+ | **Pre Authentication** | How Application Proxy verifies users before giving them access to your application.<br><br>**Azure Active Directory** - Application Proxy redirects users to sign in with Azure AD, which authenticates their permissions for the directory and application. We recommend keeping this option as the default so that you can take advantage of Azure AD security features like Conditional Access and Multi-Factor Authentication. **Azure Active Directory** is required for monitoring the application with Microsoft Defender for Cloud Apps.<br><br>**Passthrough** - Users don't have to authenticate against Azure AD to access the application. You can still set up authentication requirements on the backend. |

+ Title: Use additional context in Microsoft Authenticator notifications (Preview) - Azure Active Directory

+# How to use additional context in Microsoft Authenticator notifications (Preview) - Authentication methods policy

+ Title: Use number matching in multifactor authentication (MFA) notifications (Preview) - Azure Active Directory

+# How to use number matching in multifactor authentication (MFA) notifications (Preview) - Authentication methods policy

+ |login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctldl.windowsupdate.us:80 </br>aadcdn.msftauthimages.us </br>*.microsoft.us </br>msauthimages.us </br>mfstauthimages.us| The agent uses these URLs during the registration process.

+- You can only sync up to 59 separate OUs or Security Groups for a given configuration.

+Because secure applications are essential to the organization, any downtime to them because of security issues can affect the business or some critical service that the business depends upon. So, it's important to allocate time and resources to ensure applications always stay in a healthy and secure state. Conduct a periodic security and health assessment of applications, much like a Security Threat Model assessment for code. For a broader perspective on security for organizations, see the [security development lifecycle](https://www.microsoft.com/securityengineering/sdl) (SDL).

+- Maintain ownership of all URIs. A lapse in the ownership of one of the redirect URIs can lead to application compromise.

+- Make sure all DNS records are updated and monitored periodically for changes.

+- Use Key Vault with [managed identities](../managed-identities-azure-resources/overview.md) to manage credentials for an application.

+- Review the credentials used in applications for freshness of use and their expiration. An unused credential on an application can result in a security breach. Rollover credentials frequently and don't share credentials across applications. Don't have many credentials on one application.

+The **Application ID URI** property of the application specifies the globally unique URI used to identify the web API. It's the prefix for scopes and in access tokens, it's also the value of the audience claim and it must use a verified customer owned domain. For multi-tenant applications, the value must also be globally unique. It's also referred to as an identifier URI. Under **Expose an API** for the application in the Azure portal, the **Application ID URI** property can be defined.

+- Use the Application ID URI to expose the WebApi in the organization. Don't use the Application ID URI to identify the application, and instead use the Application (client) ID property.

+>This information last updated on September 22nd, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+| Microsoft Teams Essentials | Teams_Ess | fde42873-30b6-436b-b361-21af5a6b84ae | TeamsEss (f4f2f6de-6830-442b-a433-e92249faebe2) | Microsoft Teams Essentials (f4f2f6de-6830-442b-a433-e92249faebe2) |

+ * Azure AD Connect support all mainstream supported SQL Server versions up to SQL Server 2019. Please refer to the [SQL Server lifecycle article](https://learn.microsoft.com/lifecycle/products/?products=sql-server) to verify the support status of your SQL Server version. Azure SQL Database *isn't supported* as a database. This includes both Azure SQL Database and Azure SQL Managed Instance.

+In order to configure the Active Directory connector, AADConnect server must have both name resolution

+for the forest it's attempting to connect to as well as to the domain controllers

+ Title: 'Tutorial: Azure AD SSO integration with Crayon'

+description: Learn how to configure single sign-on between Azure Active Directory and Crayon.

+# Tutorial: Azure AD SSO integration with Crayon

+In this tutorial, you'll learn how to integrate Crayon with Azure Active Directory (Azure AD). When you integrate Crayon with Azure AD, you can:

+* Control in Azure AD who has access to Crayon.

+* Enable your users to be automatically signed-in to Crayon with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Crayon single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Crayon supports **SP** and **IDP** initiated SSO.

+* Crayon supports **Just In Time** user provisioning.

+## Add Crayon from the gallery

+To configure the integration of Crayon into Azure AD, you need to add Crayon from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Crayon** in the search box.

+1. Select **Crayon** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Azure AD SSO for Crayon

+Configure and test Azure AD SSO with Crayon using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at Crayon.

+To configure and test Azure AD SSO with Crayon, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Crayon SSO](#configure-crayon-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Crayon test user](#create-crayon-test-user)** - to have a counterpart of B.Simon in Crayon that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Crayon** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://app.crayon.co/auth/sso/<CustomerName>/`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://app.crayon.co/auth/sso/<CustomerName>/acs/`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://app.crayon.co/login/`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Crayon support team](mailto:support@crayon.co) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Crayon application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Crayon application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | firstName | user.givenname |

+ | lastName | user.surname |

+ | jobTitle | user.jobtitle |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Crayon** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Crayon.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Crayon**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Crayon SSO

+To configure single sign-on on **Crayon** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Crayon support team](mailto:support@crayon.co). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Crayon test user

+In this section, a user called B.Simon is created in Crayon. Crayon supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Crayon, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Crayon Sign-on URL where you can initiate the login flow.

+* Go to Crayon Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Crayon for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Crayon tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Crayon for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Crayon you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Cytric'

+description: Learn how to configure single sign-on between Azure Active Directory and Cytric.

+# Tutorial: Azure AD SSO integration with Cytric

+In this tutorial, you'll learn how to integrate Cytric with Azure Active Directory (Azure AD). When you integrate Cytric with Azure AD, you can:

+* Control in Azure AD who has access to Cytric.

+* Enable your users to be automatically signed-in to Cytric with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Cytric single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Cytric supports **SP** initiated SSO.

+## Add Cytric from the gallery

+To configure the integration of Cytric into Azure AD, you need to add Cytric from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Cytric** in the search box.

+1. Select **Cytric** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)

+## Configure and test Azure AD SSO for Cytric

+Configure and test Azure AD SSO with Cytric using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cytric.

+To configure and test Azure AD SSO with Cytric, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Cytric SSO](#configure-cytric-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Cytric test user](#create-cytric-test-user)** - to have a counterpart of B.Simon in Cytric that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Cytric** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<domain>.cytric.net/saml2`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<domain>.cytric.net/saml2/sp/acs/post`

+ c. In the **Sign on URL** text box, type a URL using the following pattern:

+ `https://<domain>.cytric.net/svc/SAML2/cWS/pre/AUTH?clientId=<Customer>`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Cytric support team](mailto:ifao.cgs@amadeus.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Cytric** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Cytric.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Cytric**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Cytric SSO

+To configure single sign-on on **Cytric** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Cytric support team](mailto:ifao.cgs@amadeus.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Cytric test user

+In this section, you create a user called Britta Simon in Cytric. Work with [Cytric support team](mailto:ifao.cgs@amadeus.com) to add the users in the Cytric platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Cytric Sign-on URL where you can initiate the login flow.

+* Go to Cytric Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Cytric tile in the My Apps, this will redirect to Cytric Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Cytric you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Valence Security Platform'

+description: Learn how to configure single sign-on between Azure Active Directory and Valence Security Platform.

+# Tutorial: Azure AD SSO integration with Valence Security Platform

+In this tutorial, you'll learn how to integrate Valence Security Platform with Azure Active Directory (Azure AD). When you integrate Valence Security Platform with Azure AD, you can:

+* Control in Azure AD who has access to Valence Security Platform.

+* Enable your users to be automatically signed-in to Valence Security Platform with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Valence Security Platform single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Valence Security Platform supports **IDP** initiated SSO.

+## Add Valence Security Platform from the gallery

+To configure the integration of Valence Security Platform into Azure AD, you need to add Valence Security Platform from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Valence Security Platform** in the search box.

+1. Select **Valence Security Platform** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true).

+## Configure and test Azure AD SSO for Valence Security Platform

+Configure and test Azure AD SSO with Valence Security Platform using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Valence Security Platform.

+To configure and test Azure AD SSO with Valence Security Platform, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Valence Security Platform SSO](#configure-valence-security-platform-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Valence Security Platform test user](#create-valence-security-platform-test-user)** - to have a counterpart of B.Simon in Valence Security Platform that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Valence Security Platform** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://app.valencesecurity.com/auth/realms/valence/broker/<CustomerName>/endpoint/clients/oktasamlapp`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://app.valencesecurity.com/auth/realms/valence/broker/<CustomerName>/endpoint/clients/oktasamlapp`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Valence Security Platform support team](mailto:support@valencesecurity.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Valence Security Platform** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Valence Security Platform.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Valence Security Platform**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Valence Security Platform SSO

+To configure single sign-on on **Valence Security Platform** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Valence Security Platform support team](mailto:support@valencesecurity.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Valence Security Platform test user

+In this section, you create a user called Britta Simon in Valence Security Platform. Work with [Valence Security Platform support team](mailto:support@valencesecurity.com) to add the users in the Valence Security Platform platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the Valence Security Platform for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the Valence Security Platform tile in the My Apps, you should be automatically signed in to the Valence Security Platform for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Valence Security Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+> For the delayed Writeback to work as expected, an operation in on-premises AD or Azure AD must trigger a change to the user just a day before the arrival or on the hire date, so that this user's profile is updated and is considered for Writeback. It must be a change, that updates an attribute value on the user profile, where the new attribute value is different from the old attribute value.

+|`uri`| string (uri) | uri of the logo (optional if image is specified) |

+|`image` | string | the base-64 encoded image (optional if uri is specified) |

+## How can I verify that the verification is working?

+The portal verifies that the `did-configuration.json` is reachable and correct when you click the **Refresh verification status** button. You should also consider verifying that you can request that URL in a browser to avoid errors like not using https, a bad SSL certificate or the URL not being public. If the `did-configuration.json` file cannot be requested anonymously in a browser or via tools such as `curl`, without warnings or errors, the portal will not be able to complete the **Refresh verification status** step either.

+>[!NOTE]

+> If you are experiencing problems refreshing your verification status, you can troubleshoot it via running `curl -Iv https://yourdomain.com/.well-known/did-configuration.json` on an machine with Ubuntu OS. Windows Subsystem for Linux with Ubuntu will work too. If curl fails, refreshing the verification status will not work.

+The portal verifies that the `did.json` is reachable and correct when you click the [**Refresh registration status** button](#how-do-i-register-my-website-id). You should also consider verifying that you can request that URL in a browser to avoid errors like not using https, a bad SSL certificate or the URL not being public. If the `did.json` file cannot be requested anonymously in a browser or via tools such as `curl`, without warnings or errors, the portal will not be able to complete the **Refresh registration status** step either.

+>[!NOTE]

+> If you are experiencing problems refreshing your registration status, you can troubleshoot it via running `curl -Iv https://yourdomain.com/.well-known/did.json` on an machine with Ubuntu OS. Windows Subsystem for Linux with Ubuntu will work too. If curl fails, refreshing the registration status will not work.

+## Set the outbound proxy for Dapr extension for Azure Arc on-prem

+If you want to use an outbound proxy with the Dapr extension for AKS, you can do so by:

+1. Setting the proxy environment variables using the [`dapr.io/env` annotations](https://docs.dapr.io/reference/arguments-annotations-overview/):

+ - `HTTP_PROXY`

+ - `HTTPS_PROXY`

+ - `NO_PROXY`

+1. [Installing the proxy certificate in the sidecar](https://docs.dapr.io/operations/configuration/install-certificates/).

+## Meet network requirements

+The Dapr extension for AKS and Arc for Kubernetes requires outbound URLs on `https://:443` to function. In addition to the `https://mcr.microsoft.com/daprio` URL for pulling Dapr artifacts, verify you've included the [outbound URLs required for AKS or Arc for Kubernetes](../azure-arc/kubernetes/quickstart-connect-cluster.md#meet-network-requirements).

+> Once applied the deallocated mode and scale down operation occured, those nodes keep registered in APIserver and appear as NotReady state.

+[spot-node-pool]: spot-node-pool.md

+- [PostgreSQL](https://jdbc.postgresql.org/documentation/ssl/)

+| PostgreSQL | `org.postgresql.Driver` | [Download](https://jdbc.postgresql.org/download/) |

+| PostgreSQL | `org.postgresql.Driver` | [Download](https://jdbc.postgresql.org/download/) |

+ url="${connURL}"

+ username="${dbuser}"

+ password="${dbpassword}"

+|gr-prod-\*.azurewebsites.windows.net:443 |

+A common use case is to configure your app as a client in a client-server model. If you secure your server with a private CA certificate, you'll need to upload the client certificate to your app. The following instructions will load certificates to the trust store of the workers that your app is running on. You only need to upload the certificate once to use it with apps that are in the same App Service plan.

+> Private client certificates are only supported from custom code in Windows code apps. Private client certificates are not supported outside the app. This limits usage in scenarios such as pulling the app container image from a registry using a private certificate and TLS validating through the front-end servers using a private certificate.

+1. Go to **Configuration** > **Application Settings**. Create an app setting WEBSITE_LOAD_ROOT_CERTIFICATES with the thumbprint as the value. If you have multiple certificates, you can put them in the same setting separated by commas and no whitespace like

+The certificate will be available by all the apps in the same app service plan as the app, which configured that setting, but all apps that depend on the private CA certificate should have the Application Setting configured to avoid timing issues.

+If you need it to be available for apps in a different App Service plan, you'll need to repeat the app setting operation for the apps in that App Service plan. To check that the certificate is set, go to the Kudu console and issue the following command in the PowerShell debug console:

+The ID document model combines Optical Character Recognition (OCR) with deep learning models to analyze and extract key information from US Drivers Licenses (all 50 states and District of Columbia), international passport biographical pages, US state IDs, social security cards, and permanent resident (green) cards. The API analyzes identity documents, extracts key information, and returns a structured JSON data representation.

+> * OCP 4.11 is not supported.

+For more details on the commands see [`az arcappliance get-credentials`](/cli/azure/arcappliance#az-arcappliance-get-credentials) and [`az arcappliance update-infracredentials vmware`](/cli/azure/arcappliance/update-infracredentials#az-arcappliance-update-infracredentials-vmware).

+- Supported on Basic, Standard, and Premium Azure Cache for Redis instances.

+- By using [Azure Private Link](../private-link/private-link-overview.md), you can connect to an Azure Cache instance from your virtual network via a private endpoint. The endpoint is assigned a private IP address in a subnet within the virtual network. With this private link, cache instances are available from both within the VNet and publicly.

+- Once a private endpoint is created, access to the public network can be restricted through the `publicNetworkAccess` flag. This flag is set to `Disabled` by default, which will only allow private link access. You can set the value to `Enabled` or `Disabled` with a PATCH request. For more information, see [Azure Cache for Redis with Azure Private Link](cache-private-link.md).

+- All external cache dependencies won't affect the VNet's NSG rules.

+- Network security groups (NSG) are disabled for private endpoints. However, if there are other resources on the subnet, NSG enforcement will apply to those resources.

+- Currently, portal console support, and persistence to firewall storage accounts aren't supported.

+- To connect to a clustered cache, `publicNetworkAccess` needs to be set to `Disabled`, and there can only be one private endpoint connection.

+> When adding a private endpoint to a cache instance, all Redis traffic is moved to the private endpoint because of the DNS.

+- When an Azure Cache for Redis instance is configured with a VNet, it's not publicly addressable. It can only be accessed from virtual machines and applications within the VNet.

+- When VNet is combined with restricted NSG policies, it helps reduce the risk of data exfiltration.

+- VNet deployment provides enhanced security and isolation for your Azure Cache for Redis. Subnets, access control policies, and other features further restrict access.

+- Geo-replication is supported.

+- VNet injected caches are only available for Premium Azure Cache for Redis.

+- When using a VNet injected cache, you must change your VNet to cache dependencies such as CRLs/PKI, AKV, Azure Storage, Azure Monitor, and more.

+- When firewall rules are configured, only client connections from the specified IP address ranges can connect to the cache. Connections from Azure Cache for Redis monitoring systems are always permitted, even if firewall rules are configured. NSG rules that you define are also permitted.

+- Firewall rules can be used with VNet injected caches, but not private endpoints.

+- Firewall rules configuration is available for all Basic, Standard, and Premium tiers.

+- Firewall rules configuration isn't available for Enterprise nor Enterprise Flash tiers.

+- Learn how to configure a [VNet injected cache for a Premium Azure Cache for Redis instance](cache-how-to-premium-vnet.md).

+- Learn how to configure [firewall rules for all Azure Cache for Redis tiers](cache-configure.md#firewall).

+- Learn how to [configure private endpoints for all Azure Cache for Redis tiers](cache-private-link.md).

+| Cloud |Endpoint |Purpose |Port |Direction |Bypass HTTPS inspection| Example |

+|||||--|--||

+| Azure Commercial |global.handler.control.monitor.azure.com |Access control service|Port 443 |Outbound|Yes | - |

+| Azure Commercial |`<virtual-machine-region-name>`.handler.control.monitor.azure.com |Fetch data collection rules for specific machine |Port 443 |Outbound|Yes | westus2.handler.control.monitor.azure.com |

+| Azure Commercial |`<log-analytics-workspace-id>`.ods.opinsights.azure.com |Ingest logs data |Port 443 |Outbound|Yes | 1234a123-aa1a-123a-aaa1-a1a345aa6789.ods.opsinsights.azure.com

+| Azure Commercial | management.azure.com | Only needed if sending time series data (metrics) to Azure Monitor [Custom metrics](../essentials/metrics-custom-overview.md) database | Port 443 | Outbound | Yes | - |

+| Azure Commercial | `<virtual-machine-region-name>`.monitoring.azure.com | Only needed if sending time series data (metrics) to Azure Monitor [Custom metrics](../essentials/metrics-custom-overview.md) database | Port 443 | Outbound | Yes | westus2.monitoring.azure.com |

+>[!NOTE]

+> If you use private links on the agent, you must also add the [DCE endpoints](../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint).

+> Azure Monitor metrics (custom metrics) preview is not available in Azure Government and Azure China clouds

+Set-AzVMExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <version-number> -EnableAutomaticUpgrade $true -SettingString '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+Set-AzVMExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <version-number> -EnableAutomaticUpgrade $true -SettingString '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+Set-AzVMExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <version-number> -EnableAutomaticUpgrade $true

+Set-AzVMExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -VMName <virtual-machine-name> -Location <location> -TypeHandlerVersion <version-number> -EnableAutomaticUpgrade $true

+New-AzConnectedMachineExtension -Name AzureMonitorWindowsAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -EnableAutomaticUpgrade

+New-AzConnectedMachineExtension -Name AzureMonitorLinuxAgent -ExtensionType AzureMonitorLinuxAgent -Publisher Microsoft.Azure.Monitor -ResourceGroupName <resource-group-name> -MachineName <arc-server-name> -Location <arc-server-location> -EnableAutomaticUpgrade

+az vm extension set --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true --settings '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+az vm extension set --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true --settings '{"authentication":{"managedIdentity":{"identifier-name":"mi_res_id","identifier-value":/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<my-user-assigned-identity>"}}}'

+az vm extension set --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true

+az vm extension set --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --ids <vm-resource-id> --enable-auto-upgrade true

+az connectedmachine extension create --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor --type AzureMonitorWindowsAgent --machine-name <arc-server-name> --resource-group <resource-group-name> --location <arc-server-location> --enable-auto-upgrade true

+az connectedmachine extension create --name AzureMonitorLinuxAgent --publisher Microsoft.Azure.Monitor --type AzureMonitorLinuxAgent --machine-name <arc-server-name> --resource-group <resource-group-name> --location <arc-server-location> --enable-auto-upgrade true

+> This article is only relevant to Azure public and government clouds (**not** to Azure China cloud).

+az rest --method put --url /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>/alertsversion?api-version=2017-04-26-preview --body "{\"scheduledQueryRulesEnabled\" : true}"

+This scenario describes how to use Azure Monitor to monitor the health and performance of virtual machines and their workloads. It includes collection of telemetry critical for monitoring and analysis and visualization of collected data to identify trends. It also shows you how to configure alerting to be proactively notified of critical issues.

+> This scenario describes how to implement complete monitoring of your Azure and hybrid virtual machine environment. To get started monitoring your first Azure virtual machine, see [Monitor Azure virtual machines](../../virtual-machines/monitor-vm.md).

+| [Enable monitoring](monitor-virtual-machine-configure.md) | Configure Azure Monitor to monitor virtual machines, which includes enabling VM insights and enabling each virtual machine for monitoring. |

+| [Alerts](monitor-virtual-machine-alerts.md) | Create alerts to proactively identify critical issues in your monitoring data. |

+> This scenario doesn't include features that aren't generally available. Features in public preview, such as [virtual machine guest health](vminsights-health-overview.md), have the potential to significantly modify the recommendations made here. The scenario will be updated as preview features move into general availability.

+This scenario includes monitoring of the following types of machines using Azure Monitor. Many of the processes described here are the same regardless of the type of machine. Considerations for different types of machines are clearly identified where appropriate. The types of machines include:

+| Application | The business application that depends on your virtual machines can be monitored by using [Application Insights](../app/app-insights-overview.md).

+- Simplified onboarding of agents to enable monitoring of a virtual machine guest operating system and workloads.

+Any monitoring tool, such as Azure Monitor, requires an agent installed on a machine to collect data from its guest operating system. Azure Monitor currently has multiple agents that collect different data, send data to different locations, and support different features. VM insights manages the deployment and configuration of the agents that most customers will use.

+Different agents are described in the following table in case you require the particular scenarios that they support. For a detailed description and comparison of the different agents, see [Overview of Azure Monitor agents](../agents/agents-overview.md).

+> The Azure Monitor agent will completely replace the Log Analytics agent, Azure Diagnostics extension, and Telegraf agent after it gains required functionality. These other agents are still required for features such as VM insights, Microsoft Defender for Cloud, and Microsoft Sentinel.

+| Agent | Description |

+|:|:|

+| [Azure Monitor agent](../agents/agents-overview.md) | Supports virtual machines in Azure, other cloud environments, and on-premises. Sends data to Azure Monitor Metrics and Logs. When it fully supports VM insights, Microsoft Defender for Cloud, and Microsoft Sentinel, it will completely replace the Log Analytics agent and Azure Diagnostics extension. |

+| [Log Analytics agent](../agents/log-analytics-agent.md) | Supports virtual machines in Azure, other cloud environments, and on-premises. Sends data to Azure Monitor Logs. Supports VM insights and monitoring solutions. This agent is the same agent used for System Center Operations Manager. |

+| [Dependency agent](vminsights-dependency-agent-maintenance.md) | Collects data about the processes running on the virtual machine and their dependencies. Relies on the Log Analytics agent to transmit data into Azure and supports VM insights, Service Map, and Wire Data 2.0 solutions. |

+| [Azure Diagnostics extension](../agents/diagnostics-extension-overview.md) | Available for Azure Monitor virtual machines only. Can send data to Azure Event Hubs and Azure Storage.

+ Title: Use the Service Map solution in Azure | Microsoft Docs

+description: Learn how to deploy and use the Service Map solution to automatically discover application components on Windows and Linux systems and map communication between services.

+# Use the Service Map solution in Azure

+Service Map automatically discovers application components on Windows and Linux systems and maps the communication between services. With Service Map, you can view your servers as interconnected systems that deliver critical services. Service Map shows connections between servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture. No configuration is required other than the installation of an agent.

+> Service Map will be retired on September 30, 2025. To monitor connections between servers, processes, inbound and outbound connection latency, and ports across any TCP-connected architecture, make sure to [migrate to Azure Monitor VM insights](../vm/vminsights-migrate-from-service-map.md) before this date.

+This article describes how to deploy and use Service Map. The prerequisites of the solution are:

+>If you've already deployed Service Map, you can now also view your maps in VM insights, which includes more features to monitor VM health and performance. To learn more, see [VM insights overview](../vm/vminsights-overview.md). To learn about the differences between the Service Map solution and the VM insights Map feature, see [this FAQ](../faq.yml).

+Sign in to the [Azure portal](https://portal.azure.com).

+1. Enable the Service Map solution from [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.ServiceMapOMS?tab=Overview). Or use the process described in [Add monitoring solutions from the Solutions Gallery](../insights/solutions.md).

+1. [Install the Dependency agent on Windows](../vm/vminsights-enable-hybrid.md#install-the-dependency-agent-on-windows) or [install the Dependency agent on Linux](../vm/vminsights-enable-hybrid.md#install-the-dependency-agent-on-linux) on each computer where you want to get data. The Dependency agent can monitor connections to immediate neighbors, so you might not need an agent on every computer.

+1. Access Service Map in the Azure portal from your Log Analytics workspace. Select the **Solutions** option from the left pane.

+ .

+1. From the list of solutions, select **ServiceMap(workspaceName)**. On the **Service Map** solution overview page, select the **Service Map** summary tile.

+ .

+Service Map automatically builds a common reference map of dependencies across your servers, processes, and third-party services. It discovers and maps all TCP dependencies. It identifies surprise connections, remote third-party systems you depend on, and dependencies to traditional dark areas of your network, such as Active Directory. Service Map discovers failed network connections that your managed systems are attempting to make. This information helps you identify potential server misconfiguration, service outage, and network issues.

+Service Map helps eliminate the guesswork of problem isolation by showing you how systems are connected and affect each other. Along with identifying failed connections, it helps identify misconfigured load balancers, surprising or excessive load on critical services, and rogue clients, such as developer machines talking to production systems. By using integrated workflows with Change Tracking, you can also see whether a change event on a back-end machine or service explains the root cause of an incident.

+By using Service Map, you can effectively plan, accelerate, and validate Azure migrations to help ensure that nothing is left behind and surprise outages don't occur. You can:

+- Discover all interdependent systems that need to migrate together.

+- Assess system configuration and capacity.

+- Identify whether a running system is still serving users or is a candidate for decommissioning instead of migration.

+After the move is complete, you can check the client load and identity to verify that test systems and customers are connecting. If your subnet planning and firewall definitions have issues, failed connections in maps in Service Map point you to the systems that need connectivity.

+If you're using Azure Site Recovery and need help with defining the recovery sequence for your application environment, Service Map can automatically show you how systems rely on each other. This information helps to ensure that your recovery plan is reliable.

+By choosing a critical server or group and viewing its clients, you can identify which front-end systems to recover after the server is restored and available. Conversely, by looking at critical servers' back-end dependencies, you can identify which systems to recover before your focus systems are restored.

+Service Map enhances your use of the System Update Assessment by showing you which other teams and servers depend on your service. This way, you can notify them in advance before you take down your systems for patching. Service Map also enhances patch management by showing you whether your services are available and properly connected after they're patched and restarted.

+Service Map agents gather information about all TCP-connected processes on the server where they're installed. They also collect details about the inbound and outbound connections for each process.

+From the list in the left pane, you can select machines or groups that have Service Map agents to visualize their dependencies over a specified time range. Machine dependency maps focus on a specific machine. They show all the machines that are direct TCP clients or servers of that machine. Machine group maps show sets of servers and their dependencies.

+

+Machines can be expanded in the map to show the running process groups and processes with active network connections during the selected time range. When a remote machine with a Service Map agent is expanded to show process details, only those processes that communicate with the focus machine are shown.

+The count of agentless front-end machines that connect into the focus machine is indicated on the left side of the processes they connect to. If the focus machine is making a connection to a back-end machine that has no agent, the back-end server is included in a server port group. This group also includes other connections to the same port number.

+By default, maps in Service Map show the last 30 minutes of dependency information. You can use the time controls at the upper left to query maps for historical time ranges of up to one hour to see how dependencies looked in the past. For example, you might want to see how they looked during an incident or before a change occurred. Service Map data is stored for 30 days in paid workspaces and for 7 days in free workspaces.

+At the bottom of each server in the map, a list of status badges that convey status information about the server might appear. The badges indicate there's relevant information for the server from one of the solution integrations.

+Selecting a badge takes you directly to the details of the status in the right pane. The currently available status badges include **Alerts**, **Service Desk**, **Changes**, **Security**, and **Updates**.

+

+## Process groups

+Process groups combine processes that are associated with a common product or service into a process group. When a machine node is expanded, it will display standalone processes along with process groups. If an inbound or outbound connection to a process within a process group has failed, the connection is shown as failed for the entire process group.

+## Machine groups

+Machine groups allow you to see maps centered around a set of servers, not just one. In this way, you can see all the members of a multi-tier application or server cluster in one map.

+Users select which servers belong in a group together and choose a name for the group. You can then choose to view the group with all its processes and connections. You can also view it with only the processes and connections that directly relate to the other members of the group.

+

+### Create a machine group

+To create a group:

+1. Select the machine or machines you want in the **Machines** list and select **Add to group**.

+ 

+1. Select **Create new** and give the group a name.

+ 

+### View a group

+After you've created some groups, you can view them.

+1. Select the **Groups** tab.

+ 

+1. Select the group name to view the map for that machine group.

+ 

+ The machines that belong to the group are outlined in white in the map.

+1. Expand the group to list the machines that make up the machine group.

+ 

+You can toggle the map view to show all processes and connections in the group or only the ones that directly relate to the machine group. The default view shows all processes.

+1. Select the filter icon above the map to change the view.

+ 

+1. Select **All processes** to see the map with all processes and connections on each of the machines in the group.

+ 

+1. To create a simplified view, change the view to show only **group-connected processes**. The map is then narrowed down to show only those processes and connections directly connected to other machines in the group.

+ 

+### Add machines to a group

+To add machines to an existing group, select the checkboxes next to the machines you want and select **Add to group**. Then choose the group you want to add the machines to.

+### Remove machines from a group

+In the **Groups** list, expand the group name to list the machines in the machine group. Select the ellipsis menu next to the machine you want to remove and select **Remove**.

+

+### Remove or rename a group

+Select the ellipsis menu next to the group name in the **Groups** list.

+

+Certain processes serve particular roles on machines, such as web servers, application servers, and databases. Service Map annotates process and machine boxes with role icons to help identify at a glance the role a process or server plays.

+

+In Service Map, failed connections are shown in maps for processes and computers. A dashed red line indicates that a client system is failing to reach a process or port.

+Failed connections are reported from any system with a deployed Service Map agent if that system is the one attempting the failed connection. Service Map measures this process by observing TCP sockets that fail to establish a connection. This failure could result from a firewall, a misconfiguration in the client or server, or a remote service being unavailable.

+

+Understanding failed connections can help with troubleshooting, migration validation, security analysis, and overall architectural understanding. Failed connections are sometimes harmless, but they often point directly to a problem. A failover environment might suddenly become unreachable or two application tiers might be unable to talk after a cloud migration.

+## Client groups

+Client groups are boxes on the map that represent client machines that don't have Dependency agents. A single client group represents the clients for an individual process or machine.

+

+To see the IP addresses of the servers in a client group, select the group. The contents of the group are listed in the **Client Group Properties** pane.

+

+## Server port groups

+Server port groups are boxes that represent server ports on servers that don't have Dependency agents. The box contains the server port and a count of the number of servers with connections to that port. Expand the box to see the individual servers and connections. If there's only one server in the box, the name or IP address is listed.

+

+Select the ellipsis (...) at the top right of any server to display the context menu for that server.

+

+Select **Load Server Map** to go to a new map with the selected server as the new focus machine.

+Select **Show Self-Links** to redraw the server node, including any self-links, which are TCP connections that start and end on processes within the server. If self-links are shown, the menu command changes to **Hide Self-Links** so that you can turn them off.

+

+When you navigate a map in Service Map, you can select machines and processes to gain more context about their properties. Machines provide information about DNS name, IPv4 addresses, CPU and memory capacity, VM type, operating system and version, last reboot time, and the IDs of their OMS and Service Map agents.

+

+You can gather process details from operating-system metadata about running processes. Details include process name, process description, user name and domain (on Windows), company name, product name, product version, working directory, command line, and process start time.

+

+The **Process Summary** pane provides more information about the process's connectivity, including its bound ports, inbound and outbound connections, and failed connections.

+

+

+- Include a clause to group by computer. An example is **by Computer interval 1 minute**.

+Service Map integrates with Log Search to show a count of all available log events for the selected server during the selected time range. You can select any row in the list of event counts to jump to Log Search and see the individual log events.

+

+

+To open the item in your connected ITSM solution, select **View Work Item**.

+To view the details of the item in Log Search, select **Show in Log Search**.

+Connection metrics are written to two new tables in Log Analytics.

+The **Machine Change Tracking** pane lists all changes, with the most recent first, along with a link to drill down to Log Search for more details.

+

+The following image is a detailed view of a *ConfigurationChange* event that you might see after you select **Show in Log Analytics**.

+

+

+To see performance data, you might need to [enable the appropriate Log Analytics performance counters](../agents/data-sources-performance-counters.md). The counters you'll want to enable:

+The **Machine Security** pane shows data from the Security and Audit solution for the selected server. The pane lists a summary of any outstanding security issues for the server during the selected time range. Selecting any of the security issues drills down into a log search for details about them.

+

+

+One record is generated per hour for each unique computer and process, in addition to the records that are generated when a process or computer starts or is on-boarded to Service Map. These records have the properties in the following tables.

+The fields and values in the *ServiceMapComputer_CL* events map to fields of the Machine resource in the ServiceMap Azure Resource Manager API. The fields and values in the *ServiceMapProcess_CL* events map to the fields of the Process resource in the ServiceMap Azure Resource Manager API. The *ResourceName_s* field matches the name field in the corresponding Resource Manager resource.

+You can use internally generated properties to identify unique processes and computers:

+- **Computer**: Use *ResourceId* or *ResourceName_s* to uniquely identify a computer within a Log Analytics workspace.

+- **Process**: Use *ResourceId* to uniquely identify a process within a Log Analytics workspace. *ResourceName_s* is unique within the context of the machine on which the process is running *MachineResourceName_s*.

+Because multiple records can exist for a specified process and computer in a specified time range, queries can return more than one record for the same computer or process. To include only the most recent record, add `"| dedup ResourceId"` to the query.

+Connection metrics are written to a new table in Log Analytics named *VMConnection*. This table provides information about the inbound and outbound connections for a machine. Connection Metrics are also exposed with APIs that provide the means to obtain a specific metric during a time window.

+TCP connections resulting from accepting on a listening socket are inbound. Those connections created by connecting to a given IP and port are outbound. The direction of a connection is represented by the `Direction` property, which can be set to either `inbound` or `outbound`.

+Records in these tables are generated from data reported by the Dependency agent. Every record represents an observation over a one-minute time interval. The `TimeGenerated` property indicates the start of the time interval. Each record contains information to identify the respective entity, that is, the connection or port, and the metrics associated with that entity. Currently, only network activity that occurs by using TCP over IPv4 is reported.

+To manage cost and complexity, connection records don't represent individual physical network connections. Multiple physical network connections are grouped into a logical connection, which is then reflected in the respective table. So records in the *VMConnection* table represent a logical grouping and not the individual physical connections that are being observed.

+Physical network connections that share the same value for the following attributes during a given one-minute interval are aggregated into a single logical record in *VMConnection*.

+| `Direction` |Direction of the connection. The value is *inbound* or *outbound*. |

+| `Machine` |The computer FQDN. |

+| `Process` |Identity of process or groups of processes initiating or accepting the connection. |

+| `SourceIp` |IP address of the source. |

+| `DestinationIp` |IP address of the destination. |

+| `DestinationPort` |Port number of the destination. |

+| `Protocol` |Protocol used for the connection. Value is *tcp*. |

+To account for the impact of grouping, information about the number of grouped physical connections is provided in the following properties of the record.

+| `LinksEstablished` |The number of physical network connections that have been established during the reporting time window. |

+| `LinksTerminated` |The number of physical network connections that have been terminated during the reporting time window. |

+| `LinksLive` |The number of physical network connections that were open at the end of the reporting time window.|

+In addition to connection count metrics, information about the volume of data sent and received on a specific logical connection or network port is also included in the following properties of the record.

+| `BytesSent` |Total number of bytes that have been sent during the reporting time window. |

+| `BytesReceived` |Total number of bytes that have been received during the reporting time window. |

+| `Responses` |The number of responses observed during the reporting time window.

+| `ResponseTimeMax` |The largest response time in milliseconds observed during the reporting time window. If there's no value, the property is blank.|

+| `ResponseTimeMin` |The smallest response time in milliseconds observed during the reporting time window. If there's no value, the property is blank.|

+| `ResponseTimeSum` |The sum of all response times in milliseconds observed during the reporting time window. If there's no value, the property is blank|

+The third type of data being reported is response time. How long does a caller spend waiting for a request sent over a connection to be processed and responded to by the remote endpoint?

+The response time reported is an estimation of the true response time of the underlying application protocol. It's computed by using heuristics based on the observation of the flow of data between the source and destination end of a physical network connection.

+Conceptually, response time is the difference between the time the last byte of a request leaves the sender and the time when the last byte of the response arrives back to it. These two timestamps are used to delineate request and response events on a specific physical connection. The difference between them represents the response time of a single request.

+In this first release of this feature, our algorithm is an approximation that might work with varying degrees of success depending on the actual application protocol used for a specific network connection. For example, the current approach works well for request-response-based protocols, such as HTTP/HTTPS. But this approach doesn't work with one-way or message queue-based protocols.

+- If a process accepts connections on the same IP address but over multiple network interfaces, a separate record for each interface will be reported.

+- Records with wildcard IP will contain no activity. They're included to represent the fact that a port on the machine is open to inbound traffic.

+- To reduce verbosity and data volume, records with wildcard IP will be omitted when there's a matching record (for the same process, port, and protocol) with a specific IP address. When a wildcard IP record is omitted, the `IsWildcardBind` record property with the specific IP address will be set to `True.` This setting indicates that the port is exposed over every interface of the reporting machine.

+- Ports that are bound only on a specific interface have `IsWildcardBind` set to `False`.

+#### Naming and classification

+For convenience, the IP address of the remote end of a connection is included in the `RemoteIp` property. For inbound connections, `RemoteIp` is the same as `SourceIp`, while for outbound connections, it's the same as `DestinationIp`. The `RemoteDnsCanonicalNames` property represents the DNS canonical names reported by the machine for `RemoteIp`. The `RemoteDnsQuestions` and `RemoteClassification` properties are reserved for future use.

+*VMConnection* also includes geolocation information for the remote end of each connection record in the following properties of the record.

+| `RemoteCountry` |The name of the country/region hosting `RemoteIp`. An example is *United States*. |

+| `RemoteLatitude` |The geolocation latitude. An example is *47.68*. |

+| `RemoteLongitude` |The geolocation longitude. An example is *-122.12*. |

+Every `RemoteIp` property in the *VMConnection* table is checked against a set of IPs with known malicious activity. If the `RemoteIp` is identified as malicious, the following properties will be populated (they're empty when the IP isn't considered malicious) in the following properties of the record.

+| `MaliciousIp` |The `RemoteIp` address. |

+| `IndicatorThreadType` |Threat indicator detected is one of the following values: *Botnet*, *C2*, *CryptoMining*, *Darknet*, *DDos*, *MaliciousUrl*, *Malware*, *Phishing*, *Proxy*, *PUA*, or *Watchlist*. |

+| `TLPLevel` |Traffic Light Protocol (TLP) Level is one of the defined values: *White*, *Green*, *Amber*, *Red*. |

+| `Severity` |Values are *0 ΓÇô 5*, where *5* is the most severe and *0* isn't severe. The default value is *3*. |

+| `AdditionalInformation` |Provides more information, if applicable, about the observed threat. |

+Records with a type of *ServiceMapComputer_CL* have inventory data for servers with Service Map agents. These records have the properties in the following table.

+Records with a type of *ServiceMapProcess_CL* have inventory data for TCP-connected processes on servers with Service Map agents. These records have the properties in the following table.

+| `ResourceName_s` | The unique identifier for a process within the machine on which it's running|

+This section lists log search samples.

+### List the physical memory capacity of all managed computers

+### List computer name, DNS, IP, and OS

+Microsoft automatically collects usage and performance data through your use of Service Map. Microsoft uses this data to provide and improve the quality, security, and integrity of Service Map.

+To provide accurate and efficient troubleshooting capabilities, the data includes information about the configuration of your software. This information can be the operating system and version, IP address, DNS name, and workstation name. Microsoft doesn't collect names, addresses, or other contact information.

+If you have any problems installing or running Service Map, this section can help you. If you still can't resolve your problem, contact Microsoft Support.

+This section addresses issues with Dependency agent installation.

+The Dependency agent *generally* doesn't require a reboot upon installation or removal. In certain rare cases, Windows Server requires a reboot to continue with an installation. This issue happens when a dependency, usually the Microsoft Visual C++ Redistributable library, requires a reboot because of a locked file.

+The Microsoft Dependency agent is built on the Microsoft Visual Studio runtime libraries. You'll get a message if there's a problem during installation of the libraries.

+The runtime library installers create logs in the %LOCALAPPDATA%\temp folder. The file is `dd_vcredist_arch_yyyymmddhhmmss.log`, where *arch* is `x86` or `amd64` and *yyyymmddhhmmss* is the date and time (based on a 24-hour clock) when the log was created. The log provides details about the problem that's blocking installation.

+| 0x17 | The library installer requires a Windows update that hasn't been installed. | Look in the most recent library installer log.<br><br>If a reference to `Windows8.1-KB2999226-x64.msu` is followed by a line `Error 0x80240017: Failed to execute MSU package,` you don't have the prerequisites to install KB2999226. Follow the instructions in the prerequisites section in the [Universal C Runtime in Windows](https://support.microsoft.com/kb/2999226) article. You might need to run Windows Update and reboot multiple times to install the prerequisites.<br><br>Run the Microsoft Dependency agent installer again. |

+This section addresses post-installation issues.

+* Is the Dependency agent installed successfully? Check to see if the service is installed and running.<br><br>

+ - **Windows**: Look for the service named **Microsoft Dependency agent**.

+ - **Linux**: Look for the running process **microsoft-dependency-agent**.

+* Are you on the [Log Analytics free tier](https://azure.microsoft.com/pricing/details/monitor/)? The Free plan allows for up to five unique Service Map machines. Any subsequent machines won't appear in Service Map, even if the prior five are no longer sending data.

+* Is your server sending log and perf data to Azure Monitor Logs? Go to Azure Monitor\Logs and run the following query for your computer:

+Did you get a variety of events in the results? Is the data recent? If so, your Log Analytics agent is operating correctly and communicating with the workspace. If not, check the agent on your machine. See [Log Analytics agent for Windows troubleshooting](../agents/agent-windows-troubleshoot.md) or [Log Analytics agent for Linux troubleshooting](../agents/agent-linux-troubleshoot.md).

+You see your machine in Service Map, but it has no process or connection data. That behavior indicates the Dependency agent is installed and running but the kernel driver didn't load.

+Check `C:\Program Files\Microsoft Dependency Agent\logs\wrapper.log file` for Windows or `/var/opt/microsoft/dependency-agent/log/service.log file` for Linux. The last lines of the file should indicate why the kernel didn't load. For example, the kernel might not be supported on Linux if you updated your kernel.

+Do you have any feedback for us about Service Map or this documentation? See our [User Voice page](https://feedback.azure.com/d365community/forum/aa68334e-1925-ec11-b6e6-000d3a4f09d0?c=ad4304e4-1925-ec11-b6e6-000d3a4f09d0) where you can suggest features or vote up existing suggestions.

+description: Learn how to deploy and configure VM insights and find out about the system requirements.

+This article provides an overview of the options available to enable VM insights to monitor the health and performance of:

+- Azure virtual machines.

+- Azure virtual machine scale sets.

+- Hybrid virtual machines connected with Azure Arc.

+- On-premises virtual machines.

+- Virtual machines hosted in another cloud environment.

+| [Azure Resource Manager templates](../vm/vminsights-enable-resource-manager.md) | Enable multiple machines by using any of the supported methods to deploy a Resource Manager template, such as the Azure CLI and PowerShell. |

+| [Manual install](vminsights-enable-hybrid.md) | Virtual machines or physical computers on-premises with other cloud environments. Log Analytics agent only. |

+VM insights is available for Azure Arc-enabled servers in regions where the Arc extension service is available. You must be running version 0.9 or above of the Azure Arc agent.

+VM insights supports any operating system that supports the Dependency agent and either the Azure Monitor agent (preview) or Log Analytics agent. For a complete list, see [Azure Monitor agent overview](../agents/agents-overview.md#supported-operating-systems).

+> If the Ethernet device for your virtual machine has more than nine characters, it won't be recognized by VM insights and data won't be sent to the InsightsMetrics table. The agent will collect data from [other sources](../agents/agent-data-sources.md).

+- Nonstandard kernel releases, such as physical address extension (PAE) and Xen, aren't supported for any Linux distribution. For example, a system with the release string of *2.6.16.21-0.8-xen* isn't supported.

+- For Debian distros other than version 9.4, the Map feature isn't supported. The Performance feature is available only from the Azure Monitor menu. It isn't available directly from the left pane of the Azure VM.

+The Linux kernel must be patched for the Spectre and Meltdown vulnerabilities. For more information, consult your Linux distribution vendor. Run the following command to check for availability if Spectre/Meltdown has been mitigated:

+VM insights requires a Log Analytics workspace. For requirements of this workspace, see [Configure Log Analytics workspace for VM insights](vminsights-configure-workspace.md).

+> VM Insights doesn't support sending data to more than one Log Analytics workspace (multi-homing).

+>

+- For the network requirements for the Log Analytics agent, see [Network requirements](../agents/log-analytics-agent.md#network-requirements).

+- The Dependency agent requires a connection from the virtual machine to the address 169.254.169.254. This address identifies the Azure metadata service endpoint. Ensure that firewall settings allow connections to this endpoint.

+When you enable VM insights for a machine, the following agents are installed. For the network requirements for these agents, see [Network requirements](../agents/log-analytics-agent.md#network-requirements).

+> [!IMPORTANT]

+> VM insights support for the Azure Monitor agent is currently in public preview. The Azure Monitor agent has several advantages over the Log Analytics agent. It's the preferred agent for virtual machines and virtual machine scale sets. For a comparison of the agent and information on migrating, see [Migrate to Azure Monitor agent from Log Analytics agent](../agents/azure-monitor-agent-migration.md).

+- **[Azure Monitor agent](../agents/azure-monitor-agent-overview.md) or [Log Analytics agent](../agents/log-analytics-agent.md):** Collects data from the virtual machine or virtual machine scale set and delivers it to the Log Analytics workspace.

+- **Dependency agent**: Collects discovered data about processes running on the virtual machine and external process dependencies, which are used by the [Map feature in VM insights](../vm/vminsights-maps.md). The Dependency agent relies on the Azure Monitor agent or Log Analytics agent to deliver its data to Azure Monitor.

+## Changes for the Azure Monitor agent

+There are several changes in the process for enabling VM insights when you use the Azure Monitor agent:

+- **Workspace configuration:** You no longer need to [enable VM insights on the Log Analytics workspace](vminsights-configure-workspace.md) because the Azure Monitor agent doesn't use the *VMInsights* management pack.

+- **Data collection rule (DCR):** The Azure Monitor agent uses [data collection rules](../essentials/data-collection-rule-overview.md) to configure its data collection. VM insights creates a DCR that's automatically deployed if you enable your machine by using the Azure portal. If you use other methods to onboard your machines, you might need to install the DCR first.

+- **Agent deployment:** There are minor changes to the process for onboarding virtual machines and virtual machine scale sets to VM insights in the Azure portal. You must now select which agent you want to use, and you must select a DCR for the Azure Monitor agent. For more information, see [Enable VM insights in the Azure portal](vminsights-enable-portal.md).

+When you enable VM insights on a machine with the Azure Monitor agent, you must specify a [data collection rule](../essentials/data-collection-rule-overview.md) to use. The DCR specifies the data to collect and the workspace to use. VM insights creates a default DCR if one doesn't already exist. For more information on how to create and edit the VM insights DCR, see [Enable VM insights for the Azure Monitor agent

+](vminsights-enable-portal.md#enable-vm-insights-for-azure-monitor-agent).

+> Don't create your own DCR to support VM insights. The DCR created by VM insights includes a special data stream required for its operation. You can edit this DCR to collect more data, such as Windows and Syslog events, but you should create more DCRs and associate them with the machine.

+The DCR is defined by the options in the following table.

+| Guest performance | Specifies whether to collect performance data from the guest operating system. This option is required for all machines. |

+| Processes and dependencies | Collects information about processes running on the virtual machine and dependencies between machines. This information enables the [Map feature in VM insights](vminsights-maps.md). This is optional and enables the [VM insights Map feature](vminsights-maps.md) for the machine. |

+| Log Analytics workspace | Workspace to store the data. Only workspaces with VM insights are listed. |

+When a Log Analytics workspace is configured for VM insights, two management packs are forwarded to all the Windows computers connected to that workspace. The management packs are named *Microsoft.IntelligencePacks.ApplicationDependencyMonitor* and *Microsoft.IntelligencePacks.VMInsights*. They're written to *%Programfiles%\Microsoft Monitoring Agent\Agent\Health Service State\Management Packs*.

+The Azure Monitor agent and the Log Analytics agent can both be installed on the same machine during migration. Running both agents might lead to duplication of data and increased cost. If a machine has both agents installed, you'll see a warning in the Azure portal that you might be collecting duplicate data.

+> - Extra ingestion cost from sending duplicate data to the Log Analytics workspace.

+> - The Map feature of VM insights might be inaccurate because it doesn't check for duplicate data.

+You must remove the Log Analytics agent yourself from any machines that are using it. Before you do this step, ensure that the machine isn't relying on any other solutions that require the Log Analytics agent. For more information, see [Migrate to Azure Monitor agent from Log Analytics agent](../agents/azure-monitor-agent-migration.md).

+After you verify that no Log Analytics agents are still connected to your Log Analytics workspace, you can [remove the *VMInsights* solution from the workspace](vminsights-configure-workspace.md#remove-vminsights-solution-from-workspace). It's no longer needed.

+> To check if you have any machines with both agents sending data to your Log Analytics workspace, run the following [log query](../logs/log-query-overview.md) in [Log Analytics](../logs/log-analytics-overview.md). This query will show the last heartbeat for each computer. If a computer has both agents, it will return two records, each with a different `category`. The Azure Monitor agent will have a `category` of *Azure Monitor Agent*. The Log Analytics agent will have a `category` of *Direct Agent*.

+Microsoft automatically collects usage and performance data through your use of Azure Monitor. Microsoft uses this data to improve the quality, security, and integrity of the service.

+description: Overview of VM insights, which monitors the health and performance of Azure VMs and automatically discovers and maps application components and their dependencies.

+VM insights monitors the performance and health of your virtual machines and virtual machine scale sets. It monitors their running processes and dependencies on other resources. VM insights can help deliver predictable performance and availability of vital applications by identifying performance bottlenecks and network issues. It can also help you understand whether an issue is related to other dependencies.

+> VM insights now supports [Azure Monitor agent](../agents/azure-monitor-agent-overview.md). For more information, see [Enable VM insights overview](vminsights-enable-overview.md#agents).

+VM insights supports Windows and Linux operating systems on:

+- Azure virtual machines.

+- Azure virtual machine scale sets.

+- Hybrid virtual machines connected with Azure Arc.

+- On-premises virtual machines.

+- Virtual machines hosted in another cloud environment.

+VM insights stores its data in Azure Monitor Logs, which allows it to deliver powerful aggregation and filtering and to analyze data trends over time. You can view this data in a single VM from the virtual machine directly. Or, you can use Azure Monitor to deliver an aggregated view of multiple VMs.

+

+- Health state data collected from guest health (preview).

+The log size varies by the string lengths of performance counters. It can increase with the number of logical disks and network adapters allocated to the VM. If you're already using Service Map, the only change you'll see is the extra performance data that's sent to the Azure Monitor `InsightsMetrics` data type.ΓÇï

+## Access VM insights

+Access VM insights for all your virtual machines and virtual machine scale sets by selecting **Virtual Machines** from the **Monitor** menu in the Azure portal. To access VM insights for a single virtual machine or virtual machine scale set, select **Insights** from the machine's menu in the Azure portal.

+## Configure VM insights

+To configure VM insights, follow the steps in each link for detailed guidance:

+- [Create a Log Analytics workspace](./vminsights-configure-workspace.md#create-log-analytics-workspace).

+- [Add the VMInsights solution to a workspace](./vminsights-configure-workspace.md#add-vminsights-solution-to-workspace) (Log Analytics agent only).

+- [Install agents on the virtual machine and virtual machine scale set to be monitored](./vminsights-enable-overview.md).

+> VM insights doesn't support sending data to more than one Log Analytics workspace (multi-homing).

+See [Deploy VM insights](./vminsights-enable-overview.md) for requirements and methods to enable monitoring for your virtual machines.

+* Korea Central

+* UAE Central

+ "max-outputs": {

+ "level": "warning"

+ },

+ "max-params": {

+ "level": "warning"

+ },

+ "max-resources": {

+ "level": "warning"

+ },

+ "max-variables": {

+ "level": "warning"

+ },

+ "no-hardcoded-location": {

+ "level": "warning"

+ },

+ "no-loc-expr-outside-params": {

+ "level": "warning"

+ },

+ "secure-params-in-nested-deploy": {

+ "simplify-interpolation": {

+ "level": "warning"

+ },

+ "use-protectedsettings-for-commandtoexecute-secrets": {

+ "level": "warning"

+ },

+ Title: Linter rule - secure params in nested deploy

+description: Linter rule - secure params in nested deploy

+# Linter rule - secure params in nested deploy

+Outer-scoped nested deployment resources shouldn't use for secure parameters or list* functions. You could expose the secure values in the deployment history.

+## Linter rule code

+Use the following value in the [Bicep configuration file](bicep-config-linter.md) to customize rule settings:

+`secure-params-in-nested-deploy`

+## Solution

+Either set the [deployment's properties.expressionEvaluationOptions.scope](/azure/templates/microsoft.resources/deployments?pivots=deployment-language-bicep) to `inner` or use a Bicep module instead.

+The following example fails this test because a secure parameter is referenced in an outer-scoped nested deployment resource.

+```bicep

+@secure()

+param secureValue string

+resource nested 'Microsoft.Resources/deployments@2021-04-01' = {

+ name: 'nested'

+ properties: {

+ mode: 'Incremental'

+ template: {

+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'

+ contentVersion: '1.0.0.0'

+ variables: {}

+ resources: [

+ {

+ name: 'outerImplicit'

+ type: 'Microsoft.Network/networkSecurityGroups'

+ apiVersion: '2019-11-01'

+ location: '[resourceGroup().location]'

+ properties: {

+ securityRules: [

+ {

+ name: 'outerImplicit'

+ properties: {

+ description: format('{0}', secureValue)

+ protocol: 'Tcp'

+ }

+ }

+ ]

+ }

+ }

+ ]

+ }

+ }

+}

+```

+You can fix it by setting the deployment's properties.expressionEvaluationOptions.scope to 'inner':

+```bicep

+@secure()

+param secureValue string

+resource nested 'Microsoft.Resources/deployments@2021-04-01' = {

+ name: 'nested'

+ properties: {

+ mode: 'Incremental'

+ expressionEvaluationOptions: {

+ scope: 'Inner' // Set to inner scope

+ }

+ template: {

+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'

+ contentVersion: '1.0.0.0'

+ variables: {}

+ resources: [

+ {

+ name: 'outerImplicit'

+ type: 'Microsoft.Network/networkSecurityGroups'

+ apiVersion: '2019-11-01'

+ location: '[resourceGroup().location]'

+ properties: {

+ securityRules: [

+ {

+ name: 'outerImplicit'

+ properties: {

+ description: format('{0}', secureValue)

+ protocol: 'Tcp'

+ }

+ }

+ ]

+ }

+ }

+ ]

+ }

+ }

+}

+```

+## Next steps

+For more information about the linter, see [Use Bicep linter](./linter.md).

+- [no-hardcoded-location](./linter-rule-no-hardcoded-location.md)

+- [no-loc-expr-outside-params](./linter-rule-no-loc-expr-outside-params.md)

+- [protect-commandtoexecute-secrets](./linter-rule-protect-commandtoexecute-secrets.md)

+- [secure-params-in-nested-deploy](./linter-rule-secure-params-in-nested-deploy.md)

+Sometimes a rule can have false positives. For example, you may need to include a link to a blob storage directly without using the [environment()](./bicep-functions-deployment.md#environment) function.

+It's good practice to add a comment explaining why the rule doesn't apply to this line.

+}

+1. In the **Authentication** page, click **Add identity provider**

+3. Select **Microsoft** in the identity provider dropdown. The option to create a new registration is selected by default. You can change the name of the registration. For more details on enabling Azure AD provider, please refer to [Configure your App Service or Azure Functions app to use Azure AD login](../app-service/configure-authentication-provider-aad.md)

+4. Navigate to SignalR Service and follow [steps](howto-use-managed-identity.md#add-a-system-assigned-identity) to add a system-assigned identity or user-assigned identity.

+5. Get into **Upstream settings** in SignalR Service and choose **Use Managed Identity** and **Select from existing Applications**. Select the application you created previously.

+> To pass the authentication, the *Issuer Url* must match the *iss* claim in token. Currently, we only support v1 endpoint (see [v1.0 and v2.0](../active-directory/develop/access-tokens.md)), so the *Issuer Url* should look like `https://sts.windows.net/<tenant-id>/`. Check the *Issuer Url* configured in Azure Function. For **Authentication**, go to *Identity provider* -> *Edit* -> *Issuer Url*

+ Title: Configure external identity source for NSX-T

+description: Learn how to use the Azure VMware Solution to configure an external identity source for NSX-T.

+# Configure external identity source for NSX-T

+In this article, you'll learn how to configure an external identity source for NSX-T in an Azure VMware Solution. The NSX-T Data Center can be configured with external LDAP directory service to add remote directory users or groups. The users can be assigned an NSX-T Data Center Role-based access control (RBAC) role like you've on-premises.

+## Prerequisites

+- A working connectivity from your Active Directory network to your Azure VMware Solution private cloud.

+- If you require Active Directory authentication with LDAPS:

+ - You'll need access to the Active Directory Domain Controller(s) with Administrator permissions.

+ - Your Active Directory Domain Controller(s) must have LDAPS enabled with a valid certificate. The certificate could be issued by an [Active Directory Certificate Services Certificate Authority (CA)](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) or a [third-party CA](https://docs.microsoft.com/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority).

+ >[!Note]

+ > Self-sign certificates are not recommended for production environments. ΓÇ»

+

+- Ensure your Azure VMware Solution has DNS resolution configured to your on-premises AD. Enable DNS Forwarder from Azure portal. For more information, see [Configure NSX-T DNS for resolution to your Active Directory Domain and Configure DNS forwarder for Azure VMware Solution](configure-dns-azure-vmware-solution.md) .

+>[!NOTE]

+> For more information about LDAPS and certificate issuance, see with your security or identity management team.

+## Add Active Directory as LDAPS identity source

+1. Sign-in to NSX-T and Navigate to System > Users and Roles > LDAP.

+1. Select on the Add Identity Source.

+1. Enter a name for the identity source. For example, avslab.local.

+1. Enter a domain name. The name must correspond to the domain name of your Active Directory server, if using Active Directory. For example, `avslab.local`.

+1. Select the type as Active Directory over LDAP, if using Active Directory.

+1. Enter the Base DN. Base DN is the starting point that an LDAP server uses when searching for user authentication within an Active Directory domain. For example: DC=avslab,DC=local.

+ >[!NOTE]

+ > All of the user and group entries you intend to use to control access to NSX-T Data Center must be contained within the LDAP directory tree rooted at the specified Base DN. If the Base DN is set to something too specific, such as an Organizational Unit deeper in your LDAP tree, NSX may not be able to find the entries it needs to locate users and determine group membership. Selecting a broad Base DN is a best practice if you are unsure.

+1. After filling in the required fields, you can select Set to configure LDAP servers. One LDAP server is supported for each domain.

+ | **Field** | **Value** |

+ | -- | -- |

+ |Hostname/IP | The hostname or IP address of your LDAP server. For example,ΓÇ»`dc.avslab.local.`|

+ | LDAP Protocol | SelectΓÇ»**LDAPS**ΓÇ»(LDAP is unsecured). |

+ | Port | The default port is populated based on the selected protocol 636 for LDAPS and 389 for LDAP. If your LDAP server is running on a non-standard port, you can edit this text box to give the port number. |

+ | Connection Status | After filling in the mandatory text boxes, including the LDAP server information, select **Connection Status** to test the connection. |

+ | Use StartTLS | If selected, the LDAPv3 StartTLS extension is used to upgrade the connection to use encryption. To determine if you should use this option, consult your LDAP server administrator. This option can only be used if LDAP protocol is selected. |

+ | Certificate | If you're using LDAPS or LDAP + StartTLS, this text box should contain the PEM-encoded X.509 certificate of the server. If you leave this text box blank and select the **Check Status** link, NSX connects to the LDAP server. NSX will then retrieve the LDAP server's certificate, and prompt you if you want to trust that certificate. If you've verified that the certificate is correct, select **OK**, and the certificate text box will be populated with the retrieved certificate. |

+ |Bind Identity | The format is `user@domainName`, or you can specify the distinguished name. For Active Directory, you can use either the userPrincipalName (user@domainName) or the distinguished name. For OpenLDAP, you must supply a distinguished name. This text box is required unless your LDAP server supports anonymous bind, then it's optional. Consult your LDAP server administrator if you aren't sure.|

+ |Password |Enter a password for the LDAP server. This text box is required unless your LDAP server supports anonymous bind, then it's optional. Consult your LDAP server administrator.|

+1. SelectΓÇ»**Add**.ΓÇ»

+ :::image type="content" source="./media/nsxt/set-ldap-server.png" alt-text="Screenshot showing how to set an LDAP server." border="true" lightbox="./media/nsxt/set-ldap-server.png":::

+

+

+1. Select **Save** to complete the changes.

+ :::image type="content" source="./media/nsxt/user-roles-ldap-server.png" alt-text="Screenshot showing user roles on an LDAP server." border="true" lightbox="./media/nsxt/user-roles-ldap-server.png":::

+## Assign other NSX-T roles to Active Directory identities

+After adding an external identity, you can assign NSX-T Roles to Active Directory security groups based on your organization's security controls.

+1. Sign in to NSX-T and navigate toΓÇ»**System** > **Users and Roles**.

+

+1. Select **Add** >ΓÇ»**Role Assignment for LDAP**.ΓÇ»

+ 1. Select a domain.

+ 1. Enter the first few characters of the user's name, sign in ID, or a group name to search the LDAP directory, then select a user or group from the list that appears.

+ 1. Select a role.

+ 1. Select **Save**.

+ :::image type="content" source="./media/nsxt/user-roles-ldap-review.png" alt-text="Screenshot showing how to review different roles on the LDAP server." border="true" lightbox="./media/nsxt/user-roles-ldap-review.png":::

+1. Verify the permission assignment is displayed underΓÇ»**Users and Roles**.

+1. Users should now be able to sign in to NSX-T using their Active Directory credentials.

+## Next steps

+Now that you've configured the external source, you can also learn about:

+- [Configure external identity source for vCenter Server](configure-identity-source-vcenter.md)

+- [Azure VMware Solution identity concepts](concepts-identity.md)

+- [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html)

+ | **GroupName** | The group to give cloudadmin access in your external identity source, for example, **avs-admins**. |

+You'll run the `Add-GroupToCloudAdmins` cmdlet to add an existing AD group to a cloudadmin group. Users in the cloudadmin group have privileges equal to the cloudadmin (cloudadmin@vsphere.local) role defined in vCenter Server SSO.

+1. After you sign in to vCenter Server with cloudadmin privileges, you can select an item from the inventory, select **ACTIONS** menu and select **Add Permission**.

+- [Azure VMware Solution identity concepts](concepts-identity.md) - Use vCenter Server to manage virtual machine (VM) workloads and NSX-T Manager to manage and extend the private cloud. Access and identity management use the cloudadmin role for vCenter Server and restricted administrator rights for NSX-T Manager.

+- [Configure external identity source for NSX-T](configure-external-identity-source-nsx-t.md)

+- [Azure VMware Solution identity concepts](concepts-identity.md)

+- [VMware product documentation](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-DB5A44F1-6E1D-4E5C-8B50-D6161FFA5BD2.html)

+ Title: Deploy vSAN stretched clusters

+description: Learn how to deploy vSAN stretched clusters.

+# Deploy vSAN stretched clusters

+In this article, you'll learn how to implement a vSAN stretched cluster for an Azure VMware Solution private cloud.

+## Background

+AzureΓÇÖs global infrastructure is broken up into Regions. Each region supports the services for a given geography. Within each region, Azure builds isolated, and redundant islands of infrastructure called availability zones (AZ). An AZ acts as a boundary for resource management. The compute and other resources available to an AZ are finite and may become exhausted by customer demands. An AZ is built to be independently resilient, meaning failures in one AZ doesn't affect other AZs.

+With Azure VMware Solution, ESXi hosts deployed in a standard vSphere cluster traditionally reside in a single Azure Availability Zone (AZ) and are protected by vSphere high availability (HA). However, it doesn't protect the workloads against an Azure AZ failure. To protect against an AZ failure, a single vSAN cluster can be enabled to span two separate availability zones, called a [vSAN stretched cluster](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.vsan-planning.doc/GUID-4172337E-E25F-4C6B-945E-01623D314FDA.html?hWord=N4IghgNiBcIG4GcwDsAECAuAnAphgxgBY4Amq+EArpjliAL5A).

+Stretched clusters allow the configuration of vSAN Fault Domains across two AZs to notify vCenter Server that hosts reside in each Availability Zone (AZ). Each fault domain is named after the AZ it resides within to increase clarity. When you stretch a vSAN cluster across two AZs within a region, should an AZ go down, it's treated as a vSphere HA event and the virtual machine is restarted in the other AZ.

+**Stretched cluster benefits:**

+- Improve application availability.

+- Provide a zero recovery point objective (RPO) capability for enterprise applications without needing to redesign them, or deploy expensive disaster recovery (DR) solutions.

+- A private cloud with stretched clusters is designed to provide 99.99% availability due to its resilience to AZ failures.

+- Enable customers to focus on core application requirements and features, instead of infrastructure availability.

+To protect against split-brain scenarios and help measure site health, a managed vSAN Witness is created in a third AZ. With a copy of the data in each AZ, vSphere HA attempts to recover from any failure using a simple restart of the virtual machine.

+**vSAN stretched cluster**

+In summary, stretched clusters simplify protection needs by providing the same trusted controls and capabilities in addition to the scale and flexibility of the Azure infrastructure.

+It's important to understand that stretched cluster private clouds only offer an extra layer of resiliency, and they don't address all failure scenarios. For example, stretched cluster private clouds:

+- Don't protect against region-level failures within Azure or data loss scenarios caused by application issues or poorly planned storage policies.

+- Provides protection against a single zone failure but aren't designed to provide protection against double or progressive failures. For example:

+ - Despite various layers of redundancy built into the fabric, if an inter-AZ failure results in the partitioning of the secondary site, vSphere HA starts powering off the workload VMs on the secondary site. The following diagram shows the secondary site partitioning scenario.

+

+ :::image type="content" source="media/stretch-clusters/diagram-2-secondary-site-power-off-workload.png" alt-text="Diagram shows vSphere high availability powering off the workload virtual machines on the secondary site.":::

+ - If the secondary site partitioning progressed into the failure of the primary site instead, or resulted in a complete partitioning, vSphere HA would attempt to restart the workload VMs on the secondary site. If vSphere HA attempted to restart the workload VMs on the secondary site, it would put the workload VMs in an unsteady state. The following diagram shows the preferred site failure or complete partitioning scenario.

+ :::image type="content" source="media/stretch-clusters/diagram-3-restart-workload-secondary-site.png" alt-text="Diagram shows vSphere high availability trying to restart the workload virtual machines on the secondary site when preferred site failure or complete partitioning occurs.":::

+It should be noted that these types of failures, although rare, fall outside the scope of the protection offered by a stretched cluster private cloud. Because of this, a stretched cluster solution should be regarded as a multi-AZ high availability solution reliant upon vSphere HA. It's important you understand that a stretched cluster solution isn't meant to replace a comprehensive multi-region Disaster Recovery strategy that can be employed to ensure application availability. The reason is because a Disaster Recovery solution typically has separate management and control planes in separate Azure regions. Azure VMware Solution stretched clusters have a single management and control plane stretched across two availability zones within the same Azure region. For example, one vCenter Server, one NSX-T Manager cluster, one NSX-T Data Center Edge VM pair.

+## Deploy a stretched cluster private cloud

+Currently, Azure VMware Solution stretched clusters is in a limited availability phase. In the limited availability phase, you must contact Microsoft to request and qualify for support.

+## Prerequisites

+To request support, send an email request to **avsStretchedCluster@microsoft.com** with the following details:

+- Company name

+- Point of contact (email)

+- Subscription (a new, separate subscription is required)

+- Region requested (West Europe, UK South, Germany West Central)

+- Number of nodes in first stretched cluster (minimum 6, maximum 16 - in multiples of two)

+- Estimated provisioning date (used for billing purposes)

+When the request support details are received, quota will be reserved for a stretched cluster environment in the region requested. The subscription gets enabled to deploy a stretched cluster SDDC through the Azure portal. A confirmation email will be sent to the designated point of contact within two business days upon which you should be able to [self-deploy a stretched cluster private cloud via the Azure portal](https://docs.microsoft.com/azure/azure-vmware/tutorial-create-private-cloud?tabs=azure-portal#create-a-private-cloud). Be sure to select **Hosts in two availability zones** to ensure that a stretched cluster gets deployed in the region of your choice.

+Once the private cloud is created, you can peer both availability zones (AZs) to your on-premises ExpressRoute circuit with Global Reach that helps connect your on-premises data center to the private cloud. Peering both the AZs will ensure that an AZ failure doesn't result in a loss of connectivity to your private cloud. Since an ExpressRoute Auth Key is valid for only one connection, repeat the [Create an ExpressRoute auth key in the on-premises ExpressRoute circuit](https://docs.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud#create-an-expressroute-auth-key-in-the-on-premises-expressroute-circuit) process to generate another authorization.

+Next, repeat the process to [peer ExpressRoute Global Reach](https://docs.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud#peer-private-cloud-to-on-premises) two availability zones to the on-premises ExpressRoute circuit.

+## Supported scenarios

+The following scenarios are supported:

+- Workload connectivity to internet from both AZs via Customer vWAN or On-premises data center

+- Private DNS resolution

+- Placement policies (except for VM-AZ affinity)

+- Cluster scale out and scale in

+- The following SPBM policies are supported, with a PFTT of ΓÇ£Dual Site MirroringΓÇ¥ and SFTT of ΓÇ£RAID 1 (Mirroring)ΓÇ¥ enabled as the default policies for the cluster:

+ - Site disaster tolerance settings (PFTT):

+ - Dual site mirroring

+ - None - keep data on preferred

+ - None - keep data on non-preferred

+ - Local failures to tolerate (SFTT):

+ - 1 failure ΓÇô RAID 1 (Mirroring)

+ - 1 failure ΓÇô RAID 5 (Erasure coding), requires a minimum of 4 hosts in each AZ

+ - 2 failures ΓÇô RAID 1 (Mirroring)

+ - 2 failures ΓÇô RAID 6 (Erasure coding), requires a minimum of 6 hosts in each AZ

+ - 3 failures ΓÇô RAID 1 (Mirroring)

+In this phase, while the creation of the private cloud and the first stretched cluster is enabled via the Azure portal, open a [support ticket](https://rc.portal.azure.com/#create/Microsoft.Support) from the Azure portal for other supported scenarios and configurations listed below. While doing so, make sure you select **Stretched Clusters** as a Problem Type.

+Once stretched clusters are made generally available, it's expected that all the following supported scenarios will be enabled in an automated self-service fashion.

+- HCX installation, deployment, removal, and support for migration

+- Connect a private cloud in another region to a stretched cluster private cloud

+- Connect two stretched cluster private clouds in a single region

+- Configure Active Directory as an identity source for vCenter Server

+- A PFTT of ΓÇ£Keep data on preferredΓÇ¥ or ΓÇ£Keep data on non-preferredΓÇ¥ requires keeping VMs on either one of the availability zones. For such VMs, open a support ticket to ensure that those VMs are pinned to an availability zone.

+- Cluster addition

+- Cluster deletion

+- Private cloud deletion

+## Supported regions

+Azure VMware Solution stretched clusters are available in the following regions:

+- UK South

+- West Europe

+- Germany West Central

+## FAQ

+### Are any other regions planned?

+As of now, the only 3 regions listed above are planned for support of stretched clusters.

+### What kind of SLA does Azure VMware Solution provide with the stretched clusters limited availability release?

+A private cloud created with a vSAN stretched cluster is designed to offer a 99.99% infrastructure availability commitment when the following conditions exist:

+- A minimum of 6 nodes are deployed in the cluster (3 in each availability zone)

+- When a VM storage policy of PFTT of "Dual-Site Mirroring" and an SFTT of 1 is used by the workload VMs

+- Compliance with the **Additional Requirements** captured in the [SLA details of Azure VMware Solution](https://azure.microsoft.com/support/legal/sla/azure-vmware/v1_1/) is required to achieve the availability goals

+### Do I get to choose the availability zone in which a private cloud is deployed?

+No. A stretched cluster is created between two availability zones, while the third zone is used for deploying the witness node. Because all of the zones are effectively used for deploying a stretched cluster environment, a choice isn't provided to the customer. Instead, the customer chooses to deploy hosts in multiple AZs at the time of private cloud creation.

+### What are the limitations I should be aware of?

+- Once a private cloud has been created with a stretched cluster, it can't be changed to a standard cluster private cloud. Similarly, a standard cluster private cloud can't be changed to a stretched cluster private cloud after creation.

+- Scale out and scale-in of stretched clusters can only happen in pairs. A minimum of 6 nodes and a maximum of 16 nodes are supported in a stretched cluster environment.

+- Customer workload VMs are restarted with a medium vSphere HA priority. Management VMs have the highest restart priority.

+- The solution relies on vSphere HA and vSAN for restarts and replication. Recovery time objective (RTO) is determined by the amount of time it takes vSphere HA to restart a VM on the surviving AZ after the failure of a single AZ.

+- Preview features for standard private cloud environments aren't supported in a stretched cluster environment. For example, external storage options like disk pools and Azure NetApp Files (ANF), Customer Management Keys, Public IP via NSX-T Data Center Edge, and others.

+- Disaster recovery addons like, VMware SRM, Zerto, and JetStream are currently not supported in a stretched cluster environment.

+### What kind of latencies should I expect between the availability zones (AZs)?

+vSAN stretched clusters operate within a 5 minute round trip time (RTT) and 10 Gb/s or greater bandwidth between the AZs that host the workload VMs. The Azure VMware Solution stretched cluster deployment follows that guiding principle. Consider that information when deploying applications (with SFTT of dual site mirroring, which uses synchronous writes) that have stringent latency requirements.

+### Can I mix stretched and standard clusters in my private cloud?

+No. A mix of stretched and standard clusters aren't supported within the same private cloud. A stretched or standard cluster environment is selected when you create the private cloud. Once a private cloud has been created with a stretched cluster, it's assumed that all clusters created within that private cloud are stretched in nature.

+### How much does the solution cost?

+Customers will be charged based on the number of nodes deployed within the private cloud.

+### Will I be charged for the witness node and for inter-AZ traffic?

+No. While in limited availability, customers won't see a charge for the witness node and the inter-AZ traffic. The witness node is entirely service managed, and Azure VMware Solution provides the required lifecycle management of the witness node. As the entire solution is service managed, the customer only needs to identify the appropriate SPBM policy to set for the workload virtual machines. The rest is managed by Microsoft.

+### Which SKUs are available?

+Stretched clusters will solely be supported on the AV36 SKU.

+>[!IMPORTANT]

+>The use of Public IP down to the NSX Edge is not compatible with reverse DNS Lookup.

+In this article, youΓÇÖll learn how to configure SQL Azure hybrid benefits to an Azure VMware Solution private cloud by configuring a placement policy. The placement policy defines the hosts that are running SQL as well as the virtual machines on that host.

+For example, if each host in Azure VMware Solution has 36 cores and you signal that two hosts run SQL, then SQL Azure hybrid benefit will apply to 72 cores irrespective of the number of SQL or other virtual machines on that host.

+ 2. **Type** ΓÇô Select the type of policy. This type must be a VM-Host affinity rule only.

+ 4. **Cluster** ΓÇô Select the correct cluster. The policy is scoped to host in this cluster only.

+ 1. **Add Hosts** ΓÇô Select the hosts that will be running SQL. When hosts are replaced, policies are re-created on the new hosts automatically.

+## Does Microsoft BareMetal service store customer data outside the Azure region that a customer has chosen?

+No.

+description: Learn how to sign up, set up, and use Nutanix Cloud Clusters on Azure Public Preview.

+# Getting started with Nutanix Cloud Clusters on Azure

+Learn how to sign up for, set up, and use Nutanix Cloud Clusters (NC2) on Azure Public Preview.

+ Title: What is BareMetal Infrastructure for Nutanix Cloud Clusters on Azure?

+# What is BareMetal Infrastructure for Nutanix Cloud Clusters on Azure?

+> [!TIP]

+> The Speech service provides [profanity filter](display-text-format.md#profanity-filter) options. You can specify whether to mask, remove, or show profanity.

+ Title: Display text formatting with speech to text - Speech service

+description: An overview of key concepts for display text formatting with speech to text.

+zone_pivot_groups: programming-languages-speech-sdk-cli

+# Display text formatting with speech to text

+Speech-to-text offers an array of formatting features to ensure that the transcribed text is clear and legible. Below is an overview of these features and how each one is used to improve the overall clarity of the final text output.

+## ITN

+Inverse Text Normalization (ITN) is a process that converts spoken words into their written form. For example, the spoken word "four" is converted to the written form "4". This process is performed by the speech-to-text service and isn't configurable. Some of the supported text formats include dates, times, decimals, currencies, addresses, emails, and phone numbers. You can speak naturally, and the service formats text as expected. The following table shows the ITN rules that are applied to the text output.

+|Recognized speech|Display text|

+|||

+|`that will cost nine hundred dollars`|`That will cost $900.`|

+|`my phone number is one eight hundred, four five six, eight nine ten`|`My phone number is 1-800-456-8910.`|

+|`the time is six forty five p m`|`The time is 6:45 PM.`|

+|`I live on thirty five lexington avenue`|`I live on 35 Lexington Ave.`|

+|`the answer is six point five`|`The answer is 6.5.`|

+|`send it to support at help dot com`|`Send it to support@help.com.`|

+## Capitalization

+Speech-to-text models recognize words that should be capitalized to improve readability, accuracy, and grammar. For example, the Speech service will automatically capitalize proper nouns and words at the beginning of a sentence. Some examples are shown in this table.

+|Recognized speech|Display text|

+|||

+|`i got an x l t shirt`|`I got an XL t-shirt.`|

+|`my name is jennifer smith`|`My name is Jennifer Smith.`|

+|`i want to visit new york city`|`I want to visit New York City.`|

+## Disfluency removal

+When speaking, it's common for someone to stutter, duplicate words, and say filler words like "uhm" or "uh". Speech-to-text can recognize such disfluencies and remove them from the display text. Disfluency removal is great for transcribing live unscripted speeches to read them back later. Some examples are shown in this table.

+|Recognized speech|Display text|

+|||

+|`i uh said that we can go to the uhmm movies`|`I said that we can go to the movies.`|

+|`its its not that big of uhm a deal`|`It's not that big of a deal.`|

+|`umm i think tomorrow should work`|`I think tomorrow should work.`|

+## Punctuation

+Speech-to-text automatically punctuates your text to improve clarity. Punctuation is helpful for reading back call or conversation transcriptions. Some examples are shown in this table.

+|Recognized speech|Display text|

+|||

+|`how are you`|`How are you?`|

+|`we can go to the mall park or beach`|`We can go to the mall, park, or beach.`|

+When you're using speech-to-text with continuous recognition, you can configure the Speech service to recognize explicit punctuation marks. Then you can speak punctuation aloud in order to make your text more legible. This is especially useful in a situation where you want to use complex punctuation without having to merge it later. Some examples are shown in this table.

+|Recognized speech|Display text|

+|||

+|`they entered the room dot dot dot`|`They entered the room...`|

+|`i heart emoji you period`|`I <3 you.`|

+|`the options are apple forward slash banana forward slash orange period`|`The options are apple/banana/orange.`|

+|`are you sure question mark`|`Are you sure?`|

+Use the Speech SDK to enable dictation mode when you're using speech-to-text with continuous recognition. This mode will cause the speech configuration instance to interpret word descriptions of sentence structures such as punctuation.

+```csharp

+speechConfig.EnableDictation();

+```

+```cpp

+speechConfig->EnableDictation();

+```

+```go

+speechConfig.EnableDictation()

+```

+```java

+speechConfig.enableDictation();

+```

+```javascript

+speechConfig.enableDictation();

+```

+```objective-c

+[self.speechConfig enableDictation];

+```

+```swift

+self.speechConfig!.enableDictation()

+```

+```python

+speech_config.enable_dictation()

+```

+## Profanity filter

+You can specify whether to mask, remove, or show profanity in the final transcribed text. Masking replaces profane words with asterisk (*) characters so that you can keep the original sentiment of your text while making it more appropriate for certain situations

+> [!NOTE]

+> Microsoft also reserves the right to mask or remove any word that is deemed inappropriate. Such words will not be returned by the Speech service, whether or not you enabled profanity filtering.

+The profanity filter options are:

+- `Masked`: Replaces letters in profane words with asterisk (*) characters. Masked is the default option.

+- `Raw`: Include the profane words verbatim.

+- `Removed`: Removes profane words.

+For example, to remove profane words from the speech recognition result, set the profanity filter to `Removed` as shown here:

+```csharp

+speechConfig.SetProfanity(ProfanityOption.Removed);

+```

+```cpp

+speechConfig->SetProfanity(ProfanityOption::Removed);

+```

+```go

+speechConfig.SetProfanity(common.Removed)

+```

+```java

+speechConfig.setProfanity(ProfanityOption.Removed);

+```

+```javascript

+speechConfig.setProfanity(sdk.ProfanityOption.Removed);

+```

+```objective-c

+[self.speechConfig setProfanityOptionTo:SPXSpeechConfigProfanityOption.SPXSpeechConfigProfanityOption_ProfanityRemoved];

+```

+```swift

+self.speechConfig!.setProfanityOptionTo(SPXSpeechConfigProfanityOption_ProfanityRemoved)

+```

+```python

+speech_config.set_profanity(speechsdk.ProfanityOption.Removed)

+```

+```console

+spx recognize --file caption.this.mp4 --format any --profanity masked --output vtt file - --output srt file -

+```

+Profanity filter is applied to the result `Text` and `MaskedNormalizedForm` properties. Profanity filter isn't applied to the result `LexicalForm` and `NormalizedForm` properties. Neither is the filter applied to the word level results.

+## Next steps

+* [Speech-to-text quickstart](get-started-speech-to-text.md)

+* [Get speech recognition results](get-speech-recognition-results.md)

+# What are Azure Cognitive Services containers?

+Personalizer can help you to understand which features of a chosen action are the most and least influential to then model during inference. When enabled, inference explainability includes feature scores from the underlying model into the Rank API response, so your application receives this information at the time of inference.

+ "probability": 0.15

+ "probability": 0.05

+In the example above, three action IDs are returned in the _ranking_ collection along with their respective probabilities scores. The action with the largest probability is the_ best action_ as determined by the model trained on data sent to the Personalizer APIs, which in this case is `"id": "EntertainmentArticle"`. The action ID can be seen again in the _inferenceExplanation_ collection, along with the feature names and scores determined by the model for that action and the features and values sent to the Rank API.

+Recall that Personalizer will either return the _best action_ or an _exploratory action_ chosen by the exploration policy. The best action is the one that the model has determined has the highest probability of maximizing the average reward, whereas exploratory actions are chosen among the set of all possible actions provided in the Rank API call. Actions taken during exploration do not leverage the feature scores in determining which action to take, therefore **feature scores for exploratory actions should not be used to gain an understanding of why the action was taken.** [You can learn more about exploration here](/azure/cognitive-services/personalizer/concepts-exploration).

+* Larger positive scores provide more support for the model choosing this action.

+* Larger negative scores provide more support for the model not choosing this action.

+* Scores close to zero have a small effect on the decision to choose this action.

+* **Default exploration only.** Currently, Inference Explainability supports only the default exploration algorithm. Future releases will enable the use of this capability with additional exploration algorithms.

+ Title: Managed connector overview

+description: Learn about Microsoft-managed connectors hosted on Azure in Azure Logic Apps.

+Using custom user-defined routes (UDRs) or ExpressRoutes, other than with UDRs of selected destinations that you own, are not yet supported for Container App Environments with VNETs. Therefore, securing outbound traffic with a firewall is not yet supported.

+- Before you transition to the Microsoft Customer Agreement, **delete users using the EA portal that don't need access to the new billing account**.

+ - Deleting the users will simplify the transition and improve the security of your new billing account.

+ΓÇö And ΓÇö

+When you invite the users, they're added to the tenant as guest users and get access to the billing account. To invite the users, guest access must be turned on for the tenant. For more information, see [control guest access in Azure Active Directory](/microsoftteams/teams-dependencies#control-guest-access-in-azure-active-directory). If the guest access is turned off, contact the global administrators of your tenant to turn it on.

+Charges and credits balance prior to transition can be viewed in your Enterprise Agreement enrollment through the Azure portal.

+A reservation discount is _use-it-or-lose-it_. So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.

+When you shut down a resource, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are lost.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+A reservation discount is ***use-it-or-lose-it***. So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+A reservation discount is ***use-it-or-lose-it***. So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+The Azure Database for PostgreSQL Single server reserved capacity discount is applied to running your PostgreSQL Single server on an hourly basis. The reservation that you buy is matched to the compute usage emitted by the running Azure Database for PostgreSQL Single server. For PostgreSQL Single servers that don't run the full hour, the reservation is automatically applied to other Azure Database for PostgreSQL Single server matching the reservation attributes. The discount can apply to Azure Database for PostgreSQL Single servers that are running concurrently. If you don't have a PostgreSQL Single server that run for the full hour that matches the reservation attributes, you don't get the full benefit of the reservation discount for that hour.

+If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+Stopped resources are billed and continue to use reservation hours. Deallocate or delete resources or scale-in other resources to use your available reservation hours with other workloads.

+The ratio for 5 or more vCPUs is 2.6. So a reservation for SUSE with a VM with 5 or more vCPUs covers only a portion of the software cost, which is about 77%.

+3. Turn on [Auto Optimize](/azure/databricks/optimizations/auto-optimize) by adding the following properties to your [Spark configuration](/azure/databricks/clusters/configure#spark-config):

+2. Make sure to get access to the key vault where the [Column Master Key (CMK)](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15&preserve-view=true) is stored. Refer to this [article](/sql/relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted?view=sql-server-ver15&preserve-view=true#key-vaults) for required permissions.

+1. Select the new Get Metadata activity on the canvas if it is not already selected, and its **Settings** tab, to edit its details.

+ Title: Azure Stack Edge 2209 release notes

+description: Describes critical open issues and resolutions for the Azure Stack Edge running 2209 release.

+

+# Azure Stack Edge 2209 release notes

+The following release notes identify the critical open issues and the resolved issues for the 2209 release for your Azure Stack Edge devices. Features and issues that correspond to a specific model of Azure Stack Edge are called out wherever applicable.

+The release notes are continuously updated, and as critical issues requiring a workaround are discovered, they're added. Before you deploy your device, carefully review the information contained in the release notes.

+This article applies to the **Azure Stack Edge 2209** release, which maps to software version **2.2.2088.5593**. This software can be applied to your device if you're running at least **Azure Stack Edge 2207** (2.2.2307.5375).

+> [!IMPORTANT]

+> Azure Stack Edge 2209 update contains critical security fixes. As with any new release, we strongly encourage customers to apply this update at the earliest opportunity.

+## What's new

+The 2209 release has the following features and enhancements:

+**Security update** - This release includes a security update for the cluster connect feature of Azure Arc-enabled Kubernetes clusters. The Arc agent running on your Azure Stack Edge device will be upgraded to the latest version. No further action is required of you after the update to Azure Stack Edge 2209 is complete.

+If you have questions or concerns, [open a support case through the Azure portal](azure-stack-edge-contact-microsoft-support.md).

+## Known issues in 2209 release

+| No. | Feature | Issue | Workaround/comments |

+| | | | |

+|**1.**|Preview features |For this release, the following features are available in preview: <br> - Clustering and Multi-Access Edge Computing (MEC) for Azure Stack Edge Pro GPU devices only. <br> - VPN for Azure Stack Edge Pro R and Azure Stack Edge Mini R only. <br> - Local Azure Resource Manager, VMs, Cloud management of VMs, Kubernetes cloud management, and Multi-process service (MPS) for Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R. |These features will be generally available in later releases. |

+## Known issues from previous releases

+The following table provides a summary of known issues carried over from the previous releases.

+| No. | Feature | Issue | Workaround/comments |

+| | | | |

+| **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Create-the-sql-database](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <br> - In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**<br> - Download `sqlcmd` on your client machine from [SQL command utility](/sql/tools/sqlcmd-utility). <br> - Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.<br> - Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd". After this, steps 3-4 from the current documentation should be identical. |

+| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, may result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<br> 1. Create blob in cloud. Or delete a previously uploaded blob from the device.<br> 2. Refresh blob from the cloud into the appliance using the refresh functionality.<br> 3. Update only a portion of the blob using Azure SDK REST APIs. These actions can result in the updated sections of the blob to not get updated in the cloud. <br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.|

+|**3.**|Throttling|During throttling, if new writes to the device aren't allowed, writes by the NFS client fail with a "Permission Denied" error.| The error will show as below:<br>`hcsuser@ubuntu-vm:~/nfstest$ mkdir test`<br>mkdir: can't create directory 'test': Permission deniedΓÇï|

+|**4.**|Blob Storage ingestion|When using AzCopy version 10 for Blob storage ingestion, run AzCopy with the following argument: `Azcopy <other arguments> --cap-mbps 2000`| If these limits aren't provided for AzCopy, it could potentially send a large number of requests to the device, resulting in issues with the service.|

+|**5.**|Tiered storage accounts|The following apply when using tiered storage accounts:<br> - Only block blobs are supported. Page blobs aren't supported.<br> - There's no snapshot or copy API support.<br> - Hadoop workload ingestion through `distcp` isn't supported as it uses the copy operation heavily.||

+|**6.**|NFS share connection|If multiple processes are copying to the same share, and the `nolock` attribute isn't used, you may see errors during the copy.ΓÇï|The `nolock` attribute must be passed to the mount command to copy files to the NFS share. For example: `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`.|

+|**7.**|Kubernetes cluster|When applying an update on your device that is running a Kubernetes cluster, the Kubernetes virtual machines will restart and reboot. In this instance, only pods that are deployed with replicas specified are automatically restored after an update. |If you have created individual pods outside a replication controller without specifying a replica set, these pods won't be restored automatically after the device update. You'll need to restore these pods.<br>A replica set replaces pods that are deleted or terminated for any reason, such as node failure or disruptive node upgrade. For this reason, we recommend that you use a replica set even if your application requires only a single pod.|

+|**8.**|Kubernetes cluster|Kubernetes on Azure Stack Edge Pro is supported only with Helm v3 or later. For more information, go to [Frequently asked questions: Removal of Tiller](https://v3.helm.sh/docs/faq/).|

+|**9.**|Kubernetes |Port 31000 is reserved for Kubernetes Dashboard. Port 31001 is reserved for Edge container registry. Similarly, in the default configuration, the IP addresses 172.28.0.1 and 172.28.0.10, are reserved for Kubernetes service and Core DNS service respectively.|Don't use reserved IPs.|

+|**10.**|Kubernetes |Kubernetes doesn't currently allow multi-protocol LoadBalancer services. For example, a DNS service that would have to listen on both TCP and UDP. |To work around this limitation of Kubernetes with MetalLB, two services (one for TCP, one for UDP) can be created on the same pod selector. These services use the same sharing key and spec.loadBalancerIP to share the same IP address. IPs can also be shared if you have more services than available IP addresses. <br> For more information, see [IP address sharing](https://metallb.universe.tf/usage/#ip-address-sharing).|

+|**11.**|Kubernetes cluster|Existing Azure IoT Edge marketplace modules may require modifications to run on IoT Edge on Azure Stack Edge device.|For more information, see [Run existing IoT Edge modules from Azure Stack Edge Pro FPGA devices on Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-modify-fpga-modules-gpu.md).|

+|**12.**|Kubernetes |File-based bind mounts aren't supported with Azure IoT Edge on Kubernetes on Azure Stack Edge device.|IoT Edge uses a translation layer to translate `ContainerCreate` options to Kubernetes constructs. Creating `Binds` maps to `hostpath` directory and thus file-based bind mounts can't be bound to paths in IoT Edge containers. If possible, map the parent directory.|

+|**13.**|Kubernetes |If you bring your own certificates for IoT Edge and add those certificates on your Azure Stack Edge device after the compute is configured on the device, the new certificates aren't picked up.|To work around this problem, you should upload the certificates before you configure compute on the device. If the compute is already configured, [Connect to the PowerShell interface of the device and run IoT Edge commands](azure-stack-edge-gpu-connect-powershell-interface.md#use-iotedge-commands). Restart `iotedged` and `edgehub` pods.|

+|**14.**|Certificates |In certain instances, certificate state in the local UI may take several seconds to update. |The following scenarios in the local UI may be affected. <br> - **Status** column in **Certificates** page. <br> - **Security** tile in **Get started** page. <br> - **Configuration** tile in **Overview** page.<br> |

+|**15.**|Certificates|Alerts related to signing chain certificates aren't removed from the portal even after uploading new signing chain certificates.| |

+|**16.**|Web proxy |NTLM authentication-based web proxy isn't supported. ||

+|**17.**|Internet Explorer|If enhanced security features are enabled, you may not be able to access local web UI pages. | Disable enhanced security, and restart your browser.|

+|**18.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. This is also required for Event Grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|

+|**19.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources aren't deleted from the Kubernetes cluster. |To allow the deletion of resources when they're deleted from the git repository, set `--sync-garbage-collection` in Arc OperatorParams. For more information, see [Delete a configuration](../azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md#additional-parameters). |

+|**20.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. That ensures the writes are written to the disk.| |

+|**21.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that don't exist on the network.| |

+|**22.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it isn't possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create one VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available one GPU. |

+|**23.**|Custom script VM extension |There's a known issue in the Windows VMs that were created in an earlier release and the device was updated to 2103. <br> If you add a custom script extension on these VMs, the Windows VM Guest Agent (Version 2.7.41491.901 only) gets stuck in the update causing the extension deployment to time out. | To work around this issue: <br> - Connect to the Windows VM using remote desktop protocol (RDP). <br> - Make sure that the `waappagent.exe` is running on the machine: `Get-Process WaAppAgent`. <br> - If the `waappagent.exe` isn't running, restart the `rdagent` service: `Get-Service RdAgent` \| `Restart-Service`. Wait for 5 minutes.<br> - While the `waappagent.exe` is running, kill the `WindowsAzureGuest.exe` process. <br> - After you kill the process, the process starts running again with the newer version. <br> - Verify that the Windows VM Guest Agent version is 2.7.41491.971 using this command: `Get-Process WindowsAzureGuestAgent` \| `fl ProductVersion`.<br> - [Set up custom script extension on Windows VM](azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md). |

+|**24.**|Multi-Process Service (MPS) |When the device software and the Kubernetes cluster are updated, the MPS setting isn't retained for the workloads. |[Re-enable MPS](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface) and redeploy the workloads that were using MPS. |

+|**25.**|Wi-Fi |Wi-Fi doesn't work on Azure Stack Edge Pro 2 in this release. | |

+## Next steps

+- [Update your device](azure-stack-edge-gpu-install-update.md)

+description: Describes how to apply updates using the Azure portal and local web UI for Azure Stack Edge Pro GPU device and the Kubernetes cluster on the device.

+The current update is Update 2209. This update installs two updates, the device update followed by Kubernetes updates. The associated versions for this update are:

+- Device software version: Azure Stack Edge 2209 (2.2.2088.5593)

+- Device Kubernetes version: Azure Stack Kubernetes Edge 2209 (2.2.2088.5593)

+- Kubernetes server version: v1.22.6

+- IoT Edge version: 0.1.0-beta15

+- Azure Arc version: 1.7.18

+- GPU driver version: 515.48.07

+- CUDA version: 11.7

+For information on what's new in this update, go to [Release notes](azure-stack-edge-gpu-2209-release-notes.md).

+**To apply 2209 update, your device must be running version 2207.**

+- If you are not running the minimum required version, you'll see this error:

+

+ *Update package cannot be installed as its dependencies are not met.*

+- You can update to 2207 from 2106, and then install 2209.

+ The update listing appears as **Azure Stack Edge Update 2209**.

+| If the diagnostic setting creation fails for your key vault, you'll see this error. <!--<br> . |

+| If the storage account creation fails, for example, because an account already exists for the name you specified, you'll see this error. <!--<br> . |

+| If the storage account resource that is used for audit logs, is moved across resource groups or subscriptions, you won't see an error. | You can [Create a new storage account and configure it to store the audit logs](../key-vault/general/howto-logging.md). |

+Bring Defender for IoT's rich telemetry into Microsoft Sentinel to bridge the gap between OT and SOC teams with the Microsoft Sentinel data connector for Defender for IoT and the **Microsoft Defender for IoT** solution.

+The **Microsoft Defender for IoT** solution installs out-of-the-box security content to your Microsoft Sentinel, including analytics rules to automatically open incidents, workbooks to visualize and monitor data, and playbooks to automate response actions.

+To visualize and monitor your Defender for IoT data, use the workbooks deployed to your Microsoft Sentinel workspace as part of the **Microsoft Defender for IoT** solution.

+Defender for IoT workbooks provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.

+- [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](../../sentinel/iot-solution.md)

+- [Detect threats out-of-the-box with Defender for IoT data](../../sentinel/iot-advanced-threat-monitoring.md#detect-threats-out-of-the-box-with-defender-for-iot-data)

+- [Create custom analytics rules to detect threats](../../sentinel/detect-threats-custom.md)

+## Site management options from the Azure portal

+When onboarding a new OT sensor to the Defender for IoT, you can add it to a new or existing site. When working with OT networks, organizing your sensors into sites allows you to manage your sensors more efficiently. Enterprise IoT sensors are all automatically added to the same site, named **Enterprise network**.

+To edit a site's details, select the site's name on the **Sites and sensors** page. In the **Edit site** pane that opens on the right, modify any of the following values:

+- **Display name**: Enter a meaningful name for your site.

+- **Tags**: (Optional) Enter values for the **Key** and **Value** fields for each new tag you want to add to your site. Select **+ Add** to add a new tag.

+- **Owner**: For sites with OT sensors only. Enter one or more email addresses for the user you want to designate as the owner of the devices at this site. The site owner is inherited by all devices at the site, and is shown on the IoT device entity pages and in incident details in Microsoft Sentinel.

+ In Microsoft Sentinel, use the **AD4IoT-SendEmailtoIoTOwner** and **AD4IoT-CVEAutoWorkflow** playbooks to automatically notify device owners about important alerts or incidents. For more information, see [Investigate and detect threats for IoT devices](../../sentinel/iot-advanced-threat-monitoring.md).

+When you're done, select **Save** to save your changes.

+Use the options on the **Sites and sensor** page and a sensor details page to do any of the following tasks. If you're on the **Sites and sensors** page, select multiple sensors to apply your actions in bulk using toolbar options. For individual sensors, use the **Sites and sensors** toolbar options, the **...** options menu at the right of a sensor row, or the options on a sensor details page.

+|:::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-edit.png" border="false"::: **Edit a sensor zone** | For individual sensors only, from the **...** options menu or a sensor details page. <br><br>Select **Edit**, and then select a new zone from the **Zone** menu or select **Create new zone**. Select **Submit** to save your changes. |

+ Title: Release notes for the Microsoft Defender for IoT solution in Microsoft Sentinel

+description: Learn about the updates available in each version of the Microsoft Defender for IoT solution, available from the Microsoft Sentinel content hub.

+# Release notes for the Microsoft Defender for IoT solution in Microsoft Sentinel

+This article lists the updates to out-of-the-box security content available from each version of the **Microsoft Defender for IoT** solution. The **Microsoft Defender for IoT** solution is available from the Microsoft Sentinel content hub.

+The **Microsoft Defender for IoT** solution enhances the integration between Defender for IoT and Microsoft Sentinel, helping to streamline SOC workflows to analyze, investigate, and respond efficiently to OT incidents.

+For more information, see:

+- [What's new in Microsoft Defender for IoT?](release-notes.md)

+- [Tutorial: Integrate Microsoft Sentinel and Microsoft Defender for IoT](/azure/sentinel/iot-solution?toc=%2Fazure%2Fdefender-for-iot%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdefender-for-iot%2Fbreadcrumb%2Ftoc.json)

+- [Tutorial: Investigate and detect threats for IoT devices](/azure/sentinel/iot-advanced-threat-monitoring?toc=%2Fazure%2Fdefender-for-iot%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdefender-for-iot%2Fbreadcrumb%2Ftoc.json).

+## Version 2.1

+**Released**: September 2022

+New features in this version include:

+- Solution name changed to **Microsoft Defender for IoT**

+- Workbook improvements:

+ - A new overview dashboard

+ - A new vulnerability dashboard

+ - Inventory dashboard improvements

+- New SOC playbooks for automation with CVEs, triaging incidents that involve sensitive devices, and email notifications to device owners for new incidents.

+For more information, see [Updates to the Microsoft Defender for IoT solution](release-notes.md#updates-to-the-microsoft-defender-for-iot-solution-in-microsoft-sentinels-content-hub).

+## Version 2.0

+**Released**: September 2022

+This version provides enhanced experiences for managing, installing, and updating the solution package in the Microsoft Sentinel content hub.

+For more information, see [Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions](/azure/sentinel/sentinel-solutions-deploy)

+## Version 1.0.14

+**Released**: July 2022

+New features in this version include:

+- [Microsoft Sentinel incident synch with Defender for IoT alerts](release-notes.md#microsoft-sentinel-incident-synch-with-defender-for-iot-alerts)

+- IoT device entities displayed in related Microsoft Sentinel incidents.

+## Version 1.0.13

+**Released**: March 2022

+New features in this version include:

+- A bug fix to prevent new incidents from being created in Microsoft Sentinel each time an alert in Defender for IoT is updated or deleted.

+- A new analytics rule for the **No traffic on sensor detected** Defender for IoT alert.

+- Updates in the **Unauthorized PLC changes** analytics rule to support the **Illegal Beckhoff AMS Command** Defender for IoT alert.

+- A new, deep link to Defender for IoT alerts directly from related Microsoft Sentinel incidents.

+## Earlier versions

+For more information about earlier versions of the **Microsoft Defender for IoT** solution, contact us via the [Defender for IoT community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-iot/bd-p/MicrosoftDefenderIoT).

+## Next steps

+Learn more in [What's new in Microsoft Defender for IoT?](release-notes.md) and the [Microsoft Sentinel documentation](/azure/sentinel/).

+|**OT networks** |**Sensor software version 22.2.6**: <br> - Bug fixes and stability improvements <br>- Enhancements to the device type classification algorithm<br><br>- **Microsoft Sentinel integration**: <br>- [Investigation enhancements with IOT device entities](#investigation-enhancements-with-iot-device-entities-in-microsoft-sentinel)<br>- [Updates to the Microsoft Defender for IoT solution](#updates-to-the-microsoft-defender-for-iot-solution-in-microsoft-sentinels-content-hub) |

+### Investigation enhancements with IOT device entities in Microsoft Sentinel

+Defender for IoT's integration with Microsoft Sentinel now supports an IoT device entity page. When investigating incidents and monitoring IoT security in Microsoft Sentinel, you can now identify your most sensitive devices and jump directly to more details on each device entity page.

+The IoT device entity page provides contextual device information about an IoT device, with basic device details and device owner contact information. Device owners are defined by site in the **Sites and sensors** page in Defender for IoT.

+The IoT device entity page can help prioritize remediation based on device importance and business impact, as per each alert's site, zone, and sensor. For example:

+You can also now hunt for vulnerable devices on the Microsoft Sentinel **Entity behavior** page. For example, view the top five IoT devices with the highest number of alerts, or search for a device by IP address or device name:

+For more information, see [Investigate further with IoT device entities](https://review.learn.microsoft.com/en-us/azure/sentinel/iot-advanced-threat-monitoring#investigate-further-with-iot-device-entities) and [Site management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#site-management-options-from-the-azure-portal).

+### Updates to the Microsoft Defender for IoT solution in Microsoft Sentinel's content hub

+This month, we've released version 2.0 of the **Microsoft Defender for IoT** solution in Microsoft Sentinel's content hub, previously known as the **IoT/OT Threat Monitoring with Defender for IoT** solution.

+Updates in this version of the solution include:

+- **A name change**. If you'd previously installed the **IoT/OT Threat Monitoring with Defender for IoT** solution in your Microsoft Sentinel workspace, the solution is automatically renamed to **Microsoft Defender for IoT**, even if you don't update the solution.

+- **Workbook improvements**: The **Defender for IoT** workbook now includes:

+ - A new **Overview** dashboard with key metrics on the device inventory, threat detection, and security posture. For example:

+ :::image type="content" source="media/release-notes/sentinel-workbook-overview.png" alt-text="Screenshot of the new Overview tab in the IoT OT Threat Monitoring with Defender for IoT workbook." lightbox="media/release-notes/sentinel-workbook-overview.png":::

+ - A new **Vulnerabilities** dashboard with details about CVEs shown in your network and their related vulnerable devices. For example:

+ :::image type="content" source="media/release-notes/sentinel-workbook-vulnerabilities.png" alt-text="Screenshot of the new Vulnerability tab in the IoT OT Threat Monitoring with Defender for IoT workbook." lightbox="media/release-notes/sentinel-workbook-vulnerabilities.png":::

+ - Improvements on the **Device inventory** dashboard, including access to device recommendations, vulnerabilities, and direct links to the Defender for IoT device details pages. The **Device inventory** dashboard in the **IoT/OT Threat Monitoring with Defender for IoT** workbook is fully aligned with the Defender for IoT [device inventory data](how-to-manage-device-inventory-for-organizations.md).

+- **Playbook updates**: The **Microsoft Defender for IoT** solution now supports the following SOC automation functionality with new playbooks:

+ - **Automation with CVE details**: Use the *AD4IoT-CVEAutoWorkflow* playbook to enrich incident comments with CVEs of related devices based on Defender for IoT data. The incidents are triaged, and if the CVE is critical, the asset owner is notified about the incident by email.

+ - **Automation for email notifications to device owners**. Use the *AD4IoT-SendEmailtoIoTOwner* playbook to have a notification email automatically sent to a device's owner about new incidents. Device owners can then reply to the email to update the incident as needed. Device owners are defined at the site level in Defender for IoT.

+ - **Automation for incidents with sensitive devices**: Use the *AD4IoT-AutoTriageIncident* playbook to automatically update an incident's severity based on the devices involved in the incident, and their sensitivity level or importance to your organization. For example, any incident involving a sensitive device can be automatically escalated to a higher severity level.

+For more information, see [Investigate Microsoft Defender for IoT incidents with Microsoft Sentinel](/azure/sentinel/iot-advanced-threat-monitoring?toc=%2Fazure%2Fdefender-for-iot%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdefender-for-iot%2Fbreadcrumb%2Ftoc.json).

+Update your **IoT OT Threat Monitoring with Defender for IoT** solution to use the latest synchronization support, including the new [**AD4IoT-AutoAlertStatusSync** playbook](../../sentinel/iot-advanced-threat-monitoring.md#update-alert-statuses-in-defender-for-iot). After updating the solution, make sure that you also take the [required steps](../../sentinel/iot-advanced-threat-monitoring.md#playbook-prerequisites) to ensure that the new playbook works as expected.

+- [Integrate Defender for Iot and Sentinel](../../sentinel/iot-advanced-threat-monitoring.md)

+- [Update alert statuses playbook](../../sentinel/iot-advanced-threat-monitoring.md#update-alert-statuses-in-defender-for-iot)

+For more information, see [OT threat monitoring in enterprise SOCs](concept-sentinel-integration.md) and [Tutorial: Investigate Microsoft Defender for IoT devices with Microsoft Sentinel](../../sentinel/iot-advanced-threat-monitoring.md).

+For information on integrating with Microsoft Sentinel, see [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](../../sentinel/iot-solution.md) and [Tutorial: Investigate and detect threats for IoT devices](../../sentinel/iot-advanced-threat-monitoring.md).

+## Data residency

+Azure DNS Private Resolver doesn't move or store customer data out of the region where the resolver is deployed.

+From an Event Grid perspective, an event handler is the place where the event is sent. The handler takes some further action to process the event. Event Grid supports several handler types. You can use a supported Azure service, or your own webhook as the handler. Depending on the type of handler, Event Grid follows different mechanisms to guarantee the delivery of the event. For HTTP webhook event handlers, the event is retried until the handler returns a status code of `200 ΓÇô OK`. For Azure Storage Queue, the events are retried until the Queue service successfully processes the message push into the queue.

+1. [Create a **channel** and a **partner topic** in a single step](#create-a-channel).

+ > You may be able to create an event channel (legacy), which supports partner topics. **Channel** is the new routing resource type and is the preferred option, which supports both sending events via partner topics. An **event channel** is a legacy resource and will be deprecated soon.

+ 1. For the channel type, select **Partner Topic**.

+ Partner topics are resources that hold published events. Select **Partner Topic** if you want to **forward events to a partner topic** that holds events to be processed by a handler later.

+> - **Channel** is the new routing resource type and is the preferred option.

+## Activate partner topics

+4. Customer authorizes you to create a [partner topic](concepts.md#partner-topics) in customer's Azure subscription.

+6. Create a partner topic in customer's Azure subscription and resource group by using channels. [Channels](#channel) are resources contained by partner namespaces.

+7. Customer activates the partner topic that you created in their Azure subscription and resource group.

+8. Start publishing events to your partner namespace.

+ - It's the resource type that allows you to create partner resources on a customer's Azure subscription. When you create a channel of type `partner topic`, a partner topic is created on a customer's Azure subscription. A partner topic is a customer's resource to which events are routed when a partner system publishes events.

+## Customer's authorization to create partner topics

+Customers authorize you to create partner topics in their Azure subscription. The authorization is granted for a given resource group in a customer Azure subscription and it's time bound. You must create the channel before the expiration date set by the customer. You should have documentation suggesting the customer an adequate window of time for configuring your system to send or receive events and to create the channel before the authorization expires. If you attempt to create a channel without authorization or after it has expired, the channel creation will fail and no resource will be created on the customer's Azure subscription.

+> Event Grid started **enforcing authorization checks to create partner topics** around June 30th, 2022. Your documentation should ask your customers to grant you the authorization as a prerequisite before you create a channel.

+> **A verified partner is not an authorized partner**. Even if a partner has been vetted by Microsoft, you still need to be authorized before you can create a partner topic in the customer's Azure subscription.

+## Partner topic activation

+- **[Event subscriptions](subscribe-through-portal.md)** is where you select what events to forward to an Azure service or to a public webhook on Azure or elsewhere.

+You must authorize partners to create partner topics before they attempt to create those resources. If you don't grant your authorization, the partners' attempt to create the partner resource will fail.

+You consent the partner to create partner topics by creating a **partner configuration** resource. You add a partner authorization to a partner configuration identifying the partner and providing an authorization expiration time by which a partner topic/destination must be created. The only types of resources that partners can create with your permission are partner topics.

+> Event Grid started enforcing authorization checks to create partner topics around June 30th, 2022.

+ 1. In the **Project Details** section, select the **Azure subscription** and the **resource group** where you want to allow the partner to create a partner topic.

+ 1. To provide your authorization for a partner to create partner topics in the specified resource group, select **+ Partner Authorization** link.

+1. On the **Add partner authorization to create resources** page, you see a list of **verified partners**. A verified partner is a partner whose identity has been validated by Microsoft. You can select a verified partner, and select **Add** button at the bottom to give the partner the authorization to add a partner topic in your resource group. This authorization is effective up to the expiration time.

+ 1. For **Endpoint Type**, select an Azure service (Azure Function, Storage Queues, Event Hubs, Service Bus Queue, Service Bus Topic, Hybrid Connections. etc.), or webhook.

+## Scenarios that impact long running TCP sessions

+Session disconnection isnΓÇÖt an issue for resilient applications that can handle session reset gracefully. However, there are a few applications (like traditional SAP GUI and SAP RFC based apps) which are sensitive to sessions resets. Secure sensitive applications with Network Security Groups (NSGs).

+ `backupPolicyId` that sets a scope for resource selection when the assignment is edited in the

+- `evidenceStorages` (object): An array of storage containers that holds attestation evidence for policy assignments with a `manual` effect. The `displayName` property is the name of the storage account. The `evidenceStorageAccountID` property is the resource ID of the storage account. The `evidenceBlobContainer` property is the blob container name in which you plan to store the evidence.

+ ```json

+ {

+ "properties": {

+ "displayName": "A contingency plan should be in place to ensure operational continuity for each Azure subscription."

+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/{definitionId}",

+ "metadata": {

+ "evidenceStorages": [

+ {

+ "displayName": "Default evidence storage",

+ "evidenceStorageAccountId": "/subscriptions/{subscriptionId}/resourceGroups/{rg-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}",

+ "evidenceBlobContainer": "evidence-container"

+ }

+ ]

+ }

+ }

+ }

+ ```

+## Enforcement mode

+[Azure Activity log](../../../azure-monitor/essentials/platform-logs-overview.md).

+This scenario is

+For policy assignments with effect set to **deployIfNotExist** or **modify**, it is required to have an identity property to do remediation on non-compliant resources. When using identity, the user must also specify a location for the assignment.

+- [Manual (preview)](#manual-preview)

+ > Don't use SAS URIs, URL tokens, or or anything else that could expose secrets in plain text.

+ - Defining `["*"]` for _kinds_ is disallowed.

+ - For _Subscription_, queries the entire subscription for the related resource. Assignment scope should be set at subscription or higher for proper evaluation.

+when the condition is met. Policy assignments with effect set as DeployIfNotExists require a [managed identity](../how-to/remediate-resources.md) to do remediation.

+ - For _Subscription_, queries the entire subscription for the related resource. Assignment scope should be set at subscription or higher for proper evaluation.

+## Manual (preview)

+The new `manual` (preview) effect enables you to define and track your own custom attestation

+resources. Unlike other Policy definitions that actively scan for evaluation, the Manual effect

+allows for manual changes to the compliance state. To change the compliance for a manual policy,

+you'll need to create an attestation for that compliance state.

+> [!NOTE]

+> During Public Preview, support for manual policy is available through various Microsoft Defender

+> for Cloud regulatory compliance initiatives. If you are a Microsoft Defender for Cloud [Premium tier](https://azure.microsoft.com/pricing/details/defender-for-cloud/) customer, refer to their experience overview.

+The following example targets Azure subscriptions and sets the initial compliance state to `Unknown`.

+```json

+{

+ "if": {

+ "field": "type",

+ "equals": "Microsoft.Resources/subscriptions"

+ },

+ "then": {

+ "effect": "manual",

+ "details": {

+ "defaultState": "Unknown"

+ }

+ }

+}

+```

+The `defaultState` property has three possible values:

+- **Unknown**: The initial, default state of the targeted resources.

+- **Compliant**: Resource is compliant according to your manual policy standards

+- **Non-compliant**: Resource is non-compliant according to your manual policy standards

+The Azure Policy compliance engine evaluates all applicable resources to the default state specified

+in the definition (`Unknown` if not specified). An `Unknown` compliance state indicates that you

+must manually attest the resource compliance state. If the effect state is unspecified, it defaults

+to `Unknown`. The `Unknown` compliance state indicates that you must attest the compliance state yourself.

+The following screenshot shows how a manual policy assignment with the `Unknown`

+state appears in the Azure portal:

+

+When a policy definition with `manual` effect is assigned, you have the option to include **evidence**, which refers to optional supplemental information which supports the custom compliance attestation. Evidence itself is stored in Azure Storage, and you can specify the storage blob container in the [policy assignment's metadata](../concepts/assignment-structure.md#metadata) under the property `evidenceStorages`. Further details of the evidence file are described in the attestation JSON resource.

+### Attestations

+`Microsoft.PolicyInsights/attestations`, called an Attestation resource, is a new proxy resource type

+ that sets the compliance states for targeted resources in a manual policy. You can only have one

+ attestation on one resource for an individual policy. In preview, Attestations are available

+only through the Azure Resource Manager (ARM) API.

+Below is an example of creating a new attestation resource:

+```http

+PUT http://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/attestations/{name}?api-version=2019-10-01

+```

+#### Request body

+Below is a sample attestation resource JSON object:

+```json

+"properties": {

+ "policyAssignmentId": "/subscriptions/{subscriptionID}/providers/microsoft.authorization/policyassignments/{assignmentID}",

+ "policyDefinitionReferenceId": "{definitionReferenceID}",

+ "complianceState": "Compliant",

+ "expiresOn": "2023-07-14T00:00:00Z",

+ "owner": "{AADObjectID}",

+ "comments": "This subscription has passed a security audit. See attached details for evidence",

+ "evidence": [

+ {

+ "description": "The results of the security audit.",

+ "sourceUri": "https://gist.github.com/contoso/9573e238762c60166c090ae16b814011"

+ },

+ {

+ "description": "Description of the attached evidence document.",

+ "sourceUri": "https://storagesamples.blob.core.windows.net/sample-container/contingency_evidence_adendum.docx"

+ },

+ ],

+}

+```

+|Property |Description |

+|||

+|policyAssignmentId |Required assignment ID for which the state is being set. |

+|policyDefinitionReferenceId |Optional definition reference ID, if within a policy initiative. |

+|complianceState |Desired state of the resources. Allowed values are `Compliant`, `NonCompliant`, and `Unknown`. |

+|owner |Optional Azure AD object ID of responsible party. |

+|comments |Optional description of why state is being set. |

+|evidence |Optional link array for attestation evidence. |

+Because attestations are a separate resource from policy assignments, they have their own lifecycle. You can PUT, GET and DELETE attestations by using the ARM API. See the [Policy REST API Reference](/rest/api/policy) for more details.

+operations. Policy assignments with effect set as Modify require a [managed identity](../how-to/remediate-resources.md) to do remediation.

+when it's applied. Operations with _false_ condition evaluations are skipped.

+ Title: Azure Policy applicability logic

+description: Describes the rules Azure Policy uses to determine whether the policy is applied to its assigned resources.

+# What is applicability in Azure Policy?

+When a policy definition is assigned to a scope, Azure Policy scans every resource in that scope to determine what should be considered for compliance evaluation. A resource will only be assessed for compliance if it is considered **applicable** to the given policy assignment.

+Applicability is determined by several factors:

+- **Conditions** in the `if` block of the [policy rule](../concepts/definition-structure.md#policy-rule).

+- **Mode** of the policy definition.

+- **Excluded scopes** specified in the assignment.

+- **Exemptions** of resources or resource hierarchies.

+Condition(s) in the `if` block of the policy rule are evaluated for applicability in slightly different ways based on the effect.

+> [!NOTE]

+> Applicability is different from compliance, and the logic used to determine each is different. If a resource is **applicable** that means it is relevant to the policy. If a resource is **compliant** that means it adheres to the policy. Sometimes only certain conditions from the policy rule impact applicability, while all conditions of the policy rule impact compliance state.

+## Applicability logic for Append/Modify/Audit/Deny/DataPlane effects

+Azure Policy evaluates only `type`, `name`, and `kind` conditions in the policy rule `if` expression and treats other conditions as true (or false when negated). If the final evaluation result is true, the policy is applicable. Otherwise, it's not applicable.

+Following are special cases to the previously described applicability logic:

+|Scenario |Result |

+|||

+|Any invalid aliases in the `if` conditions |The policy is not applicable |

+|When the `if` conditions consist of only `kind` conditions |The policy is applicable to all resources |

+|When the `if` conditions consist of only `name` conditions |The policy is applicable to all resources |

+|When the `if` conditions consist of only `type` and `kind` or `type` and `name` conditions |Only type conditions are considered when deciding applicability |

+|When any conditions (including deployment parameters) include a `location` condition |Will not be applicable to subscriptions |

+## Applicability logic for AuditIfNotExists and DeployIfNotExists policy effects

+The applicability of AuditIfNotExists and DeployIfNotExists policies is based off the entire `if` condition of the policy rule. When the `if` evaluates to false, the policy is not applicable.

+## Next steps

+- Learn how to [Get compliance data of Azure resources](../how-to/get-compliance-data.md).

+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).

+- Review the [update in policy compliance for resource type policies](https://azure.microsoft.com/updates/general-availability-update-in-policy-compliance-for-resource-type-policies/).

+|Account Lockout Duration<br />_{(AZ-WIN-73312)} |**Description**: This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. The recommended state for this setting is: `15 or more minute(s)`. **Note:** Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy** GPO in order to be globally in effect on **domain** user accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local** user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.<br />**Key Path**: [System Access]LockoutDuration<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= 15<br />_(Policy) |Warning |

+## Administrative Template - Windows Defender

+|Configure detection for potentially unwanted applications<br />_{(AZ-WIN-202219)} |**Description**: This policy setting controls detection and action for Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications that can deliver adware or malware. The recommended state for this setting is: `Enabled: Block`. For more information, see this link: [Block potentially unwanted applications with Microsoft Defender Antivirus | Microsoft Docs](/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus)<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Critical |

+|Scan all downloaded files and attachments<br />_{(AZ-WIN-202221)} |**Description**: This policy setting configures scanning for all downloaded files and attachments. The recommended state for this setting is: `Enabled`.<br />**Key Path**: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Registry) |Warning |

+|Turn off Microsoft Defender AntiVirus<br />_{(AZ-WIN-202220)} |**Description**: This policy setting turns off Microsoft Defender Antivirus. If the setting is configured to Disabled, Microsoft Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software. The recommended state for this setting is: `Disabled`.<br />**Key Path**: Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Registry) |Critical |

+|Turn off real-time protection<br />_{(AZ-WIN-202222)} |**Description**: This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. The recommended state for this setting is: `Disabled`.<br />**Key Path**: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Registry) |Warning |

+|Turn on e-mail scanning<br />_{(AZ-WIN-202218)} |**Description**: This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender\Scan\DisableEmailScanning<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br />_(Registry) |Warning |

+|Turn on script scanning<br />_{(AZ-WIN-202223)} |**Description**: This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system. The recommended state for this setting is: `Enabled`.<br />**Key Path**: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Registry) |Warning |

+|Disable SMB v1 client (remove dependency on LanmanWorkstation)<br />_{(AZ-WIN-00122)} |**Description**: SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.<br />**Key Path**: SYSTEM\CurrentControlSet\Services\LanmanWorkstation\DependOnService<br />**OS**: WS2008, WS2008R2, WS2012<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= Bowser\0MRxSmb20\0NSI\0\0<br />_(Registry) |Critical |

+|WDigest Authentication<br />_{(AZ-WIN-73497)} |**Description**: When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the "[Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques](https://www.microsoft.com/download/details.aspx?id=36036)" documents. For more information about `UseLogonCredential`, see Microsoft Knowledge Base article 2871997: [Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014](https://support.microsoft.com/en-us/kb/2871997). The recommended state for this setting is: `Disabled`.<br />**Key Path**: SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br />_(Registry) |Important |

+|MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)<br />_{(AZ-WIN-202213)} |**Description**: IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: `Enabled: Highest protection, source routing is completely disabled`.<br />**Key Path**: System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 2<br />_(Registry) |Informational |

+|MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)<br />_{(AZ-WIN-202244)} |**Description**: IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: `Enabled: Highest protection, source routing is completely disabled`.<br />**Key Path**: System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 2<br />_(Registry) |Informational |

+|MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers<br />_{(AZ-WIN-202214)} |**Description**: NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: `Enabled`.<br />**Key Path**: System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Informational |

+|MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)<br />_{(AZ-WIN-202215)} |**Description**: The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: `Enabled`. **Note:** More information on how Safe DLL search mode works is available at this link: [Dynamic-Link Library Search Order - Windows applications | Microsoft Docs](/windows/win32/dlls/dynamic-link-library-search-order)<br />**Key Path**: SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning<br />_{(AZ-WIN-202212)} |**Description**: This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: `Enabled: 90% or less`. **Note:** If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated.<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | 90<br />_(Registry) |Informational |

+|Windows Server must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.<br />_{(AZ-WIN-73503)} |**Description**: Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: `Disabled`.<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br />_(Registry) |Informational |

+|Hardened UNC Paths - NETLOGON<br />_{(AZ_WIN_202250)} |**Description**: This policy setting configures secure access to UNC paths. This policy setting configures secure access to UNC paths<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths?ValueName=\\*\NETLOGON<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= RequireMutualAuthentication=1, RequireIntegrity=1<br />_(Registry) |Warning |

+|Hardened UNC Paths - SYSVOL<br />_{(AZ_WIN_202251)} |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths?ValueName=\\*\SYSVOL<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= RequireMutualAuthentication=1, RequireIntegrity=1<br />_(Registry) |Warning |

+|Enable Structured Exception Handling Overwrite Protection (SEHOP)<br />_{(AZ-WIN-202210)} |**Description**: Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Registry) |Critical |

+|NetBT NodeType configuration<br />_{(AZ-WIN-202211)} |**Description**: This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are: - The B-node (broadcast) method only uses broadcasts. - The P-node (point-to-point) method only uses name queries to a name server (WINS). - The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed. - The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed. The recommended state for this setting is: `Enabled: P-node (recommended)` (point-to-point). **Note:** Resolution through LMHOSTS or DNS follows these methods. If the `NodeType` registry value is present, it overrides any `DhcpNodeType` registry value. If neither `NodeType` nor `DhcpNodeType` is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured.<br />**Key Path**: SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 2<br />_(Registry) |Warning |

+|Do not enumerate connected users on domain-joined computers<br />_{(AZ-WIN-202216)} |**Description**: This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: `Enabled`.<br />**Key Path**: Software\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Encryption Oracle Remediation for CredSSP protocol<br />_{(AZ-WIN-201910)} |**Description**: Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability. The recommended state for this setting is: `Enabled: Force Updated Clients`.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br />_(Registry) |Critical |

+|Enumerate local users on domain-joined computers<br />_{(AZ_WIN_202204)} |**Description**: This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: `Disabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\System\EnumerateLocalUsers<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Member |Doesn't exist or \= 0<br />_(Registry) |Warning |

+|Prevent device metadata retrieval from the Internet<br />_{(AZ-WIN-202251)} |**Description**: This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. The recommended state for this setting is: `Enabled`. **Note:** This will not prevent the installation of basic hardware drivers, but does prevent associated 3rd-party utility software from automatically being installed under the context of the `SYSTEM` account.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\Device Metadata\PreventDeviceMetadataFromNetwork<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Informational |

+|Remote host allows delegation of non-exportable credentials<br />_{(AZ-WIN-20199)} |**Description**: Remote host allows delegation of non-exportable credentials. When you use credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: `Enabled`. **Note:** More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Admin Mode can be found at this link: [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) | Microsoft Docs](/windows/access-protection/remote-credential-guard)<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(Registry) |Critical |

+|Turn off background refresh of Group Policy<br />_{(CCE-14437-8)} |**Description**: This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: `Disabled`.<br />**Key Path**: Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Registry) |Warning |

+|Turn off cloud consumer account state content<br />_{(AZ-WIN-202217)} |**Description**: This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableConsumerAccountStateContent<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Do not allow drive redirection<br />_{(AZ-WIN-73569)} |**Description**: This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: `\\TSClient\<driveletter>$` If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Turn on PowerShell Transcription<br />_{(AZ-WIN-202208)} |**Description**: This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: `Disabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Registry) |Warning |

+|Prevent users from modifying settings<br />_{(AZ-WIN-202209)} |**Description**: This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+## Administrative Templates - Windows Defender

+|Configure Attack Surface Reduction rules<br />_{(AZ_WIN_202205)} |**Description**: This policy setting controls the state for the Attack Surface Reduction (ASR) rules. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ExploitGuard_ASR_Rules<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Prevent users and apps from accessing dangerous websites<br />_{(AZ_WIN_202207)} |**Description**: This policy setting controls Microsoft Defender Exploit Guard network protection. The recommended state for this setting is: `Enabled: Block`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Audit Computer Account Management<br />_{(CCE-38004-8)} |**Description**: This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A computer account was created. - 4742: A computer account was changed. - 4743: A computer account was deleted. The recommended state for this setting is to include: `Success`.<br />**Key Path**: {0CCE9236-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\= Success<br />_(Audit) |Critical |

+|Enable boot DMA protection<br />_{(AZ-WIN-202250)} |**Description**: Secured-core capable servers support system firmware which provides protection against malicious and unintended Direct Memory Access (DMA) attacks for all DMA-capable devices during the boot process.<br />**Key Path**: BootDMAProtection<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(OsConfig) |Critical |

+|Enable hypervisor enforced code integrity<br />_{(AZ-WIN-202246)} |**Description**: HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. HVCI is a critical component that protects and hardens the isolated virtual environment created by VBS by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.<br />**Key Path**: HypervisorEnforcedCodeIntegrityStatus<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br />_(OsConfig) |Critical |

+|Enable secure boot<br />_{(AZ-WIN-202248)} |**Description**: Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).<br />**Key Path**: SecureBootState<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(OsConfig) |Critical |

+|Enable system guard<br />_{(AZ-WIN-202247)} |**Description**: Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, System Guard puts firmware in a hardware-based sandbox helping to limit the impact of vulnerabilities in millions of lines of highly privileged firmware code. <br />**Key Path**: SystemGuardStatus<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br />_(OsConfig) |Critical |

+|Enable virtualization based security<br />_{(AZ-WIN-202245)} |**Description**: Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. This helps to ensure that servers remain devoted to running critical workloads and helps protect related applications and data from attack and exfiltration. VBS is enabled and locked by default on Azure Stack HCI.<br />**Key Path**: VirtualizationBasedSecurityStatus<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br />_(OsConfig) |Critical |

+|Set TPM version<br />_{(AZ-WIN-202249)} |**Description**: Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPM2.0 is required for the Secured-core features.<br />**Key Path**: TPMVersion<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member | 2.0<br />_(OsConfig) |Critical |

+|Accounts: Block Microsoft accounts<br />_{(AZ-WIN-202201)} |**Description**: This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: `Users can't add or log on with Microsoft accounts`.<br />**Key Path**: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 3<br />_(Registry) |Warning |

+|Accounts: Rename guest account<br />_{(AZ-WIN-202255)} |**Description**: The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Guest account that was established when the domain was first created.<br />**Key Path**: [System Access]NewGuestName<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member | Guest<br />_(Policy) |Warning |

+|Network access: Allow anonymous SID/Name translation<br />_{(CCE-10024-8)} |**Description**: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: `Disabled`.<br />**Key Path**: [System Access]LSAAnonymousNameLookup<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Policy) |Warning |

+|Limits print driver installation to Administrators<br />_{(AZ_WIN_202202)} |**Description**: This policy setting controls whether users that aren't Administrators can install print drivers on the system. The recommended state for this setting is: `Enabled`. **Note:** On August 10, 2021, Microsoft announced a [Point and Print Default Behavior Change](https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change/) which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in [KB5005652�Manage new Point and Print default driver installation behavior (CVE-2021-34481)](https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872).<br />**Key Path**: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'<br />_{(CCE-36142-8)} |**Description**: This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 1<br />_(Registry) |Critical |

+|Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'<br />_{(CCE-37130-2)} |**Description**: This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 1<br />_(Registry) |Critical |

+|Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'<br />_{(CCE-37614-5)} |**Description**: When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 1<br />_(Registry) |Critical |

+|Caching of logon credentials must be limited<br />_{(AZ-WIN-73651)} |**Description**: This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: `4 or fewer logon(s)`.<br />**Key Path**: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |In 1-4<br />_(Registry) |Informational |

+|Interactive logon: Machine inactivity limit<br />_{(AZ-WIN-73645)} |**Description**: Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: `900 or fewer second(s), but not 0`. **Note:** A value of `0` does not conform to the benchmark as it disables the machine inactivity limit.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |In 1-900<br />_(Registry) |Important |

+|Interactive logon: Message text for users attempting to log on<br />_{(AZ-WIN-202253)} |**Description**: This policy setting specifies a text message that displays to users when they log on. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | <br />_(Registry) |Warning |

+|Interactive logon: Message title for users attempting to log on<br />_{(AZ-WIN-202254)} |**Description**: This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | <br />_(Registry) |Warning |

+|Interactive logon: Prompt user to change password before expiration<br />_{(CCE-10930-6)} |**Description**: This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: `between 5 and 14 days`.<br />**Key Path**: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |In 5-14<br />_(Registry) |Informational |

+|Microsoft network server: Server SPN target name validation level<br />_{(CCE-10617-9)} |**Description**: This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client; this behavior prevents SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: `Accept if provided by client`. Configuring this setting to `Required from client` also conforms to the benchmark. **Note:** Since the release of the MS [KB3161561](https://support.microsoft.com/en-us/kb/3161561) security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used _simultaneously_ with UNC path hardening (i.e. Rule 18.5.14.1). **CIS therefore recommends against deploying this setting on Domain Controllers.**<br />**Key Path**: System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevel<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Member |\= 1<br />_(Registry) |Warning |

+|Accounts: Rename administrator account<br />_{(CCE-10976-9)} |**Description**: The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console). On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Administrator account that was established when the domain was first created.<br />**Key Path**: [System Access]NewAdministratorName<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | Administrator<br />_(Policy) |Warning |

+|Users must be required to enter a password to access private keys stored on the computer.<br />_{(AZ-WIN-73699)} |**Description**: If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 2<br />_(Registry) |Important |

+|Windows Server must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.<br />_{(AZ-WIN-73701)} |**Description**: This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions.<br />**Key Path**: SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Member |\= 1<br />_(Registry) |Important |

+|Account lockout threshold<br />_{(AZ-WIN-73311)} |**Description**: This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to `0` does not conform to the benchmark as doing so disables the account lockout threshold. The recommended state for this setting is: `5 or fewer invalid logon attempt(s), but not 0`. **Note:** Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy** GPO in order to be globally in effect on **domain** user accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local** user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.<br />**Key Path**: [System Access]LockoutBadCount<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |In 1-3<br />_(Policy) |Important |

+|Password must meet complexity requirements<br />_{(CCE-37063-5)} |**Description**: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Does not contain the user's account name or parts of the user's full name that exceed two consecutive characters - Be at least six characters in length - Contain characters from three of the following four categories: - English uppercase characters (A through Z) - English lowercase characters (a through z) - Base 10 digits (0 through 9) - Non-alphabetic characters (for example, !, $, #, %) - A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific. Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack. The recommended state for this setting is: `Enabled`.<br />**Key Path**: [System Access]PasswordComplexity<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(Policy) |Critical |

+|Reset account lockout counter after<br />_{(AZ-WIN-73309)} |**Description**: This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. The recommended state for this setting is: `15 or more minute(s)`. **Note:** Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the **Default Domain Policy** GPO in order to be globally in effect on **domain** user accounts as their default behavior. If these settings are configured in another GPO, they will only affect **local** user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.<br />**Key Path**: [System Access]ResetLockoutCount<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= 15<br />_(Policy) |Important |

+|Windows Firewall: Domain: Inbound connections<br />_{(AZ-WIN-202252)} |**Description**: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: `Block (default)`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Critical |

+|Windows Firewall: Domain: Logging: Log dropped packets<br />_{(AZ-WIN-202226)} |**Description**: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word `DROP` in the action column of the log. The recommended state for this setting is: `Yes`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogDroppedPackets<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(Registry) |Informational |

+|Windows Firewall: Domain: Logging: Log successful connections<br />_{(AZ-WIN-202227)} |**Description**: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word `ALLOW` in the action column of the log. The recommended state for this setting is: `Yes`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogSuccessfulConnections<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Windows Firewall: Domain: Logging: Name<br />_{(AZ-WIN-202224)} |**Description**: Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: `%SystemRoot%\System32\logfiles\firewall\domainfw.log`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFilePath<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= %SystemRoot%\System32\logfiles\firewall\domainfw.log<br />_(Registry) |Informational |

+|Windows Firewall: Domain: Logging: Size limit (KB)<br />_{(AZ-WIN-202225)} |**Description**: Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: `16,384 KB or greater`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFileSize<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= 16384<br />_(Registry) |Warning |

+|Windows Firewall: Domain: Settings: Display a notification<br />_{(CCE-38041-0)} |**Description**: <p><span>When this option is selected, no notification is displayed to the user when a program is blocked from receiving inbound connections. In a server environment, the popups are not useful as the users is not logged in, popups are not necessary and can add confusion for the administrator.  </span></p><p><span>Configure this policy setting to ‘No’, this will set the registry value to 1.  Windows Firewall will not display a notification when a program is blocked from receiving inbound connections.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Windows Firewall: Private: Inbound connections<br />_{(AZ-WIN-202228)} |**Description**: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: `Block (default)`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Critical |

+|Windows Firewall: Private: Logging: Log dropped packets<br />_{(AZ-WIN-202231)} |**Description**: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word `DROP` in the action column of the log. The recommended state for this setting is: `Yes`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogDroppedPackets<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Informational |

+|Windows Firewall: Private: Logging: Log successful connections<br />_{(AZ-WIN-202232)} |**Description**: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word `ALLOW` in the action column of the log. The recommended state for this setting is: `Yes`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogSuccessfulConnections<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Warning |

+|Windows Firewall: Private: Logging: Name<br />_{(AZ-WIN-202229)} |**Description**: Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: `%SystemRoot%\System32\logfiles\firewall\privatefw.log`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogFilePath<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= %SystemRoot%\System32\logfiles\firewall\privatefw.log<br />_(Registry) |Informational |

+|Windows Firewall: Private: Logging: Size limit (KB)<br />_{(AZ-WIN-202230)} |**Description**: Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: `16,384 KB or greater`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogFileSize<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= 16384<br />_(Registry) |Warning |

+|Windows Firewall: Private: Settings: Display a notification<br />_{(CCE-37621-0)} |**Description**: <p><span>When this option is selected, no notification is displayed to the user when a program is blocked from receiving inbound connections. In a server environment, the popups are not useful as the users is not logged in, popups are not necessary and can add confusion for the administrator.  </span></p><p><span> Configure this policy setting to ‘No’, this will set the registry value to 1.  Windows Firewall will not display a notification when a program is blocked from receiving inbound connections.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(Registry) |Warning |

+|Windows Firewall: Public: Inbound connections<br />_{(AZ-WIN-202234)} |**Description**: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: `Block (default)`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Critical |

+|Windows Firewall: Public: Logging: Log dropped packets<br />_{(AZ-WIN-202237)} |**Description**: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word `DROP` in the action column of the log. The recommended state for this setting is: `Yes`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogDroppedPackets<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br />_(Registry) |Informational |

+|Windows Firewall: Public: Logging: Log successful connections<br />_{(AZ-WIN-202233)} |**Description**: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word `ALLOW` in the action column of the log. The recommended state for this setting is: `Yes`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogSuccessfulConnections<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(Registry) |Warning |

+|Windows Firewall: Public: Logging: Name<br />_{(AZ-WIN-202235)} |**Description**: Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: `%SystemRoot%\System32\logfiles\firewall\publicfw.log`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogFilePath<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= %SystemRoot%\System32\logfiles\firewall\publicfw.log<br />_(Registry) |Informational |

+|Windows Firewall: Public: Logging: Size limit (KB)<br />_{(AZ-WIN-202236)} |**Description**: Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: `16,384 KB or greater`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogFileSize<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= 16384<br />_(Registry) |Informational |

+|Windows Firewall: Public: Settings: Apply local connection security rules<br />_{(CCE-36268-1)} |**Description**: <p><span>This setting controls whether local administrators are allowed to create local connection rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is ‘Yes’, this will set the registry value to 1.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br />_(Registry) |Critical |

+|Audit Kerberos Authentication Service<br />_{(AZ-WIN-00004)} |**Description**: This subcategory reports the results of events generated after a Kerberos authentication TGT request. Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to a server without sending data across the network. This helps mitigate an attacker or server from impersonating a user. - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed. - 4772: A Kerberos authentication ticket request failed. The recommended state for this setting is: `Success and Failure`.<br />**Key Path**: {0CCE9242-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Success and Failure<br />_(Audit) |Critical |

+|Audit Distribution Group Management<br />_{(CCE-36265-7)} |**Description**: This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of group accounts. Events for this subcategory include: - 4744: A security-disabled local group was created. - 4745: A security-disabled local group was changed. - 4746: A member was added to a security-disabled local group. - 4747: A member was removed from a security-disabled local group. - 4748: A security-disabled local group was deleted. - 4749: A security-disabled global group was created. - 4750: A security-disabled global group was changed. - 4751: A member was added to a security-disabled global group. - 4752: A member was removed from a security-disabled global group. - 4753: A security-disabled global group was deleted. - 4759: A security-disabled universal group was created. - 4760: A security-disabled universal group was changed. - 4761: A member was added to a security-disabled universal group. - 4762: A member was removed from a security-disabled universal group. - 4763: A security-disabled universal group was deleted. The recommended state for this setting is to include: `Success`.<br />**Key Path**: {0CCE9238-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Success<br />_(Audit) |Critical |

+|Audit Process Creation<br />_{(CCE-36059-4)} |**Description**: This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Server 2008](https://support.microsoft.com/en-us/kb/947226) for the most recent information about this setting. The recommended state for this setting is: `Success`.<br />**Key Path**: {0CCE922B-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success<br />_(Audit) |Critical |

+|Audit Directory Service Access<br />_{(CCE-37433-0)} |**Description**: This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 4662 : An operation was performed on an object. The recommended state for this setting is to include: `Failure`.<br />**Key Path**: {0CCE923B-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Failure<br />_(Audit) |Critical |

+|Audit Directory Service Changes<br />_{(CCE-37616-0)} |**Description**: This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 5136 : A directory service object was modified. - 5137 : A directory service object was created. - 5138 : A directory service object was undeleted. - 5139 : A directory service object was moved. The recommended state for this setting is to include: `Success`.<br />**Key Path**: {0CCE923C-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Success<br />_(Audit) |Critical |

+|Audit Directory Service Replication<br />_{(AZ-WIN-00093)} |**Description**: This subcategory reports when replication between two domain controllers begins and ends. Events for this subcategory include: - 4932: Synchronization of a replica of an Active Directory naming context has begun. ΓÇô 4933: Synchronization of a replica of an Active Directory naming context has ended. Refer to the Microsoft Knowledgebase article ΓÇ£Description of security events in Windows Vista and in Windows Server 2008ΓÇ¥ for the most recent information about this setting: http:--support.microsoft.com-default.aspx-kb-947226<br />**Key Path**: {0CCE923D-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= No Auditing<br />_(Audit) |Critical |

+|Audit Detailed File Share<br />_{(AZ-WIN-00100)} |**Description**: This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: `Failure`<br />**Key Path**: {0CCE9244-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Failure<br />_(Audit) |Critical |

+|Audit File Share<br />_{(AZ-WIN-00102)} |**Description**: This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: `Success and Failure`. **Note:** There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.<br />**Key Path**: {0CCE9224-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Success and Failure<br />_(Audit) |Critical |

+|Audit Authorization Policy Change<br />_{(CCE-36320-0)} |**Description**: This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: `Success`.<br />**Key Path**: {0CCE9231-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success<br />_(Audit) |Critical |

+|Audit Other Policy Change Events<br />_{(AZ-WIN-00114)} |**Description**: This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - 5063: A cryptographic provider operation was attempted. - 5064: A cryptographic context operation was attempted. - 5065: A cryptographic context modification was attempted. - 5066: A cryptographic function operation was attempted. - 5067: A cryptographic function modification was attempted. - 5068: A cryptographic function provider operation was attempted. - 5069: A cryptographic function property operation was attempted. - 5070: A cryptographic function property modification was attempted. - 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: `Failure`.<br />**Key Path**: {0CCE9234-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Failure<br />_(Audit) |Critical |

+|Audit Sensitive Privilege Use<br />_{(CCE-36267-3)} |**Description**: This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug programs, Enable computer and user accounts to be trusted for delegation, Generate security audits, Impersonate a client after authentication, Load and unload device drivers, Manage auditing and security log, Modify firmware environment values, Replace a process-level token, Restore files and directories, and Take ownership of files or other objects. Auditing this subcategory will create a high volume of events. Events for this subcategory include: ΓÇö 4672: Special privileges assigned to new logon. ΓÇö 4673: A privileged service was called. ΓÇö 4674: An operation was attempted on a privileged object. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.<br />**Key Path**: {0CCE9228-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Success and Failure<br />_(Audit) |Critical |

+|Audit IPsec Driver<br />_{(CCE-37853-9)} |**Description**: This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. - 5478: IPsec Services has started successfully. - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The recommended state for this setting is: `Success and Failure`.<br />**Key Path**: {0CCE9213-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success and Failure<br />_(Audit) |Critical |

+|Audit Other System Events<br />_{(CCE-38030-3)} |**Description**: This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - 5030: The Windows Firewall Service failed to start. - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - 5033 : The Windows Firewall Driver has started successfully. - 5034 : The Windows Firewall Driver has been stopped. - 5035 : The Windows Firewall Driver failed to start. - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. - 5058: Key file operation. - 5059: Key migration operation. The recommended state for this setting is: `Success and Failure`.<br />**Key Path**: {0CCE9214-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Success and Failure<br />_(Audit) |Critical |

+|Access Credential Manager as a trusted caller<br />_{(CCE-37056-9)} |**Description**: This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to the Winlogon process. Users' saved credentials might be compromised if this user right is assigned to other entities. The recommended state for this setting is: `No One`.<br />**Key Path**: [Privilege Rights]SeTrustedCredManAccessPrivilege<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= No One<br />_(Policy) |Warning |

+|Back up files and directories<br />_{(CCE-35912-5)} |**Description**: This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply. The recommended state for this setting is: `Administrators`.<br />**Key Path**: [Privilege Rights]SeBackupPrivilege<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Member, Workgroup Member | Administrators, Backup Operators, Server Operators<br />_(Policy) |Critical |

+|Create a pagefile<br />_{(CCE-35821-8)} |**Description**: This policy setting allows users to change the size of the pagefile. By configuring the pagefile to be either extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. The recommended state for this setting is: `Administrators`.<br />**Key Path**: [Privilege Rights]SeCreatePagefilePrivilege<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Administrators<br />_(Policy) |Critical |

+|Debug programs<br />_{(AZ-WIN-73755)} |**Description**: This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right; however, developers who are debugging new system components will need it. The recommended state for this setting is: `Administrators`. **Note:** This user right is considered a "sensitive privilege" for the purposes of auditing.<br />**Key Path**: [Privilege Rights]SeDebugPrivilege<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Administrators<br />_(Policy) |Critical |

+|Shut down the system<br />_{(CCE-38328-1)} |**Description**: This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. The recommended state for this setting is: `Administrators`.<br />**Key Path**: [Privilege Rights]SeShutdownPrivilege<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member | Administrators, Backup Operators<br />_(Policy) |Warning |

+|The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.<br />_{(AZ-WIN-73785)} |**Description**: The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect�for example, by remote procedure call (RPC) or named pipes�to a service that they have created to impersonate that client, which could elevate the unauthorized user's permissions to administrative or system levels. Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started. Also, a user can impersonate an access token if any of the following conditions exist: - The access token that is being impersonated is for this user. - The user, in this logon session, logged on to the network with explicit credentials to create the access token. - The requested level is less than Impersonate, such as Anonymous or Identify. An attacker with the **Impersonate a client after authentication** user right could create a service, trick a client to make them connect to the service, and then impersonate that client to elevate the attacker's level of access to that of the client. The recommended state for this setting is: `Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE`. **Note:** This user right is considered a "sensitive privilege" for the purposes of auditing. **Note #2:** A Member Server with Microsoft SQL Server _and_ its optional "Integration Services" component installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.<br />**Key Path**: [Privilege Rights]SeImpersonatePrivilege<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member | Administrators, Service, Local Service, Network Service<br />_(Policy) |Important |

+|Allow Diagnostic Data<br />_{(AZ-WIN-00169)} |**Description**: This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value of 0 will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1. A value of 1 sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. A value of 2 sends enhanced diagnostic and usage data. A value of 3 sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: `Enabled: 0 - Security [Enterprise Only]`. **Note:** If the "Allow Telemetry" setting is configured to "0 - Security [Enterprise Only]", then the options in Windows Update to defer upgrades and updates will have no effect.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= 1<br />_(Registry) |Warning |

+|Application: Control Event Log behavior when the log file reaches its maximum size<br />_{(CCE-37775-4)} |**Description**: This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\Retention<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 0<br />_(Registry) |Critical |

+|Block all consumer Microsoft account user authentication<br />_{(AZ-WIN-20198)} |**Description**: This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows `OnlineID` and `WebAccountManager` APIs. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\MicrosoftAccount\DisableUserAuth<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(Registry) |Critical |

+|Configure Windows SmartScreen<br />_{(CCE-35859-8)} |**Description**: This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy setting, Windows SmartScreen behavior may be controlled by setting one of the following options: ΓÇó Give user a warning before running downloaded unknown software ΓÇó Turn off SmartScreen. If you disable or do not configure this policy setting, Windows SmartScreen behavior is managed by administrators on the PC by using Windows SmartScreen Settings in Security and Maintenance. Options: ΓÇó Give user a warning before running downloaded unknown software ΓÇó Turn off SmartScreen<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(Registry) |Warning |

+|Do not use temporary folders per session<br />_{(CCE-38180-6)} |**Description**: By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the session ID. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: `Disabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 1<br />_(Registry) |Critical |

+|Security: Control Event Log behavior when the log file reaches its maximum size<br />_{(CCE-37145-0)} |**Description**: This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\Retention<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 0<br />_(Registry) |Critical |

+|Setup: Control Event Log behavior when the log file reaches its maximum size<br />_{(CCE-38276-2)} |**Description**: This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\Retention<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 0<br />_(Registry) |Critical |

+|System: Control Event Log behavior when the log file reaches its maximum size<br />_{(CCE-36160-0)} |**Description**: This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\EventLog\System\Retention<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 0<br />_(Registry) |Critical |

+|The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.<br />_{(AZ-WIN-73543)} |**Description**: Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisableInventory<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Member |\= 1<br />_(Registry) |Informational |

+|Turn off shell protocol protected mode<br />_{(CCE-36809-2)} |**Description**: This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: `Disabled`.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 0<br />_(Registry) |Warning |

+|Turn on PowerShell Script Block Logging<br />_{(AZ-WIN-73591)} |**Description**: This policy setting enables logging of all PowerShell script input to the `Applications and Services Logs\Microsoft\Windows\PowerShell\Operational` Event Log channel. The recommended state for this setting is: `Enabled`. **Note:** If logging of _Script Block Invocation Start/Stop Events_ is enabled (option box checked), PowerShell will log additional events when invocation of a command, script block, function, or script starts or stops. Enabling this option generates a high volume of event logs. CIS has intentionally chosen not to make a recommendation for this option, since it generates a large volume of events. **If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark.**<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br />_(Registry) |Important |

+|Adjust memory quotas for a process<br />_{(CCE-10849-8)} |**Description**: This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. The recommended state for this setting is: `Administrators, LOCAL SERVICE, NETWORK SERVICE`. **Note:** A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right. **Note #2:** A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.<br />**Key Path**: [Privilege Rights]SeIncreaseQuotaPrivilege<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | Administrators, Local Service, Network Service<br />_(Policy) |Warning |

+ Title: Before you start with Azure HDInsight

+description: In Azure HDInsight, few points to be considered before starting to create a cluster.

+# Consider the below points before starting to create a cluster.

+As part of the best practices, consider the following points before starting to create a cluster.

+## Bring your own database

+HDInsight have two options to configure the databases in the clusters.

+1. Bring your own database (external)

+1. Default database (internal)

+

+During cluster creation, default configuration will use internal database. Once the cluster is created, customer canΓÇÖt change the database type. Hence, it's recommended to create and use the external database. You can create custom databases for Ambari, Hive, and Ranger.

+For more information, see how to [Set up HDInsight clusters with a custom Ambari DB](/azure/hdinsight/hdinsight-custom-ambari-db.md)

+

+## Keep your clusters up to date

+To take advantage of the latest HDInsight features, we recommend regularly migrating your HDInsight clusters to the latest version. HDInsight doesn't support in-place upgrades where existing clusters are upgraded to new component versions. You need to create a new cluster with the desired components and platform version and migrate your application to use the new cluster.

+As part of the best practices, we recommend you keep your clusters updated on regular basis.

+HDInsight release happens every 30 to 60 days. It's always good to move to the latest release as early possible. The recommended maximum duration for cluster upgrades is less than six months.

+For more information, see how to [Migrate HDInsight cluster to a newer version](/azure/hdinsight/hdinsight-upgrade-cluster.md)

+## Next steps

+* [Create Apache Hadoop cluster in HDInsight](./hadoop/apache-hadoop-linux-create-cluster-get-started-portal.md)

+* [Create Apache Spark cluster - Portal](./spark/apache-spark-jupyter-spark-sql-use-portal.md)

+* [Enterprise security in Azure HDInsight](./domain-joined/hdinsight-security-overview.md)

+Azure HDInsight is a managed, full-spectrum, open-source analytics service in the cloud for enterprises. With HDInsight, you can use open-source frameworks such as, Apache Spark, Apache Hive, LLAP, Apache Kafka, Hadoop and more, in your Azure environment.

+Spark, Hadoop, and LLAP don't store customer data, so these services automatically satisfy in-region data residency requirements specified in the [Trust Center](https://azuredatacentermap.azurewebsites.net/).

+Kafka and HBase do store customer data. This data is automatically stored by Kafka and HBase in a single region, so this service satisfies in-region data residency requirements specified in the [Trust Center](https://azuredatacentermap.azurewebsites.net/).

+ Title: Disable Events and delete workspaces - Azure Health Data Services

+description: This article provides resources on how to disable the Events service and delete workspaces.

+# Disable Events and delete workspaces

+## Disable Events

+To disable Events from sending event messages for a single **Event Subscription**, the **Event Subscription** must be deleted.

+1. Select the **Event Subscription** to be deleted. In this example, we'll be selecting an Event Subscription named **fhir-events**.

+3. To completely disable Events, delete all **Event Subscriptions** so that no **Event Subscriptions** remain.

+For more information about troubleshooting Events, see the Events troubleshooting guide:

+ Title: Using custom allocation policies with Azure IoT Hub Device Provisioning Service

+description: Understand custom allocation policies with the Azure IoT Hub Device Provisioning Service (DPS)

+# Understand custom allocation policies with Azure IoT Hub Device Provisioning Service

+Custom allocation policies give you more control over how devices are assigned to your IoT hubs. By using custom allocation policies, you can define your own allocation policies when the built-in policies provided by the Device Provisioning Service (DPS) don't meet the requirements of your scenario.

+For example, maybe you want to examine the certificate a device is using during provisioning and assign the device to an IoT hub based on a certificate property. Or, maybe you have information stored in a database for your devices and need to query the database to determine which IoT hub a device should be assigned to or how the device's initial twin should be set.

+You implement a custom allocation policy in a webhook hosted in [Azure Functions](../azure-functions/functions-overview.md). You can then configure the webhook in one or more individual enrollments and enrollment groups. When a device registers through a configured enrollment entry, DPS calls the webhook which returns the IoT hub to register the device to and, optionally, the initial twin settings for the device and any information to be returned directly to the device.

+## Overview

+The following steps describe how custom allocation polices work:

+1. A custom allocation developer develops a webhook that implements the intended allocation policy and deploys it as an HTTP Trigger function to Azure Functions. The webhook takes information about the DPS enrollment entry and the device and returns the IoT hub that the device should be registered to and, optionally, information about the device's initial state.

+1. An IoT operator configures one or more individual enrollments and/or enrollment groups for custom allocation and provides calling details for the custom allocation webhook in Azure Functions.

+1. When a device [registers](/rest/api/iot-dps/device/runtime-registration/register-device) through an enrollment entry configured for the custom allocation webhook, DPS sends a POST request to the webhook with the request body set to an **AllocationRequest** request object. The **AllocationRequest** object contains information about the device trying to provision and the individual enrollment or enrollment group it's provisioning through. The device information can include an optional custom payload sent from the device in its registration request. For more information, see [Custom allocation policy request](#custom-allocation-policy-request).

+1. The Azure Function executes and returns an **AllocationResponse** object on success. The **AllocationResponse** object contains the IoT hub the device should be provisioned to, the initial twin state, and an optional custom payload to return to the device. For more information, see [Custom allocation policy response](#custom-allocation-policy-response).

+1. DPS assigns the device to the IoT hub indicated in the response, and, if an initial twin is returned, sets the initial twin for the device accordingly. If a custom payload is returned by the webhook, it's passed to the device along with the assigned IoT hub and authentication details in the [registration response](/rest/api/iot-dps/device/runtime-registration/register-device#deviceregistrationresult) from DPS.

+1. The device connects to the assigned IoT hub and downloads its initial twin state. If a custom payload is returned in the registration response, the device uses it according to its own client-side logic.

+The following sections provide more detail about the custom allocation request and response, custom payloads, and policy implementation. For a complete end-to-end example of a custom allocation policy, see [Use custom allocation policies](tutorial-custom-allocation-policies.md).

+## Custom allocation policy request

+DPS sends a POST request to your webhook on the following endpoint: `https://{your-function-app-name}.azurewebsites.net/api/{your-http-trigger}`

+The request body is an **AllocationRequest** object:

+| Property name | Description |

+||-|

+| individualEnrollment | An [individual enrollment record](/rest/api/iot-dps/service/individual-enrollment/get#individualenrollment) that contains properties associated with the individual enrollment that the allocation request originated from. Present if the device is registering through an individual enrollment. |

+| enrollmentGroup | An [enrollment group record](/rest/api/iot-dps/service/enrollment-group/get#enrollmentgroup) that contains the properties associated with the enrollment group that the allocation request originated from. Present if the device is registering through an enrollment group. |

+| deviceRuntimeContext | An object that contains properties associated with the device that is registering. Always present. |

+| linkedHubs | An array that contains the hostnames of the IoT hubs that are linked to the enrollment entry that the allocation request originated from. The device may be assigned to any one of these IoT hubs. Always present. |

+The **DeviceRuntimeContext** object has the following properties:

+| Property | Type | Description |

+|-||-|

+| registrationId | string | The registration ID provided by the device at runtime. Always present. |

+| currentIotHubHostName | string | The hostname of the IoT hub the device was previously assigned to (if any). Not present if this is an initial assignment. You can use this property to determine whether this is an initial assignment for the device or whether the device has been previously assigned. |

+| currentDeviceId | string | The device ID from the device's previous assignment (if any). Not present if this is an initial assignment. |

+| x509 | X509DeviceAttestation | For X.509 attestation, contains certificate details. |

+| symmetricKey | SymmetricKeyAttestation | For symmetric key attestation, contains primary and secondary key details. |

+| tpm | TpmAttestation | For TPM attestation, contains endorsement key and storage root key details. |

+| payload | object | Contains properties specified by the device in the payload property during registration. Present if the device sends a custom payload in the DPS registration request. |

+The following JSON shows the **AllocationRequest** object sent by DPS for a device registering through a symmetric key based enrollment group.

+```json

+{

+ "enrollmentGroup":{

+ "enrollmentGroupId":"contoso-custom-allocated-devices",

+ "attestation":{

+ "type":"symmetricKey"

+ },

+ "capabilities":{

+ "iotEdge":false

+ },

+ "etag":"\"13003fea-0000-0300-0000-62d1d5e50000\"",

+ "provisioningStatus":"enabled",

+ "reprovisionPolicy":{

+ "updateHubAssignment":true,

+ "migrateDeviceData":true

+ },

+ "createdDateTimeUtc":"2022-07-05T21:27:16.8123235Z",

+ "lastUpdatedDateTimeUtc":"2022-07-15T21:02:29.5922255Z",

+ "allocationPolicy":"custom",

+ "iotHubs":[

+ "custom-allocation-toasters-hub.azure-devices.net",

+ "custom-allocation-heatpumps-hub.azure-devices.net"

+ ],

+ "customAllocationDefinition":{

+ "webhookUrl":"https://custom-allocation-function-app-3.azurewebsites.net/api/HttpTrigger1?****",

+ "apiVersion":"2021-10-01"

+ }

+ },

+ "deviceRuntimeContext":{

+ "registrationId":"breakroom499-contoso-tstrsd-007",

+ "symmetricKey":{

+

+ }

+ },

+ "linkedHubs":[

+ "custom-allocation-toasters-hub.azure-devices.net",

+ "custom-allocation-heatpumps-hub.azure-devices.net"

+ ]

+}

+```

+Because this is the initial registration for the device, the **deviceRuntimeContext** property contains only the registration ID and the authentication details for the device. The following JSON shows the **deviceRuntimeContext** for a subsequent call to register the same device. Notice that the current IoT Hub hostname and device ID are included in the request.

+```json

+{

+ "deviceRuntimeContext":{

+ "registrationId":"breakroom499-contoso-tstrsd-007",

+ "currentIotHubHostName":"custom-allocation-toasters-hub.azure-devices.net",

+ "currentDeviceId":"breakroom499-contoso-tstrsd-007",

+ "symmetricKey":{

+

+ }

+ },

+}

+```

+## Custom allocation policy response

+A successful request returns an **AllocationResponse** object.

+| Property | Description |

+|-|-|

+| initialTwin | Optional. An object that contains the desired properties and tags to set in the initial twin on the assigned IoT hub. DPS uses the initialTwin property to set the initial twin on the assigned IoT hub on initial assignment or when re-provisioning if the enrollment entry's migration policy is set to *Re-provision and reset to initial config*. In both of these cases, if the initialTwin is not returned or is set to null, DPS sets the twin on the assigned IoT hub to the initial twin settings in the enrollment entry. DPS ignores the initialTwin for all other re-provisioning settings in the enrollment entry. To learn more, see [Implementation details](#implementation-details). |

+| iotHubHostName | Required. The hostname of the IoT hub to assign the device to. This must be one of the IoT hubs passed in the **linkedHubs** property in the request. |

+| payload | Optional. An object that contains data to be passed back to the device in the Registration response. The exact data will depend on the implicit contract defined by the developer between the device and the custom allocation function. |

+The following JSON shows the **AllocationResponse** object returned by a custom allocation function to DPS for the example registration above.

+```json

+{

+ "iotHubHostName":"custom-allocation-toasters-hub.azure-devices.net",

+ "initialTwin":{

+ "properties":{

+ "desired":{

+ "state":"ready",

+ "darknessSetting":"medium"

+ }

+ },

+ "tags":{

+ "deviceType":"toaster"

+ }

+ }

+}

+```

+## Use device payloads in custom allocation

+Devices can send a custom payload that is passed by DPS to your custom allocation webhook, which can then use that data in its logic. The webhook may use this data in a number of ways, perhaps to determine which IoT hub to assign the device to, or to look up information in an external database that might be used to set properties on the initial twin. Conversely, your webhook can return data back to the device through DPS, which may be used in the device's client-side logic.

+For example, you may want to allocate devices based on the device model. In this case, you can configure the device to report its model information in the request payload when it registers with DPS. DPS will pass this payload to the custom allocation webhook, which will determine which IoT hub the device will be provisioned to based on the device model information. If needed, the webhook can return data back to the DPS as a JSON object in the webhook response, and DPS will return this data to your device in the registration response.

+### Device sends data payload to DPS

+A device calls the [register](/rest/api/iot-dps/device/runtime-registration/register-device) API to register with DPS. The request can be enhanced with the optional **payload** property. This property can contain any valid JSON object. The exact contents will depend on the requirements of your solution.

+For attestation with TPM, the request body looks like the following:

+```json

+{

+ "registrationId": "mydevice",

+ "tpm": {

+ "endorsementKey": "xxxx-device-endorsement-key-xxxxx",

+ "storageRootKey": "xxxx-device-storage-root-key-xxxxx"

+ },

+ "payload": { "property1": "value1", "property2": {"propertyA":"valueA", "property2-2":1234}, .. }

+}

+```

+### DPS sends data payload to custom allocation webhook

+If a device includes a payload its registration request, DPS passes the payload in the **AllocationRequest.deviceRuntimeContext.payload** property when it calls the custom allocation webhook.

+For the TPM registration request in the previous section, the device runtime context will look like the following:

+```json

+{

+ "registrationId": "mydevice",

+ "tpm": {

+ "endorsementKey": "xxxx-device-endorsement-key-xxxxx",

+ "storageRootKey": "xxxx-device-storage-root-key-xxxxx"

+ },

+ "payload": { "property1": "value1", "property2": {"propertyA":"valueA", "property2-2":1234}, .. }

+}

+```

+If this isn't the initial registration for the device, then the runtime context will also include the **currentIoTHubHostname** and the **currentDeviceId** properties.

+### Custom allocation webhook returns data to DPS

+The custom allocation policy webhook can return data intended for a device to DPS in a JSON object using the **AllocationResponse.payload** property in the webhook response.

+The following JSON shows a webhook response that includes a payload:

+```json

+{

+ "iotHubHostName":"custom-allocation-toasters-hub.azure-devices.net",

+ "initialTwin":{

+ "properties":{

+ "desired":{

+ "state":"ready",

+ "darknessSetting":"medium"

+ }

+ },

+ "tags":{

+ "deviceType":"toaster"

+ }

+ },

+ "payload": { "property1": "value1" }

+}

+```

+### DPS sends data payload to device

+If DPS receives a payload in the webhook response, it passes this data back to the device in the **RegistrationOperationStatus.registrationState.payload** property in the response on a successful registration. The **registrationState** property is of type [DeviceRegistrationResult](/rest/api/iot-dps/device/runtime-registration/register-device#deviceregistrationresult).

+The following JSON shows a successful registration response for a TPM device that includes the **payload** property:

+```json

+{

+ "operationId":"5.316aac5bdc130deb.b1e02da8-xxxx-xxxx-xxxx-7ea7a6b7f550",

+ "status":"assigned",

+ "registrationState":{

+ "assignedHub":"myIotHub",

+ "createdDateTimeUtc" : "2022-08-01T22:57:47Z",

+ "deviceId" : "myDeviceId",

+ "etag" : "xxxx-etag-value-xxxxx",

+ "lastUpdatedDateTimeUtc" : "2022-08-01T22:57:47Z",

+ "payload": { "property1": "value1" },

+ "registrationId": "mydevice",

+ "status": assigned,

+ "substatus": initialAssignment,

+ "tpm": {"authenticationKey": "xxxx-encrypted-authentication-key-xxxxx"}

+ }

+}

+```

+## Implementation details

+The custom allocation webhook can be called for a device that has not been previously registered through DPS (initial assignment) or for a device that has been previously registered through DPS (reprovisioning). DPS supports the following reprovisioning policies: *Re-provision and migrate data*, *Re-provision and reset to initial config*, and *Never re-provision*. These policies are applied whenever a previously provisioned device is assigned to a new IoT hub. For more details, see [Reprovisioning](concepts-device-reprovision.md).

+The following points describe the requirements that your custom allocation webhook must observe and behavior that you should be aware of when designing your webhook:

+* The device should be assigned to one of the IoT hubs in the **AllocationRequest.linkedHubs** property. This property contains the list of IoT hubs by hostname that the device can be assigned to. This is typically composed of the IoT hubs selected for the enrollment entry. If no IoT hubs are selected in the enrollment entry, it will contain all the IoT hubs linked to the DPS instance. Finally, if the device is reprovisioning and the *Never re-provision* policy is set on the enrollment entry, it will contain only the IoT hub that the device is currently assigned to.

+* On initial assignment, if the **initialTwin** property is returned by the webhook, DPS will set the initial twin for the device on the assigned IoT hub accordingly. If the **initialTwin** property is omitted or is **null**, DPS sets the initial twin for the device to the initial twin setting specified in the enrollment entry.

+* On reprovisioning, DPS follows the reprovisioning policy set in the enrollment entry. DPS only uses **initialTwin** property in the response if the current IoT hub is changed and the reprovisioning policy set on the enrollment entry is *Re-provision and reset to initial config*. In this case, DPS sets the initial twin for the device on the new IoT hub exactly as it would during initial assignment in the previous bullet. In all other cases, DPS ignores the **initialTwin** property.

+* If the **payload** property is set in the response, DPS will always return it to the device regardless of whether the request is for initial assignment or reprovisioning.

+* If a device has previously been provisioned to an IoT hub, the **AllocationRequest.deviceRuntimeContext** will contain a **currentIotHubHostName** property, which will be set to the hostname of the IoT hub where the device is currently assigned.

+* You can determine which of the reprovisioning policies is currently set on the enrollment entry, by examining the **reprovisionPolicy** property of either the **AllocationRequest.individualEnrollment** or the **AllocationRequest.enrollmentGroup** property in the request. the following JSON shows the settings for the *Re-provision and migrate data* policy:

+ ```json

+ "reprovisionPolicy":{

+ "updateHubAssignment":true,

+ "migrateDeviceData":true

+ }

+ ```

+## SDK support

+The DPS device SDKs provide APIs in C, C#, Java, and Node.js to help you register devices with DPS. Both the IoT Hub SDKs and the DPS SDKs provide classes that represent device and service artifacts like device twins and enrollment entries that might be helpful when developing custom allocation webhooks. To learn more about the Azure IoT SDKs available for IoT Hub and IoT Hub Device Provisioning service, see [Azure IoT Hub SDKs](../iot-hub/iot-hub-devguide-sdks.md) and [Azure DPS SDKs](./libraries-sdks.md).

+## Next steps

+* For an end-to-end example using a custom allocation policy, see [Use custom allocation policies](tutorial-custom-allocation-policies.md)

+* To learn more about Azure Functions, see the [Azure Functions documentation](../azure-functions/index.yml)

+> DPS will always call the custom allocation webhook regardless of re-provisioning policy in case there is new [ReturnData](concepts-custom-allocation.md#use-device-payloads-in-custom-allocation) for the device. If the re-provisioning policy is set to **never re-provision**, the webhook will be called but the device will not change its assigned hub.

+* **Custom (Use Azure Function)**: A [custom allocation policy](concepts-custom-allocation.md) gives you more control over how devices are assigned to an IoT hub. This is accomplished by using custom code in an Azure Function to assign devices to an IoT hub. The device provisioning service calls your Azure Function code providing all relevant information about the device and the enrollment to your code. Your function code is executed and returns the IoT hub information used to provisioning the device.

+Devices that register with DPS are required to provide a registration ID and valid credentials (keys or X.509 certificates) when they register. However, there may be IoT solutions or scenarios in which additional data is needed from the device. For example, a custom allocation policy webhook may use information like a device model number to select an IoT hub to provision the device to. Likewise, a device may require additional data in the registration response to facilitate its client-side logic. DPS provides the capability for devices to both send and receive an optional payload when they register.

+Common scenarios for sending optional payloads are:

+* [Custom allocation policies](concepts-custom-allocation.md) can use the device payload to help select an IoT hub for a device or set its initial twin. For example, you may want to allocate your devices based on the device model. In this case, you can configure the device to report its model information when it registers. DPS will pass the deviceΓÇÖs payload to the custom allocation webhook. Then your webhook can decide which IoT hub the device will be provisioned to based on the device model information. If needed, the webhook can also return data back to the device as a JSON object in the webhook response. To learn more, see [Use device payloads in custom allocation](concepts-custom-allocation.md#use-device-payloads-in-custom-allocation).

+* [IoT Plug and Play (PnP)](../iot-develop/overview-iot-plug-and-play.md) devices *may* use the payload to send their model ID when they register with DPS. You can find examples of this usage in the PnP samples in the SDK or sample repositories. For example, [C# PnP thermostat](https://github.com/Azure-Samples/azure-iot-samples-csharp/blob/main/iot-hub/Samples/device/PnpDeviceSamples/Thermostat/Program.cs) or [Node.js PnP temperature controller](https://github.com/Azure/azure-iot-sdk-node/blob/main/device/samples/javascript/pnp_temperature_controller.js).

+* [IoT Central](../iot-central/core/overview-iot-central.md) devices that connect through DPS *should* follow [IoT Plug and Play conventions](..//iot-develop/concepts-convention.md) and send their model ID when they register. IoT Central uses the model ID to assign the device to the correct device template. To learn more, see [Device implementation and best practices for IoT Central](../iot-central/core/concepts-device-implementation.md).

+When your device calls [Register Device](/rest/api/iot-dps/device/runtime-registration/register-device) to register with DPS, it can include additional data in the **payload** property. For example, the following JSON shows the body for a request to register using TPM attestation:

+ "endorsementKey": "xxxx-device-endorsement-key-xxxx",

+ "storageRootKey": "xxx-device-storage-root-key-xxxx"

+The **payload** property must be a JSON object and can contain any data relevant to your IoT solution or scenario.

+DPS can return data back to the device in the registration response. Currently, this feature is exclusively used in custom allocation scenarios. If the custom allocation policy webhook needs to return data to the device, it can pass the data back as a JSON object in the webhook response. DPS will then pass that data back in the **registrationState.payload** property in the [Register Device response](/rest/api/iot-dps/device/runtime-registration/register-device#registrationoperationstatus). For example, the following JSON shows the body of a successful response to register using TPM attestation.

+{

+ "operationId":"5.316aac5bdc130deb.b1e02da8-xxxx-xxxx-xxxx-7ea7a6b7f550",

+ "status":"assigned",

+ "registrationState":{

+ "registrationId":"my-tpm-device",

+ "createdDateTimeUtc":"2022-08-31T22:02:50.5163352Z",

+ "assignedHub":"sample-iot-hub-1.azure-devices.net",

+ "deviceId":"my-tpm-device",

+ "status":"assigned",

+ "substatus":"initialAssignment",

+ "lastUpdatedDateTimeUtc":"2022-08-31T22:02:50.7370676Z",

+ "etag":"xxxx-etag-value-xxxx",

+ "tpm": {"authenticationKey": "xxxx-encrypted-authentication-key-xxxxx"},

+ "payload": { A JSON object that contains the data returned by the webhook }

+ }

+}

+The **payload** property must be a JSON object and can contain any data relevant to your IoT solution or scenario.

+## SDK support

+This feature is available in C, C#, JAVA and Node.js client SDKs. To learn more about the Azure IoT SDKs available for IoT Hub and IoT Hub Device Provisioning service, see [Microsoft Azure IoT SDKs]( https://github.com/Azure/azure-iot-sdks).

+* For an overview of custom allocation policies, see [Understand custom allocation policies](./concepts-custom-allocation.md)

+* To learn how to provision devices using a custom allocation policy, see [Use custom allocation policies](./tutorial-custom-allocation-policies.md)

+ Title: Tutorial - Use custom allocation policies with Azure IoT Hub Device Provisioning Service

+description: This tutorial shows how to provision devices using a custom allocation policy in your Azure IoT Hub Device Provisioning Service (DPS) instance.

+Custom allocation policies give you more control over how devices are assigned to your IoT hubs. With custom allocation policies, you can define your own allocation policies when the policies provided by the Azure IoT Hub Device Provisioning Service (DPS) don't meet the requirements of your scenario. A custom allocation policy is implemented in a webhook hosted in [Azure functions](../azure-functions/functions-overview.md) and configured on one or more individual enrollments and/or enrollment groups. When a device registers with DPS using a configured enrollment entry, DPS calls the webhook to find out which IoT hub the device should be registered to and, optionally, its initial state. To learn more, see [Understand custom allocation policies](concepts-custom-allocation.md).

+This tutorial demonstrates a custom allocation policy using an Azure Function written in C#. Devices are assigned to one of two IoT hubs representing a *Contoso Toasters Division* and a *Contoso Heat Pumps Division*. Devices requesting provisioning must have a registration ID with one of the following suffixes to be accepted for provisioning:

+* **-contoso-tstrsd-007** for the Contoso Toasters Division

+* **-contoso-hpsd-088** for the Contoso Heat Pumps Division

+Devices will be simulated using a provisioning sample included in the [Azure IoT C SDK](https://github.com/Azure/azure-iot-sdk-c).

+In this tutorial, you'll do the following:

+> * Use the Azure CLI to create a DPS instance and to create and link two Contoso division IoT hubs (**Contoso Toasters Division** and **Contoso Heat Pumps Division**) to it

+> * Create an Azure Function that implements the custom allocation policy

+> * Create a new enrollment group uses the Azure Function for the custom allocation policy

+> * Create device symmetric keys for two simulated devices

+> * Set up the development environment for the Azure IoT C SDK

+> * Simulate the devices and verify that they are provisioned according to the example code in the custom allocation policy

+The following prerequisites are for a Windows development environment. For Linux or macOS, see the appropriate section in [Prepare your development environment](https://github.com/Azure/azure-iot-sdk-c/blob/master/doc/devbox_setup.md) in the SDK documentation.

+- [Visual Studio](https://visualstudio.microsoft.com/vs/) 2022 with the ['Desktop development with C++'](/cpp/ide/using-the-visual-studio-ide-for-cpp-desktop-development) workload enabled. Visual Studio 2015 and Visual Studio 2017 are also supported.

+- Latest version of [Git](https://git-scm.com/download/) installed.

+## Create the provisioning service and two divisional IoT hubs

+In this section, you use the Azure Cloud Shell to create a provisioning service and two IoT hubs representing the **Contoso Toasters Division** and the **Contoso Heat Pumps division**.

+> [!TIP]

+> The commands used in this tutorial create the provisioning service and other resources in the West US location. We recommend that you create your resources in the region nearest you that supports Device Provisioning Service. You can view a list of available locations by running the command `az provider show --namespace Microsoft.Devices --query "resourceTypes[?resourceType=='ProvisioningServices'].locations | [0]" --out table` or by going to the [Azure Status](https://azure.microsoft.com/status/) page and searching for "Device Provisioning Service". In commands, locations can be specified either in one word or multi-word format; for example: westus, West US, WEST US, etc. The value is not case sensitive. If you use multi-word format to specify location, enclose the value in quotes; for example, `-- location "West US"`.

+>

+1. Use the Azure Cloud Shell to create a resource group with the [az group create](/cli/azure/group#az-group-create) command. An Azure resource group is a logical container into which Azure resources are deployed and managed.

+ The following example creates a resource group named *contoso-us-resource-group* in the *westus* region. It is recommended that you use this group for all resources created in this tutorial. This approach will make clean up easier after you're finished.

+ ```azurecli-interactive

+ az group create --name contoso-us-resource-group --location westus

+ ```

+2. Use the Azure Cloud Shell to create a device provisioning service (DPS) with the [az iot dps create](/cli/azure/iot/dps#az-iot-dps-create) command. The provisioning service will be added to *contoso-us-resource-group*.

+ The following example creates a provisioning service named *contoso-provisioning-service-1098* in the *westus* location. You must use a unique service name. Make up your own suffix in the service name in place of **1098**.

+ ```azurecli-interactive

+ az iot dps create --name contoso-provisioning-service-1098 --resource-group contoso-us-resource-group --location westus

+ ```

+ This command may take a few minutes to complete.

+3. Use the Azure Cloud Shell to create the **Contoso Toasters Division** IoT hub with the [az iot hub create](/cli/azure/iot/hub#az-iot-hub-create) command. The IoT hub will be added to *contoso-us-resource-group*.

+ The following example creates an IoT hub named *contoso-toasters-hub-1098* in the *westus* location. You must use a unique hub name. Make up your own suffix in the hub name in place of **1098**.

+ > [!CAUTION]

+ > The example Azure Function code for the custom allocation policy requires the substring `-toasters-` in the hub name. Make sure to use a name containing the required toasters substring.

+

+ ```azurecli-interactive

+ az iot hub create --name contoso-toasters-hub-1098 --resource-group contoso-us-resource-group --location westus --sku S1

+ ```

+ This command may take a few minutes to complete.

+4. Use the Azure Cloud Shell to create the **Contoso Heat Pumps Division** IoT hub with the [az iot hub create](/cli/azure/iot/hub#az-iot-hub-create) command. This IoT hub will also be added to *contoso-us-resource-group*.

+ The following example creates an IoT hub named *contoso-heatpumps-hub-1098* in the *westus* location. You must use a unique hub name. Make up your own suffix in the hub name in place of **1098**.

+ > [!CAUTION]

+ > The example Azure Function code for the custom allocation policy requires the substring `-heatpumps-` in the hub name. Make sure to use a name containing the required heatpumps substring.

+ ```azurecli-interactive

+ az iot hub create --name contoso-heatpumps-hub-1098 --resource-group contoso-us-resource-group --location westus --sku S1

+ ```

+ This command may take a few minutes to complete.

+5. The IoT hubs must be linked to the DPS resource.

+ Run the following two commands to get the connection strings for the hubs you just created. Replace the hub resource names with the names you chose in each command:

+ ```azurecli-interactive

+ hubToastersConnectionString=$(az iot hub connection-string show --hub-name contoso-toasters-hub-1098 --key primary --query connectionString -o tsv)

+ hubHeatpumpsConnectionString=$(az iot hub connection-string show --hub-name contoso-heatpumps-hub-1098 --key primary --query connectionString -o tsv)

+ ```

+ Run the following commands to link the hubs to the DPS resource. Replace the DPS resource name with the name you chose in each command:

+ ```azurecli-interactive

+ az iot dps linked-hub create --dps-name contoso-provisioning-service-1098 --resource-group contoso-us-resource-group --connection-string $hubToastersConnectionString --location westus

+ az iot dps linked-hub create --dps-name contoso-provisioning-service-1098 --resource-group contoso-us-resource-group --connection-string $hubHeatpumpsConnectionString --location westus

+ ```

+In this section, you create an Azure function that implements your custom allocation policy. This function decides which divisional IoT hub a device should be registered to based on whether its registration ID contains the string **-contoso-tstrsd-007** or **-contoso-hpsd-088**. It also sets the initial state of the device twin based on whether the device is a toaster or a heat pump.

+3. On the **Function App** create page, under the **Basics** tab, enter the following settings for your new function app and select **Review + create**:

+ **Resource Group**: Select the **contoso-us-resource-group** to keep all resources created in this tutorial together.

+ **Function App name**: Enter a unique function app name. This example uses **contoso-function-app-1098**.

+ **Runtime Stack**: Select **.NET** from the drop-down.

+ **Version**: Select **3.1** from the drop-down.

+ > By default, Application Insights is enabled. Application Insights is not necessary for this tutorial, but it might help you understand and investigate any issues you encounter with the custom allocation. If you prefer, you can disable Application Insights by selecting the **Monitoring** tab and then selecting **No** for **Enable Application Insights**.

+5. On the left pane of the function app **Overview** page, select **Functions** and then **+ Create** to add a new function.

+6. On the **Create function** page, make sure that **Development environment** is set to **Develop in portal**. Then select the **HTTP Trigger** template followed by the **Create** button.

+7. When the **HttpTrigger1** function opens, select **Code + Test** on the left pane. This allows you to edit the code for the function. The **run.csx** code file should be opened for editing.

+8. Reference required NuGet packages. To create the initial device twin, the custom allocation function uses classes that are defined in two NuGet packages that must be loaded into the hosting environment. With Azure Functions, NuGet packages are referenced using a *function.proj* file. In this step, you save and upload a *function.proj* file for the required assemblies. For more information, see [Using NuGet packages with Azure Functions](../azure-functions/functions-reference-csharp.md#using-nuget-packages).

+ 1. Copy the following lines into your favorite editor and save the file on your computer as *function.proj*.

+ ```xml

+ <Project Sdk="Microsoft.NET.Sdk">

+ <PropertyGroup>

+ <TargetFramework>netstandard2.0</TargetFramework>

+ </PropertyGroup>

+ <ItemGroup>

+ <PackageReference Include="Microsoft.Azure.Devices.Provisioning.Service" Version="1.18.1" />

+ <PackageReference Include="Microsoft.Azure.Devices.Shared" Version="1.30.1" />

+ </ItemGroup>

+ </Project>

+ ```

+ 2. Click the **Upload** button located above the code editor to upload your *function.proj* file. After uploading, select the file in the code editor using the drop down box to verify the contents.

+ 3. Select the *function.proj* file in the code editor and verify its contents. If the *function.proj* file is empty copy the lines above into the file and save it. (Sometimes the upload will create the file without uploading the contents.)

+9. Make sure *run.csx* for **HttpTrigger1** is selected in the code editor. Replace the code for the **HttpTrigger1** function with the following code and select **Save**:

+ using Microsoft.Azure.Devices.Shared; // For TwinCollection

+ using Microsoft.Azure.Devices.Provisioning.Service; // For TwinState

+ string[] hubs = data?.linkedHubs?.ToObject<string[]>();

+ // This is a Contoso Toaster Model 007

+ if (regId.Contains("-contoso-tstrsd-007"))

+ //Find the "-toasters-" IoT hub configured on the enrollment

+ if (hubString.Contains("-toasters-"))

+ obj.iotHubHostName = hubString;

+ if (obj.iotHubHostName == null)

+ {

+ message = "No toasters hub found for the enrollment.";

+ log.LogInformation(message);

+ fail = true;

+ }

+ else

+ {

+ // Specify the initial tags for the device.

+ TwinCollection tags = new TwinCollection();

+ tags["deviceType"] = "toaster";

+ // Specify the initial desired properties for the device.

+ TwinCollection properties = new TwinCollection();

+ properties["state"] = "ready";

+ properties["darknessSetting"] = "medium";

+ // Add the initial twin state to the response.

+ TwinState twinState = new TwinState(tags, properties);

+ obj.initialTwin = twinState;

+ }

+ // This is a Contoso Heat pump Model 008

+ else if (regId.Contains("-contoso-hpsd-088"))

+ {

+ //Find the "-heatpumps-" IoT hub configured on the enrollment

+ foreach(string hubString in hubs)

+ {

+ if (hubString.Contains("-heatpumps-"))

+ obj.iotHubHostName = hubString;

+ }

+ if (obj.iotHubHostName == null)

+ {

+ message = "No heat pumps hub found for the enrollment.";

+ log.LogInformation(message);

+ fail = true;

+ }

+ else

+ {

+ // Specify the initial tags for the device.

+ TwinCollection tags = new TwinCollection();

+ tags["deviceType"] = "heatpump";

+ // Specify the initial desired properties for the device.

+ TwinCollection properties = new TwinCollection();

+ properties["state"] = "on";

+ properties["temperatureSetting"] = "65";

+ // Add the initial twin state to the response.

+ TwinState twinState = new TwinState(tags, properties);

+ obj.initialTwin = twinState;

+ }

+ }

+ // Unrecognized device.

+ public TwinState initialTwin {get; set;}

+In this section, you'll create a new enrollment group that uses the custom allocation policy. For simplicity, this tutorial uses [Symmetric key attestation](concepts-symmetric-key-attestation.md) with the enrollment. For a more secure solution, consider using [X.509 certificate attestation](concepts-x509-attestation.md) with a chain of trust.

+3. On **Add Enrollment Group**, enter the following information, and select the **Save** button.

+ **Group name**: Enter **contoso-custom-allocated-devices**.

+ **Attestation Type**: Select **Symmetric Key**.

+ **Auto Generate Keys**: This checkbox should already be checked.

+ **Select how you want to assign devices to hubs**: Select **Custom (Use Azure Function)**.

+ **Subscription**: Select the subscription where you created your Azure Function.

+ **Function App**: Select your function app by name. **contoso-function-app-1098** was used in this example.

+ **Function**: Select the **HttpTrigger1** function.

+4. After saving the enrollment, reopen it and make a note of the **Primary Key**. You must save the enrollment first to have the keys generated. This key will be used to generate unique device keys for simulated devices later.

+Devices don't use the enrollment group's primary symmetric key directly. Instead, you use the primary key to derive a device key for each device. In this section, you create two unique device keys. One key will be used for a simulated toaster device. The other key will be used for a simulated heat pump device.

+To derive the device key, you use the enrollment group **Primary Key** you noted earlier to compute the [HMAC-SHA256](https://wikipedia.org/wiki/HMAC) of the device registration ID for each device and convert the result into Base64 format. For more information on creating derived device keys with enrollment groups, see the group enrollments section of [Symmetric key attestation](concepts-symmetric-key-attestation.md).

+For the example in this tutorial, use the following two device registration IDs and compute a device key for both devices. Both registration IDs have a valid suffix to work with the example code for the custom allocation policy:

+* **breakroom499-contoso-tstrsd-007**

+* **mainbuilding167-contoso-hpsd-088**

+The IoT extension for the Azure CLI provides the [`iot dps enrollment-group compute-device-key`](/cli/azure/iot/dps/enrollment-group#az-iot-dps-enrollment-group-compute-device-key) command for generating derived device keys. This command can be used on Windows-based or Linux systems, from PowerShell or a Bash shell.

+az iot dps enrollment-group compute-device-key --key oiK77Oy7rBw8YB6IS6ukRChAw+Yq6GC61RMrPLSTiOOtdI+XDu0LmLuNm11p+qv2I+adqGUdZHm46zXAQdZoOA== --registration-id breakroom499-contoso-tstrsd-007

+az iot dps compute-device-key --key oiK77Oy7rBw8YB6IS6ukRChAw+Yq6GC61RMrPLSTiOOtdI+XDu0LmLuNm11p+qv2I+adqGUdZHm46zXAQdZoOA== --registration-id mainbuilding167-contoso-hpsd-088

+> [!NOTE]

+> You can also supply the enrollment group ID rather than the symmetric key to the `iot dps enrollment-group compute-device-key` command. For example:

+>

+> ```azurecli

+> az iot dps enrollment-group compute-device-key -g contoso-us-resource-group --dps-name contoso-provisioning-service-1098 --enrollment-id contoso-custom-allocated-devices --registration-id breakroom499-contoso-tstrsd-007

+> ```

+Replace the value of **KEY** with the **Primary Key** you noted earlier.

+$REG_ID1='breakroom499-contoso-tstrsd-007'

+$REG_ID2='mainbuilding167-contoso-hpsd-088'

+$hmacsha256.key = [Convert]::FromBase64String($KEY)

+breakroom499-contoso-tstrsd-007 : JC8F96eayuQwwz+PkE7IzjH2lIAjCUnAa61tDigBnSs=

+mainbuilding167-contoso-hpsd-088 : 6uejA9PfkQgmYylj8Zerp3kcbeVrGZ172YLa7VSnJzg=

+If you're using a Linux workstation, you can use openssl to generate your derived device keys as shown in the following example.

+Replace the value of **KEY** with the **Primary Key** you noted earlier.

+REG_ID1=breakroom499-contoso-tstrsd-007

+REG_ID2=mainbuilding167-contoso-hpsd-088

+breakroom499-contoso-tstrsd-007 : JC8F96eayuQwwz+PkE7IzjH2lIAjCUnAa61tDigBnSs=

+mainbuilding167-contoso-hpsd-088 : 6uejA9PfkQgmYylj8Zerp3kcbeVrGZ172YLa7VSnJzg=

+The simulated devices will use the derived device keys with each registration ID to perform symmetric key attestation.

+## Prepare an Azure IoT C SDK development environment

+6. In the `main()` function, find the call to `Prov_Device_Register_Device()`. Just before that call, add the following lines of code that use [`Prov_Device_Set_Provisioning_Payload()`](/azure/iot-hub/iot-c-sdk-ref/prov-device-client-h/prov-device-set-provisioning-payload) to pass a custom JSON payload during provisioning. This can be used to provide more information to your custom allocation functions. This could also be used to pass the device type instead of examining the registration ID. For more information on sending and receiving custom data payloads with DPS, see [How to transfer payloads between devices and DPS](concepts-custom-allocation.md#use-device-payloads-in-custom-allocation).

+ prov_dev_set_symmetric_key_info("breakroom499-contoso-tstrsd-007", "JC8F96eayuQwwz+PkE7IzjH2lIAjCUnAa61tDigBnSs=");

+ The following output is an example of the simulated toaster device successfully booting up and connecting to the provisioning service instance to be assigned to the toasters IoT hub by the custom allocation policy:

+ Provisioning API Version: 1.8.0

+ Registration Information received from service: contoso-toasters-hub-1098.azure-devices.net, deviceId: breakroom499-contoso-tstrsd-007

+ The following output is example logging output from the custom allocation function code running for the toaster device. Notice a hub is successfully selected for a toaster device. Also notice the `payload` property that contains the custom JSON content you added to the code. This is available for your code to use within the `deviceRuntimeContext`.

+ This logging is available by clicking **Logs** under the function code in the portal:

+ ```output

+ 2022-08-03T20:34:41.178 [Information] Executing 'Functions.HttpTrigger1' (Reason='This function was programmatically called via the host APIs.', Id=12950752-6d75-4f41-844b-c253a6653d4f)

+ 2022-08-03T20:34:41.340 [Information] C# HTTP trigger function processed a request.

+ 2022-08-03T20:34:41.341 [Information] Request.Body:...

+ 2022-08-03T20:34:41.341 [Information] {"enrollmentGroup":{"enrollmentGroupId":"contoso-custom-allocated-devices","attestation":{"type":"symmetricKey"},"capabilities":{"iotEdge":false},"etag":"\"0000f176-0000-0700-0000-62eaad1e0000\"","provisioningStatus":"enabled","reprovisionPolicy":{"updateHubAssignment":true,"migrateDeviceData":true},"createdDateTimeUtc":"2022-08-03T17:15:10.8464255Z","lastUpdatedDateTimeUtc":"2022-08-03T17:15:10.8464255Z","allocationPolicy":"custom","iotHubs":["contoso-toasters-hub-1098.azure-devices.net","contoso-heatpumps-hub-1098.azure-devices.net"],"customAllocationDefinition":{"webhookUrl":"https://contoso-function-app-1098.azurewebsites.net/api/HttpTrigger1?****","apiVersion":"2021-10-01"}},"deviceRuntimeContext":{"registrationId":"breakroom499-contoso-tstrsd-007","currentIotHubHostName":"contoso-toasters-hub-1098.azure-devices.net","currentDeviceId":"breakroom499-contoso-tstrsd-007","symmetricKey":{},"payload":{"MyDeviceFirmwareVersion":"12.0.2.5","MyDeviceProvisioningVersion":"1.0.0.0"}},"linkedHubs":["contoso-toasters-hub-1098.azure-devices.net","contoso-heatpumps-hub-1098.azure-devices.net"]}

+ 2022-08-03T20:34:41.382 [Information] Response

+ 2022-08-03T20:34:41.398 [Information] {"iotHubHostName":"contoso-toasters-hub-1098.azure-devices.net","initialTwin":{"properties":{"desired":{"state":"ready","darknessSetting":"medium"}},"tags":{"deviceType":"toaster"}}}

+ 2022-08-03T20:34:41.399 [Information] Executed 'Functions.HttpTrigger1' (Succeeded, Id=12950752-6d75-4f41-844b-c253a6653d4f, Duration=227ms)

+ ```

+ prov_dev_set_symmetric_key_info("mainbuilding167-contoso-hpsd-088", "6uejA9PfkQgmYylj8Zerp3kcbeVrGZ172YLa7VSnJzg=");

+ The following output is an example of the simulated heat pump device successfully booting up and connecting to the provisioning service instance to be assigned to the Contoso heat pumps IoT hub by the custom allocation policy:

+ Provisioning API Version: 1.8.0

+ Registration Information received from service: contoso-heatpumps-hub-1098.azure-devices.net, deviceId: mainbuilding167-contoso-hpsd-088

+ Press enter key to exit:

+## Troubleshooting custom allocation policies

+The following table shows expected scenarios and the results error codes you might receive. Use this table to help troubleshoot custom allocation policy failures with your Azure Functions.

+| Scenario | Registration result from Provisioning Service | Provisioning SDK Results |

+| -- | | |

+| The webhook returns 200 OK with ΓÇÿiotHubHostNameΓÇÖ set to a valid IoT hub host name | Result status: Assigned | SDK returns PROV_DEVICE_RESULT_OK along with hub information |

+| The webhook returns 200 OK with ΓÇÿiotHubHostNameΓÇÖ present in the response, but set to an empty string or null | Result status: Failed<br><br> Error code: CustomAllocationIotHubNotSpecified (400208) | SDK returns PROV_DEVICE_RESULT_HUB_NOT_SPECIFIED |

+| The webhook returns 401 Unauthorized | Result status: Failed<br><br>Error code: CustomAllocationUnauthorizedAccess (400209) | SDK returns PROV_DEVICE_RESULT_UNAUTHORIZED |

+| An Individual Enrollment was created to disable the device | Result status: Disabled | SDK returns PROV_DEVICE_RESULT_DISABLED |

+| The webhook returns error code >= 429 | DPSΓÇÖ orchestration will retry a number of times. The retry policy is currently:<br><br>&nbsp;&nbsp;- Retry count: 10<br>&nbsp;&nbsp;- Initial interval: 1s<br>&nbsp;&nbsp;- Increment: 9s | SDK will ignore error and submit another get status message in the specified time |

+| The webhook returns any other status code | Result status: Failed<br><br>Error code: CustomAllocationFailed (400207) | SDK returns PROV_DEVICE_RESULT_DEV_AUTH_ERROR |

+If you plan to continue working with the resources created in this tutorial, you can leave them. If you don't plan to continue using the resources, use the following steps to delete all of the resources created in this tutorial to avoid unnecessary charges.

+The steps here assume you created all resources in this tutorial as instructed in the same resource group named **contoso-us-resource-group**.

+* To learn more about custom allocation policies, see

+ > [!div class="nextstepaction"]

+ > [Understand custom allocation policies](concepts-custom-allocation.md)

+ > [!div class="nextstepaction"]

+ > [IoT Hub Device reprovisioning concepts](concepts-device-reprovision.md)

+ > [!div class="nextstepaction"]

+ > [How to deprovision devices that were previously autoprovisioned](how-to-unprovision-devices.md)

+* Currently, [custom allocation policies with Azure Functions](concepts-custom-allocation.md) for DPS will not work when the Azure function is locked down to a VNET and private endpoints.

+To use the sample with a private endpoint, the highlighted code above would be changed to use the service endpoint for your DPS resource. For example, if your service endpoint was `mydps.azure-devices-provisioning.net`, the code would look as follows.

+Both Intel-based VMware ESXi [6.7](https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-67-installation-setup-guide.pdf) and [7.0](https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html) versions can host Azure IoT Edge for Linux on Windows on top of a Windows virtual machine.

+>[!NOTE]

+> Per [VMware KB2009916](https://kb.vmware.com/s/article/2009916), currently nested virtualization is limited to Microsoft Hyper-V, strictly for VBS only and not for virtualizing multiple VMs. We are working to extend this support to EFLOW.

+You can use the [IoT Hub Resource](/rest/api/iothub/iothubresource) REST API to create and manage Azure IoT hubs programmatically. This article shows you how to use the IoT Hub Resource to create an IoT hub using **Postman**. Alternatively, you can use **cURL**. If any of these REST commands fail, find help with the [IoT Hub API common error codes](/rest/api/iothub/common-error-codes).

+* [Azure PowerShell module](/powershell/azure/install-az-ps) or [Azure Cloud Shell](/azure/cloud-shell/overview)

+* [Postman](/rest/api/azure/#how-to-call-azure-rest-apis-with-postman) or [cURL](https://curl.se/)

+## Get an Azure access token

+1. In the Azure PowerShell cmdlet or Azure Cloud Shell, sign in and then retrieve a token with the following command. If you're using Cloud Shell you are already signed in, so skip this step.

+ ```azurecli-interactive

+ az account get-access-token --resource https://management.azure.com

+ ```

+ You should see a response in the console similar to this JSON (except the access token is long):

+ ```json

+ {

+ "accessToken": "eyJ ... pZA",

+ "expiresOn": "2022-09-16 20:57:52.000000",

+ "subscription": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",

+ "tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",

+ "tokenType": "Bearer"

+ }

+ ```

+1. In a new **Postman** request, from the **Auth** tab, select the **Type** dropdown list and choose **Bearer Token**.

+ :::image type="content" source="media/iot-hub-rm-rest/select-bearer-token.png" alt-text="Screenshot that shows how to select the Bearer Token type of authorization in **Postman**.":::

+1. Paste the access token into the field labeled **Token**.

+Keep in mind the access token expires after 5-60 minutes, so you may need to generate another one.

+## Create an IoT hub

+1. Select the REST command dropdown list and choose the PUT command. Copy the URL below, replacing the values in the `{}` with your own values. The `{resourceName}` value is the name you'd like for your new IoT hub. Paste the URL into the field next to the PUT command.

+ ```rest

+ PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}?api-version=2021-04-12

+ ```

+ :::image type="content" source="media/iot-hub-rm-rest/paste-put-command.png" alt-text="Screenshot that shows how to add a PUT command in Postman.":::

+ See the [PUT command in the IoT Hub Resource](/rest/api/iothub/iot-hub-resource/create-or-update?tabs=HTTP).

+1. From the **Body** tab, select **raw** and **JSON** from the dropdown lists.

+ :::image type="content" source="media/iot-hub-rm-rest/add-body-for-put.png" alt-text="Screenshot that shows how to add JSON to the body of your request in Postman.":::

+1. Copy the following JSON, replacing values in `<>` with your own. Paste the JSON into the box in **Postman** on the **Body** tab. Make sure your IoT hub name matches the one in your PUT URL. Change the location to your location (the location assigned to your resource group).

+ ```json

+ "name": "<my-iot-hub>",

+ "location": "<region>",

+ "tags": {},

+ "properties": {},

+ "sku": {

+ "name": "S1",

+ "tier": "Standard",

+ "capacity": 1

+ }

+ See the [PUT command in the IoT Hub Resource](/rest/api/iothub/iot-hub-resource/create-or-update?tabs=HTTP).

+1. Select **Send** to send your request and create a new IoT hub. A successful request will return a **201 Created** response with a JSON printout of your IoT hub specifications. You can save your request if you're using **Postman**.

+## View an IoT hub

+To see all the specifications of your new IoT hub, use a GET request. You can use the same URL that you used with the PUT request, but must erase the **Body** of that request (if not already blank) because a GET request can't have a body. Here's the GET request template:

+```rest

+GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}?api-version=2018-04-01

+```

+See the [GET command in the IoT Hub Resource](/rest/api/iothub/iot-hub-resource/get?tabs=HTTP).

+## Update an IoT hub

+Updating is as simple as using the same PUT request from when we created the IoT hub and editing the JSON body to contain parameters of your choosing. Edit the body of the request by adding a **tags** property, then run the PUT request.

+```json

+{

+ "name": "<my-iot-hub>",

+ "location": "westus2",

+ "tags": {

+ "Animal": "Cat"

+ },

+ "properties": {},

+ "sku": {

+ "name": "S1",

+ "tier": "Standard",

+ "capacity": 1

+ }

+}

+```

+```rest

+PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}?api-version=2018-04-01

+```

+The response will show the new tag added in the console. Remember, you may need to refresh your access token if too much time has passed since the last time you generated one.

+See the [PUT command in the IoT Hub Resource](/rest/api/iothub/iot-hub-resource/create-or-update?tabs=HTTP).

+Alternatively, use the [PATCH command in the IoT Hub Resource](/rest/api/iothub/iot-hub-resource/update?tabs=HTTP) to update tags.

+## Delete an IoT hub

+If you're only testing, you might want to clean up your resources and delete your new IoT hub, by sending a DELETE request. be sure to replace the values in `{}` with your own values. The `{resourceName}` value is the name of your IoT hub.

+```rest

+DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Devices/IotHubs/{resourceName}?api-version=2018-04-01

+```

+See the [DELETE command in the IoT Hub Resource](/rest/api/iothub/iot-hub-resource/delete?tabs=HTTP).

+* [Deploying AI to edge devices with Azure IoT Edge](../iot-edge/quickstart-linux.md)

+|DigitalSignature|sign, verify| Key Vault default without a usage specification at certificate creation time |

+|KeyEncipherment|wrapKey, unwrapKey| Key Vault default without a usage specification at certificate creation time |

+1. Admin creates requester credentials for Key Vault to enroll (and renew) TLS/SSL certificates

+1. On the page for your key vault, select **Certificates**.

+To complete this tutorial, you will need an Azure key vault. You can create a new key vault using one of these methods:

+ - [Create a key vault using the Azure CLI](quick-create-cli.md)

+ - [Create a key vault using Azure PowerShell](quick-create-powershell.md)

+ - [Create a key vault using the Azure portal](quick-create-portal.md)

+You will also need a destination for your logs. This can be an existing or new Azure storage account and/or Log Analytics workspace.

+> [!IMPORTANT]

+> If you use an existing Azure storage account or Log Analytics workspace, it must be in the same subscription as your key vault. It must also use the Azure Resource Manager deployment model, rather than the classic deployment model.

+>

+> If you create a new Azure storage account or Log Analytics workspace, we recommend you create it in the same resource group as your key vault, for ease of management.

+You can create a new Azure storage account using one of these methods:

+ - [Create a storage account using the Azure CLI](../../storage/common/storage-account-create.md?tabs=azure-cli)

+ - [Create a storage account using Azure PowerShell](../../storage/common/storage-account-create.md?tabs=azure-powershell)

+ - [Create a storage account using the Azure portal](../../storage/common/storage-account-create.md?tabs=azure-portal)

+You can create a new Log Analytics workspace using one of these methods:

+ - [Create a Log Analytics workspace using the Azure CLI](../../azure-monitor/logs/quick-create-workspace.md?tabs=azure-cli)

+ - [Create a Log Analytics workspace using Azure PowerShell](../../azure-monitor/logs/quick-create-workspace.md?tabs=azure-powershell)

+ - [Create a Log Analytics workspace the Azure portal](../../azure-monitor/logs/quick-create-workspace.md?tabs=azure-portal)

+## Obtain resource IDs

+To enable logging on a key vault, you will need the resource ID of the key vault, as well as the destination (Azure Storage or Log Analytics account).

+If you can't remember the name of your key vault, you can use the Azure CLI [az keyvault list](/cli/azure/keyvault#az-keyvault-list) command, or the Azure PowerShell [Get-AzKeyVault](/powershell/module/az.keyvault/get-azkeyvault) cmdlet, to find it.

+1. From the **Resource** pane menu, select **Diagnostic settings**, and then **Add diagnostic setting**

+1. Under **Category groups**, select both **audit** and **allLogs**.

+1. If Azure Log Analytics is the destination, select **Send to Log Analytics workspace** and choose your subscription and workspace from the drop-down menus. You may also select **Archive to a storage account** and choose your subscription and storage account from the drop-down menus.

+ :::image type="content" source="../media/diagnostics-portal-2.png" alt-text="Screenshot of diagnostic settings options.":::

+ :::image type="content" source="../media/diagnostics-portal-3.png" alt-text="Screenshot that shows how to save the options you selected.":::

+> [!NOTE]

+> Key vault secret, certificate, key scope role assignments should only be used for limited scenarios described [here](rbac-guide.md?i#best-practices-for-individual-keys-secrets-and-certificates-role-assignments) to comply with security best practices.

+> Virtual network support for Azure Load Testing is available in the following Azure regions: Australia East, East US, East US 2, North Europe, and South Central US.

+ Title: Overview

+description: Azure Logic Apps is a cloud platform for creating and running automated workflows that integrate apps, data, services, and systems using little to no code. Workflows can run in a multi-tenant, single-tenant, or dedicated environment.

+Azure Logic Apps is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems. With this platform, you can quickly develop highly scalable integration solutions for your enterprise and business-to-business (B2B) scenarios. As a member of [Azure Integration Services](https://azure.microsoft.com/product-categories/integration/), Azure Logic Apps simplifies the way that you connect legacy, modern, and cutting-edge systems across cloud, on premises, and hybrid environments. Learn more about [Azure Logic Apps on the Azure website](https://azure.microsoft.com/services/logic-apps).

+The following list describes just a few example tasks, business processes, and workloads that you can automate using Azure Logic Apps:

+Based on the logic app resource type that you choose, your logic app workflows can run in either multi-tenant Azure Logic Apps, single-tenant Azure Logic Apps, a dedicated integration service environment, or an App Service Environment (v3). With the last three environments, your workflows can access an Azure virtual network more easily. You can also run logic app workflows in containers when you create single tenant-based workflows using Azure Arc enabled Logic Apps.

+To communicate with any service endpoint, run your own code, organize your workflow, or manipulate data, you can use [*built-in* connector operations](#built-in-operations) in your workflow. These operations run natively on the Azure Logic Apps runtime. To securely access and run operations on data and entities in many services such as Azure, Microsoft, and other web apps or on-premises systems, you can use [*managed* (Azure-hosted) connector operations](#managed-connector) in your workflows. Choose from [many hundreds of connectors in an abundant and growing Azure ecosystem](/connectors/connector-reference/connector-reference-logicapps-connectors), for example:

+For more information, review the following documentation:

+* [Connectors overview for Azure Logic Apps](../connectors/apis-list.md)

+* [Managed connectors](../connectors/managed.md)

+* [Built-in connectors](../connectors/built-in.md)

+* [Single-tenant versus multi-tenant and integration service environment for Azure Logic Apps](single-tenant-overview-compare.md)

+* [What is Azure Arc enabled Logic Apps?](azure-arc-enabled-logic-apps-overview.md)

+> [!VIDEO https://learn.microsoft.com/Shows/Azure-Friday/Go-serverless-Enterprise-integration-with-Azure-Logic-Apps/player]

+The following list briefly defines terms and core concepts in Azure Logic Apps.

+A *logic app* is the Azure resource you create when you want to build a workflow. There are [multiple logic app resource types that run in different environments](#resource-environment-differences).

+In a logic app resource, each workflow always starts with a single [trigger](#trigger). A trigger fires when a condition is met, for example, when a specific event happens or when data meets specific criteria. Many triggers include [scheduling capabilities](concepts-schedule-automated-recurring-tasks-workflows.md) that control how often your workflow runs. After the trigger fires, one or more [actions](#action) run operations that process, handle, or convert data that travels through the workflow, or that advance the workflow to the next step.

+The following table briefly summarizes differences between the original **Logic App (Consumption)** resource type and the **Logic App (Standard)** resource type. You'll also learn the differences between the *single-tenant environment*, *multi-tenant environment*, *integration service environment* (ISE), and *App Service Environment v3 (ASEv3)* for deploying, hosting, and running your logic app workflows.

+Azure Logic Apps is fully managed by Microsoft Azure, which frees you from worrying about hosting, scaling, managing, monitoring, and maintaining solutions built with these services. When you use these capabilities to create ["serverless" apps and solutions](logic-apps-serverless-overview.md), you can just focus on the business logic and functionality. These services automatically scale to meet your needs, make integrations faster, and help you build robust cloud apps using little to no code.

+If you're creating a multi-tenant based logic app, get started faster when you [create a workflow from the templates gallery](logic-apps-create-logic-apps-from-templates.md). These templates are available for common workflow patterns, which range from simple connectivity for Software-as-a-Service (SaaS) apps to advanced B2B solutions plus "just for fun" templates.

+Create your logic apps as Azure Resource Manager templates so that you can [set up and automate deployments](logic-apps-azure-resource-manager-templates-overview.md) across multiple environments and regions.

+Businesses and organizations electronically communicate with each other by using industry-standard but different message protocols and formats, such as EDIFACT, AS2, X12, and RosettaNet. By using the [enterprise integration capabilities](logic-apps-enterprise-integration-overview.md) supported by Azure Logic Apps, you can create workflows that transform message formats used by trading partners into formats that your organization's systems can interpret and process. Azure Logic Apps handles these exchanges smoothly and securely with encryption and digital signatures.

+* Exchange messages using [EDIFACT](logic-apps-enterprise-integration-edifact.md), [AS2](logic-apps-enterprise-integration-as2.md), [X12](logic-apps-enterprise-integration-x12.md), and [RosettaNet](logic-apps-enterprise-integration-rosettanet.md) protocols.

+* Process [XML messages](logic-apps-enterprise-integration-xml.md) and [flat files](logic-apps-enterprise-integration-flatfile.md).

+* Create an [integration account](./logic-apps-enterprise-integration-create-integration-account.md) to store and manage B2B artifacts, such as [trading partners](logic-apps-enterprise-integration-partners.md), [agreements](logic-apps-enterprise-integration-agreements.md), [maps](logic-apps-enterprise-integration-maps.md), [schemas](logic-apps-enterprise-integration-schemas.md), and more.

+For example, if you use Microsoft BizTalk Server, your workflows can communicate with your BizTalk Server using the [BizTalk Server connector](../connectors/managed.md#on-premises-connectors). You can then run or extend BizTalk-like operations in your workflows by using [integration account connectors](../connectors/managed.md#integration-account-connectors). In the other direction, BizTalk Server can communicate with your workflows by using the [Microsoft BizTalk Server Adapter for Azure Logic Apps](https://www.microsoft.com/download/details.aspx?id=54287). Learn how to [set up and use the BizTalk Server Adapter](/biztalk/core/logic-app-adapter) in your BizTalk Server.

+If no suitable connector is available to run the code you want, you can create and call your own code snippets from your workflow by using [Azure Functions](../azure-functions/functions-overview.md). Or, create your own [APIs](logic-apps-create-api-app.md) and [custom connectors](custom-connector-overview.md) that you can call from your workflows.

+Logic app workflows can access secured resources such as virtual machines (VMs), other services, and systems that are inside an [Azure virtual network](../virtual-network/virtual-networks-overview.md) when you create an [*integration service environment* (ISE)](connect-virtual-network-vnet-isolated-environment-overview.md). An ISE is a dedicated instance of the Azure Logic Apps service that uses dedicated resources and runs separately from the global multi-tenant Azure Logic Apps service.

+* Increased limits on run duration, storage retention, throughput, HTTP request and response timeouts, message sizes, and custom connector requests. For more information, review [Limits and configuration for Azure Logic Apps](logic-apps-limits-and-config.md).

+When you create an ISE, Azure *injects* or deploys that ISE into your Azure virtual network. You can then use this ISE as the location for the logic apps and integration accounts that need access. For more information about creating an ISE, review [Connect to Azure virtual networks from Azure Logic Apps](connect-virtual-network-vnet-isolated-environment.md).

+Each logic app resource type, which differs by capabilities and where they run (multi-tenant, single-tenant, integration service environment), has a different [pricing model](logic-apps-pricing.md). For example, multi-tenant based logic apps use consumption pricing, while logic apps in an integration service environment use fixed pricing. Learn more about [pricing and metering](logic-apps-pricing.md) for Azure Logic Apps.

+* [Create a multi-tenant based logic app in the Azure portal](quickstart-create-first-logic-app-workflow.md)

+* [Quickstart: Create your first logic app workflow](quickstart-create-first-logic-app-workflow.md)

+With MLflow Tracking, you can connect Azure Machine Learning as the back end of your MLflow experiments. The workspace provides a centralized, secure, and scalable location to store training metrics and models.

+Capabilities include:

+You can also use MLflow to [Query & compare experiments and runs with MLflow](how-to-track-experiments-mlflow.md).

+> [!IMPORTANT]

+> - MLflow in R support is limited to tracking experiment's metrics, parameters and models on Azure Machine Learning jobs. Interactive training on RStudio or Jupyter Notebooks with R kernels is not supported. Model management and registration is not supported using the MLflow R SDK. As an alternative, use Azure ML CLI or Azure ML studio for model registration and management. View the following [R example about using the MLflow tracking client with Azure Machine Learning](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/single-step/r).

+> - MLflow in Java support is limited to tracking experiment's metrics and parameters on Azure Machine Learning jobs. Artifacts and models can't be tracked using the MLflow Java SDK. As an alternative, use the `Outputs` folder in jobs along with the method `mlflow.save_model` to save models (or artifacts) you want to capture. View the following [Java example about using the MLflow tracking client with the Azure Machine Learning](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/single-step/java/iris).

+| Retrieve metrics, parameters, and models | **&check;** | <sup>1</sup> | **&check;** |

+| Submit training jobs with MLflow projects | **&check;** <sup>2</sup> | | |

+| Submit training jobs by using machine learning pipelines | | **&check;** | **&check;** |

+| Manage experiments and runs | **&check;** | **&check;** | **&check;** |

+| Deploy MLflow models to Azure Machine Learning (Online & Batch) | **&check;**<sup>4</sup> | **&check;** | **&check;** |

+> - <sup>1</sup> Only artifacts and models can be downloaded.

+> - <sup>2</sup> On preview.

+> - <sup>3</sup> Some operations may not be supported. View [Manage model registries in Azure Machine Learning with MLflow](how-to-manage-models-mlflow.md) for details.

+> - <sup>4</sup> Deployment of MLflow models to batch inference by using the MLflow SDK is not possible at the moment. View [Deploy MLflow models to Azure Machine Learning](how-to-deploy-mlflow-models.md) for details.

+## Next steps

+* [Track machine learning experiments and models running locally or in the cloud](how-to-use-mlflow-cli-runs.md) with MLflow in Azure Machine Learning.

+> [!IMPORTANT]

+> Items marked (preview) in this article are currently in public preview.

+> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+Additionally, we are excited to offer Azure DSVM for PyTorch (preview), which is an Ubuntu 20.04 image from Azure Marketplace that is optimized for large, distributed deep learning workloads. It comes preinstalled and validated with the latest PyTorch version to reduce setup costs and accelerate time to value. It comes packaged with various optimization functionalities (ONNX Runtime​, DeepSpeed​, MSCCL​, ORTMoE​, Fairscale​, Nvidia Apex​), as well as an up-to-date stack with the latest compatible versions of Ubuntu, Python, PyTorch, CUDA.

+The following table is a summary of Azure Machine Learning activities and the permissions required to perform them at the least scope. For example, if an activity can be performed with a workspace scope (Column 4), then all higher scope with that permission will also work automatically. Note that for certain activities the permissions differ between V1 and V2 APIs.

+| Submitting any type of run (V1) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/*/read", "/workspaces/environments/write", "/workspaces/experiments/runs/write", "/workspaces/metadata/artifacts/write", "/workspaces/metadata/snapshots/write", "/workspaces/environments/build/action", "/workspaces/experiments/runs/submit/action", "/workspaces/environments/readSecrets/action"` |

+| Submitting any type of run (V2) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/*/read", "/workspaces/environments/write", "/workspaces/jobs/*", "/workspaces/metadata/artifacts/write", "/workspaces/metadata/codes/*/write", "/workspaces/environments/build/action", "/workspaces/environments/readSecrets/action"` |

+| Publishing pipelines and endpoints (V1) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/endpoints/pipelines/*", "/workspaces/pipelinedrafts/*", "/workspaces/modules/*"` |

+| Publishing pipelines and endpoints (V2) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/endpoints/pipelines/*", "/workspaces/pipelinedrafts/*", "/workspaces/components/*"` |

+### Differences between actions for V1 and V2 APIs

+There are certain differences between actions for V1 APIs and V2 APIs.

+| Asset | Action path for V1 API | Action path for V2 API

+| -- | -- | -- |

+| Dataset | Microsoft.MachineLearningServices/workspaces/datasets | Microsoft.MachineLearningServices/workspaces/datasets/versions |

+| Experiment runs and jobs | Microsoft.MachineLearningServices/workspaces/experiments | Microsoft.MachineLearningServices/workspaces/jobs |

+| Models | Microsoft.MachineLearningServices/workspaces/models | Microsoft.MachineLearningServices/workspaces/models/verstions |

+| Snapshots and code | Microsoft.MachineLearningServices/workspaces/snapshots | Microsoft.MachineLearningServices/workspaces/codes/versions |

+| Modules and components | Microsoft.MachineLearningServices/workspaces/modules | Microsoft.MachineLearningServices/workspaces/components |

+You can make custom roles compatible with both V1 and V2 APIs by including both actions, or using wildcards that include both actions, for example Microsoft.MachineLearningServices/workspaces/datasets/*/read.

+| (V1) List, read, create, update or delete experiments | `Microsoft.MachineLearningServices/workspaces/experiments/*` |

+| (V2) List, read, create, update or delete jobs | `Microsoft.MachineLearningServices/workspaces/jobs/*` |

+| Get registered model by name, fetch a list of all registered models in the registry, search for registered models, latest version models for each requests stage, get a registered model's version, search model versions, get URI where a model version's artifacts are stored, search for runs by experiment ids | `Microsoft.MachineLearningServices/workspaces/models/*/read` |

+| Create a new registered model, update a registered model's name/description, rename existing registered model, create new version of the model, update a model version's description, transition a registered model to one of the stages | `Microsoft.MachineLearningServices/workspaces/models/*/write` |

+| Delete a registered model along with all its version, delete specific versions of a registered model | `Microsoft.MachineLearningServices/workspaces/models/*/delete` |

+ "Microsoft.MachineLearningServices/workspaces/models/*/write",

+ "Microsoft.MachineLearningServices/workspaces/components/*/write",

+ "Microsoft.MachineLearningServices/workspaces/datasets/*/write",

+ "Microsoft.MachineLearningServices/workspaces/datasets/*/delete",

+ "Microsoft.MachineLearningServices/workspaces/experiments/*",

+ "Microsoft.MachineLearningServices/workspaces/jobs/*",

+ "Microsoft.MachineLearningServices/workspaces/models/*"

+ "Microsoft.MachineLearningServices/workspaces/components/read",

+ "Microsoft.MachineLearningServices/workspaces/datasets/*/read",

+ "Microsoft.MachineLearningServices/workspaces/experiments/runs/read",

+ "Microsoft.MachineLearningServices/workspaces/experiments/runs/submit/action",

+ "Microsoft.MachineLearningServices/workspaces/experiments/jobs/read",

+ "Microsoft.MachineLearningServices/workspaces/experiments/jobs/write",

+ "Microsoft.MachineLearningServices/workspaces/metadata/codes/*/write",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/update/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/update/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/approve_unapprove/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/approve_unapprove/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/reject/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/update/action",

+ "Microsoft.MachineLearningServices/workspaces/labeling/labels/approve_unapprove/action",

+* Detect the non-stationary time series and automatically differencing them to mitigate the impact of unit roots.

+ Title: Manage workspaces in portal or Python SDK (v2)

+description: Learn how to manage Azure Machine Learning workspaces in the Azure portal or with the SDK for Python (v2).

+# Manage Azure Machine Learning workspaces in the portal or with the Python SDK (v2)

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning SDK you are using:"]

+> * [v1](v1/how-to-manage-workspace.md)

+> * [v2 (preview)](how-to-manage-workspace.md)

+In this article, you create, view, and delete [**Azure Machine Learning workspaces**](concept-workspace.md) for [Azure Machine Learning](overview-what-is-azure-machine-learning.md), using the [Azure portal](https://portal.azure.com) or the [SDK for Python](/python/api/overview/azure/ml/).

+As your needs change or requirements for automation increase you can also manage workspaces [using the CLI](how-to-manage-workspace-cli.md), or [via the VS Code extension](how-to-setup-vs-code.md).

+* If using the Python SDK:

+ 1. [Install the SDK v2](https://aka.ms/sdk-v2-install).

+ 1. Provide your subscription details

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=subscription_id)]

+ 1. Get a handle to the subscription. `ml_client` will be used in all the Python code in this article.

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=ml_client)]

+

+ * (Optional) If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use into the `DefaultAzureCredential`. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Azure Active Directory, External Identities**.

+

+ ```python

+ DefaultAzureCredential(interactive_browser_tenant_id="<TENANT_ID>")

+ ```

+

+ * (Optional) If you're working on a [sovereign cloud](reference-machine-learning-cloud-parity.md)**, specify the sovereign cloud to authenticate with into the `DefaultAzureCredential`..

+

+ ```python

+ from azure.identity import AzureAuthorityHosts

+ DefaultAzureCredential(authority=AzureAuthorityHosts.AZURE_GOVERNMENT))

+ ```

+* By default, creating a workspace also creates an Azure Container Registry (ACR). Since ACR doesn't currently support unicode characters in resource group names, use a resource group that doesn't contain these characters.

+* Azure Machine Learning doesn't support hierarchical namespace (Azure Data Lake Storage Gen2 feature) for the workspace's default storage account.

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=basic_workspace_name)]

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=basic_ex_workspace_name)]

+For more information, see [Workspace SDK reference](/python/api/azure-ai-ml/azure.ai.ml.entities.workspace).

+ :::image type="content" source="media/how-to-manage-workspace/create-workspace.gif" alt-text="Screenshot show how to create a workspace in Azure portal.":::

+ | Container Registry | The Azure Container Registry for the workspace. By default, a new one isn't_ initially created for the workspace. Instead, it's created once you need it when creating a Docker image during training or deployment. |

+[!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=basic_private_link_workspace_name)]

+

+This class requires an existing virtual network.

+1. The default network configuration is to use a __Public endpoint__, which is accessible on the public internet. To limit access to your workspace to an Azure Virtual Network you've created, you can instead select __Private endpoint__ as the __Connectivity method__, and then use __+ Add__ to configure the endpoint.

+1. When you're finished configuring networking, you can select __Review + Create__, or advance to the optional __Advanced__ configuration.

+#### Use your own data encryption key

+You can provide your own key for data encryption. Doing so creates the Azure Cosmos DB instance that stores metadata in your Azure subscription. For more information, see [Customer-managed keys](concept-customer-managed-keys.md).

+from azure.ai.ml.entities import Workspace, CustomerManagedKey

+# specify the workspace details

+ws = Workspace(

+ name="my_workspace",

+ location="eastus",

+ display_name="My workspace",

+ description="This example shows how to create a workspace",

+ customer_managed_key=CustomerManagedKey(

+ key_vault="/subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RESOURCE_GROUP>/providers/microsoft.keyvault/vaults/<VAULT_NAME>"

+ key_uri="<KEY-IDENTIFIER>"

+ )

+ tags=dict(purpose="demo")

+)

+ml_client.workspaces.begin_create(ws)

+If you'll be running your code on a [compute instance](quickstart-create-resources.md), skip this step. The compute instance will create and store copy of this file for you.

+If you plan to use code on your local environment that references this workspace, download the file:

+1. Select your workspace in [Azure studio](https://ml.azure.com)

+1. At the top right, select the workspace name, then select **Download config.json**

+When running machine learning tasks using the SDK, you require a MLClient object that specifies the connection to your workspace. You can create an `MLClient` object from parameters, or with a configuration file.

+* **With a configuration file:** This code will read the contents of the configuration file to find your workspace. You'll get a prompt to sign in if you aren't already authenticated.

+ from azure.ai.ml import MLClient

+ # read the config from the current directory

+ ws_from_config = MLClient.from_config()

+* **From parameters**: There's no need to have a config.json file available if you use this approach.

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=ws)]

+## Find a workspace

+See a list of all the workspaces you can use.

+You can also search for workspace inside studio. See [Search for Azure Machine Learning assets (preview)](how-to-search-assets.md).

+[!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=my_ml_client)]

+[!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=ws_name)]

+To get details of a specific workspace:

+[!notebook-python[](~/azureml-examples-main/sdk/resources/workspace/workspace.ipynb?name=ws_location)]

+ml_client.workspaces.begin_delete(name=ws_basic.name, delete_dependent_resources=True)

+The default action isn't to delete resources associated with the workspace, that is, container registry, storage account, key vault, and application insights. Set `delete_dependent_resources` to True to delete these resources as well.

+Examples in this article come from [workspace.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/resources/workspace/workspace.ipynb).

+| Azure portal/</br>Python SDK | [Create and manage a workspace](how-to-manage-workspace.md#use-your-own-data-encryption-key) |

+* [Create and manage a workspace](how-to-manage-workspace.md#use-your-own-data-encryption-key) |

+1. [View your workspace](../how-to-manage-workspace.md#find-a-workspace).

+1. [View your workspace](../how-to-manage-workspace.md#find-a-workspace).

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning CLI extension you are using:"]

+ Title: Manage workspaces in portal or Python SDK (v1)

+description: Learn how to manage Azure Machine Learning workspaces in the Azure portal or with the SDK for Python (v1).

+# Manage Azure Machine Learning workspaces with the Python SDK (v1)

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning SDK you are using:"]

+> * [v1](how-to-manage-workspace.md)

+> * [v2 (preview)](../how-to-manage-workspace.md)

+In this article, you create, view, and delete [**Azure Machine Learning workspaces**](../concept-workspace.md) for [Azure Machine Learning](../overview-what-is-azure-machine-learning.md), using the [SDK for Python](/python/api/overview/azure/ml/).

+As your needs change or requirements for automation increase you can also manage workspaces [using the CLI](reference-azure-machine-learning-cli.md), or [via the VS Code extension](../how-to-setup-vs-code.md).

+## Prerequisites

+* An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/) today.

+* If using the Python SDK, [install the SDK](/python/api/overview/azure/ml/install).

+## Limitations

+* By default, creating a workspace also creates an Azure Container Registry (ACR). Since ACR doesn't currently support unicode characters in resource group names, use a resource group that doesn't contain these characters.

+* Azure Machine Learning doesn't support hierarchical namespace (Azure Data Lake Storage Gen2 feature) for the workspace's default storage account.

+## Create a workspace

+You can create a workspace [directly in Azure Machine Learning studio](../quickstart-create-resources.md#create-the-workspace), with limited options available. Or use one of the methods below for more control of options.

+* **Default specification.** By default, dependent resources and the resource group will be created automatically. This code creates a workspace named `myworkspace` and a resource group named `myresourcegroup` in `eastus2`.

+

+ [!INCLUDE [sdk v1](../../../includes/machine-learning-sdk-v1.md)]

+ ```python

+ from azureml.core import Workspace

+

+ ws = Workspace.create(name='myworkspace',

+ subscription_id='<azure-subscription-id>',

+ resource_group='myresourcegroup',

+ create_resource_group=True,

+ location='eastus2'

+ )

+ ```

+ Set `create_resource_group` to False if you have an existing Azure resource group that you want to use for the workspace.

+* **Multiple tenants.** If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Azure Active Directory, External Identities**.

+ [!INCLUDE [sdk v1](../../../includes/machine-learning-sdk-v1.md)]

+ ```python

+ from azureml.core.authentication import InteractiveLoginAuthentication

+ from azureml.core import Workspace

+

+ interactive_auth = InteractiveLoginAuthentication(tenant_id="my-tenant-id")

+ ws = Workspace.create(name='myworkspace',

+ subscription_id='<azure-subscription-id>',

+ resource_group='myresourcegroup',

+ create_resource_group=True,

+ location='eastus2',

+ auth=interactive_auth

+ )

+ ```

+* **[Sovereign cloud](../reference-machine-learning-cloud-parity.md)**. You'll need extra code to authenticate to Azure if you're working in a sovereign cloud.

+

+ [!INCLUDE [sdk v1](../../../includes/machine-learning-sdk-v1.md)]

+ ```python

+ from azureml.core.authentication import InteractiveLoginAuthentication

+ from azureml.core import Workspace

+

+ interactive_auth = InteractiveLoginAuthentication(cloud="<cloud name>") # for example, cloud="AzureUSGovernment"

+ ws = Workspace.create(name='myworkspace',

+ subscription_id='<azure-subscription-id>',

+ resource_group='myresourcegroup',

+ create_resource_group=True,

+ location='eastus2',

+ auth=interactive_auth

+ )

+ ```

+* **Use existing Azure resources**. You can also create a workspace that uses existing Azure resources with the Azure resource ID format. Find the specific Azure resource IDs in the Azure portal or with the SDK. This example assumes that the resource group, storage account, key vault, App Insights, and container registry already exist.

+

+ [!INCLUDE [sdk v1](../../../includes/machine-learning-sdk-v1.md)]

+ ```python

+ import os

+ from azureml.core import Workspace

+ from azureml.core.authentication import ServicePrincipalAuthentication

+ service_principal_password = os.environ.get("AZUREML_PASSWORD")

+ service_principal_auth = ServicePrincipalAuthentication(

+ tenant_id="<tenant-id>",

+ username="<application-id>",

+ password=service_principal_password)

+ auth=service_principal_auth,

+ subscription_id='<azure-subscription-id>',

+ resource_group='myresourcegroup',

+ create_resource_group=False,

+ location='eastus2',

+ friendly_name='My workspace',

+ storage_account='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.storage/storageaccounts/mystorageaccount',

+ key_vault='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.keyvault/vaults/mykeyvault',

+ app_insights='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.insights/components/myappinsights',

+ container_registry='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.containerregistry/registries/mycontainerregistry',

+ exist_ok=False)

+ ```

+For more information, see [Workspace SDK reference](/python/api/azureml-core/azureml.core.workspace.workspace).

+If you have problems in accessing your subscription, see [Set up authentication for Azure Machine Learning resources and workflows](how-to-setup-authentication.md), as well as the [Authentication in Azure Machine Learning](https://aka.ms/aml-notebook-auth) notebook.

+### Networking

+> [!IMPORTANT]

+> For more information on using a private endpoint and virtual network with your workspace, see [Network isolation and privacy](how-to-network-security-overview.md).

+The Azure Machine Learning Python SDK provides the [PrivateEndpointConfig](/python/api/azureml-core/azureml.core.privateendpointconfig) class, which can be used with [Workspace.create()](/python/api/azureml-core/azureml.core.workspace.workspace#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basictags-none--friendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--adb-workspace-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--private-endpoint-config-none--private-endpoint-auto-approval-true--exist-ok-false--show-output-true-) to create a workspace with a private endpoint. This class requires an existing virtual network.

+### Advanced

+By default, metadata for the workspace is stored in an Azure Cosmos DB instance that Microsoft maintains. This data is encrypted using Microsoft-managed keys.

+To limit the data that Microsoft collects on your workspace, select __High business impact workspace__ in the portal, or set `hbi_workspace=true ` in Python. For more information on this setting, see [Encryption at rest](../concept-data-encryption.md#encryption-at-rest).

+> [!IMPORTANT]

+> Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.

+#### Use your own data encryption key

+You can provide your own key for data encryption. Doing so creates the Azure Cosmos DB instance that stores metadata in your Azure subscription. For more information, see [Customer-managed keys for Azure Machine Learning](../concept-customer-managed-keys.md).

+Use the following steps to provide your own key:

+> [!IMPORTANT]

+> Before following these steps, you must first perform the following actions:

+>

+> Follow the steps in [Configure customer-managed keys](../how-to-setup-customer-managed-keys.md) to:

+> * Register the Azure Cosmos DB provider

+> * Create and configure an Azure Key Vault

+> * Generate a key

+Use `cmk_keyvault` and `resource_cmk_uri` to specify the customer managed key.

+```python

+from azureml.core import Workspace

+ ws = Workspace.create(name='myworkspace',

+ subscription_id='<azure-subscription-id>',

+ resource_group='myresourcegroup',

+ create_resource_group=True,

+ location='eastus2'

+ cmk_keyvault='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.keyvault/vaults/<keyvault-name>',

+ resource_cmk_uri='<key-identifier>'

+ )

+```

+### Download a configuration file

+If you'll be using a [compute instance](../quickstart-create-resources.md) in your workspace to run your code, skip this step. The compute instance will create and store a copy of this file for you.

+If you plan to use code on your local environment that references this workspace (`ws`), write the configuration file:

+

+```python

+ws.write_config()

+```

+Place the file into the directory structure with your Python scripts or Jupyter Notebooks. It can be in the same directory, a subdirectory named *.azureml*, or in a parent directory. When you create a compute instance, this file is added to the correct directory on the VM for you.

+## Connect to a workspace

+In your Python code, you create a workspace object to connect to your workspace. This code will read the contents of the configuration file to find your workspace. You'll get a prompt to sign in if you aren't already authenticated.

+

+```python

+from azureml.core import Workspace

+ws = Workspace.from_config()

+```

+* **Multiple tenants.** If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use. Find your tenant ID from the [Azure portal](https://portal.azure.com) under **Azure Active Directory, External Identities**.

+

+ [!INCLUDE [sdk v1](../../../includes/machine-learning-sdk-v1.md)]

+ ```python

+ from azureml.core.authentication import InteractiveLoginAuthentication

+ from azureml.core import Workspace

+

+ interactive_auth = InteractiveLoginAuthentication(tenant_id="my-tenant-id")

+ ws = Workspace.from_config(auth=interactive_auth)

+ ```

+* **[Sovereign cloud](../reference-machine-learning-cloud-parity.md)**. You'll need extra code to authenticate to Azure if you're working in a sovereign cloud.

+ [!INCLUDE [sdk v1](../../../includes/machine-learning-sdk-v1.md)]

+ ```python

+ from azureml.core.authentication import InteractiveLoginAuthentication

+ from azureml.core import Workspace

+

+ interactive_auth = InteractiveLoginAuthentication(cloud="<cloud name>") # for example, cloud="AzureUSGovernment"

+ ws = Workspace.from_config(auth=interactive_auth)

+ ```

+

+If you have problems in accessing your subscription, see [Set up authentication for Azure Machine Learning resources and workflows](../how-to-setup-authentication.md), as well as the [Authentication in Azure Machine Learning](https://aka.ms/aml-notebook-auth) notebook.

+## Find a workspace

+See a list of all the workspaces you can use.

+Find your subscriptions in the [Subscriptions page in the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade). Copy the ID and use it in the code below to see all workspaces available for that subscription.

+```python

+from azureml.core import Workspace

+Workspace.list('<subscription-id>')

+```

+The Workspace.list(..) method doesn't return the full workspace object. It includes only basic information about existing workspaces in the subscription. To get a full object for specific workspace, use Workspace.get(..).

+## Delete a workspace

+When you no longer need a workspace, delete it.

+If you accidentally deleted your workspace, you may still be able to retrieve your notebooks. For details, see [Failover for business continuity and disaster recovery](../how-to-high-availability-machine-learning.md#workspace-deletion).

+Delete the workspace `ws`:

+

+```python

+ws.delete(delete_dependent_resources=False, no_wait=False)

+```

+The default action isn't to delete resources associated with the workspace, that is, container registry, storage account, key vault, and application insights. Set `delete_dependent_resources` to True to delete these resources as well.

+## Clean up resources

+## Troubleshooting

+* **Supported browsers in Azure Machine Learning studio**: We recommend that you use the most up-to-date browser that's compatible with your operating system. The following browsers are supported:

+ * Microsoft Edge (The new Microsoft Edge, latest version. Not Microsoft Edge legacy)

+ * Safari (latest version, Mac only)

+ * Chrome (latest version)

+ * Firefox (latest version)

+* **Azure portal**:

+ * If you go directly to your workspace from a share link from the SDK or the Azure portal, you can't view the standard **Overview** page that has subscription information in the extension. In this scenario, you also can't switch to another workspace. To view another workspace, go directly to [Azure Machine Learning studio](https://ml.azure.com) and search for the workspace name.

+ * All assets (Data, Experiments, Computes, and so on) are available only in [Azure Machine Learning studio](https://ml.azure.com). They're *not* available from the Azure portal.

+ * Attempting to export a template for a workspace from the Azure portal may return an error similar to the following text: `Could not get resource of the type <type>. Resources of this type will not be exported.` As a workaround, use one of the templates provided at [https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices) as the basis for your template.

+### Workspace diagnostics

+### Resource provider errors

+

+### Deleting the Azure Container Registry

+The Azure Machine Learning workspace uses Azure Container Registry (ACR) for some operations. It will automatically create an ACR instance when it first needs one.

+## Next steps

+Once you have a workspace, learn how to [Train and deploy a model](tutorial-train-deploy-notebook.md).

+To learn more about planning a workspace for your organization's requirements, see [Organize and set up Azure Machine Learning](/azure/cloud-adoption-framework/ready/azure-best-practices/ai-machine-learning-resource-organization).

+* If you need to move a workspace to another Azure subscription, see [How to move a workspace](../how-to-move-workspace.md).

+* To find a workspace, see [Search for Azure Machine Learning assets (preview)](../how-to-search-assets.md).

+For information on how to keep your Azure ML up to date with the latest security updates, see [Vulnerability management](../concept-vulnerability-management.md).

+You can [download our TTK](/azure/azure-resource-manager/templates/test-toolkit) and test your offers locally before you submit them to ensure that they will pass once you go live.

+Asia Pacific | East Asia

+Yes, read replicas are supported for HA servers.</br>

+>[!IMPORTANT]

+>Read Replica on HA server uses storage based replication technology, which no longer uses 'SLAVE_IO_RUNNING' metric available in MySQL's 'SHOW SLAVE STATUS' command. The value of it will always be displayed as "No" and is not indicative of replication status.

+>

+> When you **Stop** the server it remains in that state for the next 30 days in a stretch. If you do not manually **Start** it during this time, the server will automatically be started at the end of 30 days. You can chose to **Stop** it again if you are not using the server.

+- **Read replica for HA enabled Azure Database for MySQL - Flexible Server (General Availability)**

+ The read replica feature allows you to replicate data from an Azure Database for MySQL flexible server to a read-only server. You can replicate the source server to up to 10 replicas. This functionality is now extended to support HA enabled servers within same region.[Learn more](concepts-read-replicas.md)

+- **Azure Active Directory authentication for Azure Database for MySQL ΓÇô Flexible Server (Public Preview)**

+ You can now authenticate to Azure Database for MySQL - Flexible server using Microsoft Azure Active Directory (Azure AD) using identities. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. [Learn More](concepts-azure-ad-authentication.md)

+If you followed steps mentioned under [Create a combined CA certificate](#create-a-combined-ca-certificate) below, you can continue to connect as long as **BaltimoreCyberTrustRoot certificate is not removed** from the combined CA certificate. **To maintain connectivity, we recommend that you retain the BaltimoreCyberTrustRoot in your combined CA certificate until further notice.**

+## September 2022

+Clients’ devices using SSL to connect to Azure Database for MySQL – Single Server instances must have their CA certificates updated. To address compliance requirements, starting October 2022 the CA certificates were changed from BaltimoreCyberTrustRoot to DigiCertGlobalRootG2.

+To avoid interruption of your application's availability as a result of certificates being unexpectedly revoked, or to update a certificate that has been revoked, use the steps explained in the [article](./concepts-certificate-rotation.md#create-a-combined-ca-certificate), to maintain connectivity.

+Use the steps mentioned to [create a combined certificate](./concepts-certificate-rotation.md#create-a-combined-ca-certificate) and connect to your server but do not remove BaltimoreCyberTrustRoot certificate until we send a communication to remove it.

+Azure Database for PostgreSQL Single Server planning the root certificate change starting **October, 2022 (10/2022)** as part of standard maintenance and security best practices. This article gives you more details about the changes, the resources affected, and the steps needed to ensure that your application maintains connectivity to your database server.

+Historically, Azure database for PostgreSQL users could only use the predefined certificate to connect to their PostgreSQL server, which is located [here](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem). However, [Certificate Authority (CA) Browser forum](https://cabforum.org/) recently published reports of multiple certificates issued by CA vendors to be non-compliant.

+The new certificate is rolled out and in effect starting October, 2022 (10/2022).

+## What change will be performed starting October 2022 (10/2022)?

+Starting October 2022, the [BaltimoreCyberTrustRoot root certificate](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) will be replaced with a **compliant version** known as [DigiCertGlobalRootG2 root certificate ](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem). If your applications take advantage of **verify-ca** or **verify-full** as value of [**sslmode** parameter](https://www.postgresql.org/docs/current/libpq-ssl.html) in the database client connectivity will need to follow directions below to add new certificates to certificate store to maintain connectivity.

+There are no code or application changes required on client side. if you follow our previous recommendation below, you will still be able to continue to connect as long as **BaltimoreCyberTrustRoot certificate isn't removed** from the combined CA certificate. **We recommend to not remove the BaltimoreCyberTrustRoot from your combined CA certificate until further notice to maintain connectivity.**

+* Optionally, to prevent future disruption, it is also recommended to add the following roots to the trusted store:

+ * [DigiCert Global Root G3](https://www.digicert.com/kb/digicert-root-certificates.htm) (thumbprint: 7e04de896a3e666d00e687d33ffad93be83d349e)

+ * [Microsoft RSA Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt) (thumbprint: 73a5e64a3bff8316ff0edccc618a906e4eae4d74)

+ * [Microsoft ECC Root Certificate Authority 2017](https://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt) (thumbprint: 999a64c37ff47d9fab95f14769891460eec4c3c5)

+ * For .NET (Npgsql) users on Windows, make sure **Baltimore CyberTrust Root** and **DigiCert Global Root G2** both exist in Windows Certificate Store, Trusted Root Certification Authorities. If any certificates don't exist, import the missing certificate.

+ * For .NET (Npgsql) users on Linux using SSL_CERT_DIR, make sure **BaltimoreCyberTrustRoot** and **DigiCertGlobalRootG2** both exist in the directory indicated by SSL_CERT_DIR. If any certificates don't exist, create the missing certificate file.

+> Please don't drop or alter **Baltimore certificate** until the cert change is made. We will send a communication once the change is done, after which it is safe for them to drop the Baltimore certificate.

+No actions required if you aren't using SSL/TLS.

+No, you don't need to restart the database server to start using the new certificate. This is a client-side change and the incoming client connections need to use the new certificate to ensure that they can connect to the database server.

+- If your connection string doesn't specify sslmode, you don't need to update certificates.

+No. Since the change here is only on the client side to connect to the database server, there's no maintenance downtime needed for the database server for this change.

+### 8. If I create a new server after October 2022 (10/2022), will I be impacted?

+For servers created after October 2022 (10/2022), you will continue to use the [BaltimoreCyberTrustRoot](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) together with new [DigiCertGlobalRootG2](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) root certificates in your database client SSL certificate store for your applications to connect using SSL.

+No. There's no action needed if your certificate file already has the **DigiCertGlobalRootG2**.

+A new docker image which supports both [**Baltimore**](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) and [**DigiCert**](https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) is published to below [here](https://hub.docker.com/_/microsoft-azure-oss-db-tools-pgbouncer-sidecar) (Latest tag). You can pull this new image to avoid any interruption in connectivity starting October, 2022.

+If you have questions, get answers from community experts in [Microsoft Q&A](mailto:AzureDatabaseforPostgreSQL@service.microsoft.com). If you have a support plan and you need technical help please create a [support request](https://learn.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request):

+* ForΓÇ»*Issue type*, selectΓÇ»*Technical*.

+* ForΓÇ»*Subscription*, select your *subscription*.

+* ForΓÇ»*Service*, selectΓÇ»*My Services*, then selectΓÇ»*Azure Database for PostgreSQL ΓÇô Single Server*.

+* ForΓÇ»*Problem type*, selectΓÇ»*Security*.

+* ForΓÇ»*Problem subtype*, selectΓÇ» *Azure Encryption and Infrastructure Double Encryption*

+| Java | [JDBC](https://jdbc.postgresql.org/) | Type 4 JDBC driver | [Download](https://jdbc.postgresql.org/download/)  |

+1. If delegated authentication is used, in the Power BI Azure AD tenant, validate the following Power BI admin user settings:

+1. Enter a name for the secret. For **Value**, type the newly created secret for the App registration. Select **Create** to complete.

+

+2. Under **Certificates & secrets**, create a new secret and save it securely for next steps.

+3. In Azure portal, navigate to your Azure key vault.

+4. Select **Settings** > **Secrets** and select **+ Generate/Import**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-key-vault.png" alt-text="Screenshot how to navigate to Azure Key Vault.":::

+5. Enter a name for the secret and for **Value**, type the newly created secret for the App registration. Select **Create** to complete.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-key-vault-secret-spn.png" alt-text="Screenshot how to generate an Azure Key Vault secret for SPN.":::

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-spn-authentication.png" alt-text="Screenshot of the new credential menu, showing Power BI credential for SPN with all required values supplied.":::

+ - If you are using **delegated authentication** or **service principal** as authentication method, add your **service principal** to this security group. Select **Members**, then select **+ Add members**.

+1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory** and create an App Registration in the tenant. Provide a web URL in the **Redirect URI**. Take note of Client ID(App ID).

+2. Under **Certificates & secrets**, create a new secret and save it securely for next steps.

+3. In Azure portal, navigate to your Azure key vault.

+4. Select **Settings** > **Secrets** and select **+ Generate/Import**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-key-vault.png" alt-text="Screenshot how to navigate to Azure Key Vault.":::

+5. Enter a name for the secret and for **Value**, type the newly created secret for the App registration. Select **Create** to complete.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-key-vault-secret-spn.png" alt-text="Screenshot how to generate an Azure Key Vault secret for SPN.":::

+6. If your key vault isn't connected to Microsoft Purview yet, you'll need to [create a new key vault connection](manage-credentials.md#create-azure-key-vaults-connections-in-your-microsoft-purview-account)

+

+7. In the Microsoft Purview Studio, navigate to the **Data map** in the left menu.

+8. Navigate to **Sources**.

+9. Select the registered Power BI source.

+10. Select **+ New scan**.

+11. Give your scan a name. Then select the option to include or exclude the personal workspaces.

+12. Select your self-hosted integration runtime from the drop-down list.

+13. For the **Credential**, select **service principal** and select **+ New** to create a new credential.

+14. Create a new credential and provide required parameters:

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-spn-authentication.png" alt-text="Screenshot of the new credential menu, showing Power BI credential for SPN with all required values supplied.":::

+15. Select **Test Connection** before continuing to next steps. If **Test Connection** failed, select **View Report** to see the detailed status and troubleshoot the problem

+16. Set up a scan trigger. Your options are **Recurring**, and **Once**.

+17. On **Review new scan**, select **Save and run** to launch your scan.

+2. Select **Test Connection** before continuing to next steps. If **Test Connection** failed, select **View Report** to see the detailed status and troubleshoot the problem

+3. Set up a scan trigger. Your options are **Recurring**, and **Once**.

+4. On **Review new scan**, select **Save and run** to launch your scan.

+| - [Microsoft Defender for IoT](../../sentinel/sentinel-solutions-catalog.md#domain-solutions) | Public Preview | Public Preview |

+|[Microsoft Sentinel](../../sentinel/overview.md)| A scalable, cloud-native solution that delivers intelligent security analytics and threat intelligence across the enterprise.|

+|[Web application firewall](../../web-application-firewall/overview.md) (WAF)|A feature that provides centralized protection of your web applications from common exploits and vulnerabilities|

+|[Azure Bastion](../../bastion/bastion-overview.md)|A service you deploy that lets you connect to a virtual machine using your browser and the Azure portal.|

+|[Azure Front Door](../../frontdoor/front-door-application-security.md)|Provides web application protection capability to safeguard your web applications from network attacks and common web vulnerabilities exploits like SQL Injection or Cross Site Scripting (XSS).|

+ Title: Investigate and detect threats for IoT devices | Microsoft Docs

+description: This tutorial describes how to use the Microsoft Sentinel data connector and solution for Microsoft Defender for IoT to secure your entire OT environment. Detect and respond to OT threats, including multistage attacks that may cross IT and OT boundaries.

+# Tutorial: Investigate and detect threats for IoT devices

+The integration between Microsoft Defender for IoT and Microsoft Sentinel enable SOC teams to efficiently and effectively detect and respond to Operational Technology (OT) threats. Enhance your security capabilities with the **Microsoft Defender for IoT** solution, a set of bundled content configured specifically for Defender for IoT data that includes analytics rules, workbooks, and playbooks. While Defender for IoT supports both Enterprise IoT and OT networks, the **Microsoft Defender for IoT** solution supports OT networks only.

+In this tutorial, you:

+> [!div class="checklist"]

+>

+> * Install the **Microsoft Defender for IoT** solution in your Microsoft Sentinel workspace

+> * Learn how to investigate Defender for IoT alerts in Microsoft Sentinel incidents

+> * Learn about the analytics rules, workbooks, and playbooks deployed to your Microsoft Sentinel workspace with the **Microsoft Defender for IoT** solution

+## Prerequisites

+Before you start, make sure you have:

+- **Read** and **Write** permissions on your Microsoft Sentinel workspace. For more information, see [Permissions in Microsoft Sentinel](roles.md).

+- Completed [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](iot-solution.md).

+## Install the Defender for IoT solution

+Microsoft Sentinel [solutions](sentinel-solutions.md) can help you onboard Microsoft Sentinel security content for a specific data connector using a single process.

+The **Microsoft Defender for IoT** solution integrates Defender for IoT data with Microsoft Sentinel's security orchestration, automation, and response (SOAR) capabilities by providing out-of-the-box and OT-optimized playbooks for automated response and prevention capabilities.

+**To install the solution**:

+1. In Microsoft Sentinel, under **Content management**, select **Content hub** and then locate the **Microsoft Defender for IoT** solution.

+1. At the bottom right, select **View details**, and then **Create**. Select the subscription, resource group, and workspace where you want to install the solution, and then review the related security content that will be deployed.

+1. When you're done, select **Review + Create** to install the solution.

+For more information, see [About Microsoft Sentinel content and solutions](sentinel-solutions.md) and [Centrally discover and deploy out-of-the-box content and solutions](sentinel-solutions-deploy.md).

+## Detect threats out-of-the-box with Defender for IoT data

+The **Microsoft Defender for IoT** data connector includes a default *Microsoft Security* rule named **Create incidents based on Azure Defender for IOT alerts**, which automatically creates new incidents for any new Defender for IoT alerts detected.

+The **Microsoft Defender for IoT** solution includes a more detailed set of out-of-the-box analytics rules, which are built specifically for Defender for IoT data and fine-tune the incidents created in Microsoft Sentinel for relevant alerts.

+**To use out-of-the-box Defender for IoT alerts**:

+1. On the Microsoft Sentinel **Analytics** page, search for and disable the **Create incidents based on Azure Defender for IOT alerts** rule. This step prevents duplicate incidents from being created in Microsoft Sentinel for the same alerts.

+1. Search for and enable any of the following out-of-the-box analytics rules, installed with the **Microsoft Defender for IoT** solution:

+ | Rule Name | Description|

+ | - | -|

+ | **Illegal function codes for ICS/SCADA traffic** | Illegal function codes in supervisory control and data acquisition (SCADA) equipment may indicate one of the following: <br><br>- Improper application configuration, such as due to a firmware update or reinstallation. <br>- Malicious activity. For example, a cyber threat that attempts to use illegal values within a protocol to exploit a vulnerability in the programmable logic controller (PLC), such as a buffer overflow. |

+ | **Firmware update** | Unauthorized firmware updates may indicate malicious activity on the network, such as a cyber threat that attempts to manipulate PLC firmware to compromise PLC function. |

+ | **Unauthorized PLC changes** | Unauthorized changes to PLC ladder logic code may be one of the following: <br><br>- An indication of new functionality in the PLC. <br>- Improper configuration of an application, such as due to a firmware update or reinstallation. <br>- Malicious activity on the network, such as a cyber threat that attempts to manipulate PLC programming to compromise PLC function. |

+ | **PLC insecure key state** | The new mode may indicate that the PLC is not secure. Leaving the PLC in an insecure operating mode may allow adversaries to perform malicious activities on it, such as a program download. <br><br>If the PLC is compromised, devices and processes that interact with it may be impacted. which may affect overall system security and safety. |

+ | **PLC stop** | The PLC stop command may indicate an improper configuration of an application that has caused the PLC to stop functioning, or malicious activity on the network. For example, a cyber threat that attempts to manipulate PLC programming to affect the functionality of the network. |

+ | **Suspicious malware found in the network** | Suspicious malware found on the network indicates that suspicious malware is trying to compromise production. |

+ | **Multiple scans in the network** | Multiple scans on the network can be an indication of one of the following: <br><br>- A new device on the network <br>- New functionality of an existing device <br>- Misconfiguration of an application, such as due to a firmware update or reinstallation <br>- Malicious activity on the network for reconnaissance |

+ | **Internet connectivity** | An OT device communicating with internet addresses may indicate an improper application configuration, such as anti-virus software attempting to download updates from an external server, or malicious activity on the network. |

+ | **Unauthorized device in the SCADA network** | An unauthorized device on the network may be a legitimate, new device recently installed on the network, or an indication of unauthorized or even malicious activity on the network, such as a cyber threat attempting to manipulate the SCADA network. |

+ | **Unauthorized DHCP configuration in the SCADA network** | An unauthorized DHCP configuration on the network may indicate a new, unauthorized device operating on the network. <br><br>This may be a legitimate, new device recently deployed on the network, or an indication of unauthorized or even malicious activity on the network, such as a cyber threat attempting to manipulate the SCADA network. |

+ | **Excessive login attempts** | Excessive sign in attempts may indicate improper service configuration, human error, or malicious activity on the network, such as a cyber threat attempting to manipulate the SCADA network. |

+ | **High bandwidth in the network** | An unusually high bandwidth may be an indication of a new service/process on the network, such as backup, or an indication of malicious activity on the network, such as a cyber threat attempting to manipulate the SCADA network. |

+ | **Denial of Service** | This alert detects attacks that would prevent the use or proper operation of the DCS system. |

+ | **Unauthorized remote access to the network** | Unauthorized remote access to the network can compromise the target device. <br><br> This means that if another device on the network is compromised, the target devices can be accessed remotely, increasing the attack surface. |

+ | **No traffic on Sensor Detected** | A sensor that no longer detects network traffic indicates that the system may be insecure. |

+For more information, see:

+- [Detect threats out-of-the-box](detect-threats-built-in.md)

+- [Create custom analytics rules to detect threats](detect-threats-custom.md)

+> [!TIP]

+> You can also manually create and manage analytics rules in the Microsoft Sentinel **Analytics > Active rules** page. For example, you might use this option to use the out-of-the box analytics rules as templates for customized rules, or to configure analytics rules for scenarios not yet covered by the solution.

+>

+> For more information, see [Detect threats out-of-the-box](detect-threats-built-in.md).

+## Investigate Defender for IoT incidents

+After youΓÇÖve [configured your Defender for IoT data to trigger new incidents in Microsoft Sentinel](#detect-threats-out-of-the-box-with-defender-for-iot-data), start investigating those incidents in Microsoft Sentinel as you would other incidents.

+**To investigate Microsoft Defender for IoT incidents**:

+1. In Microsoft Sentinel, go to the **Incidents** page.

+1. Above the incident grid, select the **Product name** filter and clear the **Select all** option. Then, select **Microsoft Defender for IoT** to view only incidents triggered by Defender for IoT alerts. For example:

+ :::image type="content" source="media/iot-solution/filter-incidents-defender-for-iot.png" alt-text="Screenshot of filtering incidents by product name for Defender for IoT devices.":::

+1. Select a specific incident to begin your investigation.

+ In the incident details pane on the right, view details such as incident severity, a summary of the entities involved, any mapped MITRE ATT&CK tactics or techniques, and more.

+ :::image type="content" source="media/iot-solution/investigate-iot-incidents.png" alt-text="Screenshot of a Microsoft Defender for IoT incident in Microsoft Sentinel.":::

+ > [!TIP]

+ > To investigate the incident in Defender for IoT, select the **Investigate in Microsoft Defender for IoT** link at the top of the incident details pane.

+For more information on how to investigate incidents and use the investigation graph, see [Investigate incidents with Microsoft Sentinel](investigate-cases.md).

+### Investigate further with IoT device entities

+When investigating an incident in Microsoft Sentinel, in an incident details pane, select an IoT device entity from the **Entities** list to open its device entity page. You can identify an IoT device by the IoT device icon: :::image type="icon" source="media/iot-solution/iot-device-icon.png" border="false":::

+If you don't see your IoT device entity right away, select **View full details** under the entities listed to open the full incident page. In the **Entities** tab, select an IoT device to open its entity page. For example:

+ :::image type="content" source="media/iot-solution/incident-full-details-iot-device.png" alt-text="Screenshot of a full detail incident page.":::

+The IoT device entity page provides contextual device information, with basic device details and device owner contact information. The device entity page can help prioritize remediation based on device importance and business impact, as per each alert's site, zone, and sensor. For example:

+For more information on entity pages, see [Investigate entities with entity pages in Microsoft Sentinel](entity-pages.md).

+You can also hunt for vulnerable devices on the Microsoft Sentinel **Entity behavior** page. For example, view the top five IoT devices with the highest number of alerts, or search for a device by IP address or device name:

+For more information on how to investigate incidents and use the investigation graph, see [Investigate incidents with Microsoft Sentinel](investigate-cases.md).

+## Visualize and monitor Defender for IoT data

+To visualize and monitor your Defender for IoT data, use the workbooks deployed to your Microsoft Sentinel workspace as part of the [Microsoft Defender for IoT](#install-the-defender-for-iot-solution) solution.

+The Defenders for IoT workbooks provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.

+View workbooks in Microsoft Sentinel on the **Threat management > Workbooks > My workbooks** tab. For more information, see [Visualize collected data](get-visibility.md).

+The following table describes the workbooks included in the **Microsoft Defender for IoT** solution:

+|Workbook |Description |Logs |

+||||

+|**Overview** | Dashboard displaying a summary of key metrics for device inventory, threat detection and vulnerabilities. | Uses data from Azure Resource Graph (ARG) |

+|**Device Inventory** | Displays data such as: OT device name, type, IP address, Mac address, Model, OS, Serial Number, Vendor, Protocols, Open alerts, and CVEs and recommendations per device. Can be filtered by site, zone, and sensor. | Uses data from Azure Resource Graph (ARG) |

+|**Incidents** | Displays data such as: <br><br>- Incident Metrics, Topmost Incident, Incident over time, Incident by Protocol, Incident by Device Type, Incident by Vendor, and Incident by IP address.<br><br>- Incident by Severity, Incident Mean time to respond, Incident Mean time to resolve and Incident close reasons. | Uses data from the following log: SecurityAlert |

+|**Alerts** | Displays data such as: Alert Metrics, Top Alerts, Alert over time, Alert by Severity, Alert by Engine, Alert by Device Type, Alert by Vendor and Alert by IP address. | Uses data from Azure Resource Graph (ARG) |

+|**MITRE ATT&CK® for ICS** | Displays data such as: Tactic Count, Tactic Details, Tactic over time, Technique Count. | Uses data from the following log: SecurityAlert |

+|**Vulnerabilities** | Displays vulnerabilities and CVEs for vulnerable devices. Can be filtered by device site and CVE severity. | Uses data from Azure Resource Graph (ARG) |

+## Automate response to Defender for IoT alerts

+Playbooks are collections of automated remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.

+The [Microsoft Defender for IoT](#install-the-defender-for-iot-solution) solution includes out-of-the-box playbooks that provide the following functionality:

+- [Automatically close incidents](#automatically-close-incidents)

+- [Send email notifications by production line](#send-email-notifications-by-production-line)

+- [Create a new ServiceNow ticket](#create-a-new-servicenow-ticket)

+- [Update alert statuses in Defender for IoT](#update-alert-statuses-in-defender-for-iot)

+- [Automate workflows for incidents with active CVEs](#automate-workflows-for-incidents-with-active-cves)

+- [Send email to the IoT/OT device owner](#send-email-to-the-iotot-device-owner)

+- [Triage incidents involving highly important devices](#triage-incidents-involving-highly-important-devices)

+Before using the out-of-the-box playbooks, make sure to perform the prerequisite steps as listed [below](#playbook-prerequisites).

+For more information, see:

+- [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md)

+- [Automate threat response with playbooks in Microsoft Sentinel](automate-responses-with-playbooks.md)

+### Playbook prerequisites

+Before using the out-of-the-box playbooks, make sure you perform the following prerequisites, as needed for each playbook:

+- [Ensure valid playbook connections](#ensure-valid-playbook-connections)

+- [Add a required role to your subscription](#add-a-required-role-to-your-subscription)

+- [Connect your incidents, relevant analytics rules, and the playbook](#connect-your-incidents-relevant-analytics-rules-and-the-playbook)

+#### Ensure valid playbook connections

+This procedure helps ensure that each connection step in your playbook has valid connections, and is required for all solution playbooks.

+**To ensure your valid connections**:

+1. In Microsoft Sentinel, open the playbook from **Automation** > **Active playbooks**.

+1. Select a playbook to open it as a Logic app.

+1. With the playbook opened as a Logic app, select **Logic app designer**. Expand each step in the logic app to check for invalid connections, which are indicated by an orange warning triangle. For example:

+ :::image type="content" source="media/iot-solution/connection-steps.png" alt-text="Screenshot of the default AD4IOT AutoAlertStatusSync playbook." lightbox="media/iot-solution/connection-steps.png":::

+ > [!IMPORTANT]

+ > Make sure to expand each step in the logic app. Invalid connections may be hiding inside other steps.

+1. Select **Save**.

+#### Add a required role to your subscription

+This procedure describes how to add a required role to the Azure subscription where the playbook is installed, and is required only for the following playbooks:

+- [AD4IoT-AutoAlertStatusSync](#update-alert-statuses-in-defender-for-iot)

+- [AD4IoT-CVEAutoWorkflow](#automate-workflows-for-incidents-with-active-cves)

+- [AD4IoT-SendEmailtoIoTOwner](#send-email-to-the-iotot-device-owner)

+- [AD4IoT-AutoTriageIncident](#triage-incidents-involving-highly-important-devices)

+Required roles differ per playbook, but the steps remain the same.

+**To add a required role to your subscription**:

+1. In Microsoft Sentinel, open the playbook from **Automation** > **Active playbooks**.

+1. Select a playbook to open it as a Logic app.

+1. With the playbook opened as a Logic app, select **Identity > System assigned**, and then in the **Permissions** area, select the **Azure role assignments** button.

+1. In the **Azure role assignments** page, select **Add role assignment**.

+1. In the **Add role assignment** pane:

+ 1. Define the **Scope** as **Subscription**.

+ 1. From the dropdown, select the **Subscription** where your playbook is installed.

+ 1. From the **Role** dropdown, select one of the following roles, depending on the playbook youΓÇÖre working with:

+ |Playbook name |Role |

+ |||

+ |[AD4IoT-AutoAlertStatusSync](#update-alert-statuses-in-defender-for-iot) |Security Admin |

+ |[AD4IoT-CVEAutoWorkflow](#automate-workflows-for-incidents-with-active-cves) |Reader |

+ |[AD4IoT-SendEmailtoIoTOwner](#send-email-to-the-iotot-device-owner) |Reader |

+ |[AD4IoT-AutoTriageIncident](#triage-incidents-involving-highly-important-devices) |Reader |

+1. When you're done, select **Save**.

+#### Connect your incidents, relevant analytics rules, and the playbook

+This procedure describes how to configure a Microsoft Sentinel analytics rule to automatically run your playbooks based on an incident trigger, and is required for all solution playbooks.

+**To add your analytics rule**:

+1. In Microsoft Sentinel, go to **Automation** > **Automation rules**.

+1. To create a new automation rule, select **Create** > **Automation rule**.

+1. In the **Trigger** field, select one of the following triggers, depending on the playbook youΓÇÖre working with:

+ - The [AD4IoT-AutoAlertStatusSync](#update-alert-statuses-in-defender-for-iot) playbook: Select the **When an incident is updated** trigger

+ - All other solution playbooks: Select the **When an incident is created** trigger

+1. In the **Conditions** area, select **If > Analytic rule name > Contains**, and then select the specific analytics rules relevant for Defender for IoT in your organization.

+ For example:

+ :::image type="content" source="media/iot-solution/automate-playbook.png" alt-text="Screenshot of a Defender for IoT alert status sync automation rule." lightbox="media/iot-solution/automate-playbook.png":::

+ You may be using out-of-the-box analytics rules, or you may have modified the out-of-the-box content, or created your own. For more information, see [Detect threats out-of-the-box with Defender for IoT data](#detect-threats-out-of-the-box-with-defender-for-iot-data).

+1. In the **Actions** area, select **Run playbook** > *playbook name*.

+1. Select **Run**.

+> [!TIP]

+> You can also manually run a playbook on demand. This can be useful in situations where you want more control over orchestration and response processes. For more information, see [Run a playbook on demand](tutorial-respond-threats-playbook.md#run-a-playbook-on-demand).

+### Automatically close incidents

+**Playbook name**: AD4IoT-AutoCloseIncidents

+In some cases, maintenance activities generate alerts in Microsoft Sentinel that can distract a SOC team from handling the real problems. This playbook automatically closes incidents created from such alerts during a specified maintenance period, explicitly parsing the IoT device entity fields.

+To use this playbook:

+- Enter the relevant time period when the maintenance is expected to occur, and the IP addresses of any relevant assets, such as listed in an Excel file.

+- Create a watchlist that includes all the asset IP addresses on which alerts should be handled automatically.

+### Send email notifications by production line

+**Playbook name**: AD4IoT-MailByProductionLine

+This playbook sends mail to notify specific stakeholders about alerts and events that occur in your environment.

+For example, when you have specific security teams assigned to specific product lines or geographic locations, you'll want that team to be notified about alerts that are relevant to their responsibilities.

+To use this playbook, create a watchlist that maps between the sensor names and the mailing addresses of each of the stakeholders you want to alert.

+### Create a new ServiceNow ticket

+**Playbook name**: AD4IoT-NewAssetServiceNowTicket

+Typically, the entity authorized to program a PLC is the Engineering Workstation. Therefore, attackers might create new Engineering Workstations in order to create malicious PLC programming.

+This playbook opens a ticket in ServiceNow each time a new Engineering Workstation is detected, explicitly parsing the IoT device entity fields.

+### Update alert statuses in Defender for IoT

+**Playbook name**: AD4IoT-AutoAlertStatusSync

+This playbook updates alert statuses in Defender for IoT whenever a related alert in Microsoft Sentinel has a **Status** update.

+This synchronization overrides any status defined in Defender for IoT, in the Azure portal or the sensor console, so that the alert statuses match that of the related incident.

+### Automate workflows for incidents with active CVEs

+**Playbook name**: AD4IoT-CVEAutoWorkflow

+This playbook adds active CVEs into the incident comments of affected devices. An automated triage is performed if the CVE is critical, and an email notification is sent to the device owner, as defined on the site level in Defender for IoT.

+To add a device owner, edit the site owner on the **Sites and sensors** page in Defender for IoT. For more information, see [Site management options from the Azure portal](../defender-for-iot/organizations/how-to-manage-sensors-on-the-cloud.md#site-management-options-from-the-azure-portal).

+### Send email to the IoT/OT device owner

+**Playbook name**: AD4IoT-SendEmailtoIoTOwner

+This playbook sends an email with the incident details to the device owner as defined on the site level in Defender for IoT, so that they can start investigating, even responding directly from the automated email. Response options include:

+- **Yes this is expected**. Select this option to close the incident.

+- **No this is NOT expected**. Select this option to keep the incident active, increase the severity, and add a confirmation tag to the incident.

+The incident is automatically updated based on the response selected by the device owner.

+To add a device owner, edit the site owner on the **Sites and sensors** page in Defender for IoT. For more information, see [Site management options from the Azure portal](../defender-for-iot/organizations/how-to-manage-sensors-on-the-cloud.md#site-management-options-from-the-azure-portal).

+### Triage incidents involving highly important devices

+**Playbook name**: AD4IoT-AutoTriageIncident

+This playbook updates the incident severity according to the importance level of the devices involved.

+## Next steps

+For more information, see:

+- [Investigate incidents with Microsoft Sentinel](investigate-cases.md)

+- [Investigate entities with entity pages in Microsoft Sentinel](entity-pages.md)

+- [Visualize collected data](get-visibility.md)

+- [Tutorial: Use playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md)

+- [Defending Critical Infrastructure with the Microsoft Sentinel: IT/OT Threat Monitoring Solution](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/defending-critical-infrastructure-with-the-microsoft-sentinel-it/ba-p/3061184)

+- [Microsoft Defender for IoT documentation](../defender-for-iot/index.yml)

+- [Microsoft Defender for IoT solution](sentinel-solutions-catalog.md#microsoft)

+ Title: Connect Microsoft Defender for IoT with Microsoft Sentinel

+description: This tutorial describes how to integrate Microsoft Sentinel and Microsoft Defender for IoT with the Microsoft Sentinel data connector to secure your entire OT environment. Detect and respond to OT threats, including multistage attacks that may cross IT and OT boundaries.

+# Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel

+ΓÇï[Microsoft Defender for IoT](../defender-for-iot/index.yml) enables you to secure your entire OT and Enterprise IoT environment, whether you need to protect existing devices or build security into new innovations.

+This connector allows you to stream Microsoft Defender for IoT data into Microsoft Sentinel, so you can view, analyze, and respond to Defender for IoT alerts, and the incidents they generate, in a broader organizational threat context.

+The Microsoft Sentinel integration is supported only for OT networks.

+In this tutorial, you will learn how to:

+> * Connect Defender for IoT data to Microsoft Sentinel

+> * Use Log Analytics to query Defender for IoT alert data

+- **Read** and **Write** permissions on your Microsoft Sentinel workspace. For more information, see [Permissions in Microsoft Sentinel](roles.md).

+- **Contributor** or **Owner** permissions on the subscription you want to connect to Microsoft Sentinel.

+- A Defender for IoT plan on your Azure subscription with data streaming into Defender for IoT. For more information, see [Quickstart: Get started with Defender for IoT](../defender-for-iot/organizations/getting-started.md).

+After you've connected a subscription to Microsoft Sentinel, you'll be able to view Defender for IoT alerts in the Microsoft Sentinel **Logs** area.

+## Next steps

+[Install the **Microsoft Defender for IoT** solution](iot-advanced-threat-monitoring.md) to your Microsoft Sentinel workspace.

+The **Microsoft Defender for IoT** solution is a set of bundled, out-of-the-box content that's configured specifically for Defender for IoT data, and includes analytics rules, workbooks, and playbooks.

+- [Tutorial: Investigate and detect threats for IoT devices](iot-advanced-threat-monitoring.md)

+- [Microsoft Defender for IoT solution](sentinel-solutions-catalog.md#microsoft)

+azure_resource_id = <Azure _ResourceId>

+# Used to force a specific resource group for the SAP tables in Log Analytics, useful for applying RBAC on SAP data

+# example - /subscriptions/1234568-qwer-qwer-qwer-123456789/resourcegroups/RESOURCE_GROUP_NAME/providers/microsoft.compute/virtualmachines/VIRTUAL_MACHINE_NAME

+# for more information - https://learn.microsoft.com/azure/azure-monitor/logs/log-standard-columns#_resourceid.

+| **Microsoft Defender for IoT** | [Analytics rules, playbooks, workbook](iot-advanced-threat-monitoring.md) | Internet of Things (IoT), Security - Threat Protection | Microsoft |

+For more information, see [Tutorial: Investigate Microsoft Defender for IoT devices with Microsoft Sentinel](iot-advanced-threat-monitoring.md).

+- Azure Service Fabric will block deployments that do not meet Silver or Gold durability requirements starting on 9/30/2022. 5 VMs or more will be enforced with this change to help avoid data loss from VM-level infrastructure requests for production workloads. Enforcement for existing clusters will be rolled out in the coming months.

+- Azure Service Fabric node types with VMSS durability of Silver or Gold should always have Windows update explicitly disabled to avoid unintended OS restarts due to the Windows updates, which can impact the production workloads. This can be done by setting the "enableAutomaticUpdates": false, in the VMSS OSProfile. Consider enabling Automatic VMSS Image upgrades instead. The deployments will start failing from 09/30/2022 for new clusters, if the WindowsUpdates are not disabled on the VMSS. Enforcement for existing clusters will be rolled out in the coming months.

+| September 13, 2022 | [Azure Service Fabric 9.0 Third Refresh Release](https://techcommunity.microsoft.com/t5/azure-service-fabric-blog/microsoft-azure-service-fabric-9-0-third-refresh-update-release/ba-p/3631367) | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_90CU3.md)|

+Each service instance in Azure Spring Apps is backed by Azure Kubernetes Service with multiple worker nodes. Azure Spring Apps manages the underlying Kubernetes cluster for you, including high availability, scalability, Kubernetes version upgrade, and so on.

+ Title: Use built-in persistent storage in Azure Spring Apps | Microsoft Docs

+description: Learn how to use built-in persistent storage in Azure Spring Apps

+By default, Azure Spring Apps provides temporary storage for each application instance. Temporary storage is limited to 5 GB per instance with */tmp* as the default mount path.

+Persistent storage is a file-share container managed by Azure and allocated per application. Data stored in persistent storage is shared by all instances of an application. An Azure Spring Apps instance can have a maximum of 10 applications with persistent storage enabled. Each application is allocated 50 GB of persistent storage. The default mount path for persistent storage is */persistent*.

+You can enable or disable built-in persistent storage using the Azure portal or Azure CLI.

+Use the following steps to enable or disable built-in persistent storage using the Azure portal.

+1. Go to your Azure Spring Apps instance in the Azure portal.

+1. Select **Apps** to view apps for your service instance, and then select an app to display the app's **Overview** page.

+ :::image type="content" source="media/how-to-built-in-persistent-storage/app-selected.png" lightbox="media/how-to-built-in-persistent-storage/app-selected.png" alt-text="Screenshot of Azure portal showing the Apps page.":::

+1. On the **Overview** page, select **Configuration**.

+ :::image type="content" source="media/how-to-built-in-persistent-storage/select-configuration.png" lightbox="media/how-to-built-in-persistent-storage/select-configuration.png" alt-text="Screenshot of Azure portal showing details for an app.":::

+1. On the **Configuration** page, select **Persistent Storage**.

+ :::image type="content" source="media/how-to-built-in-persistent-storage/select-persistent-storage.png" lightbox="media/how-to-built-in-persistent-storage/select-persistent-storage.png" alt-text="Screenshot of Azure portal showing the Configuration page.":::

+1. On the **Persistent Storage** tab, select **Enable** to enable persistent storage, or **Disable** to disable persistent storage.

+ :::image type="content" source="media/how-to-built-in-persistent-storage/enable-persistent-storage.png" lightbox="media/how-to-built-in-persistent-storage/enable-persistent-storage.png" alt-text="Screenshot of Azure portal showing the Persistent Storage tab.":::

+If persistent storage is enabled, the **Persistent Storage** tab displays the storage size and path.

+- To create an app with built-in persistent storage enabled:

+- To enable built-in persistent storage for an existing app:

+- To disable built-in persistent storage in an existing app:

+- [Quotas and service plans for Azure Spring Apps](./quotas.md)

+- [Scale an application in Azure Spring Apps](./how-to-scale-manual.md)

+ :::image type="content" source="media/agent-deploy/agent-vm-create-sml.png" alt-text="Image showing how to launch the New Virtual Machine Wizard from within the Hyper-V Manager." lightbox="media/agent-deploy/agent-vm-create-lrg.png":::

+ :::image type="content" source="media/agent-deploy/agent-name-select-sml.png" alt-text="Image showing the location of the Name and Location fields within the New Virtual Machine Wizard." lightbox="media/agent-deploy/agent-name-select-lrg.png":::

+ :::image type="content" source="media/agent-deploy/agent-memory-allocate-sml.png" lightbox="media/agent-deploy/agent-memory-allocate-lrg.png" alt-text="Image showing the location of the Startup Memory field within the New Virtual Machine Wizard.":::

+ :::image type="content" source="media/agent-deploy/agent-networking-configure-sml.png" lightbox="media/agent-deploy/agent-networking-configure-lrg.png" alt-text="Image showing the location of the network Connection field within the New Virtual Machine Wizard.":::

+ :::image type="content" source="media/agent-deploy/agent-disk-connect-sml.png" lightbox="media/agent-deploy/agent-disk-connect-lrg.png" alt-text="Image showing the location of the Virtual Hard Disk Connection fields within the New Virtual Machine Wizard.":::

+ :::image type="content" source="media/agent-deploy/agent-configuration-details-sml.png" lightbox="media/agent-deploy/agent-configuration-details-lrg.png" alt-text="Image showing the user-assigned values in the Summary pane of the New Virtual Machine Wizard.":::

+ :::image type="content" source="media/agent-deploy/agent-created-sml.png" lightbox="media/agent-deploy/agent-created-lrg.png" alt-text="Image showing the agent VM deployed within the New Virtual Machine Wizard.":::

+- **Standard priority**: The rehydration request will be processed in the order it was received and may take up to 15 hours to complete for objects under 10 GB in size.

+- BlockBlobClient.[url](/javascript/api/@azure/storage-blob/blockblobclient#@azure-storage-blob-blockblobclient-url)

+ [Create a container](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/samples/v12/javascript/errorsAndResponses.js#L23)

+ [Delete a container](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/samples/v12/javascript/errorsAndResponses.js#L132)

+ [Create a blob service client](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/samples/v12/javascript/listContainers.js#L23)

+ [Upload a blob](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/samples/v12/javascript/errorsAndResponses.js#L59)

+ [Download a blob](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/storage-blob/samples/v12/javascript/errorsAndResponses.js#L90)

+>[!NOTE]

+> - For [Azure VMs](../virtual-machines/index.yml), we currently support a combination of Offer, Publisher, and SKU of the VM image. Ensure you match all three to confirm support.

+> - See the list of [supported OS images](../virtual-machines/automatic-vm-guest-patching.md#supported-os-images).

+> - Custom images are currently not supported.

+ - Sign in to [the Azure portal](https://portal.azure.com/) and open [Azure Cloud Shell](../cloud-shell/overview.md) with PowerShell as the shell type.

+- NCasT4_v3-series

+- NVadsA10 v5-series

+- Redhat Enterprise Linux 8.3, 8.4, 8.5, 8.6, 9.0 LVM

+- Oracle Linux 8.3, 8.4, 8.5, 8.6, 9.0 LVM

+> When you use a [specialized](shared-image-galleries.md#generalized-and-specialized-images) disk to create a new VM, the new VM retains the computer name of the original VM. Other computer-specific information (e.g. CMID) is also kept and, in some cases, this duplicate information could cause issues. When copying a VM, be aware of what types of computer-specific information your applications rely on.

+> Don't use a specialized disk if you want to create multiple VMs. Instead, for larger deployments, create an image and then use that image to create multiple VMs.

+> For more information, see [Store and share images in an Azure Compute Gallery](shared-image-galleries.md).

+ If building a cluster on **RHEL 8.x**, use the following commands:

+To create a managed identity (MSI), [create a system-assigned](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity) managed identity for each VM in the cluster. Should a system-assigned managed identity already exist, it will be used. User assigned managed identities should not be used with Pacemaker at this time. Fence device, based on managed identity is supported on RHEL 7.9 and RHEL 8.x.

+Neither managed identity nor service principal has permissions to access your Azure resources by default. You need to give the managed identity or service principal permissions to start and stop (power-off) all virtual machines of the cluster. If you did not already create the custom role, you can create it using [PowerShell](../../../role-based-access-control/custom-roles-powershell.md) or [Azure CLI](../../../role-based-access-control/custom-roles-cli.md)

+For RHEL **7.x**, use the following command to configure the fence device:

+For RHEL **8.x**, use the following command to configure the fence device:

+If you are using fencing device, based on service principal configuration, read [Change from SPN to MSI for Pacemaker clusters using Azure fencing](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-high-availability-change-from-spn-to-msi-for/ba-p/3609278) and learn how to convert to managed identity configuration.

+If there is a need to collect diagnostic information within the VM, it may be useful to configure additional fencing device, based on fence agent `fence_kdump`. The `fence_kdump` agent can detect that a node entered kdump crash recovery and can allow the crash recovery service to complete, before other fencing methods are invoked. Note that `fence_kdump` is not a replacement for traditional fence mechanisms, like Azure Fence Agent when using Azure VMs.

+To create a managed identity (MSI), [create a system-assigned](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity) managed identity for each VM in the cluster. Should a system-assigned managed identity already exist, it will be used. User assigned managed identities should not be used with Pacemaker at this time. Fence device, based on managed identity is supported on SLES 15 SP1 and above.

+ > Currently only SLES 15 SP1 and newer are supported for managed identity configuration.

+ If you are using fencing device, based on service principal configuration, read [Change from SPN to MSI for Pacemaker clusters using Azure fencing](https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/sap-on-azure-high-availability-change-from-spn-to-msi-for/ba-p/3609278) and learn how to convert to managed identity configuration.

+Create five virtual networks using the portal. This example creates virtual networks named VNetA, VNetB, VNetC and VNetD in the West US location. Each virtual network will have a tag of networkType used for dynamic membership. If you have existing virtual networks for your mesh configuration, you'll need to add tags listed below to your virtual networks and skip to the next section.

+1. Once your network group is created, you'll add virtual networks as members. Choose one of the options: *[Manually add membership](#manually-add-membership)* or *[Create policy to dynamically add members](#create-azure-policy-for-dynamic-membership)* with Azure Policy.

+Azure Virtual Network manager allows you two methods for adding membership to a network group. You can manually add virtual networks or use Azure Policy to dynamically add virtual networks based on conditions. Choose the option below for your mesh membership configuration:

+### Manually add membership

+In this task, you'll manually add three virtual networks for your Mesh configuration to your network group using the steps below:

+1. From the list of network groups, select **myNetworkGroup** and select **Add virtual networks** under *Manually add members* on the *myNetworkGroup* page.

+1. On the *Manually add members* page, select three virtual networks created previously (VNetA, VNetB, and VNetC). Then select **Add** to add the 3 virtual networks to the network group.

+### Create Azure Policy for dynamic membership

+Using [Azure Policy](concept-azure-policy-integration.md), you'll define a condition to dynamically add three virtual networks tagged as **Prod** to your network group using the steps below.

+1. From the list of network groups, select **myNetworkGroup** and select **Create Azure Policy** under *Create policy to dynamically add members*.

+ | Condition | Enter **Prod** to dynamically add the three previously created virtual networks into this network group. |

+1. Select **Save** to deploy the group membership. It can take up to one minute for the policy to take effect and be added to your network group.

+1. Select **Network Groups** under *Settings*, then select **+ Create**.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-network-group-2.png" alt-text="Screenshot of add a network group button.":::

+1. On the *Create a network group* page, enter a **Name** for the network group. This example will use the name **myNetworkGroup**. Select **Add** to create the network group.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/network-group-basics.png" alt-text="Screenshot of create a network group page.":::

+1. You'll see the new network group added to the *Network Groups* page.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/network-groups-list.png" alt-text="Screenshot of network group page with list of network groups.":::

+1. Once your network group is created, you'll add virtual networks as members. Choose one of the options: *[Manually add membership](concept-network-groups.md#static-membership)* or *[Create policy to dynamically add members](concept-network-groups.md#dynamic-membership)*.

+## Define network group members

+Azure Virtual Network manager allows you two methods for adding membership to a network group. You can manually add virtual networks or use Azure Policy to dynamically add virtual networks based on conditions. Choose the option below for your mesh membership configuration:

+### Manually adding members

+To manually add the desired virtual networks for your Mesh configuration to your Network Group, follow the steps below:

+1. From the list of network groups, select your network group and select **Add virtual networks** under *Manually add members* on the network group page.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-static-member.png" alt-text="Screenshot of add a virtual network.":::

+1. On the *Manually add members* page, select all the virtual networks and select **Add**.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-virtual-networks.png" alt-text="Screenshot of add virtual networks to network group page.":::

+1. To review the network group membership manually added, select **Group Members** on the *Network Group* page under **Settings**.

+ :::image type="content" source="media/create-virtual-network-manager-portal/group-members-list-thumb.png" alt-text="Screenshot of group membership under Group Membership." lightbox="media/create-virtual-network-manager-portal/group-members-list.png":::

+### Dynamic membership with Azure Policy

+To dynamically add members using [Azure Policy](concept-azure-policy-integration.md), follow the steps below:

+1. From the list of network groups, select your network group and select **Create Azure Policy** under *Create policy to dynamically add members*.

+ :::image type="content" source="media/create-virtual-network-manager-portal/define-dynamic-membership.png" alt-text="Screenshot of Create Azure Policy button.":::

+1. On the **Create Azure Policy** page, create a conditional statement to populate your network group. You can choose different conditional parameters including *Name* and *Tags*.

+

+ :::image type="content" source="media/how-to-create-hub-and-spoke/create-azure-policy.png" alt-text="Screenshot of Create Azure Policy page with conditional parameters displayed.":::

+1. To review the network group membership based on the conditions defined in Azure Policy, select **Group Members** on the *Network Group* page under **Settings**

+To have this configuration take effect in your environment, you'll need to deploy the configuration to the regions where your selected virtual networks are created.

+## <a name="group"></a> Create a network group

+1. Select **Network Groups** under *Settings*, then select **+ Create**.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-network-group-2.png" alt-text="Screenshot of add a network group button.":::

+1. On the *Create a network group* page, enter a **Name** for the network group. This example will use the name **myNetworkGroup**. Select **Add** to create the network group.

+1. Once your network group is created, you'll add virtual networks as members. Choose one of the options: *[Manually add membership](concept-network-groups.md#static-membership)* or *[Create policy to dynamically add members](concept-network-groups.md#dynamic-membership)*.

+## Define network group members

+Azure Virtual Network manager allows you two methods for adding membership to a network group. You can manually add virtual networks or use Azure Policy to dynamically add virtual networks based on conditions. Choose the option below for your mesh membership configuration:

+### Manually adding members

+To manually add the desired virtual networks for your Mesh configuration to your Network Group, follow the steps below:

+1. From the list of network groups, select your network group and select **Add virtual networks** under *Manually add members* on the network group page.

+ :::image type="content" source="./media/create-virtual-network-manager-portal/add-static-member.png" alt-text="Screenshot of add a virtual network.":::

+1. On the *Manually add members* page, select all the virtual networks and select **Add**.

+1. To review the network group membership manually added, select **Group Members** on the *Network Group* page under **Settings**.

+ :::image type="content" source="media/create-virtual-network-manager-portal/group-members-list-thumb.png" alt-text="Screenshot of group membership under Group Membership." lightbox="media/create-virtual-network-manager-portal/group-members-list.png":::

+### Dynamic membership with Azure Policy

+To dynamically add members using [Azure Policy](concept-azure-policy-integration.md), follow the steps below:

+1. From the list of network groups, select your network group and select **Create Azure Policy** under *Create policy to dynamically add members*.

+ :::image type="content" source="media/create-virtual-network-manager-portal/define-dynamic-membership.png" alt-text="Screenshot of Create Azure Policy button.":::

+1. On the **Create Azure Policy** page, create a conditional statement to populate your network group. You can choose different conditional parameters including *Name* and *Tags*.

+

+ :::image type="content" source="media/how-to-create-hub-and-spoke/create-azure-policy.png" alt-text="Screenshot of Create Azure Policy page with conditional parameters displayed.":::

+1. To review the network group membership based on the conditions defined in Azure Policy, select **Group Members** on the *Network Group* page under **Settings**

+1. On the *Add network groups* page, select the network groups you want to add to this configuration. Then select **Select** to save.

+- **VM3**: If *NSG2* has a security rule that denies port 80, the traffic is denied. If not, the traffic is allowed by the [AllowInternetOutbound](./network-security-groups-overview.md#allowinternetoutbound) default security rule in NSG2, since a network security group isn't associated to Subnet2.

+* Learn how to enable [network security group flow logs](../network-watcher/network-watcher-nsg-flow-logging-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) to analyze network traffic to and from resources that have an associated network security group.

+The global profile associated with a User VPN configuration points to a Global Traffic Manager. The Global Traffic Manager includes all active User VPN hubs that are using that User VPN configuration. However, you can choose to exclude hubs from the Global Traffic Manager if necessary. A user connected to the global profile is directed to the hub that's closest to the user's geographic location. This is especially useful if you have users that travel between multiple locations frequently.

+ In other words, when Traffic Routing Policy is configured on a Virtual WAN hub, the Virtual WAN will advertise a **default** route to all spokes, Gateways and Network Virtual Appliances (deployed in the hub or spoke). This includes the **Network Virtual Appliance** that is the next hop for the Itnernet Traffic routing policy.

+ > At this point in time, Routing Policies for **Network Virtual Appliances** do not allow you to edit the RFC1918 prefixes. Virtual WAN will propagate the RFC1918 aggregate prefixes to all spoke Virtual networks, Gateways as well as the **Network Virtual Appliances**. Be mindful of the implications about the propagation of these prefixes into your environment and create the appropriate policies inside your **Network Virtual Appliance** to control routing behavior.

+ Title: 'Quickstart: Create an Azure WAF v2 by using an Azure Resource Manager template'

+description: Use a quickstart Azure Resource Manager template (ARM template) to create a Web Application Firewall v2 on Azure Application Gateway.

+# Customer intent: As a cloud administrator, I want to quickly deploy a Web Application Firewall v2 on Azure Application Gateway for production environments or to evaluate WAF v2 functionality.

+# Quickstart: Create an Azure Web Application Firewall v2 by using an ARM template

+In this quickstart, you use an Azure Resource Manager template (ARM template) to create an Azure Web Application Firewall (WAF) v2 on Azure Application Gateway.

+If your environment meets the prerequisites and you're familiar with using ARM templates, you can select the **Deploy to Azure** button to open the template in the Azure portal.

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fdemos%2Fag-docs-wafv2%2Fazuredeploy.json)

+- An Azure account with an active subscription. If you don't have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+This template creates a simple Web Application Firewall v2 on Azure Application Gateway. The template creates a public IP frontend IP address, HTTP settings, a rule with a basic listener on port 80, and a backend pool. A WAF policy with a custom rule blocks traffic to the backend pool based on an IP address match type.

+The template defines the following Azure resources:

+- [Microsoft.Network/applicationgateways](/azure/templates/microsoft.network/applicationgateways)

+- [Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies](/azure/templates/microsoft.network/ApplicationGatewayWebApplicationFirewallPolicies)

+- [Microsoft.Network/publicIPAddresses](/azure/templates/microsoft.network/publicipaddresses), one for the application gateway and two for the virtual machines (VMs)

+- [Microsoft.Network/networkSecurityGroups](/azure/templates/microsoft.network/networksecuritygroups)

+- [Microsoft.Network/virtualNetworks](/azure/templates/microsoft.network/virtualnetworks)

+- [Microsoft.Compute/virtualMachines](/azure/templates/microsoft.compute/virtualmachines), two VMs

+- [Microsoft.Network/networkInterfaces](/azure/templates/microsoft.network/networkinterfaces), one for each VM

+- [Microsoft.Compute/virtualMachine/extensions](/azure/templates/microsoft.compute/virtualmachines/extensions) to configure IIS and the web pages

+This template is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/ag-docs-wafv2/).

+1. Select **Deploy to Azure** to sign in to Azure and open the template. The template creates an application gateway, the network infrastructure, and two VMs in the backend pool running IIS.

+ [](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fdemos%2Fag-docs-wafv2%2Fazuredeploy.json)

+1. Select or create a resource group.

+1. Select **Review + create**, and when validation passes, select **Create**. The deployment can take 10 minutes or longer to complete.

+Although IIS isn't required, the template installs IIS on the backend servers so you can verify that Azure successfully created a WAF v2 on the application gateway.

+1. Copy the public IP address for the application gateway from its **Overview** page.

+ 

+ You can also search for *application gateways* in the Azure search box. The list of application gateways shows the public IP addresses in the **Public IP address** column.

+1. Paste the IP address into the address bar of your browser to browse that address.

+1. Check the response. A **403 Forbidden** response verifies that the WAF is successfully blocking connections to the backend pool.

+1. To change the custom rule to allow traffic, run the following Azure PowerShell script, replacing your resource group name:

+1. Refresh your browser several times. You should see connections to both myVM1 and myVM2.

+When you no longer need the resources you created in this quickstart, delete the resource group to remove the application gateway and all its related resources.

+> [Tutorial: Create an application gateway with a Web Application Firewall by using the Azure portal](application-gateway-web-application-firewall-portal.md)