+ - [Test-API2AAD.postman_environment.json](https://github.com/AzureAD/entra-id-inbound-provisioning/blob/main/Postman/Test-API2AAD.postman_environment.json) (Environment collection for API-driven provisioning to Azure AD)-

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**.

+Azure Active Directory (Azure AD) has an Application Proxy service that enables users to access on-premises applications by signing in with their Azure AD account. To learn more about Application Proxy, see [What is App Proxy?](what-is-application-proxy.md). This tutorial prepares your environment for use with Application Proxy. Once your environment is ready, use the Entra admin center to add an on-premises application to your tenant.

+Before you get started, make sure you're familiar with app management and **single sign-on (SSO)** concepts. Check out the following links:

+- [What is single sign-on (SSO)?](../manage-apps/what-is-single-sign-on.md)

+* User identities must be synchronized from an on-premises directory or created directly within your Azure AD tenants. Identity synchronization allows Azure AD to preauthenticate users before granting them access to App Proxy published applications and to have the necessary user identifier information to perform single sign-on (SSO).

+To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You install the Application Proxy connector on the server. This connector server needs to connect to the Application Proxy services in Azure, and the on-premises applications that you plan to publish.

+> If you're installing the connector on Windows Server 2019, you must disable HTTP2 protocol support in the WinHttp component for Kerberos Constrained Delegation to properly work. This is disabled by default in earlier versions of supported operating systems. Adding the following registry key and restarting the server disables it on Windows Server 2019. Note that this is a machine-wide registry key.

+> Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the C).

+You can allow connections to `*.msappproxy.net`, `*.servicebus.windows.net`, and other URLs if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and Service Tags - Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week.

+Public DNS records for Azure AD Application Proxy endpoints are chained CNAME records pointing to an A record. Setting up the records this way ensures fault tolerance and flexibility. ItΓÇÖs guaranteed that the Azure AD Application Proxy Connector always accesses host names with the domain suffixes `*.msappproxy.net` or `*.servicebus.windows.net`. However, during the name resolution the CNAME records might contain DNS records with different host names and suffixes. Due to the difference, you must ensure that the device (depending on your setup - connector server, firewall, outbound proxy) can resolve all the records in the chain and allows connection to the resolved IP addresses. Since the DNS records in the chain might be changed from time to time, we can't provide you with any list DNS records.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**.

+If you choose to have more than one Windows server for your on-premises applications, you need to install and register the connector on each server. You can organize the connectors into connector groups. For more information, see [Connector groups](./application-proxy-connector-groups.md).

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Select your username in the upper-right corner. Verify you're signed in to a directory that uses Application Proxy. If you need to change directories, select **Switch directory** and choose a directory that uses Application Proxy.

+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Application proxy**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select **New application**.

+1. Select **Add an on-premises application** button, which appears about halfway down the page in the **On-premises applications** section. Alternatively, you can select **Create your own application** at the top of the page and then select **Configure Application Proxy for secure remote access to an on-premises application**.

+1. In the **Add your own on-premises application** section, provide the following information about your application:

+ | **Name** | The name of the application that appears on My Apps and in the Azure portal. |

+1. If necessary, configure **Additional settings**. For most applications, you should keep these settings in their default states.

+ | **Backend Application Timeout** | Set this value to **Long** only if your application is slow to authenticate and connect. At default, the backend application timeout has a length of 85 seconds. When set too long, the backend timeout is increased to 180 seconds. |

+ | **Use HTTP-Only Cookie** | Select to have Application Proxy cookies include the HTTPOnly flag in the HTTP response header. If using Remote Desktop Services, keep the option unselected. |

+ | **Use Persistent Cookie**| Keep the option unselected. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see [Cookie settings for accessing on-premises applications in Azure Active Directory](./application-proxy-configure-cookie-settings.md).

+ | **Translate URLs in Headers** | Keep the option selected unless your application required the original host header in the authentication request. |

+ | **Translate URLs in Application Body** | Keep the option unselected unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see [Link translation with Application Proxy](./application-proxy-configure-hard-coded-link-translation.md).<br><br>Select if you plan to monitor this application with Microsoft Defender for Cloud Apps. For more information, see [Configure real-time application access monitoring with Microsoft Defender for Cloud Apps and Azure Active Directory](./application-proxy-integrate-with-microsoft-cloud-application-security.md). |

+1. Select **Add**.

+You're ready to test the application is added correctly. In the following steps, you add a user account to the application, and try signing in.

+Don't forget to delete any of the resources you created in this tutorial when you're done.

+## Next steps

+[Enable passwordless sign-in with Microsoft Authenticator](howto-authentication-passwordless-phone.md)

+To check settings in the Authentication methods policy, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) and browse to **Protection** > **Authentication methods** > **Policies**. A new tenant has all methods **Off** by default, which makes migration easier because legacy policy settings don't need to be merged with existing settings.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** >

+| My Apps portal | ΓùÅ |Not available|

+The above mentioned Microsoft apps support SMS sign-in is because they use the Microsoft Identity login (`https://login.microsoftonline.com/`), which allows users to enter phone number and SMS code.

+For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Company portal, and Microsoft Azure) don't support SMS sign-in.

+| Native mobile Microsoft apps (except Microsoft Teams, Company portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, SharePoint, Power Apps, Word, etc.|

+You can configure CAs by using the Microsoft Entra admin center or PowerShell.

+### Configure certification authorities using the Microsoft Entra admin center

+To enable the certificate-based authentication and configure user bindings in the Microsoft Entra admin center, complete the following steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Certifacte-based authentication**.

+To enable the certificate-based authentication in the Microsoft Entra admin center, complete the following steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Certificate-based Authentication**.

+To enable Azure AD CBA and configure user bindings in the Microsoft Entra admin center, complete the following steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Policies**.

+- Your organization needs to enable Microsoft Authenticator passwordless and push notifications for some users or groups by using the new Authentication methods policy. You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API.

+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.

+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.

+Inside the **includeTarget** for each featureSetting, change the **id** from **all_users** to the ObjectID of the group from the Microsoft Entra admin center.

+In addition, for each of the features, you'll change the id of the excludeTarget to the ObjectID of the group from the Microsoft Entra admin center. This change excludes that group from seeing application name or geographic location.

+## Enable additional context in the Microsoft Entra admin center

+To enable application name or geographic location in the Microsoft Entra admin center, complete the following steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Microsoft Authenticator**.

+>- On June 26, the Microsoft managed value of this feature changed from **Disabled** to **Enabled** in the Authentication methods policy. If you no longer wish for this feature to be enabled, move the state from **Default** to **Disabled** or scope it to only a group of users.

+>- Starting September 18, Authenticator Lite will be enabled as part of the **Notification through mobile app* verification option in the per-user MFA policy. If you don't want this feature enabled, you can disable it in the Authentication methods policy following the steps below.

+- Your organization needs to enable Microsoft Authenticator (second factor) push notifications for all users or select groups. We recommend enabling Microsoft Authenticator by using the modern [Authentication methods policy](concept-authentication-methods-manage.md#authentication-methods-policy). You can edit the Authentication methods policy by using the Microsoft Entra admin center or Microsoft Graph API. Organizations with an active MFA server are not eligible for this feature.

+### Disabling Authenticator Lite in the Microsoft Entra admin center

+To disable Authenticator Lite in the Microsoft Entra admin center, complete the following steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Microsoft Authenticator**.

+2. On the **Enable and Target** tab, click **Enable** and **All users** to enable the Authenticator policy for everyone or add select groups. Set the Authentication mode for these users/groups to **Any** or **Push**.

+ Users who aren't enabled for Microsoft Authenticator can't see the feature. Users who have Microsoft Authenticator downloaded on the same device Outlook is downloaded on will not be prompted to register for Authenticator Lite in Outlook. Android users utilizing a personal and work profile on their device may be prompted to register if Authenticator is present on a different profile from the Outlook application.

+ <img width="1112" alt="Microsoft Entra admin center Authenticator settings" src="https://user-images.githubusercontent.com/108090297/228603771-52c5933c-f95e-4f19-82db-eda2ba640b94.png">

+3. On the **Configure** tab, for **Microsoft Authenticator on companion applications**, change Status to **Disabled**, and click **Save**.

+ <img width="664" alt="Authenticator Lite configuration settings" src="https://user-images.githubusercontent.com/108090297/228603364-53f2581f-a4e0-42ee-8016-79b23e5eff6c.png">

+ >[!NOTE]

+ > If your organization still manages authentication methods in the per-user MFA policy, you need to disable *Notification through mobile app* as a verification option there in addition to the preceding steps. We recommend doing this only after you enable Microsoft Authenticator in the Authentication methods policy. You can contine to manage the remainder of your authentication methods in the per-user MFA policy while Microsoft Authenticator is managed in the modern Authentication methods policy. However, we recommend [migrating](how-to-authentication-methods-manage.md) management of all authentication methods to the modern Authentication methods policy. The ability to manage authentication methods in the per-user MFA policy will be retired September 30, 2024.

+You can nudge users to set up Microsoft Authenticator during sign-in. Users go through their regular sign-in, perform multifactor authentication as usual, and then get prompted to set up Microsoft Authenticator. You can include or exclude users or groups to control who gets nudged to set up the app. This allows targeted campaigns to move users from less secure authentication methods to Authenticator.

+You can also define how many days a user can postpone, or "snooze," the nudge. If a user taps **Not now** to postpone the app setup, they get nudged again on the next MFA attempt after the snooze duration has elapsed. Users with free and trial subscriptions can postpone the app setup up to three times.

+- Your organization must have enabled Azure AD Multi-Factor Authentication. Every edition of Azure AD includes Azure AD Multi-Factor Authentication. No other license is needed for a registration campaign.

+## Enable the registration campaign policy using the Microsoft Entra admin center

+To enable a registration campaign in the Microsoft Entra admin center, complete the following steps:

+In addition to using the Microsoft Entra admin center, you can also enable the registration campaign policy using Graph Explorer. To enable the registration campaign policy, you must use the Authentication Methods Policy using Graph APIs. **Global Administrators** and **Authentication Method Policy Administrators** can update the policy.

+ If you want to include ALL users in your tenant, [download this JSON](https://download.microsoft.com/download/1/4/E/14E6151E-C40A-42FB-9F66-D8D374D13B40/All%20Users%20Enabled.json) and paste it in Graph Explorer and run `PATCH` on the endpoint.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+**How long does the campaign run for?**

+You can enable the campaign for as long as you like. Whenever you want to be done running the campaign, use the admin center or APIs to disable the campaign.

+**If a user just went through MFA registration, are they nudged in the same sign-in session?**

+Users in organizations with free and trial subscriptions can postpone the app setup up to three times. There is no way to hide the snooze option on the nudge for organizations with paid subscriptions yet. You can set the snoozeDuration to 0, which ensures that users see the nudge during each MFA attempt.

+No. The nudge only works for users who are doing MFA using the Azure AD Multi-Factor Authentication service.

+To access the Audit logs in the Microsoft Entra admin center to view details of MFA Server to Azure MFA user migrations, follow these steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).

+1. Browse to **Identity** > **Monitoring & health** > **Audit logs**. To filter the logs, click **Add filters**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication Methods** > **Activity**.

+You can access the **Registration** tab to show the number of users capable of multi-factor authentication, passwordless authentication, and self-service password reset.

+The [Microsoft Entra admin center](https://entra.microsoft.com) has a passwordless methods wizard that will help you to select the appropriate method for each of your audiences. If you haven't yet determined the appropriate methods, see [https://aka.ms/passwordlesswizard](https://aka.ms/passwordlesswizard), then return to this article to continue planning for your selected methods. **You need administrator rights to access this wizard.**

+| Test rolling back phone sign-in registration by turning off passwordless sign-in in the Authenticator app. Do this within the Authentication methods screen in the [Microsoft Entra admin center](https://entra.microsoft.com)| Previously enabled users unable to use passwordless sign-in from the Authenticator app. |

+| Test rolling back FIDO2 device registration by turning off FIDO2 Security Keys within the Authentication method window in the [Microsoft Entra admin center](https://entra.microsoft.com)| Users will: <li> be prompted to sign in using their security key <li> successfully sign in and see an error: "Your company policy requires that you use a different method to sign in". <li>be able to select a different method and successfully sign in. Close the window and sign in again to verify they do not see the same error message. |

+To manage your user's passwordless authentication methods in the [Microsoft Entra admin center](https://entra.microsoft.com), select your user account, and then select Authentication methods.

+Rolling back requires the administrator to sign in to the [Microsoft Entra admin center](https://entra.microsoft.com), select the desired strong authentication methods, and change the enable option to No. This process turns off the passwordless functionality for all users.

+**Azure AD keeps most auditing data for 30 days** and makes the data available by using the [Microsoft Entra admin center](https://entra.microsoft.com) or API for you to download into your analysis systems. If you require longer retention, export and consume logs in a SIEM tool such as [Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md), Splunk, or Sumo Logic. We recommend longer retention for auditing, trend analysis, and other business needs as applicable

+The **Registration** tab shows the number of users capable of passwordless authentication as well as other authentication methods. This tab displays two graphs:

+The **Usage** tab shows the sign-ins by authentication method.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Policies**.

+To delete an enrolled security key, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com), and then go to the **Security info** page.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Authentication method policy**.

+- **Allow self-service set up** should remain set to **Yes**. If set to no, your users won't be able to register a FIDO key through MySecurityInfo, even if enabled by Authentication Methods policy.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) and search for the user account from which the FIDO key is to be removed.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Policies**.

+This article shows you how to enable and use a Temporary Access Pass in Azure AD using the the [Microsoft Entra admin center](https://entra.microsoft.com).

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods** > **Policies**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Authentication methods**.

+1. Select **Temporary Access Pass**.

+During preview, you currently need *Global Administrator* permissions to enable sign-in with email as an alternate login ID. You can use either Microsoft Entra admin center or Graph PowerShell to set up the feature.

+### Microsoft Entra admin center

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+ 

+ 

+With the policy applied, it can take up to one hour to propagate and for users to be able to sign in using their alternate login ID.

+### Configure Azure AD Multi-Factor Authentication Trusted IPs with federated users

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Conditional Access** > **Named locations**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Conditional Access** > **Named locations**.

+ 

+NPS extension and AD FS logs for cloud MFA activity are now included in the [Sign-in logs](../reports-monitoring/concept-sign-ins.md), and no longer published to the **Activity report**.

+| **HTTPS_COMMUNICATION_ERROR** | The NPS server is unable to receive responses from Azure AD MFA. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and that TLS 1.2 is enabled (default). If TLS 1.2 is disabled, user authentication fails and event ID 36871 with source SChannel is entered in the System log in Event Viewer. To verify TLS 1.2 is enabled, see [TLS registry settings](/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings). |

+| **NPS Extension for Azure AD MFA (AccessReject):** <br> NPS Extension for Azure AD MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessReject, ignoring request. | This error usually reflects an authentication failure in AD or that the NPS server is unable to receive responses from Azure AD. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and `https://login.microsoftonline.com` using ports 80 and 443. It's also important to check that on the DIAL-IN tab of Network Access Permissions, the setting is set to "control access through NPS Network Policy". This error can also trigger if the user isn't assigned a license. |

+| **NPS Extension for Azure AD MFA (AccessChallenge):** <br> NPS Extension for Azure AD MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessChallenge, ignoring request. | This response is used when additional information is required from the user to complete the authentication or authorization process. The NPS server sends a challenge to the user, requesting further credentials or information. It usually precedes an Access-Accept or Access-Reject response. |

+| **REQUEST_FORMAT_ERROR** <br> Radius Request missing mandatory Radius userName\Identifier attribute. Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed in NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive radius requests. NPS Extension doesn't work when installed over such installations and errors out since it can't read the details from the authentication request. |

+| **USERNAME_CANONICALIZATION_ERROR** | Verify that the user is present in your on-premises Active Directory instance, and that the NPS Service has permissions to access the directory. If you use forest trusts, [contact support](#contact-microsoft-support) for further help. |

+| **Challenge requested in Authentication Ext for User** | Organizations using a RADIUS protocol other than PAP see user VPN authorization failing with these events appearing in the AuthZOptCh event log of the NPS Extension server. You can configure the NPS Server to support PAP. If PAP isn't an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications. For further help, please check [Number matching using NPS Extension](how-to-mfa-number-match.md#nps-extension). |

+| **ALTERNATE_LOGIN_ID_ERROR** | Error: userObjectSid lookup failed | Verify that the user exists in your on-premises Active Directory instance. If you use forest trusts, [contact support](#contact-microsoft-support) for further help. |

+| **AccessDenied** | Caller tenant doesn't have access permissions to do authentication for the user | Check whether the tenant domain and the domain of the user principal name (UPN) are the same. For example, make sure that user@contoso.com is trying to authenticate to the Contoso tenant. The UPN represents a valid user for the tenant in Azure. |

+| **AuthenticationMethodNotSupported** | Specified authentication method isn't supported. | Collect all your logs that include this error, and [contact support](#contact-microsoft-support). When you contact support, provide the username and the secondary verification method that triggered the error. |

+| **BecAccessDenied** | MSODS Bec call returned access denied, probably the username isn't defined in the tenant | The user is present in Active Directory on-premises but isn't synced into Azure AD by AD Connect. Or, the user is missing for the tenant. Add the user to Azure AD and have them add their verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). |

+| **OathCodePinIncorrect** | Wrong code and pin entered. | This error isn't expected in the NPS extension. If your user encounters this, [contact support](#contact-microsoft-support) for troubleshooting help. |

+| **ProofDataNotFound** | Proof data was not configured for the specified authentication method. | Have the user try a different verification method, or add a new verification method according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). If the user continues to see this error after you confirmed that their verification method is set up correctly, [contact support](#contact-microsoft-support). |

+| **SMSAuthFailedWrongCodePinEntered** | Wrong code and pin entered. (OneWaySMS) | This error isn't expected in the NPS extension. If your user encounters this, [contact support](#contact-microsoft-support) for troubleshooting help. |

+| **TenantIsBlocked** | Tenant is blocked | [Contact support](#contact-microsoft-support) with the *Tenant ID* from the Azure AD properties page in the Microsoft Entra admin center. |

+| **AuthenticationThrottled** | Too many attempts by user in a short period of time. Throttling. | Microsoft may limit repeated authentication attempts that are performed by the same user in a short period of time. This limitation doesn't apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes. |

+| **AuthenticationMethodLimitReached** | Authentication Method Limit Reached. Throttling. | Microsoft may limit repeated authentication attempts that are performed by the same user using the same authentication method type in a short period of time, specifically Voice call or SMS. This limitation doesn't apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes.|

+| **InvalidParameter** | The provided TenantId isn't in correct format |

+If you need additional help, contact a support professional through [MFA support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, the ID of the user who saw the error, and debug logs.

+### Obtain the directory tenant ID

+As part of the configuration of the NPS extension, you must supply administrator credentials and the ID of your Azure AD tenant. To get the tenant ID, complete the following steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Browse to **Identity** > **Settings**.

+ 

+If the configuration is not working as expected, the first place to start to troubleshoot is to verify that the user is configured to use Azure AD MFA. Have the user sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). If users are prompted for secondary verification and can successfully authenticate, you can eliminate an incorrect configuration of Azure AD MFA.

+### Obtain the directory tenant ID

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Browse to **Identity** > **Settings**.

+ 

+If the configuration is not working as expected, begin troubleshooting by verifying that the user is configured to use MFA. Have the user sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). If the user is prompted for secondary authentication and can successfully authenticate, you can eliminate an incorrect configuration of MFA as an issue.

+### Obtain the directory tenant ID

+As part of the configuration of the NPS extension, you must supply administrator credentials and the ID of your Azure AD tenant. To get the tenant ID, complete the following steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Browse to **Identity** > **Settings**.

+ 

+Before you install the NPS extension, prepare your environment to handle the authentication traffic.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator).

+1. Browse to **Protection** > **Multifactor authentication** and enable for the test account.

+1. PowerShell prompts for your tenant ID. Use the *Tenant ID* GUID that you copied in the prerequisites section.

+1. For Azure Government customers, set the following key values:

+If for any reason the "Azure Multi-Factor Auth Client" service principal was not created in the tenant, it can be manually created by running the `New-MsolServicePrincipal` cmdlet as shown below.

+Once done, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). Browse to **Identity** > **Applications** > **Enterprise applications** > and search for "Azure Multi-Factor Auth Client". Then click **Check properties for this app**. Confirm if the service principal is enabled or disabled. Click the application entry > **Properties**. If the option **Enabled for users to sign-in?** is set to **No**, set it to **Yes**.

+Run the `AzureMfaNpsExtnConfigSetup.ps1` script again and it should not return the **Service principal was not found** error.

+description: Learn how to configure settings for Azure MFA Server

+This article helps you to manage Azure MFA Server settings.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).

+1. Browse to **Protection** > **Multifactor authentication** > **One-time bypass**.

+You can add authentication methods for a user by using the Microsoft Entra admin center or Microsoft Graph.

+To add authentication methods for a user in the Microsoft Entra admin center:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+ :::image type="content" source="media/howto-mfa-userdevicesettings/manage-authentication-methods-in-azure.png" alt-text="Manage authentication methods from the Microsoft Entra admin center":::

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+1. Select **Multi-Factor Authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location:

+To view and manage user states, complete the following steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **App registrations** then select **New registration**.

+1. Browse to **Identity** > **Applications** > **App registrations**, then select your application.

+1. Browse to **Identity** > **Applications** > **App registrations**, then select your application.

+1. Browse to **Identity** > **Applications** > **App registrations**, then select your application.

+1. Browse to **Identity** > **Applications** > **App registrations**, then select your application.

+Shared device mode allows you to configure an Android device so that it can be easily shared by multiple employees. Employees can sign in and access customer information quickly. When they're finished with their shift or task, they can sign out of the device, and it will be immediately ready for the next employee to use.

+You need to do a type check and cast to the appropriate interface when you get your `PublicClientApplication` object. The following code checks for multiple account modes or single account modes, and casts the application object appropriately:

+If you're writing an app that will only be used for frontline workers using a shared device, we recommend you write your application to only support single-account mode. This includes most applications that are task focused such as medical records apps, invoice apps, and most line-of-business apps. Only supporting single-account mode simplifies development because you won't need to implement the other features that are part of multiple-account apps.

+## Third-party MDMs that support shared device mode

+This third-party Mobile Device Management (MDM) that supports Azure AD's shared device mode:

+- [VMware Workspace ONE](https://blogs.vmware.com/euc/2023/08/announcing-general-availability-of-shared-device-conditional-access-with-vmware-workspace-one-and-microsoft-entra-id.html)

+When a user signs out, you need to take action to protect the privacy and data of the user. For example, if you're building a medical records app you want to make sure that when the user signs out previously displayed patient records are cleared. Your application must be prepared for data privacy and check every time it enters the foreground.

+The following diagram shows the overall app lifecycle and common events that may occur while your app runs. The diagram covers from the time an activity launch, signing in and signing out an account, and how events such as pausing, resuming, and stopping the activity fit in.

+We had multiple reports of issues with authentication in IE and Microsoft Edge (since the update of the *Microsoft Edge browser version to 40.15063.0.0*). We're tracking these and have informed the Microsoft Edge team. While Microsoft Edge works on a resolution, here's a description of the frequently occurring issues and the possible workarounds that can be implemented.

+- **Infinite redirect loops and page reloads during authentication**. When users sign in to the application on Microsoft Edge, they're redirected back from the AAD login page and are stuck in an infinite redirect loop resulting in repeated page reloads. This is usually accompanied by an `invalid_state` error in the session storage.

+- **Infinite acquire token loops and AADSTS50058 error**. When an application that is run on Microsoft Edge tries to acquire a token for a resource, the application may get stuck in an infinite loop of the acquire token call. The following error is returned from AAD in your network trace:

+- **Cannot log in using redirect URL prefixed with tauri**. The only supported schemes for redirect URIs are `https:` for production apps and `http://localhost` for local development. If you attempt to use a different scheme, like `tauri://localhost`, for a mobile or desktop application, the below error message appears. This error arises as a result of how the backend of the SPA is designed.

+ `AADSTS90023: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type or 'Native' client-type with origin registered in AllowedOriginForNativeAppCorsRequestInOAuthToken allow list.`

+When the `storeAuthStateInCookie` flag is enabled, MSAL.js uses the browser cookies to store the request state required for validation of the auth flows.

+> This fix is not yet available for the `msal-angular` and `msal-angularjs` wrappers. This fix doesn't address the issue with pop-up windows.

+1. As a first step to get around these issues, ensure that the application domain and any other sites involved in the redirects of the authentication flow are added as trusted sites in the security settings of the browser. This ensures the redirects belong to the same security zone.

+4. As mentioned before, since only the session storage is cleared during the regular navigation, you may configure MSAL.js to use the local storage instead. This can be set as the `cacheLocation` config parameter while initializing MSAL.

+Note, these workarounds won't solve the issue for InPrivate browsing since both session and local storage are cleared.

+There are cases when popups are blocked in IE or Microsoft Edge, for example when a second popup occurs during [multi-factor authentication](../authentication/concept-mfa-howitworks.md). You'll get an alert in the browser to allow for the pop-up window once or always. If you choose to allow, the browser opens the pop-up window automatically and returns a `null` handle for it. As a result, the library doesn't have a handle for the window and there's no way to close the pop-up window. The same issue doesn't happen in Chrome when it prompts you to allow pop-up windows because it doesn't automatically open a pop-up window.

+As a **workaround**, developers need to allow popups in IE and Microsoft Edge before they start using their app to avoid this issue.

+> | .NET Core | &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/1-Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi) <br/> &#8226; [Using managed identity and Azure Key Vault](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/3-Using-KeyVault)| [MSAL.NET](/entra/msal/dotnet) | Client credentials grant|

+1. Under **Platform configurations**, select **Add a platform**.

+1. In the pane that opens, select the appropriate platform for your application. For example, select **Web** for a web application.

+1. Under Redirect URIs, add the redirect URI of your application. For example, `https://localhost:8080/`.

+ > In June 2024, the setting **Restrict users access to My Groups** will change to **Restrict users ability to see and edit security groups in My Groups.** If the setting is currently set to ΓÇÿYes,ΓÇÖ end users will be able to access My Groups in June 2024, but will not be able to see security groups.

+## Use the Microsoft Entra admin center to reset redemption status

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External Identities** > **Overview**.

+1. Select **All API connectors**, and then select **New API connector**.

+1. Provide a display name for the call. For example, **Check approval status**.

+1. Provide the **Endpoint URL** for the API call.

+1. Choose the **Authentication type** and configure the authentication information for calling your API. Learn how to [Secure your API Connector](self-service-sign-up-secure-api-connector.md).

+1. Select **Save**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External Identities** > **Overview**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Applications** > **App registrations**, and then select **New registration**.

+1. Enter a **Name** for the application, for example, _Sign-up Approvals_.

+1. Select **Register**. You can leave other fields at their defaults.

+1. Under **Manage** in the left menu, select **API permissions**, and then select **Add a permission**.

+1. On the **Request API permissions** page, select **Microsoft Graph**, and then select **Application permissions**.

+1. Under **Select permissions**, expand **User**, and then select the **User.ReadWrite.All** check box. This permission allows the approval system to create the user upon approval. Then select **Add permissions**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External identities** > **User flows**, and then select the user flow you want to enable the API connector for.

+1. Select **API connectors**, and then select the API endpoints you want to invoke at the following steps in the user flow:

+1. Select **Save**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External Identities** > **Overview**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External Identities** > **Overview**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Users** > **User settings**, and then under **External users**, select **Manage external collaboration settings**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External Identities** > **User flows**, and then select **New user flow**.

+1. Select the user flow type (for example, **Sign up and sign in**), and then select the version (**Recommended** or **Preview**).

+1. On the **Create** page, enter a **Name** for the user flow. The name is automatically prefixed with **B2X_1_**.

+1. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Azure Active Directory Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.)

+1. Under **User attributes**, choose the attributes you want to collect from the user. For more attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**.

+1. Select **Create**.

+1. The new user flow appears in the **User flows** list. If necessary, refresh the page.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External Identities** > **User flows**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External Identities** > **User flows**

+1. Under **Self-service sign up**, select **User flows**.

+1. Select the self-service sign-up user flow from the list.

+1. In the left menu, under **Use**, select **Applications**.

+1. Select **Add application**.

+1. Select the application from the list. Or use the search box to find the application, and then select it.

+1. Click **Select**.

+> This article describes how to configure tenant restrictions v2 using the Microsoft Entra admin center. You can also use the [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta&preserve-view=true) to create these same tenant restrictions policies.

+|**Portal support** |No user interface in the Microsoft Entra admin center for configuring the policy. | User interface available in the Microsoft Entra admin center for setting up the cloud policy. |

+Settings for tenant restrictions v2 are located in the Microsoft Entra admin center under **Cross-tenant access settings**. First, configure the default tenant restrictions you want to apply to all users, groups, apps, and organizations. Then, if you need partner-specific configurations, you can add a partner's organization and customize any settings that differ from your defaults.

+ΓÇ£\#ΓÇ¥ is a reserved character in UPNs for Azure AD B2B collaboration or external users, because the invited account user@contoso.com becomes user_contoso.com#EXT#@fabrikam.onmicrosoft.com. Therefore, \# in UPNs coming from on-premises aren't allowed to sign in to the Microsoft Entra admin center.

+Rarely, you might see this message: ΓÇ£This action can't be completed because the Microsoft B2B Cross Cloud Worker application has been disabled in the invited userΓÇÖs tenant. Ask the invited userΓÇÖs admin to re-enable it, then try again.ΓÇ¥ This error means that the Microsoft B2B Cross Cloud Worker application has been disabled in the B2B collaboration userΓÇÖs home tenant. This app is typically enabled, but it might have been disabled by an admin in the userΓÇÖs home tenant, either through PowerShell or the portal (see [Disable how a user signs in](../manage-apps/disable-user-sign-in-portal.md)). An admin in the userΓÇÖs home tenant can re-enable the app through PowerShell or the Microsoft Entra admin center. In the admin center, search for ΓÇ£Microsoft B2B Cross Cloud WorkerΓÇ¥ to find the app, select it, and then choose to re-enable it.

+You should now see the restored app in the Microsoft Entra admin center.

+If you use Azure Active Directory (Azure AD) B2B collaboration to work with external partners, you can invite multiple guest users to your organization at the same time. In this tutorial, you learn how to use the Microsoft Entra admin center to send bulk invitations to external users. Specifically, you'll follow these steps:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Users** > **All Users**.

+Check to see that the guest users you added exist in the directory either in the Microsoft Entra admin center or by using PowerShell.

+### View guest users in the Microsoft Entra admin center

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Users** > **All users**.

+A dynamic group is a dynamic configuration of security group membership for Azure Active Directory (Azure AD) available in the [Microsoft Entra admin center](https://entra.microsoft.com). Administrators can set rules to populate groups that are created in Azure AD based on user attributes (such as [userType](user-properties.md), department, or country/region). Members can be automatically added to or removed from a security group based on their attributes. These groups can provide access to applications or cloud resources (SharePoint sites, documents) and to assign licenses to members. Learn more about [dedicated groups in Azure Active Directory](../fundamentals/how-to-manage-groups.md).

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **Groups** > **All groups**, and then select **New group**.

+You can create custom attributes in the Microsoft Entra admin center and use them in your [self-service sign-up user flows](self-service-sign-up-user-flow.md). You can also read and write these attributes by using the [Microsoft Graph API](../../active-directory-b2c/microsoft-graph-operations.md). Microsoft Graph API supports creating and updating a user with extension attributes. Extension attributes in the Graph API are named by using the convention `extension_<extensions-app-id>_attributename`. For example:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](../roles/permissions-reference.md#user-administrator).

+1. Browse to **Identity** > **External Identities** > **Overview**.

+In this article, you use the Microsoft Entra admin center to enable single sign-on (SSO) for an enterprise application that you added to your Azure Active Directory (Azure AD) tenant. After you configure SSO, your users can sign in by using their Azure AD credentials.

+In this quickstart, you use the Microsoft Entra admin center to add an enterprise application to your Azure Active Directory (Azure AD) tenant. Azure AD has a gallery that contains thousands of enterprise applications that have been preintegrated. Many of the applications your organization uses are probably already in the gallery. This quickstart uses the application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most [enterprise applications in the gallery](../saas-apps/tutorial-list.md).

+- If you still want to retain admin-only consent for certain permissions but want to assist your end-users in onboarding their application, you can use the admin consent workflow to evaluate and respond to admin consent requests. This way, you can have a queue of all the requests for admin consent for your tenant and can track and respond to them directly through the Microsoft Entra admin center.

+When the user submits a consent request, the request shows up in the admin consent request page in the Microsoft Entra admin center. Administrators and designated reviewers sign in to [view and act on the new requests](review-admin-consent-requests.md). Reviewers only see consent requests that were created after they were designated as reviewers. Requests show up in the following two tabs in the admin consent requests blade.

+ 2 - [How do I grant admin consent in the Microsoft Entra admin center](https://www.youtube.com/watch?v=LSYcelwdhHI&list=PLlrxD0HtieHiBPIyUWkqVzoMrgfwKi4dY&index=5)(1:19)

+ - **Azure AD - Enterprise applications** ΓÇô Apps added to your tenant using the **Enterprise applications** option on the Microsoft Entra admin center. Usually apps integrated using the SAML standard.

+ - **Azure AD - App registrations** ΓÇô Apps added to your tenant using the **App registrations** option on the Microsoft Entra admin center. Usually custom developed apps using the Open ID Connect and OAuth standards.

+The owner of the application or Global Administrator or Application Administrator can update the certificates through Microsoft Entra admin center UI, PowerShell or Microsoft Graph.

+These applications are configured on behalf of the user in the Microsoft Entra admin center. The application must be configured properly and assigned to the user or a group the user is a member of to see the application in My Apps.

+* Granting the application permissions via the Microsoft Entra admin center

+You can use the [Microsoft Entra admin center](https://entra.microsoft.com), or you can query [Microsoft Graph](/graph/api/resources/serviceprincipal). You can also go to the [Graph Explorer Tool](https://developer.microsoft.com/graph/graph-explorer) and sign in to your Azure AD account to see all your organization's service principals.

+To configure group and team owner consent settings through the Microsoft Entra admin center:

+To configure user consent settings through the Microsoft Entra admin center:

+To provide more sign-in security, you can enforce Microsoft Entra ID Multi-Factor Authentication. The process starts in the Microsoft Entra admin center.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).

+2. Browse to **Identity** > **Overview** > **Properties** tab.

+3. Under **Security defaults**, select **Manage security defaults**.

+4. On the **Security defaults** pane, toggle the dropdown menu to select **Enabled**.

+5. Select **Save**.

+In this article, you learn how to prevent users from signing in to an application in Azure Active Directory through both the Microsoft Entra admin center and PowerShell. If you're looking for how to block specific users from accessing an application, use [user or group assignment](./assign-user-or-group-access-portal.md).

+ * See, the [Microsoft Entra admin center](https://entra.microsoft.com)

+* One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+2. Browse to **Identity** > **Applications** > **App registrations** > **New registration**.

+For applications your organization has developed, or which are registered directly in your Azure AD tenant, you can also grant tenant-wide admin consent from **App registrations** in the Microsoft Entra admin centerMicrosoft Entra admin center.

+When granting tenant-wide admin consent using either method described above, a window opens from the Microsoft Entra admin center to prompt for tenant-wide admin consent. If you know the client ID (also known as the application ID) of the application, you can build the same URL to grant tenant-wide admin consent.

+Before you start, record the following details from the Microsoft Entra admin center:

+For step-by-step instructions for granting tenant-wide admin consent from the Microsoft Entra admin center, see [Grant tenant-wide admin consent to an application](grant-admin-consent.md).

+Azure AD provides a centralized access location to manage your migrated apps. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) and enable the following capabilities:

+You can also use the [Microsoft Entra admin center](https://entra.microsoft.com) to audit all your apps from a centralized location,

+My Apps is a web-based portal that is used for managing and launching applications in Azure Active Directory (Azure AD). To work with applications in My Apps, use an organizational account in Azure AD and obtain access granted by the Azure AD administrator. My Apps is separate from the Microsoft Entra admin center and doesn't require users to have an Azure subscription or Microsoft 365 subscription.

+The following conditions determine whether an application in the enterprise applications list in the Microsoft Entra admin center appears to a user or group in the My Apps portal:

+> The **Users can only see Office 365 apps in the Office 365 portal** property in the Microsoft Entra admin center can affect whether users can only see Office 365 applications in the Office 365 portal. If this setting is set to **No**, then users will be able to see Office 365 applications in both the My Apps portal and the Office 365 portal. This setting can be found under **Manage** in **Enterprise applications > User settings**.

+When signed in to the [My Apps](https://myapps.microsoft.com) portal, the applications that have been made visible are shown. For an application to be visible in the My Apps portal, set the appropriate properties in the [Microsoft Entra admin center](https://entra.microsoft.com). Also in the Microsoft Entra admin center, assign a user or group with the appropriate members.

+> It can take several minutes for an application to appear in the My Apps portal after it has been added to the tenant in the Microsoft Entra admin center. There may also be a delay in how soon users can access the application after it has been added.

+In the Microsoft Entra admin center, define the logo and name for the application to represent company branding in the My Apps portal. The banner logo appears at the top of the page, such as the Contoso demo logo shown below.

+Access can be granted on a tenant level, assigned to specific users, or from self-service access. Before users can self-discover applications from the My Apps portal, enable self-service application access in the Microsoft Entra admin center. This feature is available for applications when added using these methods:

+Enable users to discover and request access to applications by using the My Apps portal. To do so, complete the following tasks in the Microsoft Entra admin center:

+Enable single sign-on (SSO) in the Microsoft Entra admin center for all applications that are made available in the My Apps portal whenever possible. If SSO is set up, users have a seamless experience without the need to enter their credentials. To learn more, see [Single sign-on options in Azure AD](what-is-single-sign-on.md#single-sign-on-options).

+10. After the configuration is successful, you're signed out of the application and returned to the [Microsoft Entra admin center](https://entra.microsoft.com).

+For in-depth information, you can download Azure Active Directory deployment plans from [GitHub](../architecture/deployment-plans.md). For gallery applications, you can download deployment plans for single sign-on, Conditional Access, and user provisioning through the [Microsoft Entra admin center](https://entra.microsoft.com).

+To download a deployment plan from the Microsoft Entra admin center:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).

+You change that certificate duration in the Microsoft Entra admin center. Make sure to document the expiration and know how you'll manage your certificate renewal. ItΓÇÖs important to identify the right roles and email distribution lists involved with managing the lifecycle of the signing certificate. The following roles are recommended:

+>If you deleted an [application registration](../develop/howto-remove-app.md) in its home tenant through app registrations in the Microsoft Entra admin center, the enterprise application, which is its corresponding service principal also got deleted. If you restore the deleted application registration through the Microsoft Entra admin center, its corresponding service principal, is also restored. You'll therefore be able to recover the service principal's previous configurations, except its previous policies such as Conditional Access policies, which aren't restored.

+Currently, restoring permissions is only possible through Microsoft Graph PowerShell and Microsoft Graph API calls. You can't restore permissions through the Microsoft Entra admin center. In this article, you learn how to restore permissions using Microsoft Graph PowerShell.

+First, set the servicePrincipalId value in the script to the ID value for the enterprise app whose permissions you want to restore. This ID is also called the `object ID` in the Microsoft Entra admin center **Enterprise applications** page.

+By choosing which application consent policies apply for all users, you can set limits on when users are allowed to grant consent to applications and on when theyΓÇÖll be required to request administrator review and approval. The Microsoft Entra admin center provides the following built-in options:

+For step-by-step instructions for granting tenant-wide admin consent from the Microsoft Entra admin center, see [Grant tenant-wide admin consent to an application](grant-admin-consent.md).

+After users submit the admin consent request, the admins who have been designated as reviewers receive a notification. The users are notified after a reviewer has acted on their request. For step-by-step instructions for configuring the admin consent workflow by using the Microsoft Entra admin center, see [configure the admin consent workflow](configure-admin-consent-workflow.md).

+In this quickstart, you learn how to use the Microsoft Entra admin center to search for and view the enterprise applications that are already configured in your Azure Active Directory (Azure AD) tenant.

+As with enterprise apps, you can [assign users](assign-user-or-group-access-portal.md) to certain Microsoft applications via the Microsoft Entra admin center or, using PowerShell.

+The [new Microsoft Teams](/microsoftteams/new-teams-desktop-admin) experience improves upon Microsoft 365 people search and Teams external access for a unified seamless collaboration experience. For this improved experience to light up, the multi-tenant organization representation in Azure AD is required and collaborating users shall be provisioned as B2B members. For more information, see [Announcing more seamless collaboration in Microsoft Teams for multi-tenant organizations](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/announcing-more-seamless-collaboration-in-microsoft-teams-for/ba-p/3901092).

+ In new Microsoft Teams, multi-tenant organization users can expect an improved collaborative experience across tenants with chat, calling, and meeting start notifications from all connected tenants across the multi-tenant organization. Tenant switching is more seamless and faster. For more information, see [Announcing more seamless collaboration in Microsoft Teams for multi-tenant organizations](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/announcing-more-seamless-collaboration-in-microsoft-teams-for/ba-p/3901092) and [Microsoft Teams: Advantages of the new architecture](https://techcommunity.microsoft.com/t5/microsoft-teams-blog/microsoft-teams-advantages-of-the-new-architecture/ba-p/3775704).

+Privileged Identity Management (PIM) in Microsoft Entra ID (Azure AD), enables you to view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md).

+1. Under **Action**, select **(activity)** for a user to see that user's activity detail in Azure resources.

+Microsoft Entra ID, formerly known as Azure AD, allows you to grant users just-in-time membership and ownership of groups through Privileged Identity Management (PIM) for Groups. Groups can be used to control access to a variety of scenarios, including Azure AD roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third-party applications.

+PIM for Groups is part of Azure AD Privileged Identity Management ΓÇô alongside with PIM for Azure AD Roles and PIM for Azure Resources, PIM for Groups enables users to activate the ownership or membership of an Azure AD security group or Microsoft 365 group. Groups can be used to govern access to various scenarios that include Azure AD roles, Azure roles, Azure SQL, Azure Key Vault, Intune, other application roles, and third party applications.

+## What are Entra ID role-assignable groups?

+When working with Entra ID, you can assign an Entra ID security group or Microsoft 365 group to an Entra ID role. This is possible only with groups that are created as role-assignable.

+To learn more about Entra ID role-assignable groups, see [Create a role-assignable group in Azure Active Directory](../roles/groups-create-eligible.md).

+- **Role-assignable groups** - only the Global Administrator, Privileged Role Administrator, or the group Owner can manage the group. Also, no other users can change the credentials of the users who are (active) members of the group. This feature helps prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.

+- **Non-role-assignable groups** - various Azure AD roles can manage these groups ΓÇô that includes Exchange Administrators, Groups Administrators, User Administrators, etc. Also, various roles Azure AD roles can change the credentials of the users who are (active) members of the group ΓÇô that includes Authentication Administrators, Helpdesk Administrators, User Administrators, etc.

+To learn more about Entra ID built-in roles and their permissions, see [Azure AD built-in roles](../roles/permissions-reference.md).

+Groups can be role-assignable or non-role-assignable. The group can be enabled in PIM for Groups or not enabled in PIM for Groups. These are independent properties of the group. Any Entra ID security group and any Microsoft 365 group (except dynamic groups and groups synchronized from on-premises environment) can be enabled in PIM for Groups. The group doesn't have to be role-assignable group to be enabled in PIM for Groups.

+If you want to assign an Entra ID role to a group, it has to be role-assignable. Even if you don't intend to assign an Entra ID role to the group but the group provides access to sensitive resources, it is still recommended to consider creating the group as role-assignable. This is because of extra protections role-assignable groups have ΓÇô see [ΓÇ£What are Entra ID role-assignable groups?ΓÇ¥](#what-are-entra-id-role-assignable-groups) in the section above.

+>[!IMPORTANT]

+> Up until January 2023, it was required that every Privileged Access Group (former name for this PIM for Groups feature) had to be role-assignable group. This restriction is currently removed. Because of that, it is now possible to enable more than 500 groups per tenant in PIM, but only up to 500 groups can be role-assignable.

+## Making group of users eligible for Entra ID role

+There are two ways to make a group of users eligible for Entra ID role:

+To provide a group of users with just-in-time access to Azure AD roles with permissions in SharePoint, Exchange, or Security & Microsoft Purview compliance portal (for example, Exchange Administrator role), be sure to make active assignments of users to the group, and then assign the group to a role as eligible for activation (Option #1 above). If you choose to make active assignment of a group to a role and assign users to be eligible to group membership instead, it may take significant time to have all permissions of the role activated and ready to use.

+In Entra ID, role-assignable groups canΓÇÖt have other groups nested inside them. To learn more, see [Use Azure AD groups to manage role assignments](../roles/groups-concept.md). This is applicable to active membership: one group can't be an active member of another group that is role-assignable.

+If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. This activation is only for the user that requested the activation for, it doesn't mean that the entire Group A becomes an active member of Group B.

+You can use Privileged Identity Management (PIM) In Microsoft Entra ID, previously known as Azure Active Directory (Azure AD), to have just-in-time membership in the group or just-in-time ownership of the group.

+1. Depending on the groupΓÇÖs setting, justification for activation may be required. If needed, provide the justification in the **Reason** box.

+You can view the status of your pending requests to activate. It is important when your requests undergo approval of another person.

+When you select **Cancel**, the request is canceled. To activate the role again, you have to submit a new request for activation.

+With Privileged Identity Management (PIM) and Entra ID (Previously known as Azure AD), you can configure activation of group membership and ownership to require approval. You can also choose users or groups from your Azure AD organization as delegated approvers.

+ :::image type="content" source="media/pim-for-groups/pim-group-10.png" alt-text="Screenshot that shows what an Azure notification generated by your approval looks like." lightbox="media/pim-for-groups/pim-group-10.png":::

+- Approvers receive notifications by email when a request for a group assignment is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.

+In Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group.

+Follow these steps to make a user eligible member or owner of a group. You'll need permissions to manage groups. For role-assignable groups, you need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group. For non-role-assignable groups, you need to have Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level).

+Follow these steps to update or remove an existing role assignment. You'll need permissions to manage groups. For role-assignable groups, you need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group. For non-role-assignable groups, you need to have Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level).

+When working with your organization's groups in Privileged Identity Management (PIM), you can view activity, activations, and audit history for Entra ID (Azure AD) group membership or ownership changes.

+In Entra ID (Azure AD), you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group. Groups can be used to provide access to Azure AD Roles, Azure roles, and various other scenarios. To manage an Azure AD group in PIM, you must bring it under management in PIM.

+Before starting, you need an Entra ID Security group or Microsoft 365 group. To learn more about group management in Azure AD, see [Manage Azure Active Directory groups and group membership](../fundamentals/how-to-manage-groups.md).

+Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, provides controls to manage the access and assignment lifecycle for group membership and ownership. Administrators can assign start and end date-time properties for group membership and ownership. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access isn't extended.

+In Privileged Identity Management (PIM) for groups in Entra ID (Azure AD), role settings define membership or ownership assignment properties. These properties include multifactor authentication and approval requirements for activation, assignment maximum duration, and notification settings. This article shows you how to configure role settings and set up the approval workflow to specify who can approve or deny requests to elevate privilege.

+- [PIM Alerts for Azure AD Roles API reference](/graph/api/resources/privilegedidentitymanagementv3-overview?view=graph-rest-beta#building-blocks-of-the-pim-alerts-apis&preserve-view=true)

+Under the /beta/privilegedRoles endpoint, Microsoft had a classic version of the PIM API, which only supported Azure AD roles and is no longer supported. Access to this API was deprecated in June 2021.

+As a delegated approver, you receive an email notification when an Azure AD role request is pending your approval. You can view these pending requests in Privileged Identity Management.

+All access reviews have an end date, but you can use the **Stop** button to finish it early. The **Stop** button is only selectable when the review instance is active. You can't restart a review after it's been stopped.

+After an access review is completed, either because you've reached the end date or stopped it manually, the **Apply** button removes denied users' access to the role. If a user's access was denied during the review, this is the step that removes their role assignment. If the **Auto apply** setting is configured on review creation, this button will always be disabled because the review will be applied automatically instead of manually.

+If you aren't interested in the review any further, delete it. To remove the access review from the Privileged Identity Management service, select the **Delete** button.

+Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**, and **Activity** options in the left navigation menu. As an administrator, you can choose between options such as managing **Azure AD roles**, managing **Azure resource** roles, or PIM for Groups. When you choose what you want to manage, you see the appropriate set of options for that option.

+| activated | State | A user that has an eligible role assignment, performed the actions to activate the role, and is now active. Once activated, the user can use the role for a preconfigured period of time before they need to activate again. |

+If the role requires [approval](pim-resource-roles-approval-workflow.md) to activate, a notification appears in the upper right corner of the user's browser informing them the request is pending approval. If an approval isn't required, the member can start using the role.

+Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve or deny these pending requests in PIM. After the request has been approved, the member can start using the role. For example, if a user or a group was assigned with Contribution role to a resource group, they are able to manage that particular resource group.

+With the PIM for Groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request. For example, your Tier 3 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily. Before today it would require four consecutive requests, which are a process that takes some time. Instead, you can create a role assignable group called ΓÇ£Tier 3 Office AdminsΓÇ¥, assign it to each of the four roles previously mentioned (or any Azure AD built-in roles) and enable it for Privileged Access in the groupΓÇÖs Activity section. Once enabled for privileged access, you can configure the just-in-time settings for members of the group and assign your admins and owners as eligible. When an admin elevates into the group, they become members of all four Azure AD roles.

+* **Groups**- Anyone in a group to get just-in-time access to Azure AD roles and Azure roles. For Azure AD roles, the group must be a newly created cloud group thatΓÇÖs marked as assignable to a role while for Azure roles, the group can be any Azure AD security group. We don't recommend assigning/nesting a group to a PIM for Groups.

+Communication is critical to the success of any new service. Proactively communicate with your users how their experience changes, when it changes, and how to gain support if they experience issues.

+For both Azure AD and Azure resource role, make sure that you have users represented who will take those roles. In addition, consider the following roles when you test PIM in your staged environment:

+**We recommend** you have at least one administrator read through all audit events on a weekly basis and export your audit events on a monthly basis.

+[Configure security alerts for the Azure AD roles](pim-how-to-configure-security-alerts.md) which triggers an alert in case of suspicious and unsafe activity.

+[Configure security alerts for the Azure resource roles](pim-resource-roles-configure-alerts.md) which triggers an alert in case of any suspicious and unsafe activity.

+It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.

+| Owner| :heavy_check_mark:| :heavy_check_mark:| :heavy_check_mark:| Other owners of the resource| One Hour| None| n/a| Three months |

+| Member| :heavy_check_mark:| :heavy_check_mark:| :x:| None| Five Hours| None| n/a| 3 months |

+When group assignment nears its expiration, use [PIM to extend or renew the group assignment](groups-renew-extend.md). This operation requires group owner approval.

+Privileged Identity Management (PIM) lets you know when important events occur in your Entra ID (Previously known as Azure AD) organization, such as when a role is assigned or activated. Privileged Identity Management keeps you informed by sending you and other participants email notifications. These emails might also include links to relevant tasks, such activating or renewing a role. This article describes what these emails look like, when they are sent, and who receives them.

+When users activate their role and the role setting requires approval, approvers receive two emails for each approval:

+The first two emails sent by the request approval engine can be delayed. Currently, 90% of emails take three to ten minutes, but for 1% customers it can be longer, up to fifteen minutes.

+If an approval request is approved in the Azure portal before the first email is sent, the first email will no longer be triggered and other approvers won't be notified by email of the approval request. It might appear as if they didn't get an email but it's the expected behavior.

+Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Entra ID (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD resources, and other Microsoft online services like Microsoft 365 or Microsoft Intune.

+Microsoft Entra Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Azure AD and other Microsoft online services like Microsoft 365 or Microsoft Intune.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).

+1. Browse to **Identity governance** > **Privileged Identity Management** > **My requests**.

+1. When you select **My requests** you see a list of your Azure AD role and Azure resource role requests.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged role administrator](../roles/permissions-reference.md#privileged-role-administrator).

+1. Browse to **Identity governance** > **Privileged Identity Management** > **My requests**.

+description: Learn how to extend or renew Azure Active Directory role assignments in Microsoft Entra Privileged Identity Management (PIM)

+Microsoft Entra Privileged Identity Management (PIM) provides controls to manage the access and assignment lifecycle for roles in Microsoft Entra ID (Azure AD). Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to Azure AD administrators to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.

+Entra ID administrators can access the renewal request from the link in the email notification, or by accessing Privileged Identity Management from the Microsoft Entra admin center and selecting **Approve requests** in PIM.

+You can use the Microsoft Entra Privileged Identity Management (PIM) audit history to see all role assignments and activations within the past 30 days for all privileged roles. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Azure AD logs to an Azure storage account](../reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md). If you want to see the full audit history of activity in your organization in Azure Active Directory (Azure AD), part of Microsoft Entra, including administrator, end user, and synchronization activity, you can use the [Azure Active Directory security and activity reports](../reports-monitoring/overview-reports.md).

+Use Microsoft Entra Privileged Identity Management (PIM), to allow eligible role members for Azure resources to schedule activation for a future date and time. They can also select a specific activation duration within the maximum (configured by administrators).

+1. Browse to **Identity governance** > **Privileged Identity Management** > **My roles**.

+Microsoft Entra Privileged Identity Management (PIM) enables you to configure roles so that they require approval for activation, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each role to reduce workload for the privileged role administrator. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window isn't configurable.

+As a delegated approver, you receive an email notification when an Azure resource role request is pending your approval. You can view these pending requests in Privileged Identity Management.

+ In the **Requests for role activations** section, you see a list of requests pending your approval.

+With Microsoft Entra Privileged Identity Management (PIM), you can manage the built-in Azure resource roles, and custom roles, including (but not limited to):

+ - **Eligible** assignments require the member to activate the role before using it. Administrator may require role member to perform certain actions before role activation, which might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

+1. Browse to **Identity governance** > **Privileged Identity Management** > **Azure Resources**. This page shows a list of Azure resources discovered in Privileged Identity Management. Use the **Resource type** filter to select all required resource types.

+You might need to apply stricter just-in-time settings to some users in a privileged role in your organization in Microsoft Entra ID (Azure AD), while providing greater autonomy for others. For example, if your organization hired several contract associates to help develop an application that will run in an Azure subscription.

+You can view and manage the management groups or subscriptions to which you have Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner roles. If you aren't a subscription owner, but are a Global Administrator and don't see any Azure subscriptions or management groups to manage, then you can [elevate access to manage your resources](../../role-based-access-control/elevate-access-global-admin.md).

+Microsoft Entra Privileged Identity Management (PIM), provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended.

+If a user assigned to a role doesn't request an extension for the role assignment, an administrator can extend an assignment on behalf of the user. Administrative extensions of role assignment don't require approval, but notifications are sent to all other administrators after the role has been extended.

+This problem can happen when the User Access Administrator role for the PIM service principal was accidentally removed from the subscription. For the Privileged Identity Management service to be able to access Azure resources, the MS-PIM service principal should always have the [User Access Administrator role](../../role-based-access-control/built-in-roles.md#user-access-administrator) role assigned.

+ :::image type="content" source="media/best-practices/roles-administrators.png" alt-text="Roles and administrators page in admin center with Service filter open." lightbox="media/best-practices/roles-administrators.png":::

+One of the principles of least privilege is that access should be granted only when required. [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) lets you grant just-in-time access to your administrators. Microsoft recommends that you use PIM in Azure AD. Using PIM, a user can be made eligible for an Azure AD role where they can then activate the role for a limited time when needed. Privileged access is automatically removed when the timeframe expires. You can also configure PIM settings to require approval, receive notification emails when someone activates their role assignment, or other role settings. Notifications provide an alert when new users are added to highly privileged roles. For more information, see [Configure Azure AD role settings in Privileged Identity Management](../privileged-identity-management/pim-how-to-change-default-settings.md).

+- People move teams within a company. If there's no auditing, they can amass unnecessary access over time.

+Microsoft recommends that you use access reviews to find and remove role assignments that are no longer needed. This helps you reduce the risk of unauthorized or excessive access and maintain your compliance standards.

+For information about access reviews for roles, see [Create an access review of Azure resource and Azure AD roles in PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md). For information about access reviews of groups that are assigned roles, see [Create an access review of groups and applications in Azure AD](../governance/create-access-review.md).

+If you have 5 or more privileged Global Administrator role assignments, a **Global Administrators** alert card is displayed on the Azure AD Overview page to help you monitor Global Administrator role assignments.

+By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is assigned the Global Administrators role. Users who are assigned the Global Administrator role can read and modify almost every administrative setting in your Azure AD organization. With a few exceptions, Global Administrators can also read and modify all configuration settings in your Microsoft 365 organization. Global Administrators also have the ability to elevate their access to read data.

+Some roles include privileged permissions, such as the ability to update credentials. Since these roles can potentially lead to elevation of privilege, you should limit the use of these privileged role assignments to **fewer than 10** in your organization. If you exceed 10 privileged role assignments, a warning is displayed on the Roles and administrators page.

+ You can identity roles, permissions, and role assignments that are privileged by looking for the **PRIVILEGED** label. For more information, see [Privileged roles and permissions in Azure AD](privileged-roles-permissions.md).

+If you have an external governance system that takes advantage of groups, then you should consider assigning roles to Azure AD groups, instead of individual users. You can also manage role-assignable groups in PIM to ensure that there are no standing owners or members in these privileged groups. For more information, see [Privileged Identity Management (PIM) for Groups](../privileged-identity-management/concept-pim-for-groups.md).

+It may be the case that an individual has five or six eligible assignments to Azure AD roles through PIM. They'll have to activate each role individually, which can reduce productivity. Worse still, they can also have tens or hundreds of Azure resources assigned to them, which aggravates the problem.

+In this case, you should use [Privileged Identity Management (PIM) for Groups](../privileged-identity-management/concept-pim-for-groups.md). Create a PIM for Groups and grant it permanent access to multiple roles (Azure AD and/or Azure). Make that user an eligible member or owner of this group. With just one activation, they'll have access to all the linked resources.

+Azure Active Directory (Azure AD) has roles and permissions that are identified as privileged. These roles and permissions can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data. Privileged role assignments can lead to elevation of privilege if not used in a secure and intended manner. This article describes privileged roles and permissions and best practices for how to use.

+| privileged permission | In Azure AD, permissions that can be used to delegate management of directory resources to other users, modify credentials, authentication or authorization policies, or access restricted data. |

+ Title: Migrate from HTTP application routing to the application routing add-on

+description: Learn how to migrate from the HTTP application routing feature to the application routing add-on.

+# Migrate from HTTP application routing to the application routing add-on

+In this article, you'll learn how to migrate your Azure Kubernetes Service (AKS) cluster from HTTP application routing feature to the [application routing add-on](./app-routing.md). The HTTP application routing add-on has been retired and won't work on any cluster Kubernetes version currently in support, so we recommend migrating as soon as possible to maintain a supported configuration.

+## Prerequisites

+Azure CLI version `2.49.0` or later. If you haven't yet, follow the instructions to [Install Azure CLI][install-azure-cli]. Run `az --version` to find the version, and run `az upgrade` to upgrade the version if not already on the latest.

+> [!NOTE]

+> These steps detail migrating from an unsupported configuration. As such, AKS cannot offer support for issues that arise during the migration process.

+## Update your cluster's add-ons, ingresses, and IP usage

+1. Enable the application routing add-on.

+ ```azurecli-interactive

+ az aks enable-addons -g <ResourceGroupName> -n <ClusterName> --addons web_application_routing

+ ```

+2. Update your ingresses, setting `ingressClassName` to `webapprouting.kubernetes.azure.com`. Remove the `kubernetes.io/ingress.class` annotation. You'll also need to update the host to one that you own, as the application routing add-on doesn't have a managed cluster DNS zone. If you don't have a DNS zone, follow instructions to [create][app-routing-dns-create] and [configure][app-routing-dns-configure] one.

+ Initially, your ingress configuration will look something like this:

+ ```yaml

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: aks-helloworld

+ annotations:

+ kubernetes.io/ingress.class: addon-http-application-routing # Remove the ingress class annotation

+ spec:

+ rules:

+ - host: aks-helloworld.<CLUSTER_SPECIFIC_DNS_ZONE>

+ http:

+ paths:

+ - path: /

+ pathType: Prefix

+ backend:

+ service:

+ name: aks-helloworld

+ port:

+ number: 80

+ ```

+ After you've properly updated, the same configuration will look like the following:

+ ```yaml

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: aks-helloworld

+ spec:

+ ingressClassName: webapprouting.kubernetes.azure.com # Set the ingress class property to refer to the application routing add-on ingress class

+ rules:

+ - http:

+ host: aks-helloworld.<CLUSTER_SPECIFIC_DNS_ZONE> # Replace with your own hostname

+ paths:

+ - path: /

+ pathType: Prefix

+ backend:

+ service:

+ name: aks-helloworld

+ port:

+ number: 80

+ ```

+3. Update the ingress controller's IP (such as in DNS records) with the new IP address. You can find the new IP by using `kubectl get`. For example:

+ ```bash

+ kubectl get svc nginx --namespace app-routing-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

+ ```

+4. Disable the HTTP application routing add-on.

+ ```azurecli-interactive

+ az aks disable-addons -g <ResourceGroupName> -n <ClusterName> --addons http_application_routing

+ ```

+## Remove and delete all HTTP application routing resources

+1. After the HTTP application routing add-on is disabled, some related Kubernetes resources may remain in your cluster. These resources include *configmaps* and *secrets* that are created in the *kube-system* namespace. To maintain a clean cluster, you may want to remove these resources. Look for *addon-http-application-routing* resources using the following [`kubectl get`][kubectl-get] commands:

+ ```bash

+ kubectl get deployments --namespace kube-system

+ kubectl get services --namespace kube-system

+ kubectl get configmaps --namespace kube-system

+ kubectl get secrets --namespace kube-system

+ ```

+ The following example output shows *configmaps* that should be deleted:

+ ```output

+ NAMESPACE NAME DATA AGE

+ kube-system addon-http-application-routing-nginx-configuration 0 9m7s

+ kube-system addon-http-application-routing-tcp-services 0 9m7s

+ kube-system addon-http-application-routing-udp-services 0 9m7s

+ ```

+1. Delete remaining resources using the [`kubectl delete`][kubectl-delete] command. Make sure to specify the resource type, resource name, and namespace. The following example deletes one of the previous configmaps:

+ ```bash

+ kubectl delete configmaps addon-http-application-routing-nginx-configuration --namespace kube-system

+ ```

+1. Repeat the previous `kubectl delete` step for all *addon-http-application-routing* resources remaining in your cluster.

+## Next steps

+After migrating to the application routing add-on, learn how to [monitor ingress controller metrics with Prometheus and Grafana](./app-routing-nginx-prometheus.md).

+<!-- INTERNAL LINKS -->

+[install-azure-cli]: /cli/azure/install-azure-cli

+[ingress-https]: ./ingress-tls.md

+[app-routing-dns-create]: ./app-routing.md?tabs=without-osm#create-an-azure-dns-zone

+[app-routing-dns-configure]: ./app-routing.md?tabs=without-osm#configure-the-add-on-to-use-azure-dns-to-manage-dns-zones

+<!-- EXTERNAL LINKS -->

+[dns-pricing]: https://azure.microsoft.com/pricing/details/dns/

+[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get

+[kubectl-delete]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#delete

+ Title: Azure CNI networking in Azure Kubernetes Service (AKS) overview

+description: Learn about the requirements and limitations of Azure CNI networking in Azure Kubernetes Service (AKS).

+#CustomerIntent: As a network administrator, I want learn about Azure CNI networking so that I can deploy Azure CNI networking in an AKS cluster.

+# Azure CNI networking in Azure Kubernetes Service (AKS) overview

+By default, AKS clusters use [kubenet][kubenet] and create a virtual network and subnet. With *kubenet*, nodes get an IP address from a virtual network subnet. Network address translation (NAT) is then configured on the nodes, and pods receive an IP address "hidden" behind the node IP. This approach reduces the number of IP addresses that you need to reserve in your network space for pods to use.

+With [Azure Container Networking Interface (CNI)][cni-networking], every pod gets an IP address from the subnet and can be accessed directly. Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod. These IP addresses must be unique across your network space and must be planned in advance. Each node has a configuration parameter for the maximum number of pods that it supports. The equivalent number of IP addresses per node are then reserved up front for that node. This approach requires more planning, and often leads to IP address exhaustion or the need to rebuild clusters in a larger subnet as your application demands grow.

+## Prerequisites

+* The virtual network for the AKS cluster must allow outbound internet connectivity.

+* AKS clusters may not use `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24` for the Kubernetes service address range, pod address range, or cluster virtual network address range.

+* The cluster identity used by the AKS cluster must have at least [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) permissions on the subnet within your virtual network. If you wish to define a [custom role](../role-based-access-control/custom-roles.md) instead of using the built-in Network Contributor role, the following permissions are required:

+ * `Microsoft.Network/virtualNetworks/subnets/join/action`

+ * `Microsoft.Network/virtualNetworks/subnets/read`

+ * `Microsoft.Authorization/roleAssignments/write`

+* The subnet assigned to the AKS node pool can't be a [delegated subnet](../virtual-network/subnet-delegation-overview.md).

+* AKS doesn't apply Network Security Groups (NSGs) to its subnet and doesn't modify any of the NSGs associated with that subnet. If you provide your own subnet and add NSGs associated with that subnet, you must ensure the security rules in the NSGs allow traffic within the node CIDR range. For more information, see [Network security groups][aks-network-nsg].

+## Plan IP addressing for your cluster

+Clusters configured with Azure CNI networking require extra planning. The size of your virtual network and its subnet must accommodate the number of pods you plan to run and the number of nodes for the cluster.

+IP addresses for the pods and the cluster's nodes are assigned from the specified subnet within the virtual network. Each node is configured with a primary IP address. Azure CNI preconfigures 30 extra IP addresses by default. These IP addresses are assigned to pods scheduled on the node. When you scale out your cluster, each node is similarly configured with IP addresses from the subnet. You can also view the [maximum pods per node](#maximum-pods-per-node).

+> [!IMPORTANT]

+> The number of IP addresses required should include considerations for upgrade and scaling operations. If you set the IP address range to only support a fixed number of nodes, you can't upgrade or scale your cluster.

+>

+> * When you **upgrade** your AKS cluster, a new node is deployed into the cluster. Services and workloads begin to run on the new node, and an older node is removed from the cluster. This rolling upgrade process requires a minimum of one additional block of IP addresses to be available. Your node count is then `n + 1`.

+> * This consideration is particularly important when you use Windows Server node pools. Windows Server nodes in AKS do not automatically apply Windows Updates, instead you perform an upgrade on the node pool. This upgrade deploys new nodes with the latest Window Server 2019 base node image and security patches. For more information on upgrading a Windows Server node pool, see [Upgrade a node pool in AKS][nodepool-upgrade].

+>

+> * When you **scale** an AKS cluster, a new node is deployed into the cluster. Services and workloads begin to run on the new node. Your IP address range needs to take into considerations how you may want to scale up the number of nodes and pods your cluster can support. One additional node for upgrade operations should also be included. Your node count is then `n + number-of-additional-scaled-nodes-you-anticipate + 1`.

+If you expect your nodes to run the maximum number of pods, and regularly destroy and deploy pods, you should also factor in some extra IP addresses per node. A few seconds may be required to delete a service and release its IP address for a new service to be deployed and acquire the address. These extra IP addresses consider this possibility.

+The IP address plan for an AKS cluster consists of a virtual network, at least one subnet for nodes and pods, and a Kubernetes service address range.

+| Address range / Azure resource | Limits and sizing |

+| | - |

+| Virtual network | The Azure virtual network can be as large as /8, but is limited to 65,536 configured IP addresses. Consider all your networking needs, including communicating with services in other virtual networks, before configuring your address space. For example, if you configure too large of an address space, you may run into issues with overlapping other address spaces within your network.|

+| Subnet | Must be large enough to accommodate the nodes, pods, and all Kubernetes and Azure resources that might be provisioned in your cluster. For example, if you deploy an internal Azure Load Balancer, its front-end IPs are allocated from the cluster subnet, not public IPs. The subnet size should also take into account upgrade operations or future scaling needs.<p/> To calculate the *minimum* subnet size including an extra node for upgrade operations: `(number of nodes + 1) + ((number of nodes + 1) * maximum pods per node that you configure)`<p/> Example for a 50 node cluster: `(51) + (51 * 30 (default)) = 1,581` (/21 or larger)<p/>Example for a 50 node cluster that also includes preparation to scale up an extra 10 nodes: `(61) + (61 * 30 (default)) = 1,891` (/21 or larger)<p>If you don't specify a maximum number of pods per node when you create your cluster, the maximum number of pods per node is set to *30*. The minimum number of IP addresses required is based on that value. If you calculate your minimum IP address requirements on a different maximum value, see [how to configure the maximum number of pods per node](#configure-maximumnew-clusters) to set this value when you deploy your cluster. |

+| Kubernetes service address range | Any network element on or connected to this virtual network must not use this range. Service address CIDR must be smaller than /12. You can reuse this range across different AKS clusters. |

+| Kubernetes DNS service IP address | IP address within the Kubernetes service address range that is used by cluster service discovery. Don't use the first IP address in your address range. The first address in your subnet range is used for the *kubernetes.default.svc.cluster.local* address. |

+## Maximum pods per node

+The maximum number of pods per node in an AKS cluster is 250. The *default* maximum number of pods per node varies between *kubenet* and *Azure CNI* networking, and the method of cluster deployment.

+| Deployment method | Kubenet default | Azure CNI default | Configurable at deployment |

+| | | | |

+| Azure CLI | 110 | 30 | Yes (up to 250) |

+| Resource Manager template | 110 | 30 | Yes (up to 250) |

+| Portal | 110 | 110 (configurable in the Node Pools tab) | Yes (up to 250) |

+### Configure maximum - new clusters

+You're able to configure the maximum number of pods per node at cluster deployment time or as you add new node pools. You can set the maximum pods per node value as high as 250.

+If you don't specify maxPods when creating new node pools, you receive a default value of 30 for Azure CNI.

+A minimum value for maximum pods per node is enforced to guarantee space for system pods critical to cluster health. The minimum value that can be set for maximum pods per node is 10 if and only if the configuration of each node pool has space for a minimum of 30 pods. For example, setting the maximum pods per node to the minimum of 10 requires each individual node pool to have a minimum of 3 nodes. This requirement applies for each new node pool created as well, so if 10 is defined as maximum pods per node each subsequent node pool added must have at least 3 nodes.

+| Networking | Minimum | Maximum |

+| | | |

+| Azure CNI | 10 | 250 |

+| Kubenet | 10 | 250 |

+> [!NOTE]

+> The minimum value in the previous table is strictly enforced by the AKS service. You can not set a maxPods value lower than the minimum shown as doing so can prevent the cluster from starting.

+* **Azure CLI**: Specify the `--max-pods` argument when you deploy a cluster with the [`az aks create`][az-aks-create] command. The maximum value is 250.

+* **Resource Manager template**: Specify the `maxPods` property in the [ManagedClusterAgentPoolProfile] object when you deploy a cluster with a Resource Manager template. The maximum value is 250.

+* **Azure portal**: Change the `Max pods per node` field in the node pool settings when creating a cluster or adding a new node pool.

+### Configure maximum - existing clusters

+The maxPod per node setting can be defined when you create a new node pool. If you need to increase the maxPod per node setting on an existing cluster, add a new node pool with the new desired maxPod count. After migrating your pods to the new pool, delete the older pool. To delete any older pool in a cluster, ensure you're setting node pool modes as defined in the [system node pools document][system-node-pools].

+## Deployment parameters

+When you create an AKS cluster, the following parameters are configurable for Azure CNI networking:

+**Virtual network**: The virtual network into which you want to deploy the Kubernetes cluster. If you want to create a new virtual network for your cluster, select *Create new* and follow the steps in the *Create virtual network* section. If you want to select an existing virtual network, make sure it's in the same location and Azure subscription as your Kubernetes cluster. For information about the limits and quotas for an Azure virtual network, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-resource-manager-virtual-networking-limits).

+**Subnet**: The subnet within the virtual network where you want to deploy the cluster. If you want to create a new subnet in the virtual network for your cluster, select *Create new* and follow the steps in the *Create subnet* section. For hybrid connectivity, the address range shouldn't overlap with any other virtual networks in your environment.

+**Azure Network Plugin**: When Azure network plugin is used, the internal LoadBalancer service with "externalTrafficPolicy=Local" can't be accessed from VMs with an IP in clusterCIDR that doesn't belong to AKS cluster.

+**Kubernetes service address range**: This parameter is the set of virtual IPs that Kubernetes assigns to internal [services][services] in your cluster. This range can't be updated after you create your cluster. You can use any private address range that satisfies the following requirements:

+* Must not be within the virtual network IP address range of your cluster

+* Must not overlap with any other virtual networks with which the cluster virtual network peers

+* Must not overlap with any on-premises IPs

+* Must not be within the ranges `169.254.0.0/16`, `172.30.0.0/16`, `172.31.0.0/16`, or `192.0.2.0/24`

+Although it's technically possible to specify a service address range within the same virtual network as your cluster, doing so isn't recommended. Unpredictable behavior can result if overlapping IP ranges are used. For more information, see the [FAQ](#frequently-asked-questions) section of this article. For more information on Kubernetes services, see [Services][services] in the Kubernetes documentation.

+**Kubernetes DNS service IP address**: The IP address for the cluster's DNS service. This address must be within the *Kubernetes service address range*. Don't use the first IP address in your address range. The first address in your subnet range is used for the *kubernetes.default.svc.cluster.local* address.

+## Frequently asked questions

+* **Can I deploy VMs in my cluster subnet?**

+ Yes.

+* **What source IP do external systems see for traffic that originates in an Azure CNI-enabled pod?**

+ Systems in the same virtual network as the AKS cluster see the pod IP as the source address for any traffic from the pod. Systems outside the AKS cluster virtual network see the node IP as the source address for any traffic from the pod.

+* **Can I configure per-pod network policies?**

+ Yes, Kubernetes network policy is available in AKS. To get started, see [Secure traffic between pods by using network policies in AKS][network-policy].

+* **Is the maximum number of pods deployable to a node configurable?**

+ Yes, when you deploy a cluster with the Azure CLI or a Resource Manager template. See [Maximum pods per node](#maximum-pods-per-node).

+ You can't change the maximum number of pods per node on an existing cluster.

+* **How do I configure additional properties for the subnet that I created during AKS cluster creation? For example, service endpoints.**

+ The complete list of properties for the virtual network and subnets that you create during AKS cluster creation can be configured in the standard virtual network configuration page in the Azure portal.

+* **Can I use a different subnet within my cluster virtual network for the *Kubernetes service address range*?**

+ It's not recommended, but this configuration is possible. The service address range is a set of virtual IPs (VIPs) that Kubernetes assigns to internal services in your cluster. Azure Networking has no visibility into the service IP range of the Kubernetes cluster. Due to the lack of visibility into the cluster's service address range, it's possible to later create a new subnet in the cluster virtual network that overlaps with the service address range. If such an overlap occurs, Kubernetes could assign a service an IP that's already in use by another resource in the subnet, causing unpredictable behavior or failures. By ensuring you use an address range outside the cluster's virtual network, you can avoid this overlap risk.

+## Next step

+> [!div class="nextstepaction"]

+> [Configure Azure CNI networking in Azure Kubernetes Service (AKS)](configure-azure-cni.md)

+Learn more about networking in AKS in the following articles:

+* [Use a static IP address with the Azure Kubernetes Service (AKS) load balancer](static-ip.md)

+* [Use an internal load balancer with Azure Kubernetes Service (AKS)](internal-lb.md)

+* [Create a basic ingress controller with external network connectivity][aks-ingress-basic]

+* [Enable the HTTP application routing add-on][aks-http-app-routing]

+* [Create an ingress controller that uses an internal, private network and IP address][aks-ingress-internal]

+* [Create an ingress controller with a dynamic public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-tls]

+* [Create an ingress controller with a static public IP and configure Let's Encrypt to automatically generate TLS certificates][aks-ingress-static-tls]

+<!-- IMAGES -->

+[advanced-networking-diagram-01]: ./media/networking-overview/advanced-networking-diagram-01.png

+[portal-01-networking-advanced]: ./media/networking-overview/portal-01-networking-advanced.png

+<!-- LINKS - External -->

+[services]: https://kubernetes.io/docs/concepts/services-networking/service/

+[cni-networking]: https://github.com/Azure/azure-container-networking/blob/master/docs/cni.md

+[kubenet]: concepts-network.md#kubenet-basic-networking

+[github]: https://raw.githubusercontent.com/microsoft/Docker-Provider/ci_prod/kubernetes/container-azm-ms-agentconfig.yaml

+<!-- LINKS - Internal -->

+[az-aks-create]: /cli/azure/aks#az_aks_create

+[aks-ssh]: ssh.md

+[ManagedClusterAgentPoolProfile]: /azure/templates/microsoft.containerservice/managedclusters#managedclusteragentpoolprofile-object

+[aks-network-concepts]: concepts-network.md

+[aks-network-nsg]: concepts-network.md#network-security-groups

+[aks-ingress-basic]: ingress-basic.md

+[aks-ingress-tls]: ingress-tls.md

+[aks-ingress-static-tls]: ingress-static-ip.md

+[aks-http-app-routing]: http-application-routing.md

+[aks-ingress-internal]: ingress-internal-ip.md

+[az-extension-add]: /cli/azure/extension#az_extension_add

+[az-extension-update]: /cli/azure/extension#az_extension_update

+[az-feature-register]: /cli/azure/feature#az_feature_register

+[az-feature-list]: /cli/azure/feature#az_feature_list

+[az-provider-register]: /cli/azure/provider#az_provider_register

+[network-policy]: use-network-policies.md

+[nodepool-upgrade]: manage-node-pools.md#upgrade-a-single-node-pool

+[network-comparisons]: concepts-network.md#compare-network-models

+[system-node-pools]: use-system-pools.md

+[prerequisites]: configure-azure-cni.md#prerequisites

+> The HTTP application routing add-on is in the process of being retired and isn't recommended for production use. We recommend migrating to the [Application Routing add-on](./app-routing-migration.md) instead.

+### Third-party integrations for Windows containers

+Microsoft has collaborated with partners to ensure your build, test, deployment, configuration, and monitoring of your applications perform optimally with Windows containers on AKS.

+For more details, see [Windows AKS partner solutions][windows-aks-partner-solutions].

+[windows-aks-partner-solutions]: windows-aks-partner-solutions.md

+- **[Policy sections:](./api-management-howto-policies.md#sections)** inbound, outbound, backend, on-error

+- **[Policy scopes:](./api-management-howto-policies.md#scopes)** global, workspace, product, API, operation

+- **[Gateways:](api-management-gateways-overview.md)** dedicated, consumption, self-hosted

+### Usage notes

+If your API Management instance is deployed (injected) in a VNet in *internal* mode and you use this policy to send an API request to an API that's exposed in the same API Management instance, you may encounter a timeout with an HTTP 500 BackendConnectionFailure error. This is the result of an [Azure Load Balancer limitation](../load-balancer/load-balancer-troubleshoot-backend-traffic.md).

+

+To chain API requests to the gateway in this scenario, configure `set-url` to use the localhost loopback URL `https://127.0.0.1`. Additionally, set the `HOST` header to specify this API Management instance's gateway host. You may use the default `azure-api.net` or your custom domain host. For example:

+

+```xml

+<send-request>

+ <set-url>https://127.0.0.1/myapi/myoperation</set-url>

+ <set-header name="Host">

+ <value>myapim.azure-api.net</value>

+ </set-header>

+</send-request>

+```

+For more information, see this [blog post](https://techcommunity.microsoft.com/t5/azure-paas-blog/self-chained-apim-request-limitation-in-internal-virtual-network/ba-p/1940417).

+|FTPS endpoint structure |ftps://APP-NAME.ASE-NAME.appserviceenvironment.net |ftps://APP-NAME.ASE-NAME.appserviceenvironment.net - Custom domain suffix is supported if you have one configured by replacing the App Service Environment name and the default domain suffix with your custom domain suffix. |ftps://ASE-NAME.ftp.appserviceenvironment.net/site/wwwroot - Custom domain suffix isn't supported. Each app on the same App Service Environment v3 uses the same FTPS endpoint but has its own unique application scope credentials for authentication. |

+ --version 1.0.0-preview4 \

+|configMapData|The setting that specifies how the retrieved data should be populated in the generated ConfigMap|false|object|

+If the `spec.target.configMapData` property is not set, the generated ConfigMap will be populated with the list of key-values retrieved from Azure App Configuration, which allows the ConfigMap to be consumed as environment variables. Update this property if you wish to consume the ConfigMap as a mounted file. This property has the following child properties.

+|Name|Description|Required|Type|

+|||||

+|type|The setting that indicates how the retrieved data is constructed in the generated ConfigMap. The allowed values include `default`, `json`, `yaml` and `properties`|optional|string|

+|key|The key name of the retrieved data when the `type` is set to `json`, `yaml` or `properties`. Set it to the file name if the ConfigMap is set up to be consumed as a mounted file|conditional|string|

+The `spec.auth` property isn't required if the connection string of your App Configuration store is provided by setting the `spec.connectionStringReference` property. Otherwise, one of the identities, service principal, workload identity, or managed identity, will be used for authentication. The `spec.auth` has the following child properties. Only one of them should be specified. If none of them are set, the system-assigned managed identity of the virtual machine scale set will be used.

+|workloadIdentity|The settings for using workload identity|false|object|

+|managedIdentityClientId|The Client ID of user-assigned managed identity of virtual machine scale set|false|string|

+The `spec.auth.workloadIdentity` property has the following child property.

+|Name|Description|Required|Type|

+|||||

+|managedIdentityClientId|The Client ID of the user-assigned managed identity associated with the workload identity|true|string|

+The `spec.keyValues` has the following child properties. The `spec.keyValues.keyVaults` property is required if any Key Vault references are expected to be downloaded.

+

+|workloadIdentity|The settings of the workload identity used for authentication with vaults that don't have individual authentication methods specified. It has the same child properties as `spec.auth.workloadIdentity`|false|object|

+|managedIdentityClientId|The client ID of a user-assigned managed identity of virtual machine scale set used for authentication with vaults that don't have individual authentication methods specified|false|string|

+The authentication method of each *vault* can be specified with the following properties. One of `managedIdentityClientId`, `servicePrincipalReference` or `workloadIdentity` must be provided.

+|workloadIdentity|The settings of the workload identity used for authentication with a vault. It has the same child properties as `spec.auth.workloadIdentity`|false|object|

+|managedIdentityClientId|The client ID of a user-assigned managed identity of virtual machine scale set used for authentication with a vault|false|string|

+#### Use system-assigned managed identity of virtual machine scale set

+#### Use user-assigned managed identity of virtual machine scale set

+#### Use service principal

+#### Use workload identity

+1. [Enable Workload Identity](/azure/aks/workload-identity-deploy-cluster#update-an-existing-aks-cluster) on the Azure Kubernetes Service (AKS) cluster.

+1. [Get the OIDC issuer URL](/azure/aks/workload-identity-deploy-cluster#retrieve-the-oidc-issuer-url) of the AKS cluster.

+1. [Create a user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity) and note down its client ID after creation.

+1. Create the federated identity credential between the managed identity, OIDC issuer, and subject using the Azure CLI.

+ ``` azurecli

+ az identity federated-credential create --name "${FEDERATED_IDENTITY_CREDENTIAL_NAME}" --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:azappconfig-system:az-appconfig-k8s-provider --audience api://AzureADTokenExchange

+ ```

+1. [Grant the user-assigned managed identity **App Configuration Data Reader** role](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vmss#user-assigned-managed-identity) in Azure App Configuration.

+1. Set the `spec.auth.workloadIdentity.managedIdentityClientId` property to the client ID of the user-assigned managed identity in the following sample `AzureAppConfigurationProvider` resource and deploy it to the AKS cluster.

+ ``` yaml

+ apiVersion: azconfig.io/v1beta1

+ kind: AzureAppConfigurationProvider

+ metadata:

+ name: appconfigurationprovider-sample

+ spec:

+ endpoint: <your-app-configuration-store-endpoint>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+ auth:

+ workloadIdentity:

+ managedIdentityClientId: <your-managed-identity-client-id>

+ ```

+#### Use connection string

+```

+### Consume ConfigMap

+Applications running in Kubernetes typically consume the ConfigMap either as environment variables or as configuration files. If the `configMapData.type` property is absent or is set to default, the ConfigMap is populated with the itemized list of data retrieved from Azure App Configuration, which can be easily consumed as environment variables. If the `configMapData.type` property is set to json, yaml or properties, data retrieved from Azure App Configuration is grouped into one item with key name specified by the `configMapData.key` property in the generated ConfigMap, which can be consumed as a mounted file.

+The following examples show how the data is populated in the generated ConfigMap with different settings of the `configMapData.type` property.

+Assuming an App Configuration store has these key-values:

+|key|value|

+|||

+|key1|value1|

+|key2|value2|

+|key3|value3|

+#### [default](#tab/default)

+and the `configMapData.type` property is absent or set to `default`,

+``` yaml

+apiVersion: azconfig.io/v1beta1

+kind: AzureAppConfigurationProvider

+metadata:

+ name: appconfigurationprovider-sample

+spec:

+ endpoint: <your-app-configuration-store-endpoint>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+```

+the generated ConfigMap will be populated with the following data:

+``` yaml

+data:

+ key1: value1

+ key2: value2

+ key3: value3

+```

+#### [json](#tab/json)

+and the `configMapData.type` property is set to `json`,

+``` yaml

+apiVersion: azconfig.io/v1beta1

+kind: AzureAppConfigurationProvider

+metadata:

+ name: appconfigurationprovider-sample

+spec:

+ endpoint: <your-app-configuration-store-endpoint>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+ configMapData:

+ type: json

+ key: appSettings.json

+```

+the generated ConfigMap will be populated with the following data:

+``` yaml

+data:

+ appSettings.json: >-

+ {"key1":"value1","key2":"value2","key3":"value3"}

+```

+#### [yaml](#tab/yaml)

+and the `configMapData.type` property is set to `yaml`,

+``` yaml

+apiVersion: azconfig.io/v1beta1

+kind: AzureAppConfigurationProvider

+metadata:

+ name: appconfigurationprovider-sample

+spec:

+ endpoint: <your-app-configuration-store-endpoint>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+ configMapData:

+ type: yaml

+ key: appSettings.yaml

+```

+the generated ConfigMap will be populated with the following data:

+``` yaml

+data:

+ appSettings.yaml: >-

+ key1: value1

+ key2: value2

+ key3: value3

+```

+#### [properties](#tab/properties)

+and the `configMapData.type` property is set to `properties`,

+``` yaml

+apiVersion: azconfig.io/v1beta1

+kind: AzureAppConfigurationProvider

+metadata:

+ name: appconfigurationprovider-sample

+spec:

+ endpoint: <your-app-configuration-store-endpoint>

+ target:

+ configMapName: configmap-created-by-appconfig-provider

+ configMapData:

+ type: properties

+ key: app.properties

+```

+the generated ConfigMap will be populated with the following data:

+``` yaml

+data:

+ app.properties: >-

+ key1=value1

+ key2=value2

+ key3=value3

+Flexibility is critical when enrolling end of support infrastructure in Extended Security Updates (ESUs) through Azure Arc to receive critical patches. To give ease of options across virtualization and disaster recovery scenarios, you must first provision Windows Server 2012 Arc ESU licenses and then link those licenses to your Azure Arc-enabled servers. The linking and provisioning of licenses can be done through the Azure portal.

+When provisioning WS2012 ESU licenses, you need to specify:

+* Either virtual core or physical core license

+* Standard or datacenter license

+* Attest to the number of associated cores (broken down by the number of 2-core and 16-core packs).

+To assist with the license provisioning process, this article provides general guidance and sample customer scenarios for planning your deployment of WS2012 ESUs through Azure Arc.

+## General guidance: Standard vs. Datacenter, Physical vs. Virtual Cores

+If you choose to license based on physical cores, the licensing requires a minimum of 16 physical cores per license. Most customers choose to license based on physical cores and select Standard or Datacenter edition to match their original Windows Server licensing. While Standard licensing can be applied to up to two virtual machines (VMs), Datacenter licensing has no limit to the number of VMs it can be applied to. Depending on the number of VMs covered, it may make sense to choose the Datacenter license instead of the Standard license.

+If you choose to license based on virtual cores, the licensing requires a minimum of eight virtual cores per Virtual Machine. There are two main scenarios where this model is advisable:

+> In all cases, you are required to attest to their conformance with SA or SPLA. There is no exception for these requirements. Software Assurance or an equivalent Server Subscription is required for you to purchase Extended Security Updates on-premises and in hosted environments. You will be able to purchase Extended Security Updates from Enterprise Agreement (EA), Enterprise Subscription Agreement (EAS), a Server & Cloud Enrollment (SCE), and Enrollment for Education Solutions (EES). On Azure, you do not need Software Assurance to get free Extended Security Updates, but Software Assurance or Server Subscription is required to take advantage of the Azure Hybrid Benefit.

+>

+## Scenario based examples: Compliant and Cost Effective Licensing

+In this scenario, you can use virtual core-based licensing to avoid covering the entire host by provisioning eight Windows Server 2012 Standard licenses for eight virtual cores each and link each of those licenses to the VMs running Windows Server 2012 R2. Alternatively, you could consider consolidating your Windows Server 2012 R2 VMs into two of the hosts to take advantage of physical core-based licensing options.

+In this case, you should provision two WS2012 Standard licenses for 16 physical cores each and apply to the four Arc-enabled servers. Alternatively, you could provision four WS2012 Standard licenses for eight virtual cores each and apply individually to the four Arc-enabled servers.

+### Scenario 3: Eight physical servers in retail stores, each server is standard with eight cores each and there's no virtualization

+In this scenario, you should apply eight WS2012 Standard licenses for 16 physical cores each and link each license to a physical server. Note that the 16 physical core minimum applies to the provisioned licenses.

+### Scenario 5: You have already purchased the traditional Windows Server 2012 ESUs through Volume Licensing

+In this scenario, the Azure Arc-enabled servers that have been enrolled in Extended Security Updates through an activated MAK Key are as enrolled in ESUs in the Azure portal. You have the flexibility to switch from this key-based traditional ESU model to WS2012 ESUs enabled by Azure Arc between Year one and Year two.

+In this scenario, you should provision a Windows Server 2012 Datacenter license associated with 128 physical cores and link this license to the Arc-enabled Windows Server 2012 R2 VMs running on it. The deletion of the underlying VM also deletes the corresponding Arc-enabled server resource, enabling you to link another Arc-enabled server.

+In this scenario, you should purchase an Arc ESU Windows Server 2012 Datacenter edition license associated with 506 physical cores and link this license to their 44 machines. Each of the 44 machines should be onboarded to Azure Arc, and can be onboarded at scale with Arc-enabled VMware vSphere (AVS). If you migrate to AVS, these servers are eligible for free WS2012 ESUs.

+ Title: 'Tutorial: Get started connecting an AKS application to a cache'

+description: In this tutorial, you learn how to connect your AKS-hosted application to an Azure Cache for Redis instance.

+#CustomerIntent: As a developer, I want to see how to use a Azure Cache for Redis instance with an AKS container so that I see how I can use my cache instance with a Kubernetes cluster.

+# Tutorial: Connect to Azure Cache for Redis from your application hosted on Azure Kubernetes Service

+In this tutorial, you adapt the [AKS sample voting application](https://github.com/Azure-Samples/azure-voting-app-redis/tree/master) to use with an Azure Cache for Redis instance instead. The original sample uses a Redis cache deployed as a container to your AKS cluster. Following some simple steps, you can configure the AKS sample voting application to connect to your Azure Cache for Redis instance.

+## Prerequisites

+- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An Azure Kubernetes Service Cluster - For more information on creating a cluster, see [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal](/azure/aks/learn/quick-kubernetes-deploy-portal).

+> [!IMPORTANT]

+> This tutorial assumes that you are familiar with basic Kubernetes concepts like containers, pods and service.

+## Set up an Azure Cache for Redis instance

+1. Create a new Azure Cache for Redis instance by using the Azure portal or your preferred CLI tool. Use the [quickstart guide](quickstart-create-redis.md) to get started.

+ For this tutorial, use a Standard C1 cache.

+ :::image type="content" source="media/cache-tutorial-aks-get-started/cache-new-instance.png" alt-text="Screenshot of creating a Standard C1 cache in the Azure portal":::

+1. On the **Advanced** tab, enable **Non-TLS port**.

+ :::image type="content" source="media/cache-tutorial-aks-get-started/cache-non-tls.png" alt-text="Screenshot of the Advanced tab with Non-TLS enabled during cache creation.":::

+1. Follow the steps through to create the cache.

+> [!IMPORTANT]

+> This tutorial uses a non-TLS port for demonstration, but we highly recommend that you use a TLS port for anything in production.

+Creating the cache can take a few minutes. You can move to the next section while the process finishes.

+## Install and connect to your AKS cluster

+In this section, you first install the Kubernetes CLI and then connect to an AKS cluster.

+### Install the Kubernetes CLI

+Use the Kubernetes CLI, _kubectl_, to connect to the Kubernetes cluster from your local computer. If you're running locally, then you can use the following command to install _kubectl_.

+```bash

+az aks install-cli

+```

+If you use Azure Cloud Shell, _kubectl_ is already installed, and you can skip this step.

+### Connect to your AKS cluster

+Use the portal to copy the resource group and cluster name for your AKS cluster. To configure _kubectl_ to connect to your AKS cluster, use the following command with your resource group and cluster name:

+```bash

+ az aks get-credentials --resource-group myResourceGroup --name myClusterName

+ ```

+Verify that you're able to connect to your cluster by running the following command:

+```bash

+kubectl get nodes

+```

+You should see similar output showing the list of your cluster nodes.

+```output

+NAME STATUS ROLES AGE VERSION

+aks-agentpool-21274953-vmss000001 Ready agent 1d v1.24.15

+aks-agentpool-21274953-vmss000003 Ready agent 1d v1.24.15

+aks-agentpool-21274953-vmss000006 Ready agent 1d v1.24.15

+```

+## Update the voting application to use Azure Cache for Redis

+Use the [.yml file](https://github.com/Azure-Samples/azure-voting-app-redis/blob/master/azure-vote-all-in-one-redis.yaml) in the sample for reference.

+Make the following changes to the deployment file before you save the file as _azure-vote-sample.yaml_.

+1. Remove the deployment and service named `azure-vote-back`. This deployment is used to deploy a Redis container to your cluster that is not required when using Azure Cache for Redis.

+2. Replace the value `REDIS` variable from "azure-vote-back" to the _hostname_ of the Azure Cache for Redis instance that you created earlier. This change indicates that your application should use Azure Cache for Redis instead of a Redis container.

+3. Define variable named `REDIS_PWD`, and set the value to the _access key_ for the Azure Cache for Redis instance that you created earlier.

+After all the changes, the deployment file should look like following file with your _hostname_ and _access key_. Save your file as _azure-vote-sample.yaml_.

+```YAML

+apiVersion: apps/v1

+kind: Deployment

+metadata:

+ name: azure-vote-front

+spec:

+ replicas: 1

+ selector:

+ matchLabels:

+ app: azure-vote-front

+ strategy:

+ rollingUpdate:

+ maxSurge: 1

+ maxUnavailable: 1

+ minReadySeconds: 5

+ template:

+ metadata:

+ labels:

+ app: azure-vote-front

+ spec:

+ nodeSelector:

+ "kubernetes.io/os": linux

+ containers:

+ - name: azure-vote-front

+ image: mcr.microsoft.com/azuredocs/azure-vote-front:v1

+ ports:

+ - containerPort: 80

+ resources:

+ requests:

+ cpu: 250m

+ limits:

+ cpu: 500m

+ env:

+ - name: REDIS

+ value: myrediscache.redis.cache.windows.net

+ - name: REDIS_PWD

+ value: myrediscacheaccesskey

+apiVersion: v1

+kind: Service

+metadata:

+ name: azure-vote-front

+spec:

+ type: LoadBalancer

+ ports:

+ - port: 80

+ selector:

+ app: azure-vote-front

+```

+## Deploy and test your application

+Run the following command to deploy this application to your AKS cluster:

+```bash

+kubectl apply -f azure-vote-sample.yaml

+```

+You get a response indicating your deployment and service was created:

+```output

+deployment.apps/azure-vote-front created

+service/azure-vote-front created

+```

+To test the application, run the following command to check if the pod is running:

+```bash

+kubectl get pods

+```

+You see your pod running successfully like:

+```output

+NAME READY STATUS RESTARTS AGE

+azure-vote-front-7dd44597dd-p4cnq 1/1 Running 0 68s

+```

+Run the following command to get the endpoint for your application:

+```bash

+kubectl get service azure-vote-front

+```

+You might see that the EXTERNAL-IP has status `<pending>` for a few minutes. Keep retrying until the status is replaced by an IP address.

+```output

+NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

+azure-vote-front LoadBalancer 10.0.166.147 20.69.136.105 80:30390/TCP 90s

+```

+Once the External-IP is available, open a web browser to the External-IP address of your service and you see the application running as follows:

+## Clean up your deployment

+To clean up your cluster, run the following commands:

+```bash

+kubectl delete deployment azure-vote-front

+kubectl delete service azure-vote-front

+```

+## Related content

+- [Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using the Azure portal](/azure/aks/learn/quick-kubernetes-deploy-portal)

+- [AKS sample voting application](https://github.com/Azure-Samples/azure-voting-app-redis/tree/master)

+The deployment technology you use to publish code to your function app in Azure depends on your specific needs and the point in the development cycle. For example, during development and testing you may deploy directly from your development tool, such as Visual Studio Code. When your app is in production, you're more likely to publish continuously from source control or by using an automated publishing pipeline, which can include validation and testing.

+The following table describes the available deployment methods for your code project.

+| | | |

+| Tools-based | &bull;&nbsp;[Visual&nbsp;Studio&nbsp;Code&nbsp;publish](functions-develop-vs-code.md#publish-to-azure)<br/>&bull;&nbsp;[Visual Studio publish](functions-develop-vs.md#publish-to-azure)<br/>&bull;&nbsp;[Core Tools publish](functions-run-local.md#publish) | Deployments during development and other improvised deployments. Deploying your code on-demand using [local development tools](functions-develop-local.md#local-development-environments). |

+| External pipelines|&bull;&nbsp;[Azure Pipelines](functions-how-to-azure-devops.md)<br/>&bull;&nbsp;[GitHub Actions](functions-how-to-github-actions.md) | Production pipelines that include validation, testing, and other actions that must be run as part of an automated deployment. Deployments are managed by the pipeline. |

+Specific deployments should use the best technology based on the specific scenario. Many of the deployment methods are based on [zip deployment](#zip-deploy), which is recommended for deployment.

+The deployment method also depends on the hosting plan and operating system on which you run your function app.

+Currently, Functions offers three hosting plans:

+Each plan has different behaviors. Not all deployment technologies are available for each hosting plan and operating system. This chart provides information on the supported deployment technologies:

+| [External package URL](#external-package-url)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

+| [Zip deploy](#zip-deploy) |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö|

+| [Docker container](#docker-container) | | | | |Γ£ö|Γ£ö|

+| [Web Deploy](#web-deploy-msdeploy) |Γ£ö|Γ£ö|Γ£ö| | | |

+| [Source control](#source-control) |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|

+| [Local Git](#local-git)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|

+| [Cloud sync](#cloud-sync)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|

+| [FTPS](#ftps)<sup>1</sup> |Γ£ö|Γ£ö|Γ£ö| |Γ£ö|Γ£ö|

+| [In-portal editing](#portal-editing)<sup>2</sup> |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö<sup>3</sup>|Γ£ö<sup>3</sup>|

+<sup>1</sup> Deployment technologies that require you to [manually sync triggers](#trigger-syncing) aren't recommended.

+When you deploy using an external package URL, you need to manually restart your function app to fully sync your updates when the package changes without changing the URL.

+#### [Windows](#tab/windows)

+#### [Linux](#tab/linux)

+To enable remote build on Linux, you must set these application settings:

+Several deployment methods store the deployed or built application payload on the storage account associated with the function app. Functions tries to use the Azure Files content share when configured, but some methods instead store the payload in the blob storage instance associated with the `AzureWebJobsStorage` connection. See the details in the _Where app content is stored_ paragraphs of each deployment technology covered in the next section.

+>__When to use it:__ To reduce the chance of errors, you should avoid using deployment methods that require the additional step of [manually syncing triggers](#trigger-syncing). Use [zip deployment](run-functions-from-deployment-package.md) when possible.

+>__When to use it:__ To reduce the chance of errors, you should avoid using deployment methods that require the additional step of [manually syncing triggers](#trigger-syncing). Use [zip deployment](run-functions-from-deployment-package.md) when possible.

+### FTP/S

+You can use FTP/S to directly transfer files to Azure Functions, although this deployment method isn't recommended. When you're not planning on using FTP, you should disable it. If you do choose to use FTP, you should enforce FTPS. To learn how in the Azure portal, see [Enforce FTPS](../app-service/deploy-ftp.md#enforce-ftps).

+>__How to use it:__ Follow the instructions in [FTPS deployment settings](functions-how-to-use-azure-function-app-settings.md#ftps-deployment-settings) to get the URL and credentials you can use to deploy to your function app using FTPS.

+>__When to use it:__ To reduce the chance of errors, you should avoid using deployment methods that require the additional step of [manually syncing triggers](#trigger-syncing). Use [zip deployment](run-functions-from-deployment-package.md) when possible.

+>__How to use it:__ To be able to edit your functions in the [Azure portal](https://portal.azure.com), you must have [created your functions in the portal](./functions-get-started.md). To preserve a single source of truth, using any other deployment method makes your function read-only and prevents continued portal editing. To return to a state in which you can edit your files in the Azure portal, you can manually turn the edit mode back to `Read/Write` and remove any deployment-related application settings (like [`WEBSITE_RUN_FROM_PACKAGE`](functions-app-settings.md#website_run_from_package)).

+When you deploy updates to your function app code, currently executing functions are terminated. After deployment completes, the new code is loaded to begin processing requests. Review [Improve the performance and reliability of Azure Functions](performance-reliability.md#write-functions-to-be-stateless) to learn how to write stateless and defensive functions.

+### [Portal](#tab/portal)

+### [Azure CLI](#tab/azure-cli)

+### [Azure PowerShell](#tab/azure-powershell)

+## FTPS deployment settings

+Azure Functions supports deploying project code to your function app by using FTPS. Because this deployment method requires you to [sync triggers](functions-deployment-technologies.md#trigger-syncing), it's not recommended. To securely transfer project files, always use FTPS and not FTP.

+You can get the credentials required for FTPS deployment using one of these methods:

+### [Portal](#tab/portal)

+You can get the FTPS publishing credentials in the Azure portal by downloading the publishing profile for your function app.

+> [!IMPORTANT]

+> The publishing profile contains important security credentials. You should always secure the downloaded file on your local computer.

+3. In the file, locate the `publishProfile` element with the attribute `publishMethod="FTP"`. In this element, the `publishUrl`, `userName`, and `userPWD` attributes contain the target URL and credentials for FTPS publishing.

+### [Azure CLI](#tab/azure-cli)

+Run this Azure CLI command that returns the FTPS credentials from the publishing profile.

+```azurecli

+az functionapp deployment list-publishing-profiles --name <APP_NAME> --resource-group <GROUP_NAME> --query "[?publishMethod=='FTP'].{URL:publishUrl, username:userName, password:userPWD}" -o table

+```

+In this example, replace `<APP_NAME>` with your function app name and `<GROUP_NAME>` with the resource group. The returned `URL`, `username`, and `password` columns contain the target URL and credentials for FTPS publishing.

+### [Azure PowerShell](#tab/azure-powershell)

+Run this Azure PowerShell command that returns the FTPS credentials from the publishing profile.

+```azurepowershell

+$profile = [xml](Get-AzWebAppPublishingProfile -ResourceGroupName "<GROUP_NAME>" -Name "<APP_NAME>" -Format "Ftp")

+$profile.publishData.publishProfile | Where-Object -Property publishMethod -eq Ftp | Select-Object -Property @{Name="URL"; Expression = {$_.publishUrl}},

+@{Name="username"; Expression = {$_.userName}}, @{Name="password"; Expression = {$_.userPWD}} | Format-Table

+```

+In this example, replace `<APP_NAME>` with your function app name and `<GROUP_NAME>` with the resource group. The returned `URL`, `username`, and `password` columns contain the target URL and credentials for FTPS publishing.

+### [Portal](#tab/portal)

+### [Azure CLI](#tab/azure-cli)

+FTP isn't recommended for deploying your function code. FTP deployments are manual, and they require you to synchronize triggers. To learn more, see [FTP deployment](functions-deployment-technologies.md#ftps).

+> [!NOTE]

+>

+> **Azure Maps Gen1 price tier retirement**

+>

+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 pricing before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].

+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md

+> By default the style picker control lists all the styles available under the Gen1 (S0) pricing tier of Azure Maps. If you want to reduce the number of styles in this list, pass an array of the styles you want to appear in the list into the `mapStyle` option of the style picker. If you are using Gen1 (S1) or Gen2 pricing tier and want to show all available styles, set the `mapStyles` option of the style picker to `"all"`.

+>

+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 pricing before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].

+[Add a bubble layer]: map-add-bubble-layer.md

+[Add a symbol layer]: map-add-pin.md

+[Add map controls]: map-add-controls.md

+[Azure Maps Samples]: https://samples.azuremaps.com

+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md

+[Map style options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Map/Map%20style%20options/Map%20style%20options.html

+[Map style options]: https://samples.azuremaps.com/map/map-style-options

+[Map]: /javascript/api/azure-maps-control/atlas.map

+[StyleOptions]: /javascript/api/azure-maps-control/atlas.styleoptions

+You can manage the pricing tier of your Azure Maps account through the [Azure portal] or an [Azure Resource Manager (ARM) template].

+>

+> **Azure Maps Gen1 Price Tier Retirement**

+>

+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 before itΓÇÖs retired, otherwise it will automatically be updated.

+>

+> After 9/14/23, Gen1 pricing tier will no longer be available when creating new Azure Maps accounts via the Azure Portal. After 10/12/23, Gen1 pricing tier will no longer be available when creating new Azure Maps accounts using ARM templates.

+>

+> For more information on Gen2 pricing tier, see [Azure Maps pricing].

+### Azure portal

+To change your pricing tier from Gen1 to Gen2 in the Azure Portal, navigate to the Pricing tier option in the settings menu of your Azure Maps account. Select Gen2 from the Pricing tier drop-down list then the Save button.

+> You don't have to generate new subscription keys, client ID (for Azure AD authentication) or shared access signature (SAS) tokens if you change the pricing tier for your Azure Maps account.

+### ARM template

+To change your pricing tier from Gen1 to Gen2 in the ARM template, update `pricingTier` to **G2** and `kind` to **Gen2**. For more info on using ARM templates, see [Create account with ARM template].

+<!

+```json

+ "pricingTier": {

+ "type": "string",

+ "allowedValues":[

+ "G2"

+ ],

+ "defaultValue": "G2",

+ "metadata": {

+ "description": "The pricing tier SKU for the account."

+ }

+ },

+ "kind": {

+ "type": "string",

+ "allowedValues":[

+ "Gen2"

+ ],

+ "defaultValue": "Gen2",

+ "metadata": {

+ "description": "The pricing tier for the account."

+ }

+ }

+```

+>

+[Azure Maps pricing]: https://azure.microsoft.com/pricing/details/azure-maps/

+[Azure Portal]: https://portal.azure.com/

+[Azure Resource Manager (ARM) template]: how-to-create-template.md

+[Create account with ARM template]: how-to-create-template.md

+> The procedure in this section requires an Azure Maps account in the Gen1 or Gen2 pricing tier.

+The Azure Maps account Gen1 Standard S0 tier supports only a single instance of the `pins` parameter. It allows you to render up to five pushpins, specified in the URL request, with a custom image.

+>

+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].

+> The procedure in this section requires an Azure Maps account Gen1 (S1) or Gen2 pricing tier.

+> The procedure in this section requires an Azure Maps account Gen1 (S1) or Gen2 pricing tier.

+> The procedure in this section requires an Azure Maps account Gen1 (S1) or Gen2 pricing tier.

+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md

+</br>

+ >The [Get Minute Forecast API] requires a Gen1 (S1) or Gen2 pricing tier.

+>In the S0 pricing tier, you can request daily forecast for the next 1, 5, 10, and 15 days. In either Gen1 (S1) or Gen2 pricing tier, you can request daily forecast for the next 25 days, and 45 days.

+>

+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].

+>In the Gen1 (S0) pricing tier, you can request hourly forecast for the next 1, 12, 24 hours (1 day), and 72 hours (3 days). In either Gen1 (S1) or Gen2 pricing tier, you can request hourly forecast for the next 120 (5 days) and 240 hours (10 days).

+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md

+ > [!NOTE]

+ >

+ > **Azure Maps Gen1 Price Tier Retirement**

+ >

+ > Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 pricing before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].

+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md

+> [!NOTE]

+>

+> **Azure Maps Web SDK Map Control v1 retirement**

+>

+> Version 1 of the Web SDK Map Control is now deprecated and will be retired on 9/19/26. To avoid service disruptions, migrate to version 3 of the Web SDK Map Control by 9/19/26. Version 3 is backwards compatible and has several benifits including [WebGL 2 Compatibility], increased performance and support for [3D terrain tiles]. For more information, see [The Azure Maps Web SDK v1 migration guide].

+[The Azure Maps Web SDK v1 migration guide]: web-sdk-migration-guide.md

+Azure Maps has a batch geocoding service, however it allows up to 10,000 addresses to be passed in a single request and is processed over seconds to a few minutes depending on the size of the data set and the load on the service. Each address in the request generated a transaction.

+Another option for geocoding a large number addresses with Azure Maps is to make parallel requests to the standard search APIs. These services only accept a single address per request but can be used with the S0 tier that also provides free usage limits. The S0 tier allows up to 50 requests per second to the Azure Maps platform from a single account. So if you process limit these to stay within that limit, it's possible to geocode upwards of 180,000 address an hour. The Gen2 or Gen1 (S1) pricing tier doesnΓÇÖt have a documented limit on the number of queries per second that can be made from an account, so a lot more data can be processed faster when using that pricing tier, however using the batch geocoding service helps reduce the total amount of data transferred, reducing network traffic.

+> [!NOTE]

+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1). If your Azure Maps account has Gen1 selected, you can switch to Gen2 before itΓÇÖs retired, otherwise it will automatically be updated.

+For more information on the Gen1 pricing tier retirement, see [Manage the pricing tier of your Azure Maps account].

+[Manage the pricing tier of your Azure Maps account]: how-to-manage-pricing-tier.md

+If you don't have an Azure subscription, create a [free Azure account] before you begin.

+[Choose a map style]: choose-map-style.md

+> [!NOTE]

+>

+> **Azure Maps Gen1 price tier retirement**

+>

+> Gen1 pricing tier is now deprecated and will be retired on 9/15/26. Gen2 pricing tier replaces Gen1 (both S0 and S1) pricing tier. If your Azure Maps account has Gen1 pricing tier selected, you can switch to Gen2 pricing before itΓÇÖs retired, otherwise it will automatically be updated. For more information, see [Manage the pricing tier of your Azure Maps account].

+The following table summarizes the Azure Maps services that generate transactions, billable and nonbillable, along with any notable aspects that are helpful to understand in how the number of transactions are calculated.

+ > The only columns that are available to apply transforms against are TimeGenerated and RawData. Other columns are added to the table automatically after the transformation and are not available at the time of transformation.

+ > The _ResourceId column can't be used in the transformation.

+ Title: 'Plan your Alerts and automated actions'

+# Plan your alerts and automated actions

+1. Select **Add** for **Application ID URI**.

+Auto instrumentation of Logs are currently only supported when using `applicationinsights` v3 Beta package. (https://www.npmjs.com/package/applicationinsights/v/beta)

+ const { metrics, trace, ProxyTracerProvider } = require("@opentelemetry/api");

+ const tracerProvider = (trace.getTracerProvider() as ProxyTracerProvider).getDelegate();

+ const { trace, ProxyTracerProvider } = require("@opentelemetry/api");

+ const { NodeTracerProvider } = require("@opentelemetry/sdk-trace-node");

+ const tracerProvider = ((trace.getTracerProvider() as ProxyTracerProvider).getDelegate() as NodeTracerProvider);

+ import { Logger } from "@opentelemetry/sdk-logs";

+ const logger = (logs.getLogger("testLogger") as Logger);

+ body: "testEvent",

+ attributes: {

+ logger.emit(logRecord);

+ const { HttpInstrumentationConfig }= require("@opentelemetry/instrumentation-http");

+1. Install the [OpenTelemetry Collector Trace Exporter](https://www.npmjs.com/package/@opentelemetry/exporter-trace-otlp-http) and other OpenTelemetry packages in your project.

+ npm install @opentelemetry/api

+ npm install @opentelemetry/@opentelemetry/sdk-trace-base

+ npm install @opentelemetry/sdk-trace-node

+ const { trace, ProxyTracerProvider } = require("@opentelemetry/api");

+ const { NodeTracerProvider } = require('@opentelemetry/sdk-trace-node');

+ const tracerProvider = ((trace.getTracerProvider() as ProxyTracerProvider).getDelegate() as NodeTracerProvider);

+ In this example, SamplingPercentage is 20, so **20%** of all items will be sampled. Values in Metrics Explorer will be multiplied by (100/20) = **5** to compensate.

+ <SamplingPercentage>20</SamplingPercentage>

+* [Private Link](../logs/private-link-security.md) (private endpoints) and [IP restrictions](/azure/data-explorer/security-network-restrict-public-access) are not support cross-service queries.

+description: This article describes the Bicep functions to be used in Bicep parameter files.

+## getSecret

+`getSecret(subscriptionId, resourceGroupName, keyVaultName, secretName, secretVersion)`

+Returns a secret from an [Azure Key Vault](../../key-vault/secrets/about-secrets.md). Use this function to pass a secret to a secure string parameter of a Bicep file.

+> [!NOTE]

+> You can also use the [keyVaultName.getSecret(secretName)](./bicep-functions-resource.md#getsecret) function from within a `.bicep` file.

+```bicep

+using './main.bicep'

+param secureUserName = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretUserName')

+param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword')

+```

+You'll get an error if you use this function with string interpolation.

+A [namespace qualifier](bicep-functions.md#namespaces-for-functions) (`az`) can be used, but it's optional, because the function is available from the _default_ Azure Namespace.

+### Parameters

+| Parameter | Required | Type | Description |

+|: |: |: |: |

+| subscriptionId | Yes | string | The ID of the subscription that has the key vault resource. |

+| resourceGroupName | Yes | string | The name of the resource group that has the key vault resource. |

+| keyVaultName | Yes | string | The name of the key vault. |

+| secretName | Yes | string | The name of the secret stored in the key vault. |

+| secretVersion | No | string | The version of the secret stored in the key vault. |

+### Return value

+The value for the secret.

+### Example

+The following `.bicepparam` file has a `securePassword` parameter that will have the latest value of the _\<secretName\>_ secret.

+```bicep

+using './main.bicep'

+param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword')

+```

+The following `.bicepparam` file has a `securePassword` parameter that will have the value of the _\<secretName\>_ secret, but it's pinned to a specific _\<secretValue\>_.

+```bicep

+using './main.bicep'

+param securePassword = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword', 'exampleSecretVersion')

+```

+> [!NOTE]

+> `az.getSecret(subscriptionId, resourceGroupName, keyVaultName, secretName, secretVersion)` function can be used in `.bicepparam` files to retrieve key vault secrets. For more information, see [getSecret](./bicep-functions-parameters-file.md#getsecret).

+You get an error if you attempt to use this function in any other part of the Bicep file. You also get an error if you use this function with string interpolation, even when used in the params section.

+The following Bicep file is used as a module. It has an `adminPassword` parameter defined with the `@secure()` decorator.

+The [getSecret function](./bicep-functions-parameters-file.md) is available in Bicep to get secure value from a KeyVault. This function is in the `az` namespace.

+Also, `getSecret` function (or with the namespace qualifier `az.getSecret`) can be used in a `.bicepparam` file to retrieve the value of a secret from a key vault.

+```bicep

+using './main.bicep'

+param secureUserName = getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretUserName', 'exampleSecretVersion')

+param securePassword = az.getSecret('exampleSubscription', 'exampleResourceGroup', 'exampleKeyVault', 'exampleSecretPassword')

+```

+You can define and use variables. Bicep CLI version 0.21.1 or newer is required for using variables in .bicepparam file. Here are some examples:

+```bicep

+using './main.bicep'

+var storagePrefix = 'myStorage'

+param primaryStorageName = '${storagePrefix}Primary'

+param secondaryStorageName = '${storagePrefix}Secondary'

+```

+```bicep

+using './main.bicep'

+var testSettings = {

+ instanceSize: 'Small'

+ instanceCount: 1

+}

+var prodSettings = {

+ instanceSize: 'Large'

+ instanceCount: 4

+}

+param environmentSettings = {

+ test: testSettings

+ prod: prodSettings

+}

+```

+### Use a key vault in a .bicepparam file

+When you use `.bicepparam` file format, you can provide secure values to parameters by using [the `getSecret` function](bicep-functions-parameters-file.md#getsecret).

+Reference the KeyVault by providing the subscription ID, resource group name, and key vault name. You can get the value of the secret by providing the secret name. You can optionally provide the secret version. If you don't provide the secret version, the latest version is used.

+```bicep

+using './main.bicep'

+param secureUserName = az.getSecret('<subscriptionId>', '<resourceGroupName>', '<keyVaultName>', '<secretName>', '<secretVersion>')

+param securePassword = az.getSecret('<subscriptionId>', '<resourceGroupName>', '<keyVaultName>', '<secretName>')

+```

+User-defined functions support using [user-defined data types](./user-defined-data-types.md). For example:

+```bicep

+@minValue(0)

+type positiveInt = int

+func typedArg(input string[]) positiveInt => length(input)

+param inArray array = [

+ 'Bicep'

+ 'ARM'

+ 'Terraform'

+]

+output elements positiveInt = typedArg(inArray)

+```

+The output from the preceding example is:

+| Name | Type | Value |

+| - | - | -- |

+| elements | positiveInt | 3 |

+> [Check out more Socket.IO samples](https://aka.ms/awps/sio/sample)

+The preceding sections covered the core logic related to synchronizing the editor state between viewers and the writer. You can find the complete code in the [examples repository](https://aka.ms/awps/sio/sample/codestream).

+Code shown in this quickstart is in CommonJS. If you want to use an ECMAScript module, see the [chat demo for Socket.IO with Azure Web PubSub](https://aka.ms/awps/sio/sample/quickstart-esm).

+ - **Retention range**: Options for retention range are autoselected based on backup frequency you choose. The default retention for daily, weekly, monthly, and yearly backup points are set to 180 days, 12 weeks, 60 months, and 10 years respectively. You can customize these values as required.

+This sample cmdlet contains the following parameters:

+- `$ScheduleWindowStartTime`: The time at which the first backup job is triggered in case of *hourly backups*. The current limits (in policy's timezone) are:

+## Enable selective disk backup and restore

+You can exclude noncritical disks from backup by using selective disk backup to save costs. Using this capability, you can selectively back up a subset of the data disks that are attached to your VM, and then restore a subset of the disks that are available in a recovery point, both from instant restore and vault tier. [Learn more](selective-disk-backup-restore.md).

+This is supported both for Enhanced Policy as well as Standard Policy. This provides an efficient and cost-effective solution for your backup and restore needs. Each recovery point contains only the disks that are included in the backup operation. This further allows you to have a subset of disks restored from the given recovery point during the restore operation. This applies to both restore from snapshots and the vault.

+>- The *Selective disk backup and restore in Enhanced policy* is available in all Azure regions including Public, Government, and Air-Gapped regions.

+>- If you use selective disk backup with *Enhanced policy* on a Linux VM, ensure that *lsblk* and *lssci* are available in your distribution so that the disks are [excluded](selective-disk-backup-restore.md#enhanced-policy).

+## Configure Selective Disk Backup in the Azure portal (Enhanced Policy)

+>[!NOTE]

+>Currently, you can only configure a set of disks in a portal when the VM is protected for the first time. You need to use the [CLI](selective-disk-backup-restore.md#modify-protection-for-already-backed-up-vms-with-azure-cli) or [PowerShell](selective-disk-backup-restore.md#modify-protection-for-already-backed-up-vms-with-powershell) commands to edit the set of disks backed up after protection or during a *resume protection* operation.

+| Linux | - **Logical volumes**: For logical volumes spread across more than one disk, ensure that all disks are included in the backup. If not, Azure Backup might not be able to reliably restore the data and exclude it in billing. <br><br> - **Distro support**: Azure Backup uses *lsscsi* and *lsblk* to determine the disks being excluded for backup and to estimate the size of the data backed up for the [Protected Instance fee](selective-disk-backup-restore.md#how-is-protected-instance-pi-cost-calculated-for-only-os-disk-backup-in-windows-and-linux) calculation. If your distro (Debian 8.11, 10.13, and so on) doesn't support *lsscsi*, install it using `sudo apt install lsscsi` to ensure Selective disk backup works. If not, the Protected Instance fee will be calculated based on the backup data transferred instead of using *lsscsi* and *lsblk*. |

+- September 2023

+ - [Support for selective disk backup with enhanced policy for Azure VM is now generally available](whats-new.md#support-for-selective-disk-backup-with-enhanced-policy-for-azure-vm-is-now-generally-available)

+ - [Support for selective disk backup with enhanced policy for Azure VM (preview)](whats-new.md#support-for-selective-disk-backup-with-enhanced-policy-for-azure-vm-is-now-generally-available)

+## Support for selective disk backup with enhanced policy for Azure VM is now generally available

+* VMs migrated from on-premises to Azure aren't currently supported for Kerberos. 

+* Cross-realm authentication isn't currently supported for Kerberos. 

+* Changes to DNS server aren't currently supported for Kerberos. After making any changes to DNS server, you'll need to delete and re-create the Bastion resource.

+* If additional DCs are added for different domains, the added domains can't successfully authenticate with Kerberos.

+1. Bastion updates with the new configuration settings.

+> [!NOTE]

+ > [!NOTE]

+ > To prevent failback to NTLM, make sure you follow the preceding steps. Enabling Kerberos (without following the procedure) won't prevent failback to NTLM.

+## Quickstart: Set up Bastion with Kerberos - Resource Manager template

+ - [**Microsoft.Network/bastionHosts**](/azure/templates/microsoft.network/bastionHosts): create a Standard SKU Bastion with a public IP and Kerberos feature enabled.

+ - Create a Windows 10 ClientVM and a Windows Server 2019 ServerVM.

+- Have the DNS Server of the VNet point to the private IP address of the ServerVM (domain controller).

+To set up Kerberos, deploy the preceding ARM template by running the following PowerShell cmd:

+Now, sign in to ClientVM using Bastion with Kerberos authentication:

+node communication model. The classic node communication model will be

+[retired on March 31, 2026](batch-pools-to-simplified-compute-node-communication-model-migration-guide.md).

+- **Images with impending end-of-life (EOL) dates:** It's strongly recommended to avoid images with impending Batch support

+outbound access for baseline operation, the recommendation is to use the simplified node communication model. The classic

+node communication model will be

+[retired on March 31, 2026](batch-pools-to-simplified-compute-node-communication-model-migration-guide.md).

+### Batch pool compute nodes

+#### Batch compute node OS

+Batch supports both Linux and Windows operating systems. Batch supports Linux with an aligned node agent for a subset of Linux OS

+distributions. It's recommended that the operating system is kept up-to-date with the latest patches provided by the OS

+publisher.

+Batch support for images and node agents phase out over time, typically aligned with publisher support timelines. It's

+recommended to avoid using images with impending end-of-life (EOL) dates or images that are past their EOL date.

+It's your responsibility to periodically refresh your view of the EOL dates pertinent to your pools and migrate your workloads

+before the EOL date occurs. If you're using a custom image with a specified node agent, ensure that you follow Batch support

+end-of-life dates for the image for which your custom image is derived or aligned with. An image without a specified

+`batchSupportEndOfLife` date indicates that such a date hasn't been determined yet by the Batch service. Absence of a date

+doesn't indicate that the respective image will be supported indefinitely. An EOL date may be added or updated in the future

+at any time. EOL dates can be discovered via the

+[`ListSupportedImages` API](/rest/api/batchservice/account/listsupportedimages),

+[PowerShell](/powershell/module/az.batch/get-azbatchsupportedimage), or

+[Azure CLI](/cli/azure/batch/pool/supported-images).

+#### Windows OS Transport Layer Security (TLS)

+The Batch node agent doesn't modify operating system level defaults for SSL/TLS versions or cipher suite ordering. In Windows,

+SSL/TLS versions and cipher suite order is controlled at the operating system level, and therefore the Batch node agent adopts

+the settings set by the image used by each compute node. Although the Batch node agent attempts to utilize the

+most secure settings available when possible, it can still be limited by operating system level settings. We recommend that

+you review your OS level defaults and set them appropriately for the most secure mode that is amenable for your workflow and

+organizational requirements. For more information, please visit

+[Manage TLS](https://learn.microsoft.com/windows-server/security/tls/manage-tls) for cipher suite order enforcement and

+[TLS registry settings](https://learn.microsoft.com/windows-server/security/tls/tls-registry-settings) for SSL/TLS version

+control for Schannel SSP. Note that some setting changes require a reboot to take effect. Utilizing a newer operating system

+with modern security defaults or a [custom image](batch-sig-images.md) with modified settings is recommended instead of

+application of such settings with a Batch start task.

+zone_pivot_groups: acs-azcli-js-csharp-java-python-portal-nocode

+To provide Intel SGX support on confidential compute instances, all deployments must run on Generation 2 images. Azure confidential computing supports workloads running on **Ubuntu 20.04 Gen 2**, **Windows Server 2019 Gen 2** and **Ubuntu 22.04 Gen 2**. For more information about supported and unsupported scenarios, see [support for Generation 2 VMs on Azure](../virtual-machines/generation-2.md).

+* [Create an Azure Managed Instance for Apache Cassandra cluster in Azure portal](../../managed-instance-apache-cassandr)

+The current provisioning process that provides the installation and configuration of both agents (MMA/AMA), will be adjusted according to the plan mentioned above: 

+1. MMA auto-provisioning mechanism and its related policy initiative will remain optional and supported until August 2024 through the Defender for Cloud platform.   

+1. In October 2023: 

+ 1. The current shared ‘Log Analytics agent’/’Azure Monitor agent’ auto-provisioning mechanism will be updated and applied to ‘Log Analytics agent’ only.  

+ 1. **Azure Monitor agent** (AMA) related Public Preview policy initiatives will be deprecated and replaced with the new auto-provisioning process for Azure Monitor agent (AMA), targeting only Azure registered SQL servers (SQL Server on Azure VM/ Arc-enabled SQL Server). 

+1. Current customers with AMA with the Public Preview policy initiative enabled will still be supported but are recommended to migrate to the new policy. 

+#### Agents migration planning 

+**First, all Defender for Servers customers are advised to enable Defender for Endpoint integration and agentless disk scanning as part of the Defender for Servers offering, at no additional cost.** This will ensure you are automatically covered with the new alternative deliverables, with no additional onboarding required.    

+Following that, plan your migration plan according to your organization requirements: 

+||Azure Monitor agent (AMA) required (for Defender for SQL or other scenarios)|FIM/EPP discovery/Baselined is required as part of Defender for Server|What should I do|

+| -- | -- | -- | -- |

+| |No |Yes |You can remove MMA starting April 2024, using GA version of Defender for Server capabilities according to your needs (preview versions will be available earlier)  |

+| |No |No |You can remove MMA starting now |

+| |Yes |No |You can start migration from MMA to AMA now |

+| |Yes |Yes |You can either start migration from MMA to AMA starting April 2024 or alternatively, you can use both agents side by side starting now. |

+**Customers with Log analytics Agent** **(MMA) enabled** 

+- If the following features are required in your organization: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations), you can start retiring from MMA in April 2024 when an alternative will be delivered in GA (preview versions will be available earlier). 

+- If the features mentioned above are required in your organization, and Azure Monitor agent (AMA) is required for other services as well, you can start migrating from MMA to AMA in April 2024. Alternatively, use both MMA and AMA to get all GA features, then remove MMA in April 2024. 

+- If the features mentioned above are not required, and Azure Monitor agent (AMA) is required for other services, you can start migrating from MMA to AMA now. However, note that the preview Defender for Servers capabilities over AMA will be deprecated in April 2024. 

+**Customers with Azure Monitor agent (AMA) enabled** 

+No action is required from your end. 

+- YouΓÇÖll receive all Defender for Servers GA capabilities through Agentless and Defender for Endpoint. The following features will be available in GA in April 2024: File Integrity Monitoring (FIM), Endpoint Protection recommendations, OS misconfigurations (security baselines recommendations). The preview Defender for Servers capabilities over AMA will be deprecated in April 2024.

+|**GE** | ADL (MarkVIe) <br>Bentley Nevada (System 1 / BN3500)<br>ClassicSDI (MarkVle) <br> EGD<br> GSM (GE MarkVI and MarkVIe)<br> InterSite<br> SDI (MarkVle) <br> SRTP (GE)<br> GE_CMP |

+| **Jenesys** |FOX <br>Niagara |

+|**Omron** | FINS <br>HTTP |

+|**OPC** | AE <br>Common <br> DA <br>HDA <br> UA |

+| **SEL** | FTP <br> Telnet |

+|**Filter devices shown** | Either use the **Search** box to search for specific device details, or select **Add filter** to filter the devices shown. <br><br> In the **Add filter** box, define your filter by column name, operator, and value. Select **Apply** to apply your filter.<br><br> You can apply multiple filters at the same time. Search results and filters aren't saved when you refresh the **Device inventory** page. <br><br> The **Last active time** and **Network location (Preview)** filters are on by default. |

+ Title: Troubleshoot the sensor | Microsoft Defender for IoT

+description: Learn how to troubleshoot your Microsoft Defender for IoT OT sensor.

+#CustomerIntent: As a Defender for IoT sensor admin, I want to know how to troubleshoot sensor issues so that I can get it back online quickly.

+## Check sensor - cloud connectivity issues

+OT sensors automatically run connectivity checks to ensure that your sensor has access to all required endpoints. If a sensor isn't connected, an error is indicated in the Azure portal, on the **Sites and sensors** page, and on the sensor's **Overview** page. For example:

+Use the **Cloud connectivity troubleshooting** page in your OT sensor to learn more about the error that occurred and recommended mitigation actions you can take.

+**To troubleshoot connectivity errors**, sign into your OT sensor and do one of the following:

+- From the sensor's **Overview** page, select the **Troubleshoot*** link in the error at the top of the page

+- Select **System settings > Sensor management > Health and troubleshooting > Cloud connectivity troubleshooting**

+The **Cloud connectivity troubleshooting** pane opens on the right. If the sensor is connected to the Azure portal, the pane indicates that **The sensor is connected to cloud successfully**. If the sensor isn't connected, a description of the issue and any mitigation instructions are listed instead. For example: <!--need new image-->

+The **Cloud connectivity troubleshooting** pane covers the following types of issues:

+|Issue |Description |

+|||

+|**Errors establishing secure connections** | Occurs for SSL errors, which typically means that the sensor doesn't trust the certificate found. <br><br>This might occur due to an incorrect sensor time configuration, or using an SSL inspection service. SSL inspection services are often found in proxies and can lead to potential certificate errors. <br><br>For more information, see [Manage SSL/TLS certificates](how-to-manage-individual-sensors.md#manage-ssltls-certificates) and [Synchronize time zones on an OT sensor](how-to-manage-individual-sensors.md#synchronize-time-zones-on-an-ot-sensor).|

+|**General connection errors** | Occurs when the sensor can't connect with one or more required endpoints. <br><br>In such cases, ensure that all required endpoints are accessible from your sensor, and consider configuring more endpoints in your firewall. For more information, see [Provision sensors for cloud management](ot-deploy/provision-cloud-management.md). |

+|**Unreachable DNS server errors** | Occurs when the sensor can't perform name resolution due to an unreachable DNS server. In such cases, verify that your sensor can access the DNS server. For more information, see [Update the OT sensor network configuration](how-to-manage-individual-sensors.md#update-the-ot-sensor-network-configuration) |

+|**Proxy authentication issues** | Occurs when a proxy demands authentication, but no credentials, or incorrect credentials, are provided. <br><br>In such cases, make sure that you've configured the proxy credentials correctly. For more information, see [Update the OT sensor network configuration](how-to-manage-individual-sensors.md#update-the-ot-sensor-network-configuration). |

+|**Name resolution failures** | Occurs when the sensor can't perform name resolution for a specific endpoint. <br><br>In such cases, if your DNS server is reachable, make sure that the DNS server is configured on your sensor correctly. If the configuration is correct, we recommend reaching out to your DNS administrator. <br><br>For more information, see [Update the OT sensor network configuration](how-to-manage-individual-sensors.md#update-the-ot-sensor-network-configuration). |

+|**Unreachable proxy server errors** | Occurs when the sensor can't establish a connection with the proxy server. In such cases, confirm the reachability of your proxy server with your network team. <br><br>For more information, see [Update the OT sensor network configuration](how-to-manage-individual-sensors.md#update-the-ot-sensor-network-configuration). |

+| 23.1.3 | 09/2023 | Patch | 08/2024 |

+### Version 23.1.3

+**Release date**: 09/2023

+**Supported until**: 08/2024

+This version includes the following updates and enhancements:

+- [Connectivity troubleshooting enhancements from the OT sensor](how-to-troubleshoot-sensor.md#check-sensorcloud-connectivity-issues)

+- [Read Only users can access the Event Timeline](roles-on-premises.md)

+| **View events in a timeline** | Γ£ö | Γ£ö | Γ£ö |

+## September 2023

+|Service area |Updates |

+|||

+| **OT networks** | **Version 23.1.3**: <br>- [Troubleshoot OT sensor connectivity](#troubleshoot-ot-sensor-connectivity) <br>- [Event timeline access for OT sensor Read Only users](#event-timeline-access-for-ot-sensor-read-only-users)|

+### Troubleshoot OT sensor connectivity

+Starting in version 23.1.3, OT sensors automatically help you troubleshoot connectivity issues with the Azure portal. If a cloud-managed sensor isn't connected, an error is indicated in the Azure portal on the **Sites and sensors** page, and on the sensor's **Overview** page.

+For example:

+From your sensor, do one of the following to open the **Cloud connectivity troubleshooting** pane, which provides details about the connectivity issues and mitigation steps:

+- On the **Overview** page, select the **Troubleshoot** link at the top of the page

+- Select **System settings > Sensor management > Health and troubleshooting > Cloud connectivity troubleshooting**

+For more information, see [Check sensor - cloud connectivity issues](how-to-troubleshoot-sensor.md#check-sensorcloud-connectivity-issues).

+### Event timeline access for OT sensor Read Only users

+Starting in version 23.1.3, *Read Only* users on the OT sensor can view the **Event Timeline** page. For example:

+For more information, see:

+- [Track network and sensor activity with the event timeline](how-to-track-sensor-activity.md)

+- [On-premises users and roles for OT monitoring with Defender for IoT](roles-on-premises.md)

+ :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-open-in-browser.png" alt-text="Screenshot of dev box card that shows the option for opening in a browser.":::

+If you use **Log Analytics** to store the diagnostic logging information, the information is stored in tables named **AzureDiagnostics** / **AzureMetrics** or **resource specific tables**

+### [AzureDiagnostics](#tab/AzureDiagnostics)

+ ```

+

+### [Resource Specific Table](#tab/Resourcespecifictable)

+ ```Kusto

+ AZMSOperationalLogs

+ | where Timegenerated > ago(7d)

+ | where Provider == "EVENTHUB"

+ | where resourceId == "<Resource Id>" // Replace your resource Id

+ ```Kusto

+ AZMSArchiveLogs

+ | where EventhubName == "<Event Hub Name>" //Enter event hub entity name

+ | where TimeGenerated > ago(7d)

+ ```

+### [AzureDiagnostics](#tab/AzureDiagnosticsforRuntimeAudit)

+### [Resource Specific Table](#tab/ResourcespecifictableforRuntimeAudit)

+```kusto

+AZMSRuntimeAuditLogs

+| where TimeGenerated > ago(1h)

+| where Provider == "EVENTHUB"

+```

+### [AzureDiagnostics](#tab/AzureDiagnosticsforAppMetrics)

+### [Resource Specific Table](#tab/ResourcespecifictableforAppMetrics)

+```kusto

+AZMSApplicationMetricLogs

+| where TimeGenerated > ago(1h)

+| where Provider == "EVENTHUB"

+```

+| BadRequest | 40000 | The event hub can't be disabled. | The Capture feature is enabled for continuous flow of messages. | Disable the Capture feature and then try disabling the event hub. |

+description: Valid Global Secure Access configurations for custom remote network device links settings, including IKE, ASN, IPSec, and DH group.

+| IPSec encryption | GCMAES256 | GCMAES192 | GCMAES128 |

+| IPSec integrity | GCMAES256 | GCMAES192 | GCMAES128 |

+* **Bash on Ubuntu on Windows 10** provides a Linux subsystem on Windows. Bash allows you to directly run Linux utilities without having to maintain a dedicated Linux installation. See [Windows Subsystem for Linux Installation Guide for Windows 10](/windows/wsl/install-win10) for installation steps. Other [Unix shells](https://www.gnu.org/software/bash/) work as well.

+If you're new to work in Linux-based clusters, see the following articles:

+WLM Metrics can be accessed directly via `HS2Interactive` UI under the Metrics Dump Tab. <br>

+`HS2Interactive` UI may not work for the ESP(Enterprise Security Package) enabled clusters released before Apr 2021. In such cases, WLM-related metrics can be obtained from customized Grafana dashboards.

+2. When WLM is disabled, all the inflight queries fail with following exception pattern:

+1. Configure the Spark machine learning pipeline that consists of three stages: `tokenizer`, `hashingTF`, and `lr`.

+| `--master MASTER_URL` | Specifies the master URL. In HDInsight, this value is always `yarn`. | `--master yarn`|

+| `--jars JAR_LIST` | Comma-separated list of local jars to include on the driver and executor classpaths. In HDInsight, this list is composed of paths to the default filesystem in Azure Storage or Data Lake Storage. | `--jars /path/to/examples.jar` |

+| `--packages MAVEN_COORDS` | Comma-separated list of maven coordinates of jars to include on the driver and executor classpaths. Searches the local maven repo, then maven central, then any additional remote repositories specified with `--repositories`. The format for the coordinates is *groupId*:*artifactId*:*version*. | `--packages "com.microsoft.azure:azure-eventhubs:0.14.0"`|

+| `--py-files LIST` | For Python only, a comma-separated list of `.zip`, `.egg`, or `.py` files to place on the PYTHONPATH. | `--pyfiles "samples.py"` |

+ "valueString": "{url of custom search parameter. In case of multiple custom search parameters, url list can be comma separated.}"

+ :::image type="content" source="media/import-update/device-twin-ppr.png" alt-text="Screenshot that shows twin with tag information." lightbox="media/import-update/device-twin-ppr.png":::

+ _This screenshot shows the section where the tag needs to be added in the twin._

+| node_request | counter | flow,node,exception,run_status | node execution count |

+- Other non Azure resources such as SerpAPI, pinecone etc. If you have strict outbound rule, you need add FQDN rule to access them.

+Workspace managed virtual network is the recommended way to support network isolation in prompt flow. It provides easily configuration to secure your workspace. After you enable managed virtual network in the workspace level, resources related to workspace in the same virtual network, will use the same network setting in the workspace level. You can also configure the workspace to use private endpoint to access other Azure resources such as Azure OpenAI, Azure content safety, and Azure cognitive search. You also can configure FQDN rule to approve outbound to non-Azure resources use by your prompt flow such as OpenAI, Pinecone etc.

+- Only public access enable storage account is supported. You can't use private storage account now.

+## FAQ

+### Why I can't create or upgrade my flow when I disable public network access of storage account?

+Prompt flow rely on fileshare to store snapshot of flow. Prompt flow didn't support private storage account now. Here are some workarounds you can try:

+- Make the storage account as public access enabled if there is no security concern.

+- If you are only use UI to authoring promptflow, you can add following flights (flight=PromptFlowCodeFirst=false) to use our old UI.

+- You can use our CLI/SDK to authoring promptflow, CLI/SDK authong didn't rely on fileshare. See [Integrate Prompt Flow with LLM-based application DevOps ](how-to-integrate-with-llm-app-devops.md).

+|acpt-pytorch-2.0-cuda11.7|Ubuntu 20.04|cu117|3.8|2.0.1|1.15.1|0.9.5 |1.15.0|0.16.5|

+|acpt-pytorch-1.13-cuda11.7|Ubuntu 20.04|cu117|3.8|1.13.1|1.15.1|0.9.5|1.15.0|0.16.5|

+> [Sync Grafana teams with Azure Active Directory groups](./how-to-sync-teams-with-azure-ad-groups.md)

+ Title: Sync Grafana teams with Azure Active Directory groups

+description: Learn how to set up Grafana teams using Azure Active Directory groups in Azure Managed Grafana

+

+# Sync Grafana teams with Azure Active Directory groups (preview)

+In this guide, you learn how to use Azure Active Directory (Azure AD) groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) (Azure AD group sync) to set dashboard permissions in Azure Managed Grafana. Grafana allows you to control access to its resources at multiple levels. In Managed Grafana, you use the built-in Azure RBAC roles for Grafana to define access rights users have. These permissions are applied to all resources in your Grafana workspace by default. You can't, for example, grant someone edit permission to only one particular dashboard with RBAC. If you assign a user to the Grafana Editor role, that user can make changes to any dashboard in your Grafana workspace. Using Grafana's [granular permission model](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/), you can elevate or demote a user's default permission level for specific dashboards (or dashboard folders).

+Setting up dashboard permissions for individual users in Managed Grafana is a little tricky. Managed Grafana stores the user assignments for its built-in RBAC roles in Azure AD. For performance reasons, it doesn't automatically synchronize the user assignments to Grafana workspaces. Users in these roles don't show up in Grafana's **Configuration** UI until they've signed in once. You can only grant users extra permissions after they appear in the Grafana user list in **Configuration**. Azure AD group sync gets around this issue. With this feature, you create a *Grafana team* in your Grafana workspace linked with an Azure AD group. You then use that team in configuring your dashboard permissions. For example, you can grant a viewer the ability to modify a dashboard or block an editor from being able to make changes. You don't need to manage the team's member list separately since its membership is already defined in the associated Azure AD group.

+> [!IMPORTANT]

+> Azure AD group sync is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+## Set up Azure AD group sync

+To use Azure AD group sync, you add a new team to your Grafana workspace and link it to an existing Azure AD group through its group ID. Follow these steps to set up an Azure AD-backed Grafana team.

+1. In the Azure portal, open your Grafana instance and select **Configuration** under *Settings*.

+1. Select the **Azure AD Team Sync Settings** tab.

+1. Select **+ Create new Grafana team**.

+ :::image type="content" source="media/azure-ad-group-sync/team-sync-settings.png" alt-text="Screenshot of the Azure portal. Configuring Azure AD team sync.":::

+1. Enter a name for the Grafana team and select **Add**.

+ :::image type="content" source="media/azure-ad-group-sync/create-new-grafana-team.png" alt-text="Screenshot of the Azure portal. Creating a new Grafana team.":::

+1. In **Assign access to**, select the newly created Grafana team.

+1. Select **+ Add an Azure AD Group**.

+ :::image type="content" source="media/azure-ad-group-sync/add-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Adding an Azure AD group to Grafana team.":::

+1. In the **Select** search box, enter an Azure AD group name.

+1. Select the group name in the search result and **Select**.

+ :::image type="content" source="media/azure-ad-group-sync/select-azure-ad-group.png" alt-text="Screenshot of the Azure portal. Finding and selecting an Azure AD group.":::

+1. Repeat the previous three steps to add more Azure AD groups to the Grafana team as appropriate.

+ :::image type="content" source="media/azure-ad-group-sync/view-grafana-team.png" alt-text="Screenshot of the Azure portal. Viewing a Grafana team and Azure AD group(s) linked to it.":::

+## Remove Azure AD group sync

+If you no longer need a Grafana team, follow these steps to delete it, which also removes the link to the Azure AD group.

+1. In the Azure portal, open your Azure Managed Grafana workspace.

+1. Select **Administration > Teams**.

+1. Select the **X** button to the right of a team you're deleting.

+ :::image type="content" source="media/azure-ad-group-sync/remove-azure-ad-group-sync.png" alt-text="Screenshot of the Grafana platform. Removing a Grafana team.":::

+1. Select **Delete** to confirm.

+## Next steps

+In this how-to guide, you learned how to set up Grafana teams backed by Azure AD groups. To learn how to use teams to control access to dashboards in your workspace, see [Manage dashboard permissions](https://grafana.com/docs/grafana/latest/administration/user-management/manage-dashboard-permissions/).

+**Target storage disk (performance-based sizing)** | Specifies the type of target storage disk as Premium-managed, Standard HDD-managed, Standard SSD-managed, or Ultra disk.<br><br> **Premium or Standard or Ultra disk**: The assessment recommends a disk SKU within the storage type selected.<br><br> If you want a single-instance VM service-level agreement (SLA) of 99.9%, consider using Premium-managed disks. This use ensures that all disks in the assessment are recommended as Premium-managed disks.<br><br> If you're looking to run data-intensive workloads that need high throughput, high IOPS, and consistent low latency disk storage, consider using Ultra disks.<br><br> Azure Migrate supports only managed disks for migration assessment.

+**Savings options (compute)** | Specify the savings option that you want the assessment to consider to help optimize your Azure compute cost. <br><br> [Azure reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) (1 year or 3 year reserved) are a good option for the most consistently running resources.<br><br> [Azure Savings Plan](../cost-management-billing/savings-plan/savings-plan-compute-overview.md) (1 year or 3 year savings plan) provide additional flexibility and automated cost optimization. Ideally post migration, you could use Azure reservation and savings plan at the same time (reservation will be consumed first), but in the Azure Migrate assessments, you can only see cost estimates of 1 savings option at a time. <br><br> When you select 'None', the Azure compute cost is based on the Pay as you go rate or based on actual usage.<br><br> You need to select pay-as-you-go in offer/licensing program to be able to use Reserved Instances or Azure Savings Plan. When you select any savings option other than 'None', the 'Discount (%)' and 'VM uptime' properties are not applicable. The monthly cost estimates are calculated by multiplying 744 hours in the VM uptime field with the hourly price of the recommended SKU.

+- Learn about setting up [dependency visualization](concepts-dependency-visualization.md).

+## Common assessment errors

+Assessment service uses the [configuration data](discovered-metadata.md) and the [performance data](concepts-assessment-calculation.md#how-does-the-appliance-calculate-performance-data) for calculating the assessments. The data is fetched by the Azure Migrate appliance at specific intervals in case of appliance-based discovery and assessments.

+The following table summarizes the errors encountered while fetching the data by the assessment service.

+**Error** | **Cause** | **Action**

+ | |

+60001:UnableToConnectToPhysicalServer | Either the prerequisites to connect to the server have not been met or there are network issues in connecting to the server, for instance some proxy settings. | - Ensure that the server meets the prerequisites and port access requirements. <br/><br/> - Add the IP addresses of the remote machines (discovered servers) to the WinRM TrustedHosts list on the Azure Migrate appliance and retry the operation. This is to allow remote inbound connections on servers: *Windows: WinRM port 5985 (HTTP) and Linux: SSH port 22 (TCP)*. <br/><br/> - Ensure that you have chosen the correct authentication method on the appliance to connect to the server. <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+60002: InvalidServerCredentials | Unable to connect to server due to incorrect credentials on the appliance, or the credentials previously provided have expired or the server credentials have changed. | - Ensure that you have provided the correct credentials for the server on the appliance. You can check that by trying to connect to the server using those credentials. <br/><br/> - If the credentials added are incorrect or have expired, edit the credentials on the appliance and revalidate the added servers. If the validation succeeds, the issue is resolved. <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+60004: NoPerfDataAvailableForServers | The appliance is unable to fetch the required performance data from the server due to network issues or the credentials provided on the appliance do not have enough permissions to fetch the metadata. | - Ensure that the server is accessible from the appliance. <br/><br/> - Ensure that the guest credentials provided on the appliance have [required permissions](migrate-support-matrix-physical.md#physical-server-requirements). <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+60005: SSHOperationTimeout | The operation took longer than expected either due to network latency issues or due to the lack of latest updates on Linux server.| - Ensure that the impacted server has the latest kernel and OS updates installed. <br/><br/> - Ensure that there is no network latency between the appliance and the server. It is recommended to have the appliance and source server on the same domain to avoid latency issues.<br/><br/> - Connect to the impacted server from the appliance and run the commands documented here to check if they return null or empty data. <br/><br/> - If the issue persists, submit a Microsoft support case providing the appliance machine ID (available in the footer of the appliance configuration manager).

+60006: ServerAccessDenied | The operation could not be completed due to forbidden access on the server. The guest credentials provided do not have enough permissions to access the servers. |

+60011: ServerWindowsWMICallFailed | WMI call failed due to WMI service failure. This might be a transient error, if the server is unreachable due to network issue or in case of physical sever the server might be switched off. | - Please ensure WinRM is running and the server is reachable from the appliance VM. <br/><br/> - Ensure that the server is switched on.<br/><br/> - For troubleshooting with physical servers, follow the [instructions](migrate-support-matrix-physical.md#physical-server-requirements).<br/><br/> - If the issue persists, submit a Microsoft support case providing the appliance machine ID (available in the footer of the appliance configuration manager).

+10004: CredentialNotProvidedForGuestOSType | The credentials for the server OS type weren't added on the appliance. | - Ensure that you add the credentials for the OS type of the affected server on the appliance.<br/><br/> - You can now add multiple server credentials on the appliance.

+751: Unable to connect to Server | Unable to connect to the server due to connectivity issues. | Resolve the connectivity issue mentioned in the error message.

+754: Performance Data not available | Azure Migrate is unable to collect performance data if the vCentre is not configured to give out the performance data | Configure the statistics level on VCentre server to 3 to make the performance data available. Wait for a day before running the assessment for the data to populate.

+757: Virtual Machine not found | The Azure Migrate service is unable to locate the specified virtual machine. This may occur if the virtual machine has been deleted by the administrator on the VMware environment.| Please verify that the virtual machine still exists in the VMware environment.

+758: Request timeout while fetching Performance data | Azure Migrate assessment service is unable to retrieve performance data. This could happen if the vCenter server is not reachable. | - Please verify the vCenter server credentials are correct.<br/><br/> - Ensure that the server is reachable before attempting to retrieve performance data again.<br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+760: Unable to get Performance counters | Azure Migrate assessment service is unable to retrieve performance counters. This can happen due to multiple reasons. Check the error message to find the exact reason.| - Ensure that you resolve the error flagged in the error message.<br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+8002: Virtual Machine could not be found | Azure Migrate discovery service could not find the virtual machine. This could happen if the virtual machine is deleted or its UUID has changed. | - Ensure that the on-premises virtual machine exists and then restart the job. <br/><br/> - If the issue persists, submit a Microsoft support case, providing the appliance machine ID (available in the footer of the appliance configuration manager).

+9003: Operating system type running on the server isn't supported. | The operating system running on the server isn't Windows or Linux. | Only Windows and Linux OS types are supported. If the server is running Windows or Linux OS, check the operating system type specified in vCenter Server.

+9004: Server isn't in a running state. | The server is in a powered-off state. | Ensure that the server is in a running state.

+9010: The server is powered off. | The server is in a powered-off state. | Ensure that the server is in a running state.

+9014: Unable to retrieve the file containing the discovered metadata because of an error encountered on the ESXi host | The error details will be mentioned with the error.| Ensure that port 443 is open on the ESXi host on which the server is running. Learn more on how to remediate the issue.

+9015: The vCenter Server user account provided for server discovery doesn't have guest operations privileges enabled. | The required privileges of guest operations haven't been enabled on the vCenter Server user account. | Ensure that the vCenter Server user account has privileges enabled for **Virtual Machines** > **Guest Operations** to interact with the server and pull the required data. [Learn more](troubleshoot-discovery.md#error-9014-httpgetrequesttoretrievefilefailed) on how to set up the vCenter Server account with required privileges.

+9022: The access is denied to run the Get-WmiObject cmdlet on the server. | The role associated with the credentials provided on the appliance or a group policy on-premises is restricting access to the WMI object. You encounter this issue when you try the following credentials on the server: `FriendlyNameOfCredentials`. | Check if the credentials provided on the appliance have created file administrator privileges and have WMI enabled.<br/><br/> If the credentials on the appliance don't have the required permissions, either provide another set of credentials or edit an existing one. (Find the friendly name of the credentials tried by Azure Migrate in the possible causes.) <br/><br/> [Learn more](tutorial-discover-vmware.md#prepare-vmware) on how to remediate the issue.

+### Review issues

+In the Assessment report, you can see a list of errors if there are any issues faced by the assessment service for any VM. To troubleshoot the issues, select **Details** in the **Issues** column to view errors corresponding to a VM. A context pane will open with detailed information about the errors. Use this information to resolve the issues.

+

+- **Azure MySQL Import Smart Defaults for Azure Database for MySQL - Single to Flexible Server migration (Public Preview)**

+You can now migrate an Azure Database for MySQL Single Server to an Azure Database for MySQL Flexible Server by running a single CLI command with minimal inputs as the command leverages smart defaults for target Flexible Server provisioning based on the source server SKU and properties! [Learn more](../migrate/migrate-single-flexible-mysql-import-cli.md)

+- **Nominate eligible Azure DB for MySQL Single Server instance for in-place automigration to Flexible Server**

+If you own a Azure DB for MySQL Single Server workload with Basic or GP SKU, data storage used < 10 GiB and no complex features (CMK, AAD, Read Replica, Private Link) enabled, you can now nominate yourself (if not already scheduled by the service) for in-place automigration to Flexible Server by submitting your server details through this [form](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR4lhLelkCklCuumNujnaQ-ZUQzRKSVBBV0VXTFRMSDFKSUtLUDlaNTA5Wi4u)

+* The **migrated Flexible Server is online** and can now be managed via Azure portal/CLI. Stopped Single Server is deleted 7 days after the migration.

+To learn more about Network Watcher features and capabilities, see [What is Azure Network Watcher?](network-watcher-overview.md)

+- To learn about other Network Watcher tools, see [What is Azure Network Watcher?](network-watcher-overview.md)

+For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-cli.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL over time using the Network Watcher connection monitor capability. For more information, see [Monitor a network connection](monitor-vm-communication.md).

+For outbound VM connections, you can also determine the latency and allowed and denied network traffic between the VM and an endpoint using Network Watcher's [connection troubleshoot](network-watcher-connectivity-powershell.md) capability. You can monitor communication between a VM and an endpoint, such as an IP address or URL over time using the Network Watcher connection monitor capability. For more information, see [Monitor a network connection](monitor-vm-communication.md).

+> [Monitor a network connection](monitor-vm-communication.md)

+- To learn about Network Watcher, see [What is Azure Network Watcher?](network-watcher-overview.md)

+* For more information about Network Watcher, see [What is Azure Network Watcher?](network-watcher-overview.md)

+* For answers to the frequently asked questions, see [Network Watcher FAQ](frequently-asked-questions.yml).

+- **Session pooling:** This method assigns a server connection to the client application for the entire duration of the client's connection. Upon disconnection of the client application, **PgBouncer** promptly returns the server connection back to the pool. Session pooling mechanism is the default mode in Open Source PgBouncer. See [PgBouncer configuration](https://www.pgbouncer.org/config.html)

+- **Transaction pooling:** With transaction pooling, a server connection is dedicated to the client application during a transaction. Once the transaction is successfully completed, **PgBouncer** intelligently releases the server connection, making it available again within the pool. Transaction pooling is the default mode in Azure PostgreSQL Flexible Server's in-built PgBouncer, and it does not support prepared transactions.

+- **Connection Performance Issues:** Large-scale applications that utilize thousands of pods, each running sidecar PgBouncer, may encounter potential challenges related to database connection exhaustion. This situation can result in performance degradation and service disruptions. Deploying a sidecar PgBouncer for each pod increases the number of concurrent connections to the database server, which can exceed its capacity. As a result, the database may struggle to handle the high volume of incoming connections, may lead to performance issues such as increased response times or even service outages.

+- **Scaling Challenges:** It's important to note that the sidecar pattern may not be the ideal choice for applications that demand high scalability. The inclusion of a sidecar container can impose more resource requirements, potentially limiting the number of pods that can be effectively created and managed.

+## 2. Application independent - Centralized PgBouncer deployment

+### I. PgBouncer deployed in ubuntu VM behind Azure Load Balancer

+**PgBouncer** connection proxy is set up between the application and database layer behind a Azure Load Balancer as shown in the image. In this pattern multiple PgBouncer instances are deployed behind a load balancer as a service to mitigate single point of failure.This pattern is also suitable in scenarios where the application is running on a managed service like Azure App Services or Azure Functions and connecting to **PgBouncer** service for easy integration with your existing infrastructure.

+- **Removing Single Point of Failure:** Application connectivity may not be affected by the failure of a single PgBouncer VM, as there are several PgBouncer instances behind Azure Load Balancer.

+ | **Authorization URL** | In the local monitoring app registration Overview page, select **Endpoints**. Copy the contents of the **OAuth 2.0 authorization endpoint (v2)** field. <br /><br /> **Note:** <br />If the string contains `organizations`, replace `organizations` with the Tenant ID value. For example, <br />`https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize`<br /> becomes <br />`https://login.microsoftonline.com/72f998bf-86f1-31af-91ab-2d7cd001db56/oauth2/v2.0/authorize`. | `auth_url` |

+ | **Token URL** | In the local monitoring app registration Overview page, select **Endpoints**. Copy the contents of the **OAuth 2.0 token endpoint (v2)** field. <br /><br /> **Note:** <br />If the string contains `organizations`, replace `organizations` with the Tenant ID value. For example, <br />`https://login.microsoftonline.com/organizations/oauth2/v2.0/token`<br /> becomes <br />`https://login.microsoftonline.com/72f998bf-86f1-31af-91ab-2d7cd001db56/oauth2/v2.0/token`. | `token_url` |

+[Open Worldwide Application Security Project](https://www.owasp.org/) (OWASP) - OWASP is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

+### [AzureDiagnostics](#tab/AzureDiagnostics)

+ ```kusto

+ ```kusto

+ ```kusto

+ ```kusto

+ ```kusto

+ ### [Resource Specific Table](#tab/Resourcespecifictable)

+ ```kusto

+ AZMSVNetConnectionEvents

+ | extend NamespaceName = tostring(split(_ResourceId, "/")[8])

+ | where Provider =~ "ServiceBus"

+ | where Action == "Deny Connection"

+ | project Action, SubscriptionId, NamespaceName, AddressIp, Reason, Count

+ | summarize by Action, NamespaceName

+ ```

+ ```kusto

+ AZMSOperationalLogs

+ | extend NamespaceName = tostring(split(_ResourceId, "/")[8])

+ | where Provider =~ "ServiceBus"

+ | where isnotnull(NamespaceName) and Status != "Succeeded"

+ | project NamespaceName, ResourceId, EventName, Status, Caller, SubscriptionId

+ | summarize by NamespaceName, EventName

+ ```

+ ```kusto

+ AZMSRunTimeAuditLogs

+ | extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])

+ | where Provider =~ "ServiceBus"

+ | where isnotnull(NamespaceInfo) and ActivityName = "SendMessage"

+ | project NamespaceInfo, ActivityName, Protocol, NetworkType, ClientIp, ResourceId

+ | summarize by NamespaceInfo, ActivityName

+ ```

+ ```kusto

+ AZMSRunTimeAuditLogs

+ | extend NamespaceInfo = tostring(split(_ResourceId, "/")[8])

+ | where Provider =~ "ServiceBus"

+ | where isnotnull(NamespaceInfo) and isnotnull(AuthKey) and AuthType == "AAD" and Status != "Success"

+ | project NamespaceInfo, AuthKey, ActivityName, Protocol, NetworkType, ClientIp, ResourceId

+ | summarize by NamespaceInfo, AuthKey, ActivityName

+ ```

+20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-1112-azure <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-79-generic <br> 5.4.0-156-generic|

+22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-1044-azure <br> 5.15.0-79-generic |

+Debian 10 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.10.0-0.deb10.23-amd64 <br> 5.10.0-0.deb10.23-cloud-amd64 <br> 4.19.0-25-amd64 <br> 4.19.0-25-cloud-amd64 <br> 5.10.0-0.deb10.24-amd64 <br> 5.10.0-0.deb10.24-cloud-amd64 |

+Debian 11 | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.10.0-24-amd64 <br> 5.10.0-24-cloud-amd64 <br> 5.10.0-25-amd64 <br> 5.10.0-25-cloud-amd64 |

+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.136-azure:5 <br> 4.12.14-16.139-azure:5 <br> 4.12.14-16.146-azure:5 |

+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.52-azure:4 <br> 4.12.14-16.139-azure:5 <br> 5.14.21-150400.14.55-azure:4 <br> 5.14.21-150400.14.60-azure:4 |

+2. Ensure that the Azure VMs are using managed disks. Failback of Hyper-V virtual machines, that failed over to Azure machines using managed disks, is supported. It is not recommended to use storage accounts, as they will be [fully retired on September 30, 2025](../virtual-machines/unmanaged-disks-deprecation.md).

+Managed disks | Yes, for both failover and failback. | Yes, both failover and failback.

+- [Troubleshoot ClientOtherErrors](/troubleshoot/azure/azure-storage/files-client-other-errors?toc=/azure/storage/files/toc.json)

+By default, the Windows Update client is configured to provide updates only for Windows operating system. In Windows update, select **Check online for Windows updates**. It will check updates for other Microsoft products to enable the **Give me updates for other Microsoft products when I update Windows** to receive updates for other Microsoft products, including security patches for Microsoft SQL Server and other Microsoft software.

+## Configure a Windows server for Microsoft updates

+The Windows update client on Windows servers can get their patches from either of the following Microsoft hosted patch repositories:

+- Windows update - hosts operating system patches.

+- Microsoft update - hosts operating system and other Microsoft patches. For example MS Office, SQL Server and so on.

+> [!NOTE]

+> For the application of patches, you can choose the update client at the time of installation, or later using Group policy or by directly editing the registry.

+> To get the non-operating system Microsoft patches or to install only the OS patches, we recommend you to change the patch repository as this is an operating system setting and not an option that you can configure within Update management center (preview).

+### Edit the registry

+If scheduled patching is configured on your machine using the Update management center (preview), the Auto update on the client is disabled. To edit the registry and configure the setting, see [First party updates on Windows](support-matrix.md#first-party-updates-on-windows).

+### Patching using group policy on Azure Update management

+If your machine is patched using Automation Update management, and has Automatic updates enabled on the client, you can use the group policy to have complete control. To patch using group policy, follow these steps:

+1. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Manage end user experience**.

+1. Select **Configure Automatic Updates**.

+1. Select or deselect the **Install updates for other Microsoft products** option.

+ :::image type="content" source="./media/configure-wu-agent/configure-updates-group-policy-inline.png" alt-text="Screenshot of selection or deselection of install updates for other Microsoft products." lightbox="./media/configure-wu-agent/configure-updates-group-policy-expanded.png":::

+# Guidance on migrating Azure VMs from Microsoft Configuration Manager to Azure Update Manager

+1. If the service stops after you started and refreshed it, you may have a registration failure. For more information, see [INVALID_REGISTRATION_TOKEN or EXPIRED_MACHINE_TOKEN](#error-invalid_registration_token-or-expired_machine_token).

+## Error: INVALID_REGISTRATION_TOKEN or EXPIRED_MACHINE_TOKEN

+On your session host VM, go to **Event Viewer** > **Windows Logs** > **Application**. If you see an event with ID 3277 with **INVALID_REGISTRATION_TOKEN** or **EXPIRED_MACHINE_TOKEN** in the description, the registration token that has been used isn't recognized as valid.

+1. Make sure [your VM has a valid registration token](#error-invalid_registration_token-or-expired_machine_token).

+Ebsv5-series sizes run on the Intel® Xeon® Platinum 8272CL (Cascade Lake). These VMs are ideal for memory-intensive enterprise applications and applications that benefit from high remote storage performance but with no local SSD storage. Ebsv5-series VMs feature Intel® Hyper-Threading Technology. Remote Data disk storage is billed separately from VMs.