using a Bicep file.

+* Run a sample multi-container application with a web front-end and a Redis instance in the cluster.

+This quickstart assumes a basic understanding of Kubernetes concepts. For more information, see [Kubernetes core concepts for Azure Kubernetes Service (AKS)][kubernetes-concepts].

+## Prerequisites

+### [Azure CLI](#tab/azure-cli)

+* This article requires version 2.20.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+### [Azure PowerShell](#tab/azure-powershell)

+* If you're running PowerShell locally, install the Az PowerShell module and connect to your Azure account using the [Connect-AzAccount][connect-azaccount] cmdlet. For more information about installing the Az PowerShell module, see [Install Azure PowerShell][install-azure-powershell]. You'll also need Bicep CLI. For more information, see [Azure PowerShell](../../azure-resource-manager/bicep/install.md#azure-powershell). If using Azure Cloud Shell, the latest version is already installed.

+* To create an AKS cluster using a Bicep file, you provide an SSH public key. If you need this resource, see the following section; otherwise skip to the [Review the Bicep file](#review-the-bicep-file) section.

+* The identity you're using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)](../concepts-identity.md).

+* To deploy a Bicep file, you need write access on the resources you're deploying and access to all operations on the Microsoft.Resources/deployments resource type. For example, to deploy a virtual machine, you need Microsoft.Compute/virtualMachines/write and Microsoft.Resources/deployments/* permissions. For a list of roles and permissions, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md).

+### Create an SSH key pair

+To access AKS nodes, you connect using an SSH key pair (public and private), which you generate using the `ssh-keygen` command. By default, these files are created in the *~/.ssh* directory. Running the `ssh-keygen` command will overwrite any SSH key pair with the same name already existing in the given location.

+1. Go to [https://shell.azure.com](https://shell.azure.com) to open Cloud Shell in your browser.

+1. Run the `ssh-keygen` command. The following example creates an SSH key pair using RSA encryption and a bit length of 4096:

+ ```console

+ ssh-keygen -t rsa -b 4096

+ ```

+For more information about creating SSH keys, see [Create and manage SSH keys for authentication in Azure][ssh-keys].

+## Review the Bicep file

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/aks/).

+The resource defined in the Bicep file:

+* [**Microsoft.ContainerService/managedClusters**](/azure/templates/microsoft.containerservice/managedclusters?tabs=bicep&pivots=deployment-language-bicep)

+For more AKS samples, see the [AKS quickstart templates][aks-quickstart-templates] site.

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name myResourceGroup --location eastus

+ az deployment group create --resource-group myResourceGroup --template-file main.bicep --parameters clusterName=<cluster-name> dnsPrefix=<dns-previs> linuxAdminUsername=<linux-admin-username> sshRSAPublicKey='<ssh-key>'

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name myResourceGroup -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName myResourceGroup -TemplateFile ./main.bicep -clusterName=<cluster-name> -dnsPrefix=<dns-prefix> -linuxAdminUsername=<linux-admin-username> -sshRSAPublicKey="<ssh-key>"

+ ```

+

+ Provide the following values in the commands:

+ * **Cluster name**: Enter a unique name for the AKS cluster, such as *myAKSCluster*.

+ * **DNS prefix**: Enter a unique DNS prefix for your cluster, such as *myakscluster*.

+ * **Linux Admin Username**: Enter a username to connect using SSH, such as *azureuser*.

+ * **SSH RSA Public Key**: Copy and paste the *public* part of your SSH key pair (by default, the contents of *~/.ssh/id_rsa.pub*).

+ It takes a few minutes to create the AKS cluster. Wait for the cluster to be successfully deployed before you move on to the next step.

+## Validate the Bicep deployment

+### Connect to the cluster

+To manage a Kubernetes cluster, use the Kubernetes command-line client, [kubectl][kubectl]. `kubectl` is already installed if you use Azure Cloud Shell.

+### [Azure CLI](#tab/azure-cli)

+1. Install `kubectl` locally using the [az aks install-cli][az-aks-install-cli] command:

+ ```azurecli

+ az aks install-cli

+ ```

+2. Configure `kubectl` to connect to your Kubernetes cluster using the [az aks get-credentials][az-aks-get-credentials] command. This command downloads credentials and configures the Kubernetes CLI to use them.

+ ```azurecli-interactive

+ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

+ ```

+3. Verify the connection to your cluster using the [kubectl get][kubectl-get] command. This command returns a list of the cluster nodes.

+ ```console

+ kubectl get nodes

+ ```

+ The following output example shows the three nodes created in the previous steps. Make sure the node status is *Ready*:

+ ```output

+ NAME STATUS ROLES AGE VERSION

+ aks-agentpool-41324942-0 Ready agent 6m44s v1.12.6

+ aks-agentpool-41324942-1 Ready agent 6m46s v1.12.6

+ aks-agentpool-41324942-2 Ready agent 6m45s v1.12.6

+ ```

+### [Azure PowerShell](#tab/azure-powershell)

+1. Install `kubectl` locally using the [Install-AzAksKubectl][install-azakskubectl] cmdlet:

+ ```azurepowershell

+ Install-AzAksKubectl

+ ```

+2. Configure `kubectl` to connect to your Kubernetes cluster using the [Import-AzAksCredential][import-azakscredential] cmdlet. The following cmdlet downloads credentials and configures the Kubernetes CLI to use them.

+ ```azurepowershell-interactive

+ Import-AzAksCredential -ResourceGroupName myResourceGroup -Name myAKSCluster

+ ```

+3. Verify the connection to your cluster using the [kubectl get][kubectl-get] command. This command returns a list of the cluster nodes.

+ ```azurepowershell-interactive

+ kubectl get nodes

+ ```

+ The following output example shows the three nodes created in the previous steps. Make sure the node status is *Ready*:

+ ```plaintext

+ NAME STATUS ROLES AGE VERSION

+ aks-agentpool-41324942-0 Ready agent 6m44s v1.12.6

+ aks-agentpool-41324942-1 Ready agent 6m46s v1.12.6

+ aks-agentpool-41324942-2 Ready agent 6m45s v1.12.6

+ ```

+## Deploy the application

+A [Kubernetes manifest file][kubernetes-deployment] defines a cluster's desired state, such as which container images to run.

+In this quickstart, you'll use a manifest to create all objects needed to run the [Azure Vote application][azure-vote-app]. This manifest includes two [Kubernetes deployments][kubernetes-deployment]:

+* The sample Azure Vote Python applications.

+* A Redis instance.

+Two [Kubernetes Services][kubernetes-service] are also created:

+* An internal service for the Redis instance.

+* An external service to access the Azure Vote application from the internet.

+1. Create a file named `azure-vote.yaml`.

+ * If you use the Azure Cloud Shell, this file can be created using `code`, `vi`, or `nano` as if working on a virtual or physical system

+1. Copy in the following YAML definition:

+ ```yaml

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+ name: azure-vote-back

+ spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: azure-vote-back

+ template:

+ metadata:

+ labels:

+ app: azure-vote-back

+ spec:

+ nodeSelector:

+ "kubernetes.io/os": linux

+ containers:

+ - name: azure-vote-back

+ image: mcr.microsoft.com/oss/bitnami/redis:6.0.8

+ env:

+ - name: ALLOW_EMPTY_PASSWORD

+ value: "yes"

+ resources:

+ requests:

+ cpu: 100m

+ memory: 128Mi

+ limits:

+ cpu: 250m

+ memory: 256Mi

+ ports:

+ - containerPort: 6379

+ name: redis

+

+ apiVersion: v1

+ kind: Service

+ metadata:

+ name: azure-vote-back

+ spec:

+ ports:

+ - port: 6379

+ selector:

+ app: azure-vote-back

+

+ apiVersion: apps/v1

+ kind: Deployment

+ metadata:

+ name: azure-vote-front

+ spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: azure-vote-front

+ template:

+ metadata:

+ labels:

+ app: azure-vote-front

+ spec:

+ nodeSelector:

+ "kubernetes.io/os": linux

+ containers:

+ - name: azure-vote-front

+ image: mcr.microsoft.com/azuredocs/azure-vote-front:v1

+ resources:

+ requests:

+ cpu: 100m

+ memory: 128Mi

+ limits:

+ cpu: 250m

+ memory: 256Mi

+ ports:

+ - containerPort: 80

+ env:

+ - name: REDIS

+ value: "azure-vote-back"

+

+ apiVersion: v1

+ kind: Service

+ metadata:

+ name: azure-vote-front

+ spec:

+ type: LoadBalancer

+ ports:

+ - port: 80

+ selector:

+ app: azure-vote-front

+ ```

+1. Deploy the application using the [kubectl apply][kubectl-apply] command and specify the name of your YAML manifest:

+ ```console

+ kubectl apply -f azure-vote.yaml

+ ```

+ The following example resembles output showing the successfully created deployments and

+ ```output

+ deployment "azure-vote-back" created

+ service "azure-vote-back" created

+ deployment "azure-vote-front" created

+ service "azure-vote-front" created

+ ```

+### Test the application

+When the application runs, a Kubernetes service exposes the application front end to the internet. This process can take a few minutes to complete.

+Monitor progress using the [kubectl get service][kubectl-get] command with the `--watch` argument.

+```console

+kubectl get service azure-vote-front --watch

+```

+The **EXTERNAL-IP** output for the `azure-vote-front` service will initially show as *pending*.

+```output

+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

+azure-vote-front LoadBalancer 10.0.37.27 <pending> 80:30572/TCP 6s

+```

+Once the **EXTERNAL-IP** address changes from *pending* to an actual public IP address, use `CTRL-C` to stop the `kubectl` watch process. The following example output shows a valid public IP address assigned to the service:

+```output

+azure-vote-front LoadBalancer 10.0.37.27 52.179.23.131 80:30572/TCP 2m

+```

+To see the Azure Vote app in action, open a web browser to the external IP address of your service.

+## Clean up resources

+### [Azure CLI](#tab/azure-cli)

+To avoid Azure charges, if you don't plan on going through the tutorials that follow, clean up your unnecessary resources. Use the [az group delete][az-group-delete] command to remove the resource group, container service, and all related resources.

+```azurecli-interactive

+az group delete --name myResourceGroup --yes --no-wait

+```

+### [Azure PowerShell](#tab/azure-powershell)

+To avoid Azure charges, if you don't plan on going through the tutorials that follow, clean up your unnecessary resources. Use the [Remove-AzResourceGroup][remove-azresourcegroup] cmdlet to remove the resource group, container service, and all related resources.

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name myResourceGroup

+```

+> [!NOTE]

+> In this quickstart, the AKS cluster was created with a system-assigned managed identity (the default identity option). This identity is managed by the platform and does not require removal.

+## Next steps

+In this quickstart, you deployed a Kubernetes cluster and then deployed a sample multi-container application to it.

+To learn more about AKS, and walk through a complete code to deployment example, continue to the Kubernetes cluster tutorial.

+> [!div class="nextstepaction"]

+> [AKS tutorial][aks-tutorial]

+<!-- LINKS - external -->

+[azure-vote-app]: https://github.com/Azure-Samples/azure-voting-app-redis.git

+[kubectl]: https://kubernetes.io/docs/user-guide/kubectl/

+[kubectl-apply]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#apply

+[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get

+[azure-dev-spaces]: /previous-versions/azure/dev-spaces/

+[aks-quickstart-templates]: https://azure.microsoft.com/resources/templates/?term=Azure+Kubernetes+Service

+<!-- LINKS - internal -->

+[kubernetes-concepts]: ../concepts-clusters-workloads.md

+[aks-monitor]: ../../azure-monitor/containers/container-insights-onboard.md

+[aks-tutorial]: ../tutorial-kubernetes-prepare-app.md

+[az-aks-browse]: /cli/azure/aks#az_aks_browse

+[az-aks-create]: /cli/azure/aks#az_aks_create

+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials

+[import-azakscredential]: /powershell/module/az.aks/import-azakscredential

+[az-aks-install-cli]: /cli/azure/aks#az_aks_install_cli

+[install-azakskubectl]: /powershell/module/az.aks/install-azakskubectl

+[az-group-create]: /cli/azure/group#az_group_create

+[az-group-delete]: /cli/azure/group#az_group_delete

+[remove-azresourcegroup]: /powershell/module/az.resources/remove-azresourcegroup

+[azure-cli-install]: /cli/azure/install-azure-cli

+[install-azure-powershell]: /powershell/azure/install-az-ps

+[connect-azaccount]: /powershell/module/az.accounts/Connect-AzAccount

+[sp-delete]: ../kubernetes-service-principal.md#additional-considerations

+[azure-portal]: https://portal.azure.com

+[kubernetes-deployment]: ../concepts-clusters-workloads.md#deployments-and-yaml-manifests

+[kubernetes-service]: ../concepts-network.md#services

+[ssh-keys]: ../../virtual-machines/linux/create-ssh-keys-detailed.md

+[az-ad-sp-create-for-rbac]: /cli/azure/ad/sp#az_ad_sp_create_for_rbac

+## Prerequisites

+### [Azure CLI](#tab/azure-cli)

+* This article requires version 2.0.64 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+* If you're running PowerShell locally, install the Az PowerShell module and connect to your Azure account using the [Connect-AzAccount][connect-azaccount] cmdlet. For more information about installing the Az PowerShell module, see [Install Azure PowerShell][install-azure-powershell]. If using Azure Cloud Shell, the latest version is already installed.

+* To create an AKS cluster using a Resource Manager template, you provide an SSH public key. If you need this resource, see the following section; otherwise skip to the [Review the template](#review-the-template) section.

+* The identity you are using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)](../concepts-identity.md).

+* To deploy a Bicep file or ARM template, you need write access on the resources you're deploying and access to all operations on the Microsoft.Resources/deployments resource type. For example, to deploy a virtual machine, you need Microsoft.Compute/virtualMachines/write and Microsoft.Resources/deployments/* permissions. For a list of roles and permissions, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md).

+The template used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/aks/).

+The resource defined in the ARM template includes:

+* [**Microsoft.ContainerService/managedClusters**](/azure/templates/microsoft.containerservice/managedclusters?pivots=deployment-language-arm-template)

+1. Select or enter the following values.

+1. Select **Review + Create**.

+1. Configure `kubectl` to connect to your Kubernetes cluster using the [az aks get-credentials][az-aks-get-credentials] command. This command downloads credentials and configures the Kubernetes CLI to use them.

+1. Verify the connection to your cluster using the [kubectl get][kubectl-get] command. This command returns a list of the cluster nodes.

+ aks-agentpool-41324942-0 Ready agent 6m44s v1.12.6

+1. Configure `kubectl` to connect to your Kubernetes cluster using the [Import-AzAksCredential][import-azakscredential] cmdlet. The following cmdlet downloads credentials and configures the Kubernetes CLI to use them.

+1. Verify the connection to your cluster using the [kubectl get][kubectl-get] command. This command returns a list of the cluster nodes.

+ aks-agentpool-41324942-0 Ready agent 6m44s v1.12.6

+ 1. Optionally, if the API doesn't already require a subscription, select **Create subscription key connection parameter**.

+## Manage a custom connector

+You can manage your custom connector in your Power Apps or Power Platform environment. For details about settings, see [Create a custom connector from scratch](/connectors/custom-connectors/define-blank).

+1. Select your connector from the list of custom connectors.

+1. Select the pencil (Edit) icon to edit and test the custom connector.

+> To call the API from the Power Apps test console, you need to add the `https://flow.microsoft.com` URL as an origin to the [CORS policy](api-management-cross-domain-policies.md#CORS) in your API Management instance.

+## Update a custom connector

+From API Management, you can update a connector to target a different API or Power Apps environment, or to update authorization settings.

+1. Navigate to your API Management service in the Azure portal.

+1. In the menu, under **APIs**, select **Power Platform**.

+1. Select **Update a connector**.

+1. Select the API you want to update the connector for, update settings as needed, and select **Update**.

+#### Auto-Scale Rules

+When configuring auto-scale rules for horizontal scaling it is important to remove instances incrementally (one at a time) to ensure each removed instance can transfer its activity (such as handling a database transaction) to another member of the cluster. When configuring your autoscale rules in the Portal to scale down, use the following options:

+- **Operation**: "Decrease count by"

+- **Cool down**: "5 minutes" or greater

+- **Instance count**: 1

+You do not need to incrementally add instances (scaling out), you can add multiple instances to the cluster at a time.

+## Serve static files for Flask apps

+If your Flask web app includes static front-end files, first follow the instructions on [managing static files](https://flask.palletsprojects.com/en/2.1.x/tutorial/static/) in the Flask documentation. For an example of serving static files in a Flask application, see the [quickstart sample Flask application](https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart) on Github.

+To serve static files directly from a route on your application, you can use the [`send_from_directory`](https://flask.palletsprojects.com/en/2.2.x/api/#flask.send_from_directory) method:

+```python

+from flask import send_from_directory

+@app.route('/reports/<path:path>')

+def send_report(path):

+ return send_from_directory('reports', path)

+```

+You can use Private Endpoint for your Azure Web App to allow clients located in your private network to securely access the app over Private Link. The Private Endpoint uses an IP address from your Azure virtual network address space. Network traffic between a client on your private network and the Web App traverses over the virtual network and a Private Link on the Microsoft backbone network, eliminating exposure from the public Internet.

+- Securely connect to Web App from on-premises networks that connect to the virtual network using a VPN or ExpressRoute private peering.

+- Avoid any data exfiltration from your virtual network.

+If you just need a secure connection between your virtual network and your Web App, a Service Endpoint is the simplest solution.

+If you also need to reach the web app from on-premises through an Azure Gateway, a regionally peered virtual network, or a globally peered virtual network, Private Endpoint is the solution.

+A Private Endpoint is a special network interface (NIC) for your Azure Web App in a Subnet in your virtual network.

+When you create a Private Endpoint for your Web App, it provides secure connectivity between clients on your private network and your Web App. The Private Endpoint is assigned an IP Address from the IP address range of your virtual network.

+The connection between the Private Endpoint and the Web App uses a secure [Private Link][privatelink]. Private Endpoint is only used for incoming flows to your Web App. Outgoing flows won't use this Private Endpoint. You can inject outgoing flows to your network in a different subnet through the [virtual network integration feature][vnetintegrationfeature].

+>The virtual network integration feature cannot use the same subnet as Private Endpoint, this is a limitation of the virtual network integration feature.

+- You can enable multiple Private Endpoints in others virtual networks and Subnets, including virtual network in other regions.

+- The access restrictions configuration of a Web App isn't evaluated for traffic through the Private Endpoint.

+- You can eliminate the data exfiltration risk from the virtual network by removing all NSG rules where destination is tag Internet or Azure services. When you deploy a Private Endpoint for a Web App, you can only reach this specific Web App through the Private Endpoint. If you have another Web App, you must deploy another dedicated Private Endpoint for this other Web App.

+If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the Microsoft.Web resource provider. You can explicitly register the provider [by following this documentation][registerprovider], but it will also automatically be registered when creating the first web app in a subscription.

+description: This guide shows you how to use an Azure function to trigger the processing of documents that are uploaded to an Azure blob storage container.

+# Tutorial: Use Azure Functions and Python to process stored documents

+Form Recognizer can be used as part of an automated data processing pipeline built with Azure Functions. This guide will show you how to use Azure Functions to process documents that are uploaded to an Azure blob storage container. This workflow extracts table data from stored documents using the Form Recognizer layout model and saves the table data in a .csv file in Azure. You can then display the data using Microsoft Power BI (not covered here).

+>

+> * Create an Azure Storage account.

+> * Create an Azure Functions project.

+> * Extract layout data from uploaded forms.

+> * Upload extracted layout data to Azure Storage.

+* **Azure subscription** - [Create one for free](https://azure.microsoft.com/free/cognitive-services)

+* **A Form Recognizer resource**. Once you have your Azure subscription, create a [Form Recognizer resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) in the Azure portal to get your key and endpoint. You can use the free pricing tier (`F0`) to try the service, and upgrade later to a paid tier for production.

+ * After your resource deploys, select **Go to resource**. You need the key and endpoint from the resource you create to connect your application to the Form Recognizer API. You'll paste your key and endpoint into the code below later in the tutorial:

+ :::image type="content" source="media/containers/keys-and-endpoint.png" alt-text="Screenshot: keys and endpoint location in the Azure portal.":::

+* [**Python 3.6.x, 3.7.x, 3.8.x or 3.9.x**](https://www.python.org/downloads/) (Python 3.10.x isn't supported for this project).

+* The latest version of [**Visual Studio Code**](https://code.visualstudio.com/) (VS Code) with the following extensions installed:

+ * [**Azure Functions extension**](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions). Once it's installed, you should see the Azure logo in the left-navigation pane.

+ * [**Azure Functions Core Tools**](/azure/azure-functions/functions-run-local?tabs=v3%2Cwindows%2Ccsharp%2Cportal%2Cbash) version 3.x (Version 4.x isn't supported for this project).

+ * [**Python Extension**](https://marketplace.visualstudio.com/items?itemName=ms-python.python) for Visual Studio code. For more information, *see* [Getting Started with Python in VS Code](https://code.visualstudio.com/docs/python/python-tutorial)

+* [**Azure Storage Explorer**](https://azure.microsoft.com/features/storage-explorer/) installed.

+* **A local PDF document to analyze**. You can use our [sample pdf document](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/curl/form-recognizer/sample-layout.pdf) for this project.

+1. [Create a general-purpose v2 Azure Storage account](https://portal.azure.com/#create/Microsoft.StorageAccount-ARM) in the Azure portal. If you don't know how to create an Azure storage account with a storage container, follow these quickstarts:

+ * [Create a storage account](../../storage/common/storage-account-create.md). When you create your storage account, select **Standard** performance in the **Instance details** > **Performance** field.

+ * [Create a container](../../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container). When you create your container, set **Public access level** to **Container** (anonymous read access for containers and files) in the **New Container** window.

+1. On the left pane, select the **Resource sharing (CORS)** tab, and remove the existing CORS policy if any exists.

+1. Once your storage account has deployed, create two empty blob storage containers, named **input** and **output**.

+1. Create a new folder named **functions-app** to contain the project and choose **Select**.

+1. Open Visual Studio Code and open the Command Palette (Ctrl+Shift+P). Search for and choose **Python:Select Interpreter** → choose an installed Python interpreter that is version 3.6.x, 3.7.x, 3.8.x or 3.9.x. This selection will add the Python interpreter path you selected to your project.

+1. Select the Azure logo from the left-navigation pane.

+ * You'll see your existing Azure resources in the Resources view.

+ * Select the Azure subscription that you're using for this project and below you should see the Azure Function App.

+ :::image type="content" source="media/tutorial-azure-function/azure-extensions-visual-studio-code.png" alt-text="Screenshot of a list showing your Azure resources in a single, unified view.":::

+1. Select the Workspace (Local) section located below your listed resources. Select the plus symbol and choose the **Create Function** button.

+ :::image type="content" source="media/tutorial-azure-function/workspace-create-function.png" alt-text="Screenshot showing where to begin creating an Azure function.":::

+1. When prompted, choose **Create new project** and navigate to the **function-app** directory. Choose **Select**.

+1. You'll be prompted to configure several settings:

+ * **Select a language** → choose Python.

+ * **Select a Python interpreter to create a virtual environment** → select the interpreter you set as the default earlier.

+ * **Select a template** → choose **Azure Blob Storage trigger** and give the trigger a name or accept the default name. Press **Enter** to confirm.

+ * **Select setting** → choose **➕Create new local app setting** from the dropdown menu.

+ * **Select subscription** → choose your Azure subscription with the storage account you created → select your storage account → then select the name of the storage input container (in this case, `input/{name}`). Press **Enter** to confirm.

+ * **Select how your would like to open your project** → choose **Open the project in the current window** from the dropdown window.

+1. Once you've completed these steps, VS Code will add a new Azure Function project with a *\_\_init\_\_.py* Python script. This script will be triggered when a file is uploaded to the **input** storage container:

+ ```python

+ import logging

+ import azure.functions as func

+ def main(myblob: func.InputStream):

+ logging.info(f"Python blob trigger function processed blob \n"

+ f"Name: {myblob.name}\n"

+ f"Blob Size: {myblob.length} bytes")

+ ```

+1. Press F5 to run the basic function. VS Code will prompt you to select a storage account to interface with.

+1. Select the storage account you created and continue.

+1. Open Azure Storage Explorer and upload the sample PDF document to the **input** container. Then check the VS Code terminal. The script should log that it was triggered by the PDF upload.

+ :::image type="content" source="media/tutorial-azure-function/visual-studio-code-terminal-test.png" alt-text="Screenshot of the VS Code terminal after uploading a new document.":::

+1. Stop the script before continuing.

+Next, you'll add your own code to the Python script to call the Form Recognizer service and parse the uploaded documents using the Form Recognizer [layout model](concept-layout.md).

+1. In VS Code, navigate to the function's *requirements.txt* file. This file defines the dependencies for your script. Add the following Python packages to the file:

+ ```txt

+ cryptography

+ azure-functions

+ azure-storage-blob

+ azure-identity

+ requests

+ pandas

+ numpy

+ ```

+1. Then, open the *\_\_init\_\_.py* script. Add the following `import` statements:

+ ```Python

+ import logging

+ from azure.storage.blob import BlobServiceClient

+ import azure.functions as func

+ import json

+ import time

+ from requests import get, post

+ import os

+ from collections import OrderedDict

+ import numpy as np

+ import pandas as pd

+ ```

+1. You can leave the generated `main` function as-is. You'll add your custom code inside this function.

+ ```python

+ # This part is automatically generated

+ def main(myblob: func.InputStream):

+ logging.info(f"Python blob trigger function processed blob \n"

+ f"Name: {myblob.name}\n"

+ f"Blob Size: {myblob.length} bytes")

+ ```

+1. The following code block calls the Form Recognizer [Analyze Layout](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeLayoutAsync) API on the uploaded document. Fill in your endpoint and key values.

+ ```Python

+ # This is the call to the Form Recognizer endpoint

+ endpoint = r"Your Form Recognizer Endpoint"

+ apim_key = "Your Form Recognizer Key"

+ post_url = endpoint + "/formrecognizer/v2.1/layout/analyze"

+ source = myblob.read()

+ headers = {

+ # Request headers

+ 'Content-Type': 'application/pdf',

+ 'Ocp-Apim-Subscription-Key': apim_key,

+ }

+ text1=os.path.basename(myblob.name)

+ ```

+ > [!IMPORTANT]

+ > Remember to remove the key from your code when you're done, and never post it publicly. For production, use a secure way of storing and accessing your credentials like [Azure Key Vault](../../key-vault/general/overview.md). For more information, *see* Cognitive Services [security](../../cognitive-services/cognitive-services-security.md).

+1. Next, add code to query the service and get the returned data.

+ ```Python

+ resp = requests.post(url = post_url, data = source, headers = headers)

+ if resp.status_code != 202:

+ print("POST analyze failed:\n%s" % resp.text)

+ quit()

+ print("POST analyze succeeded:\n%s" % resp.headers)

+ get_url = resp.headers["operation-location"]

+ wait_sec = 25

+ time.sleep(wait_sec)

+ # The layout API is async therefore the wait statement

+ resp =requests.get(url = get_url, headers = {"Ocp-Apim-Subscription-Key": apim_key})

+ resp_json = json.loads(resp.text)

+ status = resp_json["status"]

+ if status == "succeeded":

+ print("POST Layout Analysis succeeded:\n%s")

+ results=resp_json

+ else:

+ print("GET Layout results failed:\n%s")

+ quit()

+ ```

+1. Add the following code to connect to the Azure Storage **output** container. Fill in your own values for the storage account name and key. You can get the key on the **Access keys** tab of your storage resource in the Azure portal.

+ ```Python

+ # This is the connection to the blob storage, with the Azure Python SDK

+ blob_service_client = BlobServiceClient.from_connection_string("DefaultEndpointsProtocol=https;AccountName="Storage Account Name";AccountKey="storage account key";EndpointSuffix=core.windows.net")

+ container_client=blob_service_client.get_container_client("output")

+ ```

+ The following code parses the returned Form Recognizer response, constructs a .csv file, and uploads it to the **output** container.

+ > [!IMPORTANT]

+ > You will likely need to edit this code to match the structure of your own form documents.

+ ```python

+ # The code below extracts the json format into tabular data.

+ # Please note that you need to adjust the code below to your form structure.

+ # It probably won't work out-of-the-box for your specific form.

+ pages = results["analyzeResult"]["pageResults"]

+ def make_page(p):

+ res=[]

+ res_table=[]

+ y=0

+ page = pages[p]

+ for tab in page["tables"]:

+ for cell in tab["cells"]:

+ res.append(cell)

+ res_table.append(y)

+ y=y+1

+ res_table=pd.DataFrame(res_table)

+ res=pd.DataFrame(res)

+ res["table_num"]=res_table[0]

+ h=res.drop(columns=["boundingBox","elements"])

+ h.loc[:,"rownum"]=range(0,len(h))

+ num_table=max(h["table_num"])

+ return h, num_table, p

+ h, num_table, p= make_page(0)

+ for k in range(num_table+1):

+ new_table=h[h.table_num==k]

+ new_table.loc[:,"rownum"]=range(0,len(new_table))

+ row_table=pages[p]["tables"][k]["rows"]

+ col_table=pages[p]["tables"][k]["columns"]

+ b=np.zeros((row_table,col_table))

+ b=pd.DataFrame(b)

+ s=0

+ for i,j in zip(new_table["rowIndex"],new_table["columnIndex"]):

+ b.loc[i,j]=new_table.loc[new_table.loc[s,"rownum"],"text"]

+ s=s+1

+ ```

+1. Finally, the last block of code uploads the extracted table and text data to your blob storage element.

+ ```Python

+ # Here is the upload to the blob storage

+ tab1_csv=b.to_csv(header=False,index=False,mode='w')

+ name1=(os.path.splitext(text1)[0]) +'.csv'

+ container_client.upload_blob(name=name1,data=tab1_csv)

+ ```

+1. Press F5 to run the function again.

+1. Use Azure Storage Explorer to upload a sample PDF form to the **input** storage container. This action should trigger the script to run, and you should then see the resulting .csv file (displayed as a table) in the **output** container.

+* Learn more about the [layout model](concept-layout.md)

+#### The August release introduces the following new capabilities and updates:

+* **Copy Models** Custom models can be copied across Form Recognizer services from within the Studio. The operation enables the promotion of a trained model to other environments and regions.

+* [**prebuilt-idDocument**](concept-id-document.md). Data extraction support for US state ID, social security, and green cards. Support for passport visa information.

+* [**prebuilt-businessCard**](concept-business-card.md). Address parsing support to extract subfields for address components like address, city, state, country, and zip code.

+[**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-net/blob/Azure.AI.FormRecognizer_4.0.0-beta.4/sdk/formrecognizer/Azure.AI.FormRecognizer/CHANGELOG.md)

+[**Package (NuGet)**](https://www.nuget.org/packages/Azure.AI.FormRecognizer/4.0.0-beta.4)

+[**SDK reference documentation**](/dotnet/api/azure.ai.formrecognizer?view=azure-dotnet-preview&preserve-view=true)

+[**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-jav)

+ [**Package (Maven)**](https://search.maven.org/artifact/com.azure/azure-ai-formrecognizer/4.0.0-beta.5/jar)

+ [**SDK reference documentation**](/java/api/overview/azure/ai-formrecognizer-readme?view=azure-java-preview&preserve-view=true)

+ [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-js/blob/%40azure/ai-form-recognizer_4.0.0-beta.4/sdk/formrecognizer/ai-form-recognizer/CHANGELOG.md)

+ [**Package (npm)**](https://www.npmjs.com/package/@azure/ai-form-recognizer/v/4.0.0-beta.4)

+ [**SDK reference documentation**](/javascript/api/@azure/ai-form-recognizer/?view=azure-node-preview&preserve-view=true)

+ [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b5/sdk/formrecognizer/azure-ai-formrecognizer/CHANGELOG.md)

+ [**Package (PyPi)**](https://pypi.org/project/azure-ai-formrecognizer/3.2.0b5/)

+ [**SDK reference documentation**](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer?view=azure-python-preview&preserve-view=true)

+* [Custom Document models and modes](concept-custom.md):

+* [W-2 prebuilt model](concept-w2.md) (prebuilt-tax.us.w2).

+* [Read prebuilt model](concept-read.md) (prebuilt-read).

+* [Invoice prebuilt model (Spanish)](concept-invoice.md#supported-languages-and-locales) (prebuilt-invoice).

+ [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/CHANGELOG.md#400-beta3-2022-02-10)

+ [**Package (NuGet)**](https://www.nuget.org/packages/Azure.AI.FormRecognizer/4.0.0-beta.3)

+ [**SDK reference documentation**](/dotnet/api/azure.ai.formrecognizer.documentanalysis?view=azure-dotnet-preview&preserve-view=true)

+ [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-jav#400-beta4-2022-02-10)

+ [**Package (Maven)**](https://search.maven.org/artifact/com.azure/azure-ai-formrecognizer/4.0.0-beta.4/jar)

+ [**SDK reference documentation**](/java/api/overview/azure/ai-formrecognizer-readme?view=azure-java-preview&preserve-view=true)

+ [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/CHANGELOG.md#400-beta3-2022-02-10)

+ [**Package (npm)**](https://www.npmjs.com/package/@azure/ai-form-recognizer/v/4.0.0-beta.3)

+ [**SDK reference documentation**](/javascript/api/@azure/ai-form-recognizer/?view=azure-node-preview&preserve-view=true)

+ [**Changelog/Release History**](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/CHANGELOG.md#320b3-2022-02-10)

+ [**Package (PyPI)**](https://pypi.org/project/azure-ai-formrecognizer/3.2.0b3/)

+ [**SDK reference documentation**](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer?view=azure-python-preview&preserve-view=true)

+ Title: "Apply Flux v2 configurations at-scale using Azure Policy"

+description: "Apply Flux v2 configurations at-scale using Azure Policy"

+keywords: "Kubernetes, K8s, Arc, AKS, Azure, containers, GitOps, Flux v2, policy"

+# Apply Flux v2 configurations at-scale using Azure Policy

+You can use Azure Policy to apply Flux v2 configurations (`Microsoft.KubernetesConfiguration/fluxConfigurations` resource type) at scale on Azure Arc-enabled Kubernetes (`Microsoft.Kubernetes/connectedClusters`) or AKS (`Microsoft.ContainerService/managedClusters`) clusters.

+To use Azure Policy, select a built-in policy definition and create a policy assignment. You can search for **flux** to find all of the Flux v2 policy definitions. When creating the policy assignment:

+1. Set the scope for the assignment.

+ * The scope will be all resource groups in a subscription or management group or specific resource groups.

+2. Set the parameters for the Flux v2 configuration that will be created.

+Once the assignment is created, the Azure Policy engine identifies all Azure Arc-enabled Kubernetes clusters located within the scope and applies the GitOps configuration to each cluster.

+To enable separation of concerns, you can create multiple policy assignments, each with a different Flux v2 configuration pointing to a different source. For example, one git repository may be used by cluster admins and other repositories may be used by application teams.

+> [!TIP]

+> There are built-in policy definitions for these scenarios:

+> * Flux extension install (required for all scenarios): `Configure installation of Flux extension on Kubernetes cluster`

+> * Flux configuration using public Git repository (generally a test scenario): `Configure Kubernetes clusters with Flux v2 configuration using public Git repository`

+> * Flux configuration using private Git repository with SSH auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets`

+> * Flux configuration using private Git repository with HTTPS auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets`

+> * Flux configuration using private Git repository with HTTPS CA cert auth: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate`

+> * Flux configuration using private Git repository with local K8s secret: `Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets`

+> * Flux configuration using private Bucket source and KeyVault secrets: `Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault`

+> * Flux configuration using private Bucket source and local K8s secret: `Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets`

+## Prerequisite

+Verify you have `Microsoft.Authorization/policyAssignments/write` permissions on the scope (subscription or resource group) where you'll create this policy assignment.

+## Create a policy assignment

+1. In the Azure portal, navigate to **Policy**.

+1. In the **Authoring** section of the sidebar, select **Definitions**.

+1. In the "Kubernetes" category, choose the "Configure Kubernetes clusters with specified GitOps configuration using no secrets" built-in policy definition.

+1. Select **Assign**.

+1. Set the **Scope** to the management group, subscription, or resource group to which the policy assignment will apply.

+ * If you want to exclude any resources from the policy assignment scope, set **Exclusions**.

+1. Give the policy assignment an easily identifiable **Name** and **Description**.

+1. Ensure **Policy enforcement** is set to **Enabled**.

+1. Select **Next**.

+1. Set the parameter values to be used while creating the `fluxConfigurations` resource.

+ * For more information about parameters, see the [tutorial on deploying Flux v2 configurations](./tutorial-use-gitops-flux2.md).

+1. Select **Next**.

+1. Enable **Create a remediation task**.

+1. Verify **Create a managed identity** is checked, and that the identity will have **Contributor** permissions.

+ * For more information, see the [Create a policy assignment quickstart](../../governance/policy/assign-policy-portal.md) and the [Remediate non-compliant resources with Azure Policy article](../../governance/policy/how-to/remediate-resources.md).

+1. Select **Review + create**.

+After creating the policy assignment, the configuration is applied to new Azure Arc-enabled Kubernetes or AKS clusters created within the scope of policy assignment.

+For existing clusters, you may need to manually run a remediation task. This task typically takes 10 to 20 minutes for the policy assignment to take effect.

+## Verify a policy assignment

+1. In the Azure portal, navigate to one of your Azure Arc-enabled Kubernetes or AKS clusters.

+1. In the **Settings** section of the sidebar, select **GitOps**.

+ * In the configurations list, you should see the configuration created by the policy assignment.

+1. In the **Kubernetes resources** section of the sidebar, select **Namespaces** and **Workloads**.

+ * You should see the namespace and artifacts that were created by the Flux configuration.

+ * You should see the objects described by the manifests in the Git repo deployed on the cluster.

+## Next steps

+[Set up Azure Monitor for Containers with Azure Arc-enabled Kubernetes clusters](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md).

+ Title: "Apply Flux v1 configurations at-scale using Azure Policy"

+description: "Apply Flux v1 configurations at-scale using Azure Policy"

+keywords: "Kubernetes, Arc, Azure, K8s, containers, GitOps, Flux v1, policy"

+# Apply Flux v1 configurations at-scale using Azure Policy

+You can use Azure Policy to apply Flux v1 configurations (`Microsoft.KubernetesConfiguration/sourceControlConfigurations` resource type) at scale on Azure Arc-enabled Kubernetes clusters (`Microsoft.Kubernetes/connectedclusters`).

+> [!NOTE]

+> This article is for GitOps with Flux v1. GitOps with Flux v2 is now available for Azure Arc-enabled Kubernetes and Azure Kubernetes Service (AKS) clusters; [go to the article for using policy with Flux v2](./use-azure-policy-flux-2.md). Eventually Azure will stop supporting GitOps with Flux v1, so begin using Flux v2 as soon as possible.

+1. Select **Assign**.

+1. Set the parameter values to be used while creating the `sourceControlConfigurations` resource.

+1. In the **Kubernetes resources** section of the sidebar, select **Namespaces** and **Workloads**.

+ * You should see the namespace and artifacts that were created by the Flux configuration.

+ * You should see the objects described by the manifests in the Git repo deployed on the cluster.

+|`https://azurearcfork8sdev.azurecr.io` |Azure Arc for Kubernetes container image download |

+|`adhs.events.data.microsoft.com ` |Required diagnostic data sent to Microsoft from control plane nodes|

+|`v20.events.data.microsoft.com` |Required diagnostic data sent to Microsoft from the Azure Stack HCI or Windows Server host|

+URLs used by other Arc agents:

+|Agent resource | Description |

+|||

+|`https://management.azure.com` |Azure Resource Manager|

+|`https://login.microsoftonline.com` |Azure Active Directory|

+### KVA timeout error

+Azure Arc resource bridge is a Kubernetes management cluster that is deployed in an appliance VM directly on the on-premises infrastructure. While trying to deploy Azure Arc resource bridge, a "KVA timeout error" may appear if there is a networking problem that doesn't allow communication of the Arc Resource Bridge appliance VM to the host, DNS, network or internet. This error is typically displayed for the following reasons:

+- The appliance VM IP address doesn't have DNS resolution.

+- The appliance VM IP address doesn't have internet access to download the required image.

+- The host doesn't have routability to the appliance VM IP address.

+To resolve this error, ensure that all IP addresses assigned to the Arc Resource Bridge appliance VM can be resolved by DNS and have access to the internet, and that the host can successfully route to the IP addresses.

+* Integrating System Center Operations Manager with US Government cloud requires the following:

+> The combination of APPINSIGHTS_JAVASCRIPT_ENABLED and urlCompression is not supported. For more info see the explanation in the [troubleshooting section](#appinsights_javascript_enabled-and-urlcompression-isnt-supported).

+|XDT_MicrosoftApplicationInsights_Mode | In default mode, only essential features are enabled in order to ensure optimal performance. | `default` or `recommended`. |

+|XDT_MicrosoftApplicationInsights_BaseExtensions | Controls if SQL & Azure table text will be captured along with the dependency calls. Performance warning: application cold startup time will be affected. This setting requires the `InstrumentationEngine`. | `~1` |

+Upgrading from version 2.8.9 happens automatically, without any extra actions. The new monitoring bits are delivered in the background to the target app service, and on application restart they'll be picked up.

+To check which version of the extension you're running, go to `https://scm.yoursitename.azurewebsites.net/ApplicationInsights`.

+Starting with version 2.8.9 the pre-installed site extension is used. If you're an earlier version, you can update via one of two ways:

+2. Browse to `https://scm.yoursitename.azurewebsites.net/ApplicationInsights`.

+ If it isn't running, follow the [enable Application Insights monitoring instructions](#enable-auto-instrumentation-monitoring).

+ If a similar value isn't present, it means the application isn't currently running or isn't supported. To ensure that the application is running, try manually visiting the application url/application endpoints, which will allow the runtime information to become available.

+ If not, add `APPINSIGHTS_INSTRUMENTATIONKEY` and `APPLICATIONINSIGHTS_CONNECTION_STRING` with your ikey guid to your application settings.

+When you create a web app with the `ASP.NET` runtimes in Azure App Services it deploys a single static HTML page as a starter website. The static webpage also loads a ASP.NET managed web part in IIS. This allows for testing codeless server-side monitoring, but doesn't support automatic client-side monitoring.

+If you wish to test out codeless server and client-side monitoring for ASP.NET in an Azure App Services web app, we recommend following the official guides for [creating an ASP.NET Framework web app](../../app-service/quickstart-dotnetcore.md?tabs=netframework48) and then use the instructions in the current article to enable monitoring.

+### APPINSIGHTS_JAVASCRIPT_ENABLED and urlCompression isn't supported

+- 500.53 URL rewrite module error with message Outbound rewrite rules can't be applied when the content of the HTTP response is encoded ('gzip').

+This is due to the APPINSIGHTS_JAVASCRIPT_ENABLED application setting being set to true and content-encoding being present at the same time. This scenario isn't supported yet. The workaround is to remove APPINSIGHTS_JAVASCRIPT_ENABLED from your application settings. Unfortunately this means that if client/browser-side JavaScript instrumentation is still required, manual SDK references are needed for your webpages. Follow the [instructions](https://github.com/Microsoft/ApplicationInsights-JS#snippet-setup-ignore-if-using-npm-setup) for manual instrumentation with the JavaScript SDK.

+|`IKeyExists:false`|This value indicates that the instrumentation key isn't present in the AppSetting, `APPINSIGHTS_INSTRUMENTATIONKEY`. Possible causes: The values may have been accidentally removed, forgot to set the values in automation script, etc. | Make sure the setting is present in the App Service application settings.

+3. Choose the Log Analytics workspace where you want all future ingested Application Insights telemetry to be stored. It can either be a Log Analytics workspace in the same subscription, or in a different subscription that shares the same Azure AD tenant. The Log Analytics workspace doesn't have to be in the same resource group as the Application Insights resource.

+## Frequently asked questions

+### Is there any implication on the cost from migration?

+There's usually no difference, with a couple of exceptions.

+ - Migrated Application Insights resources can use [Log Analytics Commitment Tiers](../logs/cost-logs.md#commitment-tiers) to reduce cost if the data volumes in the workspace are high enough.

+ - Grandfathered Application Insights resources will no longer get 1 GB per month free from the original Application Insights pricing model.

+### How will telemetry capping work?

+You can set a [daily cap on the Log Analytics workspace](../logs/daily-cap.md#application-insights).

+There's no strict (billing-wise) capping available.

+### How will ingestion-based sampling work?

+There are no changes to ingestion-based sampling.

+### Will there be any gap in data collected during migration?

+No. We merge data during query time.

+### Will my old logs queries continue to work?

+Yes, they'll continue to work.

+### Will my dashboards that have pinned metric and log charts continue to work after migration?

+Yes, they'll continue to work.

+### Will migration impact AppInsights API accessing data?

+No, migration won't impact existing API access to data. After migration, you'll be able to access data directly from a workspace using a [slightly different schema](#workspace-based-resource-changes).

+### Will there be any impact on Live Metrics or other monitoring experiences?

+No, there's no impact to [Live Metrics](live-stream.md#live-metrics-monitor--diagnose-with-1-second-latency) or other monitoring experiences.

+### What happens with Continuous export after migration?

+Continuous export doesn't support workspace-based resources.

+You'll need to switch to [Diagnostic Settings](../essentials/diagnostic-settings.md#diagnostic-settings-in-azure-monitor).

+**Warning Message:** *Your customized Application Insights retention settings won't apply to data sent to the workspace. You'll need to reconfigure these separately.*

+Prior to the introduction of [workspace-based Application Insights resources](create-workspace-resource.md), Application Insights data was stored separate from other log data in Azure Monitor. Both are based on Azure Data Explorer and use the same Kusto Query Language (KQL). Workspace-based Application Insights resources data is stored in a Log Analytics workspace, together with other monitoring data and application data. This simplifies your configuration by allowing you to analyze data across multiple solutions more easily, and to use the capabilities of workspaces.

+The structure of a Log Analytics workspace is described in [Log Analytics workspace overview](../logs/log-analytics-workspace-overview.md). For a classic application, the data isn't stored in a Log Analytics workspace. It uses the same query language, and you create and run queries by using the same Log Analytics tool in the Azure portal. Data items for classic applications are stored separately from each other. The general structure is the same as for workspace-based applications, although the table and column names are different.

+Most of the columns have the same name with different capitalization. Since KQL is case-sensitive, you'll need to change each column name along with the table names in existing queries. Columns with changes in addition to capitalization are highlighted. You can still use your classic Application Insights queries within the **Logs** pane of your Application Insights resource, even if it's a workspace-based resource. The new property names are required for when querying from within the context of the Log Analytics workspace experience.

+# Troubleshoot Azure Monitor's Change Analysis

+# Visualizations for Change Analysis in Azure Monitor

+By default, the graph displays changes from within the past 24 hours help with immediate problems.

+1. Select the **Change history** tab.

+1. For the Azure Monitor Change Analysis service to scan for changes in users' subscriptions, a resource provider needs to be registered. Upon selecting the **Change history** tab, the tool will automatically register **Microsoft.ChangeAnalysis** resource provider.

+# Use Change Analysis in Azure Monitor

+- [Azure Resource Manager resource properties.](#azure-resource-manager-resource-properties-changes)

+- [Resource configuration changes.](#resource-configuration-changes)

+- [App Service Function and Web App in-guest changes.](#changes-in-azure-app-services-function-and-web-apps-in-guest-changes)

+Change Analysis also tracks [resource dependency changes](#dependency-changes) to diagnose and monitor an application end-to-end.

+Using [Azure Resource Graph](../../governance/resource-graph/overview.md), Change Analysis provides a historical record of how the Azure resources that host your application have changed over time. The following basic configuration settings are set using Azure Resource Manager and tracked by Azure Resource Graph:

+### Resource configuration changes

+In addition to the settings set via Azure Resource Manager, you can set configuration settings using the CLI, Bicep, etc., such as:

+- IP Configuration rules

+- TLS settings

+- Extension versions

+These setting changes are not captured by Azure Resource Graph. Change Analysis fills this gap by capturing snapshots of changes in those main configuration properties, like changes to the connection string, etc. Snapshots are taken of configuration changes and change details every up to 6 hours. [See known limitations.](#limitations)

+### Changes in Azure App Services Function and Web Apps (in-guest changes)

+Every 30 minutes, Change Analysis captures the configuration state of a web application. For example, it can detect changes in the application environment variables, configuration files, and WebJobs. The tool computes the differences and presents the changes.

+If you don't see file changes within 30 minutes or configuration changes within 6 hours, refer to [our troubleshooting guide](./change-analysis-troubleshoot.md#cannot-see-in-guest-changes-for-newly-enabled-web-app). [See known limitations.](#limitations)

+#### Web App diagnose and solve problems navigator (preview)

+Currently the following dependencies are supported in **Web App Diagnose and solve problems | Navigator**:

+## Limitations

+- **OS environment**: For Azure App Services Function and Web App in-guest changes, Change Analysis currently only works with Windows environments, not Linux.

+- **Web app deployment changes**: Code deployment change information might not be available immediately in the Change Analysis tool. To view the latest changes in Change Analysis, select **Refresh**.

+- **App Services file changes**: File changes take up to 30 minutes to display.

+- **App Services configuration changes**: Due to the snapshot approach to configuration changes, timestamps of configuration changes could take up to 6 hours to display from when the change actually happened.

+| Resource configurations and settings changes | Change Analysis securely queries and computes IP Configuration rules, TLS settings, and extension versions to provide more change details in the app. | [Azure Resource Manager configuration changes](./change/change-analysis.md#azure-resource-manager-resource-properties-changes) |

+ Title: Azure activity log insights

+description: Learn how to monitor changes to resources and resource groups in an Azure subscription with Azure Monitor activity log insights.

+#customer-intent: As an IT manager, I want to understand how I can use activity log insights to monitor changes to resources and resource groups in an Azure subscription.

+# Monitor changes to resources and resource groups with Azure Monitor activity log insights

+Activity log insights provide you with a set of dashboards that monitor the changes to resources and resource groups in a subscription. The dashboards also present data about which users or services performed activities in the subscription and the activities' status. This article explains how to onboard and view activity log insights in the Azure portal.

+Before you use activity log insights, you must [enable sending logs to your Log Analytics workspace](./diagnostic-settings.md).

+## How do activity log insights work?

+Azure Monitor stores all activity logs you send to a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md) in a table called `AzureActivity`.

+Activity log insights are a curated [Log Analytics workbook](../visualize/workbooks-overview.md) with dashboards that visualize the data in the `AzureActivity` table. For example, data might include which administrators deleted, updated, or created resources and whether the activities failed or succeeded.

+## View resource group or subscription-level activity log insights

+To view activity log insights at the resource group or subscription level:

+1. In the Azure portal, select **Monitor** > **Workbooks**.

+1. In the **Insights** section, select **Activity Logs Insights**.

+ :::image type="content" source="media/activity-log/open-activity-log-insights-workbook.png" lightbox= "media/activity-log/open-activity-log-insights-workbook.png" alt-text="Screenshot that shows how to locate and open the Activity Logs Insights workbook on a scale level.":::

+1. At the top of the **Activity Logs Insights** page, select:

+ 1. One or more subscriptions from the **Subscriptions** dropdown.

+ 1. Resources and resource groups from the **CurrentResource** dropdown.

+ 1. A time range for which to view data from the **TimeRange** dropdown.

+## View resource-level activity log insights

+>[!Note]

+> Activity log insights does not currently support Application Insights resources.

+To view activity log insights at the resource level:

+1. In the Azure portal, go to your resource and select **Workbooks**.

+1. In the **Activity Logs Insights** section, select **Activity Logs Insights**.

+ :::image type="content" source="media/activity-log/activity-log-resource-level.png" lightbox= "media/activity-log/activity-log-resource-level.png" alt-text="Screenshot that shows how to locate and open the Activity Logs Insights workbook on a resource level.":::

+1. At the top of the **Activity Logs Insights** page, select a time range for which to view data from the **TimeRange** dropdown:

+

+ * **Azure Activity Log Entries** shows the count of activity log records in each activity log category.

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-category-value.png" lightbox= "media/activity-log/activity-logs-insights-category-value.png" alt-text="Screenshot that shows Azure activity logs by category value.":::

+

+ * **Activity Logs by Status** shows the count of activity log records in each status.

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-status.png" lightbox= "media/activity-log/activity-logs-insights-status.png" alt-text="Screenshot that shows Azure activity logs by status.":::

+

+ * At the subscription and resource group level, **Activity Logs by Resource** and **Activity Logs by Resource Provider** show the count of activity log records for each resource and resource provider.

+

+ :::image type="content" source="media/activity-log/activity-logs-insights-resource.png" lightbox= "media/activity-log/activity-logs-insights-resource.png" alt-text="Screenshot that shows Azure activity logs by resource.":::

+## Next steps

+Learn more about:

+* [Activity logs](./activity-log.md)

+* [The activity log event schema](activity-log-schema.md)

+If you're collecting activity logs using the legacy collection method, we recommend you [export activity logs to your Log Analytics workspace](#send-to-log-analytics-workspace) and disable the legacy collection using the [Data Sources - Delete API](/rest/api/loganalytics/data-sources/delete?tabs=HTTP) as follows:

+1. List all data sources connected to the workspace using the [Data Sources - List By Workspace API](/rest/api/loganalytics/data-sources/list-by-workspace?tabs=HTTP#code-try-0) and filter for activity logs by setting `filter=kind='AzureActivityLog'`.

+ :::image type="content" source="media/activity-log/data-sources-list-by-workspace-api.png" alt-text="Screenshot showing the configuration of the Data Sources - List By Workspace API." lightbox="media/activity-log/data-sources-list-by-workspace-api.png":::

+1. Copy the name of the connection you want to disable from the API response.

+ :::image type="content" source="media/activity-log/data-sources-list-by-workspace-api-connection.png" alt-text="Screenshot showing the connection information you need to copy from the output of the Data Sources - List By Workspace API." lightbox="media/activity-log/data-sources-list-by-workspace-api-connection.png":::

+

+1. Use the [Data Sources - Delete API](/rest/api/loganalytics/data-sources/delete?tabs=HTTP) to stop collecting activity logs for the specific resource.

+ :::image type="content" source="media/activity-log/data-sources-delete-api.png" alt-text="Screenshot of the configuration of the Data Sources - Delete API." lightbox="media/activity-log/data-sources-delete-api.png":::

+### Managing legacy log profiles

+#### [PowerShell](#tab/powershell)

+#### [CLI](#tab/cli)

+reviewer: cweining

+## What is Bring Your Own Storage (BYOS) and why might I need it?

+When you use Application Insights Profiler or Snapshot Debugger, artifacts generated by your application are uploaded into Azure storage accounts over the public Internet. For these artifacts and storage accounts, Microsoft controls and covers the cost for:

+* Processing and analysis.

+* Encryption-at-rest and lifetime management policies.

+When you configure Bring Your Own Storage (BYOS), artifacts are uploaded into a storage account that you control. That means you control and are responsible for the cost of:

+* The encryption-at-rest policy and the Lifetime management policy.

+* Network access.

+> BYOS is required if you are enabling Private Link or Customer-Managed Keys.

+> * [Learn more about Private Link for Application Insights](../logs/private-link-security.md).

+> * [Learn more about Customer-Managed Keys for Application Insights](../logs/customer-managed-keys.md).

+1. Agents running in your Virtual Machines or App Service will upload artifacts (profiles, snapshots, and symbols) to blob containers in your account.

+ This process involves contacting the Profiler or Snapshot Debugger service to obtain a Shared Access Signature (SAS) token to a new blob in your storage account.

+1. The Profiler or Snapshot Debugger service will:

+ 1. Analyze the incoming blob.

+ 1. Write back the analysis results and log files into blob storage.

+

+ Depending on available compute capacity, this process may occur anytime after upload.

+1. When you view the Profiler traces or Snapshot Debugger analysis, the service fetches the analysis results from blob storage.

+* Create your Storage Account in the same location as your Application Insights resource.

+ For example, if your Application Insights resource is in West US 2, your Storage Account must be also in West US 2.

+* Grant the `Storage Blob Data Contributor` role to the Azure AD application named `Diagnostic Services Trusted Storage Access` via the [Access Control (IAM)](/role-based-access-control/role-assignments-portal.md) page in your storage account.

+* If Private Link is enabled, allow connection to our Trusted Microsoft Service from your virtual network.

+## Enable BYOS

+First, the Application Insights Profiler, and Snapshot Debugger service needs to be granted access to the storage account. To grant access, add the role `Storage Blob Data Contributor` to the Azure AD application named `Diagnostic Services Trusted Storage Access` via the Access Control (IAM) page in your storage account as shown in Figure 1.0.

+Steps:

+

+ :::image type="content" source="media/profiler-bring-your-own-storage/add-role-assignment-page.png" alt-text="Screenshot showing how to add role assignment page in Azure portal.":::

+ *Figure 1.0*

+After you added the role, it will appear under the "**Role assignments**" section, like the below Figure 1.1.

+ :::image type="content" source="media/profiler-bring-your-own-storage/figure-11.png" alt-text="Screenshot showing the IAM screen after Role assignments.":::

+ *Figure 1.1*

+If you're also using Private Link, it's required one additional configuration to allow connection to our Trusted Microsoft Service from your Virtual Network. or more information, see [Storage Network Security documentation](../../storage/common/storage-network-security.md#trusted-microsoft-services).

+* Using Azure PowerShell cmdlets.

+* Using the Azure CLI.

+* Using Azure Resource Manager templates.

+#### [PowerShell](#tab/azure-powershell)

+1. Sign in with your Azure account subscription.

+ For more information on how to sign in, refer to the [Connect-AzAccount documentation](/powershell/module/az.accounts/connect-azaccount).

+

+#### [Azure CLI](#tab/azure-cli)

+

+

+#### [Resource Manager Template](#tab/azure-resource-manager)

+1. Create an Azure Resource Manager template file with the following content (*byos.template.json*):

+1. Run the following PowerShell command to deploy the above template:

+ Syntax:

+

+ | `application_insights_name` | The name of the Application Insights resource to enable BYOS. |

+ | `storage_account_name` | The name of the Storage Account resource that you'll use as your BYOS. |

+

+ ResourceGroupName : byos-test

+1. Enable code-level diagnostics (Profiler/Debugger) on the workload of interest through the Azure portal. In this example, **App Service** > **Application Insights**.

+ :::image type="content" source="media/profiler-bring-your-own-storage/figure-20.png" alt-text="Screenshot showing the code level diagnostics on Azure portal.":::

+ *Figure 2.0*

+## Troubleshoot

+### Template schema '{schema_uri}' isn't supported

+### No registered resource provider found for location '{location}'

+### Storage Account location should match AI component location

+For general Snapshot Debugger troubleshooting, refer to the [Snapshot Debugger Troubleshoot documentation](../app/snapshot-debugger-troubleshoot.md).

+### If I have enabled Profiler/Snapshot Debugger and BYOS, will my data be migrated into my Storage Account?

+ *No, it won't.*

+### Will BYOS work with encryption-at-rest and Customer-Managed Key?

+

+ *Yes, to be precise, BYOS is a requisite to have Profiler/Snapshot Debugger enabled with Customer-Manager Keys.*

+### Will BYOS work in an environment isolated from the Internet?

+

+ *Yes, BYOS is a requirement for isolated network scenarios.*

+### Will BYOS work with both Customer-Managed Keys and Private Link enabled?

+

+ *Yes, it can be possible.*

+### If I have enabled BYOS, can I go back using Diagnostic Services storage accounts to store my data collected?

+

+ *Yes, you can, but we don't currently support data migration from your BYOS.*

+### After enabling BYOS, will I take over of all the related costs of storage and networking?

+ *Yes.*

+## Prerequisites

+reviewer: cweining

+We recommend that you run your application on the Basic service tier, or higher, when using Snapshot Debugger.

+Snapshot Debugger is pre-installed as part of the App Services runtime, but you need to turn it on to get snapshots for your App Service app. To enable Snapshot Debugger for an app, follow the instructions below:

+> [!NOTE]

+> If you're using a preview version of .NET Core, or your application references Application Insights SDK (directly or indirectly via a dependent assembly), follow the instructions for [Enable Snapshot Debugger for other environments](snapshot-debugger-vm.md) to include the [`Microsoft.ApplicationInsights.SnapshotCollector`](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package with the application.

+After you've deployed your .NET app:

+1. Go to the Azure control panel for your App Service.

+1. Go to the **Settings** > **Application Insights** page.

+ :::image type="content" source="./media/snapshot-debugger/application-insights-app-services.png" alt-text="Screenshot showing the Enable App Insights on App Services portal.":::

+1. Either follow the instructions on the page to create a new resource or select an existing App Insights resource to monitor your app.

+1. Switch Snapshot Debugger toggles to **On**.

+

+ :::image type="content" source="./media/snapshot-debugger/enablement-ui.png" alt-text="Screenshot showing how to add App Insights site extension.":::

+

+1. Snapshot Debugger is now enabled using an App Services App Setting.

+ :::image type="content" source="./media/snapshot-debugger/snapshot-debugger-app-setting.png" alt-text="Screenshot showing App Setting for Snapshot Debugger.":::

+If you're running a different type of Azure service, here are instructions for enabling Snapshot Debugger on other supported platforms:

+* [Azure Function](snapshot-debugger-function-app.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Cloud Services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Service Fabric services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [Azure Virtual Machines and virtual machine scale sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+* [On-premises virtual or physical machines](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json)

+

+|Connection String Property | US Government Cloud | China Cloud |

+To turn-on Azure AD for snapshot ingestion:

+ 1. For System-Assigned Managed identity, see the following [documentation](../../app-service/overview-managed-identity.md?tabs=portal%2chttp#add-a-system-assigned-identity).

+ 1. For User-Assigned Managed identity, see the following [documentation](../../app-service/overview-managed-identity.md?tabs=portal%2chttp#add-a-user-assigned-identity).

+1. Configure and turn on Azure AD in your Application Insights resource. For more information, see the following [documentation](../app/azure-ad-authentication.md?tabs=net#configuring-and-enabling-azure-ad-based-authentication)

+1. Add the following application setting, used to let Snapshot Debugger agent know which managed identity to use:

+|APPLICATIONINSIGHTS_AUTHENTICATION_STRING | Authorization=AD |

+|APPLICATIONINSIGHTS_AUTHENTICATION_STRING | Authorization=AD;ClientId={Client id of the User-Assigned Identity} |

+To disable Snapshot Debugger, repeat the [steps for enabling](#installation). However, switch the Snapshot Debugger toggles to **Off**.

+For an Azure App Service, you can set app settings within the Azure Resource Manager template to enable Snapshot Debugger and Profiler. For example:

+Below you can find scenarios where Snapshot Collector isn't supported:

+|You're using the Snapshot Collector SDK in your application directly (*.csproj*) and have enabled the advanced option "Interop".| The local Application Insights SDK (including Snapshot Collector telemetry) will be lost and no Snapshots will be available. <br/> Your application could crash at startup with `System.ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.` <br/> [Learn more about the Application Insights feature "Interop".](../app/azure-web-apps-net-core.md#troubleshooting) | If you're using the advanced option "Interop", use the codeless Snapshot Collector injection (enabled through the Azure portal). |

+* Generate traffic to your application that can trigger an exception. Then, wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+* See [snapshots](snapshot-debugger.md?toc=/azure/azure-monitor/toc.json#view-snapshots-in-the-portal) in the Azure portal.

+* For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](snapshot-debugger-troubleshoot.md?toc=/azure/azure-monitor/toc.json).

+[snapshot-debugger-app-setting]:./media/snapshot-debugger/snapshot-debugger-app-setting.png

+reviewer: cweining

+We recommend that you run your application on the Basic service tier or higher when using Snapshot Debugger.

+To enable Snapshot Debugger in your Function app, add the `snapshotConfiguration` property to your *host.json* file and redeploy your function. For example:

+Snapshot Debugger is pre-installed as part of the Azure Functions runtime and is disabled by default. Since it's included in the runtime, you don't need to add extra NuGet packages or application settings.

+In the simple .NET Core Function app example below, `.csproj`, `{Your}Function.cs`, and `host.json` has Snapshot Debugger enabled:

+***`Project.csproj`***

+`{Your}Function.cs`

+`Host.json`

+To disable Snapshot Debugger in your Function app, update your `host.json` file by setting the `snapshotConfiguration.isEnabled` property to `false`.

+We recommend that you have Snapshot Debugger enabled on all your apps to ease diagnostics of application exceptions.

+* Generate traffic to your application that can trigger an exception. Then, wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+* [View snapshots](snapshot-debugger.md?toc=/azure/azure-monitor/toc.json#view-snapshots-in-the-portal) in the Azure portal.

+* Customize Snapshot Debugger configuration based on your use-case on your Function app. For more information, see [snapshot configuration in host.json](../../azure-functions/functions-host-json.md#applicationinsightssnapshotconfiguration).

+* For help with troubleshooting Snapshot Debugger issues, see [Snapshot Debugger troubleshooting](snapshot-debugger-troubleshoot.md?toc=/azure/azure-monitor/toc.json).

+reviewer: cweining

+Below you can find scenarios where Snapshot Collector isn't supported:

+|When using the Snapshot Collector SDK in your application directly (*.csproj*) and you have enabled the advance option "Interop".| The local Application Insights SDK (including Snapshot Collector telemetry) will be lost, therefore, no Snapshots will be available. <br/> Your application could crash at startup with `System.ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor` <br/> For more information about the Application Insights feature "Interop", see the [documentation.](../app/azure-web-apps-net-core.md#troubleshooting) | If you're using the advance option "Interop", use the codeless Snapshot Collector injection (enabled thru the Azure portal UX) |

+|Connection String Property | US Government Cloud | China Cloud |

+|Property | US Government Cloud | China Cloud |

+Make sure you're using the correct instrumentation key in your published application. Usually, the instrumentation key is read from the *ApplicationInsights.config* file. Verify the value is the same as the instrumentation key for the Application Insights resource that you see in the portal.

+If you have an ASP.NET application that's hosted in Azure App Service or in IIS on a virtual machine, your application could fail to connect to the Snapshot Debugger service due to a missing SSL security protocol.

+[The Snapshot Debugger endpoint requires TLS version 1.2](snapshot-debugger-upgrade.md?toc=/azure/azure-monitor/toc.json). The set of SSL security protocols is one of the quirks enabled by the `httpRuntime targetFramework` value in the `system.web` section of `web.config`.

+If the `httpRuntime targetFramework` is 4.5.2 or lower, then TLS 1.2 isn't included by default.

+> The `httpRuntime targetFramework` value is independent of the target framework used when building your application.

+To check the setting, open your *web.config* file and find the system.web section. Ensure that the `targetFramework` for `httpRuntime` is set to 4.6 or above.

+> Modifying the `httpRuntime targetFramework` value changes the runtime quirks applied to your application and can cause other, subtle behavior changes. Be sure to test your application thoroughly after making this change. For a full list of compatibility changes, see [Re-targeting changes](/dotnet/framework/migration-guide/application-compatibility#retargeting-changes).

+> If the `targetFramework` is 4.7 or above then Windows determines the available protocols. In Azure App Service, TLS 1.2 is available. However, if you're using your own virtual machine, you may need to enable TLS 1.2 in the OS.

+1. Select **Advanced Tools**, or search for **Kudu**.

+1. Select **Go**.

+1. Once you are on the Kudu management site, in the URL, **append the following `/DiagnosticServices` and press enter**.

+* If Snapshot Debugger was enabled by including the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package, use Visual Studio's NuGet Package Manager to make sure you're using the latest version of `Microsoft.ApplicationInsights.SnapshotCollector`.

+After a snapshot is created, a minidump file (*.dmp*) is created on disk. A separate uploader process creates that minidump file and uploads it, along with any associated PDBs, to Application Insights Snapshot Debugger storage. After the minidump has uploaded successfully, it's deleted from disk. The log files for the uploader process are kept on disk. In an App Service environment, you can find these logs in `D:\Home\LogFiles`. Use the Kudu management site for App Service to find these log files.

+1. Select **Advanced Tools**, or search for **Kudu**.

+1. Select **Go**.

+1. In the **Debug console** drop-down list, select **CMD**.

+1. Select **LogFiles**.

+> The example above is from version 1.2.0 of the `Microsoft.ApplicationInsights.SnapshotCollector` NuGet package. In earlier versions, the uploader process is called `MinidumpUploader.exe` and the log is less detailed.

+For applications that *aren't* hosted in App Service, the uploader logs are in the same folder as the minidumps: `%TEMP%\Dumps\<ikey>` (where `<ikey>` is your instrumentation key).

+1. Modify your role's startup code to add an environment variable that points to the `SnapshotStore` local resource. For Worker Roles, the code should be added to your role's `OnStart` method:

+1. Update your role's *ApplicationInsights.config* file to override the temporary folder location used by `SnapshotCollector`

+* Fabric_Folder_App_Temp

+* LOCALAPPDATA

+* APPDATA

+* TEMP

+If a suitable folder can't be found, Snapshot Collector reports an error saying *"Couldn't find a suitable shadow copy folder."*

+Since these errors usually happen during startup, they'll usually be followed by an `ExceptionDuringConnect` error saying *Uploader failed to start*."

+To work around these errors, you can specify the shadow copy folder manually via the `ShadowCopyFolder` configuration option. For example, using *ApplicationInsights.config*:

+Or, if you're using *appsettings.json* with a .NET Core application:

+1. Select **Search**.

+1. Type `ai.snapshot.id` in the Search text box and press Enter.

+1. Using the timestamp from the Uploader log, adjust the Time Range filter of the search to cover that time range.

+The IPs used by Application Insights Snapshot Debugger are included in the Azure Monitor service tag. For more information, see [Service Tags documentation](../../virtual-network/service-tags-overview.md).

+reviewer: cweining

+To provide the best possible security for your data, Microsoft is moving away from TLS 1.0 and TLS 1.1, which have been shown to be vulnerable to determined attackers. If you're using an older version of the site extension, it will require an upgrade to continue working. This document outlines the steps needed to upgrade your Snapshot debugger to the latest version.

+You can follow two primary upgrade paths, depending on how you enabled the Snapshot Debugger:

+* Via site extension

+* Via an SDK/NuGet added to your application

+This article discusses both upgrade paths.

+> Older versions of Application Insights used a private site extension called *Application Insights extension for Azure App Service*. The current Application Insights experience is enabled by setting App Settings to light up a pre-installed site extension.

+1. Go to to your resource that has Application Insights and Snapshot debugger enabled. For example, for a Web App, go to to the App Service resource:

+ :::image type="content" source="./media/snapshot-debugger-upgrade/app-service-resource.png" alt-text="Screenshot of individual App Service resource named DiagService01.":::

+1. After you've navigated to your resource, click on the **Extensions** blade and wait for the list of extensions to populate:

+ :::image type="content" source="./media/snapshot-debugger-upgrade/application-insights-site-extension-to-be-deleted.png" alt-text="Screenshot of App Service Extensions showing Application Insights extension for Azure App Service installed.":::

+1. If any version of *Application Insights extension for Azure App Service* is installed, select it and click **Delete**. Confirm **Yes** to delete the extension and wait for the delete to complete before moving to the next step.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/application-insights-site-extension-delete.png" alt-text="Screenshot of App Service Extensions showing Application Insights extension for Azure App Service with the Delete button highlighted.":::

+1. Go to the **Overview** blade of your resource and select **Application Insights**:

+ :::image type="content" source="./media/snapshot-debugger-upgrade/application-insights-button.png" alt-text="Screenshot of three buttons. Center button with name Application Insights is selected.":::

+1. If this is the first time you've viewed the Application Insights blade for this App Service, you'll be prompted to turn on Application Insights. Select **Turn on Application Insights**.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/turn-on-application-insights.png" alt-text="Screenshot of the first-time experience for the Application Insights blade with the Turn on Application Insights button highlighted.":::

+1. In the Application Insights settings blade, switch the Snapshot Debugger setting toggles to **On** and select **Apply**.

+ If you decide to change *any* Application Insights settings, the **Apply** button on the bottom of the blade will be activated.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/view-application-insights-data.png" alt-text="Screenshot of Application Insights App Service Configuration page with Apply button highlighted in red.":::

+1. After you click **Apply**, you'll be asked to confirm the changes.

+ :::image type="content" source="./media/snapshot-debugger-upgrade/apply-monitoring-settings.png" alt-text="Screenshot of App Service's apply monitoring prompt.":::

+1. Click **Yes** to apply the changes and wait for the process to complete.

+reviewer: cweining

+If your ASP.NET or ASP.NET Core application runs in App Service and requires a customized Snapshot Debugger configuration, or a preview version of .NET Core, start with the [Enable Snapshot Debugger for App Services how-to guide](snapshot-debugger-app-service.md).

+If your application runs in Azure Service Fabric, Cloud Service, Virtual Machines, or on-premises machines, you can skip enabling Snapshot Debugger on App Services and jump into following this guide.

+### Prerequisite

+[Enable Application Insights in your web app](../app/asp-net.md).

+1. Include the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package in your app.

+1. If needed, customize the Snapshot Debugger configuration added to [ApplicationInsights.config](../app/configuration-with-applicationinsights-config.md).

+ The default Snapshot Debugger configuration is mostly empty and all settings are optional. Here's an example showing a configuration equivalent to the default configuration:

+1. Snapshots are collected only on exceptions that are reported to Application Insights. In some cases (for example, older versions of the .NET platform), you might need to [configure exception collection](../app/asp-net-exceptions.md#exceptions) to see exceptions with snapshots in the portal.

+### Prerequisites

+[Enable Application Insights in your ASP.NET Core web app](../app/asp-net-core.md), if you haven't done it yet.

+> [!NOTE]

+> Be sure that your application references version 2.1.1, or newer, of the Microsoft.ApplicationInsights.AspNetCore package.

+1. Include the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package in your app.

+1. Modify your application's `Startup` class to add and configure the Snapshot Collector's telemetry processor.

+ 1. If [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package version 1.3.5 or above is used, then add the following using statements to *Startup.cs*:

+ Add the following at the end of the ConfigureServices method in the `Startup` class in *Startup.cs*:

+ 1. If [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package version 1.3.4 or below is used, then add the following using statements to *Startup.cs*.

+ Add the following `SnapshotCollectorTelemetryProcessorFactory` class to `Startup` class:

+1. If needed, customize the Snapshot Debugger configuration by adding a `SnapshotCollectorConfiguration` section to *appsettings.json*.

+ All settings in the Snapshot Debugger configuration are optional. Here's an example showing a configuration equivalent to the default configuration:

+1. Add the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package in your app.

+1. Snapshots are collected only on exceptions that are reported to Application Insights. You may need to modify your code to report them. The exception handling code depends on the structure of your application, but an example is below:

+reviewer: cweining

+When an exception occurs, you can automatically collect a debug snapshot from your live web application. The debug snapshot shows the state of source code and variables at the moment the exception was thrown. The Snapshot Debugger in [Azure Application Insights](../app/app-insights-overview.md):

+* Monitors system-generated logs from your web app.

+* Collects snapshots on your top-throwing exceptions.

+* Provides information you need to diagnose issues in production.

+Simply include the [Snapshot collector NuGet package](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) in your application and configure collection parameters in [`ApplicationInsights.config`](../app/configuration-with-applicationinsights-config.md).

+Snapshots appear on [**Exceptions**](../app/asp-net-exceptions.md) in the Application Insights blade of the Azure portal.

+You can view debug snapshots in the portal to see the call stack and inspect variables at each call stack frame. To get a more powerful debugging experience with source code, open snapshots with Visual Studio Enterprise. You can also [set SnapPoints to interactively take snapshots](/visualstudio/debugger/debug-live-azure-applications) without waiting for an exception.

+> Client applications (for example, WPF, Windows Forms or UWP) aren't supported.

+> Owners and contributors don't automatically have this role. If they want to view snapshots, they must add themselves to the role.

+Subscription owners should assign the [Application Insights Snapshot Debugger](../../role-based-access-control/role-assignments-portal.md) role to users who will inspect snapshots. This role can be assigned to individual users or groups by subscription owners for the target Application Insights resource or its resource group or subscription.

+Assign the Debugger role to the **Application Insights Snapshot**.

+For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

+> Snapshots may contain personal data or other sensitive information in variable and parameter values. Snapshot data is stored in the same region as your App Insights resource.

+After an exception has occurred in your application and a snapshot has been created, you should have snapshots to view in the Azure portal within 5 to 10 minutes. To view snapshots, in the **Failure** pane, either:

+* Select the **Operations** button when viewing the **Operations** tab, or

+* Select the **Exceptions** button when viewing the **Exceptions** tab.

+Snapshots might include sensitive information. By default, you can only view snapshots if you've been assigned the `Application Insights Snapshot Debugger` role.

+1. To open the `.diagsession` file, you need to have the Snapshot Debugger Visual Studio component installed. The Snapshot Debugger component is a required component of the ASP.NET workload in Visual Studio and can be selected from the Individual Component list in the Visual Studio installer. If you're using a version of Visual Studio before Visual Studio 2017 version 15.5, you'll need to install the extension from the [Visual Studio Marketplace](https://aka.ms/snapshotdebugger).

+1. After you open the snapshot file, the Minidump Debugging page in Visual Studio appears. Click **Debug Managed Code** to start debugging the snapshot. The snapshot opens to the line of code where the exception was thrown so that you can debug the current state of the process.

+ :::image type="content" source="./media/snapshot-debugger/open-snapshot-visual-studio.png" alt-text="Screenshot showing the debug snapshot in Visual Studio.":::

+The Snapshot Collector is implemented as an [Application Insights Telemetry Processor](../app/configuration-with-applicationinsights-config.md#telemetry-processors-aspnet). When your application runs, the Snapshot Collector Telemetry Processor is added to your application's system-generated logs pipeline.

+Each time your application calls `TrackException`, a counter is incremented for the appropriate Problem ID. When the counter reaches the `ThresholdForSnapshotting` value, the Problem ID is added to a Collection Plan.

+If there's a match, then a snapshot of the running process is created. The snapshot is assigned a unique identifier and the exception is stamped with that identifier. After the `FirstChanceException` handler returns, the thrown exception is processed as normal. Eventually, the exception reaches the `TrackException` method again where it, along with the snapshot identifier, is reported to Application Insights.

+The main process continues to run and serve traffic to users with little interruption. Meanwhile, the snapshot is handed off to the Snapshot Uploader process. The Snapshot Uploader creates a minidump and uploads it to Application Insights along with any relevant symbol (*.pdb*) files.

+> * A process snapshot is a suspended clone of the running process.

+> * Creating the snapshot takes about 10 to 20 milliseconds.

+> * The default value for `ThresholdForSnapshotting` is 1. This is also the minimum value. Therefore, your app has to trigger the same exception **twice** before a snapshot is created.

+> * Set `IsEnabledInDeveloperMode` to true if you want to generate snapshots while debugging in Visual Studio.

+> * The snapshot creation rate is limited by the `SnapshotsPerTenMinutesLimit` setting. By default, the limit is one snapshot every ten minutes.

+> * No more than 50 snapshots per day may be uploaded.

+### Data retention

+Debug snapshots are stored for 15 days. The default data retention policy is set on a per-application basis. If you need to increase this value, you can request an increase by opening a support case in the Azure portal. For each Application Insights instance, a maximum number of 50 snapshots are allowed per day.

+> For more information on the different symbol options that are available, see the [Visual Studio documentation](/visualstudio/ide/reference/advanced-build-settings-dialog-box-csharp). For best results, we recommend that you use "Full", "Portable" or "Embedded".

+> Install the Application Insights Site Extension in your App Service to get de-optimization support.

+Azure NetApp Files Standard network features are supported for the following regions:

+* Southeast Asia

+| Number of IPs in a VNet (including immediately peered VNets) accessing volumes in an Azure NetApp Files hosting VNet | [Same standard limits as VMs](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits) | 1000 |

+> Upgrade from Basic to Standard network feature is not currently supported.

+> [!IMPORTANT]

+> Conversion between Basic and Standard networking features is not currently supported.

+With Standard network features, VMs are able to connect to volumes in another region via global or cross-region VNet peering. The above diagram adds a second region to the configuration in the [local VNet peering section](#vnet-peering). For VNet 4 in this diagram, an Azure NetApp Files volume is created in a delegated subnet and can be mounted on VM5 in the application subnet.

+| Number of IPs in a VNet (including immediately peered VNets) accessing volumes in an Azure NetApp Files hosting VNet | <ul><li>**Basic**: 1000</li><li>**Standard**: [Same standard limits as VMs](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits)</li></ul> | No |

+If you're using Azure NetApp Files with Azure Active Directory Domain Services, the organizational unit path is `OU=AADDC Computers` when you configure Active Directory for your NetApp account.

+## What network authentication methods are supported for SMB volumes in Azure NetApp Files?

+NTLMv2 and Kerberos network authentication methods are supported with SMB volumes in Azure NetApp Files. NTLMv1 and LanManager are disabled and are not supported.

+A template spec is a resource type for storing an Azure Resource Manager template (ARM template) for later deployment. This resource type enables you to share ARM templates with other users in your organization. Just like any other Azure resource, you can use Azure role-based access control (Azure RBAC) to share the template spec. You can use Azure CLI or Azure PowerShell to create template specs by providing Bicep files. The Bicep files are transpiled into ARM JSON templates before they're stored. Currently, you can't import a Bicep file from the Azure portal to create a template spec resource.

+## Required permissions

+To create a template spec, you need **write** access to `Microsoft.Resources/templateSpecs` and `Microsoft.Resources/templateSpecs/versions`.

+To deploy a template spec, you need **read** access to `Microsoft.Resources/templateSpecs` and `Microsoft.Resources/templateSpecs/versions`. You also need **write** access to any resources deployed by the template spec, and access to `Microsoft.Resources/deployments/*`.

+The size of a template spec is limited to approximated 2 MB. If a template spec size exceeds the limit, you'll get the **TemplateSpecTooLarge** error code. The error message says:

+[Tags](../management/tag-resources.md) help you logically organize your resources. You can add tags to template specs by using Azure PowerShell and Azure CLI. The following example shows how to specify tags when creating the template spec:

+The next example shows how to apply tags when updating an existing template spec:

+Both the template and its versions can have tags. The tags are applied or inherited depending on the parameters you specify.

+| Template spec | Version | Version parameter | Tag parameter | Tag values |

+| - | - | -- | - | |

+| Exists | N/A | Not specified | Specified | applied to the template spec |

+| Exists | New | Specified | Not specified | inherited from the template spec to the version |

+| New | New | Specified | Specified | applied to both template spec and version |

+| Exists | New | Specified | Specified | applied to the version |

+| Exists | Exists | Specified | Specified | applied to the version |

+description: Describes the Microsoft.Common.TextBox UI element for Azure portal that's used for adding unformatted text.

+The `TextBox` user-interface (UI) element can be used to add unformatted text. The element is a single-line input field, but supports multi-line input with the `multiLine` property.

+Example of single-line text box.

+Example of multi-line text box.

+In this example, when you enter a storage account name and exit the text box, the control checks if the name is valid and if it's available. If the name is invalid or already exists, an error message is displayed. A storage account name that's valid and available is shown in the output.

+{

+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",

+ "handler": "Microsoft.Azure.CreateUIDef",

+ "version": "0.1.2-preview",

+ "parameters": {

+ "basics": [

+ {

+ "method": "POST",

+ "path": "[concat(subscription().id, '/providers/Microsoft.Storage/checkNameAvailability?api-version=2021-09-01')]",

+ "body": {

+ "name": "[basics('txtStorageName')]",

+ "type": "Microsoft.Storage/storageAccounts"

+ }

+ },

+ {

+ "validations": [

+ {

+ "isValid": "[basics('nameApi').nameAvailable]",

+ "message": "[basics('nameApi').message]"

+ }

+ ]

+ }

+ ],

+ "steps": [],

+ "outputs": {

+ "textBox": "[basics('txtStorageName')]"

+ }

+}

+- To learn more about functions, see [CreateUiDefinition functions](create-uidefinition-functions.md).

+## Microsoft.Management

+* managementGroups

+* aliases

+In this tutorial, you learn how to use [parameter files](parameter-files.md) to store the values you pass in during deployment. In the previous tutorials, you used inline parameters with your deployment command. This approach worked for testing your Azure Resource Manager template (ARM template), but when automating deployments it can be easier to pass a set of values for your environment. Parameter files make it easier to package parameter values for a specific environment. In this tutorial, you create parameter files for development and production environments. This instruction takes **12 minutes** to complete.

+You need to have Visual Studio Code with the Resource Manager Tools extension, and either Azure PowerShell or Azure Command-Line Interface (CLI). For more information, see [template tools](template-tutorial-create-first-template.md#get-tools).

+Your template has many parameters you can provide during deployment. At the end of the previous tutorial, your template had the following JSON file:

+Parameter files are JSON files with a structure that's similar to your template. In the file, you provide the parameter values you want to pass in during deployment.

+Within the parameter file, you provide values for the parameters in your template. The name of each parameter in your parameter file needs to match the name of a parameter in your template. The name is case-insensitive but to easily see the matching values we recommend that you match the casing from the template.

+You can't specify a parameter name in your parameter file that doesn't match a parameter name in the template. You get an error when you provide unknown parameters.

+In Visual Studio Code, create a new file with the following content. Save the file with the name _azuredeploy.parameters.dev.json_.

+This file is your parameter file for the production environment. Notice that it uses **Standard_GRS** for the storage account, names resources with a **contoso** prefix, and sets the `Environment` tag to **Production**. In a real production environment, you would also want to use an app service with a SKU other than free, but we use that SKU for this tutorial.

+First, let's deploy to the dev environment.

+To run this deployment command, you need to have the [latest version](/cli/azure/install-azure-cli) of Azure CLI.

+Now, we deploy to the production environment.

+> If the deployment fails, use the `verbose` switch to get information about the resources you're creating. Use the `debug` switch to get more information for debugging.

+1. You see the two new resource groups you deploy in this tutorial.

+1. From the Azure portal, select **Resource groups** from the left menu.

+1. Select the hyperlinked resource group name next to the check box. If you complete this series, you have three resource groups to delete - **myResourceGroup**, **myResourceGroupDev**, and **myResourceGroupProd**.

+1. Select the **Delete resource group** icon from the top menu.

+

+ > [!CAUTION]

+ > Deleting a resource group is irreversible.

+1. Type the resource group name in the pop-up window that displays and select **Delete**.

+Congratulations. You've finished this introduction to deploying templates to Azure. Let us know if you have any comments and suggestions in the feedback section.

+# Embed Azure Video Indexer widgets in your apps

+Opting in isn't required at this time. However, in the future, using simplified compute node communication will be required and defaulted for all Batch accounts.

+> Custom Neural Voice training is currently only available in some regions. But you can easily copy a neural voice model from those regions to other regions. For more information, see the [regions for Custom Neural Voice](regions.md#speech-service).

+> [!NOTE]

+> Custom Neural Voice training is currently only available in some regions. But you can easily copy a neural voice model from those regions to other regions. For more information, see the [regions for Custom Neural Voice](regions.md#speech-service).

+- [Deploy and use your voice model](how-to-deploy-and-use-endpoint.md)

+> Custom Neural Voice training is currently only available in some regions. But you can easily copy a neural voice model from those regions to other regions. For more information, see the [regions for Custom Neural Voice](regions.md#speech-service).

+- **Lightweight**: You don't need a large data set. Simply provide a word or phrase to boost its recognition.

+You can use phrase lists with the [Speech Studio](speech-studio-overview.md), [Speech SDK](quickstarts/setup-platform.md), or [Speech Command Line Interface (CLI)](spx-overview.md).

+- If you need a phrase list for languages that are not currently supported.

+- If you need to do batch transcription. The Batch transcription API does not support phrase lists.

+> [!TIP]

+> You can use phrase lists with both standard and custom speech.

+> * Translator container is in gated preview and to use it you must submit an online request, and have it approved. For more information, _see_ [Request approval to run container](#request-approval-to-run-container) below.

+> * Translator container supports limited features compared to the cloud offerings. Form more information, _see_ [**Container translate methods**](translator-container-supported-parameters.md).

+You'll also need to have:

+|Azure CLI (command-line interface) |<ul><li> The [Azure CLI](/cli/azure/install-azure-cli) enables you to use a set of online commands to create and manage Azure resources. It's available to install in Windows, macOS, and Linux environments and can be run in a Docker container and Azure Cloud Shell.</li></ul> |

+The following table describes the minimum and recommended CPU cores and memory to allocate for the Translator container.

+* Each core must be at least 2.6 gigahertz (GHz) or faster.

+* For every language pair, it's recommended to have 2 GB of memory. By default, the Translator offline container has four language pairs.

+* The core and memory correspond to the `--cpus` and `--memory` settings, which are used as part of the `docker run` command.

+ The container provides a REST-based Translator endpoint API. Here's an example request:

+In the `Program.cs` replace all the existing code with the following script:

+| `{LICENSE_MOUNT}` | The path where the license will be downloaded, and mounted. | `/host/license:/path/to/license/directory` |

+| `{CONTAINER_LICENSE_DIRECTORY}` | Location of the license folder on the container's local filesystem. | `/path/to/license/directory` |

+docker run --rm -it -p 5000:5000 \

+{IMAGE} \

+Mounts:License={CONTAINER_LICENSE_DIRECTORY}

+| `{LICENSE_MOUNT}` | The path where the license will be located and mounted. | `/host/license:/path/to/license/directory` |

+| `{CONTAINER_LICENSE_DIRECTORY}` | Location of the license folder on the container's local filesystem. | `/path/to/license/directory` |

+| `{CONTAINER_OUTPUT_DIRECTORY}` | Location of the output folder on the container's local filesystem. | `/path/to/output/directory` |

+docker run --rm -it -p 5000:5000 --memory {MEMORY_SIZE} --cpus {NUMBER_CPUS} \

+{IMAGE} \

+Mounts:License={CONTAINER_LICENSE_DIRECTORY}

+Mounts:Output={CONTAINER_OUTPUT_DIRECTORY}

+The [speech-to-text](../speech-service/speech-container-howto.md?tabs=stt) and [neural text-to-speech](../speech-service/speech-container-howto.md?tabs=ntts) containers provide a default directory for writing the license file and billing log at runtime. The default directories are /license and /output respectively.

+When you're mounting these directories to the container with the `docker run -v` command, make sure the local machine directory is set ownership to `user:group nonroot:nonroot` before running the container.

+- Cloud-based Confidential OS disk encryption before the first boot.

+## Confidential OS disk encryption

+Confidential OS disk encryption is optional, because this process can lengthen the initial VM creation time. You can choose between:

+ - A confidential VM with Confidential OS disk encryption before VM deployment that uses platform-managed keys (PMK) or a customer-managed key (CMK).

+ - A confidential VM without Confidential OS disk encryption before VM deployment.

+For further integrity and protection, confidential VMs offer [Secure Boot](/windows-hardware/design/device-experiences/oem-secure-boot) by default when confidential OS disk encryption is selected.

+- Microsoft Azure Virtual Machine Scale Sets with Confidential OS disk encryption enabled

+OS images for confidential VMs have to meet certain security and compatibility requirements. Qualified images support the secure mounting, attestation, optional [confidential OS disk encryption](confidential-vm-overview.md#confidential-os-disk-encryption), and isolation from underlying cloud infrastructure. These images include:

+Exports are scheduled using Coordinated Universal Time (UTC). The Exports API always uses and displays UTC.

+There are two ways to purchase a virtual machine software reservation:

+**Option 1**

+1. Navigate to Reservations, select **Add**, and then select **Virtual Machine**. The Azure Marketplace shows offers that have reservation pricing.

+2. Select the desired Virtual machine software plan that you want to buy.

+ Any virtual machine software reservation that matches the attributes of what you buy gets a discount. The actual number of deployments that get the discount depend on the scope and quantity selected.

+3. Select a subscription. It's used to pay for the plan.

+ The subscription payment method is charged the upfront costs for the reservation. To buy a reservation, you must have owner role or reservation purchaser role on an Azure subscription that's of type Enterprise (MS-AZR-0017P or MS-AZR-0148P) or Pay-As-You-Go (MS-AZR-0003P or MS-AZR-0023P) or Microsoft Customer Agreement.

+ - For an enterprise subscription, the reservation purchase charges aren't deducted from the enrollment's Azure Prepayment (previously called monetary commitment) balance. The charges are billed to the subscription's credit card or invoice payment method.

+ - For an individual subscription with pay-as-you-go pricing, the charges are billed to the subscription's credit card or invoice payment method.

+4. Select a scope. The scope can cover one subscription or multiple subscriptions (using a shared scope).

+ - Single subscription - The plan discount is applied to matching usage in the subscription.

+ - Shared - The plan discount is applied to matching instances in any subscription in your billing context. For enterprise customers, the billing context is the enrollment and includes all subscriptions in the enrollment. For individual plan with pay-as-you-go pricing customers, the billing context is all individual plans with pay-as-you-go pricing subscriptions created by the account administrator.

+ - Management group - Applies the reservation discount to the matching resource in the list of subscriptions that are a part of both the management group and billing scope.

+ - Single resource group - Applies the reservation discount to the matching resources in the selected resource group only.

+5. Select a product to choose the VM size and the image type. The discount will apply to matching resources and has instance size flexibility turned on.

+6. Select a one-year or three-year term.

+7. Choose a quantity, which is the number of prepaid VM instances that can get the billing discount.

+8. Add the product to the cart, review, and purchase.

+**Option 2**

+1. Browse to Marketplace to view offers that have reservation pricing. Apply a **Pricing** filter for **Reservation**.

+2. Select the desired Virtual machine software offer that you want to buy. Then select the desired plan.

+ Any virtual machine software reservation that matches the attributes of what you buy gets a discount. The actual number of deployments that get the discount depend on the scope and quantity selected.

+3. Select a subscription. It's used to pay for the plan.

+ The subscription payment method is charged the upfront costs for the reservation. To buy a reservation, you must have owner role or reservation purchaser role on an Azure subscription that's of type Enterprise (MS-AZR-0017P or MS-AZR-0148P) or Pay-As-You-Go (MS-AZR-0003P or MS-AZR-0023P) or Microsoft Customer Agreement.

+ - For an enterprise subscription, these reservation purchase charges aren't deducted from the enrollment's Azure Prepayment (previously called monetary commitment) balance. The charges are billed to the subscription's credit card or invoice payment method.

+> You will need to enable multifactor authentication for the user who manages the VMs and images that are deployed on your device from the cloud. The cloud operations will fail if the user doesn't have multifactor authentication enabled. For steps to enable multifactor authentication click [here](/azure/active-directory/authentication/tutorial-enable-azure-mfa.md)

+Multiple network interfaces can be associated with one virtual switch. Each network interface on your VM has a static or a dynamic IP address assigned to it. With IP addresses assigned to multiple network interfaces on your VM, certain capabilities are enabled on your VM. For example, your VM can host multiple websites or services with different IP addresses and SSL certificates on a single server. A VM on your device can serve as a network virtual appliance, such as a firewall or a load balancer. <!--Is it possible to do that on ASE?-->

+ $ERDirectAuthorization = Get-AzExpressRoutePortAuthorization -ExpressRoutePortObject $ERPort -Name $Name

+1. Redeem the authorization to create the ExpressRoute Direct circuit in different subscription or Azure Active Directory tenant with the following command:

+ New-AzExpressRouteCircuit -Name $Name -ResourceGroupName $RGName -Location $Location -SkuTier $SkuTier -SkuFamily $SkuFamily -BandwidthInGbps $BandwidthInGbps -AuthorizationKey $$ERDirectAuthorization.AuthorizationKey

+| **Hong Kong2** | [iAdvantage MEGA-i](https://www.iadvantage.net/index.php/locations/mega-i) | 2 | East Asia | Supported | China Mobile International, China Telecom Global, Equinix, iAdvantage, Megaport, PCCW Global Limited, SingTel |

+ Title: 'Quickstart: Create an Azure Firewall with multiple public IP addresses - Bicep'

+description: In this quickstart, you learn how to use a Bicep file to create an Azure Firewall with multiple public IP addresses.

+# Quickstart: Create an Azure Firewall with multiple public IP addresses - Bicep

+In this quickstart, you use a Bicep file to deploy an Azure Firewall with multiple public IP addresses from a public IP address prefix. The deployed firewall has NAT rule collection rules that allow RDP connections to two Windows Server 2019 virtual machines.

+For more information about Azure Firewall with multiple public IP addresses, see [Deploy an Azure Firewall with multiple public IP addresses using Azure PowerShell](deploy-multi-public-ip-powershell.md).

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+## Review the Bicep file

+This Bicep file creates an Azure Firewall with two public IP addresses, along with the necessary resources to support the Azure Firewall.

+The Bicep file used in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/fw-docs-qs).

+Multiple Azure resources are defined in the template:

+- [**Microsoft.Network/networkSecurityGroups**](/azure/templates/microsoft.network/networksecuritygroups)

+- [**Microsoft.Network/publicIPPrefix**](/azure/templates/microsoft.network/publicipprefixes)

+- [**Microsoft.Network/publicIPAddresses**](/azure/templates/microsoft.network/publicipaddresses)

+- [**Microsoft.Network/virtualNetworks**](/azure/templates/microsoft.network/virtualnetworks)

+- [**Microsoft.Compute/virtualMachines**](/azure/templates/microsoft.compute/virtualmachines)

+- [**Microsoft.Storage/storageAccounts**](/azure/templates/microsoft.storage/storageAccounts)

+- [**Microsoft.Network/networkInterfaces**](/azure/templates/microsoft.network/networkinterfaces)

+- [**Microsoft.Network/azureFirewalls**](/azure/templates/microsoft.network/azureFirewalls)

+- [**Microsoft.Network/routeTables**](/azure/templates/microsoft.network/routeTables)

+## Deploy the Bicep file

+1. Save the Bicep file as **main.bicep** to your local computer.

+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

+ # [CLI](#tab/CLI)

+ ```azurecli

+ az group create --name exampleRG --location eastus

+ az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminUsername=<admin-username>

+ ```

+ # [PowerShell](#tab/PowerShell)

+ ```azurepowershell

+ New-AzResourceGroup -Name exampleRG -Location eastus

+ New-AzResourceGroupDeployment -ResourceGroupName exampleRG -TemplateFile ./main.bicep -adminUsername "<admin-username>"

+ ```

+

+ > [!NOTE]

+ > Replace **\<admin-username\>** with the admin username for the backend server.

+ You will be prompt to enter the admin password.

+ When the deployment finishes, you should see a message indicating the deployment succeeded.

+## Validate the deployment

+In the Azure portal, review the deployed resources. Note the firewall public IP addresses.

+Use Remote Desktop Connection to connect to the firewall public IP addresses. Successful connection demonstrates firewall NAT rules that allow the connection to the backend servers.

+## Clean up resources

+When you no longer need the resources that you created with the firewall, delete the resource group. This removes the firewall and all the related resources.

+To delete the resource group, call the `Remove-AzResourceGroup` cmdlet:

+```azurepowershell-interactive

+Remove-AzResourceGroup -Name "exampleRG"

+```

+## Next steps

+> [!div class="nextstepaction"]

+> [Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal](tutorial-hybrid-portal.md)

+ Title: Open-source components and versions - Azure HDInsight 4.0

+description: Learn about the open-source components and versions in Azure HDInsight 4.0.

+In this article, you learn about the open-source components and versions in Azure HDInsight 4.0.

+## Open-source components available with HDInsight version 4.0

+The Open-source component versions associated with HDInsight 4.0 are listed in the following table.

+# Known issues: Azure Health Data Services

+This article describes the currently known issues with Azure Health Data Services and its different service types (FHIR service, DICOM service, and MedTech service) that seamlessly work with one another.

+ Title: Create a private endpoint for Azure IoT Central | Microsoft Docs

+1. On the **Basics** tab, enter a name and select a region for your private endpoint. Then select **Next: Resource**.

+1. On the same tab, in the **Private IP configuration** section, select **Dynamically allocate IP address**.

+1. Select **Next: DNS**.

+1. On the **DNS** tab, select **Yes** for **Integrate with private DNS zone.** The private DNS resolves all the required endpoints to private IP addresses in your virtual network.

+To restrict public access for your devices to IoT Central, turn off access from public endpoints. After you turn off public access, devices can't connect to IoT Central from public networks, and must use a private endpoint:

+## Prerequisite

+* [Monitor your IoT hub](monitor-iot-hub.md)

+This article shows you how to use the [Azure IoT Tools for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools) to create an Azure IoT hub. You can create one without an existing IoT project or create one from an existing IoT project.

+## Prerequisites

+## Create an IoT hub without an IoT Project

+The following steps show how to create an IoT Hub without an IoT Project in Visual Studio Code (VS Code).

+1. In VS Code, open the **Explorer** view.

+2. At the bottom of the Explorer, expand the **Azure IoT Hub** section.

+ :::image type="content" source="./media/iot-hub-create-use-iot-toolkit/azure-iot-hub-devices.png" alt-text="A screenshot that shows the location of the Azure IoT Hub section in VS Code." lightbox="./media/iot-hub-create-use-iot-toolkit/azure-iot-hub-devices.png":::

+3. Select **Create IoT Hub** from the list in the **Azure IoT Hub** section.

+ :::image type="content" source="./media/iot-hub-create-use-iot-toolkit/create-iot-hub.png" alt-text="A screenshot that shows the location of the Create IoT Hub list item in VS Code." lightbox="./media/iot-hub-create-use-iot-toolkit/create-iot-hub.png":::

+5. A pop-up will show in the bottom-right corner to let you sign in to Azure for the first time, if you're not signed in already.

+6. From the command palette at the top of VS Code, select your Azure subscription.

+7. Select your resource group.

+8. Select a location.

+9. Select a pricing tier.

+10. Enter a globally unique name for your IoT hub, then press **Enter**.

+11. Wait a few minutes until the IoT hub is created. You'll see a confirmation in the output console.

+## Create an IoT hub and device in an existing IoT project

+The following steps show how to create an IoT Hub and register a device to the hub within an existing IoT project in Visual Studio (VS) Code.

+This method allows you to provision in VS Code without leaving your development environment.

+1. In the new opened project window, click `F1` to open the command palette, type and select **Azure IoT Device Workbench: Provision Azure Services...**.

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/provision.png" alt-text="A screenshot that shows how to open the command palette in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/provision.png":::

+ > [!NOTE]

+ > If you have not signed in Azure. Follow the pop-up notification for signing in.

+1. Select the subscription you want to use.

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/select-subscription.png" alt-text="A screenshot that shows how to choose your Azure subscription in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/select-subscription.png":::

+1. Select an existing resource group or create a new [resource group](../azure-resource-manager/management/overview.md#terminology).

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/select-resource-group.png" alt-text="A screenshot that shows how to choose a resource group or create a new one in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/select-resource-group.png":::

+1. In the resource group you specified, follow the prompts to select an existing IoT Hub or create a new Azure IoT Hub.

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/iot-hub-provision.png" alt-text="A screenshot that shows the first prompt in choosing an existing IoT Hub in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/iot-hub-provision.png":::

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/select-iot-hub.png" alt-text="A screenshot that shows the second prompt in choosing an existing IoT Hub in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/select-iot-hub.png":::

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/iot-hub-selected.png" alt-text="A screenshot that shows the third prompt in choosing an existing IoT Hub in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/iot-hub-selected.png":::

+1. In the output window, you'll see the Azure IoT Hub provisioned.

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/iot-hub-provisioned.png" alt-text="A screenshot that shows the output window in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/iot-hub-provisioned.png":::

+1. Select or create a new IoT Hub Device in the Azure IoT Hub you provisioned.

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/iot-device-provision.png" alt-text="A screenshot that shows the fourth prompt in choosing an existing IoT Hub in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/iot-device-provision.png":::

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/select-iot-device.png" alt-text="A screenshot that shows an example of an existing IoT Hub in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/select-iot-device.png":::

+1. Now you have an Azure IoT Hub provisioned and a device created in it. The device connection string will be saved in VS Code.

+ :::image type="content" source="media/iot-hub-create-use-iot-toolkit/provision-done.png" alt-text="A screenshot that shows IoT Hub details in the output window in VS Code." lightbox="media/iot-hub-create-use-iot-toolkit/provision-done.png":::

+Now that you've deployed an IoT hub using the Azure IoT Tools for Visual Studio Code, explore these articles:

+* UK South

+ Title: Block access to and from other tenants

+description: Block connections between your tenant and other Azure Active Directory (Azure AD) tenants in Azure Logic Apps.

+# Customer intent: As a developer, I want to prevent access to and from other Azure Active Directory tenants.

+# Block connections to and from other tenants in Azure Logic Apps (Preview)

+[Block connector usage in Azure Logic Apps](block-connections-connectors.md)

+ | Property | Required | Type | Description |

+ |-|-||-|

+ | **Policy name** | Yes | String | The name that you want to use for the authorization policy |

+ | **Claims** | Yes | String | The claim types and values that your workflow accepts from inbound calls. Here are the available claim types: <br><br>- **Issuer** <br>- **Audience** <br>- **Subject** <br>- **JWT ID** (JSON Web Token identifier) <br><br>Requirements: <br><br>- At a minimum, the **Claims** list must include the **Issuer** claim, which has a value that starts with `https://sts.windows.net/` or `https://login.microsoftonline.com/` as the Azure AD issuer ID. <br>- Each claim must be a single string value, not an array of values. For example, you can have a claim with **Role** as the type and **Developer** as the value. You can't have a claim that has **Role** as the type and the values set to **Developer** and **Program Manager**. <br>- The claim value is limited to a [maximum number of characters](logic-apps-limits-and-config.md#authentication-limits). <br><br>For more information about these claim types, review [Claims in Azure AD security tokens](../active-directory/azuread-dev/v1-authentication-scenarios.md#claims-in-azure-ad-security-tokens). You can also specify your own claim type and value. |

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning SDK or CLI extension you are using:"]

+> * [v1](./v1/concept-network-data-access.md)

+> * [v2 (current version)](how-to-administrate-data-authentication.md)

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning CLI extension you are using:"]

+> * [v1](v1/how-to-train-with-datasets.md)

+> * [v2 (current version)](how-to-read-write-data-v2.md)

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning developer platform you are using:"]

+> * [v1](concept-network-data-access.md)

+> * [v2 (current version)](../how-to-administrate-data-authentication.md)

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning CLI extension you are using:"]

+> * [v1](how-to-train-with-datasets.md)

+> * [v2 (current version)](../how-to-read-write-data-v2.md)

+Operations are useful to respond to any requests that come through the webhook as part of ChangePlan, ChangeQuantity, and ReInstate actions. This provides an opportunity to accept or reject a request by patch that webhook operation with Success or Failure by using the below APIs.

+This only applies to webhook events such as ChangePlan, ChangeQuantity, and ReInstate that need an ACK. No action is needed from the independent software vendor (ISV) on Renew, Suspend, and Unsubscribe events because they are notify-only events.

+ * Unsubscribe (notify only, no ACK needed)

+ * Unsubscribe (notify only, no ACK needed)

+This is a notify only event. There is no send to ACK for this event.

+| Offers | ISVs can now publish 1-year and 3-year prices for their Virtual Machine plans to let customers save money when they commit for a long-term agreement. To learn more, see [Plan a virtual machine offer](azure-vm-plan-pricing-and-availability.md#configure-reservation-pricing-optional). | 2022-08-24 |

+This article shows how to use Terraform to deploy an Azure MySQL Flexible Server Database in a virtual network (VNet).

+In this article, you learn how to:

+ [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/main.tf)]

+ [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/mysql-fs-db.tf)]

+ [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/variables.tf)]

+1. Create a file named `outputs.tf` and insert the following code:

+ [!code-terraform[master](~/terraform_samples/quickstart/201-mysql-fs-db/outputs.tf)]

+Azure Orbital Analytics provides the ability to downlink spaceborne data from Azure Orbital Ground Station (AOGS), first- or third-party archives, or customer-acquired data directly into Azure. This data is efficiently stored using Azure Data and Storage services. From there, you can convert raw spaceborne sensor data into analysis-ready data using Azure Orbital Analytics processing pipelines.

+Derive insights on data by applying AI models, integrating applications, and more. Partner AI models and Microsoft tools extract the highest precision results. Finally, deliver data to destinations such as Microsoft Teams, Power Platform, or process it using open-source tools. Azure Orbital Analytics enables scenarios including land classification, asset monitoring, object detection, and more.

+Azure Orbital Analytics is the pathway between satellite operators and Microsoft customers. Partnerships with [Airbus](https://www.airbus.com/en), [Blackshark.ai](https://blackshark.ai/technology/), and [Orbital Insight](https://orbitalinsight.com/) enable information extraction and publishing to EsriΓÇÖs ArcGIS workflows.

+- [Spaceborne data analysis with Azure Synapse Analytics](/azure/architecture/industries/aerospace/geospatial-processing-analytics)

+ Title: Create Dynatrace for Azure resource - Azure partner solutions

+In this quickstart, you create a new instance of Dynatrace for Azure. You can either create a new Dynatrace environment or [link to an existing Dynatrace environment](dynatrace-link-to-existing.md#link-to-existing-dynatrace-environment).

+ Title: Configure pre-deployment to use Dynatrace with Azure - Azure partner solutions

+To set up the Dynatrace for Azure, you must have **Owner** or **Contributor** access on the Azure subscription. [Confirm that you have the appropriate access](../../role-based-access-control/check-access.md) before starting the setup.

+ Title: Manage your Dynatrace for Azure integration - Azure partner solutions

+This article describes how to manage the settings for Dynatrace for Azure.

+ Title: Linking to an existing Dynatrace for Azure resource - Azure partner solutions

+When you use the integrated experience for Dynatrace in the Azure portal, your billing and monitoring for the following entities is tracked in the portal.

+ Title: Dynatrace for Azure overview - Azure partner solutions

+Dynatrace for Azure offering in the Azure Marketplace enables you to create and manage Dynatrace environments using the Azure portal with a seamlessly integrated experience. This enables you to use Dynatrace as a monitoring solution for your Azure workloads through a streamlined workflow, starting from procurement, all the way to configuration and management.

+ Title: Troubleshooting Dynatrace for Azure - Azure partner solutions

+This article describes how to contact support when working with a Dynatrace for Azure resource. Before contacting support, see [Fix common errors](#fix-common-errors).

+| [Dynatrace for Azure](./dynatrace/dynatrace-overview.md) | Use Dynatrace for Azure for monitoring your workloads using the Azure portal. |

+## App retry during database request failures

+```csharp

+using System;

+using System.Data;

+using System.Runtime.InteropServices;

+using System.Text;

+using Npgsql;

+namespace Driver

+{

+ public class Reconnect

+ {

+ static string connStr = new NpgsqlConnectionStringBuilder("Server = <host name>; Database = citus; Port = 5432; User Id = citus; Password = {Your Password}; Ssl Mode = Require; Pooling = true; Minimum Pool Size=0; Maximum Pool Size =50;TrustServerCertificate = true").ToString();

+ static string executeRetry(string sql, int retryCount)

+ {

+ for (int i = 0; i < retryCount; i++)

+ {

+ try

+ {

+ using (var conn = new NpgsqlConnection(connStr))

+ {

+ conn.Open();

+ DataTable dt = new DataTable();

+ using (var _cmd = new NpgsqlCommand(sql, conn))

+ {

+ NpgsqlDataAdapter _dap = new NpgsqlDataAdapter(_cmd);

+ _dap.Fill(dt);

+ conn.Close();

+ if (dt != null)

+ {

+ if (dt.Rows.Count > 0)

+ {

+ int J = dt.Rows.Count;

+ StringBuilder sb = new StringBuilder();

+ for (int k = 0; k < dt.Rows.Count; k++)

+ {

+ for (int j = 0; j < dt.Columns.Count; j++)

+ {

+ sb.Append(dt.Rows[k][j] + ",");

+ }

+ sb.Remove(sb.Length - 1, 1);

+ sb.Append("\n");

+ }

+ return sb.ToString();

+ }

+ }

+ }

+ }

+ return null;

+ }

+ catch (Exception e)

+ {

+ Thread.Sleep(60000);

+ Console.WriteLine(e.Message);

+ }

+ }

+ return null;

+ }

+ static void Main(string[] args)

+ {

+ string result = executeRetry("select 1",5);

+ Console.WriteLine(result);

+ }

+ }

+}

+```

+db.url=jdbc:postgresql://<host>:5432/citus?ssl=true&sslmode=require

+db.username=citus

+db.password=<password>

+ datasource.setAutoCommit(true);

+private static void inMemory(Connection connection) throws SQLException,IOException

+ log.info("Copying inmemory data into table");

+

+ final List<String> rows = new ArrayList<>();

+ rows.add("0,Target,Sunnyvale,California,94001");

+ rows.add("1,Apollo,Guntur,Andhra,94003");

+

+ final BaseConnection baseConnection = (BaseConnection) connection.unwrap(Connection.class);

+ final CopyManager copyManager = new CopyManager(baseConnection);

+ // COPY command can change based on the format of rows. This COPY command is for above rows.

+ final String copyCommand = "COPY pharmacy FROM STDIN with csv";

+

+ try (final Reader reader = new StringReader(String.join("\n", rows))) {

+## App retry during database request failures

+```java

+package test.crud;

+import java.sql.Connection;

+import java.sql.PreparedStatement;

+import java.sql.ResultSet;

+import java.sql.ResultSetMetaData;

+import java.util.logging.Logger;

+import com.zaxxer.hikari.HikariDataSource;

+public class DemoApplication

+{

+ private static final Logger log;

+ static

+ {

+ System.setProperty("java.util.logging.SimpleFormatter.format", "[%4$-7s] %5$s %n");

+ log = Logger.getLogger(DemoApplication.class.getName());

+ }

+ private static final String DB_USERNAME = "citus";

+ private static final String DB_PASSWORD = "<Your Password>";

+ private static final String DB_URL = "jdbc:postgresql://<Server Name>:5432/citus?sslmode=require";

+ private static final String DB_DRIVER_CLASS = "org.postgresql.Driver";

+ private static HikariDataSource datasource;

+ private static String executeRetry(String sql, int retryCount) throws InterruptedException

+ {

+ Connection con = null;

+ PreparedStatement pst = null;

+ ResultSet rs = null;

+ for (int i = 1; i <= retryCount; i++)

+ {

+ try

+ {

+ datasource = new HikariDataSource();

+ datasource.setDriverClassName(DB_DRIVER_CLASS);

+ datasource.setJdbcUrl(DB_URL);

+ datasource.setUsername(DB_USERNAME);

+ datasource.setPassword(DB_PASSWORD);

+ datasource.setMinimumIdle(10);

+ datasource.setMaximumPoolSize(1000);

+ datasource.setAutoCommit(true);

+ datasource.setLoginTimeout(3);

+ log.info("Connecting to the database");

+ con = datasource.getConnection();

+ log.info("Connection established");

+ log.info("Read data");

+ pst = con.prepareStatement(sql);

+ rs = pst.executeQuery();

+ StringBuilder builder = new StringBuilder();

+ int columnCount = rs.getMetaData().getColumnCount();

+ while (rs.next())

+ {

+ for (int j = 0; j < columnCount;)

+ {

+ builder.append(rs.getString(j + 1));

+ if (++j < columnCount)

+ builder.append(",");

+ }

+ builder.append("\r\n");

+ }

+ return builder.toString();

+ }

+ catch (Exception e)

+ {

+ Thread.sleep(60000);

+ System.out.println(e.getMessage());

+ }

+ }

+ return null;

+ }

+ public static void main(String[] args) throws Exception

+ {

+ String result = executeRetry("select 1", 5);

+ System.out.print(result);

+ }

+}

+```

+ host: '<host>',

+ password: '<your password>',

+## App retry during database request failures

+```javascript

+const { Pool } = require('pg');

+const { sleep } = require('sleep');

+const pool = new Pool({

+ host: '<host>',

+ port: 5432,

+ user: 'citus',

+ password: '<your password>',

+ database: 'citus',

+ ssl: true,

+ connectionTimeoutMillis: 0,

+ idleTimeoutMillis: 0,

+ min: 10,

+ max: 20,

+});

+(async function() {

+ res = await executeRetry('select nonexistent_thing;',5);

+ console.log(res);

+ process.exit(res ? 0 : 1);

+})();

+async function executeRetry(sql,retryCount)

+{

+ for (let i = 0; i < retryCount; i++) {

+ try {

+ result = await pool.query(sql)

+ return result;

+ } catch (err) {

+ console.log(err.message);

+ sleep(60);

+ }

+ }

+ // didn't succeed after all the tries

+ return null;

+}

+```

+## App retry during database request failures

+```python

+import psycopg2

+import time

+from psycopg2 import pool

+host = "<host>"

+dbname = "citus"

+user = "citus"

+password = "{your password}"

+sslmode = "require"

+conn_string = "host={0} user={1} dbname={2} password={3} sslmode={4}".format(

+ host, user, dbname, password, sslmode)

+postgreSQL_pool = psycopg2.pool.SimpleConnectionPool(1, 20, conn_string)

+def executeRetry(query, retryCount):

+ for x in range(retryCount):

+ try:

+ if (postgreSQL_pool):

+ # Use getconn() to Get Connection from connection pool

+ conn = postgreSQL_pool.getconn()

+ cursor = conn.cursor()

+ cursor.execute(query)

+ return cursor.fetchall()

+ break

+ except Exception as err:

+ print(err)

+ postgreSQL_pool.putconn(conn)

+ time.sleep(60)

+ return None

+print(executeRetry("select 1", 5))

+```

+## App retry during database request failures

+```ruby

+require 'pg'

+def executeretry(sql,retryCount)

+ begin

+ for a in 1..retryCount do

+ begin

+ # NOTE: Replace the host and password arguments in the connection string.

+ # (The connection string can be obtained from the Azure portal)

+ connection = PG::Connection.new("host=<Server Name> port=5432 dbname=citus user=citus password={Your Password} sslmode=require")

+ resultSet = connection.exec(sql)

+ return resultSet.each

+ rescue PG::Error => e

+ puts e.message

+ sleep 60

+ ensure

+ connection.close if connection

+ end

+ end

+ end

+ return nil

+end

+var = executeretry('select 1',5)

+if var !=nil then

+ var.each do |row|

+ puts 'Data row = (%s)' % [row]

+ end

+end

+```

+## Is there support for Private endpoints, VNET and IP restrictions?

+Private endpoints, VNET, and IP restrictions are supported for data share for storage. Blob should be chosen as the target sub-resource when creating a private endpoint for storage accounts.

+1. Go to the Azure portal [portal.azure.com](https://ms.portal.azure.com/)

+# Indexer connections to a SQL Server instance on an Azure virtual machine

+A connection from Azure Cognitive Search to SQL Server instance on a virtual machine is a public internet connection. In order for secure connections to succeed, you'll need to satisfy the following requirements:

+After you've installed the certificate on your VM, you're ready to complete the following steps in this article.

+1. Check the properties of the certificate to verify the subject name is the fully qualified domain name (FQDN) of the Azure VM.

+ You can use a tool like CertUtils or the Certificates snap-in to view the properties. You can get the FQDN from the VM service blade's Essentials section, in the **Public IP address/DNS name label** field, in the [Azure portal](https://portal.azure.com/).

+

+ The FQDN is typically formatted as `<your-VM-name>.<region>.cloudapp.azure.com`

+ Although SQL Server Configuration Manager is often used for this task, you can't use it for this scenario. It won't find the imported certificate because the FQDN of the VM on Azure doesn't match the FQDN as determined by the VM (it identifies the domain as either the local computer or the network domain to which it's joined). When names don't match, use regedit to specify the certificate.

+ 1. In regedit, browse to this registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\[MSSQL13.MSSQLSERVER]\MSSQLServer\SuperSocketNetLib\Certificate`.

+ The `[MSSQL13.MSSQLSERVER]` part varies based on version and instance name.

+ 1. Set the value of the **Certificate** key to the **thumbprint** (without spaces) of the TLS/SSL certificate you imported to the VM.

+ There are several ways to get the thumbprint, some better than others. If you copy it from the **Certificates** snap-in in MMC, you'll probably pick up an invisible leading character [as described in this support article](https://support.microsoft.com/kb/2023869/), which results in an error when you attempt a connection. Several workarounds exist for correcting this problem. The easiest is to backspace over and then retype the first character of the thumbprint to remove the leading character in the key value field in regedit. Alternatively, you can use a different tool to copy the thumbprint.

+ Make sure the SQL Server service account is granted appropriate permission on the private key of the TLS/SSL certificate. If you overlook this step, SQL Server won't start. You can use the **Certificates** snap-in or **CertUtils** for this task.

+## Connect to SQL Server

+After you set up the encrypted connection required by Azure Cognitive Search, you'll connect to the instance through its public endpoint. The following article explains the connection requirements and syntax:

+## Configure the network security group

+It isn't unusual to configure the [network security group](../virtual-network/network-security-groups-overview.md) and corresponding Azure endpoint or Access Control List (ACL) to make your Azure VM accessible to other parties. Chances are you've done this before to allow your own application logic to connect to your SQL Azure VM. It's no different for an Azure Cognitive Search connection to your SQL Azure VM.

+1. Obtain the IP address of your search service. See the [following section](#restrict-access-to-the-azure-cognitive-search) for instructions.

+1. Add the search IP address to the IP filter list of the security group. Either one of following articles explains the steps:

+ + [Tutorial: Filter network traffic with a network security group using the Azure portal](/azure/virtual-network/tutorial-filter-network-traffic)

+ + [Create, change, or delete a network security group](/azure/virtual-network/manage-network-security-group)

+IP addressing can pose a few challenges that are easily overcome if you're aware of the issue and potential workarounds. The remaining sections provide recommendations for handling issues related to IP addresses in the ACL.

+You can find out the IP address by pinging the FQDN (for example, `<your-search-service-name>.search.windows.net`) of your search service. Although it's possible for the search service IP address to change, it's unlikely that it will change. The IP address tends to be static for the lifetime of the service.

+If you're using the Azure portal to create an indexer, you must grant the portal inbound access to your SQL Azure virtual machine. An inbound rule in the firewall requires that you provide the IP address of the portal.

+To get the portal IP address, ping `stamp2.ext.search.windows.net`, which is the domain of the traffic manager. The request will time out, but the IP address will be visible in the status message. For example, in the message "Pinging azsyrie.northcentralus.cloudapp.azure.com [52.252.175.48]", the IP address is "52.252.175.48".

+With configuration out of the way, you can now specify a SQL Server on Azure VM as the data source for an Azure Cognitive Search indexer. For more information, see [Index data from Azure SQL](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md).

+description: Add full text search to big data on Apache Spark that's been loaded and transformed through the open-source library, SynapseML. In this walkthrough, you'll load invoice files into data frames, apply machine learning through SynapseML, then send it into a generated search index.

+In this walkthrough, you'll set up a workbook that includes the following actions:

+¹ This article includes instructions for loading the package.

+² You can use the free tier for this walkthrough but [choose a higher tier](search-sku-tier.md) if data volumes are large. You'll need the [API key](search-security-api-keys.md#find-existing-keys) for this resource.

+³ This walkthrough uses Azure Forms Recognizer and Azure Translator. In the instructions below, you'll provide a [Cognitive Services multi-service key](../cognitive-services/cognitive-services-apis-create-account.md?tabs=multiservice%2cwindows#get-the-keys-for-your-resource) and the region, and it will work for both services.

+⁴ In this walkthrough, Azure Databricks provides the computing platform. You could also use Azure Synapse Analytics or any other computing platform supported by `synapseml`. The Azure Databricks article listed in the prerequisites includes multiple steps. For this walkthrough, follow only the instructions in "Create a workspace".

+> All of the above Azure resources support security features in the Microsoft Identity platform. For simplicity, this walkthrough assumes key-based authentication, using endpoints and keys copied from the portal pages of each service. If you implement this workflow in a production environment, or share the solution with others, remember to replace hard-coded keys with integrated security or encrypted keys.

+ :::image type="content" source="media/search-synapseml-cognitive-services/install-library-from-maven.png" alt-text="Screenshot of Maven package specification." border="true":::

+This code loads a few external files from an Azure storage account that's used for demo purposes. The files are various invoices, and they're read into a data frame.

+## Add form recognition

+The output from this step should look similar to the next screenshot. Notice how the forms analysis is packed into a densely structured column, which is difficult to work with. The next transformation resolves this issue by parsing the column into rows and columns.

+## Restructure form recognition output

+This code loads [FormOntologyLearner](https://mmlspark.blob.core.windows.net/docs/0.10.0/pyspark/synapse.ml.cognitive.html#module-synapse.ml.cognitive.FormOntologyTransformer), a transformer that analyzes the output of Form Recognizer transformers and infers a tabular data structure. The output of AnalyzeInvoices is dynamic and varies based on the features detected in your content. Furthermore, the transformer consolidates output into a single column. Because the output is dynamic and consolidated, it's difficult to use in downstream transformations that require more structure.

+Notice how this transformation recasts the nested fields into a table, which enables the next two transformations. This screenshot is trimmed for brevity. If you're following along in your own notebook, you'll have 19 columns and 26 rows.

+## Add translations

+## Add a search index with AzureSearchWriter

+You can check the search service pages in Azure portal to explore the index definition created by AzureSearchWriter.

+<!-- > [!NOTE]

+> If you can't use default search index, you can provide an external custom definition in JSON, passing its URI as a string in the "indexJson" property. Generate the default index first so that you know which fields to specify, and then follow with customized properties if you need specific analyzers, for example. -->

+Paste the following code into the seventh cell and then run it. No modifications are required, except that you might want to vary the syntax or try more examples to further explore your content:

+There's no transformer or module that issues queries. This cell is a simple call to the [Search Documents REST API](/rest/api/searchservice/search-documents).

+This particular example is searching for the word "door" (`"search": "door"`). It also returns a "count" of the number of matching documents, and selects just the contents of the "Description' and "Translations" fields for the results. If you want to see the full list of fields, remove the "select" parameter.

+> [Tutorial: Text Analytics with Cognitive Services](../synapse-analytics/machine-learning/tutorial-text-analytics-use-mmlspark.md)

+General purpose V2 storage accounts (Hot and Cool tier) | Supported | Usage of GPv2 is recommended because GPv1 does not support ZRS (Zonal Redundant Storage).

+Azure Spring Apps supports Java LTS versions with the most recent builds, currently Java 8, Java 11, and Java 17 are supported.

+### For how long will Java 8, Java 11, and Java 17 LTS versions be supported?

+See [Java long-term support for Azure and Azure Stack](/azure/developer/java/fundamentals/java-support-on-azure).

+ $subnetid=(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)

+| |*StorSimple Manager encountered an internal error. Wait for a few minutes and then try the operation again. If the issue persists, contact Microsoft Support. (Error code: 1074161829)* |This generic error has multiple causes, but one possibility encountered is that the StorSimple device manager reached the limit of 50 appliances. Check if the most recently run jobs in the device manager have suddenly started to fail with this error, which would suggest this is the problem. The mitigation for this particular issue is to remove any offline StorSimple 8001 appliances created and used by the Data Manager Service. You can file a support ticket or delete them manually in the portal. Make sure to only delete offline 8001 series appliances. |

+| |*Cannot proceed as volume is in non-NTFS format* |Only NTFS volumes, non dedupe enabled, can be used by the migration service. If you have a differently formatted volume, like ReFS or a third-party format, the migration service won't be able to migrate this volume. See the [Known limitations](#known-limitations) section. |

+| |*Contact support. No suitable partition found on the disk* |The StorSimple disk that is supposed to have the volume specified for migration doesn't appear to have a partition for said volume. That is unusual and can indicate a corruption or management mis-alignment. Your only option to further investigate this issue is to file a support ticket. |

+| |*Timed out* |The estimation phase failing with a timeout is typically an issue with either the StorSimple appliance, or the source Volume Backup being slow and sometimes even corrupt. If re-running the backup doesn't work, then filing a support ticket is your best course of action. |

+| |*Could not find file &lt;path&gt; </br>Could not find a part of the path* |The job definition allows you to provide a source sub-path. This error is shown when that path does not exist. For instance: *\Share1 > \Share\Share1* </br> In this example you've specified *\Share1* as a sub-path in the source, mapping to another sub-path in the target. However, the source path does not exist (was misspelled?). Note: Windows is case preserving but not case dependent. Meaning specifying *\Share1* and *\share1* is equivalent. Also: Target paths that don't exist will be automatically created. |

+|**Copying Files** |*The account being accessed does not support HTTP* |This is an Azure Files bug that is being fixed. The temporary mitigation is to disable internet routing on the target storage account or use the Microsoft routing endpoint. |

+| |*The specified share is full* |If the target is a premium Azure file share, ensure you have provisioned sufficient capacity for the share. Temporary over-provisioning is a common practice. If the target is a standard Azure file share, check that the target share has the "large file share" feature enabled. Standard storage is growing as you use the share. However, if you use a legacy storage account as a target, you might encounter a 5 TiB share limit. You will have to manually enable the ["Large file share"](storage-how-to-create-file-share.md#enable-large-files-shares-on-an-existing-account) feature. Fix the limits on the target and re-run the job. |

+During the copy phase of a migration job run, individual namespace items (files and folders) can encounter errors. The following table lists the most common errors and suggests mitigation options when possible.

+|**Copy** |*-2146233088 </br>The server is busy.* |Rerun the job if there are too many failures. If there are only very few errors, you can try running the job again, but often a manual copy of the failed items can be faster. Then resume the migration by skipping to processing the next backup. |

+| |*-2146233088 </br>Operation could not be completed within the specified time.* |Rerun the job if there are too many failures. If there are only very few errors, you can try running the job again, but often a manual copy of the failed items can be faster. Then resume the migration by skipping to processing the next backup. |

+| |*Upload timed out or copy not started* |Rerun the job if there are too many failures. If there are only very few errors, you can try running the job again, but often a manual copy of the failed items can be faster. Then resume the migration by skipping to processing the next backup. |

+| |*-2146233029 </br>The operation was cancelled.* |Rerun the job if there are too many failures. If there are only very few errors, you can try running the job again, but often a manual copy of the failed items can be faster. Then resume the migration by skipping to processing the next backup. |

+| |*Not a valid Win32 FileTime. Parameter name: fileTime* |In this case, the file can be accessed but can't be evaluated for copy because a timestamp the migration engine depends on is either corrupted or was written by an application in an incorrect format. There is not much you can do, because you can't change the timestamp in the backup. If retaining this file is important, perhaps on the latest version (last backup containing this file) you manually copy the file, fix the timestamp, and then move it to the target Azure file share. This option doesn't scale very well but is an option for high-value files where you want to have at least one version retained in your target. |

+| |*-2146232798 </br>Safe handle has been closed* |Often a transient error. Rerun the job if there are too many failures. If there are only very few errors, you can try running the job again, but often a manual copy of the failed items can be faster. Then resume the migration by skipping to processing the next backup. |

+| |*Bad request* |This error indicates that the source file has certain characteristics that could not be copied to the Azure file share. Most notably there could be invisible control characters in a file name or 1 byte of a double byte character in the file name or file path. You can use the copy logs to get path names, copy the files to a temporary location, rename the paths to remove the unsupported characters, and then robocopy again to the Azure file share. You can then resume the migration by skipping to the next backup to be processed. |

+ CountryName, PopulationCount

+ [Year] = 2019

+ [PopulationCount] DESC;

+Azure Virtual Desktop supports different types of identities depending on which configuration you choose. This section explains which identities you can use for each configuration.

+Since users must be discoverable through Azure Active Directory (Azure AD) to access the Azure Virtual Desktop, user identities that exist only in Active Directory Domain Services (AD DS) aren't supported. This includes standalone Active Directory deployments with Active Directory Federation Services (AD FS).

+Azure Virtual Desktop supports cloud-only identities when using [Azure AD-joined VMs](deploy-azure-ad-joined-vm.md). These users are created and managed directly in Azure AD.

+### Third-party identity providers

+If you're using an Identity Provider (IdP) other than Azure AD to manage your user accounts, you must ensure that:

+- Your IdP is [federated with Azure AD](../active-directory/devices/azureadjoin-plan.md#federated-environment).

+- Your session hosts are Azure AD-joined or [Hybrid Azure AD-joined](../active-directory/devices/hybrid-azuread-join-plan.md).

+- You enable [Azure AD authentication](configure-single-sign-on.md) to the session host.

+To access Azure Virtual Desktop resources, you must first authenticate to the service by signing in with an Azure AD account. Authentication happens whenever you subscribe to a workspace to retrieve your resources and connect to apps or desktops. You can use [third-party identity providers](../active-directory/devices/azureadjoin-plan.md#federated-environment) as long as they federate with Azure AD.

+### Passwordless authentication

+You can use any authentication type supported by Azure AD, such as [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview) and other [passwordless authentication options](../active-directory/authentication/concept-authentication-passwordless.md) (for example, FIDO keys), to authenticate to the service.

+To use a smart card to authenticate to Azure AD, you must first [configure AD FS for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) or [configure Azure AD certificate-based authentication](../active-directory/authentication/concept-certificate-based-authentication.md).

+If you haven't already enabled [single sign-on](#single-sign-on-sso) or saved your credentials locally, you'll also need to authenticate to the session host when launching a connection. The following list describes which types of authentication each Azure Virtual Desktop client currently supports.

+- The Windows Desktop client supports the following authentication methods:

+ - Smart card

+ - [Azure AD authentication](configure-single-sign-on.md)

+- The Windows Store client supports the following authentication method:

+- The web client supports the following authentication method:

+- The Android client supports the following authentication method:

+- The iOS client supports the following authentication method:

+- The macOS client supports the following authentication method:

+>In order for authentication to work properly, your local machine must also be able to access the [required URLs for Remote Desktop clients](safe-url-list.md#remote-desktop-clients).

+SSO allows the connection to skip the session host credential prompt and automatically sign the user in to Windows. For session hosts that are Azure AD-joined or Hybrid Azure AD-joined, it's recommended to enable [SSO using Azure AD authentication](configure-single-sign-on.md). Azure AD authentication provides other benefits including passwordless authentication and support for third-party identity providers.

+Azure Virtual Desktop also supports [SSO using Active Directory Federation Services (AD FS)](configure-adfs-sso.md) for the Windows Desktop and web clients.

+Without SSO, the client will prompt users for their session host credentials for every connection. The only way to avoid being prompted is to save the credentials in the client. We recommend you only save credentials on secure devices to prevent other users from accessing your resources.

+### Smart card and Windows Hello for Business

+Azure Virtual Desktop supports both NT LAN Manager (NTLM) and Kerberos for session host authentication, however Smart card and Windows Hello for Business can only use Kerberos to sign in. To use Kerberos, the client needs to get Kerberos security tickets from a Key Distribution Center (KDC) service running on a domain controller. To get tickets, the client needs a direct networking line-of-sight to the domain controller. You can get a line-of-sight by connecting directly within your corporate network, using a VPN connection or setting up a [KDC Proxy server](key-distribution-center-proxy.md).

+### In-session passwordless authentication (preview)

+> [!IMPORTANT]

+> In-session passwordless authentication is currently in public preview.

+> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+Azure Virtual Desktop supports in-session passwordless authentication (preview) using [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview) or security devices like FIDO keys. Passwordless authentication is currently only available for certain versions of Windows Insider. When deploying new session hosts, choose one of the following images:

+- Windows 11 version 22H2 Enterprise, (Preview) - X64 Gen 2.

+- Windows 11 version 22H2 Enterprise multi-session, (Preview) - X64 Gen2.

+Passwordless authentication is enabled by default when the local PC and session hosts use one of the supported operating systems above. You can disable it using the [WebAuthn redirection](configure-device-redirections.md#webauthn-redirection) RDP property.

+When enabled, all WebAuthn requests in the session are redirected to the local PC. You can use Windows Hello for Business or locally attached security devices to complete the authentication process.

+To access Azure AD resources with Windows Hello for Business or security devices, you must enable the FIDO2 Security Key as an authentication method for your users. To enable this method, follow the steps in [Enable FIDO2 security key method](../active-directory/authentication/howto-authentication-passwordless-security-key.md#enable-fido2-security-key-method).

+### In-session smart card authentication

+To use a smart card in your session, make sure you've installed the smart card drivers on the session host and enabled [smart card redirection](configure-device-redirections.md#smart-card-redirection). Review the [client comparison chart](/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#other-redirection-devices-etc) to make sure your client supports smart card redirection.

+- Having issues connecting to Azure AD-joined VMs? Look at [Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md).

+- Having issues with in-session passwordless authentication? See [Troubleshoot WebAuthn redirection](troubleshoot-device-redirections.md#webauthn-redirection).

+- Want to use smart cards from outside your corporate network? Review how to set up a [KDC Proxy server](key-distribution-center-proxy.md).

+ Title: Configure device redirection - Azure

+description: How to configure device redirection for Azure Virtual Desktop.

+# Configure device redirection

+Configuring device redirection for your Azure Virtual Desktop environment allows you to use printers, USB devices, microphones, and other peripheral devices in the remote session. Some device redirections require changes to both Remote Desktop Protocol (RDP) properties and Group Policy settings.

+## Supported device redirection

+Each client supports different kinds of device redirections. Check out [Compare the clients](/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare) for the full list of supported device redirections for each client.

+## Setup device redirection

+You can use the following RDP properties and Group Policy settings to configure device redirection.

+### COM port redirection

+### WebAuthn redirection

+Set the following RDP property to configure WebAuthn redirection:

+- `redirectwebauthn:i:1` enables WebAuthn redirection.

+- `redirectwebauthn:i:0` disables WebAuthn redirection.

+When enabled, WebAuthn requests from the session are sent to the local PC to be completed using the local Windows Hello for Business or security devices like FIDO keys. For more information, see [In-session passwordless authentication](authentication.md#in-session-passwordless-authentication-preview).

+ Title: Configure single sign-on for Azure Virtual Desktop - Azure

+description: How to configure single sign-on for an Azure Virtual Desktop environment.

+# Configure single sign-on for Azure Virtual Desktop

+> [!IMPORTANT]

+> Single sign-on using Azure AD authentication is currently in public preview.

+> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+This article will walk you through the process of configuring single sign-on (SSO) using Azure AD authentication for Azure Virtual Desktop (preview). When you enable SSO, you can use passwordless authentication and third-party Identity Providers that federate with Azure AD to sign in to your resources.

+> [!NOTE]

+> Azure Virtual Desktop (classic) doesn't support this feature.

+## Prerequisites

+Single sign-on is currently only available for certain versions of Windows Insider. When deploying new session hosts, you must choose one of the following images:

+ - Windows 11 version 22H2 Enterprise, (Preview) - X64 Gen 2.

+ - Windows 11 version 22H2 Enterprise multi-session, (Preview) - X64 Gen2.

+You can enable SSO for connections to Azure Active Directory (AD)-joined VMs. You can also use SSO to access Hybrid Azure AD-joined VMs, but only after creating a Kerberos Server object. Azure Virtual Desktop doesn't support this solution with VMs joined to Azure AD Domain Services.

+> [!NOTE]

+> Hybrid Azure AD-joined Windows Server 2019 VMs don't support SSO.

+Currently, the [Windows Desktop client](./user-documentation/connect-windows-7-10.md) is the only client that supports SSO. The local PC must be running Windows 10 or later. There's no domain join requirement for the local PC.

+SSO is currently supported in the Azure Public cloud.

+## Enable single sign-on

+If your host pool contains Hybrid Azure AD-joined session hosts, you must first enable Azure AD Kerberos in your environment by creating a Kerberos Server object. Azure AD Kerberos enables the authentication needed with the domain controller. We recommended you also enable Azure AD Kerberos for Azure AD-joined session hosts if you have a Domain Controller (DC). Azure AD Kerberos provides a single sign-on experience when accessing legacy Kerberos-based applications or network shares. To enable Azure AD Kerberos in your environment, follow the steps to [Create a Kerberos Server object](../active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md#create-a-kerberos-server-object) on your DC.

+To enable SSO on your host pool, you must [customize an RDP property](customize-rdp-properties.md). You can find the **Azure AD Authentication** property under the **Connection information** tab in the Azure portal or set the **enablerdsaadauth:i:1** property using PowerShell.

+> [!IMPORTANT]

+> If you enable SSO on your Hybrid Azure AD-joined VMs before you create the Kerberos server object, you won't be able to connect to the VMs, and you'll see an error message saying the specific log on session doesn't exist.

+### Allow remote desktop connection dialog

+When enabling single sign-on, you'll currently be prompted to authenticate to Azure AD and allow the Remote Desktop connection when launching a connection to a new host. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.

+## Next steps

+- Check out [In-session passwordless authentication (preview)](authentication.md#in-session-passwordless-authentication-preview) to learn how to enable passwordless authentication.

+- If you're accessing Azure Virtual Desktop from our Windows Desktop client, see [Connect with the Windows Desktop client](./user-documentation/connect-windows-7-10.md).

+- If you encounter any issues, go to [Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md).

+You can customize a host pool's Remote Desktop Protocol (RDP) properties, such as multi-monitor experience and audio redirection, to deliver an optimal experience for your users based on their needs. If you'd like to change the default RDP file properties, you can customize RDP properties in Azure Virtual Desktop by either using the Azure portal or by using the *-CustomRdpProperty* parameter in the **Update-AzWvdHostPool** cmdlet.

+|Redirections enabled|Drives, clipboard, printers, COM ports, smart cards, devices, usbdevicestore, and WebAuthn|

+>- A null CustomRdpProperty field will apply all default RDP properties to your host pool. An empty CustomRdpProperty field won't apply any default RDP properties to your host pool.

+You can reset individual custom RDP properties to their default values by following the instructions in [Add or edit a single custom RDP property](#add-or-edit-a-single-custom-rdp-property). You can also reset all custom RDP properties for a host pool by running the following PowerShell cmdlet:

+Now that you've customized the RDP properties for a given host pool, you can sign in to an Azure Virtual Desktop client to test them as part of a user session. These next how-to guides will tell you how to connect to a session using the client of your choice:

+The following known limitations may affect access to your on-premises or Active Directory domain-joined resources and should be considered when deciding whether Azure AD-joined VMs are right for your environment. We currently recommend Azure AD-joined VMs for scenarios where users only need access to cloud-based resources or Azure AD-based authentication.

+### Single sign-on

+You can enable a single sign-on experience using Azure AD authentication when accessing Azure AD-joined VMs. Follow the steps to [Configure single sign-on](configure-single-sign-on.md) to provide a seamless connection experience.

+Now that you've deployed some Azure AD joined VMs, we recommend enabling single sign-on before connecting with a supported Azure Virtual Desktop client to test it as part of a user session. To learn more, check out these articles:

+- [Configure single sign-on](configure-single-sign-on.md)

+- [Create a profile container with Azure Files and Azure AD](create-profile-container-azure-ad.md)

+Users can sign into Azure Virtual Desktop from anywhere using different devices and clients. However, there are certain measures you should take to help keep yourself and your users safe. Using Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) with Azure Virtual Desktop prompts users during the sign-in process for another form of identification in addition to their username and password. You can enforce MFA for Azure Virtual Desktop using Conditional Access, and can also configure whether it applies to the web client, mobile apps, desktop clients, or all clients.

+How often a user is prompted to reauthenticate depends on [Azure AD session lifetime configuration settings](../active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md#azure-ad-session-lifetime-configuration-settings). For example, if their Windows client device is registered with Azure AD, it will receive a [Primary Refresh Token](../active-directory/devices/concept-primary-refresh-token.md) (PRT) to use for single sign-on (SSO) across applications. Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device.

+Learn how to enforce MFA for Azure Virtual Desktop and optionally configure sign-in frequency below.

+ - If you're using Azure Virtual Desktop (based on Azure Resource Manager), you can configure MFA on two different apps:

+ - **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07), which applies when the user subscribes to a feed and authenticates to the Azure Virtual Desktop Gateway during a connection.

+ - **Microsoft Remote Desktop** (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c), which applies when the user authenticates to the session host when [single sign-on](configure-single-sign-on.md) is enabled.

+### The user name or password is incorrect

+If you can't sign in and keep receiving an error message that says your credentials are incorrect, first make sure you're using the right credentials. If you keep seeing error messages, check to make sure you've fulfilled the following requirements:

+- Have you assigned the **Virtual Machine User Login** role-based access control (RBAC) permission to the virtual machine (VM) or resource group for each user?

+- Does your Conditional Access policy exclude multi-factor authentication requirements for the **Azure Windows VM sign-in** cloud application?

+If you've answered "no" to either of those questions, you'll need to reconfigure your multi-factor authentication. To reconfigure your multi-factor authentication, follow the instructions in [Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access](set-up-mfa.md#azure-ad-joined-session-host-vms).

+### A specified logon session does not exist. It may already have been terminated.

+If you come across an error that says, **An authentication error occurred. A specified logon session does not exist. It may already have been terminated**, verify that you properly created and configured the Kerberos server object when [configuring single sign-on](configure-single-sign-on.md).

+## Provide feedback

+Visit the [Azure Virtual Desktop Tech Community](https://techcommunity.microsoft.com/t5/azure-virtual-desktop/bd-p/AzureVirtualDesktopForum) to discuss the Azure Virtual Desktop service with the product team and active community members.

+ Title: Device redirections in Azure Virtual Desktop - Azure

+description: How to resolve issues with device redirections in Azure Virtual Desktop.

+# Troubleshoot device redirections for Azure Virtual Desktop

+>[!IMPORTANT]

+>This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects.

+Use this article to resolve issues with device redirections in Azure Virtual Desktop.

+## WebAuthn redirection

+If WebAuthn requests from the session aren't redirected to the local PC, check to make sure you've fulfilled the following requirements:

+- Are you using supported operating systems for [in-session passwordless authentication](authentication.md#in-session-passwordless-authentication-preview) on both the local PC and session host?

+- Have you enabled WebAuthn redirection as a [device redirection](configure-device-redirections.md#webauthn-redirection)?

+If you've answered "yes" to both of the earlier questions but still don't see the option to use Windows Hello for Business or security keys when accessing Azure AD resources, make sure you've enabled the FIDO2 security key method for the user account in Azure AD. To enable this method, follow the directions in [Enable FIDO2 security key method](../active-directory/authentication/howto-authentication-passwordless-security-key.md#enable-fido2-security-key-method).

+If a user signs in to the session host with a single-factor credential like username and password, then tries to access an Azure AD resource that requires MFA, they may not be able to use Windows Hello for Business. The user should follow these instructions to authenticate properly:

+1. If the user isn't prompted for a user account, they should first sign out.

+1. On the **account selection** page, select **Use another account**.

+1. Next, choose **Sign-in options** at the bottom of the window.

+1. After that, select **Sign in with Windows Hello or a security key**. They should see an option to select Windows Hello or security authentication methods.

+## Provide feedback

+Visit the [Azure Virtual Desktop Tech Community](https://techcommunity.microsoft.com/t5/azure-virtual-desktop/bd-p/AzureVirtualDesktopForum) to discuss the Azure Virtual Desktop service with the product team and active community members.

+## Next steps

+- For an overview on troubleshooting Azure Virtual Desktop and the escalation tracks, see [Troubleshooting overview, feedback, and support](troubleshoot-set-up-overview.md).

+- To troubleshoot issues while creating an Azure Virtual Desktop environment and host pool in an Azure Virtual Desktop environment, see [Environment and host pool creation](troubleshoot-set-up-issues.md).

+- To troubleshoot issues while configuring a virtual machine (VM) in Azure Virtual Desktop, see [Session host virtual machine configuration](troubleshoot-vm-configuration.md).

+- To troubleshoot issues related to the Azure Virtual Desktop agent or session connectivity, see [Troubleshoot common Azure Virtual Desktop Agent issues](troubleshoot-agent.md).

+- To troubleshoot issues when using PowerShell with Azure Virtual Desktop, see [Azure Virtual Desktop PowerShell](troubleshoot-powershell.md).

+- To go through a troubleshooting tutorial, see [Tutorial: Troubleshoot Resource Manager template deployments](../azure-resource-manager/templates/template-tutorial-troubleshoot.md).

+> [!NOTE]

+> We recommend that new customers choose [virtual machine scale sets with flexible orchestration mode](../virtual-machine-scale-sets/overview.md) for high availability with the widest range of features. Virtual machine scale sets allow VM instances to be centrally managed, configured, and updated, and will automatically increase or decrease the number of VM instances in response to demand or a defined schedule. Availability sets only offer high availability.

+Each virtual machine in your availability set is assigned an **update domain** and a **fault domain** by the underlying Azure platform. Each availability set can be configured with up to three fault domains and twenty update domains. These configurations cannot be changed once the availability set has been created. Update domains indicate groups of virtual machines and underlying physical hardware that can be rebooted at the same time. When more than five virtual machines are configured within a single availability set with five update domains, the sixth virtual machine is placed into the same update domain as the first virtual machine, the seventh in the same update domain as the second virtual machine, and so on. The order of update domains being rebooted may not proceed sequentially during planned maintenance, but only one update domain is rebooted at a time. A rebooted update domain is given 30 minutes to recover before maintenance is initiated on a different update domain.

+- **Confidential disk encryption** binds disk encryption keys to the virtual machine's TPM and makes the protected disk content accessible only to the VM. The TPM and VM guest state is always encrypted in attested code using keys released by a secure protocol that bypasses the hypervisor and host operating system. Currently only available for the OS disk. Encryption at host may be used for other disks on a Confidential VM in addition to Confidential Disk Encryption. For full details, see [DCasv5 and ECasv5 series confidential VMs](../confidential-computing/confidential-vm-overview.md#confidential-os-disk-encryption).

+- [DCasv5 and ECasv5 series confidential VMs](../confidential-computing/confidential-vm-overview.md#confidential-os-disk-encryption)

+To update the SSH public key of a user, create a file named `update_ssh_key.json` and add settings in the following format. Replace `username` and `ssh_key` with your own information:

+To reset a user password, create a file named `reset_user_password.json` and add settings in the following format. Replace `username` and `password` with your own information:

+To restart the SSH daemon and reset the SSH configuration to default values, create a file named `reset_sshd.json`. Add the following text:

+To delete a user, create a file named `delete_user.json` and add the following content. Change the data for `remove_user` to the user you're trying to delete:

+To check and then repair the disk, create a file named `disk_check_repair.json` and add settings in the following format. Change the data for `repair_disk` to the disk you're trying to repair:

+> | Variable | Description | Type | Notes |

+> | -- | --| -- | |

+> | `ANF_HANA_data` | Create Azure NetApp Files volume for HANA data. | Optional | |

+> | `ANF_HANA_data_use_existing_volume` | Use existing Azure NetApp Files volume for HANA data. | Optional | Use for pre-created volumes |

+> | `ANF_HANA_data_volume_name` | Azure NetApp Files volume name for HANA data. | Optional | |

+> | `ANF_HANA_data_volume_size` | Azure NetApp Files volume size in GB for HANA data. | Optional | default size 256 |

+> | `ANF_HANA_data_volume_throughput` | Azure NetApp Files volume throughput for HANA data. | Optional | default is 128 MBs/s |

+> | | | | |

+> | `ANF_HANA_log` | Create Azure NetApp Files volume for HANA log. | Optional | |

+> | `ANF_HANA_log_use_existing` | Use existing Azure NetApp Files volume for HANA log. | Optional | Use for pre-created volumes |

+> | `ANF_HANA_log_volume_name` | Azure NetApp Files volume name for HANA log. | Optional | |

+> | `ANF_HANA_log_volume_size` | Azure NetApp Files volume size in GB for HANA log. | Optional | default size 128 |

+> | `ANF_HANA_log_volume_throughput` | Azure NetApp Files volume throughput for HANA log. | Optional | default is 128 MBs/s |

+> | | | | |

+> | `ANF_HANA_shared` | Create Azure NetApp Files volume for HANA shared. | Optional | |

+> | `ANF_HANA_shared_use_existing` | Use existing Azure NetApp Files volume for HANA shared. | Optional | Use for pre-created volumes |

+> | `ANF_HANA_shared_volume_name` | Azure NetApp Files volume name for HANA shared. | Optional | |

+> | `ANF_HANA_shared_volume_size` | Azure NetApp Files volume size in GB for HANA shared. | Optional | default size 128 |

+> | `ANF_HANA_shared_volume_throughput` | Azure NetApp Files volume throughput for HANA shared. | Optional | default is 128 MBs/s |

+> | | | | |

+> | `ANF_sapmnt` | Create Azure NetApp Files volume for sapmnt. | Optional | |

+> | `ANF_sapmnt_use_existing_volume` | Use existing Azure NetApp Files volume for sapmnt. | Optional | Use for pre-created volumes |

+> | `ANF_sapmnt_volume_name` | Azure NetApp Files volume name for sapmnt. | Optional | |

+> | `ANF_sapmnt_volume_size` | Azure NetApp Files volume size in GB for sapmnt. | Optional | default size 128 |

+> | `ANF_sapmnt_throughput` | Azure NetApp Files volume throughput for sapmnt. | Optional | default is 128 MBs/s |

+> | | | | |

+> | `ANF_usr_sap` | Create Azure NetApp Files volume for usrsap. | Optional | |

+> | `ANF_usr_sap_use_existing` | Use existing Azure NetApp Files volume for usrsap. | Optional | Use for pre-created volumes |

+> | `ANF_usr_sap_volume_name` | Azure NetApp Files volume name for usrsap. | Optional | |

+> | `ANF_usr_sap_volume_size` | Azure NetApp Files volume size in GB for usrsap. | Optional | default size 128 |

+> | `ANF_usr_sap_throughput` | Azure NetApp Files volume throughput for usrsap. | Optional | default is 128 MBs/s |

+> | `ANF_qos_type` | The Quality of Service type of the pool (Auto or Manual). | Optional | |

+> | `ANF_use_existing_pool` | Use existing the Azure NetApp Files Capacity Pool. | Optional | |

+> | `ANF_account_arm_id` | Azure resource identifier for the Azure NetApp Files Account. | Optional | For brown field deployments. |

+> | `ANF_transport_volume_use_existing` | Defines if an existing transport volume is used. | Optional | |

+> | `ANF_transport_volume_name` | Defines the transport volume name. | Optional | For brown field deployments. |

+> | `ANF_install_volume_use_existing` | Defines if an existing install volume is used. | Optional | |

+> | `ANF_install_volume_name` | Defines the install volume name. | Optional | For brown field deployments. |

+> | `ANF_install_volume_size` | Defines the size of the install volume in GB. | Optional | |

+> | `ANF_install_volume_throughput` | Defines the throughput of the install volume. | Optional | |

+```azurecli

+```azurecli

+ --subscription "<subscription_id>"

+Update the Azure Virtual Network Manager extension for Azure CLI.

+```azurecli

+az extension update --name virtual-network-manager

+```

+Before you can deploy Azure Virtual Network Manager, you have to create a resource group to host a network manager with [az group create](/cli/azure/group#az-group-create). This example creates a resource group named **myAVNMResourceGroup** in the **westus** location:

+```azurecli

+Define the scope and access type this Network Manager instance will have. Create the scope by using [az network manager create](/cli/azure/network/manager#az-network-manager-create). Replace the value *<subscription_id>* with the subscription you want Virtual Network Manager to manage virtual networks for. For management groups, replace *<mgName\>* with the management group to manage.

+```azurecli

+ --network-manager-scopes subscriptions="/subscriptions/<subscription_id>"

+## Create a network group

+Virtual Network Manager applies configurations to groups of VNets by placing them in **Network Groups.** Create a network group with [az network manager group create](/cli/azure/network/manager/group#az-network-manager-group-create).

+```azurecli

+az network manager group create \

+ --name "myNetworkGroup" \

+ --network-manager-name "myAVNM" \

+ --resource-group "myAVNMResourceGroup" \

+ --description "Network Group for Production virtual networks"

+```

+## Create virtual networks

+Create five virtual networks with [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create). This example creates virtual networks named **VNetA**, **VNetB**,**VNetC** and **VNetD** in the **West US** location. Each virtual network will have a tag of **networkType** used for dynamic membership. If you already have virtual networks you want create a mesh network with, you can skip to the next section.

+```azurecli

+ --address-prefix "10.0.0.0/16" \

+ --tags "NetworkType=Prod"

+ --address-prefix "10.1.0.0/16" \

+ --tags "NetworkType=Prod"

+ --address-prefix "10.2.0.0/16" \

+ --tags "NetworkType=Prod"

+az network vnet create \

+ --name "VNetD" \

+ --resource-group "myAVNMResourceGroup" \

+ --address-prefix "10.3.0.0/16" \

+ --tags "NetworkType=Test"

+az network vnet create \

+ --name "VNetE" \

+ --resource-group "myAVNMResourceGroup" \

+ --address-prefix "10.4.0.0/16" \

+ --tags "NetworkType=Test"

+```

+```azurecli

+az network vnet subnet create \

+ --name "default" \

+ --resource-group "myAVNMResourceGroup" \

+ --vnet-name "VNetD" \

+ --address-prefix "10.3.0.0/24"

+az network vnet subnet create \

+ --name "default" \

+ --resource-group "myAVNMResourceGroup" \

+ --vnet-name "VNetE" \

+ --address-prefix "10.4.0.0/24"

+## Define membership for a mesh configuration

+Azure Virtual Network manager allows you two methods for adding membership to a network group. Static membership involves manually adding virtual networks, and dynamic membership involves using Azure Policy to dynamically add virtual networks based on conditions. Choose the option you wish to complete for your mesh configuration membership:

+### Static membership option

+Using **static membership**, you'll manually add 3 VNets for your Mesh configuration to your Network Group with [az network manager group static-member create](/cli/azure/network/manager/group/static-member#az-network-manager-group-static-member-create). Replace <subscription_id> with the subscription these VNets were created under.

+```azurecli

+az network manager group static-member create \

+ --name "VNetA" \

+ --network-group "myNetworkGroup" \

+ --network-manager "myAVNM" \

+ --resource-group "myAVNMResourceGroup" \

+ --resource-id "/subscriptions/<subscription_id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/virtualnetworks/VNetA"

+```

+```azurecli

+az network manager group static-member create \

+ --name "VNetB" \

+ --network-group "myNetworkGroup" \

+ --network-manager "myAVNM" \

+ --resource-group "myAVNMResourceGroup" \

+ --resource-id "/subscriptions/<subscription_id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/virtualnetworks/VNetB"

+```

+```azurecli

+az network manager group static-member create \

+ --name "VNetC" \

+ --network-group "myNetworkGroup" \

+ --network-manager "myAVNM" \

+ --resource-group "myAVNMResourceGroup" \

+ --resource-id "/subscriptions/<subscription_id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/virtualnetworks/VNetC"

+```

+### Dynamic membership option

+Using [Azure Policy](concept-azure-policy-integration.md), you'll dynamically add the three VNets with a tag **networkType** value of *Prod* to the Network Group. These are the three virtual networks to become part of the mesh configuration.

+> [!NOTE]

+> Policies can be applied to a subscription or management group, and must always be defined *at or above* the level they're created. Only virtual networks within a policy scope are added to a Network Group.

+### Create a Policy definition

+Create a Policy definition with [az policy definition create](/cli/azure/policy/definition#az-policy-definition-create) for virtual networks tagged as **Prod**. Replace *<subscription_id>* with the subscription you want to apply this policy to. If you want to apply it to a management group, replace `--subscription <subscription_id>` with `--management-group <mgName>`

+```azurecli

+az policy definition create \

+ --name "ProdVNets" \

+ --description "Choose Prod virtual networks only" \

+ --rules "{\"if\":{\"allOf\":[{\"field\":\"Name\",\"contains\":\"VNet\"},{\"field\":\"tags['NetworkType']\",\"equals\":\"Prod\"}]},\"then\":{\"effect\":\"addToNetworkGroup\",\"details\":{\"networkGroupId\":\"/subscriptions/<subscription_id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/myNetworkGroup\"}}}" \

+ --subscription <subscription_id> \

+ --mode "Microsoft.Network.Data"

+```

+### Apply a Policy definition

+Once a policy is defined, it must also be applied with [az policy assignment create](/cli/azure/policy/assignment#az-policy-assignment-create). Replace *<subscription_id>* with the subscription you want to apply this policy to. If you want to apply it to a management group, replace `--scope "/subscriptions/<subscription_id>"` with `--scope "/providers/Microsoft.Management/managementGroups/<mgName>`, and replace *<mgName\>* with your management group.

+```azurecli

+az policy assignment create \

+ --name "ProdVNets" \

+ --description "Take only virtual networks tagged NetworkType:Prod" \

+ --scope "/subscriptions/<subscription_id>" \

+ --policy "/subscriptions/<subscription_id>/providers/Microsoft.Authorization/policyDefinitions/ProdVNets"

+Now that the Network Group is created, and has the correct VNets, create a mesh network topology configuration with [az network manager connect-config create](/cli/azure/network/manager/connect-config#az-network-manager-connect-config-create). Replace <subscription_id> with your subscription.

+```azurecli

+ --description "Production Mesh Connectivity Config Example" \

+ --applies-to-groups network-group-id="/subscriptions/<subscription_id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/myNetworkGroup" \

+For the configuration to take effect, commit the configuration to the target regions with [az network manager post-commit](/cli/azure/network/manager#az-network-manager-post-commit):

+```azurecli

+#Currently broken - can only do via portal

+ --configuration-ids "/subscriptions/<subscription_id>/resourceGroups/myANVMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/connectivityConfigurations/connectivityconfig" \

+## Verify configuration

+Virtual Networks will display configurations applied to them with [az network manager list-effective-connectivity-config](/cli/azure/network/manager#az-network-manager-list-effective-connectivity-config):

+```azurecli

+az network manager list-effective-connectivity-config \

+ --resource-group "myAVNMResourceGroup" \

+ --virtual-network-name "VNetA"

+az network manager list-effective-connectivity-config \

+ --resource-group "myAVNMResourceGroup" \

+ --virtual-network-name "VNetB"

+az network manager list-effective-connectivity-config \

+ --resource-group "myAVNMResourceGroup" \

+ --virtual-network-name "VNetC"

+az network manager list-effective-connectivity-config \

+ --resource-group "myAVNMResourceGroup" \

+ --virtual-network-name "VNetD"

+```

+For the virtual networks that are part of the connectivity configuration, you'll see an output similar to this:

+```json

+{

+ "skipToken": "",

+ "value": [

+ {

+ "appliesToGroups": [

+ {

+ "groupConnectivity": "None",

+ "isGlobal": "False",

+ "networkGroupId": "/subscriptions/<subscription_id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/myNetworkGroup",

+ "useHubGateway": "False"

+ }

+ ],

+ "configurationGroups": [

+ {

+ "description": "Network Group for Production virtual networks",

+ "id": "/subscriptions/<subscription_id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/networkGroups/myNetworkGroup",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "myAVNMResourceGroup"

+ }

+ ],

+ "connectivityTopology": "Mesh",

+ "deleteExistingPeering": "False",

+ "description": "Production Mesh Connectivity Config Example",

+ "hubs": [],

+ "id": "/subscriptions/<subscription_id>/resourceGroups/myAVNMResourceGroup/providers/Microsoft.Network/networkManagers/myAVNM/connectivityConfigurations/connectivityconfig",

+ "isGlobal": "False",

+ "provisioningState": "Succeeded",

+ "resourceGroup": "myAVNMResourceGroup"

+ }

+ ]

+}

+```

+For virtual networks not part of the network group like **VNetD**, you'll see an output similar to this:

+```json

+az network manager list-effective-connectivity-config --resource-group "myAVNMResourceGroup" --virtual-network-name "VNetD-test"

+{

+ "skipToken": "",

+ "value": []

+}

+```

+ ```azurecli

+ ```azurecli

+ ```azurecli

+ ```azurecli

+ ```azurecli

+[Block network traffic with security admin rules](how-to-block-network-traffic-portal.md)

+[Create a secured hub and spoke network](tutorial-create-secured-hub-and-spoke.md)

+ Title: Add a dual-stack network to an existing virtual machine - Azure CLI

+description: Learn how to add a dual-stack network to an existing virtual machine using the Azure CLI.

+ms.devlang: azurecli

+# Add a dual-stack network to an existing virtual machine using the Azure CLI

+In this article, you'll add IPv6 support to an existing virtual network. You'll configure an existing virtual machine with both IPv4 and IPv6 addresses. When completed, the existing virtual network will support private IPv6 addresses. The existing virtual machine network configuration will contain a public and private IPv4 and IPv6 address.

+## Prerequisites

+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).

+- This tutorial requires version 2.0.28 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.

+- An existing virtual network, public IP address and virtual machine in your subscription that is configured for IPv4 support only. For more information about creating a virtual network, public IP address and a virtual machine, see [Quickstart: Create a Linux virtual machine with the Azure CLI](/azure/virtual-machines/linux/quick-create-cli).

+ - The example virtual network used in this article is named **myVNet**. Replace this value with the name of your virtual network.

+

+ - The example virtual machine used in this article is named **myVM**. Replace this value with the name of your virtual machine.

+

+ - The example public IP address used in this article is named **myPublicIP**. Replace this value with the name of your public IP address.

+## Add IPv6 to virtual network

+In this section, you'll add an IPv6 address space and subnet to your existing virtual network.

+Use [az network vnet update](/cli/azure/network/vnet#az-network-vnet-update) to update the virtual network.

+```azurecli-interactive

+az network vnet update \

+ --address-prefixes 10.0.0.0/16 2404:f800:8000:122::/63 \

+ --resource-group myResourceGroup \

+ --name myVNet

+```

+Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update) to create the subnet.

+```azurecli-interactive

+az network vnet subnet update \

+ --address-prefixes 10.0.0.0/24 2404:f800:8000:122::/64 \

+ --name myBackendSubnet \

+ --resource-group myResourceGroup \

+ --vnet-name myVNet

+```

+## Create IPv6 public IP address

+In this section, you'll create a IPv6 public IP address for the virtual machine.

+Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create the public IP address.

+```azurecli-interactive

+ az network public-ip create \

+ --resource-group myResourceGroup \

+ --name myPublicIP-Ipv6 \

+ --sku Standard \

+ --version IPv6 \

+ --zone 1 2 3

+```

+## Add IPv6 configuration to virtual machine

+Use [az network nic ip-config create](/cli/azure/network/nic/ip-config#az-network-nic-ip-config-create) to create the IPv6 configuration for the NIC. The **`--nic-name`** used in the example is **myvm569**. Replace this value with the name of the network interface in your virtual machine.

+```azurecli-interactive

+ az network nic ip-config create \

+ --resource-group myResourceGroup \

+ --name Ipv6config \

+ --nic-name myvm569 \

+ --private-ip-address-version IPv6 \

+ --vnet-name myVNet \

+ --subnet myBackendSubnet \

+ --public-ip-address myPublicIP-IPv6

+```

+## Next steps

+In this article, you learned how to create an Azure Virtual machine with a dual-stack network.

+For more information about IPv6 and IP addresses in Azure, see:

+- [Overview of IPv6 for Azure Virtual Network.](ipv6-overview.md)

+- [What is Azure Virtual Network IP Services?](ip-services-overview.md)

+ Title: Add a dual-stack network to an existing virtual machine - Azure portal

+description: Learn how to add a dual stack network to an existing virtual machine using the Azure portal.

+# Add a dual-stack network to an existing virtual machine using the Azure portal

+In this article, you'll add IPv6 support to an existing virtual network. You'll configure an existing virtual machine with both IPv4 and IPv6 addresses. When completed, the existing virtual network will support private IPv6 addresses. The existing virtual machine network configuration will contain a public and private IPv4 and IPv6 address.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An existing virtual network, public IP address and virtual machine in your subscription that is configured for IPv4 support only. For more information about creating a virtual network, public IP address and a virtual machine, see [Quickstart: Create a Linux virtual machine in the Azure portal](/azure/virtual-machines/linux/quick-create-portal).

+ - The example virtual network used in this article is named **myVNet**. Replace this value with the name of your virtual network.

+

+ - The example virtual machine used in this article is named **myVM**. Replace this value with the name of your virtual machine.

+

+ - The example public IP address used in this article is named **myPublicIP**. Replace this value with the name of your public IP address.

+## Add IPv6 to virtual network

+In this section, you'll add an IPv6 address space and subnet to your existing virtual network.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+2. In the search box at the top of the portal, enter **Virtual network**. Select **Virtual networks** in the search results.

+3. Select **myVNet** in **Virtual networks**.

+4. Select **Address space** in **Settings**.

+5. Select the box **Add additional address range**. Enter **2404:f800:8000:122::/63**.

+6. Select **Save**.

+7. Select **Subnets** in **Settings**.

+8. In **Subnets**, select your subnet name from the list. In this example, the subnet name is **default**.

+9. In the subnet configuration, select the box **Add IPv6 address space**.

+10. In **IPv6 address space**, enter **2404:f800:8000:122::/64**.

+11. Select **Save**.

+## Create IPv6 public IP address

+In this section, you'll create a IPv6 public IP address for the virtual machine.

+1. In the search box at the top of the portal, enter **Public IP address**. Select **Public IP addresses** in the search results.

+2. Select **+ Create**.

+3. Enter or select the following information in **Create public IP address**.

+ | Setting | Value |

+ | - | -- |

+ | IP version | Select IPv6. |

+ | SKU | Select **Standard**. |

+ | **IPv6 IP Address Configuration** | |

+ | Name | Enter **myPublicIP-IPv6**. |

+ | Idle timeout (minutes) | Leave the default of **4**. |

+ | Subscription | Select your subscription. |

+ | Resource group | Select your resource group. In this example, the resource group is named **myResourceGroup**. |

+ | Location | Select your location. In this example, the location is **East US 2**. |

+ | Availability zone | Select **Zone-redundant**. |

+4. Select **Create**.

+## Add IPv6 configuration to virtual machine

+The virtual machine must be stopped to add the IPv6 configuration to the existing virtual machine. You'll stop the virtual machine and add the IPv6 configuration to the existing virtual machine's network interface.

+1. In the search box at the top of the portal, enter **Virtual machine**. Select **Virtual machines** in the search results.

+2. Select **myVM** or your existing virtual machine name.

+3. Stop **myVM**.

+4. Select **Networking** in **Settings**.

+5. Select your network interface name next to **Network Interface:**. In this example, the network interface is named **myvm404**.

+6. Select **IP configurations** in **Settings** of the network interface.

+7. In **IP configurations**, select **+ Add**.

+8. Enter or select the following information in **Add IP configuration**.

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter **Ipv6config**. |

+ | IP version | Select **IPv6**. |

+ | **Private IP address settings** | |

+ | Allocation | Leave the default of **Dynamic**. |

+ | Public IP address | Select **Associate**. |

+ | Public IP address | Select **myPublic-IPv6**. |

+9. Select **OK**.

+10. Start **myVM**.

+## Next steps

+In this article, you learned how to add a dual stack IP configuration to an existing virtual network and virtual machine.

+For more information about IPv6 and IP addresses in Azure, see:

+- [Overview of IPv6 for Azure Virtual Network.](ipv6-overview.md)

+- [What is Azure Virtual Network IP Services?](ip-services-overview.md)

+1. Open PowerShell on **myVM2**, enter `ping myVM1`.

+> When an update is made to the address space for a virtual network, you will need to sync the virtual network peer for each remote peered VNet to learn of the new address space updates. We recommend that you run sync after every resize address space operation instead of performing multiple resizing operations and then running the sync operation.

+Synching of virtual network peers can be performed through the Azure portal or with Azure PowerShell. We recommend that you run sync after every resize address space operation instead of performing multiple resizing operations and then running the sync operation. To learn how to update the address space for a peered virtual network, see [Updating the address space for a peered virtual network](./update-virtual-network-peering-address-space.md).

+ Title: 'Configure BGP peering to an NVA: Azure portal'

+# Configure BGP peering to an NVA - Azure portal

+This article helps you configure an Azure Virtual WAN hub router to peer with a Network Virtual Appliance (NVA) in your virtual network using BGP Peering via the Azure portal. The virtual hub router learns routes from the NVA in a spoke VNet that is connected to a virtual WAN hub. The virtual hub router also advertises the virtual network routes to the NVA. For more information, see [Scenario: BGP peering with a virtual hub](scenario-bgp-peering-hub.md).

+Verify that you've met the following criteria before beginning your configuration:

+Once you have the settings configured, click **Review + Create** to validate, then click **Create**. The hub will begin provisioning. After the hub is created, go to the hub's **Overview** page. When provisioning is completed, the **Routing status** is **Provisioned**.

+After your hub router status is provisioned, create a connection between your hub and VNet.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. On the portal page for your virtual WAN, in the left pane, select **Hubs** to view the list of hubs. Click a hub to configure a BGP peer.

+1. On the **Virtual Hub** page, in the left pane, select **BGP Peers**. On the **BGP Peers** page, click **+ Add** to add a BGP peer.

+ :::image type="content" source="./media/create-bgp-peering-hub-portal/bgp-peers.png" alt-text="Screenshot of BGP Peers page.":::

+1. On the **Add BGP Peer** page, complete the following fields.

+ * **Name** ΓÇô Resource name to identify a specific BGP peer.

+1. Click **Add** to complete the BGP peer configuration. You can view the peer on the **BGP Peers** page.

+ :::image type="content" source="./media/create-bgp-peering-hub-portal/view-peer.png" alt-text="Screenshot of the BGP peers page with the new peer.":::

+### Modify a BGP peer

+1. On the **Virtual Hub** resource, go to the **BGP Peers** page.

+1. Select the BGP peer.

+1. Click **…** at the end of the line for the peer, then select **Edit** from the dropdown.

+1. On the **Edit BGP Peer** page, make any necessary changes, then click **Add**.

+### Delete a BGP peer

+1. On the **Virtual Hub** resource, go to the **BGP Peers** page.

+1. Select the BGP peer.

+1. Click **…** at the end of the line for the peer, then select **Delete** from the dropdown.

+1. Click **Confirm** to confirm that you want to delete this resource.

+For more information about BGP scenarios, see [Scenario: BGP peering with a virtual hub](scenario-bgp-peering-hub.md).