-The Azure AD B2C App registrations experience is based on the general [App Registration experience](https://developer.microsoft.com/identity/blogs/new-app-registrations-experience-is-now-generally-available/) for any Azure AD tenant, but is tailored for Azure AD B2C tenants.

-Learn more about [permissions and consent](../active-directory/develop/v2-permissions-and-consent.md).

-Azure AD B2C uses [Azure Active Directory monitoring](../active-directory/reports-monitoring/overview-monitoring.md). Unlike Azure AD tenants, an Azure AD B2C tenant can't have a subscription associated with it. So, we need to take extra steps to enable the integration between Azure AD B2C and Log Analytics, which is where we send the logs.

-> In order to add permissions for an Azure AD group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).

-1. With **Azure Active Directory** still selected in your **Azure AD B2C** directory, select **Groups**, and then select a group. If you don't have an existing group, create a **Security** group, then add members. For more information, follow the procedure [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).

-You're ready to [create diagnostic settings](../active-directory/reports-monitoring/overview-monitoring.md) in the Azure portal.

-> It can take up to 15 minutes after an event is emitted for it to [appear in a Log Analytics workspace](../azure-monitor/logs/data-ingestion-time.md). Also, learn more about [Active Directory reporting latencies](../active-directory/reports-monitoring/reference-reports-latencies.md), which can impact the staleness of data and play an important role in reporting.

-Alerts are created by alert rules in Azure Monitor and can automatically run saved queries or custom log searches at regular intervals. You can create alerts based on specific performance metrics or when certain events occur. You can also create alerts on absence of an event, or when a number of events occur within a particular time window. For example, alerts can be used to notify you when average number of sign-ins exceeds a certain threshold. For more information, see [Create alerts](../azure-monitor/alerts/alerts-log.md).

-Azure Active Directory B2C (Azure AD B2C) is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). It's built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allows self-service sign-up to applications.

-| Learn how to troubleshoot Azure AD B2C | Learn how to [troubleshoot custom policies](./troubleshoot-custom-policies.md?tabs=applications) during development. Learn what a normal authentication flow looks like and use tools for discovering anomalies and errors. For example, use [Application Insights](troubleshoot-with-application-insights.md) to review output logs of user journeys. |

-| Load testing | Azure AD B2C can scale, but your application can scale only if all of its dependencies can scale. Load-test your APIs and CDN. Learn more about [Resilience through developer best practices](../active-directory/fundamentals/resilience-b2c-developer-best-practices.md).|

-* [Node.js runtime](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).

-* [Enable authentication in your own web API](enable-authentication-web-api.md)

-* [Node.js runtime](https://nodejs.org/en/download/) and [npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm). To test that you have Node.js and npm correctly installed on your machine, you can type `node --version` and `npm --version` in a terminal or command prompt.

-This article uses a sample [Windows Presentation Foundation (WPF) desktop](/visualstudio/designers/getting-started-with-wpf) application to illustrate how to add Azure Active Directory B2C (Azure AD B2C) authentication to your desktop apps.

-A computer that's running [Visual Studio 2019](https://www.visualstudio.com/downloads/) with .NET desktop development.

-1. [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop.git), or clone the sample web application from the [GitHub repo](https://github.com/Azure-Samples/active-directory-b2c-dotnet-desktop.git).

-To safeguard access to sites, web browsers will introduce a new secure-by-default model that assumes all cookies should be protected from external access unless otherwise specified. The Chrome browser is the first to implement this change, starting with [Chrome 80 in February 2020](https://www.chromium.org/updates/same-site). For more information about preparing for the change in Chrome, see [Developers: Get Ready for New SameSite=None; Secure Cookie Settings](https://blog.chromium.org/2019/10/developers-get-ready-for-new.html) on the Chromium Blog.

-1. [Add your custom domain name to Azure AD](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name-to-azure-ad).

-1. Get the example of a conditional access policy that checks the host name from [GitHub](https://github.com/azure-ad-b2c/samples/blob/master/policies/check-host-name).

-Custom email verification requires the use of a third-party email provider like [Mailjet](https://Mailjet.com), [SendGrid](./custom-email-sendgrid.md), or [SparkPost](https://sparkpost.com), a custom REST API, or any HTTP-based email provider (including your own). This article describes setting up a solution that uses Mailjet.

-With a Mailjet account created and the Mailjet API key stored in an Azure AD B2C policy key, create a Mailjet [dynamic transactional template](https://sendgrid.com/docs/ui/sending-email/how-to-send-an-email-with-dynamic-transactional-templates/).

-Custom email verification requires the use of a third-party email provider like [SendGrid](https://sendgrid.com), [Mailjet](https://Mailjet.com), or [SparkPost](https://sparkpost.com), a custom REST API, or any HTTP-based email provider (including your own). This article describes setting up a solution that uses SendGrid.

-> SendGrid offers customers the ability to send emails from shared IP and [dedicated IP addresses](https://sendgrid.com/docs/ui/account-and-settings/dedicated-ip-addresses/). When using dedicated IP addresses, you need to build your own reputation properly with an IP address warm-up. For more information, see [Warming Up An Ip Address](https://sendgrid.com/docs/ui/sending-email/warming-up-an-ip-address/).

-With a SendGrid account created and SendGrid API key stored in an Azure AD B2C policy key, create a SendGrid [dynamic transactional template](https://sendgrid.com/docs/ui/sending-email/how-to-send-an-email-with-dynamic-transactional-templates/).

-You can customize your Azure AD B2C pages with a banner logo, background image, and background color by using Azure Active Directory [Company branding](../active-directory/fundamentals/customize-branding.md). The company branding includes signing up, signing in, profile editing, and password resetting.

-1. Follow the steps in [Add branding to your organization's Azure Active Directory sign-in page](../active-directory/fundamentals/customize-branding.md).

-> Managing Azure AD B2C custom policies with Azure Pipelines currently uses **preview** operations available on the Microsoft Graph API `/beta` endpoint. Use of these APIs in production applications is not supported. For more information, see the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?toc=.%2fref%2ftoc.json&view=graph-rest-beta&preserve-view=true).

-* [Azure DevOps Services](/azure/devops/user-guide/)

-[devops-pipelines]: /azure/devops/pipelines

-> Managing Azure AD B2C custom policies with Azure Pipelines currently uses **preview** operations available on the Microsoft Graph API `/beta` endpoint. Use of these APIs in production applications is not supported. For more information, see the [Microsoft Graph REST API beta endpoint reference](/graph/api/overview?toc=.%2fref%2ftoc.json&view=graph-rest-beta&preserve-view=true).

-The GitHub Action for deploying Azure AD B2C custom policies uses the secret to acquire an access token that is used to interact with the Microsoft Graph API. For more information, see [Creating encrypted secrets for a repository](https://docs.github.com/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository).

-The workflow you created is triggered by the [push](https://docs.github.com/actions/reference/events-that-trigger-workflows#push) event. If you prefer, you can choose another event to trigger the workflow, for example a [pull request](https://docs.github.com/actions/reference/events-that-trigger-workflows#pull_request).

-You can also schedule a workflow to run at specific UTC times using [POSIX cron syntax](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/crontab.html#tag_20_25_07). The schedule event allows you to trigger a workflow at a scheduled time. For more information, see [Scheduled events](https://docs.github.com/actions/reference/events-that-trigger-workflows#scheduled-events).

-| app-routing.module.ts | [Angular routing module](https://angular.io/tutorial/toh-pt5) | This component enables navigation by interpreting a browser URL and loading the corresponding component. In this walkthrough, you add some components to the routing module, and you protect components with [MSAL Guard](https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/docs/msal-guard.md). Only authorized users can access the protected components. |

-1. Uses the Angular [HttpClient](https://angular.io/guide/http) class to call the web API.

-You can use an existing React app, or [create a new React App](https://reactjs.org/docs/create-a-new-react-app.html). To create a new project, run the following commands in your command shell:

-* The [Microsoft Technical Community](https://techcommunity.microsoft.com/) is the place for our IT pro partners and customers to collaborate, share, and learn. The [Microsoft Technical Community Info Center](https://techcommunity.microsoft.com/t5/Community-Info-Center/ct-p/Community-Info-Center) is used for announcements, blog posts, ask-me-anything (AMA) interactions with experts, and more. You can also [join the community to submit your ideas](https://techcommunity.microsoft.com/t5/Communities/ct-p/communities).

-To enable sign-in for users with an AD FS account in Azure Active Directory B2C (Azure AD B2C), create an Application Group in your AD FS. For more information, see [Build a web application using OpenID Connect with AD FS 2016 and later](/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs)

-Follow the guidelines how to [offer Sign in with Apple](https://developer.apple.com/design/human-interface-guidelines/sign-in-with-apple/overview/introduction/). Apple provides several **Sign in with Apple** buttons you can use to let people set up an account and sign in. If necessary, create a custom button to offer Sign in with Apple. Learn how to [display a Sign in with Apple button](https://developer.apple.com/design/human-interface-guidelines/sign-in-with-apple/overview/buttons/).

-If you want to get the `family_name`, and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/active-directory-optional-claims.md).

-If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/active-directory-optional-claims.md).

-To enable sign-in for users with an eBay account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [eBay developer console](https://developer.ebay.com). For more information, see [Creating a developer account](https://developer.ebay.com/api-docs/static/creating-edp-account.html). If you don't already have an eBay developer account, sign up at [https://developer.ebay.com/signin](https://developer.ebay.com/signin?tab=register).

-To enable sign-in with a GitHub account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [GitHub Developer](https://github.com/settings/developers) portal. For more information, see [Creating an OAuth App](https://docs.github.com/en/free-pro-team@latest/developers/apps/creating-an-oauth-app). If you don't already have a GitHub account, you can sign up at [https://www.github.com/](https://www.github.com/).

-To enable sign-in for users with a LinkedIn account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in [LinkedIn Developers website](https://www.developer.linkedin.com/). For more information, see [Authorization Code Flow](/linkedin/shared/authentication/authorization-code-flow). If you don't already have a LinkedIn account, you can sign up at [https://www.linkedin.com/](https://www.linkedin.com/).

-1. Sign in to the [LinkedIn Developers website](https://www.developer.linkedin.com/) with your LinkedIn account credentials.

-If you want to get the `family_name` and `given_name` claims from Azure AD, you can configure optional claims for your application in the Azure portal UI or application manifest. For more information, see [How to provide optional claims to your Azure AD app](../active-directory/develop/active-directory-optional-claims.md).

-To enable sign-in for users with a Salesforce account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in your Salesforce [App Manager](https://login.salesforce.com/). For more information, see [Configure Basic Connected App Settings](https://help.salesforce.com/articleView?id=connected_app_create_basics.htm), and [Enable OAuth Settings for API Integration](https://help.salesforce.com/articleView?id=connected_app_create_api_integration.htm)

-1. For **Metadata url**, enter the URL of the [Salesforce OpenID Connect Configuration document](https://help.salesforce.com/articleView?id=remoteaccess_using_openid_discovery_endpoint.htm). For a sandbox, login.salesforce.com is replaced with test.salesforce.com. For a community, login.salesforce.com is replaced with the community URL, such as username.force.com/.well-known/openid-configuration. The URL must be HTTPS.

-4. The **METADATA** is set to the URL of the [Salesforce OpenID Connect Configuration document](https://help.salesforce.com/articleView?id=remoteaccess_using_openid_discovery_endpoint.htm). For a sandbox, login.salesforce.com is replaced with test.salesforce.com. For a community, login.salesforce.com is replaced with the community URL, such as username.force.com/.well-known/openid-configuration. The URL must be HTTPS.

-For information about troubleshooting custom policies, see [Troubleshoot Azure AD B2C custom policies and Identity Experience Framework](./troubleshoot-custom-policies.md).

-This article focuses on working with **consumer accounts** in the Azure portal. For information about creating and deleting Work and Guest accounts, see [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md).

-For details about restoring a user within the first 30 days after deletion, or for permanently deleting a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/active-directory-users-restore.md).

-For automated user management scenarios, for example migrating users from another identity provider to your Azure AD B2C directory, see [Azure AD B2C: User migration](user-migration.md).

-Azure AD B2C is a separate service from [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md). It is built on the same technology as Azure AD but for a different purpose. It allows businesses to build customer facing applications, and then allow anyone to sign-up and into those applications with no restrictions on user account.

-In this sample, we'll use a [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md) that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.

-7. Replace startup class with the following code in the [ASP.NET MVC web app](../active-directory/develop/tutorial-v2-asp-webapp.md).

- > Create or modify certificates with correct custom domain name settings. </br> Go to techdocs.akamai.com for [Configure HTTPS hostnames](https://learn.akamai.com/en-us/webhelp/property-manager/https-delivery-with-property-manager/GUID-9EE0EB6A-E62B-4F5F-9340-60CBD093A429.html).

- - Go to arkoselabs.com to [request a demo](https://www.arkoselabs.com/book-a-demo/)

-1. Go to arkoselabs.com to [book a demo](https://www.arkoselabs.com/book-a-demo/).

-3. Navigate to the [Arkose Portal](https://dashboard.arkoselabs.com/login) sign-in page.

-5. [Create a storage account](../storage/common/storage-account-create.md?tabs=azure-portal&toc=%2fazure%2fstorage%2fblobs%2ftoc.json).

-Learn to integrate Azure Active Directory (Azure AD B2C) authentication with [Asignio](https://www.asignio.com/). With this integration, provide passwordless, soft biometric, and multifactor authentication experience to customers. Asignio uses patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature helps to reduce passwords, fraud, phishing, and credential reuse through omni-channel authentication.

-In this tutorial, learn to integrate Azure Active Directory B2C (Azure AD B2C) authentication with [Transmit Security](https://www.transmitsecurity.com/bindid) BindID, a passwordless authentication solution. BindID uses strong Fast Identity Online (FIDO2) biometric authentication for reliable omni-channel authentication. The solution ensures a smooth sign in experience for customers across devices and channels, while reducing fraud, phishing, and credential reuse.

- * Go to transmitsecurity.com to [get started](https://www.transmitsecurity.com/developer?utm_signup=dev_hub#try)

-In this tutorial, you can learn how to configure the [Cloudflare Web Application Firewall (WAF)](https://www.cloudflare.com/waf/) solution for Azure Active Directory B2C (Azure AD B2C) tenant with custom domain. Use Cloudflare WAF to help protect organizations from malicious attacks that can exploit vulnerabilities such as SQL Injection, and cross-site scripting (XSS).

-On cloudflare.com, you can [create an account](https://dash.cloudflare.com/sign-up). To enable WAF, on [Application Services]([https://www.cloudflare.com/plans/](https://www.cloudflare.com/plans/#price-matrix) select **Pro**, which is required.

-Go to your Cloudflare settings, and use the Cloudflare content to [configure the WAF](https://www.cloudflare.com/waf/) and learn about other security tools.

-Learn more about [Experian](https://www.experian.com/decision-analytics/account-opening-fraud/microsoft-integration) solutions, services, etc.

-1. Create an Experian account. To get started, go to [Experian](https://www.experian.com/decision-analytics/account-opening-fraud/microsoft-integration) and scroll to the bottom for the contact form.

-Go to f5.com resources and white papers for: [Easily Configure Secure Access to All Your Applications via Azure AD](https://www.f5.com/services/resources/white-papers/easily-configure-secure-access-to-all-your-applications-via-azure-active-directory)

- * 90-day BIG-IP full feature [trial license](https://www.f5.com/trial/big-ip-trial.php)

-To upgrade the Guided Configuration, go to my.f5.com for [K85454683: Upgrade F5 BIG-IP Guided Configuration on the BIG-IP system](https://support.f5.com/csp/article/K85454683).

-To learn more BIG-IP iRules, go to support.f5.com for [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145).

-[Grit Software Systems Visual Identity Experience Framework (IEF) Editor](https://www.gritiam.com/iefeditor), is a tool that saves time during Azure Active Directory B2C (Azure AD B2C) authentication deployment. It supports multiple languages without the need to write code. It also has a no code debugger for user journeys.

-In this tutorial, learn to configure Azure Active Directory B2C (Azure AD B2C) with [HYPR](https://get.hypr.com). When Azure AD B2C is the identity provider (IdP), you can integrate HYPR with customer applications for passwordless authentication. HYPR replaces passwords with public key encryptions that help prevent fraud, phishing, and credential reuse.

- - Request a HYPR [custom demo](https://get.hypr.com/free-trial)

- - For example, see [HYPR SDK for Java Web](https://docs.hypr.com/integratinghypr/docs/hypr-java-web-sdk)

-Deploy the provided [API code](https://github.com/azure-ad-b2c/partner-integrations/tree/master/samples/IDology/Api) to an Azure service. The code can be published from Visual Studio, following these [instructions](/visualstudio/deployment/quickstart-deploy-to-azure).

-1. Follow the instructions at [itsme](https://business.itsme.be/en) to complete the configuration.

- * Go to keyless.io to [Request a demo](https://keyless.io/go)

-In this tutorial, learn how to extend the capabilities of Azure Active Directory B2C (Azure AD B2C) with [PingAccess](https://www.pingidentity.com/en/software/pingaccess.html) and [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html). PingAccess provides access to applications and APIs, and a policy engine for authorized user access. PingFederate is an enterprise federation server for user authentication and single sign-on, an authority that permits customers, employees, and partners to access applications from devices. Use them together to enable secure hybrid access (SHA).

-In answer to these concerns, the approach in this tutorial is an Azure AD B2C, [PingAccess](https://www.pingidentity.com/en/software/pingaccess.html), and [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) integration.

-For more information, see [Microsoft Graph PowerShell documentation](/powershell/microsoftgraph).

-In this tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) with Strata [Maverics Identity Orchestrator](https://www.strata.io/maverics-identity-orchestrator/), which helps protect on-premises applications. It connects to identity systems, migrates users and credentials, synchronizes policies and configurations, and abstracts authentication and session management. Use Strata to transition from legacy, to Azure AD B2C, without rewriting applications.

-To get software and documentation, go to strata.io [Contact Strata Identity](https://www.strata.io/contact/). Determine Orchestrator prerequisites. Install and configure.

-2. Place the package on the system you'd like to install Maverics. If you're copying to a remote host, use SSH [scp](https://www.ssh.com/ssh/scp/).

-Learn more: [WhoIAM, Products and Services, Branded Identity Management System](https://www.whoiam.ai/brims/)

-For more information about WhoIAM BRIMS, request documentation on [WhoIAM, Contact Us](https://www.whoiam.ai/brims/).

-* (Optional) A [Postman platform](https://www.getpostman.com/) to test secured access

-To ensure that only authenticated callers can access your API, you can validate your Azure API Management configuration by calling the API with [Postman](https://www.getpostman.com/).

-1. Create a new `GET` request in [Postman](https://www.getpostman.com/). For the request URL, specify the speakers list endpoint of the API you published as one of the prerequisites. For example:

-|Sign-in|NA|Malicious sign-in's may try to brute force accounts or use leaked credentials|[Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection)|

-|Email OTP|NA|Fraudulent attempts to brute force or exhaust resources|[Endpoint protection](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business-b?ef_id=_k_22063a2ad7b719a498ec5e7edc5d6500_k_&OCID=AIDcmm7ol8ekjr_SEM__k_22063a2ad7b719a498ec5e7edc5d6500_k_&msclkid=22063a2ad7b719a498ec5e7edc5d6500) and [Authenticator App](/azure/active-directory/authentication/concept-authentication-authenticator-app)|

-|Multifactor authentication controls|NA|Unsolicited phone calls or SMS messages or resource exhaustion.|[Endpoint protection](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business-b?ef_id=_k_22063a2ad7b719a498ec5e7edc5d6500_k_&OCID=AIDcmm7ol8ekjr_SEM__k_22063a2ad7b719a498ec5e7edc5d6500_k_&msclkid=22063a2ad7b719a498ec5e7edc5d6500) and [Authenticator App](/azure/active-directory/authentication/concept-authentication-authenticator-app)|

-Azure AD B2C is compliant with [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749), [OpenID Connect (OIDC)](https://openid.net/certification), and [SAML](http://saml.xml.org/saml-specifications) protocols. It provides user authentication and single sign-on (SSO) functionality, with the endpoints listed in the following table.

-| [Groups](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md) | Groups can be used to manage administrative and user accounts.| Groups can be used to manage administrative accounts. You can't perform [group-based assignment of enterprise applications](../active-directory/manage-apps/assign-user-or-group-access-portal.md).|

-| [Roles and administrators](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md)| Fully supported for administrative and user accounts. | Roles are not supported with [consumer accounts](user-overview.md#consumer-user). Consumer accounts don't have access to any Azure resources.|

-The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](../active-directory/fundamentals/active-directory-users-restore.md).

-If you're not using [Conditional Access](conditional-access-user-flow.md), you can enable [Azure AD security defaults](../active-directory/fundamentals/concept-fundamentals-security-defaults.md) to force all administrative accounts to use MFA.

-1. Review your directory settings. Then select **Create**. Learn more about [troubleshooting deployment errors](../azure-resource-manager/templates/common-deployment-errors.md).

-A work account is created the same way for all tenants based on Azure AD. To create a work account, you can use the information in [Quickstart: Add new users to Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md). A work account is created using the **New user** choice in the Azure portal.

-Audit logs are published to the same pipeline as other activities for Azure Active Directory, so they can be accessed through the [Azure Active Directory reporting API](/graph/api/directoryaudit-list). For more information, see [Get started with the Azure Active Directory reporting API](../active-directory/reports-monitoring/concept-reporting-api.md).

-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

-[azure-ad-password-sync]: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#password-hash-sync-process-for-azure-ad-domain-services

-[concepts-forest]: concepts-resource-forest.md

-[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md

-[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md

-[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md

-[New-AzureAdServicePrincipal]: /powershell/module/AzureAD/New-AzureADServicePrincipal

-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

-[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md

-[whatis-azuread]: ../active-directory/fundamentals/active-directory-whatis.md

->If you would like to see directory extensions synchronized by Azure AD Connect, click **Enterprise App** and look for the Application ID of the **Tenant Schema Extension App**. For more information, see [Azure AD Connect sync: Directory extensions](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard).

-To sync onPremisesExtensionAttributes or directory extensions from on-premises to Azure AD, [configure Azure AD Connect](../active-directory/hybrid/how-to-connect-sync-feature-directory-extensions.md).

-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

-[Connect-AzAccount]: /powershell/module/Az.Accounts/Connect-AzAccount

-[Connect-AzureAD]: /powershell/module/AzureAD/Connect-AzureAD

-[New-AzResourceGroup]: /powershell/module/Az.Resources/New-AzResourceGroup

-[Get-AzureRMSubscription]: /powershell/module/AzureRM.Profile/Get-AzureRmSubscription

-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

-[New-ADServiceAccount]: /powershell/module/activedirectory/New-AdServiceAccount

-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

-[connect-windows-server-vm]: join-windows-vm.md#connect-to-the-windows-server-vm

-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

-[Set-ADComputer]: /powershell/module/activedirectory/set-adcomputer

-[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md

-* Using ```ADSIEdit``` as described in this [article](https://petri.com/active-directory-security-understanding-adminsdholder-object ).

->[!IMPORTANT]

->Currently, only the generic SQL and LDAP connectors are supported for use with the Azure AD ECMA Connector Host.

-In addition to the **core** user schema, the SCIM standard defines an **enterprise** user extension with a model for extending the user schema to meet your applicationΓÇÖs needs.

-For example, if your application requires both a user's email and userΓÇÖs manager, use the **core** schema to collect the userΓÇÖs email and the **enterprise** user schema to collect the userΓÇÖs manager.

-|workMail|emails[type eq ΓÇ£workΓÇ¥].value|Mail|

-The _Microsoft.SCIM_ project is the library that defines the components of the web service that conforms to the SCIM specification. It declares the interface _Microsoft.SCIM.IProvider_, requests are translated into calls to the providerΓÇÖs methods, which would be programmed to operate on an identity store.

-In the sample code, requests are authenticated using the Microsoft.AspNetCore.Authentication.JwtBearer package. The following code enforces that requests to any of the serviceΓÇÖs endpoints are authenticated using the bearer token issued by Azure AD for a specified tenant:

-The following code enforces that requests to any of the serviceΓÇÖs endpoints are authenticated using a bearer token signed with a custom key:

-In the sample code, the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. Here's the signature of that method:

-In the sample code, the request is translated into a call to the CreateAsync method of the serviceΓÇÖs provider. Here's the signature of that method:

-In the sample code, the request is translated into a call to the RetrieveAsync method of the serviceΓÇÖs provider. Here's the signature of that method:

-In the sample code, the request is translated into a call to the QueryAsync method of the serviceΓÇÖs provider. The value of the properties of the object provided as the value of the parameters argument are as follows:

-In the sample code, the request is translated into a call to the UpdateAsync method of the serviceΓÇÖs provider. Here's the signature of that method:

-In the sample code, the request is translated into a call to the DeleteAsync method of the serviceΓÇÖs provider. Here's the signature of that method:

-> * Create a help center article or technical documentation on how customers can get started. [Example: Envoy + Microsoft Azure AD integration.](https://envoy.help/en/articles/3453335-microsoft-azure-active-directory-integration/

-)

- * [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide&preserve-view=true )

-* [Working with the Azure AD entitlement management API](/graph/api/resources/entitlementmanagement-overview?view=graph-rest-1.0&preserve-view=true )

-* [accessPackage resource type](/graph/api/resources/accesspackage?view=graph-rest-1.0&preserve-view=true )

-* [Azure AD access reviews](/graph/api/resources/accessreviewsv2-overview?view=graph-rest-1.0&preserve-view=true )

-* [connectedOrganization resource type](/graph/api/resources/connectedorganization?view=graph-rest-1.0&preserve-view=true )

-* [entitlementManagementSettings resource type](/graph/api/resources/entitlementmanagementsettings?view=graph-rest-1.0&preserve-view=true )

-### Automate provisioning to SQL and LDAP based applications

- Many applications don't support the SCIM standard, and customers have historically used connectors developed for MIM to connect to them. The Azure AD provisioning service supports reusing connectors developed for MIM and provisioning users into applications that rely on an LDAP user store or a SQL database.

-Many applications may not yet support SCIM or rely on SQL / LDAP databases. Microsoft partners have developed SCIM gateways that allow you to synchronize users between Azure AD and various systems such as mainframes, HR systems, and legacy databases. In the image below, the SCIM Gateways are built and managed by partners.

-For federated domains, MFA may be enforced by Azure AD Conditional Access or by the on-premises federation provider. Each federated domain has a Microsoft Graph PowerShell security setting named **federatedIdpMfaBehavior**. You can set **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` so Azure AD accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Azure AD redirects the request to the federated identity provider to perform MFA. For more information, see [federatedIdpMfaBehavior](/graph/api/resources/internaldomainfederation?view=graph-rest-beta#federatedidpmfabehavior-values&preserve-view=true ).

-> 

-[Additional sign-in options work only for personal Microsoft accounts](https://azure.microsoft.com/updates/microsoft-account-signin-options/ ) but can't be used for signing in to work or school account resources.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).

-1. Select Microsoft Entra ID (Azure AD) > **Users** > **All users**.

-1. In the Manage section, select **Custom security attributes (preview)**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).

-1. Select Microsoft Entra ID (Azure AD) > **Users** > **All users**.

-1. In the Manage section, select **Custom security attributes (preview)**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).

-1. Select Microsoft Entra ID (Azure AD) > **Users** > **All users**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).

-1. Select Microsoft Entra ID (Azure AD) > **Users** > **All users**.

-1. In the Manage section, select **Custom security attributes (preview)**.

-Custom security attribute assignments for users are supported in Azure portal, PowerShell, and Microsoft Graph APIs. Custom security attribute assignments are not supported in My Apps or Microsoft 365 admin center.

-1. Select the user flow where you want to add the Facebook identity provider.

-1. Under Settings, select **Identity providers**

-You can also remove federation using the Microsoft Graph API [samlOrWsFedExternalDomainFederation](/graph/api/resources/samlorwsfedexternaldomainfederation?view=graph-rest-beta&preserve-view=true ) resource type.

-description: Instructions about how to add a custom domain using Azure Active Directory.

-# Add your custom domain name using the Azure portal

-Azure Active Directory (Azure AD) tenants come with an initial domain name, *\<domainname>.onmicrosoft.com*. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as *alain\@contoso.com*.

-## Create your directory in Azure AD

-After you get your domain name, you can create your first Azure AD directory. Sign in to the [Azure portal](https://portal.azure.com) for your directory, using an account with the **Owner** role for the subscription.

->[!IMPORTANT]

->The person who creates the tenant is automatically the Global administrator for that tenant. The Global administrator can add additional administrators to the tenant.

->[!TIP]

-> If you plan to federate your on-premises Windows Server AD with Azure AD, then you need to select **I plan to configure this domain for single sign-on with my local Active Directory** when you run the Azure AD Connect tool to synchronize your directories.

-> You also need to register the same domain name you select for federating with your on-premises directory in the **Azure AD Domain** step in the wizard. To see what that setup looks like, see [Verify the Azure AD domain selected for federation](../hybrid/connect/how-to-connect-install-custom.md#verify-the-azure-ad-domain-selected-for-federation). If you don't have the Azure AD Connect tool, you can [download it here](https://go.microsoft.com/fwlink/?LinkId=615771).

-## Add your custom domain name to Azure AD

-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

-1. Search for and select *Azure Active Directory* from any page. Then select **Custom domain names** > **Add custom domain**.

-1. In **Custom domain name**, enter your organization's new name, in this example, *contoso.com*. Select **Add domain**.

- >[!IMPORTANT]

- >You must include *.com*, *.net*, or any other top-level extension for this to work. When adding a custom domain, the Password Policy values will be inherited from the initial domain.

- The unverified domain is added. The **contoso.com** page appears showing your DNS information. Save this information. You need it later to create a TXT record to configure DNS.

-After you add your custom domain name to Azure AD, you must return to your domain registrar and add the Azure AD DNS information from your copied TXT file. Creating this TXT record for your domain verifies ownership of your domain name.

-Go back to your domain registrar and create a new TXT record for your domain based on your copied DNS information. Set the time to live (TTL) to 3600 seconds (60 minutes), and then save the record.

->[!IMPORTANT]

->You can register as many domain names as you want. However, each domain gets its own TXT record from Azure AD. Be careful when you enter the TXT file information at the domain registrar. If you enter the wrong or duplicate information by mistake, you'll have to wait until the TTL times out (60 minutes) before you can try again.

-After you register your custom domain name, make sure it's valid in Azure AD. The propagation from your domain registrar to Azure AD can be instantaneous or it can take a few days, depending on your domain registrar.

-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

-1. Search for and select *Azure Active Directory* from any page, then select **Custom domain names**.

-1. On the **contoso.com** page, select **Verify** to make sure your custom domain is properly registered and is valid for Azure AD.

-After you've verified your custom domain name, you can delete your verification TXT or MX file.

-If Azure AD can't verify a custom domain name, try the following suggestions:

- If you can't update the record on the registrar site, share the entry with someone who has permissions to add the entry and verify it's correct.

-# Add or delete users using Azure Active Directory

-Add new users or delete existing users from your Azure Active Directory (Azure AD) tenant. To add or delete users, you must be a User Administrator or Global Administrator.

-1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role.

-1. Navigate to **Azure Active Directory** > **Users**.

-1. Select either **Create new user** or **Invite external user** from the menu. You can change this setting on the next screen.

- - **Identity:** Add a user name and display name for the user. **User name** and **Name** are required and can't contain accent characters. You can also add a first and last name.

- The domain part of the user name must use either the initial default domain name, *\<yourdomainname>.onmicrosoft.com*, or a custom domain name, such as *contoso.com*. For more information about how to create a custom domain name, see [Add your custom domain name using the Azure portal](add-custom-domain.md).

- - **Groups and roles:** Optional. Add the user to one or more existing groups. Group membership can be set at any time. For more information about adding users to groups, see the [manage groups article](how-to-manage-groups.md).

- - **Settings:** Optional. Toggle the option to block sign-in for the user or set the user's default location.

- - **Job info**: Optional. Add the user's job title, department, company name, and manager. These details can be updated at any time. For more information about adding other user info, see [How to manage user profile information](./how-to-manage-user-profile-info.md).

-1. Select **Create**.

-The user is created and added to your Azure AD organization.

-You can also invite new guest user to collaborate with your organization by selecting **Invite user** from the **New user** page. If your organization's external collaboration settings are configured to allow guests, the user will be emailed an invitation they must accept in order to begin collaborating. For more information about inviting B2B collaboration users, see [Invite B2B users to Azure Active Directory](../external-identities/add-users-administrator.md).

-You can delete an existing user using Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com) using one of the appropriate roles listed above.

-1. Go to **Azure Active Directory** > **Users**.

-1. Search for and select the user you want to delete from your Azure AD tenant.

-1. Select **Delete user**.

-The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](./users-restore.md).

->[!Note]

->To update the identity, contact information, or job information for users whose source of authority is Windows Server Active Directory, you must use Windows Server Active Directory. After you complete the update, you must wait for the next synchronization cycle to complete before you'll see the changes.

-1. On the overview page, select **Manage tenants**

- 

-1. On the Configuration tab, enter the following information:

- 

- - Type your desired Organization name (for example _Contoso Organization_) into the **Organization name** box.

- - Type your desired Initial domain name (for example _Contosoorg_) into the **Initial domain name** box.

- - Select your desired Country/Region or leave the _United States_ option in the **Country or region** box.

-> Ensure your directory has at least two accounts with global administrator privileges assigned to them. This will help in the case that one global administrator is locked out. For more detail see the article, [Manage emergency access accounts in Azure AD](../roles/security-emergency-access.md).

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.

-# [Portal](#tab/azure-portal)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Click **Azure Active Directory**.

-1. In the left navigation menu, click **Custom security attributes (Preview)**.

-# [Portal](#tab/azure-portal)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Click **Azure Active Directory**.

-1. In the left navigation menu, click **Roles and administrators**.

- - **Sign in.** Choose this link if you have an existing tenant, and then sign in using your existing administrator account. You must be a global administrator on the tenant where the licenses are being activated.

-#Customer intent: As a brand-new Azure AD administrator, I need to view my organizationΓÇÖs groups along with the assigned members, so I can manage permissions to apps and services for people in my organization.

-# Quickstart: Create a group with members and view all groups and members in Azure Active Directory

-You can view your organization's existing groups and group members using the Azure portal. Groups are used to manage users that all need the same access and permissions for potentially restricted apps and services.

-In this quickstart, youΓÇÖll set up a new group and assign members to the group. Then you'll view your organization's group and assigned members. Throughout this guide, you'll create a user and group that you can use in other Azure AD Fundamentals quickstarts and tutorials.

-<a name='sign-in-to-the-azure-portal'></a>

-## Sign in to the [Azure portal](https://portal.azure.com)

-You must sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the directory.

-1. Go to **Azure Active Directory** > **Groups**.

-

-

-A user must exist before being added as a group member, so you'll need to create a new user. For this quickstart, we've added a user named _Alain Charon_. Check the "Custom domain names" tab first to get the verified domain name in which to create users. For more information about creating a user, see [How to add or delete users](./add-users.md).

-1. Go to **Azure Active Directory** > **Users**.

-1. Select **New user**.

- - **Name:** Type _Alain Charon_.

- - **User name:** Type *alain\@contoso.com*.

-Now that you have a group and a user, you can add _Alain Charon_ as a member to the _MDM policy - West_ group. For more information about adding group members, see the [Manage groups](how-to-manage-groups.md) article.

-1. Go to **Azure Active Directory** > **Groups**.

-2. From the **Groups - All groups** page, search for and select the **MDM policy - West** group.

-3. From the **MDM policy - West Overview** page, select **Members** from the **Manage** area.

-4. Select **Add members**, and then search and select **Alain Charon**.

-5. Choose **Select**.

-You can see all the groups for your organization in the **Groups - All groups** page of the Azure portal.

- The **Groups - All groups** page appears, showing all your active groups.

-Search the **Groups ΓÇô All groups** page to find the **MDM policy ΓÇô West** group.

-1. From the **Groups - All groups** page, type _MDM_ into the **Search** box.

-The group you just created is used in other articles in the Azure AD Fundamentals documentation. If you'd rather not use this group, you can delete it and its assigned members using the following steps:

-1. On the **Groups - All groups** page, search for the **MDM policy - West** group.

- The **MDM policy - West Overview** page appears.

- The group and its associated members are deleted.

- 

- >[!Important]

- >This doesn't delete the user Alain Charon, just his membership in the deleted group.

-Advance to the next article to learn how to associate a subscription to your Azure AD directory.

-All Azure subscriptions have a trust relationship with an Azure Active Directory (Azure AD) instance. Subscriptions rely on their trusted Azure AD to authenticate and authorize security principals and devices. When a subscription expires, the trusted instance of the Azure AD service remains, but the security principals lose access to Azure resources. Subscriptions can only trust a single directory while one Azure AD may be trusted by multiple subscriptions.

-When a user signs up for a Microsoft cloud service, a new Azure AD tenant is created and the user is made a member of the Global Administrator role. However, when an owner of a subscription joins their subscription to an existing tenant, the owner isn't assigned to the Global Administrator role.

-> [!Important]

-1. Sign in and select the subscription you want to use from the [Subscriptions page in Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).

-Microsoft Support access requests (preview) enable you to [give Microsoft Support engineers access to diagnostic data](concept-support-access-requests.md) in your identity service to help solve support requests you submitted to Microsoft. You can use the Microsoft Entra admin center and the Azure Active Directory (Azure AD) portal to manage Microsoft Support access requests (preview).

-Only authorized users in your tenant can view and manage Microsoft Support access requests. To view, approve, and reject Microsoft Support access requests, a role must have the permission `microsoft.azure.supportTickets/allEntities/allTasks`. To see which Azure AD roles have this permission, search the [Azure AD built-in roles](../roles/permissions-reference.md) for the required permission.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**.

-# How to create, invite, and delete users (preview)

-This article explains how to create a new user, invite an external guest, and delete a user in your Azure Active Directory (Azure AD) tenant.

-The updated experience for creating new users covered in this article is available as an Azure AD preview feature. This feature is enabled by default, but you can opt out by going to **Azure AD** > **Preview features** and disabling the **Create user experience** feature. For more information about previews, see [Universal License Terms For Online Services](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all).

-1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role.

-1. Navigate to **Azure Active Directory** > **Users**.

-1. Select **Create new user** from the menu.

-There are six categories of user properties you can provide. These properties can be added or updated after the user is created. To manage these details, go to **Azure AD** > **Users** and select a user to update.

-1. Sign in to the [Azure portal](https://portal.azure.com) in the **User Administrator** role. A role with Guest Inviter privileges can also invite external users.

-1. Navigate to **Azure Active Directory** > **Users**.

-1. Select **Invite external user** from the menu.

-1. Go to **Azure AD** > **Users** and select the invited guest user.

-1. Sign in to the [Azure portal](https://portal.azure.com) using one of the appropriate roles.

-1. Go to **Azure Active Directory** > **Users**.

-1. Search for and select the user you want to delete from your Azure AD tenant.

-The user is deleted and no longer appears on the **Users - All users** page. The user can be seen on the **Deleted users** page for the next 30 days and can be restored during that time. For more information about restoring a user, see [Restore or remove a recently deleted user using Azure Active Directory](./users-restore.md).

->[!Note]

->To update the identity, contact information, or job information for users whose source of authority is Windows Server Active Directory, you must use Windows Server Active Directory. After you complete the update, you must wait for the next synchronization cycle to complete before you'll see the changes.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator for the directory.

-2. Browse to **Azure Active Directory** > **Company branding** > **Customize**.

-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global Administrator account for the directory.

-2. Go to **Azure Active Directory** > **Company branding** > **Add browser language**.

-1. Select **Azure Active Directory**.

-1. Select **Properties**.

-## Open a support request in Azure Active Directory

-1. Sign in to the [Azure portal](https://portal.azure.com) and open **Azure Active Directory**.

-

-1. Scroll down to **Troubleshooting + Support** and select **New support request**.

-You can create a basic group and add your members at the same time using the Azure Active Directory (Azure AD) portal. Azure AD roles that can manage groups include **Groups Administrator**, **User Administrator**, **Privileged Role Administrator**, or **Global Administrator**. Review the [appropriate Azure AD roles for managing groups](../roles/delegate-by-task.md#groups)

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Go to **Azure Active Directory** > **Groups** > **New group**.

- - This option is only available with Premium P1 or P2 licenses.

-Members and owners can be added to and removed from existing Azure AD groups. The process is the same for members and owners. You'll need the **Groups Administrator** or **User Administrator** role to add and remove members and owners.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Go to **Azure Active Directory** > **Groups**.

-1. Go to **Azure Active Directory** > **Groups**.

-Using Azure AD, you can edit a group's name, description, or membership type. You'll need the **Groups Administrator** or **User Administrator** role to edit a group's settings.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Go to **Azure Active Directory** > **Groups**. The **Groups - All groups** page appears, showing all of your active groups.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Go to **Azure Active Directory** > **Groups**.

-1. On the **Groups - All groups** page, search for and select the group you want to become a member of another group.

-1. On the **Groups - All groups** page, search for and select the group you need to remove as a member of another group.

-You can delete an Azure AD group for any number of reasons, but typically it will be because you:

-To delete a group, you'll need the **Groups Administrator** or **User Administrator** role.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Go to **Azure Active Directory** > **Groups**.

-3. Search for and select the group you want to delete.

-4. Select **Delete**.

- The group is deleted from your Azure Active Directory tenant.

-The KMSI setting is managed in the **User settings** of Azure Active Directory (Azure AD).

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Go to **Azure Active Directory** > **Users** > **User settings**.

-Details about the sign-in error are found in the **Sign-in logs** in Azure AD. Select the impacted user from the list and locate the following details in the **Basic info** section.

-You can stop users from seeing the interrupt by setting the **Show option to remain signed in** setting to **No** in the user settings. This setting disables the KMSI prompt for all users in your Azure AD directory.

-You also can use the [persistent browser session controls in Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md) to prevent users from seeing the KMSI prompt. This option allows you to disable the KMSI prompt for a select group of users (such as the global administrators) without affecting sign-in behavior for everyone else in the directory.

-You can use the Microsoft Entra admin center and the Azure Active Directory (Azure AD) portal to manage Microsoft Support access requests (preview). Microsoft Support access requests enable you to [give Microsoft Support engineers access to identity diagnostic data](concept-support-access-requests.md) in your identity service to help solve support requests you submitted to Microsoft.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**.

-This article covers how to add user profile information, such as a profile picture and job-specific information. You can also choose to allow users to connect their LinkedIn accounts or restrict access to the Azure AD administration portal. Some settings may be managed in more than one area of Azure AD. For more information about adding new users, see [How to add or delete users in Azure Active Directory](./add-users.md).

-When new users are created, only some details are added to their user profile. If your organization needs more details, they can be added after the user is created.

-1. Sign in to the [Azure portal](https://portal.azure.com) in the User Administrator role for the organization.

-1. Go to **Azure Active Directory** > **Users** and select a user.

-> [!Note]

-> [!Note]

-In the **User settings** area of Azure AD, you can adjust several settings that affect all users. Some settings are managed in a separate area of Azure AD and linked from this page. These settings require the Global Administrator role.

-Go to **Azure AD** > **User settings**.

-The following settings can be managed from Azure AD **User settings**.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) and navigate to **Diagnose and solve problems**.

-There are three user-initiated activities that you can see in your Azure AD audit logs. These are actions requested by administrators of your tenant.

-#Customer intent: As an IT admin, I want understand the identity secure score, so that I can maximize the security posture of my tenant.

-Identity secure score is available to free and paid customers. Organizations can access their identity secure score in the [Microsoft Entra admin center](https://entra.microsoft.com/) under **Protection** > **Identity Secure Score**.

-Every 48 hours, Azure looks at your security configuration and compares your settings with the recommended best practices. Based on the outcome of this evaluation, a new score is calculated for your directory. ItΓÇÖs possible that your security configuration isnΓÇÖt fully aligned with the best practice guidance and the improvement actions are only partially met. In these scenarios, you're awarded a portion of the max score available for the control.

-Each recommendation is measured based on your Azure AD configuration. If you're using third-party products to enable a best practice recommendation, you can indicate this configuration in the settings of an improvement action. You may set recommendations to be ignored if they don't apply to your environment. An ignored recommendation doesn't contribute to the calculation of your score.

-* Service support Administrator

-Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in the **Azure Active Directory &gt; Users &gt;** select a user **&gt; Properties &gt; Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization.

-1. Sign in to the [Azure portal](https://portal.azure.com) using a License administrator account in your Azure AD organization.

-1. Select **Azure Active Directory**, and then select **Licenses**.

-1. On the **Products** page, select the name of the license plan you want to assign to the user.

- > Not all Microsoft services are available in all locations. Before a license can be assigned to a user, you must specify the **Usage location**. You can set this value in the **Azure Active Directory &gt; Users &gt; Profile &gt; Settings** area in Azure AD. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the Azure AD organization.

-1. On the **Products** page, select the name of the license plan you want to assign to the user.

-1. On the **Azure Active Directory Premium Plan 2** page, select **Assign**.

-1. On the **Licensed users** page for the service plan, select the user that should no longer have the license. For example, _Alain Charon_.

-description: Instructions about how to add your organization's privacy info to the Azure Active Directory Properties area.

-# Add your organization's privacy info using Azure Active Directory

-This article explains how a tenant admin can add privacy-related info to an organization's Azure Active Directory (Azure AD) tenant, through the Azure portal.

-## Add your privacy info on Azure AD

-You add your organization's privacy information in the **Properties** area of Azure AD.

-### To access the Properties area and add your privacy information

-1. Sign in to the [Azure portal](https://portal.azure.com) as a tenant administrator.

-2. On the left navbar, select **Azure Active Directory**, and then select **Properties**.

- The **Properties** area appears.

- :::image type="content" source="media/properties-area/properties-area.png" alt-text="Screenshot showing the properties area highlighting the privacy info area.":::

-3. Add your privacy info for your employees:

- - **Technical contact.** Type the email address for the person to contact for technical support within your organization.

- - **Global privacy contact.** Type the email address for the person to contact for inquiries about personal data privacy. This person is also who Microsoft contacts if there's a data breach related to Azure Active Directory services. If there's no person listed here, Microsoft contacts your global administrators. For Microsoft 365 related privacy incident notifications, see [Microsoft 365 Message center FAQs](/microsoft-365/admin/manage/message-center?preserve-view=true&view=o365-worldwide#frequently-asked-questions)

- - **Privacy statement URL.** Type the link to your organization's document that describes how your organization handles both internal and external guest's data privacy.

- >[!Important]

- >If you don't include either your own privacy statement or your privacy contact, your external guests will see text in the **Review Permissions** box that says, **<_your org name_> has not provided links to their terms for you to review**. For example, a guest user will see this message when they receive an invitation to access an organization through B2B collaboration.

- :::image type="content" source="media/properties-area/no-privacy-statement-or-contact.png" alt-text="Screenshot showing the B2B Collaboration Review Permissions box with message.":::

-4. Select **Save**.

-1. Sign in to theΓÇ»[Microsoft Entra admin center](https://entra.microsoft.com/).

-1. Sign in to theΓÇ»[Microsoft Entra admin center](https://entra.microsoft.com/).

-The ability to manage Azure resources is granted by assigning roles that provide the required permissions. Roles can be assigned to individual users or groups. To align with the [Zero Trust guiding principles](../../security/fundamentals/zero-trust.md), use Just-In-Time and Just-Enough-Access policies when assigning roles.

-1. Sign in to the [Azure portal](https://portal.azure.com) using the Privileged Role Administrator role for the directory.

-1. Go to **Azure Active Directory** > **Users**.

-1. Go to **Azure Active Directory** > **Users**.

-1. Go to **Azure Active Directory** > **Users**.

-| **Create security groups** | Setting this option to **No** prevents users from creating security groups. Global administrators and user administrators can still create security groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |

-| **Create Microsoft 365 groups** | Setting this option to **No** prevents users from creating Microsoft 365 groups. Setting this option to **Some** allows a set of users to create Microsoft 365 groups. Global administrators and user administrators can still create Microsoft 365 groups. To learn how, see [Azure Active Directory cmdlets for configuring group settings](../enterprise-users/groups-settings-cmdlets.md). |

-| **Restrict users from recovering the BitLocker key(s) for their owned devices** | This setting can be found in the Azure AD and Entral portal in the Device Settings. Setting this option to **Yes** restricts users from being able to self-service recover BitLocker key(s) for their owned devices. Users will have to contact their organization's helpdesk to retrieve their BitLocker keys. Setting this option to **No** allows users to recover their BitLocker key(s). |

-An owner can also add or remove other owners. Unlike global administrators, owners can manage only the applications that they own.

-An owner can also add or remove other owners. Unlike global administrators, owners can manage only the applications that they own.

-An owner can also add or remove other owners. Unlike global administrators and user administrators, owners can manage only the groups that they own.

-> Owners of dynamic groups must have a global administrator, group administrator, Intune administrator, or user administrator role to edit group membership rules. For more information, see [Create or update a dynamic group in Azure Active Directory](../enterprise-users/groups-create-rule.md).

-# Reset a user's password using Azure Active Directory

-Azure Active Directory (Azure AD) administrators can reset a user's password if the password is forgotten, if the user gets locked out of a device, or if the user never received a password.

->[!Note]

->Unless your Azure AD tenant is the home directory for a user, you won't be able reset their password. This means that if your user is signing in to your organization using an account from another organization, a Microsoft account, or a Google account, you won't be able to reset their password.

->If your user has a source of authority as Windows Server Active Directory, you'll only be able to reset the password if you've turned on password writeback and the user domain is managed. Changing the user password from Azure Active Directory for federated domains is not supported. In this case, you should change the user password in the on-premises Active Directory.<br><br>If your user has a source of authority as External Azure AD, you won't be able to reset the password. Only the user, or an administrator in External Azure AD, can reset the password.

->[!Note]

->If you're not an administrator and you need instructions on how to reset your own work or school password, see [Reset your work or school password](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e).

-1. Sign in to the [Azure portal](https://portal.azure.com) as a user administrator, or password administrator. For more information about the available roles, see [Azure AD built-in roles](../roles/permissions-reference.md)

-2. Select **Azure Active Directory**, select **Users**, search for and select the user that needs the reset, and then select **Reset Password**.

-3. In the **Reset password** page, select **Reset password**.

- > [!Note]

-4. Copy the password and give it to the user. The user will be required to change the password during the next sign-in process.

- >[!Note]

- >The temporary password never expires. The next time the user signs in, the password will still work, regardless how much time has passed since the temporary password was generated.

-# Restore or remove a recently deleted user using Azure Active Directory

-You can view your restorable users, restore a deleted user, or permanently delete a user using Azure Active Directory (Azure AD) in the Azure portal.

->[!Important]

->Neither you nor Microsoft customer support can restore a permanently deleted user.

-1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account for the organization.

-2. Select **Azure Active Directory**, select **Users**, and then select **Deleted users**.

-1. On the **Users - Deleted users** page, search for and select one of the available users. For example, _Mary Parker_.

-1. On the **Users - Deleted users** page, search for and select one of the available users. For example, _Rae Huff_.

-|Azure AD Global administrator|This administrator role is automatically assigned to whomever created the Azure AD tenant. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users. For more information about the various administrator roles, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md).|

-Groups Administrators assigned over the scope of an administrative unit can now create groups within the administrative unit. This enables scoped group administrators to create groups that they can manage directly, without needing to elevate to Global Administrator or Privileged Role Administrator. For more information, see: [Administrative units in Azure Active Directory](../roles/administrative-units.md).

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Figaelmprodportalhosting.blob.core.windows.net%2Farm-deployment-template%2FLogicAppServiceNowIntegration.json ).

- 1. In the Azure portal, select **Azure Active Directory**.

- 2. Select **Azure AD Connect**.

- 3. Select **Manage cloud sync**.

- 4. Under **Configuration**, select your configuration.

- 5. Select **Click to edit mappings**. This link opens the **Attribute mappings** screen.

- 6. Select **Add attribute**.

- 7. Fill in the following information:

- 8. Select **Apply**.

- 9. Back on the **Attribute mappings** screen, you should see your new attribute mapping.

- 10. Select **Save schema**.

-The tool is located in: **C:\Program Files\Microsoft Azure Active Directory Connect\Tools\ ADConnectivityTool.psm1**

- # Import Module

- Import-Module Microsoft.Graph.Identity.DirectoryManagement

- #Connect to MgGraph with necessary scope and select the Beta API Version

- Connect-MgGraph -Scopes Directory.ReadWrite.All

- Select-MgProfile -Name beta

- # Verify if "Group.Unified" directory settings exist

- $DirectorySetting = Get-MgDirectorySetting | Where-Object {$_.DisplayName -eq "Group.Unified"}

- # If "Group.Unified" directory settings exist, update the value for new unified group writeback default

- if ($DirectorySetting) {

- $DirectorySetting.Values | ForEach-Object {

- if ($_.Name -eq "NewUnifiedGroupWritebackDefault") {

- $_.Value = "false"

- }

- }

- Update-MgDirectorySetting -DirectorySettingId $DirectorySetting.Id -BodyParameter $DirectorySetting

- }

- else

- {

- # In case the directory setting doesn't exist, create a new "Group.Unified" directory setting

- # Import "Group.Unified" template values to a hashtable

- $Template = Get-MgDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}

- $TemplateValues = @{}

- $Template.Values | ForEach-Object {

- $TemplateValues.Add($_.Name, $_.DefaultValue)

- # Update the value for new unified group writeback default

- $TemplateValues["NewUnifiedGroupWritebackDefault"] = "false"

- # Create a directory setting using the Template values hashtable including the updated value

- $params = @{}

- $params.Add("TemplateId", $Template.Id)

- $params.Add("Values", @())

- $TemplateValues.Keys | ForEach-Object {

- $params.Values += @(@{Name = $_; Value = $TemplateValues[$_]})

- New-MgDirectorySetting -BodyParameter $params

- }

- Import-module Microsoft.Graph

- #Connect to MgGraph with necessary scope and select the Beta API Version

- Select-MgProfile -Name beta

- $Groups = Get-MgGroup -All | Where-Object {$_.GroupTypes -like "*unified*"}

- Update-MgGroup -GroupId $group.id -WritebackConfiguration @{isEnabled=$false}

- For Windows 10, Windows Server 2016 and later versions, itΓÇÖs recommended to use SSO via [Primary Refresh Token (PRT)](../../devices/concept-primary-refresh-token.md) with [Azure AD joined devices](../../devices/concept-directory-join.md), [hybrid Azure AD joined devices](../../devices/concept-hybrid-join.md) or [personal registered devices](../../devices/concept-device-registration.md) via Add Work or School Account.

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator).

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator).

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator).

-* An account with Azure AD Application Administrator permissions. For more information, see [Azure AD built-in roles](../roles/permissions-reference.md).

-To provide more security for sign-ins, you can enable Multi-Factor Authentication in the Azure portal:

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.

-2. Select **Azure Active Directory** > **Manage** > **Properties**.

-3. Under **Properties**, select **Manage security defaults**.

- [](./media/datawiza-sso-mfa-oracle-ebs/manage-security-defaults.png#lightbox)

-4. Under **Enable security defaults**, select **Yes**.

- [](./media/datawiza-sso-mfa-oracle-ebs/enable-security-defaults.png#lightbox)

-* An account with Azure AD and the Application administrator role

- * See, [Azure AD built-in roles, all roles](../roles/permissions-reference.md#all-roles)

-* (Optional) An SSL web certificate to publish services over HTTPS. You can also use default Datawiza self-signed certs for testing.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.

-2. Select **Azure Active Directory** > **Manage** > **Properties**.

-3. Under **Properties**, select **Manage security defaults**.

-4. Under **Enable Security defaults**, select **Yes**.

-* Manage identities and access from one control plane, the [Azure portal](https://portal.azure.com)

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with Application Administrative rights.

-2. From the left navigation pane, select the **Azure Active Directory** service.

-3. Under Manage, select **App registrations > New registration**.

-4. Enter a display name for your application. For example, F5 BIG-IP Easy Button.

-5. Specify who can use the application > **Accounts in this organizational directory only**.

-6. Select **Register**.

-7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**:

- * See, the [Azure portal](https://azure.microsoft.com/features/azure-portal)

-* For the account, have Azure AD Application Administrator permissions

- * F5 BIG-IP® Best bundle

- * F5 BIG-IP Access Policy ManagerΓäó (APM) standalone license

- * F5 BIG-IP Access Policy Manager™ (APM) add-on license on a BIG-IP F5 BIG-IP® Local Traffic Manager™ (LTM)

-1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

-2. In the left navigation pane, select the **Azure Active Directory** service.

-3. Under **Manage**, select **App registrations > New registration**.

-3. (Optional) In **Security Settings**, select or clear the **Enable Encrypted Assertion** option. Encrypting assertions between Azure AD and the BIG-IP APM means the content tokens canΓÇÖt be intercepted, nor personal or corporate data compromised.

- * [K42052145: Configuring automatic session termination (logout) based on a URI-referenced file name](https://support.f5.com/csp/article/K42052145

-3. YouΓÇÖre redirected to the BIG-IP virtual server for the application and signed in by SSO.

-Learn more: [Tutorial: Configure F5 BIG-IPΓÇÖs Access Policy Manager for header-based SSO](./f5-big-ip-header-advanced.md).

-* Manage identities and access from the [Azure portal](https://portal.azure.com)

-* An account with Azure AD Application Admin permissions

- * See, [Azure AD built-in roles](../roles/permissions-reference.md)

-1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrative permissions.

-2. From the left navigation pane, select the **Azure Active Directory** service.

-3. Under **Manage**, select **App registrations > New registration**.

-4. Enter an application **Name**.

-5. For **Accounts in this organizational directory only**, specify who uses the application.

-6. Select **Register**.

-7. Navigate to **API permissions**.

-8. Authorize the following Microsoft Graph **Application permissions**:

-* Manage identities and access from the [Azure portal](https://portal.azure.com)

-* An account with Azure AD Application Admin permissions

- * See, [Azure AD built-in roles](../roles/permissions-reference.md)

-1. Sign in to the [Azure portal](https://portal.azure.com) with Application Administrator permissions.

-2. In the left navigation pane, select the **Azure Active Directory** service.

-3. Under Manage, select **App registrations > New registration**.

-4. Enter a **Name**.

-5. In **Accounts in this organizational directory only**, specify who can use the application.

-6. Select **Register**.

-7. Navigate to **API permissions**.

-8. Authorize the following Microsoft Graph Application permissions:

-This article describes the key steps to configure cross-tenant synchronization using Microsoft Graph PowerShell or Microsoft Graph API. When configured, Azure AD automatically provisions and de-provisions B2B users in your target tenant. For detailed steps using the Azure portal, see [Configure cross-tenant synchronization](cross-tenant-synchronization-configure.md).

-description: Learn how to configure cross-tenant synchronization in Azure Active Directory using the Azure portal.

-This article describes the steps to configure cross-tenant synchronization using the Azure portal. When configured, Azure AD automatically provisions and de-provisions B2B users in your target tenant. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator in the target tenant.

-1. Select **Azure Active Directory** > **External Identities**.

-1. Select **Cross-tenant access settings**.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an administrator of the source tenant.

-1. Select **Azure Active Directory** > **External Identities**.

-1. Select **Cross-tenant access settings**.

-1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization**.

- :::image type="content" source="./media/cross-tenant-synchronization-configure/azure-ad-overview.png" alt-text="Screenshot that shows the Azure Active Directory Overview page." lightbox="./media/cross-tenant-synchronization-configure/azure-ad-overview.png":::

-1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization**.

-1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization**.

-1. In the target tenant, select **Azure Active Directory**.

-1. Select **External Identities** > **External collaboration settings**.

-1. In the source tenant, select **Azure Active Directory** > **Cross-tenant synchronization**.

-For cross-tenant synchronization, users don't receive an email or have to accept a consent prompt. If users want to see what tenants they belong to, they can open their [My Account](https://support.microsoft.com/account-billing/my-account-portal-for-work-or-school-accounts-eab41bfe-3b9e-441e-82be-1f6e568d65fd) page and select **Organizations**. In the Azure portal, users can open their [Azure portal settings](../../azure-portal/set-preferences.md), view their **Directories + subscriptions**, and switch directories.

-You can assign an Azure AD role with an administrative unit scope by using the Azure portal, PowerShell, or Microsoft Graph.

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit that you want to assign a user role scope to.

-You can view a list of Azure AD role assignments with administrative unit scope by using the Azure portal, PowerShell, or Microsoft Graph.

-### Azure portal

-You can view all the role assignments created with an administrative unit scope in the [Administrative units section of Azure AD](https://portal.azure.com/?microsoft_aad_iam_adminunitprivatepreview=true&microsoft_aad_iam_rbacv2=true#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AdminUnit).

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit for the list of role assignments you want to view.

-You can create a new administrative unit by using either the Azure portal, PowerShell or Microsoft Graph.

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Administrative units**.

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Administrative units** and then select the administrative unit you want to delete.

-1. Select **Azure Active Directory** > **Administrative units**.

-## Azure portal

-You can add users, groups, or devices to administrative units using the Azure portal. You can also add users in a bulk operation or create a new group in an administrative unit.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select one of the following:

- - **Users**

- - **Groups**

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit you want to add users, groups, or devices to.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit you want to add users to.

-1. Select the administrative unit to which you want to add users.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit you want to create a new group in.

-You can add or remove users or devices for administrative units manually. With this preview, you can add or remove users or devices for administrative units dynamically using rules. This article describes how to create administrative units with dynamic membership rules using the Azure portal, PowerShell, or Microsoft Graph API.

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit that you want to add users or devices to.

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit that has the dynamic membership rules you want to edit.

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit that you want to change to assigned.

-## Azure portal

-You can list the users, groups, or devices in administrative units using the Azure portal.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select one of the following:

- - **Users**

- - **Groups**

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit that you want to list the users, groups, or devices for.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Devices** > **All devices**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Users** or **Groups** and then select the user or group you want to list their restricted management administrative units.

-## Azure portal

-You can remove users, groups, or devices from administrative units individually using the Azure portal. You can also remove users in a bulk operation.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select one of the following:

- - **Users**

- - **Groups**

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit that you want to remove users, groups, or devices from.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory**.

-1. Select **Administrative units** and then select the administrative unit that you want to remove users from.

-You can manage administrative units by using the Azure portal, PowerShell cmdlets and scripts, or Microsoft Graph API. For more information, see:

-As a Global Administrator or a Privileged Role Administrator, you can use the Azure portal to:

-Administrative units apply scope only to management permissions. They don't prevent members or administrators from using their [default user permissions](../fundamentals/users-default-permissions.md) to browse other users, groups, or resources outside the administrative unit. In the Microsoft 365 admin center, users outside a scoped admin's administrative units are filtered out. But you can browse other users in the Azure portal, PowerShell, and other Microsoft services.

-| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center |

-| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center |

-| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center |

-| Permissions | Microsoft Graph/PowerShell | Azure portal | Microsoft 365 admin center |

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory > Administrative units** to see the list of all administrative units.

-### Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory > App registrations** to see the list of all app registrations.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** to see the list of Azure AD roles.

-Microsoft 365 has a number of role-based access control systems that developed independently over time, each with its own service portal. To make it convenient for you to manage identity across Microsoft 365 from the Azure portal, we have added some service-specific built-in roles, each of which grants administrative access to a Microsoft 365 service. An example of this addition is the Exchange Administrator role in Azure AD. This role is equivalent to the [Organization Management role group](/exchange/organization-management-exchange-2013-help) in the Exchange role-based access control system, and can manage all aspects of Exchange. Similarly, we added the Intune Administrator role, Teams Administrator, SharePoint Administrator, and so on. Service-specific roles is one category of Azure AD built-in roles in the following section.

-This article describes how to create a role assignment at organization-wide scope in Azure Active Directory (Azure AD). Assigning a role at organization-wide scope grants access across the Azure AD organization. To create a role assignment with a scope of a single Azure AD resource, see [How to create a custom role and assign it at resource scope](custom-create.md). This article uses the [Azure Active Directory PowerShell Version 2](/powershell/module/azuread/#directory_roles) module.

-description: Preview app consent permissions for custom Azure AD roles in the Azure portal, PowerShell, or Graph API.

-> The Azure portal does not yet support adding the permissions listed in this article to a custom directory role definition. You must [use Azure AD PowerShell to create a custom directory role](custom-create.md#create-a-role-using-powershell) with the permissions listed in this article.

-Custom roles can be created in the [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) tab on the Azure AD overview page.

-## Create a role in the Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** > **New custom role**.

-1. Sign in to the [Azure portal](https://portal.azure.com) with Application Developer permissions.

-1. Select **Azure Active Directory** > **App registrations**.

-description: Device management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API.

-This article lists the permissions you can use in your custom roles for different device management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md).

-You can read device settings in the Azure portal.

-description: Preview enterprise app permissions for custom Azure AD roles in the Azure portal, PowerShell, or Graph API.

-## Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** and then select **New custom role**.

-### Assign the role to a user using the Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators**.

-1. Select the **Grant permissions to manage user and group assignments** role.

-For more detail, see [Create and assign a custom role](custom-create.md) and [Assign custom roles with resource scope using PowerShell](custom-assign-powershell.md).

-Use the [Create unifiedRoleDefinition](/graph/api/rbacapplication-post-roledefinitions) API to create a custom role. For more information, see [Create and assign a custom role](custom-create.md) and [Assign custom admin roles using the Microsoft Graph API](custom-assign-graph.md).

-description: Group management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API.

-This article lists the permissions you can use in your custom roles for different group management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md).

-You can [create role assignments](manage-roles-portal.md) and [list the role assignments](view-assignments.md) using the Azure portal, Azure AD PowerShell, or Microsoft Graph API. Azure CLI is not supported for Azure AD role assignments.

-description: User management permissions for Azure AD custom roles in the Azure portal, PowerShell, or Microsoft Graph API.

-This article lists the permissions you can use in your custom roles for different user management scenarios. For information about how to create custom roles, see [Create and assign a custom role](custom-create.md).

-1. Sign in to your Azure AD organization with an account that eligible for the Global Administrator role in your Azure AD organization.

-1. Set one or both of the following:

- - On the [User settings page for your organization](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/UserSettings), set the **Users can register applications** setting to No. This will disable the default ability for users to create application registrations.

- - On the [user settings for enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/), set the **Users can consent to applications accessing company data on their behalf** setting to No. This will disable the default ability for users to consent to applications accessing company data on their behalf.

-You can further restrict permissions by assigning roles at smaller scopes or by creating your own custom roles. For more information, see [Assign Azure AD roles at different scopes](assign-roles-different-scopes.md) or [Create and assign a custom role](custom-create.md).

-description: Assign Azure AD roles to role-assignable groups in the Azure portal, PowerShell, or Microsoft Graph API.

-To simplify role management, you can assign Azure AD roles to a group instead of individuals. This article describes how to assign Azure AD roles to [role-assignable groups](groups-concept.md) using the Azure portal, PowerShell, or Microsoft Graph API.

-## Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com) or [Microsoft Entra admin center](https://entra.microsoft.com).

-1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.

-To assign a role to a group, you must create a new security or Microsoft 365 group with the `isAssignableToRole` property set to `true`. In the Azure portal, you set the **Azure AD roles can be assigned to the group** option to **Yes**. Either way, you can then assign one or more Azure AD roles to the group in the same way as you assign roles to users.

-description: Learn how to a role-assignable group in Azure Active Directory using the Azure portal, PowerShell, or Microsoft Graph API.

-This article describes how to create a role-assignable group using the Azure portal, PowerShell, or Microsoft Graph API.

-## Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Groups** > **All groups** > **New group**.

-1. On the **New Group** tab, provide group type, name and description.

-description: Remove role assignments from a group in Azure Active Directory using the Azure portal, PowerShell, or Microsoft Graph API.

-This article describes how an IT admin can remove Azure AD roles assigned to groups. In the Azure portal, you can now remove both direct and indirect role assignments to a user. If a user is assigned a role by a group membership, remove the user from the group to remove the role assignment.

-## Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** > *role name*.

-description: Learn how the roles assigned to a group can be viewed using the Azure portal. Viewing groups and assigned roles are default user permissions.

-This section describes how the roles assigned to a group can be viewed using the Azure portal. Viewing groups and assigned roles are default user permissions.

-## Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Groups**.

-## Azure portal

-Follow these steps to list Azure AD roles for a user using the Azure portal. Your experience will be different depending on whether you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-2. Select **Azure Active Directory** > **Users** > *user name* > **Assigned roles**.

-To grant access to users in Azure Active Directory (Azure AD), you assign Azure AD roles. A role is a collection of permissions. This article describes how to assign Azure AD roles using the Azure portal and PowerShell.

-## Azure portal

-Follow these steps to assign Azure AD roles using the Azure portal. Your experience will be different depending on whether you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.

-If you have [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enabled, you have additional role assignment capabilities. For example, you can make a user eligible for a role or set the duration. When PIM is enabled, there are two ways that you can assign roles using the Azure portal. You can use the Roles and administrators page or the PIM experience. Either way uses the same PIM service.

-Follow these steps to assign roles using the [Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) page. If you want to assign roles using the [Privileged Identity Management](https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart) page, see [Assign Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-add-role-to-user.md).

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.

-1. Use [New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest](/powershell/module/microsoft.graph.identity.governance/new-mgrolemanagementdirectoryroleeligibilityschedulerequest?view=graph-powershell-1.0&preserve-view=true) to assign the role as eligible. Once the role has been assigned, it will reflect on the Azure portal under **Privileged Identity Management -> Azure AD Roles -> Assignments -> Eligible Assignments** section.

-1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator, User Administrator, or Group Administrator.

-1. Select **Azure Active Directory** > **User settings** > **User feature** > **Manage user feature settings**.

-You can view audit logs for actions taken in My Staff in the Azure portal. If an audit log was generated by an action taken in My Staff, you will see this indicated under ADDITIONAL DETAILS in the audit event.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Enterprise applications**.

-In this quick start guide, you will create a custom role with permission to create an unlimited number of app registrations, and then assign that role to a user. The assigned user can then use the Azure portal, Azure AD PowerShell, or Microsoft Graph API to create application registrations. Unlike the built-in Application Developer role, this custom role grants the ability to create an unlimited number of application registrations. The Application Developer role grants the ability, but the total number of created objects is limited to 250 to prevent hitting [the directory-wide object quota](../enterprise-users/directory-service-limits-restrictions.md). The least privileged role required to create and assign Azure AD custom roles is the Privileged Role Administrator.

-## Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** and then select **New custom role**.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators**.

-> To assign the role to an application using the Azure portal, enter the name of the application into the search box of the assignment page. Applications are not shown in the list by default, but are returned in search results.

-## Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** to see the list of all available roles.

-1. Sign in to the [Azure portal](https://portal.azure.com) as an existing Global Administrator.

-1. Select **Azure Active Directory** > **Users**.

-1. Sign in to the [Azure portal](https://portal.azure.com) with an account assigned to the User Administrator role.

-1. Select **Azure Active Directory** > **Users**.

-1. Sign in to the [Azure portal](https://portal.azure.com) with an account assigned to the Monitoring Contributor role in Azure Monitor.

-1. Select **All services**", enter "log analytics" in Search and then select **Log Analytics workspaces**.

-1. Sign in to the [Azure portal](https://portal.azure.com/) with an account that is a Global Administrator of your Azure AD production organization.

-2. To select the Azure AD organization where you want to use Privileged Identity Management, select your user name in the upper right-hand corner of the Azure portal.

-3. On the Azure portal menu, select **All services** and filter the list for **Azure AD Privileged Identity Management**.

-4. Open Privileged Identity Management from the **All services** list and pin it to your dashboard.

-Make sure the first person to use PIM in your organization is assigned to the **Security Administrator** and **Privileged Role Administrator** roles. Only Privileged Role Administrators can manage the Azure AD directory role assignments of users. The PIM security wizard walks you through the initial discovery and assignment experience. You can exit the wizard without making any additional changes at this time.

-If you don't have Azure AD Privileged Identity Management in your organization, you can use the [PowerShell API](/powershell/module/azuread/get-azureaddirectoryrolemember). Start with the Global Administrator role because a Global Administrator has the same permissions across all cloud services for which your organization has subscribed. These permissions are granted no matter where they were assigned: in the Microsoft 365 admin center, the Azure portal, or by the Azure AD module for Microsoft PowerShell.

-ΓÇÄ

-ΓÇÄ

-description: You can now see and manage members of an Azure Active Directory administrator role in the Azure portal.

-## Azure portal

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **Roles and administrators** and then select a role to open it and view its properties.

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Select **Azure Active Directory** > **App registrations**, and then select the app registration to view its properties. You might have to select **All applications** to see the complete list of app registrations in your Azure AD organization.

- 

-1. Log in to [Cisco Umbrella dashboard](https://login.umbrella.com ). Navigate to **Deployments** > **Core Identities** > **Users and Groups**.

- 

-1. On the Single Sign-On Settings screen, select **Enable Single Sign-On**. Under **Selected Single Sign-On Type** choose **Kerberos**. Replace **session.saml.last.Identity** with **session.saml.last.attr.name.Identity** under **Username Source** ( this variable it set using claims mapping in the Azure AD ). Select **Show Advanced Setting**. Under **Kerberos Realm** type the Domain Name. Under **Account Name/ Account Password** Specify the APM Delegation Account and Password. Specify the Domain Controller IP in the **KDC** Field. Click **Save & Next**.

- | Environment | URL |

- > [!NOTE]

- > These values are not real. Check the actual Identifier and Reply URL values on the **Sansan admin settings**.

- * [Japanese](https://jp-help.sansan.com/hc/ja/articles/900001551383 ) version.

- * [English](https://jp-help.sansan.com/hc/en-us/articles/900001551383 ) version.

-Once you configure Sansan you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

-1. Login to [Shopify Plus organization admin](https://shopify.plus ). Navigate to **Users > Security**.

- string contractid = "ZjViZjJmYzYtNzEzNS00ZDk0LWE2ZmUtYzI2ZTQ1NDNiYzVhdGVzdDM";

-To be considered into Entra Verified ID partner documentation, submit your application [request](https://aka.ms/isvconnectvc)

-Our Services partner network extends and accelerates Microsoft Entra Verified ID adoption. Service partners offer advisory, implementation, integration and managed service capabilities that can help you build seamless end-user experiences using Verified ID.

-You could select a partner from the list and build seamless end-user experiences for onboarding, secure access to critical services, self-service and custom business application scenarios.

-For example, assume you want your customers to cancel subscriptions for various products that you offer through your chatbot. You can create a _Cancel_ intent with various examples like _"Cancel the Contoso service"_, or _"stop charging me for the Fabrikam subscription"_. The user's intent here is to _cancel_, the _Contoso service_ or _Fabrikam subscription_ are the subscriptions they would like to cancel. Therefore, you can create an entity for _subscriptions_. You can then model your entire project to capture actions as intents and use entities to fill in those actions. This allows you to cancel anything you define as an entity, such as other products. You can then have intents for signing up, renewing, upgrading, etc. that all make use of the _subscriptions_ and other entities.

-Another approach is to model the _information_ as intents and _actions_ as entities. Let's take the same example, allowing your customers to cancel subscriptions through your chatbot. You can create an intent for each subscription available, such as _Contoso_ with utterances like _"cancel Contoso"_, _"stop charging me for contoso services"_, _"Cancel the Contoso subscription"_. You would then create an entity to capture the action, _cancel_. You can define different entities for each action or consolidate actions as one entity with a list component to differentiate between actions with different keys.

-An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Each embedding is a vector of floating-point numbers, such that the distance between two embeddings in the vector space is correlated with semantic similarity between two inputs in the original format. For example, if two texts are similar, then their vector representations should also be similar.

-Learn more about using Azure OpenAI and embeddings to perform document search with our [embeddings tutorial](../tutorials/embeddings.md).

-An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Each embedding is a vector of floating point numbers, such that the distance between two embeddings in the vector space is correlated with semantic similarity between two inputs in the original format. For example, if two texts are similar, then their vector representations should also be similar.

-Now that we understand more about how tokenization works we can move on to embedding. It is important to note, that we haven't actually tokenized the documents yet. The `n_tokens` column is simply a way of making sure none of the data we pass to the model for tokenization and embedding exceeds the input token limit of 8,192. When we pass the documents to the embeddings model, it will break the documents into tokens similar (though not necessarily identical) to the examples above and then convert the tokens to a series of floating point numbers that will be accessible via vector search. These embeddings can be stored locally or in an Azure Database. As a result, each bill will have its own corresponding embedding vector in the new `ada_v2` column on the right side of the DataFrame.

-* Speech SDK 1.31.0 was released in August 2023.

- * Real-time diarization is in public preview.

-| [Speech language identification](speech-container-lid.md)^{1, 2} | Detects the language spoken in audio files. | Latest: 1.11.0<br/><br/>For all supported versions and locales, see the [Microsoft Container Registry (MCR)](https://mcr.microsoft.com/product/azure-cognitive-services/speechservices/language-detection/tags) and [JSON tags](https://mcr.microsoft.com/v2/azure-cognitive-services/speechservices/language-detection/tags/list). |

- labels:

- azure.workload.identity/use: "true"

-Logs from the AKS control plane components are collected separately in Azure as resource logs and sent to different locations, such as [Azure Monitor Logs][azure-monitor-logs]. For more information, see [Collect control plane logs][monitor-aks.md#collect-control-plane-logs].

-1. Wait for every instance in the source slot to complete its restart. If any instance fails to restart, the swap operation reverts all changes to the source slot and stops the operation.

-The output contains the URL to your deployed application (in this example, `https://spring-todo-app.azurewebsites.net` ). You can copy this URL into your web browser or run the following command in your Terminal window to load your app.

-New scripts are added to the Azure Automation [GitHub repository](https://github.com/azureautomation) to address one of Azure Automation's key scenarios of VM management based on Azure Monitor alert. For more information, see [Trigger runbook from Azure alert](./automation-create-alert-triggered-runbook.md#common-azure-vm-management-operations).

-If you'd like to contribute to Azure Automation documentation, see our [contributor guide](/contribute/).

-* Spread your requests across multiple App Configuration stores. For example, use a different store from each geographic region for a globally deployed application. Each App Configuration store has its own request quota. This setup gives you a model for scalability and avoids the single point of failure.

-App Configuration is regional service. For applications with different configurations per region, storing these configurations in one instance can create a single point of failure. Deploying one App Configuration instances per region across multiple regions may be a better option. It can help with regional disaster recovery, performance, and security siloing. Configuring by region also improves latency and uses separated throttling quotas, since throttling is per instance. To apply disaster recovery mitigation, you can use [multiple configuration stores](./concept-disaster-recovery.md).

-* [Grant VC Permissions to the Build Service](/azure/devops/pipelines/scripts/git-commands?preserve-view=true&tabs=yaml&view=azure-devops#version-control )

- > For new AKS clusters created with `az aks create`, the cluster will be MSI-based by default. For already created SPN-based clusters that need to be converted to MSI, run `az aks update -g $RESOURCE_GROUP -n $CLUSTER_NAME --enable-managed-identity`ΓÇ¥`. For more information, see [Use a managed identity in AKS](../../aks/use-managed-identity.md).

- > For new AKS clusters created with `az aks create`, the cluster will be MSI-based by default. For already created SPN-based clusters that need to be converted to MSI, run `az aks update -g $RESOURCE_GROUP -n $CLUSTER_NAME --enable-managed-identity`ΓÇ¥`. For more information, see [Use a managed identity in AKS](../../aks/use-managed-identity.md).

-[Drift detection for Helm releases](https://fluxcd.io/flux/components/helm/helmreleases/#drift-detection ) isn't enabled by default. Starting with [`microsoft.flux` v1.7.5](extensions-release.md#flux-gitops), you can enable Helm drift detection by running the following command:

-You can also [Cancel the order](azure-edge-hardware-center-manage-order.md#cancel-order) or [Return hardware](azure-edge-hardware-center-manage-order.md#return-hardware ) once you are done.

-The `@BlobTrigger` attribute is used to give you access to the blob that triggered the function. Refer to the [trigger example](#example) for details.

-> [Azure Container Apps hosting of Azure Functions](./functions-container-apps-hosting.md)

-zone_pivot_groups: programming-languages-set-functions-lang-workers

- |**Select how you would like to open your project**| Select `Add to workspace`. |

- |**Select how you would like to open your project**| Select `Add to workspace`. |

- |**Select how you would like to open your project**| Select `Add to workspace`. |

- |**Select how you would like to open your project**| Select `Add to workspace`. |

- |**Select how you would like to open your project**| Select `Add to workspace`. |

- ::: zone pivot="programming-language-javascript,programming-language-powershell,programming-language-python,programming-language-csharp"

- |Override query time range| If you want the alert evaluation period to be different than the query time range, enter a time range here.<br> The alert time range is limited to a maximum of two days. Even if the query contains an **ago** command with a time range of longer than two days, the two-day maximum time range is applied. For example, even if the query text contains **ago(7d)**, the query only scans up to two days of data.<br> If the query requires more data than the alert evaluation, and there's no **ago** command in the query, you can change the time range manually.|

-The **Alerts** page summarizes all alert instances in all your Azure resources generated in the last 30 days. You can search for a specific alert and manage alert instances.

-An *alert rule* monitors your data and captures a signal that indicates something is happening on the specified resource. The alert rule captures the signal and checks to see if the signal meets the criteria of the condition. If the conditions are met, an alert is triggered, which initiates the associated action group and updates the state of the alert.

-If you're monitoring more than one resource, the condition is evaluated separately for each of the resources. Alerts are fired for each resource separately.

-You can see all alert instances in all your Azure resources generated in the last 30 days on the [Alerts page](alerts-page.md) in the Azure portal.

-## Alerts and state

-You can configure whether log or metric alerts are stateful or stateless. Activity log alerts are stateless.

- The frequency of notifications for stateless metric alerts differs based on the alert rule's configured frequency:

- - **Alert frequency of less than 5 minutes**: While the condition continues to be met, a notification is sent sometime between one and six minutes.

- - **Alert frequency of more than 5 minutes**: While the condition continues to be met, a notification is sent between the configured frequency and double the frequency. For example, for an alert rule with a frequency of 15 minutes, a notification is sent sometime between 15 to 30 minutes.

- |Alert type |The alert is resolved when |

- |||

- |Metric alerts|The alert condition isn't met for three consecutive checks.|

- |Log alerts| The alert condition isn't met for a specific time range. The time range differs based on the frequency of the alert:<ul> <li>**1 minute**: The alert condition isn't met for 10 minutes.</li> <li>**5 to 15 minutes**: The alert condition isn't met for three frequency periods.</li> <li>**15 minutes to 11 hours**: The alert condition isn't met for two frequency periods.</li> <li>**11 to 12 hours**: The alert condition isn't met for one frequency period.</li></ul>|

-When an alert is considered resolved, the alert rule sends out a resolved notification by using webhooks or email. The monitor state in the Azure portal is set to **resolved**.

-| `\Processor(_Total)\% Processor Time` | default metrics | Difference in [system wide CPU load tick counters](https://oshi.github.io/oshi/oshi-core/apidocs/oshi/hardware/CentralProcessor.html#getProcessorCpuLoadTicks())(Only User and System) divided by the number of [logical processors count](https://oshi.github.io/oshi/oshi-core/apidocs/oshi/hardware/CentralProcessor.html#getLogicalProcessorsΓÇö) in a given interval of time | no |

-For the full specification of OSS prom APIs, see [Prometheus HTTP API](https://prometheus.io/docs/prometheus/latest/querying/api/#http-api )

- 

-## WhatΓÇÖs the performance impact of Kerberos on NFSv4.1?

-

-* AVS to Azure NetApp Files protocol: [NFS version 3](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md?tabs=azure-portal#faqs )

-It scales poorly to increase the number of VMs driving IO to a single datastore from a single host. This fact is due to the single network flow. When maximum performance is reached for a given workload, it's often the result of a single queue used along the way to the hostΓÇÖs single NFS datastore over a single TCP connection. Using an 8-KB block size, total IOPS increased between 3% and 16% when scaling from one VM with a single VMDK to four VMs with 16 total VMDKs (four per VM, all on a single datastore).

-If you stripe volumes across multiple disks, ensure the backup software or disaster recovery software supports backing up multiple virtual disks simultaneously. As individual writes are striped across multiple disks, the file system needs to ensure disks are ΓÇ£frozenΓÇ¥ during the snapshot or backup operations. Most modern file systems include a freeze or snapshot operation such as xfs (xfs_freeze) and NTFS (volume shadow copies), which backup software can take advantage of.

-For example, as you approach the end of a fiscal year you find that you need more storage performance on Standard datastore. You can increase the datastoresΓÇÖ service level for a month to enable all VMs on those datastores to have more performance available to them, while maintaining other datastores at a lower service level. You not only save cost but gain more performance by having workloads spread among more TCP connections between each datastore to each AVS host.

-You can monitor your datastore metrics through vCenter or through the Azure API/Console. From vCenter, you can monitor a datastoreΓÇÖs aggregate average IOPS in the [Performance/Advanced Charts](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-B3D99B36-E856-41A5-84DB-9B7C8FABCF83.html) , as long as you enable Storage IO Control Metrics collection on the datastore. The Azure [API](monitor-volume-capacity.md#using-rest-api) and [console](monitor-azure-netapp-files.md) present metrics for `WriteIops`, `ReadIops`, `ReadThroughput`, and `WriteThroughput`, among others, to measure your workloads at the datastore level. With Azure metrics, you can set alert rules with actions to automatically resize a datastore via an Azure function, a webhook, or other actions.

-az bicep decompile-params -- file azuredeploy.parameters.json --bicep-file ./dir/main.bicep

-This command decompiles a _azuredeploy.parameters.json_ parameters file into a _azuredeploy.parameters.bicepparam_ file. `-bicep-file` specifies the path to the Bicep file (relative to the .bicepparam file) that is referenced in the `using` declaration.

-This article describes the data types supported in [Bicep](./overview.md). [User-defined data types](./user-defined-data-types.md) are currently in preview.

-# User-defined data types in Bicep (Preview)

-## Enable the preview feature

-To enable this preview, modify your project's [bicepconfig.json](./bicep-config.md) file to include the following JSON:

-```json

-{

- "experimentalFeaturesEnabled": {

- "userDefinedTypes": true

- }

-}

-```

-| Microsoft.DynamicsLcs | [Lifecycle Services](https://lcs.dynamics.com/Logon/Index ) |

-

-

-

-

-

-

-

-

-* [Aggregation types in Azure Monitor](../azure-monitor/essentials/metrics-supported.md#microsoftsignalrservicesignalr )

-<kbd></kbd>

- <kbd></kbd>

-

-

-

-

-

-

-

-

- As part of extension installation, a user identity is created in the AKS cluster's Node Pool Resource Group. For the extension to access the storage account, you need to provide this identity the **Storage Account Contributor** role. To assign the required role, [run these command](azure-kubernetes-service-cluster-manage-backups.md#grant-permission-on-storage-account )

-3. **Enable Trusted Access**

-To use this feature, you must first [enable task dependencies](batch-task-dependencies.md#enable-task-dependencies

-) on your Batch job. Then, for each task that depends on another (or many others), you specify the tasks which that task depends on.

-Add a task collection to the job using the appropriate overload of the [AddTaskAsync](/dotnet/api/microsoft.azure.batch.cloudjob.addtaskasync) or [AddTask](/dotnet/api/microsoft.azure.batch.cloudjob.addtask

-) method. For example:

-| Alphanumeric Sender ID\** | Public Preview | - | - | - |

-| Alphanumeric Sender ID\** | Public Preview | - | - | - |

-| Alphanumeric Sender ID\* | Public Preview | - | - | - |

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-| Alphanumeric Sender ID\* | Public Preview | - | - | - |

-| Alphanumeric Sender ID\* | Public Preview\* | - | - | - |

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-| Alphanumeric Sender ID\** | Public Preview | - | - | - |

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-|Alphanumeric Sender ID\**|Public Preview|-|-|-|

-1. Complete the following procedure: [Add your custom domain name to Azure AD](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name-to-azure-ad).

- },

- "18_04-lts-gen2": {

- "offer": "UbuntuServer",

- "publisher": "Canonical",

- "sku": "18_04-lts-gen2",

- "version": "latest"

-verify_quote.sh https://<ledgername>.confidential-ledger.azure.com:443

-| [ASP.NET Core front-end with two back-end APIs on Azure Container Apps](https://github.com/Azure-Samples/dotNET-FrontEnd-to-BackEnd-on-Azure-Container-Apps )<br /> | This sample demonstrates ASP.NET Core 6.0 can be used to build a cloud-native application hosted in Azure Container Apps. |

-| [ASP.NET Core front-end with two back-end APIs on Azure Container Apps (with Dapr)](https://github.com/Azure-Samples/dotNET-FrontEnd-to-BackEnd-with-DAPR-on-Azure-Container-Apps )<br /> | Demonstrates how ASP.NET Core 6.0 is used to build a cloud-native application hosted in Azure Container Apps using Dapr. |

-You can also deploy a container group to an existing virtual network by using a YAML file, a [Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.containerinstance/aci-vnet

-), or another programmatic method such as with the Python SDK.

-| **Connection string** | `` |

-| JavaScript SDK v3 | 3.17.4-beta.1 | <https://www.npmjs.com/package/@azure/cosmos/v/3.17.4-beta.1/> |

-## Choosing between RU-based and vCore-based options

-Here are a few key factors to help you decide which is the right architecture for you:

-| Factor | RU-based | vCore-based |

-| -- | -- | -|

-| What do you want to do | &bull; Works well if you're trying to build new cloud-native MongoDB apps or refactor existing apps for all the benefits of a cloud-native offering | &bull; Works well if you're trying to lift and shift existing MongoDB apps and run them as-is on a fully supported managed service. |

-| What are your availability needs | &bull; Offers upto [99.999%](../high-availability.md#slas) of availability with multi-region deployments | &bull; Offers competitive SLA (once generally available) |

-| How do you want to scale | &bull; Offers limitless horizontal scalability, instantaneous scale up and granular throughput control. | &bull; Offers high-capacity vertical and horizontal scaling with familiar vCore-based cluster tier options to choose from. |

-| What are your top read & query patterns | &bull; Works well for workloads with more point reads *(fetching a single item by its ID and shard key value)* and lesser long running queries and complex aggregation pipeline operations. | &bull; Works irrespective of the operation types in your workload. Operations may include workloads with long-running queries, complex aggregation pipelines, distributed transactions, joins, etc. |

-There are differences between the offerings in the way the resources are assigned and billed on the platform:

-| Resource details | RU-based | vCore-based |

-| -- | -- | -|

-| How are the resources assigned | &bull; This option is a multi-tenant service that instantly assigns resources to the workload to meet its storage and throughput needs. <br/>&bull; Throughput uses the concept of [Request Units (RUs)](../request-units.md). | &bull; This option provides dedicated instances using preset CPU, memory and storage resources that scale to meet your needs. |

-| How are the resources billed | &bull; You pay variable fees for the RUs and consumed storage. <br/>&bull; RU charges are based on the choice of the model: provisioned throughput (standard or autoscale) or serverless. | &bull; You pay consistent flat fee based on the compute (CPU, memory and the number of nodes) and storage. |

-description: Use Azure Cosmos DB for MongoDB to store and query massive amounts of data using popular open-source drivers.

-# What is Azure Cosmos DB for MongoDB?

-[Azure Cosmos DB](../introduction.md) is a fully managed NoSQL and relational database for modern app development.

-Azure Cosmos DB for MongoDB makes it easy to use Azure Cosmos DB as if it were a MongoDB database. You can use your existing MongoDB skills and continue to use your favorite MongoDB drivers, SDKs, and tools by pointing your application to the connection string for your account using the API for MongoDB.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWXr4T]

-> [!TIP]

-> Want to try the Azure Cosmos DB for MongoDB with no commitment? Create an Azure Cosmos DB account using [Try Azure Cosmos DB](../try-free.md) for free.

-## Cosmos DB for MongoDB benefits

-Cosmos DB for MongoDB has numerous benefits compared to other MongoDB service offerings such as MongoDB Atlas:

-## How Cosmos DB for MongoDB works

-Cosmos DB for MongoDB implements the wire protocol for MongoDB. This implementation allows transparent compatibility with MongoDB client SDKs, drivers, and tools. Azure Cosmos DB doesn't host the MongoDB database engine. Any MongoDB client driver compatible with the API version you're using should be able to connect, with no special configuration.

-> [!IMPORTANT]

-> This article describes a feature of Azure Cosmos DB that provides wire protocol compatibility with MongoDB databases. Microsoft does not run MongoDB databases to provide this service. Azure Cosmos DB is not affiliated with MongoDB, Inc.

-### MongoDB feature compatibility

-Cosmos DB for MongoDB is compatible with the following MongoDB server versions:

-### Choosing a server version

-All versions run on the same codebase, making upgrades a simple task that can be completed in seconds with zero downtime. Azure Cosmos DB simply flips a few feature flags to go from one version to another. The feature flags also enable continued support for older API versions such as 3.2 and 3.6. You can choose the server version that works best for you.

-Not sure if your workload is ready? [Reach out to us](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR9aWEKTdeoxPpcB2ORTA2_1UQk44OEhBRjlIWjJMTUxLTzhJVVpPU0M4My4u) to leverage automated tooling to determine if you're ready to migrate to Cosmos DB for MongoDB.

-## What you need to know to get started

- - [Provisioned throughput](../set-throughput.md): Set a RU/sec number and change it manually. This model best fits consistent workloads.

- - [Autoscale](../provision-throughput-autoscale.md): Set an upper bound on the throughput you need. Throughput instantly scales to match your needs. This model best fits workloads that change frequently and optimizes their costs.

- - [Serverless](../serverless.md): Only pay for the throughput you use, period. This model best fits dev/test workloads.

-## Frequently asked questions

-1. Does Cosmos DB for MongoDB support my data residency requirements?

- Yes, data residency is governed at the database account level which is associated with one or more regions. Customers typically create a database account for each residency requirement. For example, if you have a requirement to store data in the US and EU, you would create two database accounts, one in the US and one in the EU.

-2. Does Cosmos DB for MongoDB support documents larger than 2 MB?

- Yes, documents as large as 16 MB are fully supported.

-3. Does Cosmos DB for MongoDB support multi-field sort?

- Yes, multi-field sort is supported. A compound index is required for the fields in the sort to ensure the operation is efficient and scalable.

-4. Does Cosmos DB for MongoDB scale linearly?

- In many cases, Cosmos DB's costs scale better than linear. For example, if you read a 1KB document, this equates to 1 Request Unit (RU). But if you read a 10KB document, this still equates to roughly 1RU. The [Cosmos DB capacity calculator](https://cosmos.azure.com/capacitycalculator/) can help you estimate your throughput needs.

-4. How can I encrypt data and manage access at the field level?

- Cosmos DB for MongoDB supports Field Level Encryption.

-5. How do I pay for Request Units (RUs)?

- Cosmos DB for MongoDB offers three capacity modes: provisioned throughput, autoscale, and serverless. **None require an upfront commitment**. Autoscale instantaneously scales to meet your needs, and serverless only charges for the throughput you use.

-6. Which features are supported in Cosmos DB for MongoDB?

- Cosmos DB for MongoDB supports a rich set of MongoDB features backed by Cosmos DB's limitless scale architecture. These features include: Aggregation pipelines, Change streams, Indexes, Geospatial queries, and more. See the [feature support matrix](feature-support-42.md) for more details. Not sure if your workload is ready? [Reach out to us](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR9aWEKTdeoxPpcB2ORTA2_1UQk44OEhBRjlIWjJMTUxLTzhJVVpPU0M4My4u) to leverage automated tooling to determine if you're ready to migrate to Cosmos DB for MongoDB.

-4. Does Cosmos DB for MongoDB run on-premises?

- Cosmos DB for MongoDB is a cloud-native multi-tenant service and is not available on-premises. Cosmos DB offers an [emulator for local development and testing](../local-emulator.md).

-## Next steps

-This document describes the various options to lift and shift your MongoDB workloads to Azure Cosmos DB for MongoDB vCore-based offering.

-You can use the native MongoDB tools such as *mongodump/mongorestore*, *mongoexport/mongoimport* to migrate datasets offline (without replicating live changes) to Azure Cosmos DB for MongoDB vCore-based offering.

-Vector search is a method that helps you find similar items based on their data characteristics rather than by exact matches on a property field. This technique is useful in applications such as searching for similar text, finding related images, making recommendations, or even detecting anomalies. It works by taking the vector representations (lists of numbers) of your data that you created by using a machine learning model by using or an embeddings API. Examples of embeddings APIs are [Azure OpenAI Embeddings](/azure/ai-services/openai/how-to/embeddings) or [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/). It then measures the distance between the data vectors and your query vector. The data vectors that are closest to your query vector are the ones that are found to be most similar semantically.

-By integrating vector search capabilities natively, you can unlock the full potential of your data in applications that are built on top of the OpenAI API. You can also create custom-built solutions that use vector embeddings.

-To add vectors to your database's collection, you first need to create the embeddings by using your own model, [Azure OpenAI Embeddings](../../../cognitive-services/openai/tutorials/embeddings.md), or another API (such as [Hugging Face on Azure](https://azure.microsoft.com/solutions/hugging-face-on-azure/)). In this example, new documents are added through sample embeddings:

-This guide demonstrates how to create a vector index, add documents that have vector data, perform a similarity search, and retrieve the index definition. By using vector search, you can efficiently store, index, and query high-dimensional vector data directly in Azure Cosmos DB for MongoDB vCore. Vector search enables you to unlock the full potential of your data via vector embeddings, and it empowers you to build more accurate, efficient, and powerful applications.

-When you have to [denormalize data across partitions and containers](model-partition-example.md#v2-introducing-denormalization-to-optimize-read-queries

-), you can read from your container's change feed as a source for this data replication. Real-time data replication with the change feed can guarantee only eventual consistency. You can [monitor how far the change feed processor lags behind](how-to-use-change-feed-estimator.md) in processing changes in your Azure Cosmos DB container.

-2. Initialize [`ChangeFeedProcessor`](/java/api/com.azure.cosmos.changefeedprocessor) with relevant configurations, including the host name, feed container, lease container, and data handling logic. The [`start()`](/java/api/com.azure.cosmos.changefeedprocessor#com-azure-cosmos-changefeedprocessor-start()) method initiates the data processing, enabling concurrent and real-time processing of incoming data changes from the feed container.

-distributed table. When specifying `shard_count` you canΓÇÖt specify a value of

-or colocation group, use the [alter_distributed_table](#alter_distributed_table

-function.

-**new_access_method:** (name) either ΓÇÿheapΓÇÖ for row-based storage, or

-ΓÇÿcolumnarΓÇÖ for columnar storage.

- hostname | port | database_name | connection_count_to_node

-You created managed private endpoint from ADF and obtained an approved private endpoint. But, after deleting or rejecting the private endpoint later, the managed private endpoint in ADF still persists to exist and shows ΓÇ£ApprovedΓÇ¥.

-"Failed to get service token from ADF service with key *************** and time cost is: 0.1250079 second, the error code is: InvalidGatewayKey, activityId is: XXXXXXX and detailed error message is Client IP address is not valid private ip Cause Data factory couldnΓÇÖt access the public network thereby not able to reach out to the cloud to make the successful connection."

-### Service private DNS zone overrides Azure Resource Manager DNS resolution causing ΓÇÿNot foundΓÇÖ error

-Both Azure Resource Manager and the service are using the same private zone creating a potential conflict on customerΓÇÖs private DNS with a scenario where the Azure Resource Manager records will not be found.

-3. Go to **Virtual network links**, delete all records.

-4. Navigate to your service in Azure portal and recreate the private endpoint for the portal.

-5. Go back to Private DNS zones, and check if there is a new private DNS zone **privatelink.adf.azure.com**.

-Please review [Recover deleted Key](../key-vault/general/key-vault-recovery.md?tabs=azure-portal#list-recover-or-purge-soft-deleted-secrets-keys-and-certificates ) and [Deleted Key Value](../key-vault/general/key-vault-recovery.md?tabs=azure-portal#list-recover-or-purge-a-soft-deleted-key-vault)

- If it isn't in the trusted root CA, [download it here](http://cacerts.digicert.com/DigiCertGlobalRootG2.crt ).

-

- :::image type="content" source="./media/quickstart-create-dev-box/add-dev-box.png" alt-text="Screenshot of the dialog for adding a dev box.":::

-4. Select **Add** to begin creating your dev box.

-5. Use the home page of the developer portal to track the progress of creation.

- :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-creating.png" alt-text="Screenshot of the developer portal that shows the dev box card with a status of Creating.":::

-After you provision a dev box, one way to access it quickly is through a browser:

-In this quickstart, you created a dev box through the developer portal and connected to it by using a browser. To learn how to connect to a dev box by using a Remote Desktop app, see [Tutorial: Use a Remote Desktop client to connect to a dev box](./tutorial-connect-to-dev-box-with-remote-desktop-app.md).

-> Microsoft Graph API's ability to send events to Azure Event Grid is currently in **private preview**. If you have questions or need support, please email us [mailto:ask-graph-and-grid@microsoft.com?subject=Support Request](<mailto:ask-graph-and-grid@microsoft.com?subject=Support Request>).

- Database](../stream-analytics/sql-database-output.md), [Azure Cosmos DB](../stream-analytics/azure-cosmos-db-output.md) ).

- - [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/schemaregistry/schema-registry-avro/samples )

- - [JavaScript](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/schemaregistry/schema-registry-avro/samples )

-

-| **[Telecom Italia Sparkle](https://www.tisparkle.com/our-platform/corporate-platform/sparkle-cloud-connect#catalogue)**| Equinix | Amsterdam |

-| **[QTS Data Centers](https://www.qtsdatacenters.com/hybrid-solutions/connectivity/azure-cloud )** | Megaport<br/>PacketFabric |

- Azure Firewall Premium provides advanced capabilities include signature-based IDPS to allow rapid detection of attacks by looking for specific patterns. These patterns can include byte sequences in network traffic, or known malicious instruction sequences used by malware. There are more than 58,000 signatures in over 50 categories that are updated in real time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks.

-|Direction |The traffic direction for which the signature is applied.<br>- **Inbound**: Signature is applied only on traffic arriving from the Internet and destined to your [configured private IP address range](#idps-private-ip-ranges).<br>- **Outbound**: Signature is applied only on traffic sent from your [configured private IP address range](#idps-private-ip-ranges) to the Internet.<br>- **Bidirectional**: Signature is always applied on any traffic direction.|

-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](../active-directory/roles/permissions-reference.md#global-secure-access-administrator).

-|[Azure Automation accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F56a5ee18-2ae6-4810-86f7-18e39ce5629b) |Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/automation-cmk](../../../automation/automation-secure-asset-encryption.md#:~:text=Secure assets in Azure Automation include credentials, certificates, connections,,Using Microsoft-managed keys). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_CMK_Audit.json) |

-|[Azure Automation accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.us/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F56a5ee18-2ae6-4810-86f7-18e39ce5629b) |Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at [https://aka.ms/automation-cmk](../../../automation/automation-secure-asset-encryption.md#:~:text=Secure assets in Azure Automation include credentials, certificates, connections,,Using Microsoft-managed keys). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/AutomationAccount_CMK_Audit.json) |

-|Ensure core dumps are restricted.<br />_(1.5.1) |Description: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see `limits.conf(5)` ). In addition, setting the `fs.suid_dumpable` variable to 0 will prevent setuid programs from dumping core. |Add `hard core 0` to /etc/security/limits.conf or a file in the limits.d directory and set `fs.suid_dumpable = 0` in sysctl or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-core-dumps' |

-If you are running HBase cluster v3.4, you might have been hit by a potential bug caused by upgrade of jdk to version 1.7.0_151. The symptom we see is region server process starts occupying close to 200% CPU (to verify this run the `top` command; if there is a process occupying close to 200% CPU get its pid and confirm it is region server process by running `ps -aux | grep` ).

-[Apache Livy](https://livy.incubator.apache.org/) configuration is supported. You can configure it in the **.VSCode\settings.json** file in the workspace folder. Currently, Livy configuration only supports Python script. For more information, see [Livy README](https://github.com/cloudera/livy/blob/master/README.rst ).

- >The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md).

- >The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md).

->The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md).

->The samples used in this tutorial are in the **v2** branch of the azure-iot-sdk-python repository. V3 of the Python SDK is available to use in beta. For information about updating V2 code samples to use a V3 release of the Python SDK, see [Azure IoT Device SDK for Python migration guide](https://github.com/Azure/azure-iot-sdk-python/blob/main/migration_guide_provisioning.md).

-

-Cross-region load balancer shares the [SLA](https://azure.microsoft.com/support/legal/sla/load-balancer/v1_0/ ) of standard load balancer.

-1. (Optional) You are able to configure algorithm settings. Visit this link for a {list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#supported-model-algorithms

-1. (Optional) You are able to configure algorithm settings. Visit this link for a {list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#supported-model-algorithms

-1. (Optional) You are able to configure algorithm settings. Visit this link for a {list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#supported-model-algorithms

-1. (Optional) You are able to configure algorithm settings. Visit this link for a {list of supported algorithms for computer vision.](../how-to-auto-train-image-models.md#supported-model-algorithms

-1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings

-1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings

-1. (Optional) Select the language your dataset consists of. Visit this link for a [full list of supported languages.](../how-to-auto-train-nlp-models.md#language-settings

-Review detailed code examples and use cases in the [GitHub notebook repository for automated machine learning samples](https://github.com/Azure/azureml-examples/tree/main/sdk/python/jobs/automl-standalone-jobs.

-* Starts encrypting the local scratch disk in your Azure Machine Learning compute cluster, provided you havenΓÇÖt created any previous clusters in that subscription. Else, you need to raise a support ticket to enable encryption of the scratch disk of your compute clusters.

-* The customer-managed key for resources the workspace depends on canΓÇÖt be updated after workspace creation.

-* Resources managed by Microsoft in your subscription canΓÇÖt transfer ownership to you.

-| Service | How itΓÇÖs used |

-* The `hbi_workspace` flag can only be set when a workspace is created. It canΓÇÖt be changed for an existing workspace.

-* When this flag is set to True, it may increase the difficulty of troubleshooting issues because less telemetry data is sent to Microsoft. ThereΓÇÖs less visibility into success rates or problem types. Microsoft may not be able to react as proactively when this flag is True.

-Reference for more available credentials if it doesn't work for you: [configure credential example](https://github.com/Azure/MachineLearningNotebooks/blob/master/configuration.ipynb), [azure-identity reference doc](/python/api/azure-identity/azure.identity?view=azure-python&preserve-view=true ).

- | Microsoft.Storage Azure | Storage Account is used as the default storage for the workspace.

-* The customer-managed key for resources the workspace depends on canΓÇÖt be updated after workspace creation.

-* Resources managed by Microsoft in your subscription canΓÇÖt transfer ownership to you.

-* [AciWebservice.deploy_configuration()](/python/api/azureml-core/azureml.core.webservice.aci.aciwebservice#deploy-configuration-cpu-cores-none--memory-gb-none--tags-none--properties-none--description-none--location-none--auth-enabled-none--ssl-enabled-none--enable-app-insights-none--ssl-cert-pem-file-none--ssl-key-pem-file-none--ssl-cname-none--dns-name-label-none--primary-key-none--secondary-key-none--collect-model-data-none--cmk-vault-base-url-none--cmk-key-name-none--cmk-key-version-none-) reference

-* [Where and how to deploy](how-to-deploy-online-endpoints.md)

-* [InferencingClientCallFailed](#error-inferencingclientcallfailed )

-* You can follow the [Configure required network traffic](../machine-learning/how-to-access-azureml-behind-firewall.md#scenario-use-kubernetes-compute ) to check the outbound proxy, make sure the cluster can connect to workspace.

-* `azureml-core` - [Install the Azure Machine Learning SDK (v1) for Python](/python/api/overview/azure/ml/install?view=azure-ml-py&preserve-view=true )

- Optionally, if you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS) as well, you need to provide the certificates in the same format as when creating the hybrid cluster. See Azure CLI sample below - the certificates are provided in the `--client-certificates` parameter. This will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit cassandra.yaml settings). Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options )).

-If you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS), you need to provide the certificates via Azure CLI. The below command will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit `cassandra.yaml` settings). Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options )).

-If you want to implement client-to-node certificate authentication or mutual Transport Layer Security (mTLS), you need to provide the certificates via Azure CLI. The below command will upload and apply your client certificates to the truststore for your Cassandra Managed Instance cluster (i.e. you do not need to edit `cassandra.yaml` settings). Once applied, your cluster will require Cassandra to verify the certificates when a client connects (see `require_client_auth: true` in Cassandra [client_encryption_options](https://cassandra.apache.org/doc/latest/cassandra/configuration/cass_yaml_file.html#client_encryption_options )).

- > - If you selected private endpoint as the connectivity method for the Azure Migrate project, grant the Recovery Services vault access to the cache storage account. [**Learn more**](migrate-servers-to-azure-using-private-link.md#grant-access-permissions-to-the-recovery-services-vault )

-[!code-azurecli-interactive[main](../../../cli_scripts/load-balancer/load-balance-multiple-web-sites-vm/load-balance-multiple-web-sites-vm.sh "Load balance multiple web sites")]

-> The following feature is available in preview:

-> Availability zones support will incur an additional cost on top of existing tier pricing. You will not be charged to preview the feature. Once it becomes generally available, you are automatically billed.

-| PG bouncer support | No | Yes (New Servers) |

-The concept of quotas is designed to help protect customers from things like inaccurately resourced deployments and mistaken consumption. For Azure, it helps minimize risks from deceptive or inappropriate consumption and unexpected demand. Quotas are set and enforced in the scope of the [subscription](/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings.

- - [Oracle on Azure architecture design](/azure/architecture/solution-ideas/articles/oracle-on-azure-start-here )

-[GitHub repository: SAP on Azure Deployment Automation Framework](https://github.com/Azure/sap-automation )

- All analyzers with names annotated with **Lucene** are powered by [Apache Lucene's language analyzers](https://lucene.apache.org/core/6_6_1/core/overview-summary.html ).

-|  | [**Agolo**](https://www.agolo.com) is the leading summarization engine for enterprise use. AgoloΓÇÖs AI platform analyzes hundreds of thousands of media articles, research documents and proprietary information to give each customer a summary of key points specific to their areas of interest. </br></br>Our partnership with Microsoft combines the power and adaptability of the Azure Cognitive Search platform, integrated with Agolo summarization. Rather than typical search engine snippets, the results page displays contextually relevant Agolo summaries, instantly enabling the user to determine the relevance of that document to their specific needs. The impact of summarization-powered search is that users find more relevant content faster, enabling them to do their job more effectively and gaining a competitive advantage. | [Product page](https://www.agolo.com/microsoft-azure-cognitive-search ) |

-|  | [**Enlighten Designs**](https://www.enlighten.co.nz) is an award-winning innovation studio that has been enabling client value and delivering digitally transformative experiences for over 22 years. We are pushing the boundaries of the Microsoft technology toolbox, harnessing Cognitive Search, application development, and advanced Azure services that have the potential to transform our world. As experts in Power BI and data visualization, we hold the titles for the most viewed, and the most downloaded Power BI visuals in the world and are MicrosoftΓÇÖs Data Journalism agency of record when it comes to data storytelling. | [Product page](https://www.enlighten.co.nz/Services/Data-Visualisation/Azure-Cognitive-Search) |

-The following example (from [azure-search-dotnet-samples/multiple-data-sources/](https://github.com/Azure-Samples/azure-search-dotnet-samples/blob/master/multiple-data-sources/v11/src/Program.cs)) illustrates the [**ResetIndexers**](/dotnet/api/azure.search.documents.indexes.searchindexerclient.resetindexer) and [**RunIndexers**](/dotnet/api/azure.search.documents.indexes.searchindexerclient.runindexer) methods in the Azure .NET SDK.

-|[Install Service Fabric Runtime for Windows](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.9.1.1833.9590.exe) | 9.1.1833 |

-|[Install Service Fabric SDK](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabricSDK.6.1.1833.msi) | 6.1.1833 |

-| 9.1 CU5<br>9.1.1833.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version |

-| 9.1 CU4<br>9.1.1799.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version |

-| 9.1 CU3<br>9.1.1653.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version |

-| 9.1 CU2<br>9.1.1583.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 7, .NET 6, All, <br> >= .NET Framework 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version |

-| 9.1 CU1<br>9.1.1436.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version |

-| 9.1 RTO<br>9.1.1390.9590 | 8.2 CU6<br>8.2.1686.9590 | 8.2 | Less than or equal to version 6.0 | .NET 6.0 (GA), >= .NET Core 3.1, <br>All >= .NET Framework 4.5 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version |

-| 9.1 CU5<br>9.1.1625.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

-| 9.1 CU4<br>9.1.1592.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

-| 9.1 CU3<br>9.1.1457.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

-| 9.1 CU2<br>9.1.1388.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | .NET 7, .NET 6, All | N/A | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

-| 9.1 CU1<br>9.1.1230.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

-| 9.1 RTO<br>9.1.1206.1 | 8.2 CU6<br>8.2.1485.1 | 8.2 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

-> While you can modify the schema of a key, you must ensure that your key's hash code and equals algorithms are stable. If you change how either of these algorithms operate, you will not be able to look up the key within the reliable dictionary ever again.

-Alternatively, you can perform what is typically referred to as a two upgrade. With a two-phase upgrade, you upgrade your service from V1 to V2: V2 contains the code that knows how to deal with the new schema change but this code doesn't execute. When the V2 code reads V1 data, it operates on it and writes V1 data. Then, after the upgrade is complete across all upgrade domains, you can somehow signal to the running V2 instances that the upgrade is complete. (One way to signal this is to roll out a configuration upgrade; this is what makes this a two-phase upgrade.) Now, the V2 instances can read V1 data, convert it to V2 data, operate on it, and write it out as V2 data. When other instances read V2 data, they do not need to convert it, they just operate on it, and write out V2 data.

-20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic |

-22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic |

-SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.136-azure:5 |

-SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.52-azure:4 |

-You have insufficient permissions to create an application in Azure Active Directory (AAD) using the [Open Virtualization Application (OVA)](vmware-azure-deploy-configuration-server.md#deploy-a-configuration-server-through-an-ova-template

-) template.

-> [!NOTE]

-> Config Server uses RSA keys with SHA-1 signatures for now. If you're using GitHub, for RSA public keys added to GitHub before November 2, 2021, the corresponding private key is supported. For RSA public keys added to GitHub after November 2, 2021, the corresponding private key is not supported, and we suggest using basic authentication instead.

- > [!NOTE]

- > You must enable VMware Spring Cloud Gateway when you provision your Azure Spring Apps service instance. You cannot enable VMware Spring Cloud Gateway after provisioning.

- > [!NOTE]

- > You must enable VMware Spring Cloud Gateway when you provision your Azure Spring Apps service instance. You can't enable VMware Spring Cloud Gateway after provisioning.

-[Application Configuration Service for VMware Tanzu](https://docs.pivotal.io/tcs-k8s/0-1/) is one of the commercial VMware Tanzu components. It enables the management of Kubernetes-native `ConfigMap` resources that are populated from properties defined in one or more Git repositories.

- > [!NOTE]

- > To use Tanzu Service Registry, you must enable it when you provision your Azure Spring Apps service instance. You cannot enable it after provisioning at this time.

- > [!NOTE]

- > You must enable VMware Spring Cloud Gateway when you provision your Azure Spring Apps service instance. You can't enable VMware Spring Cloud Gateway after provisioning.

- > [!NOTE]

- > To use API portal, you must enable it when you provision your Azure Spring Apps service instance. You cannot enable it after provisioning at this time.

- > [!NOTE]

- > To use Spring Cloud Gateway, you must enable it when you provision your Azure Spring Apps service instance. You cannot enable it after provisioning at this time.

-)

-)

-## Next steps

-Now you can create a storage pool and persistent volume claim, and then deploy a pod and attach a persistent volume. Depending on the back-end storage type you want to use, follow the steps in the appropriate how-to article.

-## Delete the original pod

-Before you create a new pod, you'll need to delete the original pod that you created the snapshot from.

-1. Run `kubectl get pods` to list the pods. Make sure you're deleting the right one.

-Once you've deleted the original pod, you can create a new pod using the restored persistent volume claim. Create the pod using [Fio](https://github.com/axboe/fio) (Flexible I/O Tester) for benchmarking and workload simulation, and specify a mount path for the persistent volume.

-Run the following commands to get these values:

-$connectVolume = Get-AzElasticSanVolume -ResourceGroupName $resourceGroupName -ElasticSanName $sanName -VolumeGroupName $searchedVolumeGroup -Name $searchedVolume

-1. Download the [HelloWorldASA-InputStream.json](https://github.com/Azure/azure-stream-analytics/blob/master/Samples/GettingStarted/HelloWorldASA-InputStream.json

-) from GitHub.

-> [!IMPORTANT]

-> Azure Virtual Desktops Insights support for the Azure Monitor Agent is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Windows Event Logs are data sources collected by either the Log Analytics Agent or the Azure Monitor Agent (preview) on Windows virtual machines. You can collect events from standard logs like System and Application as well as custom logs created by applications you need to monitor.

-> [!IMPORTANT]

-> Azure Virtual Desktops Insights support for the Azure Monitor Agent is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Windows Event Logs are data sources collected by either the Log Analytics agents or the Azure Monitor Agent (preview) on Windows virtual machines. You can collect events from standard logs like System and Application as well as custom logs created by applications you need to monitor.

-> [!IMPORTANT]

-> Azure Virtual Desktops Insights support for the Azure Monitor Agent is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-# [Azure Monitor Agent (preview)](#tab/monitor)

-To collect information on your Azure Virtual Desktop session hosts, you must configure a [Data Collection Rule (DCR)](../azure-monitor/essentials/data-collection-rule-overview.md) to collect performance data and Windows Event Logs, associate the session hosts with the DCR, install the Azure Monitor Agent on all session hosts in host pools you're collecting data from, and ensure the session hosts are sending data to a Log Analytics workspace.

-The Log Analytics workspace you send session host data to doesn't have to be the same one you send diagnostic data to.

-To configure a DCR and select a Log Analytics workspace destination using the configuration workbook:

-1. Select the **Session host data settings** tab in the configuration workbook.

-1. Select the **Log Analytics workspace** you want to send session host data to.

-1. If you haven't already created a resource group for the DCR, select **Create a resource group** to create one.

-1. If you haven't already configured a DCR, select **Create data collection rule** to automatically configure the DCR using the configuration workbook.

-#### Session hosts

-You need to install the Azure Monitor Agent on all session hosts in the host pool and send data from those hosts to your selected Log Analytics workspace. If the session hosts don't all meet the requirements, you'll see a **Session hosts** section at the top of **Session host data settings** with the message *Some hosts in the host pool are not sending data to the selected Log Analytics workspace.*

->[!NOTE]

-> If you don't see the **Session hosts** section or error message, all session hosts are set up correctly. Automated deployment is limited to 1000 session hosts or fewer.

-To set up your remaining session hosts using the configuration workbook:

-1. Select the DCR you're using for data collection.

-1. Select **Deploy association** to create the DCR association.

-1. Select **Add extension** to deploy the Azure Monitor Agent.

-1. Select **Add system managed identity** to configure the required [managed identity](../azure-monitor/agents/azure-monitor-agent-manage.md#prerequisites).

->[!NOTE]

->For larger host pools (over 1,000 session hosts) or if you encounter deployment issues, we recommend you [install the Azure Monitor Agent](../azure-monitor/agents/azure-monitor-agent-manage.md#install) when you create a session host by using an Azure Resource Manager template.

-> [!IMPORTANT]

-> Azure Virtual Desktops Insights support for the Azure Monitor Agent is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

->[The Log Analytics Agent is currently being deprecated](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). While Azure Virtual Desktop Insights currently uses the Log Analytics Agent for Azure Virtual Desktop support, you'll eventually need to migrate to the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) by August 31, 2024.

-# [Log Analytics agent](#tab/analytics)

- - [Azure Monitor Outgoing ports](../azure-monitor/app/ip-addresses.md)

- - [Log Analytics Firewall Requirements](../azure-monitor/agents/log-analytics-agent.md#firewall-requirements).

-# [Azure Monitor Agent (preview)](#tab/monitor)

-# [Log Analytics agent](#tab/analytics)

-If you want to monitor more Performance counters or Windows Event Logs, you can enable them to send diagnostics info to your Log Analytics workspace and monitor them in **Host Diagnostics: Host browser**.

-Can't find a data point to help diagnose an issue? Send us feedback!

-# [Azure Monitor Agent (preview)](#tab/monitor)

-If this article doesn't have the data point you need to resolve an issue, you can send us feedback at the following places:

-| Redhat | RHEL | 8, 8.1, 81gen2, 8.2, 82gen2, 8_3, 83-gen2, 8_4, 84-gen2, 8_5, 85-gen2, 8_6, 86-gen2, 8-lvm, 8-lvm-gen2 |

-# Basv2-series (Public Preview)

-# Bsv2-series (Public Preview)