+<!--Hide portal steps until SP bug is fixed

+-->

+To restore the app using Microsoft Graph, you must restore both the application object and the service principal. For more information, see the [Restore deleted item](/graph/api/directory-deleteditems-restore) API.

+To restore the application object:

+To restore the service principal object:

+1. Select **Configure**, then select **API Access**.

+This article covers how to improve the security of user sign-in by adding the application and location in Microsoft Authenticator app push notifications.

+| ID | String | The authentication method policy identifier. |

+| ID | String | Object ID of an Azure AD user or group. |

+The value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we'll use **any**, but if you don't want to allow passwordless, use **push**.

+1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

+1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

+1. Under the **Manage** menu header, select **Authentication methods** > **Policies**.

+1. From the list of available authentication methods, select **Microsoft Authenticator**.

+ 

+1. Select the target users, select the three dots on the right, and choose **Configure**.

+ 

+1. Select the **Authentication mode**, and then for **Show additional context in notifications (Preview)**, select **Enable**, and then select **Done**.

+Additional context isn't supported for Network Policy Server (NPS).

+This article covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security.

+When a user responds to an MFA push notification using the Authenticator app, they'll be presented with a number. They need to type that number into the app to complete the approval.

+If the user doesn't have an OTP method registered, they'll continue to get the **Approve**/**Deny** experience. A user with number matching disabled will always see the **Approve**/**Deny** experience.

+| ID | String | The authentication method policy identifier. |

+| ID | String | Object ID of an Azure AD user or group. |

+| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.<br>Note: You'll be able to only set one group or user for number matching. |

+You'll need to change the **numberMatchingRequiredState** from **default** to **enabled**.

+Note that the value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we'll use **any**, but if you don't want to allow passwordless, use **push**.

+To confirm this update has applied, please run the GET request below using the endpoint below.

+We'll need to change the **numberMatchingRequiredState** value from **default** to **enabled.**

+You'll need to change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.

+To turn number matching off, you'll need to PATCH remove **numberMatchingRequiredState** from **enabled** to **disabled**/**default**.

+To enable number matching in the Azure portal, complete the following steps:

+1. Sign-in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

+1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

+1. Under the **Manage** menu header, select **Authentication methods** > **Policies**.

+1. From the list of available authentication methods, select **Microsoft Authenticator**.

+ 

+1. Select the target users, select the three dots on the right, and choose **Configure**.

+ 

+1. Select the **Authentication mode**, and then for **Require number matching (Preview)**, select **Enable**, and then select **Done**.

+ 

+Number matching isn't supported for Apple Watch notifications. Apple Watch need to use their phone to approve notifications when number matching is enabled.

+[Authentication methods in Azure Active Directory](concept-authentication-authenticator-app.md)

+ Title: SMS-based user sign-in for Azure Active Directory

+description: Learn how to configure and enable users to sign-in to Azure Active Directory using SMS

+To simplify and secure sign-in to applications and services, Azure Active Directory (Azure AD) provides multiple authentication options. SMS-based authentication lets users sign-in without providing, or even knowing, their user name and password. After their account is created by an identity administrator, they can enter their phone number at the sign-in prompt. They receive an authentication code via text message that they can provide to complete the sign-in. This authentication method simplifies access to applications and services, especially for Frontline workers.

+* SMS-based authentication has reached general availability, and we're working to remove the **(Preview)** label in the Azure portal.

+1. Sign-in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

+1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

+1. Under the **Manage** menu header, select **Authentication methods** > **Policies**.

+1. From the list of available authentication methods, select **Text message**.

+ 

+1. Set **Enable** to *Yes*. Then select the **Target users**.

+Users are now enabled for SMS-based authentication, but their phone number must be associated with the user profile in Azure AD before they can sign-in. The user can [set this phone number themselves](https://support.microsoft.com/account-billing/set-up-sms-sign-in-as-a-phone-verification-method-0aa5b3b3-a716-4ff2-b0d6-31d2bcfbac42) in *My Account*, or you can assign the phone number using the Azure portal. Phone numbers can be set by *global admins*, *authentication admins*, or *privileged authentication admins*.

+The following scenarios and troubleshooting steps can used if you have problems with enabling and using SMS-based sign-in.

+If a user has already registered for Azure AD Multi-Factor Authentication and / or self-service password reset (SSPR), they already have a phone number associated with their account. This phone number isn't automatically available for use with SMS-based sign-in.

+- For more ways to sign-in to Azure AD without a password, such as the Microsoft Authenticator App or FIDO2 security keys, see [Passwordless authentication options for Azure AD][concepts-passwordless].

+1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

+1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

+1. Under the **Manage** menu header, select **Authentication methods** > **Policies**.

+1. From the list of available authentication methods, select **Temporary Access Pass**.

+ 

+1. Set the **Enable** to **Yes** to enable the policy. Then select the **Target** users.

+

+ 

+1. (Optional) Select **Configure** and modify the default Temporary Access Pass settings, such as setting maximum lifetime, or length.

+

+1. Select **Save** to apply the policy.

+ | Minimum lifetime | 1 hour | 10 ΓÇô 43,200 Minutes (30 days) | Minimum number of minutes that the Temporary Access Pass is valid. |

+ | Maximum lifetime | 8 hours | 10 ΓÇô 43,200 Minutes (30 days) | Maximum number of minutes that the Temporary Access Pass is valid. |

+ | Default lifetime | 1 hour | 10 ΓÇô 43,200 Minutes (30 days) | Default values can be override by the individual passes, within the minimum and maximum lifetime configured by the policy. |

+1. Select **Azure Active Directory**, browse to Users, select a user, such as *Chris Green*, then choose **Authentication methods**.

+1. Below **Choose method**, select **Temporary Access Pass**.

+1. Define a custom activation time or duration and select **Add**.

+1. Once added, the details of the Temporary Access Pass are shown. Make a note of the actual Temporary Access Pass value. You provide this value to the user. You can't view this value after you select **Ok**.

+For more information, see [New-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/new-mguserauthenticationtemporaryaccesspassmethod&preserve-view=true) and [Get-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/get-mguserauthenticationtemporaryaccesspassmethod?view=graph-powershell-beta&preserve-view=true).

+The most common use for a Temporary Access Pass is for a user to register authentication details during the first sign-in or device setup, without the need to complete extra security prompts. Authentication methods are registered at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). Users can also update existing authentication methods here.

+1. If the user is included in the Temporary Access Pass policy, they'll see a screen to enter their Temporary Access Pass.

+Users managing their security information at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) will see an entry for the Temporary Access Pass. If a user does not have any other registered methods, they'll be presented a banner at the top of the screen requesting them to add a new sign-in method. Users can additionally view the TAP expiration time, and delete the TAP if no longer needed.

+- On already Azure AD Joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business.

+- On Hybrid Azure AD Joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to set up Windows Hello for Business.

+For more information, see [Remove-MgUserAuthenticationTemporaryAccessPassMethod](/powershell/module/microsoft.graph.identity.signins/remove-mguserauthenticationtemporaryaccesspassmethod?view=graph-powershell-beta&preserve-view=true).

+- When using a one-time Temporary Access Pass to register a Passwordless method such as FIDO2 or Phone sign-in, the user must complete the registration within 10 minutes of sign-in with the one-time Temporary Access Pass. This limitation doesn't apply to a Temporary Access Pass that can be used more than once.

+- Users in scope for Self Service Password Reset (SSPR) registration policy *or* [Identity Protection Multi-factor authentication registration policy](../identity-protection/howto-identity-protection-configure-mfa-policy.md) will be required to register authentication methods after they've signed in with a Temporary Access Pass.

+Users in scope for these policies will get redirected to the [Interrupt mode of the combined registration](concept-registration-mfa-sspr-combined.md#combined-registration-modes). This experience doesn't currently support FIDO2 and Phone Sign-in registration.

+- A Temporary Access Pass can't be used with the Network Policy Server (NPS) extension and Active Directory Federation Services (AD FS) adapter.

+- If a Temporary Access Pass isn't offered to a user during sign-in, check the following:

+ - The user has a valid Temporary Access Pass, and if it's one-time use, it wasnΓÇÖt used yet.

+ - Azure AD Graph: email, offline_access, openid, profile, User.read

+ - Azure AD Graph: email, offline_access, openid, profile, User.read, User.read.all, and User.readbasic.all

+description: Grant controls in an Azure Active Directory Conditional Access policy.

+Within a Conditional Access policy, an administrator can use access controls to grant or block access to resources.

+The control for blocking access considers any assignments and prevents access based on the Conditional Access policy configuration.

+**Block access** is a powerful control that you should apply with appropriate knowledge. Policies with block statements can have unintended side effects. Proper testing and validation are vital before you enable the control at scale. Administrators should use tools such as [Conditional Access report-only mode](concept-conditional-access-report-only.md) and [the What If tool in Conditional Access](what-if-tool.md) when making changes.

+When administrators choose to combine these options, they can use the following methods:

+- Require all the selected controls (control *and* control)

+- Require one of the selected controls (control *or* control)

+By default, Conditional Access requires all selected controls.

+### Require Multi-Factor Authentication

+Selecting this checkbox requires users to perform Azure Active Directory (Azure AD) Multi-factor Authentication. You can find more information about deploying Azure AD Multi-Factor Authentication in [Planning a cloud-based Azure AD Multi-Factor Authentication deployment](../authentication/howto-mfa-getstarted.md).

+[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) satisfies the requirement for multifactor authentication in Conditional Access policies.

+Organizations that have deployed Intune can use the information returned from their devices to identify devices that meet specific policy compliance requirements. Intune sends compliance information to Azure AD so Conditional Access can decide to grant or block access to resources. For more information about compliance policies, see [Set rules on devices to allow access to resources in your organization by using Intune](/intune/protect/device-compliance-get-started).

+A device can be marked as compliant by Intune for any device operating system or by a third-party mobile device management system for Windows 10 devices. You can find a list of supported third-party mobile device management systems in [Support third-party device compliance partners in Intune](/mem/intune/protect/device-compliance-partners).

+Devices must be registered in Azure AD before they can be marked as compliant. You can find more information about device registration in [What is a device identity?](../devices/overview.md).

+The **Require device to be marked as compliant** control:

+ - Considers Microsoft Edge in InPrivate mode a non-compliant device.

+> On Windows 7, iOS, Android, macOS, and some third-party web browsers, Azure AD identifies the device by using a client certificate that is provisioned when the device is registered with Azure AD. When a user first signs in through the browser, the user is prompted to select the certificate. The user must select this certificate before they can continue to use the browser.

+You can use the Microsoft Defender for Endpoint app with the approved client app policy in Intune to set the device compliance policy to Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while you're setting up Conditional Access. Although Microsoft Defender for Endpoint on Android and iOS (app ID dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it has permission to report device security posture. This permission enables the flow of compliance information to Conditional Access.

+Organizations can choose to use the device identity as part of their Conditional Access policy. Organizations can require that devices are hybrid Azure AD joined by using this checkbox. For more information about device identities, see [What is a device identity?](../devices/overview.md).

+When you use the [device-code OAuth flow](../develop/v2-oauth2-device-code.md), the required grant control for the managed device or a device state condition isn't supported. This is because the device that is performing authentication can't provide its device state to the device that is providing a code. Also, the device state in the token is locked to the device performing authentication. Use the **Require Multi-Factor Authentication** control instead.

+The **Require hybrid Azure AD joined device** control:

+ - Only supports domain-joined Windows down-level (before Windows 10) and Windows current (Windows 10+) devices.

+ - Doesn't consider Microsoft Edge in InPrivate mode as a hybrid Azure AD-joined device.

+Organizations can require that an approved client app is used to access selected cloud apps. These approved client apps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile device management solution.

+To apply this grant control, the device must be registered in Azure AD, which requires using a broker app. The broker app can be Microsoft Authenticator for iOS, or either Microsoft Authenticator or Microsoft Company Portal for Android devices. If a broker app isn't installed on the device when the user attempts to authenticate, the user is redirected to the appropriate app store to install the required broker app.

+The following client apps support this setting:

+ - The approved client apps support the Intune mobile application management feature.

+ - The **Require approved client app** requirement:

+ - Only supports the iOS and Android for device platform condition.

+ - Requires a broker app to register the device. The broker app can be Microsoft Authenticator for iOS, or either Microsoft Authenticator or Microsoft Company Portal for Android devices.

+- Conditional Access can't consider Microsoft Edge in InPrivate mode an approved client app.

+- Conditional Access policies that require Microsoft Power BI as an approved client app don't support using Azure AD Application Proxy to connect the Power BI mobile app to the on-premises Power BI Report Server.

+See [Require approved client apps for cloud app access with Conditional Access](app-based-conditional-access.md) for configuration examples.

+In your Conditional Access policy, you can require that an [Intune app protection policy](/intune/app-protection-policy) is present on the client app before access is available to the selected cloud apps.

+To apply this grant control, Conditional Access requires that the device is registered in Azure AD, which requires using a broker app. The broker app can be either Microsoft Authenticator for iOS or Microsoft Company Portal for Android devices. If a broker app isn't installed on the device when the user attempts to authenticate, the user is redirected to the app store to install the broker app.

+Applications must have the Intune SDK with policy assurance implemented and must meet certain other requirements to support this setting. Developers who are implementing applications with the Intune SDK can find more information on these requirements in the SDK documentation.

+The following client apps support this setting:

+- Nine Mail - Email and Calendar

+> Kaizala, Skype for Business, and Visio don't support the **Require app protection policy** grant. If you require these apps to work, use the **Require approved apps** grant exclusively. Using the "or" clause between the two grants will not work for these three applications.

+Apps for the app protection policy support the Intune mobile application management feature with policy protection.

+The **Require app protection policy** control:

+- Only supports iOS and Android for device platform condition.

+- Requires a broker app to register the device. On iOS, the broker app is Microsoft Authenticator. On Android, the broker app is Intune Company Portal.

+See [Require app protection policy and an approved client app for cloud app access with Conditional Access](app-protection-based-conditional-access.md) for configuration examples.

+### Require password change

+When user risk is detected, administrators can employ the user risk policy conditions to have the user securely change a password by using Azure AD self-service password reset. Users can perform a self-service password reset to self-remediate. This process will close the user risk event to prevent unnecessary alerts for administrators.

+When a user is prompted to change a password, they'll first be required to complete multifactor authentication. Make sure all users have registered for multifactor authentication, so they're prepared in case risk is detected for their account.

+> Users must have previously registered for self-service password reset before triggering the user risk policy.

+The following restrictions apply when you configure a policy by using the password change control:

+- The policy must be assigned to "all cloud apps." This requirement prevents an attacker from using a different app to change the user's password and resetting their account risk by signing in to a different app.

+- **Require password change** can't be used with other controls, such as requiring a compliant device.

+- The password change control can only be used with the user and group assignment condition, cloud app assignment condition (which must be set to "all"), and user risk conditions.

+If your organization has created terms of use, other options might be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources that the policy protects. You can find more information about terms of use in [Azure Active Directory terms of use](terms-of-use.md).

+Custom controls is a preview capability of Azure AD. When you use custom controls, your users are redirected to a compatible service to satisfy authentication requirements that are separate from Azure AD. For more information, check out the [Custom controls](controls.md) article.

+ - [Multi-factor authenticationΓÇï](concept-conditional-access-grant.md#require-multi-factor-authentication)

+- Require user reauthentication for risky sign-ins with the [require multifactor authentication](concept-conditional-access-grant.md#require-multi-factor-authentication) grant control.

+# Access Azure AD protected resources from an app in Google Cloud

+| **Operating Systems** | Windows 11, Windows 10 or 8.1 except Home editions |

+A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is issued, used, and protected on Windows 10 or newer devices. We recommend using the latest versions of Windows 10, Windows 11 and Windows Server 2019+ to get the best SSO experience.

+* **Web Account Manager** (WAM): WAM is the default token broker on Windows 10 or newer devices. WAM also provides a plugin framework that identity providers can build on and enable SSO to their applications relying on that identity provider.

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. Select **Assignments** to see a list of active assignments.

+1. Select a specific assignment to see more details.

+1. To see a list of assignments that didn't have all resource roles properly provisioned, select the filter status and select **Delivering**.

+1. To see expired assignments, select the filter status and select **Expired**.

+1. To download a CSV file of the filtered list, select **Download**.

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. In the left menu, select **Assignments**.

+1. Select **New assignment** to open Add user to access package.

+1. In the **Select policy** list, select a policy that the users' future requests and lifecycle will be governed and tracked by. If you want the selected users to have different policy settings, you can select **Create new policy** to add a new policy.

+1. Set the date and time you want the selected users' assignment to start and end. If an end date isn't provided, the policy's lifecycle settings will be used.

+1. If the selected policy includes additional requestor information, select **View questions** to answer them on behalf of the users, then select **Save**.

+1. Select **Add** to directly assign the selected users to the access package.

+ After a few moments, select **Refresh** to see the users in the Assignments list.

+1. In the left menu, select **Access packages** and then open the access package in which you want to add a user.

+1. In the left menu, select **Assignments**.

+1. Set the date and time you want the selected users' assignment to start and end. If an end date isn't provided, the policy's lifecycle settings will be used.

+1. Select **Add** to directly assign the selected users to the access package.

+1. After a few moments, select **Refresh** to see the users in the Assignments list.

+For example, if you want to ensure all the users who are currently members of a group also have assignments to an access package, you can use this cmdlet to create requests for those users who don't currently have assignments. Note that this cmdlet will only create assignments; it doesn't remove assignments for users who are no longer members of a group.

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. In the left menu, select **Assignments**.

+1. Select the check box next to the user whose assignment you want to remove from the access package.

+1. Select the **Remove** button near the top of the left pane.

+All access packages must be put in a container called a catalog. A catalog defines what resources you can add to your access package. If you don't specify a catalog, your access package will be put into the general catalog. Currently, you can't move an existing access package to a different catalog.

+If you're an access package manager, you can't add resources you own to a catalog. You're restricted to using the resources available in the catalog. If you need to add resources to a catalog, you can ask the catalog owner.

+1. Select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages**.

+1. Select **New access package**.

+ You'll only see catalogs you have permission to create access packages in. To create an access package in an existing catalog, you must be either a Global administrator, Identity Governance administrator or User administrator, or you must be a catalog owner or access package manager in that catalog.

+ If you're a Global administrator, an Identity Governance administrator, a User administrator, or catalog creator and you would like to create your access package in a new catalog that's not listed, select **Create new catalog**. Enter the Catalog name and description and then select **Create**.

+ The access package you're creating, and any resources included in it, will be added to the new catalog. You can also add additional catalog owners later, and add attributes to the resources you put in the catalog. Read [Add resource attributes in the catalog](entitlement-management-catalog-create.md#add-resource-attributes-in-the-catalog) to learn more about how to edit the attributes list for a specific catalog resource and the prerequisite roles.

+1. Select **Next**.

+1. Select the resource type you want to add (**Groups and Teams**, **Applications**, or **SharePoint sites**).

+ If you're creating the access package in the General catalog or a new catalog, you'll be able to pick any resource from the directory that you own. You must be at least a Global administrator, a User administrator, or Catalog creator.

+ If you're creating the access package in an existing catalog, you can select any resource that is already in the catalog without owning it.

+ If you're a Global administrator, a User administrator, or catalog owner, you have the additional option of selecting resources you own that aren't yet in the catalog. If you select resources not currently in the selected catalog, these resources will also be added to the catalog for other catalog administrators to build access packages with. To see all the resources that can be added to the catalog, check the **See all** check box at the top of the Select pane. If you only want to select resources that are currently in the selected catalog, leave the check box **See all** unchecked (default state).

+1. Select **Next**.

+1. Select **Create** to create the access package.

+1. [List the accessPackageResources in the catalog](/graph/api/entitlementmanagement-list-accesspackagecatalogs?tabs=http&view=graph-rest-beta&preserve-view=true) and [create an accessPackageResourceRequest](/graph/api/entitlementmanagement-post-accesspackageresourcerequests?tabs=http&view=graph-rest-beta&preserve-view=true) for any resources that aren't yet in the catalog.

+1. [List the accessPackageResourceRoles](/graph/api/accesspackage-list-accesspackageresourcerolescopes?tabs=http&view=graph-rest-beta&preserve-view=true) of each accessPackageResource in an accessPackageCatalog. This list of roles will then be used to select a role, when later creating an accessPackageResourceRoleScope.

+When you create access packages, they're discoverable by default. This means that if a policy allows a user to request the access package, they'll automatically see the access package listed in their My Access portal. However, you can change the **Hidden** setting so that the access package isn't listed in the user's My Access portal.

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. On the Overview page, select **Edit**.

+ If set to **Yes**, the access package won't be listed in the user's My Access portal. The only way a user can view the access package is if they have the direct **My Access portal link** to the access package. For more information, see [Share link to request an access package](entitlement-management-access-package-settings.md).

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. In the left menu, select **Assignments** and remove access for all users.

+1. In the left menu, select **Overview** and then select **Delete**.

+1. In the delete message that appears, select **Yes**.

+In Azure AD entitlement management, you can configure multiple policies, with different settings for each user community that will need access through an access package. For example, employees might only need manager approval to get access to certain apps, but guests coming in from other organizations may require both a sponsor and a resource team departmental manager to approve. In a policy for users already in the directory, you can specify a particular group of users for who can request access. However, you may have a requirement to avoid a user obtaining excessive access. To meet this requirement, you'll want to further restrict who can request access, based on the access the requestor already has.

+With the separation of duties settings on an access package, you can configure that a user who is a member of a group or who already has an assignment to one access package can't request an additional access package.

+If youΓÇÖve been using Microsoft Identity Manager or other on-premises identity management systems for automating access for on-premises apps, then you can integrate these systems with Azure AD entitlement management as well. If you'll be controlling access to Azure AD-integrated apps through entitlement management, and want to prevent users from having incompatible access, you can configure that an access package is incompatible with a group. That could be a group, which your on-premises identity management system sends into Azure AD through Azure AD Connect. This check ensures a user will be unable to request an access package, if that access package would give access that's incompatible with access the user has in on-premises apps.

+1. Select **Azure Active Directory**, and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package which users will request.

+1. In the left menu, select **Separation of duties**.

+1. If you wish to prevent users who have another access package assignment already from requesting this access package, select on **Add access package** and select the access package that the user would already be assigned.

+1. If you wish to prevent users who have an existing group membership from requesting this access package, then select on **Add group** and select the group that the user would already be in.

+Follow these steps to view the list of other access packages that have indicated that they're incompatible with an existing access package:

+1. Select **Azure Active Directory**, and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package.

+1. In the left menu, select **Separation of duties**.

+1. Select on **Incompatible With**.

+If you're configuring incompatible access settings on an access package that already has users assigned to it, then any of those users who also have an assignment to the incompatible access package or groups won't be able to re-request access.

+1. Select **Azure Active Directory**, and then select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package where you'll be configuring incompatible assignments.

+1. In the left menu, select **Assignments**.

+1. Select the **Download** button and save the resulting CSV file as the first file with a list of assignments.

+1. In the navigation bar, select **Identity Governance**.

+1. In the left menu, select **Access packages** and then open the access package that you plan to indicate as incompatible.

+1. In the left menu, select **Assignments**.

+1. Select the **Download** button and save the resulting CSV file as the second file with a list of assignments.

+If an access package has been configured as incompatible, then a user who has an assignment to that incompatible access package can't request the access package, nor can an administrator make a new assignment that would be incompatible.

+For example, if the **Production environment** access package has marked the **Development environment** package as incompatible, and a user has an assignment to the **Development environment** access package, then the access package manager for **Production environment** can't create an assignment for that user to the **Production environment**. In order to proceed with that assignment, the user's existing assignment to the **Development environment** access package must first be removed.

+If there's an exceptional situation where separation of duties rules might need to be overridden, then configuring an additional access package to capture the users who have overlapping access rights will make it clear to the approvers, reviewers, and auditors the exceptional nature of those assignments.

+This policy could have as its lifecycle settings a much shorter expiration number of days than a policy on other access packages, or require more frequent access reviews, with regular oversight so that users don't retain access longer than necessary.

+1. To see if there have been changes to application role assignments for an application that weren't created due to access package assignments, then you can select the workbook named *Application role assignment activity*. If you select to omit entitlement activity, then only changes to application roles that weren't made by entitlement management are shown. For example, you would see a row if a global administrator had directly assigned a user to an application role.

+Azure AD Connect can be set up in an Active-Passive High Availability setup, where one server will actively push changes to the synced AD objects to Azure AD and the passive server will stage these changes in the event it will need to take over.

+Note: You cannot set up Azure AD Connect in an Active-Active setup. It must be Active-Passive

+Ensure that only 1 Azure AD Connect server is actively syncing changes.

+For more information on setting up an Azure AD Connect sync server in Staging Mode, see [staging mode](how-to-connect-sync-staging-server.md)

+You may need to perform a failover of the Sync Servers for several reasons, such as upgrading the version of Azure AD Connect, or receiving an alert that the health service of the Sync Service is not receiving up to date information. In these events you can attempt a failover of the Sync Servers by following the below steps.

+#### Prerequisites

+- One currently active Azure AD Connect Sync Server

+- One staging Azure AD Connect Sync Server

+#### Changing Currently Active Sync Server to Staging Mode

+We need to ensure that only one Sync Server is syncing changes at any given time throughout this process. If the currently Active Sync Server is reachable you can perform the below steps to move it to Staging Mode. If it is not reachable, ensure that the server or VM does not regain access unexpectedly either by shutting down the server or isolating it from outbound connections and proceed to the steps on how to change the currently Staging Sync Server to Active Mode.

+1. For the currently Active Azure AD Connect server, open the Azure AD Connect Console and click "Configure staging mode" then Next:

+[Insert Image: "active_server_menu.png"]

+2. You will need to sign into Azure AD with Global Admin or Hybrid Identity Admin credentials:

+[Insert Image: "active_server_sign_in.png"]

+3. Tick the box for Staging Mode and click Next:

+[Insert Image: "active_server_staging_mode.png"]

+4. The Azure AD Connect server will check for installed components and then prompt you whether you want to start the sync process:

+[Insert Image: "active_server_config.png"]

+Since the server will be in staging mode, it will not write changes to Azure AD, but retain any changes to the AD in its Connector Space, ready to write them.

+It is recommended to leave the sync process on for the server in Staging Mode, so if it becomes active, it will quickly take over and won't have to do a large sync to catch up to the current state of the AD/Azure AD sync.

+5. After selecting whether to start or stop the sync process and clicking Configure, the Azure AD Connect server will configure itself into Staging Mode.

+When this is completed, you will be prompted with a screen that confirms Staging Mode is enabled.

+You can click Exit to finish this.

+6. You can confirm that the server is successfully in Staging Mode by opening the Synchronization Service console.

+From here, there should be no more Export jobs since the change and Full & Delta Imports will be suffixed with "(Stage Only)" like below:

+[Insert Image "active_server_sync_server_mgmr.png"]

+#### Changing Currently Staging Sync Server to Active Mode

+At this point, all of our Azure AD Connect Sync Servers should be in Staging Mode and not exporting changes.

+We can now move our Staging Sync Server to Active mode and actively sync changes.

+1. Now move to the Azure AD Connect server that was originally in Staging Mode and open the Azure AD Connect console.

+Click on "Configure staging mode" and click Next:

+[Insert Image: "staging_server_menu.png"]

+Note the message at the bottom of the Console that indicates this server is in Staging Mode.

+2. Sign into Azure AD, then go to the Staging Mode screen.

+Untick the box for Staging Mode and click Next

+[Insert Image: "staging_server_staging_mode.png"]

+As per the warning on this page, it is important to ensure no other Azure AD Connect server is actively syncing.

+There should only be one active Azure AD Connect sync server at any time.

+3. When you are prompted to start the sync process, tick this box and click Configure:

+[Insert Image: "staging_server_config.png"]

+4. Once the process is finished you should get the below confirmation screen where you can click Exit to finish:

+[Insert Image: "staging_server_confirmation.png"]

+5. You can again confirm that this is working by opening the Sync Service Console and checking if Export jobs are running:

+[Insert Image: "staging_server_sync_server_mgmr.png"]

+> [!NOTE]

+> The ability to reset a password includes the ability to update the following sensitive attributes required for [self-service password reset](../authentication/concept-sspr-howitworks.md):

+> - businessPhones

+> - mobilePhone

+> - otherMails

+ Title: 'Tutorial: Configure Ideagen Cloud for automatic user provisioning with Azure Active Directory | Microsoft Docs'

+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Ideagen Cloud.

+documentationcenter: ''

+writer: Thwimmer

+ms.assetid: 9d86a706-03d3-4a7e-b76b-2197d6641af4

+ms.devlang: na

+# Tutorial: Configure Ideagen Cloud for automatic user provisioning

+This tutorial describes the steps you need to perform in both Ideagen Cloud and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Ideagen Cloud](https://www.ideagen.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+## Capabilities supported

+> [!div class="checklist"]

+> * Create users in Ideagen Cloud.

+> * Remove users in Ideagen Cloud when they do not require access anymore.

+> * Keep user attributes synchronized between Azure AD and Ideagen Cloud.

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).

+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* The Tenant URL and Secret Token.

+* Global Administrative rights for the Active Directory.

+* Access rights to set up Enterprise applications.

+## Step 1. Plan your provisioning deployment

+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. Determine what data to [map between Azure AD and Ideagen Cloud](../app-provisioning/customize-application-attributes.md).

+## Step 2. Configure Ideagen Cloud to support provisioning with Azure AD

+1. Login to [Ideagen Home](https://cktenant-homev2-scimtest1.ideagenhomedev.com). Click on the **Administration** icon to show the left hand side menu.

+ 

+

+2. Navigate to **Authentication** page under the **Manage tenant** sub menu.

+ 

+3. Scroll down in the Authentication page to **Client Token** section and click on **Regenerate**.

+ 

+4. **Copy** and save the Bearer Token. This value will be entered in the Secret Token * field in the Provisioning tab of your Ideagen Cloud application in the Azure portal.

+ 

+## Step 3. Add Ideagen Cloud from the Azure AD application gallery

+Add Ideagen Cloud from the Azure AD application gallery to start managing provisioning to Ideagen Cloud. If you have previously setup Ideagen Cloud for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4. Define who will be in scope for provisioning

+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5. Configure automatic user provisioning to Ideagen Cloud

+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in Ideagen Cloud based on user and/or group assignments in Azure AD.

+### To configure automatic user provisioning for Ideagen Cloud in Azure AD:

+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

+ 

+1. In the applications list, select **Ideagen Cloud**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Ideagen Cloud Tenant URL and corresponding Secret Token. Click **Test Connection** to ensure Azure AD can connect to Ideagen Cloud. If the connection fails, ensure your Ideagen Cloud account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Ideagen Cloud**.

+1. Review the user attributes that are synchronized from Azure AD to Ideagen Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Ideagen Cloud for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Ideagen Cloud API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Ideagen Cloud|

+ |||||

+ |userName|String|&check;|&check;

+ |active|Boolean||&check;

+ |displayName|String||&check;

+ |title|String|

+ |emails[type eq "work"].value|String||&check;

+ |preferredLanguage|String||

+ |name.givenName|String||&check;

+ |name.familyName|String||&check;

+ |externalId|String||&check;

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Azure AD provisioning service for Ideagen Cloud, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users and/or groups that you would like to provision to Ideagen Cloud by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you are ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

+## Step 6. Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+> The process for integrating SmarterU with Azure Active Directory is also documented and maintained in the [SmarterU help system](https://support.smarteru.com/docs/sso-azure-active-directory).

+ 1. In the **Identifier** text box, type a URL using the following pattern: `https://portal.speexx.com/auth/saml/<customername>`

+ 1. In the **Reply URL** text box, type a URL using the following pattern: `https://portal.speexx.com/auth/saml/<customername>/adfs/postResponse`

+ 1. In the **Sign-on URL** text box, type a URL using the following pattern: `https://portal.speexx.com/auth/saml/<customername>`

+

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Speexx Client support team](mailto:support@speexx.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+Once you configure Speexx you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+The data on the object storage can be accessed by applications using BlobFuse or Network File System (NFS) 3.0 protocol. Before the introduction of the Azure Blob storage CSI driver (preview), the only option was to manually install an unsupported driver to access Blob storage from your application running on AKS. When the Azure Blob storage CSI driver (preview) is enabled on AKS, there are two built-in storage classes: *azureblob-fuse-premium* and *azureblob-nfs-premium*.

+Perform the steps in this [link][csi-blob-storage-open-source-driver-uninstall-steps] if you previously installed the [CSI Blob Storage open-source driver][csi-blob-storage-open-source-driver] to access Azure Blob storage from your cluster.

+Use the [kubectl get sc][kubectl-get] command to see the storage classes. The following example shows the `azureblob-fuse-premium` and `azureblob-nfs-premium` storage classes available within an AKS cluster:

+ volume.beta.kubernetes.io/storage-class: azureblob-nfs-premium

+ volume.beta.kubernetes.io/storage-class: azureblob-fuse-premium

+[csi-blob-storage-open-source-driver-uninstall-steps]: https://github.com/kubernetes-sigs/blob-csi-driver](https://github.com/kubernetes-sigs/blob-csi-driver/blob/master/docs/install-csi-driver-master.md#clean-up-blob-csi-driver

+[azure-csi-blob-storage-static]: azure-csi-blob-storage-static.md

+Since Azure Disks are mounted as *ReadWriteOnce*, they're only available to a single node. For storage volumes that can be accessed by pods on multiple nodes simultaneously, use Azure Files.

+AKS provides a fully configured AKS image that already contains the [NVIDIA device plugin for Kubernetes][nvidia-github].

+The above command adds a node pool named *gpunp* to the *myAKSCluster* in the *myResourceGroup* resource group. The command also sets the VM size for the node in the node pool to *Standard_NC6*, enables the cluster autoscaler, configures the cluster autoscaler to maintain a minimum of one node and a maximum of three nodes in the node pool, specifies a specialized AKS GPU image nodes on your new node pool, and specifies a *sku=gpu:NoSchedule* taint for the node pool.

+* [Configure a Kubernetes cluster for ML model training or deployment][azureml-aks].

+* [Deploy a model with an online endpoint][azureml-deploy].

+[azureml-aks]: ../machine-learning/how-to-attach-kubernetes-anywhere.md

+[azureml-deploy]: ../machine-learning/how-to-deploy-managed-online-endpoints.md

+ Title: Use Pod Security Admission in Azure Kubernetes Service (AKS)

+description: Learn how to enable and use Pod Security Admission with Azure Kubernetes Service (AKS).

+# Use Pod Security Admission in Azure Kubernetes Service (AKS)

+Pod Security Admission enforces Pod Security Standards policies on pods running in a namespace. Pod Security Admission is enabled by default in AKS and is controlled by adding labels to a namespace. For more information about Pod Security Admission, see [Enforce Pod Security Standards with Namespace Labels][kubernetes-psa]. For more information about the Pod Security Standards used by Pod Security Admission, see [Pod Security Standards][kubernetes-pss].

+## Before you begin

+- An Azure subscription. If you don't have an Azure subscription, you can create a [free account](https://azure.microsoft.com/free).

+- [Azure CLI installed](/cli/azure/install-azure-cli).

+- An existing AKS cluster running Kubernetes version 1.23 or higher.

+## Enable Pod Security Admission for a namespace in your cluster

+To enable PSA for a namespace in your cluster, set the `pod-security.kubernetes.io/enforce` label with the policy value you want to enforce. For example:

+```azurecli-interactive

+kubectl label --overwrite ns NAMESPACE pod-security.kubernetes.io/enforce=restricted

+```

+The above command enforces the `restricted` policy for the *NAMESPACE* namespace.

+You can also enable Pod Security Admission for all your namespaces. For example:

+```azurecli-interactive

+kubectl label --overwrite ns --all pod-security.kubernetes.io/warn=baseline

+```

+The above example will generate a user-facing warning if any pods are deployed to any namespace that does not meet the `baseline` policy.

+## Example of enforcing a Pod Security Admission policy with a deployment

+Create two namespaces, one with the `restricted` policy and one with the `baseline` policy.

+```azurecli-interactive

+kubectl create namespace test-restricted

+kubectl create namespace test-privileged

+kubectl label --overwrite ns test-restricted pod-security.kubernetes.io/enforce=restricted pod-security.kubernetes.io/warn=restricted

+kubectl label --overwrite ns test-privileged pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=privileged

+```

+Both the `test-restricted` and `test-privileged` namespaces will block running pods as well as generate a user-facing warning if any pods attempt to run that do not meet the configured policy.

+Attempt to deploy pods to the `test-restricted` namespace.

+```azurecli-interactive

+kubectl apply --namespace test-restricted -f https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml

+```

+Notice you get a warning that the pods violate the configured policy.

+```output

+...

+Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "azure-vote-back" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "azure-vote-back" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "azure-vote-back" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "azure-vote-back" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

+deployment.apps/azure-vote-back created

+service/azure-vote-back created

+Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "azure-vote-front" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "azure-vote-front" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "azure-vote-front" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "azure-vote-front" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

+deployment.apps/azure-vote-front created

+service/azure-vote-front created

+```

+Confirm there are no pods running in the `test-restricted` namespace.

+```azurecli-interactive

+kubectl get pods --namespace test-restricted

+```

+```output

+$ kubectl get pods --namespace test-restricted

+No resources found in test-restricted namespace.

+```

+Attempt to deploy pods to the `test-privileged` namespace.

+```azurecli-interactive

+kubectl apply --namespace test-privileged -f https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml

+```

+Notice there are no warnings about pods not meeting the configured policy.

+Confirm you have pods running in the `test-privileged` namespace.

+```azurecli-interactive

+kubectl get pods --namespace test-privileged

+```

+```output

+$ kubectl get pods --namespace test-privileged

+NAME READY STATUS RESTARTS AGE

+azure-vote-back-6fcdc5cbd5-svbdf 1/1 Running 0 2m29s

+azure-vote-front-5f4b8d498-tqzwv 1/1 Running 0 2m28s

+```

+Delete both the `test-restricted` and `test-privileged` namespaces.

+```azurecli-interactive

+kubectl delete namespace test-restricted test-privileged

+```

+## Next steps

+In this article, you learned how to enable Pod Security Admission an AKS cluster. For more information about Pod Security Admission, see [Enforce Pod Security Standards with Namespace Labels][kubernetes-psa]. For more information about the Pod Security Standards used by Pod Security Admission, see [Pod Security Standards][kubernetes-pss].

+<!-- LINKS - Internal -->

+[kubernetes-psa]: https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/

+[kubernetes-pss]: https://kubernetes.io/docs/concepts/security/pod-security-standards/

+## Assessing impact with Azure Advisor

+In order to make the migration easier, we have introduced new Azure Advisor recommendations:

+- **Use self-hosted gateway v2** recommendation - Identifies Azure API Management instances where the usage of self-hosted gateway v0.x or v1.x was identified.

+- **Use Configuration API v2 for self-hosted gateways** recommendation - Identifies Azure API Management instances where the usage of Configuration API v1 for self-hosted gateway was identified.

+We highly recommend customers to use ["All Recommendations" overview in Azure Advisor](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/All) to determine if a migration is required. Use the filtering options to see if one of the above recommendations is present.

+- Learn more about the various gateways in our [API gateway overview](api-management-gateways-overview.md)

+## Change MySQL password

+The WordPress configuration is modified to use [Application Settings](reference-app-settings.md#wordpress) to connect to the MySQL database. To change the MySQL database password, see [update admin password](/azure/mysql/single-server/how-to-create-manage-server-portal#update-admin-password). Whenever the MySQL database credentials are changed, the [Application Settings](reference-app-settings.md#wordpress) also need to be updated. The [Application Settings for MySQL database](reference-app-settings.md#wordpress) begin with the **`DATABASE_`** prefix. For more information on updating MySQL passwords, see [WordPress on App Service](https://azure.github.io/AppService/2022/02/23/WordPress-on-App-Service-Public-Preview.html#known-limitations).

+## Change WordPress admin password

+Save a copy of [arcdata-deployer.yaml](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/arcdata-deployer.yaml), and replace the placeholder `{{NAMESPACE}}` in the file with the namespace created in the previous step, for example: `arc`. Run the following command to create the deployer service account with the edited file.

+- [Create a data controller in indirect connectivity mode with Kubernetes tools such as `kubectl` or `oc`](create-data-controller-using-kubernetes-native-tools.md)

+ | Windows 10, 11 desktops, workstations | [Client installer (Public preview)](./azure-monitor-agent-windows-client.md) | Installs the agent by using a Windows MSI installer. |

+ | Windows 10, 11 laptops | [Client installer (Public preview)](./azure-monitor-agent-windows-client.md) | Installs the agent by using a Windows MSI installer. The installer works on laptops, but the agent *isn't optimized yet* for battery or network consumption. |

+ | Performance | Azure Monitor Metrics (Public preview)¹ - Insights.virtualmachine namespace<br>Log Analytics workspace - [Perf](/azure/azure-monitor/reference/tables/perf) table | Numerical values measuring performance of different aspects of operating system and workloads |

+| Text logs and Windows IIS logs | Public preview | None | [Collect text logs with Azure Monitor Agent (Public preview)](data-collection-text-log.md) |

+| [Update Management](../../automation/update-management/overview.md) (available without Azure Monitor Agent) | Use Update Management v2 - Public preview | None | [Update management center (Public preview) documentation](/azure/update-center/) |

+> Proxy configuration is not supported for [Azure Monitor Metrics (Public preview)](../essentials/metrics-custom-overview.md) as a destination. If you're sending metrics to this destination, it will use the public internet without any proxy.

+| | Windows Client OS | X (Public preview) | | |

+| | File based logs | X (Public preview) | X | X |

+| | IIS logs | X (Public preview) | X | X |

+| | VM Insights | | X (Public preview) | |

+| | File based logs | X (Public preview) | | | |

+| | VM Insights | X (Public preview) | X | | |

+| | Container Insights | X (Public preview) | X | | |

+² Using the Azure Monitor agent [client installer (Public preview)](./azure-monitor-agent-windows-client.md)

+³ Not all kernel versions are supported. For more information, see [Dependency Agent Linux support](../vm/vminsights-dependency-agent-maintenance.md#dependency-agent-linux-support).

+- [Create a data collection rule](data-collection-rule-azure-monitor-agent.md) to collect data from the agent and send it to Azure Monitor.

+# Tools for migrating from Log Analytics Agent to Azure Monitor Agent

+* The connector wasn't defined correctly.

+**Error**:

+* "Failed to add ITSM Connection named "XXX" due to Bad Request. Error: Bad request. Invalid parameters provided for connection. Http Exception: Status Code Forbidden."

+* "Failed to update ITSM Connection credentials"

+**Cause**: The IP address of ITSM application isn't allow ITSM connections from partners ITSM tools.

+**Resolution**: In order to list the ITSM IP addresses to allow ITSM connections from partners ITSM tools, we recommend the to list the whole public IP range of Azure region where their LogAnalytics workspace belongs. [details here](https://www.microsoft.com/download/details.aspx?id=56519) For regions EUS/WEU/EUS2/WUS2/US South Central the customer can list ActionGroup network tag only.

+**Cause**: There can be one of two options either the token need to be refreshed or there's missing integration user rights.

+During the interactive retention period, data is available for monitoring, troubleshooting and analytics. When you no longer use the logs, but still need to keep the data for compliance or occasional investigation, archive the logs to save costs.

+Archived data stays in the same table, alongside the data that's available for interactive queries.

+When you set a total retention period that's longer than the interactive retention period, Log Analytics automatically archives the relevant data immediately at the end of the retention period.

+If you change the archive settings on a table with existing data, the relevant data in the table is also affected immediately. For example, if you have an existing table with 30 days of interactive retention and no archive period and you change the retention policy to eight days of interactive retention and one year total retention, Log Analytics immediately archives any data that's older than eight days.

+You can access archived data by [running a search job](search-jobs.md) or [restoring archived logs](restore.md).

+

+This example sets the table's interactive retention to the workspace default of 30 days, and the total retention to two years, which means that the archive duration is 23 months.

+This example sets table's interactive retention to 30 days, and the total retention to two years, which means that the archive duration is 23 months:

+The charge for maintaining archived logs is calculated based on the volume of data you archive, in GB, and the number or days for which you archive the data.

+## Set data retention for Classic Application Insights resources

+Workspace-based Application Insights resources store data in a Log Analytics workspace, so it's included in the data retention and archive settings for the workspace. However, classic Application Insights resources have separate retention settings.

+The default retention for Application Insights resources is 90 days. You can select different retention periods for each Application Insights resource. The full set of available retention periods is 30, 60, 90, 120, 180, 270, 365, 550 or 730 days.

+| summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk

+| summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk

+## July, 2022

+### General

+| Article | Description |

+|:|:|

+|[Sources of data in Azure Monitor](data-sources.md)|Updated with Azure Monitor agent and Logs ingestion API.|

+### Agents

+| Article | Description |

+|:|:|

+|[Azure Monitor Agent overview](agents/agents-overview.md)| Restructure of the Agents section. A single Azure Monitor Agent is replacing all of Azure Monitor's legacy monitoring agents.

+|[Enable network isolation for the Azure Monitor agent](agents/azure-monitor-agent-data-collection-endpoint.md)|Rewritten to better describe configuration of network isolation.

+### Alerts

+| Article | Description |

+|:|:|

+|[Azure Monitor Alerts Overview](alerts/alerts-overview.md)|Updated the logic for the time to resolve behavior in stateful log alerts.

+### Application Insights

+| Article | Description |

+|:|:|

+|[Azure Monitor Application Insights Java](app/java-in-process-agent.md)|OpenTelemetry-based auto-instrumentation for Java applications has an updated Supported Custom Telemetry table.

+|[Application Insights API for custom events and metrics](app/api-custom-events-metrics.md)|Clarification has been added that valueCount and itemCount have a minimum value of 1.

+|[Telemetry sampling in Azure Application Insights](app/sampling.md)|Sampling documentation has been updated to warn of the potential impact on alerting accuracy.

+|[Azure Monitor Application Insights Java (redirect to OpenTelemetry)](app/java-in-process-agent-redirect.md)|Java Auto-Instrumentation now redirects to OpenTelemetry documentation.

+|[Azure Application Insights for ASP.NET Core applications](app/asp-net-core.md)|Updated .NET Core FAQ

+|[Create a new Azure Monitor Application Insights workspace-based resource](app/create-workspace-resource.md)|We've linked out to Microsoft.Insights components for more information on Properties.

+|[Application Insights SDK support guidance](app/sdk-support-guidance.md)|SDK support guidance has been updated and clarified.

+|[Azure Monitor Application Insights Java](app/java-in-process-agent.md)|Example code has been updated.

+|[IP addresses used by Azure Monitor](app/ip-addresses.md)|The IP/FQDN table has been updated.

+|[Continuous export of telemetry from Application Insights](app/export-telemetry.md)|The continuous export notice has been updated and clarified.

+|[Set up availability alerts with Application Insights](app/availability-alerts.md)|Custom Alert Rule and Alert Frequency sections have been added.

+### Autoscale

+| Article | Description |

+|:|:|

+| [How-to guide for setting up autoscale for a web app with a custom metric](autoscale/autoscale-custom-metric.md) |General rewrite to improve clarity.|

+[Overview of autoscale in Microsoft Azure](autoscale/autoscale-overview.md)|General rewrite to improve clarity.|

+### Containers

+| Article | Description |

+|:|:|

+|[Overview of Container insights](containers/container-insights-overview.md)|Added information about deprecation of Docker support.|

+|[Enable Container insights](containers/container-insights-onboard.md)|All Container insights content updated for new support of managed identity authentication using Azure Monitor agent.|

+### Essentials

+| Article | Description |

+|:|:|

+|[Tutorial - Editing Data Collection Rules](essentials/data-collection-rule-edit.md)|New article.|

+|[Data Collection Rules in Azure Monitor](essentials/data-collection-rule-overview.md)|General rewrite to improve clarity.|

+|[Data collection transformations](essentials/data-collection-transformations.md)|General rewrite to improve clarity.|

+|[Data collection in Azure Monitor](essentials/data-collection.md)|New article.|

+|[How to Migrate from Diagnostic Settings Storage Retention to Azure Storage Lifecycle Policy](essentials/migrate-to-azure-storage-lifecycle-policy.md)|New article.|

+### Logs

+| Article | Description |

+|:|:|

+|[Logs ingestion API in Azure Monitor (Preview)](logs/logs-ingestion-api-overview.md)|Custom logs API renamed to Logs ingestion API.

+|[Tutorial - Send data to Azure Monitor Logs using REST API (Resource Manager templates)](logs/tutorial-logs-ingestion-api.md)|Custom logs API renamed to Logs ingestion API.

+|[Tutorial - Send data to Azure Monitor Logs using REST API (Azure portal)](logs/tutorial-logs-ingestion-portal.md)|Custom logs API renamed to Logs ingestion API.

+### Virtual Machines

+| Article | Description |

+|:|:|

+|[What is VM insights?](vm/vminsights-overview.md)|All VM insights content updated for new support of Azure Monitor agent.

+ "secure-secrets-in-params": {

+ "level": "warning"

+ },

+ Title: Linter rule - secure secrets in parameters

+description: Linter rule - secure secrets in parameters

+# Linter rule - secure secrets in parameters

+This rule finds parameters whose names look like secrets but without the [secure decorator](./parameters.md#decorators), for example: a parameter name contains the following keywords:

+- password

+- pwd

+- secret

+- accountkey

+- acctkey

+## Linter rule code

+Use the following value in the [Bicep configuration file](bicep-config-linter.md) to customize rule settings:

+`secure-secrets-in-params`

+## Solution

+Use the [secure decorator](./parameters.md#decorators) for the parameters that contain secrets. The secure decorator marks the parameter as secure. The value for a secure parameter isn't saved to the deployment history and isn't logged.

+The following example fails this test because the parameter name may contain secrets.

+```bicep

+param mypassword string

+```

+You can fix it by adding the secure decorator:

+```bicep

+@secure()

+param mypassword string

+```

+## Silencing false positives

+Sometimes this rule alerts on parameters that don't actually contain secrets. In these cases, you can disable the warning for this line by adding `#disable-next-line secure-secrets-in-params` before the line with the warning. For example:

+```bicep

+#disable-next-line secure-secrets-in-params // Doesn't contain a secret

+param mypassword string

+```

+It's good practice to add a comment explaining why the rule doesn't apply to this line.

+## Next steps

+For more information about the linter, see [Use Bicep linter](./linter.md).

+- [secure-secrets-in-params](./linter-rule-secure-secrets-in-parameters.md)

+- A cannot-delete lock on a **resource group** that contains **Azure Machine Learning** workspaces prevents autoscaling of [Azure Machine Learning compute clusters](../../machine-learning/concept-compute-target.md#azure-machine-learning-compute-managed) from working correctly. With the lock, autoscaling can't remove unused nodes. Your solution consumes more resources than are required for the workload.

+To create a resource group, use [az group create](/cli/azure/group#az-group-create).

+To delete a lock, use [az lock delete](/cli/azure/lock#az-lock-delete).

+description: Describes common Azure deployment errors for resources that are deployed with Bicep files or Azure Resource Manager templates (ARM templates).

+This article describes common Azure deployment errors, and provides information about solutions. Azure resources can be deployed with Bicep files or Azure Resource Manager templates (ARM templates). If you can't find the error code for your deployment error, see [Find error code](find-error-code.md).

+| AccountNameInvalid | Follow naming guidelines for storage accounts. | [Resolve errors for storage account names](error-storage-account-name.md) |

+| InaccessibleImage | Azure Container Instance deployment fails. You might need to include the image's tag with the syntax `registry/image:tag` to deploy the container. For a private registry, verify your credentials are correct. | [Find error code](find-error-code.md) |

+| InvalidResourceLocation | Provide a unique name for the storage account. | [Resolve errors for storage account names](error-storage-account-name.md) |

+| StorageAccountAlreadyTaken <br> StorageAccountAlreadyExists | Provide a unique name for the storage account. | [Resolve errors for storage account names](error-storage-account-name.md) |

+| StorageAccountInAnotherResourceGroup | Provide a unique name for the storage account. | [Resolve errors for storage account names](error-storage-account-name.md) |

+ Title: Resolve errors for storage account names

+description: Describes how to resolve errors for Azure storage account names that can occur during deployment with a Bicep file or Azure Resource Manager template (ARM template).

+This article describes how to resolve errors for Azure storage account names that can occur during deployment with a Bicep file or Azure Resource Manager template (ARM template). Common causes for an error are a storage account name with invalid characters or a storage account that uses the same name as an existing storage account. Storage account names must be globally unique across Azure.

+An invalid storage account name causes an error code during deployment. The following are some examples of errors for storage account names.

+### Account name invalid

+If your storage account name includes prohibited characters, like an uppercase letter or special character like an exclamation point.

+### Invalid resource location

+If you try to deploy a new storage account with the same name and in the same resource group, but use a different location as an existing storage account in your Azure subscription. The error indicates the storage account already exists and can't be created in the new location. Select a different name to create the new storage account.

+Code=InvalidResourceLocation

+Message=The resource 'storageckrexph7isnoc' already exists in location 'westus'

+in resource group 'demostorage'. A resource with the same name cannot be created in location 'eastus'.

+Please select a new resource name.

+```

+### Storage account in another resource group

+If you try to deploy a new storage account with the same name and location as an existing storage account but in a different resource group in your subscription.

+```Output

+Code=StorageAccountInAnotherResourceGroup

+Message=The account storageckrexph7isnoc is already in another resource group in this subscription.

+### Storage account already taken

+If you try to deploy a new storage account with the same name as a storage account that already exists in Azure. The existing storage account name might be in your subscription or tenant, or anywhere across Azure. Storage account names must be globally unique across Azure.

+```Output

+Code=StorageAccountAlreadyTaken

+Message=The storage account named storageckrexph7isnoc is already taken.

+```

+Common reasons for an error are because the storage account name uses invalid characters or is a duplicate name. Storage account names must meet the following criteria:

+- Length between 3 and 24 characters with only lowercase letters and numbers.

+- Must be globally unique across Azure. Storage account names can't be duplicated in Azure.

+You can create a unique name by concatenating a prefix or suffix with a value from the `uniqueString` function.

+The following examples specify a prefix with the string `storage` that's concatenated with the value from `uniqueString`.

+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {

+The following examples use a parameter named `storageNamePrefix` that creates a prefix with a maximum of 11 characters.

+You then concatenate the `storageNamePrefix` parameter's value with the `uniqueString` value to create a storage account name.

+Depending on how you configure your Key Vault permission model, you may need to grant permissions at different places.

+#### [Vault access policy](#tab/vault-access-policy)

+If you're using Key Vault built-in access policy as Key Vault permission model:

+ :::image type="content" alt-text="Screenshot of built-in access policy selected as Key Vault permission model." source="media\howto-custom-domain\portal-key-vault-perm-model-access-policy.png" :::

+#### [Azure role-based access control](#tab/azure-rbac)

+If you're using Azure role-based access control as Key Vault permission model:

+ :::image type="content" alt-text="Screenshot of Azure RBAC selected as Key Vault permission model." source="media\howto-custom-domain\portal-key-vault-perm-model-rbac.png" :::

+1. Go to your Key Vault resource.

+1. In the menu pane, select **Access control (IAM)**.

+1. Click **Add**. Select **Add role assignment**.

+ :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-iam.png" :::

+1. Under the **Role** tab, select **Key Vault Secrets User**. Click **Next**.

+ :::image type="content" alt-text="Screenshot of role tab when adding role assignment to Key Vault." source="media\howto-custom-domain\portal-key-vault-role.png" :::

+1. Under the **Members** tab, select **Managed identity**. 1. Search for the Azure SignalR Service resource name or the user assigned identity name. Click **Next**.

+ :::image type="content" alt-text="Screenshot of members tab when adding role assignment to Key Vault." source="media\howto-custom-domain\portal-key-vault-members.png" :::

+1. Click **Review + assign**.

+--

+### To generate an access token

+1. [Deploy Azure VMware Solution](./deploy-azure-vmware-solution.md) private cloud and a dedicated virtual network connected via ExpressRoute gateway. The virtual network gateway should be configured with the Ultra performance SKU and have FastPath enabled. For more information, see [Configure networking for your VMware private cloud](tutorial-configure-networking.md) and [Network planning checklist](tutorial-network-checklist.md).

+1. Create an [NFSv3 volume for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-create-volumes.md) in the same virtual network created in the previous step.

+Depending on how you configure your Key Vault permission model, you may need to grant permissions at different places.

+#### [Vault access policy](#tab/vault-access-policy)

+If you're using Key Vault built-in access policy as Key Vault permission model:

+ :::image type="content" alt-text="Screenshot of built-in access policy selected as Key Vault permission model." source="media\howto-custom-domain\portal-key-vault-perm-model-access-policy.png" :::

+#### [Azure role-based access control](#tab/azure-rbac)

+If you're using Azure role-based access control as Key Vault permission model:

+ :::image type="content" alt-text="Screenshot of Azure RBAC selected as Key Vault permission model." source="media\howto-custom-domain\portal-key-vault-perm-model-rbac.png" :::

+1. Go to your Key Vault resource.

+1. In the menu pane, select **Access control (IAM)**.

+1. Click **Add**. Select **Add role assignment**.

+ :::image type="content" alt-text="Screenshot of Key Vault IAM." source="media\howto-custom-domain\portal-key-vault-iam.png" :::

+1. Under the **Role** tab, select **Key Vault Secrets User**. Click **Next**.

+ :::image type="content" alt-text="Screenshot of role tab when adding role assignment to Key Vault." source="media\howto-custom-domain\portal-key-vault-role.png" :::

+1. Under the **Members** tab, select **Managed identity**. 1. Search for the Azure Web PubSub Service resource name or the user assigned identity name. Click **Next**.

+ :::image type="content" alt-text="Screenshot of members tab when adding role assignment to Key Vault." source="media\howto-custom-domain\portal-key-vault-members.png" :::

+1. Click **Review + assign**.

+--

+# Create an RDP connection to a Linux VM using Azure Bastion

+This article shows you how to securely and seamlessly create an RDP connection to your Linux VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also [connect to a Linux VM using SSH](bastion-connect-vm-ssh-linux.md).

+Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see [What is Azure Bastion?](bastion-overview.md)

+## Prerequisites

+Before you begin, verify that you've met the following criteria:

+* Make sure that you have set up an Azure Bastion host for the virtual network in which the VM resides. For more information, see [Create an Azure Bastion host](tutorial-create-host-portal.md). Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in this virtual network.

+* To use RDP with a Linux virtual machine, you must also ensure that you have xrdp installed and configured on the Linux VM. To learn how to do this, see [Use xrdp with Linux](../virtual-machines/linux/use-remote-desktop.md).

+* Bastion must be configured with the [Standard SKU](configuration-settings.md#skus).

+* You must use username/password authentication.

+* Inbound port: Custom value (you'll then need to specify this custom port when you connect to the VM via Azure Bastion)

+Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see [What is Azure Bastion?](bastion-overview.md)

+Before you begin, verify that you've met the following criteria:

+ * Make sure that you have set up an Azure Bastion host for the virtual network in which the VM is located. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in the virtual network.

+* Inbound port: RDP (3389) ***or***

+* Inbound port: Custom value (you'll then need to specify this custom port when you connect to the VM via Azure Bastion)

+ Title: "Tutorial: Use Multivariate Anomaly Detector in Azure Synapse Analytics"

+description: Learn how to use the Multivariate Anomaly Detector with Azure Synapse Analytics.

+# Tutorial: Use Multivariate Anomaly Detector in Azure Synapse Analytics

+Use this tutorial to detect anomalies among multiple variables in Azure Synapse Analytics in very large datasets and databases. This solution is perfect for scenarios like equipment predictive maintenance. The underlying power comes from the integration with [SynapseML](https://microsoft.github.io/SynapseML/), an open-source library that aims to simplify the creation of massively scalable machine learning pipelines. It can be installed and used on any Spark 3 infrastructure including your **local machine**, **Databricks**, **Synapse Analytics**, and others.

+For more information, see [SynapseML estimator for Multivariate Anomaly Detector](https://microsoft.github.io/SynapseML/docs/documentation/estimators/estimators_cognitive/#fitmultivariateanomaly).

+In this tutorial, you'll learn how to:

+> [!div class="checklist"]

+> * Use Azure Synapse Analytics to detect anomalies among multiple variables in Synapse Analytics.

+> * Train a multivariate anomaly detector model and inference in separate notebooks in Synapse Analytics.

+> * Get anomaly detection result and root cause analysis for each anomaly.

+## Prerequisites

+In this section, you'll create the following resources in the Azure portal:

+* An **Anomaly Detector** resource to get access to the capability of Multivariate Anomaly Detector.

+* An **Azure Synapse Analytics** resource to use the Synapse Studio.

+* A **Storage account** to upload your data for model training and anomaly detection.

+* A **Key Vault** resource to hold the key of Anomaly Detector and the connection string of the Storage Account.

+### Create Anomaly Detector and Azure Synapse Analytics resources

+* [Create a resource for Azure Synapse Analytics](https://portal.azure.com/#create/Microsoft.Synapse) in the Azure portal, fill in all the required items.

+* [Create an Anomaly Detector](https://portal.azure.com/#create/Microsoft.CognitiveServicesAnomalyDetector) resource in the Azure portal.

+* Sign in to [Azure Synapse Analytics](https://web.azuresynapse.net/) using your subscription and Workspace name.

+ 

+### Create a storage account resource

+* [Create a storage account resource](https://portal.azure.com/#create/Microsoft.StorageAccount) in the Azure portal. After your storage account is built, **create a container** to store intermediate data, since SynapseML will transform your original data to a schema that Multivariate Anomaly Detector supports. (Refer to Multivariate Anomaly Detector [input schema](../how-to/multivariate-how-to.md#input-data-schema))

+ > [!NOTE]

+ > For the purposes of this example only we are setting the security on the container to allow anonymous read access for containers and blobs since it will only contain our example .csv data. For anything other than demo purposes this is **not recommended**.

+ 

+### Create a Key Vault to hold Anomaly Detector Key and storage account connection string

+* Create a key vault and configure secrets and access

+ 1. Create a [key vault](https://portal.azure.com/#create/Microsoft.KeyVault) in the Azure portal.

+ 2. Go to Key Vault > Access policies, and grant the [Azure Synapse workspace](/azure/data-factory/data-factory-service-identity?context=/azure/synapse-analytics/context/context&tabs=synapse-analytics) permission to read secrets from Azure Key Vault.

+ 

+* Create a secret in Key Vault to hold the Anomaly Detector key

+ 1. Go to your Anomaly Detector resource, **Anomaly Detector** > **Keys and Endpoint**. Then copy either of the two keys to the clipboard.

+ 2. Go to **Key Vault** > **Secret** to create a new secret. Specify the name of the secret, and then paste the key from the previous step into the **Value** field. Finally, select **Create**.

+ 

+* Create a secret in Key Vault to hold Connection String of Storage account

+ 1. Go to your Storage account resource, select **Access keys** to copy one of your Connection strings.

+ 

+ 2. Then go to **Key Vault** > **Secret** to create a new secret. Specify the name of the secret (like *myconnectionstring*), and then paste the Connection string from the previous step into the **Value** field. Finally, select **Create**.

+## Using a notebook to conduct Multivariate Anomaly Detection in Synapse Analytics

+### Create a notebook and a Spark pool

+1. Sign in [Azure Synapse Analytics](https://web.azuresynapse.net/) and create a new Notebook for coding.

+ 

+2. Select **Manage pools** in the page of notebook to create a new Apache Spark pool if you donΓÇÖt have one.

+ 

+### Writing code in notebook

+1. Install the latest version of SynapseML with the Anomaly Detection Spark models. You can also install SynapseML in Spark Packages, Databricks, Docker, etc. Please refer to [SynapseML homepage](https://microsoft.github.io/SynapseML/).

+ If you're using **Spark 3.1**, please use the following code:

+ ```python

+ %%configure -f

+ {

+ "name": "synapseml",

+ "conf": {

+ "spark.jars.packages": "com.microsoft.azure:synapseml_2.12:0.9.5-13-d1b51517-SNAPSHOT",

+ "spark.jars.repositories": "https://mmlspark.azureedge.net/maven",

+ "spark.jars.excludes": "org.scala-lang:scala-reflect,org.apache.spark:spark-tags_2.12,org.scalactic:scalactic_2.12,org.scalatest:scalatest_2.12",

+ "spark.yarn.user.classpath.first": "true"

+ }

+ }

+ ```

+ If you're using **Spark 3.2**, please use the following code:

+ ```python

+ %%configure -f

+ {

+ "name": "synapseml",

+ "conf": {

+ "spark.jars.packages": " com.microsoft.azure:synapseml_2.12:0.9.5 ",

+ "spark.jars.repositories": "https://mmlspark.azureedge.net/maven",

+ "spark.jars.excludes": "org.scala-lang:scala-reflect,org.apache.spark:spark-tags_2.12,org.scalactic:scalactic_2.12,org.scalatest:scalatest_2.12,io.netty:netty-tcnative-boringssl-static",

+ "spark.yarn.user.classpath.first": "true"

+ }

+ }

+ ```

+2. Import the necessary modules and libraries.

+ ```python

+ from synapse.ml.cognitive import *

+ from notebookutils import mssparkutils

+ import numpy as np

+ import pandas as pd

+ import pyspark

+ from pyspark.sql.functions import col

+ from pyspark.sql.functions import lit

+ from pyspark.sql.types import DoubleType

+ import synapse.ml

+ ```

+3. Load your data. Compose your data in the following format, and upload it to a cloud storage that Spark supports like an Azure Storage Account. The timestamp column should be in `ISO8601` format, and the feature columns should be `string` type. **Download sample data [here](https://sparkdemostorage.blob.core.windows.net/mvadcsvdata/spark-demo-data.csv)**.

+ ```python

+ df = spark.read.format("csv").option("header", True).load("wasbs://[container_name]@[storage_account_name].blob.core.windows.net/[csv_file_name].csv")

+

+ df = df.withColumn("sensor_1", col("sensor_1").cast(DoubleType())) \

+ .withColumn("sensor_2", col("sensor_2").cast(DoubleType())) \

+ .withColumn("sensor_3", col("sensor_3").cast(DoubleType()))

+

+ df.show(10)

+ ```

+ 

+4. Train a multivariate anomaly detection model.

+ 

+ ```python

+ #Input your key vault name and anomaly key name in key vault.

+ anomalyKey = mssparkutils.credentials.getSecret("[key_vault_name]","[anomaly_key_secret_name]")

+ #Input your key vault name and connection string name in key vault.

+ connectionString = mssparkutils.credentials.getSecret("[key_vault_name]", "[connection_string_secret_name]")

+

+ #Specify information about your data.

+ startTime = "2021-01-01T00:00:00Z"

+ endTime = "2021-01-02T09:18:00Z"

+ timestampColumn = "timestamp"

+ inputColumns = ["sensor_1", "sensor_2", "sensor_3"]

+ #Specify the container you created in Storage account, you could also initialize a new name here, and Synapse will help you create that container automatically.

+ containerName = "[container_name]"

+ #Set a folder name in Storage account to store the intermediate data.

+ intermediateSaveDir = "intermediateData"

+

+ simpleMultiAnomalyEstimator = (FitMultivariateAnomaly()

+ .setSubscriptionKey(anomalyKey)

+ #In .setLocation, specify the region of your Anomaly Detector resource, use lowercase letter like: eastus.

+ .setLocation("[anomaly_detector_region]")

+ .setStartTime(startTime)

+ .setEndTime(endTime)

+ .setContainerName(containerName)

+ .setIntermediateSaveDir(intermediateSaveDir)

+ .setTimestampCol(timestampColumn)

+ .setInputCols(inputColumns)

+ .setSlidingWindow(200)

+ .setConnectionString(connectionString))

+ ```

+ Trigger training process through these codes.

+ ```python

+ model = simpleMultiAnomalyEstimator.fit(df)

+ type(model)

+ ```

+5. Trigger inference process.

+ ```python

+ startInferenceTime = "2021-01-02T09:19:00Z"

+ endInferenceTime = "2021-01-03T01:59:00Z"

+ result = (model

+ .setStartTime(startInferenceTime)

+ .setEndTime(endInferenceTime)

+ .setOutputCol("results")

+ .setErrorCol("errors")

+ .setTimestampCol(timestampColumn)

+ .setInputCols(inputColumns)

+ .transform(df))

+ ```

+6. Get inference results.

+ ```python

+ rdf = (result.select("timestamp",*inputColumns, "results.contributors", "results.isAnomaly", "results.severity").orderBy('timestamp', ascending=True).filter(col('timestamp') >= lit(startInferenceTime)).toPandas())

+

+ def parse(x):

+ if type(x) is list:

+ return dict([item[::-1] for item in x])

+ else:

+ return {'series_0': 0, 'series_1': 0, 'series_2': 0}

+

+ rdf['contributors'] = rdf['contributors'].apply(parse)

+ rdf = pd.concat([rdf.drop(['contributors'], axis=1), pd.json_normalize(rdf['contributors'])], axis=1)

+ rdf

+ ```

+ The inference results will look as followed. The `severity` is a number between 0 and 1, showing the severe degree of an anomaly. The last three columns indicate the `contribution score` of each sensor, the higher the number is, the more anomalous the sensor is.

+ 

+## Clean up intermediate data (optional)

+By default, the anomaly detector will automatically upload data to a storage account so that the service can process the data. To clean up the intermediate data, you could run the following codes.

+```python

+simpleMultiAnomalyEstimator.cleanUpIntermediateData()

+model.cleanUpIntermediateData()

+```

+## Use trained model in another notebook with model ID (optional)

+If you have the need to run training code and inference code in separate notebooks in Synapse, you could first get the model ID and use that ID to load the model in another notebook by creating a new object.

+1. Get the model ID in the training notebook.

+ ```python

+ model.getModelId()

+ ```

+2. Load the model in inference notebook.

+

+ ```python

+ retrievedModel = (DetectMultivariateAnomaly()

+ .setSubscriptionKey(anomalyKey)

+ .setLocation("eastus")

+ .setOutputCol("result")

+ .setStartTime(startTime)

+ .setEndTime(endTime)

+ .setContainerName(containerName)

+ .setIntermediateSaveDir(intermediateSaveDir)

+ .setTimestampCol(timestampColumn)

+ .setInputCols(inputColumns)

+ .setConnectionString(connectionString)

+ .setModelId('5bXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXe9'))

+ ```

+## Learn more

+### About Anomaly Detector

+* Learn about [what is Multivariate Anomaly Detector](../overview-multivariate.md).

+* SynapseML documentation with [Multivariate Anomaly Detector feature](https://microsoft.github.io/SynapseML/docs/documentation/estimators/estimators_cognitive/#fitmultivariateanomaly).

+* Recipe: [Cognitive Services - Multivariate Anomaly Detector](https://microsoft.github.io/SynapseML/docs/next/features/cognitive_services/CognitiveServices).

+* Need support? [Join the Anomaly Detector Community](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR2Ci-wb6-iNDoBoNxrnEk9VURjNXUU1VREpOT0U1UEdURkc0OVRLSkZBNC4u).

+### About Synapse

+* Quick start: [Configure prerequisites for using Cognitive Services in Azure Synapse Analytics](/azure/synapse-analytics/machine-learning/tutorial-configure-cognitive-services-synapse#create-a-key-vault-and-configure-secrets-and-access).

+* Visit [SynpaseML new website](https://microsoft.github.io/SynapseML/) for the latest docs, demos, and examples.

+* Learn more about [Synapse Analytics](/azure/synapse-analytics/).

+* Read about the [SynapseML v0.9.5 release](https://github.com/microsoft/SynapseML/releases/tag/v0.9.5) on GitHub.

+* TTS Service July 2022, new voices in Public Preview and new viseme feature blend shapes were released. See details below.

+To request the ability to use customer-managed keys, fill out and submit theΓÇ»[Language service Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk). It will take approximately 3-5 business days to hear back on the status of your request. Depending on demand, you may be placed in a queue and approved as space becomes available. Once approved for using CMK with Language services, you'll need to create a new Language resource from the Azure portal.

+* [Language service Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk)

+description: Learn how to move your Text Analytics applications to use the latest version of the Language service.

+ Title: "How to: Use Language service features asynchronously"

+description: Learn how to send Language service API requests asynchronously.

+# How to use Language service features asynchronously

+ 1. Include additional Language ervice features in the `tasks` object, to be performed on your data at the same time.

+* **Automatically splitting the testing set from training data**: The system will split your labeled data between the training and testing sets, according to the percentages you choose. The system will attempt to have a representation of all classes in your training set. The recommended percentage split is 80% for training and 20% for testing.

+|Authoring/Subscription key|[Azure portal](https://azure.microsoft.com/free/cognitive-services/)|These keys are used to access the Language service APIs). These APIs let you edit the questions and answers in your knowledge base, and publish your knowledge base. These keys are created when you create a new resource.<br><br>Find these keys on the **Cognitive Services** resource on the **Keys and Endpoint** page.|

+ms.

+- ΓÇ£Text RecordsΓÇ¥ in Question Answering features refer to the query submitted by the user to the runtime, and it is a concept common to all features within Language service

+ Title: Capabilities for Teams external user

+description: Calling capabilities of Azure Communication Services support for Teams external users

+# Capabilities for Teams external users

+In this article, you will learn which capabilities are supported for Teams external users using Azure Communication Services SDKs.

+When Teams external users leave the meeting, or the meeting ends, they can no longer send or receive new chat messages and no longer have access to messages sent and received during the meeting.

+- [Authenticate as Teams external user](../../../quickstarts/access-tokens.md)

+- [Join Teams meeting audio and video as Teams external user](../../../quickstarts/voice-video-calling/get-started-teams-interop.md)

+- [Join Teams meeting chat as Teams external user](../../../quickstarts/chat/meeting-interop.md)

+description: Known issues and limitations of Azure Communication Services support for Teams external users

+- [Authenticate as Teams external user](../../../quickstarts/access-tokens.md)

+- [Join Teams meeting audio and video as Teams external user](../../../quickstarts/voice-video-calling/get-started-teams-interop.md)

+- [Join Teams meeting chat as Teams external user](../../../quickstarts/chat/meeting-interop.md)

+ Title: Communication as Teams external user

+description: Introduction to Azure Communication Services support for Teams external users

+# Communication as Teams external user

+You can use Azure Communication Services to build applications that enable external users to join and participate in Teams meetings as Teams anonymous users. Customers can join Teams meetings from within your applications or websites. The main benefits are:

+You can create an identity and access token for Teams external users on Azure portal without a single line of code. [Here are steps how to do it](../../../quickstarts/identity/quick-create-identity.md).

+The [Azure Communication Services Calling Hero Sample](../../../samples/calling-hero-sample.md) demonstrates how developers can use Azure Communication Services Calling Web SDK to join a Teams meeting from a web application as a Teams external user. You can experiment with the capability with single-click deployment to Azure.

+The [Azure Communication Services Authentication Hero Sample](../../../samples/trusted-auth-sample.md) demonstrates how developers can use Azure Communication Services Identity SDK to get access tokens as Teams users. You can clone the GitHub repository and follow a simple guide to set up your service for authentication in Azure.

+The data flow for joining Teams meetings is available at the [client and server architecture page](../../client-and-server-architecture.md). When implementing the experience, you must implement client logic for real-time communication and server logic for authentication. The following articles will guide you in implementing the communication for Teams external users.

+- [Authenticate as Teams external user](../../../quickstarts/identity/access-token-teams-external-users.md)

+- [Stateful Client (Meeting)](https://azure.github.io/communication-ui-library/?path=/story/composites-meeting-basicexample--basic-example)

+- [Join Teams meeting audio and video as Teams external user](../../../quickstarts/voice-video-calling/get-started-teams-interop.md)

+- [Join Teams meeting chat as Teams external user](../../../quickstarts/chat/meeting-interop.md)

+- [Join meeting options](../../../how-tos/calling-sdk/teams-interoperability.md)

+The following table show supported use cases for Teams external user with Azure Communication

+- [1] Teams external users can join a channel Teams meeting with audio and video, but they won't be able to send or receive any chat messages

+- [2] Teams external users may join a Teams webinar. However, the presenter and attendee roles aren't honored for Teams external users. Thus Teams external users on Azure Communication Services SDKs could perform actions not intended for attendees, such as screen sharing, turning their camera on/off, or unmuting themselves, if your application provides UX for those actions.

+- [Authenticate as Teams external user](../../../quickstarts/identity/access-token-teams-external-users.md)

+- [Join Teams meeting audio and video as Teams external user](../../../quickstarts/voice-video-calling/get-started-teams-interop.md)

+- [Join Teams meeting chat as Teams external user](../../../quickstarts/chat/meeting-interop.md)

+ Title: User privacy for Teams external users

+description: User privacy requirements in Azure Communication Services support for Teams external users

+All chat messages sent by Teams users or Communication Services users during a Teams meeting are stored in the geographic region associated with the Microsoft 365 organization hosting the meeting. For more information, review the article [Location of data in Microsoft Teams](/microsoftteams/location-of-data-in-teams). For each Teams external user joining via Azure Communication Services SDKs in the meetings, there is a copy of the most recently sent message stored in the geographic region associated with the Communication Services resource used to develop the Communication Services application. Review the article [Region availability and data residency](./privacy.md).

+- [Authenticate as Teams external user](../../../quickstarts/access-tokens.md)

+- [Join Teams meeting audio and video as Teams external user](../../../quickstarts/voice-video-calling/get-started-teams-interop.md)

+- [Join Teams meeting chat as Teams external user](../../../quickstarts/chat/meeting-interop.md)

+ Title: Teams controls for Teams external user

+description: Teams administrator controls to impact Azure Communication Services support for Teams external users

+Teams administrators have the following policies to control the experience for Teams external users in Teams meetings.

+| [Anonymous users can join a meeting](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings) | organization-wide | If disabled, Teams external users can't join Teams meeting | ✔️ |

+| [Let anonymous people join a meeting](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings) | per-organizer | If disabled, Teams external users can't join Teams meeting | ✔️ |

+| [Let anonymous people start a meeting](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings)| per-organizer | If enabled, Teams external users can start a Teams meeting without Teams user | ✔️ |

+| [Automatically admit people](/microsoftteams/meeting-policies-participants-and-guests#automatically-admit-people) | per-organizer | If set to "Everyone", Teams external users can bypass lobby. Otherwise, Teams external users have to wait in the lobby until an authenticated user admits them.| ✔️ |

+| [Blocked anonymous join client types](/powershell/module/skype/set-csteamsmeetingpolicy) | per-organizer | If property "BlockedAnonymousJoinClientTypes" is set to "Teams" or "Null", the Teams external users via Azure Communication Services can join Teams meeting | ✔️ |

+- [Authenticate as Teams external user](../../../quickstarts/access-tokens.md)

+- [Join Teams meeting audio and video as Teams external user](../../../quickstarts/voice-video-calling/get-started-teams-interop.md)

+- [Join Teams meeting chat as Teams external user](../../../quickstarts/chat/meeting-interop.md)

+ Title: Teams client experience for Teams external user

+description: Teams client experience of Azure Communication Services support for Teams external users

+Teams external user joining Teams meeting with Azure Communication Services SDKs will be represented in Teams client as any other Teams anonymous user. Teams external users will be marked as "external" in the participant's lists as Teams clients. As Teams anonymous users, their capabilities in the Teams meeting will be limited regardless of the assigned Teams meeting role.

+- [Authenticate as Teams external user](../../../quickstarts/access-tokens.md)

+- [Join Teams meeting audio and video as Teams external user](../../../quickstarts/voice-video-calling/get-started-teams-interop.md)

+- [Join Teams meeting chat as Teams external user](../../../quickstarts/chat/meeting-interop.md)

+ Title: Azure AD API permissions for communication as Teams user

+description: This article describes Azure AD API permissions for communication as a Teams user with Azure Communication Services.

+# Azure AD permissions for communication as Teams user

+In this article, you will learn about Azure AD permissions available for communication as a Teams user in Azure Communication Services.

+## Delegated permissions

+| Permission | Display string | Description | Admin consent required | Microsoft account supported |

+|: |: |: |: |: |

+| _`https://auth.msft.communication.azure.com/Teams.ManageCalls`_ | Manage calls in Teams | Start, join, forward, transfer, or leave Teams calls and update call properties. | No | No |

+| _`https://auth.msft.communication.azure.com/Teams.ManageChats`_ | Manage chats in Teams | Create, read, update, and delete 1:1 or group chat threads on behalf of the signed-in user. Read, send, update, and delete messages in chat threads on behalf of the signed-in user. | No | No |

+## Application permissions

+None.

+## Roles for granting consent on behalf of a company

+- Global admin

+- Application admin

+- Cloud application admin

+Find more details in [Azure Active Directory documentation](/azure/active-directory/roles/permissions-reference.md).

+Azure Communication Services maintains a directory of identities, use the [DeleteIdentity](/rest/api/communication/communication-identity/delete?tabs=HTTP) API to remove them. Deleting an identity will revoke all associated access tokens and delete their chat messages. For more information on how to remove an identity [see this page](../quickstarts/access-tokens.md).

+| Identity | [REST](/rest/api/communication/communication-identity) | Service| Manage users, access tokens|

+You can use Azure Communication Services and Graph API to integrate communication as Teams users into your products. Teams users can communicate with other people in and outside their organization. The benefits for enterprises are:

+- No requirement to download Teams desktop, mobile or web clients for Teams users

+- Teams users don't lose context by switching between applications for day-to-day work and Teams client for communication

+- Teams is a single source for chat messages and call history within the organization

+- Teams policies control communication across applications

+The benefits of using API surface for developers are:

+- Browser support on mobile devices

+- User interface (UI) customization

+- No additional Teams licenses are required

+- Tenants bring policies and configurations inside your app without extra work

+You can also use Graph API to implement [chat](/graph/api/resources/chat) and [calling](/graph/api/resources/call) capabilities on the server side. This article concentrates on the client experience.

+## Use cases

+Here are real-world examples of applications:

+- Independent software vendor (ISV) builds a customer service web application for receptionists to route calls within an organization. Receptionists in multiple organizations use this product tailored for their needs to route calls to subject matter experts (SMEs) within the organization.

+- Manufacturer of augmented reality headset adds video calling capability into the product to enable remote assistance with subject matter experts joining via Teams clients. Teams user sees an incoming call from a frontline worker that shares the augmented reality and provides guidance directly from Teams client.

+- Independent software vendor (ISV) builds an application for customer outreach via multiple channels. ISV adds Teams chat and calling capabilities into their product to enable communication with enterprise users directly from their application.

+- Bank has decided to replace their limited Teams application for wealth management with direct integration of calling as Teams user into their existing wealth management application. This application now integrates calling capability as part of the process instead of incorporating processes inside the Teams client.

+## Prototyping

+Developers can experiment with the capabilities on multiple levels to evaluate, learn and customize the product. Low/no-code options are currently in development.

+### Single-click deployment

+The [Azure Communication Services Authentication Hero Sample](../samples/trusted-auth-sample.md) demonstrates how developers can use Azure Communication Services Identity SDK to get access tokens as Teams users. You can clone the GitHub repository and follow a simple guide to set up your service for authentication in Azure.

+The calling and chat hero sample for Teams users is currently in development.

+### Coding

+Communication as Teams user leverages Graph API for chat and Azure Communication Services for calling. In each case, you need to authenticate the Teams user and then implement the logic for communication.

+The diagrams in the next sections demonstrate multi-tenant use cases where the fictional company Fabrikam is the customer of the fictional company Contoso. Contoso builds multi-tenant SaaS product that Fabrikam's administrator purchases for its employees.

+#### Calling

+Voice, video, and screen-sharing capabilities are provided via [Azure Communication Services Calling SDKs](./interop/teams-user-calling.md). The following diagram shows an overview of the process you'll follow as you integrate your calling experiences with Azure Communication Services support Teams identities.

+You can use the Azure Communication Services Identity SDK to exchange Azure Active Directory (Azure AD) access tokens of Teams users for Communication Identity access tokens.

+

+The following articles will guide you in implementing the calling for Teams users:

+- [Authenticate as Teams user](../quickstarts/manage-teams-identity.md)

+- [Add video calling as Teams user to your client app](../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md)

+- [How-to use calling SDK as Teams user](../how-tos/cte-calling-sdk/manage-calls.md)

+#### Chat

+Use Graph API to integrate 1:1 chat, group chat, meeting chat, and channel capabilities into your product.

+

+The following articles will guide you in implementing the chat for Teams users:

+- [Authenticate as Teams user](/graph/auth-v2-user)

+- [Send message as Teams user](/graph/api/chat-post-messages)

+- [Receive message as Teams user on webhook](/graph/teams-changenotifications-chatMessage) and then push message to the client with, for example, [SignalR](/azure/azure-signalr/signalr-overview).

+- [Poll messages for Teams user](/graph/api/chat-list-messages)

+## Supported use cases

+The following table show supported use cases for Teams users with Azure Communication Services and Graph API:

+| Scenario | Supported |

+| | |

+| Make a voice-over-IP (VoIP) call to Teams user | ✔️ |

+| Make a phone (PSTN) call | ✔️ |

+| Accept incoming voice-over-IP (VoIP) call for Teams user | ✔️ |

+| Accept incoming phone (PSTN) for Teams user | ✔️ |

+| Join Teams meeting | ✔️ |

+| Join channel Teams meeting | ✔️ |

+| Join Teams webinar [1] | ✔️ |

+| [Join Teams live events](/microsoftteams/teams-live-events/what-are-teams-live-events).| ❌ |

+| Join [Teams meeting scheduled in an application for personal use](https://www.microsoft.com/microsoft-teams/teams-for-home) | ❌ |

+| Join Teams 1:1 or group call | ❌ |

+| Send a message to 1:1 chat, group chat or Teams meeting chat| ✔️ |

+| Get messages from 1:1 chat, group chat or Teams meeting chat | ✔️ |

+- [1] Teams users may join a Teams webinar. However, the presenter and attendee roles aren't honored for Teams users. Thus Teams users on Azure Communication Services SDKs could perform actions not intended for attendees, such as screen sharing, turning their camera on/off, or unmuting themselves if your application provides UX for those actions.

+## Pricing

+Teams users can join the Teams meeting experience, manage calls, and manage chats via existing Teams desktop, mobile, and web clients or Graph API without additional charge. Teams users using Azure Communication Services SDKs will pay

+[standard Azure Communication Services consumption](https://azure.microsoft.com/pricing/details/communication-services/) for audio and video. There's no additional fee for the interoperability capability itself. You can find more details on [Teams interoperability pricing here](./pricing/teams-interop-pricing.md).

+- [Start a call to Teams user as a Teams user](../quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md)

+> Teams external users interoperability for Teams meetings is now generally available to all Communication Services applications and Teams organizations.

+> Support for Teams users in Azure Communication Services SDK is in public preview and available to Web-based applications.

+- **[External user](#external-user).** You control user authentication, and users of your custom applications don't need to have Azure Active Directory identities or Teams licenses. This model allows you to build custom applications for non-Teams users to connect and communicate with Teams users.

+- **[Teams user](#teams-user).** Azure Active Directory controls user authentication, and users of your custom application must have Teams licenses. This model allows you to build custom applications for Teams users to enable specialized workflows or experiences that are impossible with the existing Teams clients.

+|Feature|External user| Teams user|

+## External user

+The bring your own identity (BYOI) authentication model allows you to build custom applications for external users to connect and communicate with Teams users. You control user authentication, and users of your custom applications don't need to have Azure Active Directory identities or Teams licenses. The first scenario that has been enabled allows users of your application to join Microsoft Teams meetings as external accounts, similar to [anonymous users that join meetings](/microsoftteams/meeting-settings-in-teams#allow-anonymous-users-to-join-meetings) using the Teams web application. This is ideal for business-to-consumer applications that combine employees (familiar with Teams) and external users (using a custom application) into a meeting experience. In the future, we will be enabling additional scenarios, including direct calling and chat which will allow your application to initiate calls and chats with Teams users outside the context of a Teams meeting.

+## Teams user

+Developers can use [Communication Services Calling SDK with Teams identity](./interop/teams-user-calling.md) to build custom applications for Teams users. Custom applications can enable specialized workflows for Teams users, such as managing incoming and outgoing phone calls or bringing Teams calling experience into devices not supported with the standard Teams client. Azure Active Directory authenticates Teams users, and all attributes and details about the user are bound to their Azure Active Directory account.

+When a Communication Services endpoint connects to a Teams meeting or Teams call using a Teams identity, the endpoint is treated like a Teams user with a Teams client. The experience is driven by policies assigned to users within and outside of the organization. Teams users can join Teams meetings, place calls to other Teams users, receive calls from phone numbers, and transfer an ongoing call to the Teams call queue or share screen.

+Teams users authenticate against Azure Active Directory in the client application. Developers then exchange authentication tokens from Azure Active Directory for access tokens via the Communication Services Identity SDK. This exchange creates a connection between Azure Active Directory and Communication Services. You are encouraged to implement an exchange of tokens in your backend services as credentials for Azure Communication Services sign exchange requests. In your backend services, you can require any additional authentication.

+- Via custom Communication Services applications as **External users** using the bring your own identity authentication model.

+Interoperability between Azure Communication Services and Microsoft Teams enables your applications and users to participate in Teams calls, meetings, and chats. It is your responsibility to ensure that the users of your application are notified when recording or transcription are enabled in a Teams call or meeting.

+Microsoft will indicate to you via the Azure Communication Services API that recording or transcription has commenced, and you must communicate this fact, in real-time, to your users within your application's user interface. You agree to indemnify Microsoft for all costs and damages incurred due to your failure to comply with this obligation.

+All usage of Azure Communication Service APIs and SDKs increments [Azure Communication Service billing meters](https://azure.microsoft.com/pricing/details/communication-services/). Interactions with Microsoft Teams, such as joining a meeting or initiating a phone call using a Teams allocated number, will increment these meters. However, there is no additional fee for the Teams interoperability capability itself, and there is no pricing distinction between the BYOI and Microsoft 365 authentication options.

+Find more details for External user interoperability:

+- [Get access tokens for external user](../quickstarts/access-tokens.md)

+- [Join Teams meeting call as a external user](../quickstarts/voice-video-calling/get-started-teams-interop.md)

+- [Join Teams meeting chat as a external user](../quickstarts/chat/meeting-interop.md)

+ Title: Quickstart - Create and manage access tokens for Teams external users

+description: Learn how to manage identities and access tokens for Teams external users by using the Azure Communication Services Identity SDK.

+zone_pivot_groups: acs-azcli-js-csharp-java-python

+# Quickstart: Create and manage access tokens for Teams external users

+Teams external users are authenticated as Azure Communication Services users in Teams. With an access token for Azure Communication Services users, you can use chat and calling SDKs to join Teams meeting audio, video, and chat as Teams external user. The quickstart here is identical to [identity and access token management of Azure Communication Services users](../access-tokens.md).

+In this quickstart, you'll learn how to use the Azure Communication Services SDKs to create identities and manage your access tokens. For production use cases, we recommend that you generate access tokens on a [server-side service](../../concepts/client-and-server-architecture.md).

+## Use identity for monitoring and metrics

+The user ID is a primary key for logs and metrics collected through Azure Monitor. To view all of a user's calls, for example, you can set up your authentication in a way that maps a specific Azure Communication Services identity (or identities) to a single user.

+Learn more about [authentication concepts](../../concepts/authentication.md), call diagnostics through [log analytics](../../concepts/analytics/log-analytics.md), and [metrics](../../concepts/metrics.md) that are available to you.

+## Clean up resources

+Delete the resource or resource group to clean up and remove a Communication Services subscription. Deleting a resource group also deletes any other resources that are associated with it. For more information, see the "Clean up resources" section of [Create and manage Communication Services resources](../create-communication-resource.md#clean-up-resources).

+## Next steps

+In this quickstart, you learned how to:

+> [!div class="checklist"]

+> * Manage Teams external user identity

+> * Issue access tokens for Teams external user

+> * Use the Communication Services Identity SDK

+> [!div class="nextstepaction"]

+> [Add Teams meeting voice to your app](../voice-video-calling/get-started-teams-interop.md)

+You might also want to:

+ - [Learn about authentication](../../concepts/authentication.md)

+ - [Add Teams meeting chat to your app](../chat/meeting-interop.md)

+ - [Learn about client and server architecture](../../concepts/client-and-server-architecture.md)

+ - [Deploy trusted authentication service hero sample](../../samples/trusted-auth-sample.md)

+1. Run the `az containerapp identity assign` command to assign the identity to the app. The identities parameter is a space separated list.

+az containerapp identity show --name <APP_NAME> --resource-group <GROUP_NAME>

+For ARM template users, see the [Resource Manager reference](/azure/templates/microsoft.containerinstance/containergroups) to see how the dnsNameLabelReusePolicy field fits into the existing schema.

+Azure Cosmos DB is a fully managed platform-as-a-service (PaaS). To begin using Azure Cosmos DB, create an Azure Cosmos DB account in an Azure resource group in your subscription. You then create databases and containers within the account.

+Your Azure Cosmos DB account contains a unique DNS name and can be managed using the Azure portal, ARM or Bicep templates, Azure PowerShell, Azure CLI, or any of the Azure Management SDK's or REST API. For more information, see [how to manage your Azure Cosmos DB account](how-to-manage-database-account.md). For replicating your data and throughput across multiple Azure regions, you can add and remove Azure regions to your account at any time. You can configure your account to have either a single region or multiple write regions. For more information, see [how to add and remove Azure regions to your account](how-to-manage-database-account.md). You can configure the [default consistency](consistency-levels.md) level on an account.

+Currently, you can create a maximum of 50 Azure Cosmos DB accounts under an Azure subscription (this is a soft limit that can be increased via support request). A single Azure Cosmos DB account can virtually manage an unlimited amount of data and provisioned throughput. To manage your data and provisioned throughput, you can create one or more databases within your account, then one or more containers to store your data. The following image shows the hierarchy of elements in an Azure Cosmos DB account:

+In Azure Cosmos DB, a database is similar to a namespace. A database is simply a group of containers. The following table shows how a database is mapped to various API-specific entities:

+| Azure Cosmos DB entity | SQL API | Cassandra API | Azure Cosmos DB API for MongoDB | Gremlin API | Table API |

+> With Table API accounts, to maintain compatibility with Azure Storage Tables, tables in Azure Cosmos DB are created at the account level.

+An Azure Cosmos DB container is where data is stored. Unlike most relational databases which scale up with larger VM sizes, Azure Cosmos DB scales out. Data is stored on one or more servers, called partitions. To increase throughput or storage, more partitions are added. This provides a virtually an unlimited amount of throughput and storage for a container. When a container is created, you need to supply a partition key. This is a property you select from your documents to store. The value of that property is then used to route data to the partition to be written, updated, or deleted. It can also be used in the WHERE clause in queries for efficient data retrieval.

+The underlying storage mechanism for data in Azure Cosmos DB is called a physical partition. These can have a throughput amount up to 10,000 RU/s and store up to 50 GB of data. Azure Cosmos DB abstracts this with a logical partition which can store up to 20 GB of data. Logical partitions allow the service to provide greater elasticity and better management of data on the underlying physical partitions as more partitions are added. To learn more about partitioning and partition keys, see [Partition data](partitioning-overview.md).

+* **Dedicated throughput**: The throughput provisioned on a container is exclusively reserved for that container. There are two types of dedicated throughput, standard and autoscale. To learn more, see [How to provision throughput on a container](how-to-provision-container-throughput.md).

+* **Shared throughput**: Here throughput is specified at the database level, then shared with up to 25 containers within the database, (excluding containers that have been configured with dedicated throughput). This can be a good option when all of the containers in the database have similar requests and storage needs or when you don't need predictable performance on the data. To learn more, see [How to provision throughput on a database](how-to-provision-database-throughput.md).

+> You can not go between dedicated and shared throughput. Containers created in a shared throughput database, cannot be updated to have dedicated throughput. To change a container from shared to dedicated throughput, a new container must be created and data copied to it.

+Containers are schema-agnostic. Items within a container can have arbitrary schemas or different entities so long as they share the same partition key. For example, an item that represents a customer and one or more items representing all their orders, can be placed in the *same container*. By default, all data added to a container is automatically indexed without requiring explicit indexing. You can customize the indexing for a container by configuring its [indexing policy](index-overview.md).

+You can set [Time to Live (TTL)](time-to-live.md) on selected items in a container or for the entire container to silently delete those items automatically in the background with unused throughput to avoid impacting performance. However, even if not deleted, any data that has expired will not appear in any reads made. To learn more, see [Configure TTL on your container](how-to-time-to-live.md).

+Azure Cosmos DB provides a built-in change data capture capability called, [change feed](change-feed.md) that can be used to subscribe to all the changes to data within your container. For more information, see [Change feed in Azure Cosmos DB](change-feed.md).

+Data within a container must have a unique `id` property value for each logical partition key value. This can be useful when you want to have a unique constraint within your container. You can also specify a [unique key constraint](unique-keys.md) on your Azure Cosmos DB container that uses one or more different properties and ensures uniqueness of one or more values per logical partition key. If you create a container by using a unique key policy, no new or updated items with values that duplicate the values specified by the unique key constraint can be created. To learn more, see [Unique key constraints](unique-keys.md).

+> When creating containers, make sure you donΓÇÖt create two containers with the same name but different casing. Some parts of the Azure platform are not case-sensitive, and this can result in confusion/collision of telemetry and actions on containers with such names.

+An Azure Cosmos DB container has a set of system-defined properties. Depending on which API you use, some properties might not be directly exposed. The following table describes the list of system-defined properties:

+|id | User-configurable | Name of the container | Yes | Yes | Yes | Yes | Yes |

+|indexingPolicy | User-configurable | Provides the ability to change indexes | Yes | No | Yes | Yes | Yes |

+Depending on which API you use, data can represent either an item in a container, a document in a collection, a row in a table, or a node or edge in a graph. The following table shows the mapping of API-specific entities to an Azure Cosmos item:

+| Azure Cosmos DB item | Item | Row | Document | Node or edge | Item |

+| System-defined property | System-generated or user-defined| Purpose | SQL API | Cassandra API | Azure Cosmos DB API for MongoDB | Gremlin API | Table API |

+> Uniqueness of the `id` property is enforced within each logical partition. Multiple documents can have the same `id` property with different partition key values.

+| Operation | SQL API | Cassandra API | Azure Cosmos DB API for MongoDB | Gremlin API | Table API |

+| | | | | | |

+| Insert, Replace, Delete, Upsert, Read | Yes | Yes | Yes | Yes | Yes |

+* [How-to manage your Azure Cosmos DB account](how-to-manage-database-account.md)

+* [VNET service endpoint for your Azure Cosmos DB account](how-to-configure-vnet-service-endpoint.md)

+* [IP-firewall for your Azure Cosmos DB account](how-to-configure-firewall.md)

+* [How-to add and remove Azure regions to your Azure Cosmos DB account](how-to-manage-database-account.md)

+* [Azure Cosmos DB SLAs](https://azure.microsoft.com/support/legal/sla/cosmos-db/)

+>- If want to use the public Azure integration runtime to connect to your Blob storage by leveraging the **Allow trusted Microsoft services to access this storage account** option enabled on Azure Storage firewall, you must use [managed identity authentication](#managed-identity). For more information about the Azure Storage firewalls settings, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md).

+>- If want to use the public Azure integration runtime to connect to the Data Lake Storage Gen2 by leveraging the **Allow trusted Microsoft services to access this storage account** option enabled on Azure Storage firewall, you must use [managed identity authentication](#managed-identity). For more information about the Azure Storage firewalls settings, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md).

+>[!Note]

+> Contacts table is not supported.

+This SQL server connector supports the following authentication types. See the corresponding sections for details.

+- [SQL authentication](#sql-authentication)

+- [Windows authentication](#windows-authentication)

+>[!TIP]

+>If you hit an error with the error code "UserErrorFailedToConnectToSqlServer" and a message like "The session limit for the database is XXX and has been reached," add `Pooling=false` to your connection string and try again.

+### SQL authentication

+To use SQL authentication, the following properties are supported:

+| connectionString | Specify **connectionString** information that's needed to connect to the SQL Server database. Specify a login name as your user name, and ensure the database that you want to connect is mapped to this login. Refer to the following samples. | Yes |

+| password | If you want to put a password in Azure Key Vault, pull the `password` configuration out of the connection string. For more information, see the JSON example following the table and [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md). |No |

+**Example: Use SQL authentication**

+**Example: Use SQL authentication with a password in Azure Key Vault**

+ "password": {

+ "type": "AzureKeyVaultSecret",

+ "store": {

+ "referenceName": "<Azure Key Vault linked service name>",

+ "type": "LinkedServiceReference"

+ },

+ "secretName": "<secretName>"

+**Example: Use Always Encrypted**

+```json

+{

+ "name": "SqlServerLinkedService",

+ "properties": {

+ "type": "SqlServer",

+ "typeProperties": {

+ "connectionString": "Data Source=<servername>\\<instance name if using named instance>;Initial Catalog=<databasename>;Integrated Security=False;User ID=<username>;Password=<password>;"

+ },

+ "alwaysEncryptedSettings": {

+ "alwaysEncryptedAkvAuthType": "ServicePrincipal",

+ "servicePrincipalId": "<service principal id>",

+ "servicePrincipalKey": {

+ "type": "SecureString",

+ "value": "<service principal key>"

+ }

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+### Windows authentication

+To use Windows authentication, the following properties are supported:

+| Property | Description | Required |

+|: |: |: |

+| type | The type property must be set to **SqlServer**. | Yes |

+| connectionString | Specify **connectionString** information that's needed to connect to the SQL Server database. Refer to the following samples.

+| userName | Specify a user name. An example is **domainname\\username**. |Yes |

+| password | Specify a password for the user account you specified for the user name. Mark this field as **SecureString** to store it securely. Or, you can [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). |Yes |

+| alwaysEncryptedSettings | Specify **alwaysencryptedsettings** information that's needed to enable Always Encrypted to protect sensitive data stored in SQL server by using either managed identity or service principal. For more information, see [Using Always Encrypted](#using-always-encrypted) section. If not specified, the default always encrypted setting is disabled. |No |

+| connectVia | This [integration runtime](concepts-integration-runtime.md) is used to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. If not specified, the default Azure integration runtime is used. |No |

+> [!NOTE]

+> Windows authentication is not supported in data flow.

+**Example: Use Windows authentication**

+**Example: Use Windows authentication with a password in Azure Key Vault**

+ "annotations": [],

+ "connectionString": "Data Source=<servername>\\<instance name if using named instance>;Initial Catalog=<databasename>;Integrated Security=True;",

+ "userName": "<domain\\username>",

+ "password": {

+ "type": "AzureKeyVaultSecret",

+ "store": {

+ "referenceName": "<Azure Key Vault linked service name>",

+ "type": "LinkedServiceReference"

+ },

+ "secretName": "<secretName>"

+| **Security Policy and Regulatory Compliance** | Customize a security policy for your subscription and also compare the configuration of your resources with requirements in industry standards, regulations, and benchmarks. | | :::image type="icon" source="./media/icons/yes-icon.png"::: |

+ Title: Endpoint protection recommendations in Microsoft Defender for Cloud

+> [!NOTE]

+> By default, the micro agent sends logs and telemetry to the cloud for troubleshooting and monitoring purposes. This behavior can be configured or turned off through the twin.

+### Log collector-specific settings

+| Setting Name | Setting options | Description | Default |

+|--|--|--|--|

+| **LogCollector_Disabled** | `True`/`False` | Disables the Logs collector. | `False` |

+| **LogCollector_MessageFrequency** | `Low`/`Medium`/`High` | Defines the frequency in which to send Log events. | `Low` |

+## Configure data collection

+Configure data collection settings for Defender for IoT in your IoT hub, such as a Log Analytics workspace and other advanced settings.

+**To configure Defender for IoT data collection**:

+1. In your IoT hub, select **Defender for IoT > Settings**. The **Enable Microsoft Defender for IoT** option is toggled on by default.

+1. In the **Workspace configuration** area, toggle the **On** option to connect to a Log Analytics workspace, and then select the Azure subscription and Log Analytics workspace you want to connect to.

+ If you need to create a new workspace, select the **Create New Workspace** link.

+ Select **Access to raw security data** to export raw security events from your devices to the Log Analytics workspace that you'd selected above.

+1. In the **Advanced settings** area, the following options are selected by default. Clear the selection as needed:

+ - **In-depth security recommendations and custom alerts**. Allows Defender for IoT access to the device's twin data in order to generate alerts based on that data.

+ - **IP data collection**. Allows Defender for IoT access to the device's incoming and outgoing IP addresses to generate alerts based on suspicious connections.

+1. Select **Save** to save your settings.

+Defender for IoT network sensors receive traffic from two main sources, either by switch mirror ports (SPAN ports) or network TAPs. The network sensor's management port connects to the business, corporate, or sensor management network for network management from the Azure portal or an on-premises management system.

+Defender for IoT routes all traffic from all European regions to the *West Europe* regional datacenter. It routes traffic from all remaining regions to the *East US* regional datacenter.

+If you're using a legacy experience of Defender for IoT and are connecting through your own IoT Hub, the IoT Hub supported regions are also relevant for your organization. For more information, see [IoT Hub supported regions](https://azure.microsoft.com/global-infrastructure/services/?products=iot-hub).

+7. Read the information on the page, and select **Redeploy** button.

+8. Check the status of the redeploy operation in the **Notifications** window.

+ },

+ "role": "{role}"

+ "room": {

+ "id": "{roomId}"

+ },

+ "isTwoParty": false,

+ "correlationId": "{correlationId}",

+ "isRoomsCall": true

+ },

+ "role": "{role}"

+ "room": {

+ "id": "{roomId}"

+ },

+ "isTwoParty": false,

+ "correlationId": "{correlationId}",

+ "isRoomsCall": true

+ },

+ "role": "{role}"

+ },

+ "role": "{role}"

+ "room": {

+ "id": "{roomId}"

+ },

+ "isTwoParty": false,

+ "correlationId": "{correlationId}",

+ "isRoomsCall": true

+ },

+ "role": "{role}"

+ },

+ "role": "{role}"

+ "room": {

+ "id": "{roomId}"

+ },

+ "isTwoParty": false,

+ "correlationId": "{correlationId}",

+ "isRoomsCall": true

+| **[Liquid Intelligent Technologies ](https://liquidcloud.africa/connect/)** |Supported |Supported | Cape Town, Johannesburg |

+| **[Windstream](https://www.windstreamenterprise.com/solutions/)**| Equinix | Chicago, Silicon Valley, Washington DC |

+## Container Apps

+> [!NOTE]

+> In the [update manifest]( https://docs.microsoft.com/azure/iot-hub-device-update/update-manifest), each step should have different ΓÇ£installedCriteriaΓÇ¥ string if that string is being used to determine whether the step should be performed or not.

+> [!NOTE]

+> Steps Content Handler:

+> IsInstalled validation logic: The Device Update agentΓÇÖs [step handler]( https://github.com/Azure/iot-hub-device-update/blob/main/src/content_handlers/steps_handler/README.md) checks to see if particular update is already installed (i.e., IsInstalled() resulted in a result code ΓÇ£900ΓÇ¥ i.e., is installed is ΓÇÿtrueΓÇÖ). To avoid installing an update that is already on the device the DU agent will skip future steps because we use it to determine whether to perform the step or not.

+> Reporting an update result: The result of a step handler execution must be written to ADUC_Result struct in a desired result file as specified in --result-file option [learn more]( https://github.com/Azure/iot-hub-device-update/blob/main/src/content_handlers/steps_handler/README.md#steps-content-handler). Then based on results of the execution, for success return 0, for any fatal errors return -1 or 0xFF.

+Azure IoT Hub is a fully managed service that helps enable reliable and secure bi-directional communications between millions of devices and a solution back end.

+This article shows you how to:

+* Send cloud-to-device messages, from your solution backend, to a single device through IoT Hub

+* Receive cloud-to-device messages on a device

+* Request delivery acknowledgment (*feedback*), from your solution backend, for messages sent to a device from IoT Hub

+* **SimulatedDevice**: a modified version of the app created in [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp), which connects to your IoT hub and receives cloud-to-device messages.

+* **SendCloudToDevice**: sends a cloud-to-device message to the device app through IoT Hub and then receives its delivery acknowledgment.

+> IoT Hub has SDK support for many device platforms and languages (C, Java, Python, and JavaScript) through [Azure IoT device SDKs](iot-hub-devguide-sdks.md).

+You can find more information on cloud-to-device messages in [D2C and C2D Messaging with IoT Hub](iot-hub-devguide-messaging.md).

+* A complete working version of the [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-java) quickstart or the [Configure message routing with IoT Hub](tutorial-routing.md) article. This cloud-to-device article builds on the quickstart.

+In this section, modify your device app to receive cloud-to-device messages from the IoT hub.

+For more information about the cloud-to-device message lifecycle and how IoT Hub processes cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+In this article, you create a back-end service to send cloud-to-device messages through your IoT Hub. To send cloud-to-device messages, your service needs the **service connect** permission. By default, every IoT Hub is created with a shared access policy named **service** that grants this permission.

+In this section, you create a .NET console app that sends cloud-to-device messages to the simulated device app. You need the device ID from your device and your IoT hub connection string.

+1. In Visual Studio, select **File** > **New** > **Project**. In **Create a new project**, select **Console App (.NET Framework)**, and then select **Next**.

+ :::image type="content" source="./media/iot-hub-csharp-csharp-c2d/sendcloudtodevice-project-configure.png" alt-text="Screenshot of the 'Configure a new project' popup in Visual Studio." lightbox="./media/iot-hub-csharp-csharp-c2d/sendcloudtodevice-project-configure.png":::

+It's possible to request delivery (or expiration) acknowledgments from IoT Hub for each cloud-to-device message. This option enables the solution back end to easily inform, retry, or compensation logic. For more information about cloud-to-device feedback, see [D2C and C2D Messaging with IoT Hub](iot-hub-devguide-messaging.md).

+In this article, you learned how to send and receive cloud-to-device messages.

+Azure IoT Hub is a fully managed service that helps enable reliable and secure bi-directional communications between millions of devices and a solution back end.

+* Receive cloud-to-device messages on a device

+* **sample-device**: the same app created in [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md), which connects to your IoT hub and receives cloud-to-device messages.

+> IoT Hub has SDK support for many device platforms and languages (including C, Java, Python, and JavaScript) through the [Azure IoT device SDKs](iot-hub-devguide-sdks.md).

+You can find more information on cloud-to-device messages in the [messaging section of the IoT Hub developer guide](iot-hub-devguide-messaging.md).

+## Prerequisites

+Azure IoT Hub is a fully managed service that helps enable reliable and secure bi-directional communications between millions of devices and a solution back end.

+This article shows you how to:

+* Send cloud-to-device messages, from your solution backend, to a single device through IoT Hub

+* Receive cloud-to-device messages on a device

+* Request delivery acknowledgment (*feedback*), from your solution backend, for messages sent to a device from IoT Hub

+* **SimulatedDevice**: a modified version of the app created in [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp), which connects to your IoT hub and receives cloud-to-device messages.

+* **SendCloudToDevice**: sends a cloud-to-device message to the device app through IoT Hub and then receives its delivery acknowledgment.

+> IoT Hub has SDK support for many device platforms and languages (C, Java, Python, and JavaScript) through the [Azure IoT device SDKs](iot-hub-devguide-sdks.md).

+You can find more information on [cloud-to-device messages in the IoT Hub developer guide](iot-hub-devguide-messaging.md).

+* A complete working version of the [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-java) quickstart or the [Configure message routing with IoT Hub](tutorial-routing.md) article. This cloud-to-device article builds on the quickstart.

+In this section, modify your device app to receive cloud-to-device messages from the IoT hub.

+For more information about the cloud-to-device message lifecycle and how IoT Hub processes cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+In this article you create a backend service to send cloud-to-device messages through your IoT Hub. To send cloud-to-device messages, your service needs the **service connect** permission. By default, every IoT Hub is created with a shared access policy named **service** that grants this permission.

+In this section, you create a Java console app that sends cloud-to-device messages to the simulated device app. You need the device ID from your device and your IoT hub connection string.

+ > For simplicity, this article does not implement a retry policy. In production code, you should implement retry policies (such as exponential backoff) as suggested in the article [Transient Fault Handling](/azure/architecture/best-practices/transient-faults).

+Azure IoT Hub is a fully managed service that helps enable reliable and secure bi-directional communications between millions of devices and a solution back end.

+This article shows you how to:

+* Send cloud-to-device messages, from your solution backend, to a single device through IoT Hub

+* Receive cloud-to-device messages on a device

+* Request delivery acknowledgment (*feedback*), from your solution backend, for messages sent to a device from IoT Hub

+* **SimulatedDevice**: a modified version of the app created in [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp), which connects to your IoT hub and receives cloud-to-device messages.

+* **SendCloudToDevice**: sends a cloud-to-device message to the device app through IoT Hub and then receives its delivery acknowledgment.

+> IoT Hub has SDK support for many device platforms and languages (C, Java, Python, and JavaScript) through the [Azure IoT device SDKs](iot-hub-devguide-sdks.md).

+You can find more information on cloud-to-device messages in the [IoT Hub developer guide](iot-hub-devguide-messaging.md).

+* A complete working version of the [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-java) quickstart or the [Configure message routing with IoT Hub](tutorial-routing.md) article. This article builds on the quickstart.

+* Node.js version 10.0.x or later. [Prepare your development environment](https://github.com/Azure/azure-iot-sdk-node/tree/main/doc/node-devbox-setup.md) describes how to install Node.js for this article on either Windows or Linux.

+In this section, modify your device app to receive cloud-to-device messages from the IoT hub.

+For more information about the cloud-to-device message lifecycle and how IoT Hub processes cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+In this article, you create a backend service to send cloud-to-device messages through your IoT Hub. To send cloud-to-device messages, your service needs the **service connect** permission. By default, every IoT Hub is created with a shared access policy named **service** that grants this permission.

+In this section, you create a Node.js console app that sends cloud-to-device messages to the simulated device app. You need the device ID from your device and your IoT hub connection string.

+Azure IoT Hub is a fully managed service that helps enable reliable and secure bi-directional communications between millions of devices and a solution back end.

+This article shows you how to:

+* Send cloud-to-device messages, from your solution backend, to a single device through IoT Hub

+* Receive cloud-to-device messages on a device

+* **SimulatedDevice.py**: a modified version of the app created in [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-python), which connects to your IoT hub and receives cloud-to-device messages.

+* **SendCloudToDeviceMessage.py**: sends cloud-to-device messages to the simulated device app through IoT Hub.

+You can find more information on cloud-to-device messages in the [IoT Hub developer guide](iot-hub-devguide-messaging.md).

+* A complete working version of the [Send telemetry from a device to an IoT hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-java) quickstart or the [Configure message routing with IoT Hub](tutorial-routing.md) article. This cloud-to-device article builds on the quickstart.

+In this section, you create a Python console app to simulate a device and receive cloud-to-device messages from the IoT hub.

+For more information about the cloud-to-device message lifecycle and how IoT Hub processes cloud-to-device messages, see [Send cloud-to-device messages from an IoT hub](iot-hub-devguide-messages-c2d.md).

+In this article, you create a backend service to send cloud-to-device messages through your IoT Hub. To send cloud-to-device messages, your service needs the **service connect** permission. By default, every IoT Hub is created with a shared access policy named **service** that grants this permission.

+In this section, you create a Python console app that sends cloud-to-device messages to the simulated device app. You need the device ID from your device and your IoT hub connection string.

+- **Release**: It securely releases a key to authorized code running within a confidential compute environment. It requires an attestation that the Trusted Execution Environment (TEE) meets the requirements of the keyΓÇÖs release_policy.

+ - *release*: Release a key to a confidential compute environment which matches the release_policy of the key

+1. Select **Add** > **Add role assignment**.

+> If using a version of Azure Lab Services prior to the [August 2022 Update](lab-services-whats-new.md), see [Administrator guide when using lab accounts](administrator-guide-1.md).

+We recommend that you invest time up front to plan the structure of your resource groups. It's *not* possible to change a lab plan or compute gallery resource group once it's created. If you need to change the resource group for these resources, you'll need to delete and re-create them.

+A lab plan set of configurations that influence the creation of a lab. A lab plan can be associated with zero or more labs. When you're getting started with Azure Lab Services, it's most common to have a single lab plan. As your lab usage scales up, you can choose to create more lab plans later.

+- Create a new set of labs for each semester, quarter, or other academic system you're using. For classes that need to use the same image, you should use a [compute gallery](#azure-compute-gallery). This way, you can reuse images across labs and academic periods.

+When you're determining how to structure your labs, consider the following points:

+ To set different quotas for users, you must create separate labs. However, it's possible to add more hours to specific users after you have set the quota.

+The compute gallery is an optional resource that you might not need immediately if you're starting with only a few labs. However, a compute gallery offers many benefits that are helpful as you scale up to more labs:

+ It's useful to create a custom image or make changes (software, configuration, and so on) to an image from the Azure Marketplace gallery. For example, it's common for educators to require different software or tooling be installed. Rather than requiring students to manually install these prerequisites on their own, different versions of the template VM image can be exported to the compute gallery. You can then use these image versions when you create new labs.

+ You can save and reuse an image so that you don't have to configure it from scratch each time that you create a new lab. For example, if multiple classes need to use the same image, you can create it once and export it to the compute gallery so that it can be shared across labs.

+When you set up your Azure Lab Services resources, you're required to provide a region or location of the data center that will host the resources. Lab plans can enable one or more regions in which labs may be created. The next sections describe how a region or location might affect each resource that is involved with setting up a lab.

+- **Lab**. The location that a lab exists in varies, and doesn't need to be in the same location as the lab plan. Administrators control which regions labs can be created in through the lab plan settings. A general rule is to set a resource's region to one that is closest to its users. For labs, this means creating the lab that is closest to your students. For online courses whose students are located all over the world, use your best judgment to create a lab that is centrally located. Or you can split a class into multiple labs according to your students' regions.

+ However, the Contributor *can't* grant other users access to either lab plans or labs.

+ When set on the lab plan, this role enables the user account to create labs from the lab plan. The user account can also see existing labs that are in the same resource group as the lab plan. When applied to a resource group, this role enables the user to view existing lab and create new labs. They'll have full control over any labs they create as they're assigned as Owner to those created labs. For more information, see [Add a user to the Lab Creator role](./tutorial-setup-lab-plan.md#add-a-user-to-the-lab-creator-role).

+ A key difference between the lab Owner and Contributor roles is that only an Owner can grant other users access to manage a lab. A Contributor *can't* grant other users access to manage a lab.

+ When applied to a resource group or a lab, this role enables the user to have limited ability to manage existing labs. This role won't give the user the ability to create new labs. In an existing lab, the user can manage users, adjust individual users' quota, manage schedules, and start/stop VMs. The user account will be able to publish a lab. The user won't have the ability to change lab capacity or change quota at the lab level. The user won't be able to change the template title or description.

+ When applied to a resource group, enables the user to view, but not change, all lab plans and lab resources. External resources like image galleries and virtual networks that may be connected to a lab plan aren't included.

+When you're assigning roles, it helps to follow these tips:

+- To give educators the ability to manage specific labs, but *not* the ability to create new labs, assign them either the Owner or Contributor role for each lab that they'll manage. For example, you might want to allow a professor and a teaching assistant to co-own a lab.

+Your school may need to do content filtering to prevent students from accessing inappropriate websites. For example, to comply with the [Children's Internet Protection Act (CIPA)](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act). Lab Services doesn't offer built-in support for content filtering.

+By default, Azure Lab Services hosts each lab's virtual network within a Microsoft-managed Azure subscription. You'll need to use [advanced networking](how-to-connect-vnet-injection.md) in the lab plan. Make sure to check known limitations of VNet injection before proceeding.

+- If you plan to use the [auto-shutdown settings](./cost-management-guide.md#automatic-shutdown-settings-for-cost-control), you'll need to unblock several Azure host names with the 3rd party software. The auto-shutdown settings use a diagnostic extension that must be able to communicate back to Lab Services. Otherwise, the auto-shutdown settings will fail to enable for the lab.

+- You may also want to have each student use a non-admin account on their VM so that they can't uninstall the content filtering software. Adding a non-admin account must be done when creating the lab.

+With Lab Services, if you create a lab with a template, the lab VMs will have the same SID. Even if you use a *generalized* image to create a lab, the template VM and student VMs will all have the same machine SID. The VMs have the same SID because the template VM's image is in a *specialized* state when it's published to create the student VMs.

+If you plan to use an endpoint management tool or similar software, we recommend that you don't use template VMs for your labs.

+Creating a compute gallery and attaching it to your lab plan is free. No cost is incurred until you save an image version to the gallery. The pricing for using a compute gallery is ordinarily fairly negligible, but it's important to understand how it's calculated, because it isn't included in the pricing for Azure Lab Services.

+When you save an image version by using a lab template VM, Azure Lab Services first stores it in a source region. However, you'll most likely need to replicate the source image version to one or more target regions.

+It's important for lab plan administrators to manage costs by routinely deleting unneeded image versions from the gallery.

+If you're close to or have reached your subscription's core limit, you'll see messages from Azure Lab Services. Actions that are affected by core limits include:

+If you reach the cores limit, you can request a limit increase to continue using Azure Lab Services. The request process is a checkpoint to ensure your subscription isn't involved in any cases of fraud or unintentional, sudden large-scale deployments.

+ - Location. Location will be a [geography](https://azure.microsoft.com/global-infrastructure/geographies/#geographies) or region, if using the [August 2022 Update](lab-services-whats-new.md).

+Once you submit the support request, we'll review the request. If necessary, we'll contact you to get more details.

+Some rare subscription types that are more commonly used for fraud can have a default limit of zero standard cores and zero GPU cores. If you're using one of these subscription types, your admin needs to request a limit increase before you can use Azure Lab Services.

+Azure Lab Services hosts lab resources, including VMs, within special Microsoft-managed Azure subscriptions that aren't visible to customers. With the [August 2022 Update](lab-services-whats-new.md), VM capacity is dedicated to each customer. Previous to this update, VM capacity was available from a large pool shared by customers.

+| VM image | [Data Science Virtual Machine for Linux (Ubuntu)](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804). This image provides deep learning frameworks and tools for machine learning and data science. To view the full list of installed tools on this image, see [What's included on the DSVM?](../machine-learning/data-science-virtual-machine/overview.md#whats-included-on-the-dsvm). |

+| Template Virtual Machine Settings | Optionally, choose **Use a virtual machine image without customization**. If you're using the [August 2022 Update](lab-services-whats-new.md) and the DSVM has all the tools that your class requires, you can skip the template customization step. |

+Labs can be created without needing a template VM, if using the [August 2022 Update](lab-services-whats-new.md). The Marketplace or Azure Compute Gallery image is used as-is to create the student's VMs.

+Azure Lab Services was designed with three major personas in mind: administrators, educators, and students. You'll see these three roles mentioned throughout Azure Lab Services documentation. This section describes each persona and the tasks they're typically responsible for.

+Below is the basic architecture of a lab without advanced networking enabled. The lab plan is hosted in your subscription. The student VMs, along with the resources needed to support the VMs are hosted in a subscription owned by Azure Lab Services. LetΓÇÖs talk about what is in Azure Lab Service's subscriptions in more detail.

+By default, each lab is isolated by its own virtual network.

+If the lab is using [advanced networking](how-to-connect-vnet-injection.md), then each lab is using the same subnet that has been delegated to Azure Lab Services and connected to the lab plan. You'll also be responsible for creating an [NSG with an inbound security rule to allow RDP and SSH traffic](how-to-connect-vnet-injection.md#associate-delegated-subnet-with-nsg) so students can connect to their VMs.

+You can filter by service or resource type. To see only costs associated with Azure Lab Services, set the **service name** filter equal to **azure lab services**. If filtering on **resource type**, include `Microsoft.Labservices/labaccounts` resource type. If using the [August 2022 Update](lab-services-whats-new.md), also include the `Microsoft.LabServices/labs` resource type.

+If you're using the [August 2022 Update](lab-services-whats-new.md), the entries in are formatted differently. The **Resource** column will show entries in the form `{lab name}/{number}` for Azure Lab Services. Some tags are added automatically to each entry when using the August 2022 Update.

+In the [August 2022 Update](lab-services-whats-new.md):

+1. Select **Add** > **Add role assignment**.

+1. Select **Add** > **Add role assignment**.

+> If using a version of Azure Lab Services prior to the [August 2022 Update](lab-services-whats-new.md), see [Attach or detach a shared image gallery to a lab account in Azure Lab Services](how-to-attach-detach-shared-image-gallery-1.md).

+ Title: Firewall settings for labs when using lab accounts

+description: Learn how to determine the public IP address of VMs in a lab created using a lab account so information can be added to firewall rules.

+# Firewall settings for labs when using lab accounts

+Each organization or school will configure their own network in a way that best fits their needs. Sometimes that includes setting firewall rules that block Remote Desktop Protocol (RDP) or Secure Shell (SSH) connections to machines outside their own network. Because Azure Lab Services runs in the public cloud, some extra configuration maybe needed to allow students to access their VM when connecting from the campus network.

+Each lab uses single public IP address and multiple ports. All VMs, both the template VM and student VMs, will use this public IP address. The public IP address won't change for the life of lab. Each VM will have a different port number. The port numbers range is 49152 - 65535. The combination of public IP address and port number is used to connect educators and students to the correct VM. This article will cover how to find the specific public IP address used by a lab. That information can be used to update inbound and outbound firewall rules so students can access their VMs.

+>[!IMPORTANT]

+>Each lab will have a different public IP address.

+> [!NOTE]

+> If your school needs to perform content filtering, such as for compliance with the [Children's Internet Protection Act (CIPA)](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act), you will need to use 3rd party software. For more information, read guidance on [content filtering with Lab Services](./administrator-guide.md#content-filtering).

+## Find public IP for a lab

+The public IP addresses for each lab are listed in the **All labs** page of the Lab Services lab account. For directions how to find the **All labs** page, see [View labs in a lab account](manage-labs-1.md#view-labs-in-a-lab-account).

+>[!NOTE]

+>You won't see the public IP address if the template machine for your lab isn't published yet.

+## Conclusion

+Now we know the public IP address for the lab. Inbound and outbound rules can be created for the organization's firewall for the public IP address and the port range 49152 - 65535. Once the rules are updated, students can access their VMs without the network firewall blocking access.

+## Next steps

+- As an admin, [enable labs to connect your vnet](how-to-connect-vnet-injection.md).

+- As an educator, work with your admin to [create a lab with a shared resource](how-to-create-a-lab-with-shared-resource.md).

+- As an educator, [publish your lab](how-to-create-manage-template.md#publish-the-template-vm).

+description: Learn how to determine the public IP address of VMs in a lab created using a lab plan so information can be added to firewall rules.

+ms.lab-

+> [!NOTE]

+> If using a version of Azure Lab Services prior to the [August 2022 Update](lab-services-whats-new.md), see [Firewall settings for labs when using lab accounts](how-to-configure-firewall-settings-1.md).

+Each lab uses single public IP address and multiple ports. All VMs, both the template VM and student VMs, will use this public IP address. The public IP address won't change for the life of lab. Each VM will have a different port number. The port ranges for SSH connections are 4980-4989 and 5000-6999. The port ranges for RDP connections are 4990-4999 and 7000-8999. The combination of public IP address and port number is used to connect educators and students to the correct VM. This article will cover how to find the specific public IP address used by a lab. That information can be used to update inbound and outbound firewall rules so students can access their VMs.

+If using a customizable lab, then we can get the public ip anytime after the lab is created. If using a non-customizable lab, the lab must be published and have capacity of at least 1 to be able to get the public IP for the lab.

+We're going to use the Az.LabServices PowerShell module to get the public IP address for a lab. For more examples using Az.LabServices PowerShell module and how to use it, see [Quickstart: Create a lab plan using PowerShell and the Azure modules](quick-create-lab-plan-powershell.md) and [Quickstart: Create a lab using PowerShell and the Azure module](quick-create-lab-powershell.md). For more information about cmdlets available in the Az.LabServices PowerShell module, see [Az.LabServices reference](/powershell/module/az.labservices/)

+```powershell

+$ResourceGroupName = "MyResourceGroup"

+$LabName = "MyLab"

+$LabPublicIP = $null

+$lab = Get-AzLabServicesLab -Name $LabName -ResourceGroupName $ResourceGroupName

+if (-not $lab){

+ Write-Error "Could find lab $($LabName) in resource group $($ResourceGroupName)."

+}

+if($lab.NetworkProfilePublicIPId){

+ #Lab is using advance networking

+ # Get public IP from networking properties

+ $LabPublicIP = Get-AzResource -ResourceId $lab.NetworkProfilePublicIPId | Get-AzPublicIpAddress | Select-Object -expand IpAddress

+}else{

+ #Get first VM from lab

+ # If customizable lab, this is the template VM

+ # If non-customizable lab, this is the first VM published.

+ $vm = $lab | Get-AzLabServicesVM | Select -First 1

+ if ($vm){

+ if($vm.ConnectionProfileSshAuthority){

+ $connectionAuthority = $vm.ConnectionProfileSshAuthority.Split(":")[0]

+ }else{

+ $connectionAuthority = $vm.ConnectionProfileRdpAuthority.Split(":")[0]

+ }

+ $LabPublicIP = [System.Net.DNS]::GetHostByName($connectionAuthority).AddressList.IPAddressToString | Where-Object {$_} | Select -First 1

+ }

+}

+if ($LabPublicIP){

+ Write-Output "Public IP for $($lab.Name) is $LabPublicIP."

+}else{

+ Write-Error "Lab must be published to get public IP address."

+}

+```

+Now we know the public IP address for the lab. Inbound and outbound rules can be created for the organization's firewall for the public IP address and the port ranges 4980-4989, 5000-6999, and 7000-8999. Once the rules are updated, students can access their VMs without the network firewall blocking access.

+- As an educator, [publish your lab](how-to-create-manage-template.md#publish-the-template-vm).

+Some organizations have advanced network requirements and configurations that they want to apply to labs. For example, network requirements can include a network traffic control, ports management, access to resources in an internal network, etc. Certain on-premises networks are connected to Azure Virtual Network either through [ExpressRoute](../expressroute/expressroute-introduction.md) or [Virtual Network Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md). These services must be set up outside of Azure Lab Services. To learn more about connecting an on-premises network to Azure using ExpressRoute, see [ExpressRoute overview](../expressroute/expressroute-introduction.md). For on-premises connectivity using a Virtual Network Gateway, the gateway, specified virtual network, network security group, and the lab plan all must be in the same region.

+In the Azure Lab Services [August 2022 Update](lab-services-whats-new.md), customers may take control of the network for the labs using virtual network (VNet) injection. You can now tell Lab Services which virtual network to use, and we'll inject the necessary resources into your network. With VNet injection, you can connect to on premise resources such as licensing servers and use user defined routes (UDRs). VNet injection replaces the [peering to your virtual network](how-to-connect-peer-virtual-network.md), as was done in previous versions.

+> Advanced networking (VNet injection) must be configured when creating a lab plan. It can't be added later.

+> [!NOTE]

+> If your school needs to perform content filtering, such as for compliance with the [Children's Internet Protection Act (CIPA)](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act), you will need to use 3rd party software. For more information, read guidance on [content filtering with Lab Services](./administrator-guide.md#content-filtering).

+## Prerequisites

+Before you configure advanced networking for your lab plan, complete the following tasks:

+1. [Create a virtual network](../virtual-network/quick-create-portal.md). The virtual network must be in the same region as the lab plan.

+1. [Create a subnet](../virtual-network/virtual-network-manage-subnet.md) for the virtual network.

+1. [Delegate the subnet](#delegate-the-virtual-network-subnet-for-use-with-a-lab-plan) to **Microsoft.LabServices/labplans**.

+1. [Create a network security group (NSG)](../virtual-network/manage-network-security-group.md).

+1. [Create an inbound rule to allow traffic from SSH and RDP ports](/azure/virtual-network/manage-network-security-group).

+1. [Associate the NSG to the delegated subnet](#associate-delegated-subnet-with-nsg).

+Now that the prerequisites have been completed, you can [use advanced networking to connect your virtual network during lab plan creation](#connect-the-virtual-network-during-lab-plan-creation).

+1. Create a [virtual network](../virtual-network/manage-virtual-network.md) and [subnet](../virtual-network/virtual-network-manage-subnet.md).

+2. Open the **Subnets** page for your virtual network.

+3. Select the subnet you wish to delegate to Lab Services and open the property window for that subnet.

+4. For the **Delegate subnet to a service** property, select **Microsoft.LabServices/labplans**. Select **Save**.

+5. Verify the lab plan service appears in the **Delegated to** column.

+## Associate delegated subnet with NSG

+> [!WARNING]

+> An NSG with inbound rules for RDP and/or SSH is required to allow access to the template and lab VMs.

+For connectivity to lab VMs, it's required to associate an NSG with the subnet delegated to Lab Services. We'll create an NSG, add an inbound rule to allow both SSH and RDP traffic, and then associate the NSG with the delegated subnet.

+1. [Create a network security group (NSG)](../virtual-network/manage-network-security-group.md), if not done already.

+2. Create an inbound security rule allowing RDP and SSH traffic.

+ 1. Select **Inbound security rules** on the left menu.

+ 2. Select **+ Add** from the top menu bar. Fill in the details for adding the inbound security rule as follows:

+ 1. For **Source**, select **Any**.

+ 2. For **Source port ranges**, select **\***.

+ 3. For **Destination**, select **IP Addresses**.

+ 4. For **Destination IP addresses/CIDR ranges**, select subnet range previously created subnet.

+ 5. For **Service**, select **Custom**.

+ 6. For **Destination port ranges**, enter **22, 3389**. Port 22 is for Secure Shell protocol (SSH). Port 3389 is for Remote Desktop Protocol (RDP).

+ 7. For **Protocol**, select **Any**.

+ 8. For **Action**, select **Allow**.

+ 9. For **Priority**, select **1000**. Priority must be higher than other **Deny** rules for RDP and/or SSH.

+ 10. For **Name**, enter **AllowRdpSshForLabs**.

+ 11. Select **Add**.

+ :::image type="content" source="media/how-to-connect-vnet-injection/nsg-add-inbound-rule.png" lightbox="media/how-to-connect-vnet-injection/nsg-add-inbound-rule.png" alt-text="Screenshot of Add inbound rule window for Network security group.":::

+ 3. Wait for the rule to be created.

+ 4. Select **Refresh** on the menu bar. Our new rule will now show in the list of rules.

+3. Associate the NSG with the delegated subnet.

+ 1. Select **Subnets** on the left menu.

+ 1. Select **+ Associate** from the top menu bar.

+ 1. On the **Associate subnet** page, do the following actions:

+ 1. For **Virtual network**, select previously created virtual network.

+ 2. For **Subnet**, select previously created subnet.

+ 3. Select **OK**.

+ :::image type="content" source="media/how-to-connect-vnet-injection/associate-nsg-with-subnet.png" lightbox="media/how-to-connect-vnet-injection/associate-nsg-with-subnet.png" alt-text="Screenshot of Associate subnet page in the Azure portal.":::

+1. Search for **lab plan**. (**Lab plan** can also be found under the **DevOps** category.)

+- Azure Firewall isn't currently supported.

+> If using a version of Azure Lab Services prior to the [August 2022 Update](lab-services-whats-new.md), see [How to create a lab with a shared resource in Azure Lab Services when using lab accounts](how-to-create-a-lab-with-shared-resource-1.md).

+When you're creating a lab, there might be some resources that need to be shared among all the students in a lab. For example, you have a licensing server or SQL Server for a database class. This article will discuss the steps to enable the shared resource for a lab. We'll also talk about how to limit access to the shared resource.

+A template in a lab is a base VM image from which all users' virtual machines are created. Modify the template VM so that it's configured with exactly what you want to provide to the lab users. You can provide a name and description of the template that the lab users see. Then, you publish the template to make instances of the template VM available to your lab users. When you publish a template, Azure Lab Services creates VMs in the lab using the template. The number of VMs created during publish equals lab capacity. If using [Teams integration](lab-services-within-teams-overview.md), or [Canvas integration](lab-services-within-canvas-overview.md), the number of VMs created during publish equals the number of users in the lab. All virtual machines have the same configuration as the template.

+When you create a lab, the template VM is created but it's not started. You can start it, connect to it, and install any pre-requisite software for the lab, and then publish it. When you publish the template VM, it's automatically shut down for you if you haven't done so. This article describes how to manage a template VM of a lab.

+1. Once you connect to the template and make changes, it will no longer have the same setup as the virtual machines last published to your users. Template changes won't be reflected on your students' existing virtual machines until after you publish again.

+3. You see the **status of publishing** the template on page. If using [Azure Lab Services August 2022 Update](lab-services-whats-new.md), publishing can take up to 20 minutes.

+4. Wait until the publishing is complete and then switch to the **Virtual machines pool** page by selecting **Virtual machines** on the left menu or by selecting **Virtual machines** tile. Confirm that you see virtual machines that are in **Unassigned** state. These VMs aren't assigned to students yet. They should be in **Stopped** state. You can start a student VM, connect to the VM, stop the VM, and delete the VM on this page. You can start them in this page or let your students start the VMs.

+> Prior to the [August 2022 Update](lab-services-whats-new.md), Linux labs only support automatic shut down when users disconnect and when VMs are started but users don't connect. Support also varies depending on [specific distributions and versions of Linux](../virtual-machines/extensions/diagnostics-linux.md#supported-linux-distributions). Shutdown settings are not supported by the [Data Science Virtual Machine - Ubuntu 18.04](https://azuremarketplace.microsoft.com/marketplace/apps/microsoft-dsvm.ubuntu-1804) image.

+ 2. For the **Auto-shutdown of virtual machines** option, specify whether you want the VM to be automatically shut down when user disconnects. You can also specify how long the VM should wait for the user to reconnect before automatically shutting down. For more information, see [Enable automatic shutdown of VMs on disconnect](how-to-enable-shutdown-disconnect.md).

+> You can also use the Az.LabServices PowerShell module to manage labs. For more information, see the [Az.LabServices home page on GitHub](https://aka.ms/azlabs/samples/PowerShellModule).

+- As an admin, use the [Az.LabServices PowerShell module](https://aka.ms/azlabs/samples/PowerShellModule) to manage lab accounts.

+In the [April 2022 Update](lab-services-whats-new.md), redeploying VMs replaces the previous reset VM behavior. In the Lab Services web portal: [https://labs.azure.com](https://labs.azure.com), the command is named **Troubleshoot** and is available in the student's view of their VMs. For more information and instructions on how students can redeploy their VMs, see: [Redeploy VMs](how-to-reset-and-redeploy-vm.md#redeploy-vms).

+In the [April 2022 Update](lab-services-whats-new.md), redeploying VMs replaces the previous reset VM behavior. In the Lab Services web portal: [https://labs.azure.com](https://labs.azure.com), the command is named **Troubleshoot** and is available in the student's view of their VMs.

+> Reset password option is not available for labs created without a template using the [April 2022 Updates](lab-services-whats-new.md).

+Using the [Azure Lab Services portal](https://labs.azure.com/virtualmachines) is the preferred method for a student to stop their lab VM. However, with the [April 2022 Updates](lab-services-whats-new.md), Azure Lab Services will detect when a student shuts down their VM using the OS shutdown command. After a long delay to ensure the VM wasn't being restarted, the lab VM will be marked as stopped and billing will discontinue.

+- **Fast and flexible setup of a lab**. Lab owners can quickly [set up a lab](tutorial-setup-lab.md) for their needs. Azure Lab Services takes care of all Azure infrastructure including built-in scaling and resiliency of infrastructure for labs.

+- **Simplified experience for lab users**. Students who are invited to a lab get immediate access to the resources you give them inside your labs. They just need to sign in to see the full list of virtual machines for all labs that they can access. They can select a single button to connect to the virtual machines and start working. Users don't need Azure subscriptions to use the service. [Lab users can register](how-to-use-lab.md) to a lab with a registration code and can access the lab anytime to use the lab's resources.

+- **Cost optimization and analysis**. [Keep your budget in check](cost-management-guide.md) by controlling exactly how many hours your lab users can use the virtual machines. Set up [schedules](how-to-create-schedules.md) in the lab to allow users to use the virtual machines only during designated time slots. Set up [auto-shutdown policies](how-to-configure-auto-shutdown-lab-plans.md) to avoid unneeded VM usage. Keep track of [individual users' usage](how-to-manage-classroom-labs.md) and [set limits](how-to-configure-student-usage.md#set-quotas-for-users).

+- **Automatic management of Azure infrastructure and scale** Azure Lab Services is a managed service, which means that provisioning and management of a lab's underlying infrastructure is handled automatically by the service. You can just focus on preparing the right lab experience for your users. Let the service handle the rest and roll out your lab's virtual machines to your audience. Scale your lab to hundreds of virtual machines with a single action.

+- Provide students with a lab of virtual machines configured with exactly what's needed for a class. Give each student a limited number of hours for using the VMs for homework or personal projects.

+- Move your school's physical computer lab into the cloud. Automatically scale the number of VMs only to the maximum usage and cost threshold that you set on the lab.

+- Quickly create a lab of virtual machines for hosting a hackathon. Delete the lab with a single action once you're done.

+[Azure Lab Services August 2022 Update](lab-services-whats-new.md)) doesn't move or store customer data outside the region it's deployed in. However, accessing Azure Lab Services resources through the Azure Lab Services portal may cause customer data to cross regions.

+There are no guarantees customer data will stay in the region it's deployed to when using Azure Lab Services previous to the August 2022 Update.

+## Data at rest

+Azure Lab Services encrypts all content using Microsoft managed encryption key.

+description: Learn what's new in the Azure Lab Services August 2022 Updates.

+# What's new in Azure Lab Services August 2022 Update

+**[Canvas Integration](how-to-get-started-create-lab-within-canvas.md)**. Now, educators don't have to leave Canvas to create their labs. Students can connect to a virtual machine from inside their course.

+**[More built-in roles](administrator-guide.md#rbac-roles)**. Previously, there was only the Lab Creator built-in role. We've added a few more roles including Lab Operator and Lab Assistant. Lab operators can manage existing labs, but not create new ones. Lab assistants can only help students by starting, stopping, or redeploying virtual machines. Lab assistants can't adjust quota or set schedules.

+**[Updates to lab owner experience](how-to-manage-labs.md)**. Choose to skip the template creation process when creating a new lab if you already have an image ready to use. We've also added the ability to add a non-admin user to lab VMs.

+|Lab account served as a container for the labs. A change to the lab account often affected the labs under it.|The lab plan serves as a collection of configurations and settings that are applied when a lab is **created**. If you change a lab plan's settings, these changes won't affect any existing labs that were previously created from the lab plan. (The exception is the internal help information, which will affect all labs.)|

+Don't forget to assign user permissions on the lab plan and the lab plan's resource group. Permission assignments for new labs may also be required if labs are created for educators instead of by them.

+Use the following checklist to get started with Azure Lab Services August 2022 Update:

+As you migrate, there likely will be a time when you're using both the August 2022 Update and the current version of Azure Lab Services. You might have both lab accounts and lab plans that coexist in your subscription and that access the same external resources.

+Let's cover each step to get started with the August 2022 Update in more detail.

+1. **Configure shared resources**. Optionally, [configure licensing servers](how-to-create-a-lab-with-shared-resource.md). For VMs that require access to a licensing server, create a lab using a lab plan with [advanced networking](how-to-connect-vnet-injection.md#connect-the-virtual-network-during-lab-plan-creation). You can reuse the same Azure Compute Gallery and the licensing servers that you use with your lab accounts.

+1. **Validate images**. Each of the VM sizes has been remapped to use a newer Azure VM Compute SKU. If using an [attached compute gallery](how-to-attach-detach-shared-image-gallery.md), validate images with new [Azure VM Compute SKUs](administrator-guide.md#vm-sizing). Validate that each image in the compute gallery is replicated to regions the lab plans and labs are in.

+1. **Configure integrations**. Optionally, configure [integration with Canvas](lab-services-within-canvas-overview.md) including [adding the app and linking lab plans](how-to-get-started-create-lab-within-canvas.md). Alternately, configure [integration with Teams](lab-services-within-teams-overview.md) by [adding the app to Teams groups](how-to-get-started-create-lab-within-teams.md).

+1. **Create labs**. Create labs to test educator and student experience in preparation for general availability of the updates. Lab administrators and educators should validate performance based on common student workloads.

+1. **Update cost management reports.** Update reports to include the new cost entry type, `Microsoft.LabServices/labs`, for labs created using the August 2022 Update. [Built-in and custom tags](cost-management-guide.md#understand-the-entries) allow for [grouping](../cost-management-billing/costs/quick-acm-cost-analysis.md) in cost analysis. For more information about tracking costs, see [Cost management for Azure Lab Services](cost-management-guide.md).

+1. Select the **Lab plans** tile, select **Create**.

+To use Azure PowerShell, first verify the Az.LabServices module is installed. Then use the **Get-AzLabServicesLabPlan** cmdlet.

+To use Azure PowerShell, first verify the Az.LabServices module is installed. Then use the **Get-AzLabServicesLab** cmdlet.

+> To learn more about the integrated Az module experience available with the August 2022 Update, see [Quickstart: Create a lab plan using PowerShell and the Azure modules](quick-create-lab-plan-powershell.md).

+The [Az.LabServices](https://github.com/Azure/azure-devtestlab/tree/master/samples/ClassroomLabs/Modules/Library) PowerShell module simplifies the management of Azure Lab Services. This module provides composable functions to create, query, update and delete resources, such as labs, lab accounts, VMs, and images.

+> If you're using a version of Azure Lab Services prior to the [August 2022 Update](lab-services-whats-new.md), see [Specify Marketplace images available to lab creators](specify-marketplace-images-1.md).

+ Title: Troubleshooting lab creation

+description: This guide helps to fix common issues you might experience when using Azure Lab Services to create labs.

+# Troubleshooting lab creation in Azure Lab Services

+This article provides several common reasons why an educator might not be able to create a lab successfully and what to do to resolve the issue.

+## You can't see a virtual machine image

+Possible issues:

+- The Azure Compute Gallery is not connected to the lab plan. To connect an Azure Compute Gallery, see [Attach or detach a compute gallery](/azure/lab-services/how-to-attach-detach-shared-image-gallery).

+- The image is not enabled by the administrator. This applies to both Marketplace images and Azure Compute Gallery images. To enable images, see [Specify marketplace images for labs](specify-marketplace-images.md).

+- The image in the attached Azure Compute Gallery is not replicated to the same location as the lab plan. For more information, see [Store and share images in an Azure Compute Gallery](/azure/virtual-machines/shared-image-galleries).

+- Image sizes greater than 127GB or with multiple disks are not supported.

+## The preferred virtual machine size is not available

+Possible issues:

+- A quota is not yet requested or you need to request more quota. To request quota, see [Request a limit increase](capacity-limits.md#request-a-limit-increase).

+- A quota is granted in a location other than what is enabled for the selected lab plan. For more information, see [Request a limit increase](capacity-limits.md#request-a-limit-increase).

+>[!NOTE]

+> You can run a script to query for lab quotas across all your regions. For more information, see the [PowerShell Quota script](https://aka.ms/azlabs/scripts/quota-powershell).

+## You don't see multiple regions/locations to choose from

+Possible issues:

+- The administrator only enabled one region for the lab plan. To specify regions, see [Configure regions for labs](create-and-configure-labs-admin.md).

+- Lab plan uses advanced networking. The lab plan and all labs must be in the same region as the network. For more information, see [Use advanced networking](how-to-connect-vnet-injection.md).

+## Next steps

+For more information about setting up and managing labs, see:

+- [Manage lab plans](how-to-manage-lab-plans.md)

+- [Lab setup guide](setup-guide.md)

+ Title: Use advanced networking in Azure Lab Services | Microsoft Docs

+description: Create an Azure Lab Services lab plan with advanced networking. Create two labs and verify they share same virtual network when published.

+# Tutorial: Set up lab to lab communication with advanced networking

+Azure Lab Services provides a feature called advanced networking. Advanced networking enables you to control the network for labs created using lab plans. Advanced networking is used to enable various scenarios including [connecting to licensing servers](how-to-create-a-lab-with-shared-resource.md), using [hub-spoke model for Azure Networking](/azure/architecture/reference-architectures/hybrid-networking/), lab to lab communication, etc.

+Let's focus on the lab to lab communication scenario. For our example, we'll create labs for a web development class. Each student will need access to both a server VM and a client VM. The server and client VMs must be able to communicate with each other. We'll test communication by configuring Internet Control Message Protocol (ICMP) for each VM and allowing the VMs to ping each other.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Create a resource group

+> * Create a virtual network and subnet

+> * Delegate subnet to Azure Lab Services

+> * Create a network security group

+> * Update the network security group inbound rules

+> * Associate the network security group to virtual network

+> * Create a lab plan using advanced networking

+> * Create two labs

+> * Enable ICMP on the templates VMs

+> * Publish both labs

+> * Test communication between lab VMs

+## Prerequisites

+An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+## Create a resource group

+The following steps show how to use the Azure portal to [create a resource group](/azure/azure-resource-manager/management/manage-resource-groups-portal). For simplicity, we'll put all resources for this tutorial in the same resource group.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Select **Resource groups**.

+1. Select **+ Create** from the top menu.

+1. On the **Basics** tab of the **Create a resource group** page, do the following actions:

+ 1. For **Subscription**, choose the subscription in which you want to create your labs.

+ 1. For **Resource group**, type **MyResourceGroup**.

+ 1. For **Region**, select the region closest to you. For more information about available regions, see [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies).

+ :::image type="content" source="media/tutorial-create-lab-with-advanced-networking/create-resource-group.png" alt-text="Screenshot of create new resource group page in the Azure portal.":::

+1. Select **Review + Create**.

+1. Review the summary, and select **Create**.

+## Create a virtual network and subnet

+The following steps show how to use the Azure portal to create a virtual network and subnet that can be used with Azure Lab Services.

+> [!IMPORTANT]

+> When using Azure Lab Services with advanced networking, the virtual network, subnet, lab plan and lab must all be in the same region. For more information about which regions are supported by various products, see [Azure products by region](https://azure.microsoft.com/global-infrastructure/services/?products=lab-services).

+1. Open **MyResourceGroup** created previously.

+1. Select **+ Create** in the upper left corner of the Azure portal and search for "virtual network".

+1. Select the **Virtual network** tile and then select **Create**.

+1. On the **Basics** tab of the **Create virtual network**, do the following actions:

+ 1. For **Subscription**, choose the same subscription as the resource group.

+ 1. For **Resource group**, choose **MyResourceGroup**.

+ 1. For **Name**, enter **MyVirtualNetwork**.

+ 1. For **Region**, choose region that is also supported by Azure Lab Services. For more information about supported regions, see [Azure Lab Services by region](https://azure.microsoft.com/global-infrastructure/services/?products=lab-services).

+ 1. Select **Next: IP Addresses**.

+ :::image type="content" source="media/tutorial-create-lab-with-advanced-networking/create-virtual-network-basics-page.png" alt-text="Screenshot of Basics tab of Create virtual network page in the Azure portal.":::

+1. One the **IP Addresses** tab, create a subnet that will be used by the labs.

+ 1. Select **+ Add subnet**

+ 1. For **Subnet name**, enter **labservices-subnet**.

+ 1. For **Subnet address range**, enter range in CIDR notation. For example, 10.0.1.0/24 will have enough IP addresses for 251 lab VMs. (Five IP addresses are reserved by Azure for every subnet.) To create a subnet with more available IP addresses for VMs, use a different CIDR prefix length. For example, 10.0.0.0/20 would have room for over 4000 IP addresses for lab VMs. For more information about adding subnets, see [Add a subnet](/azure/virtual-network/virtual-network-manage-subnet).

+ 1. Select **OK**.

+1. Select **Review + Create**.

+1. Once validation passes, select **Create**.

+## Delegate subnet to Azure Lab Services

+In this section, we'll configure the subnet to be used with Azure Lab Services. To tell Azure Lab Services that a subnet may be used, the subnet must be [delegated to the service](/azure/virtual-network/manage-subnet-delegation).

+1. Open the **MyVirtualNetwork** resource.

+1. Select the **Subnets** item on the left menu.

+1. Select **labservices-subnet** subnet.

+1. Under the **Subnet delegation** section, select **Microsoft.LabServices/labplans** for the **Delegate subnet to a service** setting.

+1. Select **Save**.

+## Create a network security group

+An NSG is required when using advanced networking in Azure Lab Services. In this section, we'll create the NSG. In the following section, we'll add some inbound rules needed to access lab VMs.

+To create an NSG, complete the following steps:

+1. Select **+ Create a Resource** in the upper left corner of the Azure portal and search for "network security group".

+1. Select the **Network security group** tile and then select **Create**.

+1. On the **Basics** tab, of the **Create network security group**, do the following actions:

+ 1. For **Subscription**, choose the same subscription as used previously.

+ 1. For **Resource group**, choose **MyResourceGroup**.

+ 1. For the **Name**, enter **MyNsg**.

+ 1. For **Region**, choose same region as **MyVirtualNetwork** that was created previously.

+ 1. Select **Review + Create**.

+ :::image type="content" source="media/tutorial-create-lab-with-advanced-networking/create-network-security-group-basics-tab.png" alt-text="Screenshot of the Basics tab of the Create Network security group page in the Azure portal.":::

+1. When validation passes, select **Create**.

+## Update the network security group inbound rules

+To ensure that students can RDP to the lab VMs, we need to create an **Allow** security rule. When using Linux, we need to adapt the rule for SSH. Let's create a rule that allows both RDP and SSH traffic. We'll use the subnet range defined in the previous section.

+1. Open **MyNsg**.

+1. Select **Inbound security rules** on the left menu.

+1. Select **+ Add** from the top menu bar. Fill in the details for adding the inbound security rule as follows:

+ 1. For **Source**, select **Any**.

+ 1. For **Source port ranges**, select **\***.

+ 1. For **Destination**, select **IP Addresses**.

+ 1. For **Destination IP addresses/CIDR ranges**, select subnet range from **labservices-subnet** created previously.

+ 1. For **Service**, select **Custom**.

+ 1. For **Destination port ranges**, enter **22, 3389**. Port 22 is for Secure Shell protocol (SSH). Port 3389 is for Remote Desktop Protocol (RDP).

+ 1. For **Protocol**, select **Any**.

+ 1. For **Action**, select **Allow**.

+ 1. For **Priority**, select **1000**. Priority must be higher than other **Deny** rules for RDP and/or SSH.

+ 1. For **Name**, enter **AllowRdpSshForLabs**.

+ 1. Select **Add**.

+ :::image type="content" source="media/tutorial-create-lab-with-advanced-networking/nsg-add-inbound-rule.png" alt-text="Screenshot of Add inbound rule window for Network security group.":::

+1. Wait for the rule to be created.

+1. Select **Refresh** on the menu bar. Our new rule will now show in the list of rules.

+## Associate network security group to virtual network

+We now have an NSG with an inbound security rule to allow lab VMs to connect to the virtual network. Let's associate the NSG with the virtual network we created earlier.

+1. Open **MyVirtualNetwork**.

+1. Select **Subnets** on the left menu.

+1. Select **+ Associate** from the top menu bar.

+1. On the **Associate subnet** page, do the following actions:

+ 1. For **Virtual network**, select **MyVirtualNetwork**.

+ 1. For **Subnet**, select **labservices-subnet**.

+ 1. Select **OK**.

+> [!WARNING]

+> Connecting the network security group to the subnet is a **required step**. Students will not be able to connect to their VMs if there is no network security group associated with the subnet.

+## Create a lab plan using advanced networking

+Now that we have the network created and configured, we can create the lab plan.

+1. Select **Create a resource** in the upper left-hand corner of the Azure portal.

+1. Search for **lab plan**.

+1. On the **Lab plan** tile, select the **Create** dropdown and choose **Lab plan**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/select-lab-plans-service.png" alt-text="All Services -> Lab Services":::

+1. On the **Basics** tab of the **Create a lab plan** page, do the following actions:

+ 1. For **Azure subscription**, select the subscription used earlier.

+ 2. For **Resource group**, select an existing resource group or select **Create new**, and enter a name for the new resource group.

+ 3. For **Name**, enter a lab plan name. For more information about naming restrictions, see [Microsoft.LabServices resource name rules](../azure-resource-manager/management/resource-name-rules.md#microsoftlabservices).

+ 4. For **Region**, select a location/region in which you want to create the lab plan.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/lab-plan-basics-page.png" alt-text="Screenshot of the basics page for lab plan creation.":::

+1. Select **Next: Networking**.

+1. On the **Networking** tab, do the following actions:

+ 1. Check **Enable advanced networking**.

+ 1. For **Virtual network**, choose **MyVirtualNetwork**.

+ 1. For **Subnet**, choose **labservices-subnet**.

+ 1. Select **Review + Create**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/lab-plan-networking-page.png" alt-text="Screenshot of the networking page for lab plan creation.":::

+1. When the validation succeeds, select **Create**.

+> [!NOTE]

+> Advanced networking can only be enabled when lab plans are created. Advanced networking can't be added later.

+## Create two labs

+Next, let's create two labs that are using advanced networking. These labs will use the **labservices-subnet** we associated with Azure Lab Services. Any lab VMs created using **MyLabPlan** will be able to communicate with each other. Communication can be restricted by using NSGs, firewalls, etc.

+To create a lab, see the following steps. We'll run the steps twice. Once to create the lab with the server VMs and once to create the lab with the client VMs.

+1. Navigate to Lab Services web site: [https://labs.azure.com](https://labs.azure.com).

+1. Select **Sign in** and enter your credentials. Azure Lab Services supports organizational accounts and Microsoft accounts.

+1. Select **MyResourceGroup** from the dropdown on the menu bar.

+1. Select **New lab**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/new-lab-button.png" alt-text="Screenshot of Azure Lab Services portal. New lab button is highlighted.":::

+1. In the **New Lab** window, do the following actions:

+ 1. Specify a **name**. The name should be easily identifiable. We'll use **MyServerLab** for the lab with the server VMs and **MyClientLab** for the lab with the client VMs. For more information about naming restrictions, see [Microsoft.LabServices resource name rules](../azure-resource-manager/management/resource-name-rules.md#microsoftlabservices).

+ 1. Choose a **virtual machine image**. For simplicity we'll use **Windows 11 Pro**, but you can choose another available image if you want. For more information about enabling virtual machine images, see [Specify Marketplace images available to lab creators](specify-marketplace-images.md).

+ 1. For **size**, select **Medium**.

+ 1. **Region** will only have one region. When a lab uses advanced networking, the lab must be in the same region as the associated subnet.

+ 1. Select **Next**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/new-lab-window.png" alt-text="Screenshot of the New lab window for Azure Lab Services.":::

+1. On the **Virtual machine credentials** page, specify default administrator credentials for all VMs in the lab. Specify the **name** and **password** for the administrator. By default all the student VMs will have the same password as the one specified here. Select **Next**.

+ :::image type="content" source="./media/tutorial-setup-lab/virtual-machine-credentials.png" alt-text="Screenshot that shows the Virtual machine credentials window when creating a new Azure Lab Services lab.":::

+ > [!IMPORTANT]

+ > Make a note of user name and password. They won't be shown again.

+1. On the **Lab policies** page, leave the default selections and select **Next**.

+ :::image type="content" source="./media/tutorial-setup-lab/quota-for-each-user.png" alt-text="Screenshot of the Lab policy window when creating a new Azure Lab Services lab.":::

+1. On the **Template virtual machine settings** window, leave the selection on **Create a template virtual machine**. Select **Finish**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/template-virtual-machine-settings.png" alt-text="Screenshot of the Template virtual machine settings windows when creating a new Azure Lab Services lab.":::

+1. You should see the following screen that shows the status of the template VM creation.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/create-template-vm-progress.png" alt-text="Screenshot of status of the template VM creation.":::

+1. Wait for the template VM to be created.

+## Enable ICMP on the lab templates

+Once the labs have been created, we'll enable ICMP (ping). Using ping is a simple example to show the template and lab VMs from different labs may communicate with each other. First, we'll enable ICMP on the template VMs for both labs. Enabling ICMP on the template VM will also enable it on the lab VMs. Once the labs are published, the lab VMs will be able to ping each other.

+To enable ICMP, complete the following steps for each template VM in each lab.

+1. On the **Template** page for the lab, start and connect to the template VM.

+ 1. Select **Start template**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/lab-start-template.png" alt-text="Screenshot of Azure Lab Services template page. The Start template menu button is highlighted.":::

+ > [!NOTE]

+ > Template VMs incur **cost** when running, so ensure that the template VM is shutdown when you donΓÇÖt need it to be running.

+ 1. Once the template is started, select **Connect to template**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/lab-connect-to-template.png" alt-text="Screenshot of Azure Lab Services template page. The Connect to template menu button is highlighted.":::

+Now that were logged on to the template VM, let's modify the firewall rules on the VM to allow ICMP. Since we're using Windows 11, we can use PowerShell and the [Enable-NetFilewallRule](/powershell/module/netsecurity/enable-netfirewallrule) cmdlet. To open a PowerShell window:

+1. Select the Start button.

+1. Type "PowerShell"

+1. Select the **Windows PowerShell** app.

+Run the following code:

+```powershell

+Enable-NetFirewallRule -Name CoreNet-Diag-ICMP4-EchoRequest-In

+Enable-NetFirewallRule -Name CoreNet-Diag-ICMP4-EchoRequest-Out

+```

+On the **Template** page for the lab, select **Stop** to stop the template VM.

+## Publish both labs

+In this step, you publish the lab. When you publish the template VM, Azure Lab Services creates VMs in the lab by using the template. All virtual machines have the same configuration as the template.

+1. On the **Template** page, select **Publish**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/lab-publish-template.png" alt-text="Screenshot of Azure Lab Services template page. The Publish menu button is highlighted.":::

+1. Enter the number of machines that are needed for the lab, then select **Publish**.

+ :::image type="content" source="./media/tutorial-create-lab-with-advanced-networking/publish-template-number-vms.png" alt-text="Screenshot of confirmation window for publish action of Azure.":::

+ > [!WARNING]

+ > Publishing is an irreversible action! It can't be undone.

+1. You see the **status of publishing** the template page. Wait until the publishing is complete.

+## Test communication between lab VMs

+In this section weΓÇÖll, wrap up by showing that the two student virtual machines in different labs are able to communicate with each other.

+First, let's start and connect to a lab VM from each lab. Complete the following steps for each lab.

+1. Open the lab in the [Azure Lab Services website](https://labs.azure.com).

+1. Select **Virtual machine pool** on the left menu.

+1. Select a single VM listed in the virtual machine pool.

+1. Take note of the **Private IP Address** for the VM. We'll need the private IP addresses of both the server lab and client lab VMs later.

+1. Select the **State** slider to change the state from **Stopped** to **Starting**.

+ > [!NOTE]

+ > When an educator turns on a student VM, quota for the student isn't affected. Quota for a user specifies the number of lab hours available to a student outside of the scheduled class time. For more information on quotas, see [Set quotas for users](how-to-configure-student-usage.md?#set-quotas-for-users).

+1. Once the **State** is **Running**, select the connect icon for the running VM. Open the download RDP file to connect to the VM. For more information about connection experiences on different operating systems, see [Connect to a lab VM](connect-virtual-machine.md).

+Now we can use the ping utility to test cross-lab communication. From the lab VM in the server lab, open a command prompt. Use `ping {ip-address}`. The `{ip-address}` is the **Private IP Address** of the client VM, that we noted previously. Test can also be done from the VM from the client lab to the lab VM in the server lab.

+When done, navigate to the **Virtual machine pool** page for each lab, select the lab VM and select the **State** slider to stop the lab VM.

+## Clean up resources

+If you're not going to continue to use this application, delete the virtual network, network security group, lab plan and labs with the following steps:

+1. In the [Azure portal](https://portal.azure.com), select the resource group you want to delete.

+1. Select **Delete resource group**.

+1. To confirm the deletion, type the name of the resource group

+## Next steps

+>[!div class="nextstepaction"]

+>[Add students to the labs](how-to-configure-student-usage.md)

+1. Select **Add** > **Add role assignment**.

+1. Search for **lab plan**. (**Lab plan** can also be found under the **DevOps** category.)

+1. On the **Lab plan** tile, select the **Create** dropdown and choose **Lab plan**.

+ :::image type="content" source="./media/tutorial-setup-lab/template-page-publish-button.png" alt-text="Screenshot of Azure Lab Services template page. The Publish template menu button is highlighted.":::

+ > [!WARNING]

+ > Publishing is an irreversible action! It can't be undone.

+ :::image type="content" source="./media/tutorial-setup-lab/publish-template-progress.png" alt-text="Screenshot of Azure Lab Services template page. The publishing in progress message is highlighted.":::

+ :::image type="content" source="./media/tutorial-setup-lab/virtual-machines-stopped.png" alt-text="Screenshot of virtual machines stopped. The virtual machine pool menu is highlighted.":::

+> [!NOTE]

+> When an educator turns on a student VM, quota for the student isn't affected. Quota for a user specifies the number of lab hours available to a student outside of the scheduled class time. For more information on quotas, see [Set quotas for users](how-to-configure-student-usage.md?#set-quotas-for-users).

+* [Create a text labeling project and export labels (preview)](how-to-create-text-labeling-projects.md)

+### Data labeling

+# [Data labeler](#tab/labeler)

+# [Labeling team lead](#tab/team-lead)

+ "Name": "Labeling Team Lead",

+ "IsCustom": true,

+ "Description": "Team lead for Labeling Projects",

+ "Actions": [

+ "Microsoft.MachineLearningServices/workspaces/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/write",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read"

+ ],

+ "NotActions": [

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/write",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/delete",

+ "Microsoft.MachineLearningServices/workspaces/labeling/export/action"

+ ],

+ "AssignableScopes": [

+ "/subscriptions/<subscription_id>"

+ ]

+# [Vendor account manager](#tab/vendor-admin)

+A vendor account manager can help manage all the vendor roles and perform any labeling action. They cannot modify projects or view MLAssist experiments.

+`Vendor_admin_role.json` :

+```json

+{

+ "Name": "Vendor account admin",

+ "IsCustom": true,

+ "Description": "Vendor account admin for Labeling Projects",

+ "Actions": [

+ "Microsoft.MachineLearningServices/workspaces/read",

+ "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/write",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/export/action",

+ "Microsoft.MachineLearningServices/workspaces/datasets/registered/read"

+ ],

+ "AssignableScopes": [

+ "/subscriptions/<subscription_id>"

+ ]

+}

+```

+# [Customer QA](#tab/customer-qa)

+A customer quality assurance role can view project dashboards, preview datasets, export a labeling project, and review submitted labels. This role can't submit labels.

+`customer_qa_role.json` :

+```json

+{

+ "Name": "Customer QA",

+ "IsCustom": true,

+ "Description": "Customer QA for Labeling Projects",

+ "Actions": [

+ "Microsoft.MachineLearningServices/workspaces/read",

+ "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/export/action",

+ "Microsoft.MachineLearningServices/workspaces/datasets/registered/read"

+ ],

+ "AssignableScopes": [

+ "/subscriptions/<subscription_id>"

+ ]

+}

+```

+# [Vendor QA](#tab/vendor-qa)

+A vendor quality assurance role can perform a customer quality assurance role, but cannot preview the dataset.

+`vendor_qa_role.json`:

+```json

+{

+ "Name": "Vendor QA",

+ "IsCustom": true,

+ "Description": "Vendor QA for Labeling Projects",

+ "Actions": [

+ "Microsoft.MachineLearningServices/workspaces/read",

+ "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read",

+ "Microsoft.MachineLearningServices/workspaces/labeling/export/action"

+ ],

+ "AssignableScopes": [

+ "/subscriptions/<subscription_id>"

+ ]

+}

+```

+- [Using a service principal with AKS](../aks/kubernetes-service-principal.md) is **not supported** by Azure Machine Learning. The AKS cluster must use a **system-assigned managed identity** instead.

+- If you have previously followed the steps from [AzureML AKS v1 document](./v1/how-to-create-attach-kubernetes.md) to create or attach your AKS as inference cluster, please use the following link to [clean up the legacy azureml-fe related resources](./v1/how-to-create-attach-kubernetes.md#delete-azureml-fe-related-resources) before you continue the next step.

+|Azure Arc-enabled Kubernetes or AKS|Reader|Applicable for both Arc-enabled Kubernetes cluster and AKS cluster.|

+>

+> Compute attach won't create the Kubernetes namespace automatically or validate whether the kubernetes namespace existed. You need to verify that the specified namespace exists in your cluster, otherwise, any AzureML workloads submitted to this compute will fail.

+ * **(Optional)** Enter Kubernetes namespace, which defaults to `default`. All machine learning workloads will be sent to the specified Kubernetes namespace in the cluster. Compute attach won't create the Kubernetes namespace automatically or validate whether the kubernetes namespace exists. You need to verify that the specified namespace exists in your cluster, otherwise, any AzureML workloads submitted to this compute will fail.

+## Supported paths

+When you provide a model you want to register, you'll need to specify a `path` parameter that points to the data or job location. Below is a table that shows the different data locations supported in Azure Machine Learning and examples for the `path` parameter:

+|Location | Examples |

+|||

+|A path on your local computer | `mlflow-model/model.pkl` |

+|A path on an AzureML Datastore | `azureml://datastores/<datastore-name>/paths/<path_on_datastore>` |

+|A path from an AzureML job | `azureml://jobs/<job-name>/outputs/<output-name>/paths/<path-to-model-relative-to-the-named-output-location>` |

+|A path from an MLflow job | `runs:/<run-id>/<path-to-model-relative-to-the-root-of-the-artifact-location>` |

+## Supported modes

+When you run a job with model inputs/outputs, you can specify the *mode* - for example, whether you would like the model to be read-only mounted or downloaded to the compute target. The table below shows the possible modes for different type/mode/input/output combinations:

+Type | Input/Output | `direct` | `download` | `ro_mount`

+ | | :: | :: | :: |

+`custom` file | Input | Γ£ô | | |

+`custom` folder | Input | Γ£ô | Γ£ô | Γ£ô |

+`mlflow` | Input | | Γ£ô | Γ£ô |

+`custom` file | Output | Γ£ô | Γ£ô | Γ£ô |

+`custom` folder | Output | Γ£ô | Γ£ô | Γ£ô |

+`mlflow` | Output | Γ£ô | Γ£ô | Γ£ô |

+The examples use the shorthand `azureml` scheme for pointing to a path on the `datastore` by using the syntax `azureml://datastores/<datastore-name>/paths/<path_on_datastore>`.

+|**Public workspace, all other resources in a virtual network** | Public IP | Public IP (service endpoint) <br> **- or -** <br> Private IP (private endpoint) | Public IP | Private IP |

+* [Deploy machine learning models to Azure](/azure/machine-learning/how-to-deploy-managed-online-endpoints)

+* [Deploy a trained model](how-to-deploy-managed-online-endpoints.md)

+Azure Machine Learning is still in development in air-gap Regions.

+| [Kubernetes compute](./how-to-attach-kubernetes-anywhere.md) | GA | NO | NO |

+| [FPGA-based Hardware Accelerated Models](./v1/how-to-deploy-fpga-web-service.md) | GA | NO | NO |

+| [Azure Stack Edge with FPGA](./v1/how-to-deploy-fpga-web-service.md#deploy-to-a-local-edge-server) | Public Preview | NO | NO |

+| [Kubernetes compute](./how-to-attach-kubernetes-anywhere.md) | GA | NO | NO |

+> **For unsupported storage solutions** (those not listed in the table below), you may run into issues connecting and working with your data. We suggest you [move your data](#move-data-to-supported-azure-storage-solutions) to a supported Azure storage solution. Doing this may also help with additional scenarios, like saving data egress cost during ML experiments.

+* [Deploy a model](../how-to-deploy-and-where.md)

+ Title: Deploy ML models to FPGAs

+description: Learn about field-programmable gate arrays. You can deploy a web service on an FPGA with Azure Machine Learning for ultra-low latency inference.

+# Deploy ML models to field-programmable gate arrays (FPGAs) with Azure Machine Learning

+In this article, you learn about FPGAs and how to deploy your ML models to an Azure FPGA using the [hardware-accelerated models Python package](/python/api/azureml-accel-models/azureml.accel) from [Azure Machine Learning](../overview-what-is-azure-machine-learning.md).

+## What are FPGAs?

+FPGAs contain an array of programmable logic blocks, and a hierarchy of reconfigurable interconnects. The interconnects allow these blocks to be configured in various ways after manufacturing. Compared to other chips, FPGAs provide a combination of programmability and performance.

+FPGAs make it possible to achieve low latency for real-time inference (or model scoring) requests. Asynchronous requests (batching) aren't needed. Batching can cause latency, because more data needs to be processed. Implementations of neural processing units don't require batching; therefore the latency can be many times lower, compared to CPU and GPU processors.

+You can reconfigure FPGAs for different types of machine learning models. This flexibility makes it easier to accelerate the applications based on the most optimal numerical precision and memory model being used. Because FPGAs are reconfigurable, you can stay current with the requirements of rapidly changing AI algorithms.

+

+|Processor| Abbreviation |Description|

+||:-:||

+|Application-specific integrated circuits|ASICs|Custom circuits, such as Google's Tensor Processor Units (TPU), provide the highest efficiency. They can't be reconfigured as your needs change.|

+|Field-programmable gate arrays|FPGAs|FPGAs, such as those available on Azure, provide performance close to ASICs. They're also flexible and reconfigurable over time, to implement new logic.|

+|Graphics processing units|GPUs|A popular choice for AI computations. GPUs offer parallel processing capabilities, making it faster at image rendering than CPUs.|

+|Central processing units|CPUs|General-purpose processors, the performance of which isn't ideal for graphics and video processing.|

+## FPGA support in Azure

+Microsoft Azure is the world's largest cloud investment in FPGAs. Microsoft uses FPGAs for deep neural networks (DNN) evaluation, Bing search ranking, and software defined networking (SDN) acceleration to reduce latency, while freeing CPUs for other tasks.

+FPGAs on Azure are based on Intel's FPGA devices, which data scientists and developers use to accelerate real-time AI calculations. This FPGA-enabled architecture offers performance, flexibility, and scale, and is available on Azure.

+Azure FPGAs are integrated with Azure Machine Learning. Azure can parallelize pre-trained DNN across FPGAs to scale out your service. The DNNs can be pre-trained, as a deep featurizer for transfer learning, or fine-tuned with updated weights.

+|Scenarios & configurations on Azure|Supported DNN models|Regional support|

+|--|--|-|

+|+ Image classification and recognition scenarios<br/>+ TensorFlow deployment (requires Tensorflow 1.x)<br/>+ Intel FPGA hardware|- ResNet 50<br/>- ResNet 152<br/>- DenseNet-121<br/>- VGG-16<br/>- SSD-VGG|- East US<br/>- Southeast Asia<br/>- West Europe<br/>- West US 2|

+To optimize latency and throughput, your client sending data to the FPGA model should be in one of the regions above (the one you deployed the model to).

+The **PBS Family of Azure VMs** contains Intel Arria 10 FPGAs. It will show as "Standard PBS Family vCPUs" when you check your Azure quota allocation. The PB6 VM has six vCPUs and one FPGA. PB6 VM is automatically provisioned by Azure Machine Learning during model deployment to an FPGA. It's only used with Azure ML, and it can't run arbitrary bitstreams. For example, you won't be able to flash the FPGA with bitstreams to do encryption, encoding, etc.

+## Deploy models on FPGAs

+You can deploy a model as a web service on FPGAs with [Azure Machine Learning Hardware Accelerated Models](/python/api/azureml-accel-models/azureml.accel). Using FPGAs provides ultra-low latency inference, even with a single batch size.

+In this example, you create a TensorFlow graph to preprocess the input image, make it a featurizer using ResNet 50 on an FPGA, and then run the features through a classifier trained on the ImageNet data set. Then, the model is deployed to an AKS cluster.

+### Prerequisites

+- An Azure subscription. If you don't have one, create a [pay-as-you-go](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go) account (free Azure accounts aren't eligible for FPGA quota).

+- An Azure Machine Learning workspace and the Azure Machine Learning SDK for Python installed, as described in [Create a workspace](../how-to-manage-workspace.md).

+

+- The hardware-accelerated models package: `pip install --upgrade azureml-accel-models[cpu]`

+

+- The [Azure CLI](/cli/azure/install-azure-cli)

+- FPGA quota. Submit a [request for quota](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR2nac9-PZhBDnNSV2ITz0LNUN0U5S0hXRkNITk85QURTWk9ZUUFUWkkyTC4u), or run this CLI command to check quota:

+ ```azurecli-interactive

+ az vm list-usage --location "eastus" -o table --query "[?localName=='Standard PBS Family vCPUs']"

+ ```

+ Make sure you have at least 6 vCPUs under the __CurrentValue__ returned.

+### Define the TensorFlow model

+Begin by using the [Azure Machine Learning SDK for Python](/python/api/overview/azure/ml/intro) to create a service definition. A service definition is a file describing a pipeline of graphs (input, featurizer, and classifier) based on TensorFlow. The deployment command compresses the definition and graphs into a ZIP file, and uploads the ZIP to Azure Blob storage. The DNN is already deployed to run on the FPGA.

+1. Load Azure Machine Learning workspace

+ ```python

+ import os

+ import tensorflow as tf

+

+ from azureml.core import Workspace

+

+ ws = Workspace.from_config()

+ print(ws.name, ws.resource_group, ws.location, ws.subscription_id, sep='\n')

+ ```

+1. Preprocess image. The input to the web service is a JPEG image. The first step is to decode the JPEG image and preprocess it. The JPEG images are treated as strings and the result are tensors that will be the input to the ResNet 50 model.

+ ```python

+ # Input images as a two-dimensional tensor containing an arbitrary number of images represented a strings

+ import azureml.accel.models.utils as utils

+ tf.reset_default_graph()

+

+ in_images = tf.placeholder(tf.string)

+ image_tensors = utils.preprocess_array(in_images)

+ print(image_tensors.shape)

+ ```

+1. Load featurizer. Initialize the model and download a TensorFlow checkpoint of the quantized version of ResNet50 to be used as a featurizer. Replace "QuantizedResnet50" in the code snippet to import other deep neural networks:

+ - QuantizedResnet152

+ - QuantizedVgg16

+ - Densenet121

+ ```python

+ from azureml.accel.models import QuantizedResnet50

+ save_path = os.path.expanduser('~/models')

+ model_graph = QuantizedResnet50(save_path, is_frozen=True)

+ feature_tensor = model_graph.import_graph_def(image_tensors)

+ print(model_graph.version)

+ print(feature_tensor.name)

+ print(feature_tensor.shape)

+ ```

+1. Add a classifier. This classifier was trained on the ImageNet data set.

+ ```python

+ classifier_output = model_graph.get_default_classifier(feature_tensor)

+ print(classifier_output)

+ ```

+1. Save the model. Now that the preprocessor, ResNet 50 featurizer, and the classifier have been loaded, save the graph and associated variables as a model.

+ ```python

+ model_name = "resnet50"

+ model_save_path = os.path.join(save_path, model_name)

+ print("Saving model in {}".format(model_save_path))

+

+ with tf.Session() as sess:

+ model_graph.restore_weights(sess)

+ tf.saved_model.simple_save(sess, model_save_path,

+ inputs={'images': in_images},

+ outputs={'output_alias': classifier_output})

+ ```

+1. Save input and output tensors **as you will use them for model conversion and inference requests**.

+ ```python

+ input_tensors = in_images.name

+ output_tensors = classifier_output.name

+ print(input_tensors)

+ print(output_tensors)

+ ```

+ The following models are listed with their classifier output tensors for inference if you used the default classifier.

+ + Resnet50, QuantizedResnet50

+ ```python

+ output_tensors = "classifier_1/resnet_v1_50/predictions/Softmax:0"

+ ```

+ + Resnet152, QuantizedResnet152

+ ```python

+ output_tensors = "classifier/resnet_v1_152/predictions/Softmax:0"

+ ```

+ + Densenet121, QuantizedDensenet121

+ ```python

+ output_tensors = "classifier/densenet121/predictions/Softmax:0"

+ ```

+ + Vgg16, QuantizedVgg16

+ ```python

+ output_tensors = "classifier/vgg_16/fc8/squeezed:0"

+ ```

+ + SsdVgg, QuantizedSsdVgg

+ ```python

+ output_tensors = ['ssd_300_vgg/block4_box/Reshape_1:0', 'ssd_300_vgg/block7_box/Reshape_1:0', 'ssd_300_vgg/block8_box/Reshape_1:0', 'ssd_300_vgg/block9_box/Reshape_1:0', 'ssd_300_vgg/block10_box/Reshape_1:0', 'ssd_300_vgg/block11_box/Reshape_1:0', 'ssd_300_vgg/block4_box/Reshape:0', 'ssd_300_vgg/block7_box/Reshape:0', 'ssd_300_vgg/block8_box/Reshape:0', 'ssd_300_vgg/block9_box/Reshape:0', 'ssd_300_vgg/block10_box/Reshape:0', 'ssd_300_vgg/block11_box/Reshape:0']

+ ```

+### Convert the model to the Open Neural Network Exchange format (ONNX)

+Before you can deploy to FPGAs, convert the model to the [ONNX](https://onnx.ai/) format.

+1. [Register](../concept-model-management-and-deployment.md) the model by using the SDK with the ZIP file in Azure Blob storage. Adding tags and other metadata about the model helps you keep track of your trained models.

+ ```python

+ from azureml.core.model import Model

+ registered_model = Model.register(workspace=ws,

+ model_path=model_save_path,

+ model_name=model_name)

+ print("Successfully registered: ", registered_model.name,

+ registered_model.description, registered_model.version, sep='\t')

+ ```

+ If you've already registered a model and want to load it, you may retrieve it.

+ ```python

+ from azureml.core.model import Model

+ model_name = "resnet50"

+ # By default, the latest version is retrieved. You can specify the version, i.e. version=1

+ registered_model = Model(ws, name="resnet50")

+ print(registered_model.name, registered_model.description,

+ registered_model.version, sep='\t')

+ ```

+1. Convert the TensorFlow graph to the ONNX format. You must provide the names of the input and output tensors, so your client can use them when you consume the web service.

+ ```python

+ from azureml.accel import AccelOnnxConverter

+ convert_request = AccelOnnxConverter.convert_tf_model(

+ ws, registered_model, input_tensors, output_tensors)

+ # If it fails, you can run wait_for_completion again with show_output=True.

+ convert_request.wait_for_completion(show_output=False)

+ # If the above call succeeded, get the converted model

+ converted_model = convert_request.result

+ print("\nSuccessfully converted: ", converted_model.name, converted_model.url, converted_model.version,

+ converted_model.id, converted_model.created_time, '\n')

+ ```

+### Containerize and deploy the model

+Next, create a Docker image from the converted model and all dependencies. This Docker image can then be deployed and instantiated. Supported deployment targets include Azure Kubernetes Service (AKS) in the cloud or an edge device such as [Azure Azure Stack Edge](../../databox-online/azure-stack-edge-overview.md). You can also add tags and descriptions for your registered Docker image.

+ ```python

+ from azureml.core.image import Image

+ from azureml.accel import AccelContainerImage

+ image_config = AccelContainerImage.image_configuration()

+ # Image name must be lowercase

+ image_name = "{}-image".format(model_name)

+ image = Image.create(name=image_name,

+ models=[converted_model],

+ image_config=image_config,

+ workspace=ws)

+ image.wait_for_creation(show_output=False)

+ ```

+ List the images by tag and get the detailed logs for any debugging.

+ ```python

+ for i in Image.list(workspace=ws):

+ print('{}(v.{} [{}]) stored at {} with build log {}'.format(

+ i.name, i.version, i.creation_state, i.image_location, i.image_build_log_uri))

+ ```

+#### Deploy to an Azure Kubernetes Service Cluster

+1. To deploy your model as a high-scale production web service, use AKS. You can create a new one using the Azure Machine Learning SDK, CLI, or [Azure Machine Learning studio](https://ml.azure.com).

+ ```python

+ from azureml.core.compute import AksCompute, ComputeTarget

+

+ # Specify the Standard_PB6s Azure VM and location. Values for location may be "eastus", "southeastasia", "westeurope", or "westus2". If no value is specified, the default is "eastus".

+ prov_config = AksCompute.provisioning_configuration(vm_size = "Standard_PB6s",

+ agent_count = 1,

+ location = "eastus")

+

+ aks_name = 'my-aks-cluster'

+ # Create the cluster

+ aks_target = ComputeTarget.create(workspace=ws,

+ name=aks_name,

+ provisioning_configuration=prov_config)

+ ```

+ The AKS deployment may take around 15 minutes. Check to see if the deployment succeeded.

+ ```python

+ aks_target.wait_for_completion(show_output=True)

+ print(aks_target.provisioning_state)

+ print(aks_target.provisioning_errors)

+ ```

+1. Deploy the container to the AKS cluster.

+ ```python

+ from azureml.core.webservice import Webservice, AksWebservice

+

+ # For this deployment, set the web service configuration without enabling auto-scaling or authentication for testing

+ aks_config = AksWebservice.deploy_configuration(autoscale_enabled=False,

+ num_replicas=1,

+ auth_enabled=False)

+

+ aks_service_name = 'my-aks-service'

+

+ aks_service = Webservice.deploy_from_image(workspace=ws,

+ name=aks_service_name,

+ image=image,

+ deployment_config=aks_config,

+ deployment_target=aks_target)

+ aks_service.wait_for_deployment(show_output=True)

+ ```

+#### Deploy to a local edge server

+All [Azure Azure Stack Edge devices](../../databox-online/azure-stack-edge-overview.md) contain an FPGA for running the model. Only one model can be running on the FPGA at one time. To run a different model, just deploy a new container. Instructions and sample code can be found in [this Azure Sample](https://github.com/Azure-Samples/aml-hardware-accelerated-models).

+### Consume the deployed model

+Lastly, use the sample client to call into the Docker image to get predictions from the model. Sample client code is available:

+- [Python](https://github.com/Azure/aml-real-time-ai/blob/master/pythonlib/amlrealtimeai/client.py)

+- [C#](https://github.com/Azure/aml-real-time-ai/blob/master/sample-clients/csharp)

+The Docker image supports gRPC and the TensorFlow Serving "predict" API.

+You can also download a sample client for TensorFlow Serving.

+```python

+# Using the grpc client in Azure ML Accelerated Models SDK package

+from azureml.accel import PredictionClient

+address = aks_service.scoring_uri

+ssl_enabled = address.startswith("https")

+address = address[address.find('/')+2:].strip('/')

+port = 443 if ssl_enabled else 80

+# Initialize Azure ML Accelerated Models client

+client = PredictionClient(address=address,

+ port=port,

+ use_ssl=ssl_enabled,

+ service_name=aks_service.name)

+```

+Since this classifier was trained on the ImageNet data set, map the classes to human-readable labels.

+```python

+import requests

+classes_entries = requests.get(

+ "https://raw.githubusercontent.com/Lasagne/Recipes/master/examples/resnet50/imagenet_classes.txt").text.splitlines()

+# Score image with input and output tensor names

+results = client.score_file(path="./snowleopardgaze.jpg",

+ input_name=input_tensors,

+ outputs=output_tensors)

+# map results [class_id] => [confidence]

+results = enumerate(results)

+# sort results by confidence

+sorted_results = sorted(results, key=lambda x: x[1], reverse=True)

+# print top 5 results

+for top in sorted_results[:5]:

+ print(classes_entries[top[0]], 'confidence:', top[1])

+```

+### Clean up resources

+To avoid unnecessary costs, clean up your resources **in this order**: web service, then image, and then the model.

+```python

+aks_service.delete()

+aks_target.delete()

+image.delete()

+registered_model.delete()

+converted_model.delete()

+```

+## Next steps

+ Title: Deploy a model for inference with GPU

+description: This article teaches you how to use Azure Machine Learning to deploy a GPU-enabled Tensorflow deep learning model as a web service.service and score inference requests.

+# Deploy a deep learning model for inference with GPU

+This article teaches you how to use Azure Machine Learning to deploy a GPU-enabled model as a web service. The information in this article is based on deploying a model on Azure Kubernetes Service (AKS). The AKS cluster provides a GPU resource that is used by the model for inference.

+Inference, or model scoring, is the phase where the deployed model is used to make predictions. Using GPUs instead of CPUs offers performance advantages on highly parallelizable computation.

+> [!IMPORTANT]

+> When using the Azure ML __SDK v1__, GPU inference is only supported on Azure Kubernetes Service. When using the Azure ML __SDK v2__ or __CLI v2__, you can use an online endpoint for GPU inference. For more information, see [Deploy and score a machine learning model with an online endpoint](../how-to-deploy-managed-online-endpoints.md).

+> For inference using a __machine learning pipeline__, GPUs are only supported on Azure Machine Learning Compute. For more information on using ML pipelines, see [Tutorial: Build an Azure Machine Learning pipeline for batch scoring](../tutorial-pipeline-batch-scoring-classification.md).

+> [!TIP]

+> Although the code snippets in this article use a TensorFlow model, you can apply the information to any machine learning framework that supports GPUs.

+> [!NOTE]

+> The information in this article builds on the information in the [How to deploy to Azure Kubernetes Service](how-to-deploy-azure-kubernetes-service.md) article. Where that article generally covers deployment to AKS, this article covers GPU specific deployment.

+## Prerequisites

+* An Azure Machine Learning workspace. For more information, see [Create an Azure Machine Learning workspace](../quickstart-create-resources.md).

+* A Python development environment with the Azure Machine Learning SDK installed. For more information, see [Azure Machine Learning SDK](/python/api/overview/azure/ml/install).

+* A registered model that uses a GPU.

+ * To learn how to register models, see [Deploy Models](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

+ * To create and register the Tensorflow model used to create this document, see [How to Train a TensorFlow Model](../how-to-train-tensorflow.md).

+* A general understanding of [How and where to deploy models](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

+## Connect to your workspace

+To connect to an existing workspace, use the following code:

+> [!IMPORTANT]

+> This code snippet expects the workspace configuration to be saved in the current directory or its parent. For more information on creating a workspace, see [Create workspace resources](../quickstart-create-resources.md). For more information on saving the configuration to file, see [Create a workspace configuration file](../how-to-configure-environment.md#workspace).

+```python

+from azureml.core import Workspace

+# Connect to the workspace

+ws = Workspace.from_config()

+```

+## Create a Kubernetes cluster with GPUs

+Azure Kubernetes Service provides many different GPU options. You can use any of them for model inference. See [the list of N-series VMs](https://azure.microsoft.com/pricing/details/virtual-machines/linux/#n-series) for a full breakdown of capabilities and costs.

+The following code demonstrates how to create a new AKS cluster for your workspace:

+```python

+from azureml.core.compute import ComputeTarget, AksCompute

+from azureml.exceptions import ComputeTargetException

+# Choose a name for your cluster

+aks_name = "aks-gpu"

+# Check to see if the cluster already exists

+try:

+ aks_target = ComputeTarget(workspace=ws, name=aks_name)

+ print('Found existing compute target')

+except ComputeTargetException:

+ print('Creating a new compute target...')

+ # Provision AKS cluster with GPU machine

+ prov_config = AksCompute.provisioning_configuration(vm_size="Standard_NC6")

+ # Create the cluster

+ aks_target = ComputeTarget.create(

+ workspace=ws, name=aks_name, provisioning_configuration=prov_config

+ )

+ aks_target.wait_for_completion(show_output=True)

+```

+> [!IMPORTANT]

+> Azure will bill you as long as the AKS cluster exists. Make sure to delete your AKS cluster when you're done with it.

+For more information on using AKS with Azure Machine Learning, see [How to deploy to Azure Kubernetes Service](how-to-deploy-azure-kubernetes-service.md).

+## Write the entry script

+The entry script receives data submitted to the web service, passes it to the model, and returns the scoring results. The following script loads the Tensorflow model on startup, and then uses the model to score data.

+> [!TIP]

+> The entry script is specific to your model. For example, the script must know the framework to use with your model, data formats, etc.

+```python

+import json

+import numpy as np

+import os

+import tensorflow as tf

+from azureml.core.model import Model

+def init():

+ global X, output, sess

+ tf.reset_default_graph()

+ model_root = os.getenv('AZUREML_MODEL_DIR')

+ # the name of the folder in which to look for tensorflow model files

+ tf_model_folder = 'model'

+ saver = tf.train.import_meta_graph(

+ os.path.join(model_root, tf_model_folder, 'mnist-tf.model.meta'))

+ X = tf.get_default_graph().get_tensor_by_name("network/X:0")

+ output = tf.get_default_graph().get_tensor_by_name("network/output/MatMul:0")

+ sess = tf.Session()

+ saver.restore(sess, os.path.join(model_root, tf_model_folder, 'mnist-tf.model'))

+def run(raw_data):

+ data = np.array(json.loads(raw_data)['data'])

+ # make prediction

+ out = output.eval(session=sess, feed_dict={X: data})

+ y_hat = np.argmax(out, axis=1)

+ return y_hat.tolist()

+```

+This file is named `score.py`. For more information on entry scripts, see [How and where to deploy](/azure/machine-learning/how-to-deploy-managed-online-endpoints).

+## Define the conda environment

+The conda environment file specifies the dependencies for the service. It includes dependencies required by both the model and the entry script. Please note that you must indicate azureml-defaults with verion >= 1.0.45 as a pip dependency, because it contains the functionality needed to host the model as a web service. The following YAML defines the environment for a Tensorflow model. It specifies `tensorflow-gpu`, which will make use of the GPU used in this deployment:

+```yaml

+name: project_environment

+dependencies:

+ # The Python interpreter version.

+ # Currently Azure ML only supports 3.5.2 and later.

+- python=3.6.2

+- pip:

+ # You must list azureml-defaults as a pip dependency

+ - azureml-defaults>=1.0.45

+ - numpy

+ - tensorflow-gpu=1.12

+channels:

+- conda-forge

+```

+For this example, the file is saved as `myenv.yml`.

+## Define the deployment configuration

+> [!IMPORTANT]

+> AKS does not allow pods to share GPUs, you can have only as many replicas of a GPU-enabled web service as there are GPUs in the cluster.

+The deployment configuration defines the Azure Kubernetes Service environment used to run the web service:

+```python

+from azureml.core.webservice import AksWebservice

+gpu_aks_config = AksWebservice.deploy_configuration(autoscale_enabled=False,

+ num_replicas=3,

+ cpu_cores=2,

+ memory_gb=4)

+```

+For more information, see the reference documentation for [AksService.deploy_configuration](/python/api/azureml-core/azureml.core.webservice.akswebservice#deploy-configuration-autoscale-enabled-none--autoscale-min-replicas-none--autoscale-max-replicas-none--autoscale-refresh-seconds-none--autoscale-target-utilization-none--collect-model-data-none--auth-enabled-none--cpu-cores-none--memory-gb-none--enable-app-insights-none--scoring-timeout-ms-none--replica-max-concurrent-requests-none--max-request-wait-time-none--num-replicas-none--primary-key-none--secondary-key-none--tags-none--properties-none--description-none--gpu-cores-none--period-seconds-none--initial-delay-seconds-none--timeout-seconds-none--success-threshold-none--failure-threshold-none--namespace-none--token-auth-enabled-none--compute-target-name-none-).

+## Define the inference configuration

+The inference configuration points to the entry script and an environment object, which uses a docker image with GPU support. Please note that the YAML file used for environment definition must list azureml-defaults with version >= 1.0.45 as a pip dependency, because it contains the functionality needed to host the model as a web service.

+```python

+from azureml.core.model import InferenceConfig

+from azureml.core.environment import Environment, DEFAULT_GPU_IMAGE

+myenv = Environment.from_conda_specification(name="myenv", file_path="myenv.yml")

+myenv.docker.base_image = DEFAULT_GPU_IMAGE

+inference_config = InferenceConfig(entry_script="score.py", environment=myenv)

+```

+For more information on environments, see [Create and manage environments for training and deployment](how-to-use-environments.md).

+For more information, see the reference documentation for [InferenceConfig](/python/api/azureml-core/azureml.core.model.inferenceconfig).

+## Deploy the model

+Deploy the model to your AKS cluster and wait for it to create your service.

+```python

+from azureml.core.model import Model

+# Name of the web service that is deployed

+aks_service_name = 'aks-dnn-mnist'

+# Get the registerd model

+model = Model(ws, "tf-dnn-mnist")

+# Deploy the model

+aks_service = Model.deploy(ws,

+ models=[model],

+ inference_config=inference_config,

+ deployment_config=gpu_aks_config,

+ deployment_target=aks_target,

+ name=aks_service_name)

+aks_service.wait_for_deployment(show_output=True)

+print(aks_service.state)

+```

+For more information, see the reference documentation for [Model](/python/api/azureml-core/azureml.core.model.model).

+## Issue a sample query to your service

+Send a test query to the deployed model. When you send a jpeg image to the model, it scores the image. The following code sample downloads test data and then selects a random test image to send to the service.

+```python

+# Used to test your webservice

+import os

+import urllib

+import gzip

+import numpy as np

+import struct

+import requests

+# load compressed MNIST gz files and return numpy arrays

+def load_data(filename, label=False):

+ with gzip.open(filename) as gz:

+ struct.unpack('I', gz.read(4))

+ n_items = struct.unpack('>I', gz.read(4))

+ if not label:

+ n_rows = struct.unpack('>I', gz.read(4))[0]

+ n_cols = struct.unpack('>I', gz.read(4))[0]

+ res = np.frombuffer(gz.read(n_items[0] * n_rows * n_cols), dtype=np.uint8)

+ res = res.reshape(n_items[0], n_rows * n_cols)

+ else:

+ res = np.frombuffer(gz.read(n_items[0]), dtype=np.uint8)

+ res = res.reshape(n_items[0], 1)

+ return res

+# one-hot encode a 1-D array

+def one_hot_encode(array, num_of_classes):

+ return np.eye(num_of_classes)[array.reshape(-1)]

+# Download test data

+os.makedirs('./data/mnist', exist_ok=True)

+urllib.request.urlretrieve('http://yann.lecun.com/exdb/mnist/t10k-images-idx3-ubyte.gz', filename='./data/mnist/test-images.gz')

+urllib.request.urlretrieve('http://yann.lecun.com/exdb/mnist/t10k-labels-idx1-ubyte.gz', filename='./data/mnist/test-labels.gz')

+# Load test data from model training

+X_test = load_data('./data/mnist/test-images.gz', False) / 255.0

+y_test = load_data('./data/mnist/test-labels.gz', True).reshape(-1)

+# send a random row from the test set to score

+random_index = np.random.randint(0, len(X_test)-1)

+input_data = "{\"data\": [" + str(list(X_test[random_index])) + "]}"

+api_key = aks_service.get_keys()[0]

+headers = {'Content-Type': 'application/json',

+ 'Authorization': ('Bearer ' + api_key)}

+resp = requests.post(aks_service.scoring_uri, input_data, headers=headers)

+print("POST to url", aks_service.scoring_uri)

+print("label:", y_test[random_index])

+print("prediction:", resp.text)

+```

+For more information on creating a client application, see [Create client to consume deployed web service](../how-to-consume-web-service.md).

+## Clean up the resources

+If you created the AKS cluster specifically for this example, delete your resources after you're done.

+> [!IMPORTANT]

+> Azure bills you based on how long the AKS cluster is deployed. Make sure to clean it up after you are done with it.

+```python

+aks_service.delete()

+aks_target.delete()

+```

+## Next steps

+* [Deploy model on FPGA](how-to-deploy-fpga-web-service.md)

+* [Deploy model with ONNX](../concept-onnx.md#deploy-onnx-models-in-azure)

+* [Train TensorFlow DNN Models](../how-to-train-tensorflow.md)

+- The collected data is securely stored in Cosmos DB in a Microsoft subscription. The data is deleted when you delete the project. Storage is handled by Azure Migrate. You can't specifically choose a storage account for collected data.

+## Can I add multiple server credentials on appliance?

+Yes, we now support multiple server credentials to perform software inventory (discovery of installed applications), agentless dependency analysis, and discovery of SQL Server instances and databases. [Learn more](add-server-credentials.md) on how to provide credentials on the appliance configuration manager.

+## What type of server credentials can I add on the appliance?

+- Use assessment type **Azure SQL** when you want to assess your on-premises SQL Server in your VMware, Microsoft Hyper-V, and Physical/ Baremetal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc. for migration to SQL Server on Azure VM or Azure SQL Database or Azure SQL Managed Instance. [Learn More](concepts-azure-sql-assessment-calculation.md).

+Discovery and assessment of SQL Server instances and databases running in your VMware, Microsoft Hyper-V, and Physical/ Baremetal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc is now in preview. Get started with [this tutorial](tutorial-discover-vmware.md). If you want to try out this feature in an existing project, ensure that you have completed the [prerequisites](how-to-discover-sql-existing-project.md) in this article.

+- If you are not able to see a previously created group while creating the assessment, remove any server without a SQL instance from the group.

+You can create a single **Azure SQL** assessment consisting of desired SQL servers across VMware, Microsoft Hyper-V and Physical/ Baremetal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc. A single assessment covers readiness, SKUs, estimated costs and migration blockers for all the available SQL migration targets in Azure - Azure SQL Managed Instance, Azure SQL Database and SQL Server on Azure VM. You can then compare the assessment output for the desired targets. [Learn More](./concepts-azure-sql-assessment-calculation.md)

+This article provides an overview of assessments for migrating on-premises SQL Server instances from a VMware, Microsoft Hyper-V, and Physical environment to SQL Server on Azure VM or Azure SQL Database or Azure SQL Managed Instance using the [Azure Migrate: Discovery and assessment tool](./migrate-services-overview.md#azure-migrate-discovery-and-assessment-tool).

+**Azure SQL** | Assessments to migrate your on-premises SQL servers from your VMware, Microsoft Hyper-V, and Physical environment to SQL Server on Azure VM or Azure SQL Database or Azure SQL Managed Instance.

+- To create an assessment, you need to set up an Azure Migrate appliance for VMware, Hyper-V or Physical environment, whichever applicable. The appliance discovers on-premises servers, and sends metadata and performance data to Azure Migrate. [Learn more](migrate-appliance.md).

+> Currently the discovery of ASP.NET web apps is only available with appliance used for discovery of servers running in your VMware enviornment. These feature is not available for servers running in your Hyper-V enviornment and for physical servers or servers running on other clouds like AWS, GCP etc.

+ - Verify the permissions required to perform software inventory. You need a guest user account for Windows servers, and a regular/normal user account (non-sudo access) for all Linux servers.

+- Software inventory also identifies the SQL Server instances running in your VMware, Microsoft Hyper-V and Physical/ Bare-metal environments as well as IaaS services of other public cloud.

+> Currently the discovery of ASP.NET web apps is only available with appliance used for discovery of servers running in your VMware environment.

+- In case you are discovering assets on VMware environment then, Make sure servers where you're running app-discovery have PowerShell version 2.0 or later installed, and VMware Tools (later than 10.2.0) is installed.

+> [!Note]

+> Even though the processes in this document are covered for VMware, the processes are similar for Microsoft Hyper-V and Physical environment.

+> Discovery and assessment for SQL Server instances and databases is available across the Microsoft Hyper-V and Physical environment also.

+**Discovery and assessment of servers running in Hyper-V environment** | Azure Migrate: Discovery and assessment | Discover servers running in your Hyper-V environment.<br/><br/> Perform discovery of installed software inventory, SQL Server instances and databases, and agentless dependency analysis.<br/><br/> Collect server configuration and performance metadata for assessments.

+**Discovery and assessment of physical or virtualized servers on-premises** | Azure Migrate: Discovery and assessment | Discover physical or virtualized servers on-premises.<br/><br/> Perform discovery of installed software inventory, ASP.NET web apps, SQL Server instances and databases, and agentless dependency analysis.<br/><br/> Collect server configuration and performance metadata for assessments.

+- **SQL discovery and assessment agent**: sends the configuration and performance metadata of SQL Server instances and databases to Azure.

+> The last 3 services are only available in the appliance used for discovery and assessment of servers running in your VMware environment.

+**Appliance services** | The appliance has the following

+**Appliance services** | The appliance has the following

+**Data collection frequency** | Configuration metadata is collected and sent every 15 minutes. <br/><br/> Performance metadata is collected every 50 minutes to send a data point to Azure. <br/><br/> Software inventory data is sent to Azure once every 24 hours. <br/><br/> Agentless dependency data is collected every 5 minutes, aggregated on appliance and sent to Azure every 6 hours. <br/><br/> The SQL Server configuration data is updated once every 24 hours and the performance data is captured every 30 seconds. <br/><br/> The web apps configuration data is updated once every 24 hours. Performance data is not captured for web apps.| Configuration metadata is collected and sent every 30 minutes. <br/><br/> Performance metadata is collected every 30 seconds and is aggregated to send a data point to Azure every 15 minutes.<br/><br/> Software inventory data is sent to Azure once every 24 hours. <br/><br/> Agentless dependency data is collected every 5 minutes, aggregated on appliance and sent to Azure every 6 hours.<br/><br/> The SQL Server configuration data is updated once every 24 hours and the performance data is captured every 30 seconds.| Configuration metadata is collected and sent every 3 hours. <br/><br/> Performance metadata is collected every 5 minutes to send a data point to Azure.<br/><br/> Software inventory data is sent to Azure once every 24 hours. <br/><br/> Agentless dependency data is collected every 5 minutes, aggregated on appliance and sent to Azure every 6 hours.<br/><br/> The SQL Server configuration data is updated once every 24 hours and the performance data is captured every 30 seconds.

+## SQL Server instance and database discovery requirements

+[Software inventory](how-to-discover-applications.md) identifies SQL Server instances. Using this information, the appliance attempts to connect to respective SQL Server instances through the Windows authentication or SQL Server authentication credentials that are provided in the appliance configuration manager. Appliance can connect to only those SQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.

+After the appliance is connected, it gathers configuration and performance data for SQL Server instances and databases. SQL Server configuration data is updated once every 24 hours. Performance data is captured every 30 seconds.

+Support | Details

+ |

+**Supported servers** | supported only for servers running SQL Server in your VMware, Microsoft Hyper-V, and Physical/ Baremetal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc. You can discover up to 300 SQL Server instances or 6,000 SQL databases, whichever is less.

+**Windows servers** | Windows Server 2008 and later are supported.

+**Linux servers** | Currently not supported.

+**Authentication mechanism** | Both Windows and SQL Server authentication are supported. You can provide credentials of both authentication types in the appliance configuration manager.

+**SQL Server access** | Azure Migrate requires a Windows user account that is a member of the sysadmin server role.

+**SQL Server versions** | SQL Server 2008 and later are supported.

+**SQL Server editions** | Enterprise, Standard, Developer, and Express editions are supported.

+**Supported SQL configuration** | Currently, only discovery for standalone SQL Server instances and corresponding databases is supported.<br /><br /> Identification of Failover Cluster and Always On availability groups is not supported.

+**Supported SQL services** | Only SQL Server Database Engine is supported. <br /><br /> Discovery of SQL Server Reporting Services (SSRS), SQL Server Integration Services (SSIS), and SQL Server Analysis Services (SSAS) is not supported.

+> [!NOTE]

+> By default, Azure Migrate uses the most secure way of connecting to SQL instances i.e. Azure Migrate encrypts communication between the Azure Migrate appliance and the source SQL Server instances by setting the TrustServerCertificate property to `true`. Additionally, the transport layer uses SSL to encrypt the channel and bypass the certificate chain to validate trust. Hence, the appliance server must be set up to trust the certificate's root authority.

+>

+> However, you can modify the connection settings, by selecting **Edit SQL Server connection properties** on the appliance.[Learn more](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) to understand what to choose.

+[Dependency analysis](concepts-dependency-visualization.md) helps you analyze the dependencies between the discovered servers which can be easily visualized with a map view in Azure Migrate project and can be used to group related servers for migration to Azure. The following table summarizes the requirements for setting up agentless dependency analysis:

+## SQL Server instance and database discovery requirements

+[Software inventory](how-to-discover-applications.md) identifies SQL Server instances. Using this information, the appliance attempts to connect to respective SQL Server instances through the Windows authentication or SQL Server authentication credentials that are provided in the appliance configuration manager. Appliance can connect to only those SQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.

+After the appliance is connected, it gathers configuration and performance data for SQL Server instances and databases. SQL Server configuration data is updated once every 24 hours. Performance data is captured every 30 seconds.

+Support | Details

+ |

+**Supported servers** | supported only for servers running SQL Server in your VMware, Microsoft Hyper-V, and Physical/ Baremetal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc. You can discover up to 300 SQL Server instances or 6,000 SQL databases, whichever is less.

+**Windows servers** | Windows Server 2008 and later are supported.

+**Linux servers** | Currently not supported.

+**Authentication mechanism** | Both Windows and SQL Server authentication are supported. You can provide credentials of both authentication types in the appliance configuration manager.

+**SQL Server access** | Azure Migrate requires a Windows user account that is a member of the sysadmin server role.

+**SQL Server versions** | SQL Server 2008 and later are supported.

+**SQL Server editions** | Enterprise, Standard, Developer, and Express editions are supported.

+**Supported SQL configuration** | Currently, only discovery for standalone SQL Server instances and corresponding databases is supported.<br /><br /> Identification of Failover Cluster and Always On availability groups is not supported.

+**Supported SQL services** | Only SQL Server Database Engine is supported. <br /><br /> Discovery of SQL Server Reporting Services (SSRS), SQL Server Integration Services (SSIS), and SQL Server Analysis Services (SSAS) is not supported.

+> [!NOTE]

+> By default, Azure Migrate uses the most secure way of connecting to SQL instances i.e. Azure Migrate encrypts communication between the Azure Migrate appliance and the source SQL Server instances by setting the TrustServerCertificate property to `true`. Additionally, the transport layer uses SSL to encrypt the channel and bypass the certificate chain to validate trust. Hence, the appliance server must be set up to trust the certificate's root authority.

+>

+> However, you can modify the connection settings, by selecting **Edit SQL Server connection properties** on the appliance.[Learn more](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) to understand what to choose.

+**Server requirements** | For software inventory, VMware Tools must be installed and running on your servers. The VMware Tools version must be version 10.2.1 or later.<br /><br /> Windows servers must have PowerShell version 2.0 or later installed.<br/><br/>WMI must be enabled and available on Windows servers to gather the details of the roles and features installed on the servers.

+**Supported servers** | supported only for servers running SQL Server in your VMware, Microsoft Hyper-V, and Physical/ Baremetal environments as well as IaaS Servers of other public clouds such as AWS, GCP, etc. You can discover up to 300 SQL Server instances or 6,000 SQL databases, whichever is less.

+[Dependency analysis](concepts-dependency-visualization.md) helps you analyze the dependencies between the discovered servers which can be easily visualized with a map view in Azure Migrate project and can be used to group related servers for migration to Azure. The following table summarizes the requirements for setting up agentless dependency analysis:

+- Learn how to [prepare for a VMware assessment](./tutorial-discover-vmware.md).

+Azure Migrate supports discovery of SQL Server instances and databases running on on-premises machines by using Azure Migrate: Discovery and assessment. See the [Discovery](tutorial-discover-vmware.md) tutorial to get started.

+* [Software inventory](how-to-discover-applications.md) identifies the SQL Server instances that are running on the servers. Using the information it collects, the appliance attempts to connect to the SQL Server instances through the Windows authentication credentials or the SQL Server authentication credentials that are provided on the appliance. Then, it gathers data on SQL Server databases and their properties. The SQL Server discovery is performed once every 24 hours.

+* Appliance can connect to only those SQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.

+* SQL Server instances and databases data begin to appear in the portal within 24 hours after you start discovery.

+* By default, Azure Migrate uses the most secure way of connecting to SQL instances that is, Azure Migrate encrypts communication between the Azure Migrate appliance and the source SQL Server instances by setting the TrustServerCertificate property to `true`. Additionally, the transport layer uses SSL to encrypt the channel and bypass the certificate chain to validate trust. Hence, the appliance server must be set up to trust the certificate's root authority. However, you can modify the connection settings, by selecting **Edit SQL Server connection properties** on the appliance. [Learn more](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) to understand what to choose.

+ :::image type="content" source="./media/tutorial-discover-vmware/sql-connection-properties.png" alt-text="Screenshot that shows how to edit SQL Server connection properties.":::

+* [Software inventory](how-to-discover-applications.md) identifies the SQL Server instances that are running on the servers. Using the information it collects, the appliance attempts to connect to the SQL Server instances through the Windows authentication credentials or the SQL Server authentication credentials that are provided on the appliance. Then, it gathers data on SQL Server databases and their properties. The SQL Server discovery is performed once every 24 hours.

+* Appliance can connect to only those SQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.

+* SQL Server instances and databases data begin to appear in the portal within 24 hours after you start discovery.

+* By default, Azure Migrate uses the most secure way of connecting to SQL instances that is, Azure Migrate encrypts communication between the Azure Migrate appliance and the source SQL Server instances by setting the TrustServerCertificate property to `true`. Additionally, the transport layer uses SSL to encrypt the channel and bypass the certificate chain to validate trust. Hence, the appliance server must be set up to trust the certificate's root authority. However, you can modify the connection settings, by selecting **Edit SQL Server connection properties** on the appliance. [Learn more](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) to understand what to choose.

+ :::image type="content" source="./media/tutorial-discover-vmware/sql-connection-properties.png" alt-text="Screenshot that shows how to edit SQL Server connection properties.":::

+The user account on your servers must have the required permissions to initiate discovery of installed applications, agentless dependency analysis, and SQL Server instances and databases. You can provide the user account information in the appliance configuration manager. The appliance doesn't install agents on the servers.

+* For Windows servers, create an account (local or domain) that has administrator permissions on the servers. To discover SQL Server instances and databases, the Windows or SQL Server account must be a member of the sysadmin server role. Learn how to [assign the required role to the user account](/sql/relational-databases/security/authentication-access/server-level-roles).

+> You can add multiple server credentials in the Azure Migrate appliance configuration manager to initiate discovery of installed applications, agentless dependency analysis, and SQL Server instances and databases. You can add multiple domain, Windows (non-domain), Linux (non-domain), or SQL Server authentication credentials. Learn how to [add server credentials](add-server-credentials.md).

+In **Step 3: Provide server credentials to perform software inventory, agentless dependency analysis, discovery of SQL Server instances and databases in your Microsoft HyperV environment.**, you can provide multiple server credentials. If you don't want to use any of these appliance features, you can disable the slider and proceed with discovery of servers running on Hyper-V hosts/clusters. You can change this option at any time.

+ You can provide domain/, Windows(non-domain)/, Linux(non-domain)/, and SQL Server authentication credentials. Learn how to [provide credentials](add-server-credentials.md) and how we handle them.

+1. Review the [required permissions](add-server-credentials.md#required-permissions) on the account for discovery of installed applications, agentless dependency analysis, and discovery SQL Server instances and databases.

+ When you select **Save** or **Add more**, the appliance validates the domain credentials with the domain's Active Directory instance for authentication. Validation is made after each addition to avoid account lockouts as the appliance iterates to map credentials to respective servers.

+If validation fails, you can select a **Failed** status to see the validation error. Fix the issue, and then select **Revalidate credentials** to reattempt validation of the credentials.

+* [Software inventory](how-to-discover-applications.md) identifies the SQL Server instances that are running on the servers. Using the information it collects, the appliance attempts to connect to the SQL Server instances through the Windows authentication credentials or the SQL Server authentication credentials that are provided on the appliance. Then, it gathers data on SQL Server databases and their properties. The SQL Server discovery is performed once every 24 hours.

+* Appliance can connect to only those SQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.

+* SQL Server instances and databases data begin to appear in the portal within 24 hours after you start discovery.

+* By default, Azure Migrate uses the most secure way of connecting to SQL instances that is, Azure Migrate encrypts communication between the Azure Migrate appliance and the source SQL Server instances by setting the TrustServerCertificate property to `true`. Additionally, the transport layer uses SSL to encrypt the channel and bypass the certificate chain to validate trust. Hence, the appliance server must be set up to trust the certificate's root authority. However, you can modify the connection settings, by selecting **Edit SQL Server connection properties** on the appliance. [Learn more](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) to understand what to choose.

+ :::image type="content" source="./media/tutorial-discover-vmware/sql-connection-properties.png" alt-text="Screenshot that shows how to edit SQL Server connection properties.":::

+ > [!Note]

+ > To discover SQL Server databases on Windows Servers, both Windows and SQL Server authentication are supported. You can provide credentials of both authentication types in the appliance configuration manager. Azure Migrate requires a Windows user account that is a member of the sysadmin server role.

+> If you want to perform software inventory (discovery of installed applications) and enable agentless dependency analysis on Linux servers, it recommended to use Option 1.

+* [Software inventory](how-to-discover-applications.md) identifies the SQL Server instances that are running on the servers. Using the information it collects, the appliance attempts to connect to the SQL Server instances through the Windows authentication credentials or the SQL Server authentication credentials that are provided on the appliance. Then, it gathers data on SQL Server databases and their properties. The SQL Server discovery is performed once every 24 hours.

+* Appliance can connect to only those SQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.

+* SQL Server instances and databases data begin to appear in the portal within 24 hours after you start discovery.

+* By default, Azure Migrate uses the most secure way of connecting to SQL instances that is, Azure Migrate encrypts communication between the Azure Migrate appliance and the source SQL Server instances by setting the TrustServerCertificate property to `true`. Additionally, the transport layer uses SSL to encrypt the channel and bypass the certificate chain to validate trust. Hence, the appliance server must be set up to trust the certificate's root authority. However, you can modify the connection settings, by selecting **Edit SQL Server connection properties** on the appliance. [Learn more](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine) to understand what to choose.

+ :::image type="content" source="./media/tutorial-discover-vmware/sql-connection-properties.png" alt-text="Screenshot that shows how to edit SQL Server connection properties.":::

+## Update (August 2022)

+- SQL discovery and assessment for Microsoft Hyper-V and Physical/ Bare-metal environments as well as IaaS services of other public cloud.

+- Agentless VMware migration now supports concurrent replication of 300 VMs per vCenter.

+- Support to allow Azure sign-in from appliance for tenant where tenant restriction has been configured.

+ - Ensure **AKS-HCI** is selected in the **Platform** field.

+1. [Create a user-assigned managed identity in Azure](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity). You must have a managed identity created to run the deployment. This managed identity must have the following permissions when running a deployment. After the deployment is done, the managed identity can be deleted. Based on your ARM template choices, you'll need some or all of the following roles and permissions assigned to your managed identity:

+- Automation rules can also be [the mechanism by which you run a playbook](whats-new.md#automation-rules-for-alerts-preview) in response to an **alert** *not associated with an incident*.

+|**Requires log filtering** | Use Logstash <br><br>Use Azure Functions <br><br> Use LogicApps <br><br> Use custom code (.NET, Python) | While filtering can lead to cost savings, and ingests only the required data, some Microsoft Sentinel features are not supported, such as [UEBA](identify-threats-with-entity-behavior-analytics.md), [entity pages](entity-pages.md), [machine learning](bring-your-own-ml.md), and [fusion](fusion.md). <br><br>When configuring log filtering, you'll need to make updates in resources such as threat hunting queries and analytics rules |

+ Title: Use entities to classify and analyze data in Microsoft Sentinel

+## Entity identifiers

+### Strong and weak identifiers

+### Supported entities

+Information about entity pages can now be found at [Investigate entities with entity pages in Microsoft Sentinel](entity-pages.md).

+ Title: Investigate entities with entity pages in Microsoft Sentinel

+description: Use entity pages to get information about entities that you come across in your incident investigations. Gain insights into entity activities and assess risk.

+# Investigate entities with entity pages in Microsoft Sentinel

+When you come across a user account, a hostname / IP address, or an Azure resource in an incident investigation, you may decide you want to know more about it. For example, you might want to know its activity history, whether it's appeared in other alerts or incidents, whether it's done anything unexpected or out of character, and so on. In short, you want information that can help you determine what sort of threat these entities represent and guide your investigation accordingly.

+## Entity pages

+In these situations, you can select the entity (it will appear as a clickable link) and be taken to an **entity page**, a datasheet full of useful information about that entity. You can also arrive at an entity page by searching directly for entities on the Microsoft Sentinel **entity behavior** page. The types of information you will find on entity pages include basic facts about the entity, a timeline of notable events related to this entity and insights about the entity's behavior.

+More specifically, entity pages consist of three parts:

+- The left-side panel contains the entity's identifying information, collected from data sources like Azure Active Directory, Azure Monitor, Azure Activity, Azure Resource Manager, Microsoft Defender for Cloud, CEF/Syslog, and Microsoft 365 Defender (with all its components).

+- The center panel shows a [graphical and textual timeline](#the-timeline) of notable events related to the entity, such as alerts, bookmarks, [anomalies](soc-ml-anomalies.md), and activities. Activities are aggregations of notable events from Log Analytics. The queries that detect those activities are developed by Microsoft security research teams, and you can now [add your own custom queries to detect activities](customize-entity-activities.md) of your choosing.

+- The right-side panel presents [behavioral insights](#entity-insights) on the entity. These insights are continuously developed by Microsoft security research teams. They are based on various data sources and provide context for the entity and its observed activities, helping you to quickly identify [anomalous behavior](soc-ml-anomalies.md) and security threats.

+## The timeline

+The timeline is a major part of the entity page's contribution to behavior analytics in Microsoft Sentinel. It presents a story about entity-related events, helping you understand the entity's activity within a specific time frame.

+You can choose the **time range** from among several preset options (such as *last 24 hours*), or set it to any custom-defined time frame. Additionally, you can set filters that limit the information in the timeline to specific types of events or alerts.

+The following types of items are included in the timeline:

+- Alerts - any alerts in which the entity is defined as a **mapped entity**. Note that if your organization has created [custom alerts using analytics rules](./detect-threats-custom.md), you should make sure that the rules' entity mapping is done properly.

+- Bookmarks - any bookmarks that include the specific entity shown on the page.

+- Anomalies - UEBA detections based on dynamic baselines created for each entity across various data inputs and against its own historical activities, those of its peers, and those of the organization as a whole.

+- Activities - aggregation of notable events relating to the entity. A wide range of activities are collected automatically, and you can now [customize this section by adding activities](customize-entity-activities.md) of your own choosing.

+## Entity insights

+Entity insights are queries defined by Microsoft security researchers to help your analysts investigate more efficiently and effectively. The insights are presented as part of the entity page, and provide valuable security information on hosts and users, in the form of tabular data and charts. Having the information here means you don't have to detour to Log Analytics. The insights include data regarding sign-ins, group additions, anomalous events and more, and include advanced ML algorithms to detect anomalous behavior.

+The insights are based on the following data sources:

+- Syslog (Linux)

+- SecurityEvent (Windows)

+- AuditLogs (Azure AD)

+- SigninLogs (Azure AD)

+- OfficeActivity (Office 365)

+- BehaviorAnalytics (Microsoft Sentinel UEBA)

+- Heartbeat (Azure Monitor Agent)

+- CommonSecurityLog (Microsoft Sentinel)

+## How to use entity pages

+Entity pages are designed to be part of multiple usage scenarios, and can be accessed from incident management, the investigation graph, bookmarks, or directly from the entity search page under **Entity behavior** in the Microsoft Sentinel main menu.

+Entity page information is stored in the **BehaviorAnalytics** table, described in detail in the [Microsoft Sentinel UEBA reference](ueba-reference.md).

+## Supported entity pages

+Microsoft Sentinel currently offers the following entity pages:

+- User account

+- Host

+- IP address (**Preview**)

+ > [!NOTE]

+ > The **IP address entity page** (now in preview) contains **geolocation data** supplied by the **Microsoft Threat Intelligence service**. This service combines geolocation data from Microsoft solutions and third-party vendors and partners. The data is then available for analysis and investigation in the context of a security incident. For more information, see also [Enrich entities in Microsoft Sentinel with geolocation data via REST API (Public preview)](geolocation-data-api.md).

+- Azure resource (**Preview**)

+## Next steps

+In this document, you learned about getting information about entities in Microsoft Sentinel using entity pages. For more information about entities and how you can use them, see the following articles:

+- [Classify and analyze data using entities in Microsoft Sentinel](entities.md).

+- [Customize activities on entity page timelines](customize-entity-activities.md).

+- [Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel](identify-threats-with-entity-behavior-analytics.md)

+- [Enable entity behavior analytics](./enable-entity-behavior-analytics.md) in Microsoft Sentinel.

+- [Hunt for security threats](./hunting.md).

+## What is User and Entity Behavior Analytics (UEBA)?

+### Entity pages

+Information about **entity pages** can now be found at [Investigate entities with entity pages in Microsoft Sentinel](entity-pages.md).

+For example, for an **Impossible travel** incident, after confirming with the user that a VPN was used, navigate from the incident to the user entity page. Use the data displayed there to determine whether the locations captured are included in the user's commonly known locations.

+1. Select **Info** on the right, and then select **View full details** to jump to the [user entity page](entity-pages.md) to drill down further.

+ For example, note whether this is the user's first Potential Password spray incident, or watch the user's sign-in history to understand whether the failures were anomalous.

+* If you're already skilled up on Microsoft Sentinel, keep track of [what's new](whats-new.md) or join the [Microsoft Cloud Security Private Community](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR-kibZAPJAVBiU46J6wWF_5URDFSWUhYUldTWjdJNkFMVU1LTEU4VUZHMy4u) program for an earlier view into upcoming releases.

+* **Import business data as a watchlist**: For example, import lists of users with privileged system access, or terminated employees. Then, use the watchlist to create allowlists and blocklists to detect or prevent those users from logging in to the network.

+* **Reduce alert fatigue**: Create allowlists to suppress alerts from a group of users, such as users from authorized IP addresses who perform tasks that would normally trigger the alert. Prevent benign events from becoming alerts.

+You might also want to read the [documentation article on incident investigation](investigate-cases.md). As part of the investigation, you'll also use the [entity pages](entity-pages.md) to get more information about entities related to your incident or identified as part of your investigation.

+This section describes the enrichments UEBA adds to Microsoft Sentinel entities, along with all their details, that you can use to focus and sharpen your security incident investigations. These enrichments are displayed on [entity pages](entity-pages.md#how-to-use-entity-pages) and can be found in the following Log Analytics tables, the contents and schema of which are listed below:

+- The **IdentityInfo** table is where identity information synchronized to UEBA from Azure Active Directory (and from on-premises Active Directory via Microsoft Defender for Identity) is stored.

+The following table describes the behavior analytics data displayed on each [entity details page](entity-pages.md#how-to-use-entity-pages) in Microsoft Sentinel.

+For more information, see [Entity pages](entity-pages.md).

+The Azure Sentinel entity details pages provide an [Insights pane](entity-pages.md#entity-insights), which displays behavioral insights on the entity and help to quickly identify anomalies and security threats.

+- [Azure resource entity page (Preview)](#azure-resource-entity-page-preview)

+- [New data sources for User and entity behavior analytics (UEBA) (Preview)](#new-data-sources-for-user-and-entity-behavior-analytics-ueba-preview)

+- [Microsoft Sentinel Solution for SAP is now generally available](#microsoft-sentinel-solution-for-sap-is-now-generally-available)

+### Azure resource entity page (Preview)

+Azure resources such as Azure Virtual Machines, Azure Storage Accounts, Azure Key Vault, Azure DNS, and more are essential parts of your network. Threat actors might attempt to obtain sensitive data from your storage account, gain access to your key vault and the secrets it contains, or infect your virtual machine with malware. The new [Azure resource entity page](entity-pages.md) is designed to help your SOC investigate incidents that involve Azure resources in your environment, hunt for potential attacks, and assess risk.

+You can now gain a 360-degree view of your resource security with the new entity page, which provides several layers of security information about your resources.

+First, it provides some basic details about the resource: where it is located, when it was created, to which resource group it belongs, the Azure tags it contains, etc. Further, it surfaces information about access management: how many owners, contributors, and other roles are authorized to access the resource, and what networks are allowed access to it; what is the permission model of the key vault, is public access to blobs allowed in the storage account, and more. Finally, the page also includes some integrations, such as Microsoft Defender for Cloud, Defender for Endpoint, and Purview, that enrich the information about the resource.

+### New data sources for User and entity behavior analytics (UEBA) (Preview)

+The [Security Events data source](ueba-reference.md#ueba-data-sources) for UEBA, which until now included only event ID 4624 (An account was successfully logged on), now includes four more event IDs and types, currently in **PREVIEW**:

+ - 4625: An account failed to log on.

+ - 4648: A logon was attempted using explicit credentials.

+ - 4672: Special privileges assigned to new logon.

+ - 4688: A new process has been created.

+Having user data for these new event types in your workspace will provide you with more and higher-quality insights into the described user activities, from Active Directory and Azure AD enrichments to anomalous activity to matching with internal Microsoft threat intelligence, all further enabling your incident investigations to piece together the attack story.

+As before, to use this data source you must enable the [Windows Security Events data connector](data-connectors-reference.md#windows-security-events-via-ama). If you have enabled the Security Events data source for UEBA, you will automatically begin receiving these new event types without having to take any additional action.

+It's likely that the inclusion of these new event types will result in the ingestion of somewhat more *Security Events* data, billed accordingly. Individual event IDs cannot be enabled or disabled independently; only the whole Security Events data set together. You can, however, filter the event data at the source if you're using the new [AMA-based version of the Windows Security Events data connector](data-connectors-reference.md#windows-security-events-via-ama).

+- [Sync user entities from your on-premises Active Directory with Microsoft Sentinel (Preview)](#sync-user-entities-from-your-on-premises-active-directory-with-microsoft-sentinel-preview)

+- [Automation rules for alerts (Preview)](#automation-rules-for-alerts-preview)

+### Sync user entities from your on-premises Active Directory with Microsoft Sentinel (Preview)

+### Automation rules for alerts (Preview)

+ "properties": {

+ ...

+ "zonalResiliency": "true",

+ ...

+ }

+[sfmc-multi-az-nodes]: ./media/how-to-managed-cluster-availability-zones/sfmc-multi-az-nodes.png

+ Invoke-AzResourceAction -ResourceId <cluster resource id> -Parameters $params -Action listUpgradableVersions -Force

+ <button class="btn btn-success text-left btn-block" ng-click="add(vote.Key)">

+ <button class="btn btn-danger pull-right btn-block" ng-click="remove(vote.Key)">

+[Rollup 63](https://support.microsoft.com/topic/update-rollup-63-for-azure-site-recovery-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) | 9.50.6419.1 | 5.1.7626.0 | 9.50.6419.1 | 5.1.7626.0 | 2.0.9249.0

+## Updates (August 2022)

+### Update Rollup 63

+[Update rollup 63](https://support.microsoft.com/topic/update-rollup-63-for-azure-site-recovery-992e63af-aa94-4ea6-8d1b-2dd89a9cc70b) provides the following updates:

+**Update** | **Details**

+ |

+**Providers and agents** | Updates to Site Recovery agents and providers as detailed in the rollup KB article.

+**Issue fixes/improvements** | A number of fixes and improvement as detailed in the rollup KB article.

+**Azure VM disaster recovery** | Added support for Oracle Linux 8.6 Linux distro.

+**VMware VM/physical disaster recovery to Azure** | Added support for Oracle Linux 8.6 Linux distro.<br/><br/> Introduced the migration capability to move existing replications from classic to modernized experience for disaster recovery of VMware virtual machines, enabled using Azure Site Recovery. [Learn more](move-from-classic-to-modernized-vmware-disaster-recovery.md).

+ - To mount a VHD on Linux, consult the documentation for your Linux distribution.

+- If you're continuously hitting the metadata operations limit that a single Azure file share can accommodate (2,000 operations per file share), we suggest separating the file share into multiple file shares within the same storage account.

+When connecting to your Event Hub in no code editor, it is recommended that you create a new Consumer Group (which is the default option). This helps in avoiding the Event Hub reach the concurrent readersΓÇÖ limit. To understand more about Consumer groups and whether you should select an existing Consumer Group or create a new one, see [Consumer groups](../event-hubs/event-hubs-features.md). If your Event Hub is in Basic tier, you can only use the existing $Default Consumer group. If your Event Hub is in Standard or Premium tiers, you can create a new consumer group.

+ 

+When connecting to the Event Hub, if you choose ΓÇÿManaged IdentityΓÇÖ as Authentication mode, then the Azure Event Hubs Data owner role will be granted to the Managed Identity for the Stream Analytics job. To learn more about Managed Identity for Event Hub, see [Event Hubs Managed Identity](event-hubs-managed-identity.md).

+Managed identities eliminate the limitations of user-based authentication methods, like the need to reauthenticate because of password changes or user token expirations that occur every 90 days.

+ 

+After you set up your Event Hub's details and select **Connect**, you can add fields manually by using **+ Add field** if you know the field names. To instead detect fields and data types automatically based on a sample of the incoming messages, select **Autodetect fields**. Selecting the gear symbol allows you to edit the credentials if needed. When Stream Analytics job detect the fields, you'll see them in the list. You'll also see a live preview of the incoming messages in the **Data Preview** table under the diagram view.

+## Reference data inputs

+Reference data is either static or changes slowly over time. It is typically used to enrich incoming streaming and do lookups in your job. For example, you might join data in the data stream input to data in the reference data, much as you would perform a SQL join to look up static values.For more information about reference data inputs, see [Using reference data for lookups in Stream Analytics](stream-analytics-use-reference-data.md).

+### ADLS Gen2 as reference data

+Reference data is modeled as a sequence of blobs in ascending order of the date/time specified in the blob name. Blobs can only be added to the end of the sequence by using a date/time greater than the one specified by the last blob in the sequence. Blobs are defined in the input configuration. For more information, see [Use reference data from Blob Storage for a Stream Analytics job](data-protection.md).

+First, you have to select your ADLS Gen2. To see details about each field, see Azure Blob Storage section in [Azure Blob Storage Reference data input](stream-analytics-use-reference-data.md).

+ 

+Then, upload a JSON of array file and the fields in the file will be detected. Use this reference data to perform transformation with Streaming input data from Event Hub.

+ 

+When connecting to ADLS Gen2, if you choose ‘Managed Identity’ as Authentication mode, then the Storage Blob Data Contributor role will be granted to the Managed Identity for the Stream Analytics job. To learn more about Managed Identity for ADLS Gen2, see [Storage Blob Managed Identity](blob-output-managed-identity.md). Managed identities eliminate the limitations of user-based authentication methods, like the need to reauthenticate because of password changes or user token expirations that occur every 90 days.

+ 

+When connecting to Azure Cosmos DB, if you choose ‘Managed Identity’ as Authentication mode, then the Contributor role will be granted to the Managed Identity for the Stream Analytics job.To learn more about Managed Identity for Cosmos DB, see [Cosmos DB Managed Identity](cosmos-db-managed-identity.md). Managed identities eliminate the limitations of user-based authentication methods, like the need to reauthenticate because of password changes or user token expirations that occur every 90 days.

+ 

+## Data preview, errors and metrics

+### Metrics

+If the job is running, you can monitor the health of your job by navigating to Metrics tab. The four metrics shown by default are Watermark delay, Input events, Backlogged input events, Output events. You can use these to understand if the events are flowing in & output of the job without any input backlog. You can select more metrics from the list.To understand all the metrics in details, see [Stream Analytics metrics](stream-analytics-job-metrics.md).

+ 

+You can save the job anytime while creating it. Once you have configured the Event Hub, transformations, and Streaming outputs for the job, you can Start the job.

+**Note**: While the no code editor is in Preview, the Azure Stream Analytics service is Generally Available.

+> **IMPORTANT, PLEASE NOTE THE BELOW LIMITATIONS:**

+> - **The Azure ML integration is not currently supported in Synapse Workspaces with Data Exfiltration Protection.** If you are **not** using data exfiltration protection and want to connect to Azure ML using private endpoints, you can set up a managed AzureML private endpoint in your Synapse workspace. [Read more about managed private endpoints](../security/how-to-create-managed-private-endpoints.md)

+> - **AzureML linked service is not supported with self hosted integration runtimes.** This applies to Synapse workspaces with and without Data Exfiltration Protection.

+> - Autoscale is currently only available in the public cloud.

+>Deploying scaling plans with autoscale is currently limited to the following Azure regions in the public cloud:

+Certain modifications may be applied to specific VMs instead of the global scale set properties. Currently, the only VM-specific update that is supported is to attach/detach data disks to/from VMs in the scale set. This feature is in preview. For more information, see the [preview documentation](https://github.com/Azure/vm-scale-sets/tree/master/z_deprecated/preview/disk).

+The previous example will start with `capacity` as 2 and length of `virtualMachinesAllocated` and `virtualMachinesAssociated` as 0.

+The status of the Capacity Reservation will now show `capacity` as 2 and length of `virtualMachinesAllocated` and `virtualMachinesAssociated` as 1.

+The `capacity` is 2 and the length of `virtualMachinesAllocated` and `virtualMachinesAssociated` is 3.

+- [Remove a VM scale set](capacity-reservation-remove-virtual-machine-scale-set.md)

+>

+> Make sure the disks are set to `detach` as the [delete](../delete.md) option. If they are set to `delete`, update the VMs before deleting the VMs.

+>

+3. In the left-hand menu, search for and select **View advanced system settings**.

+2. In the left-hand menu, search for and select **View advanced system settings**.

+ Title: Configure a Deployer Web Application for SAP Deployment Automation Framework

+# Configure the Control Plane Web Application

+As a part of the SAP automation framework control plane, you can optionally create an interactive web application that will assist you in creating the required configuration files and deploying SAP workload zones and systems using Azure Pipelines.

+> [!IMPORTANT]

+> Control Plane Web Application is currently in PREVIEW and not yet available in the main branch.

+## Deploy via Azure Pipelines

+The web app allows you to create SAP workload zone objects and system infrastructure objects. These objects are essentially another representation of the Terraform configuration file.

+## Deploy the Control Plane Web Application

+> [!IMPORTANT]

+> Control Plane Web Application is currently in PREVIEW and not yet available in the main branch.

+A [network security group (NSG)](../virtual-network/network-security-groups-overview.md) contains a list of Access Control List (ACL) rules that allow or deny network traffic to subnets, NICs, or both. NSGs can be associated with either subnets or individual NICs connected to a subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VMs in that subnet. Traffic to an individual NIC can be restricted by associating an NSG directly to a NIC.

+|Bot300600|Unknown bots detected by threat intelligence<br />(This rule also includes IP addresses matched to the Tor network.)|

+* **Access Resource log**: You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. This log contains individual records for each request and associates that request to the unique Application Gateway that processed the request. Unique Application Gateway instances can be identified by the property instanceId.