+2. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Open your API-driven provisioning app.

+ :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png" alt-text="Screenshot of edit attribute mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png":::

+ :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png" alt-text="Screenshot of edit API attribute list." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png":::

+ :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png" alt-text="Screenshot of adding custom attributes." lightbox="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png":::

+1. **Save** your changes

+[Download the PowerShell setup files from our GitHub repository](https://github.com/microsoft/MIMPowerShellConnectors/tree/master/src/ECMA2HostCSV). The setup files consist of the configuration file, the input file, schema file and the scripts used.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).

+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**.

+1. Select **Download on-premises agent**, review the terms of service, then select **Accept terms & download**.

+ > [!NOTE]

+ > Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.

+1. Open the provisioning agent installer, agree to the terms of service, and select **next**.

+1. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.

+1. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Azure AD, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.

+1. Provide credentials for an Azure AD administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.

+1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select **New application**.

+1. Search for the **On-premises ECMA app** application, give the app a name, and select **Create** to add it to your tenant.

+1. Navigate to the **Provisioning** page of your application.

+1. Select **Get started**.

+1. On the **Provisioning** page, change the mode to **Automatic**.

+1. On the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**.

+1. Keep this browser window open, as you complete the next step of configuration using the configuration wizard.

+## Place the InputFile.txt and Schema.xml file in locations

+Before you can create the PowerShell connector for this tutorial, you need to copy the InputFile.txt and Schema.xml file into the correct locations. These files are the ones you needed to download in section [Download the PowerShell setup files](#download-the-powershell-setup-files).

+1. On the Windows Server where the provisioning agent is installed, right click the **Microsoft ECMA2Host Configuration Wizard** from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs.

+2. After the ECMA Connector Host Configuration starts, if it's the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate will be self-signed as part of the trusted root. The certificate SAN matches the host name.

+3. Select **Save**.

+1. Launch the Microsoft ECMA2Host Configuration Wizard from the start menu.

+2. At the top, select **Import** and select the configuration.xml file from step 1.

+3. The new connector should be created and appear in red. Click **Edit**.

+4. Generate a secret token used for authenticating Microsoft Entra ID to the connector. It should be 12 characters minimum and unique for each application. If you do not already have a secret generator, you can use a PowerShell command such as the following to generate an example random string.

+5. On the **Properties** page, all of the information should be populated. The table is provided as reference. Click **Next**.

+ |Property|Value|

+ |--|--|

+ |Name|The name you chose for the connector, which should be unique across all connectors in your environment. For example, `PowerShell`.|

+ |Autosync timer (minutes)|120|

+ |Secret Token|Enter your secret token here. It should be 12 characters minimum.|

+ |Extension DLL|For the PowerShell connector, select **Microsoft.IAM.Connector.PowerShell.dll**.|

+- On the **Connectivity** page, all of the information should be populated. The table is provided as reference. Click **Next**.

+- On the **Global Parameters** page, all of the information should be populated. The table is provided as reference. Click **Next**.

+1. On the server running the Microsoft Entra ECMA Connector Host, select **Start**.

+2. Select **run** if needed, then enter **services.msc** in the box.

+3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it is not running, select **Start**.

+4. On the server running the Microsoft Entra ECMA Connector Host, launch PowerShell.

+5. Change to the folder where the ECMA host was installed, such as `C:\Program Files\Microsoft ECMA2Host`.

+6. Change to the subdirectory `Troubleshooting`.

+7. Run the script `TestECMA2HostConnection.ps1` in the directory as shown, and provide as arguments the connector name and the `ObjectTypePath` value `cache`. If your connector host is not listening on TCP port 8585, then you may also need to provide the `-Port` argument as well. When prompted, type the secret token configured for that connector.

+8. If the script displays an error or warning message, then check that the service is running, and the connector name and secret token match those values you configured in the configuration wizard.

+9. If the script displays the output `False`, then the connector has not seen any entries in the source target system for existing users. If this is a new target system installation, then this behavior is to be expected, and you can continue at the next section.

+10. However, if the target system already contains one or more users but the script displayed `False`, then this status indicates the connector could not read from the target system. If you attempt to provision, then Microsoft Entra ID may not correctly match users in that source directory with users in Microsoft Entra ID. Wait several minutes for the connector host to finish reading objects from the existing target system, and then rerun the script. If the output continues to be `False`, then check the configuration of your connector and the permissions in the target system are allowing the connector to read existing users.

+1. Return to the web browser window where you were configuring the application provisioning in the portal.

+ > [!NOTE]

+ > If the window had timed out, then you need to re-select the agent.

+

+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+ 1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+ 1. Select the **On-premises ECMA app** application.

+ 1. Select **Provisioning**.

+ 1. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**, and wait 10 minutes. Otherwise go to **Edit Provisioning**.

+1. Under the **Admin credentials** section, enter the following URL. Replace the `connectorName` portion with the name of the connector on the ECMA host, such as `PowerShell`. If you provided a certificate from your certificate authority for the ECMA host, then replace `localhost` with the host name of the server where the ECMA host is installed.

+ |Property|Value|

+ |--|--|

+ |Tenant URL|https://localhost:8585/ecma2host_connectorName/scim|

+1. Enter the **Secret Token** value that you defined when you created the connector.

+ > [!NOTE]

+ > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent** service, right-click the service, and restart.

+1. Select **Test Connection**, and wait one minute.

+1. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.

+## Configure the application connection

+> [!NOTE]

+> If the window had timed out, then you need to re-select the agent.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select the **On-premises ECMA app** application.

+1. Select **Provisioning**.

+1. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you deployed and select **Assign Agent(s)**. Otherwise go to **Edit Provisioning**.

+1. Under the **Admin credentials** section, enter the following URL. Replace the `{connectorName}` portion with the name of the connector on the ECMA connector host, such as **CSV**. The connector name is case sensitive and should be the same case as was configured in the wizard. You can also replace `localhost` with your machine hostname.

+ |Property|Value|

+ |--|--|

+ |Tenant URL| `https://localhost:8585/ecma2host_CSV/scim`|

+1. Enter the **Secret Token** value that you defined when you created the connector.

+ > [!NOTE]

+ > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart.

+1. Select **Test Connection**, and wait one minute.

+1. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select the **On-premises ECMA app** application.

+1. Select **Provisioning**.

+1. Select **Edit provisioning**, and wait 10 seconds.

+1. Expand **Mappings** and select **Provision Azure Active Directory Users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder.

+1. To confirm that the schema is available in Azure AD, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list.

+1. Now, on the click on the **userPrincipalName** PLACEHOLDER mapping. This mapping is added by default when you first configure on-premises provisioning. Change the value to match the following:

+ |Mapping type|Source attribute|Target attribute|

+ |--|--|--|

+ |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:UserName|

+

+1. Now select **Add New Mapping**, and repeat the next step for each mapping.

+1. Specify the source and target attributes for each of the mappings in the following table.

+ |Mapping type|Source attribute|Target attribute|

+ |--|--|--|

+ |Direct|objectId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:AzureObjectID|

+ |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:UserName|

+ |Direct|displayName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:DisplayName|

+ |Direct|employeeId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:EmployeeId|

+ |Direct|jobTitle|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Title|

+ |Direct|mail|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Email|

+ |Expression|Switch([IsSoftDeleted],, "False", "True", "True", "False")|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:IsActive|

+ :::image type="content" source="media/on-premises-powershell-connector/powershell-8.png" alt-text="Screenshot of attribute mappings." lightbox="media/on-premises-powershell-connector/powershell-8.png":::

+1. Once all of the mappings have been added, select **Save**.

+1. Ensure that the user selected has all the properties, mapped to the required attributes of the schema.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select the **On-premises ECMA app** application.

+1. On the left, under **Manage**, select **Users and groups**.

+1. Select **Add user/group**.

+1. Under **Users**, select **None Selected**.

+1. Select users from the right and select the **Select** button.

+1. Now select **Assign**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select the **On-premises ECMA app** application.

+1. Select **Provisioning**.

+1. Select **Provision on demand**.

+1. Search for one of your test users, and select **Provision**.

+1. After several seconds, then the message **Successfully created user in target system** appears, with a list of the user attributes.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).

+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**.

+ :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::

+1. Select **Download on-premises agent**, and select **Accept terms & download**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).

+1. From the left hand menu navigate to the **Provisioning** option and select **Get started**.

+1. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.

+1. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.

+1. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.

+1. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim

+ 

+1. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.

+ > [!NOTE]

+ > If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above.

+1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.

+1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.

+1. Test provisioning a few users [on demand](provision-on-demand.md).

+1. Add more users into scope by assigning them to your application.

+1. Go to the **Provisioning** pane, and select **Start provisioning**.

+1. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).

+- [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure the Connect provisioning agent.

+- [Application Administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app.

+2. Browse to **Identity** > **Applications** > **Enterprise applications** > select your application.

+3. Select **Provisioning**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select your application and go to Properties section of your provisioning app. In this example we are using Workday.

+1. Copy the GUID value in the *Object ID* field. This value is also called the **ServicePrincipalId** of your app and it's used in Graph Explorer operations.

+* Don't require a case-sensitive match on structural elements in SCIM, in particular **PATCH** `op` operation values, as defined in [section 3.5.2](https://tools.ietf.org/html/rfc7644#section-3.5.2). Azure AD emits the values of `op` as **Add**, **Replace**, and **Remove**.

+* Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the **Test Connection** flow.

+* The attribute that the resources can be queried on should be set as a matching attribute on the application, see [Customizing User Provisioning Attribute Mappings](customize-application-attributes.md).

+* The Microsoft Entra provisioning service makes the /schemas request when you save the provisioning configuration. The request is also made when you open the edit provisioning page. Other attributes discovered are surfaced to customers in the attribute mappings under the target attribute list. Schema discovery only leads to more target attributes being added. Attributes aren't removed.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select your application and go to **Provisioning**.

+1. Select **Authorize**.

+ 1. Users are redirected to the Authorization URL (sign in page for the third party app).

+ 1. The third party app redirects user back and provides the grant code

+ 1. The Provisioning Service calls the token URL and provides the grant code. The third party application responds with the access token, refresh token, and expiry date

+When you have more than 1000 service principals, you may find extensions missing in the source attribute list. If an attribute you've created doesn't automatically appear, then verify the attribute was created and add it manually to your schema. To verify it was created, use Microsoft Graph and [Graph Explorer](/graph/graph-explorer/graph-explorer-overview). To add it manually to your schema, see [Editing the list of supported attributes](customize-application-attributes.md#editing-the-list-of-supported-attributes).

+Next, create the extension attribute. Replace the **ID** property below with the **ID** retrieved in the previous step. You need to use the **"ID"** attribute and not the "appId". To learn more, see [Create extensionProperty]/graph/api/application-post-extensionproperty).

+Finally, verify the attribute for the user. To learn more, see [Get a user](/graph/api/user-get). Graph v1.0 doesn't by default return any of a user's directory extension attributes, unless the attributes are specified in the request as one of the properties to return.

+```PowerShell

+Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping. Use the steps below to autodiscover these attributes and set up a corresponding mapping to Azure AD.

+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync**.

+1. Select the configuration you wish to add the extension attribute and mapping.

+1. Under **Manage attributes** select **click to edit mappings**.

+1. Select **Add attribute mapping**. The attributes will automatically be discovered.

+1. The new attributes are available in the drop-down under **source attribute**.

+1. Fill in the type of mapping you want and select **Apply**.

+1. Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they aren't, extend the AD DS schema in the domains where those users have accounts.

+2. Sign in as a [Global Administrator](../roles/permissions-reference.md#global-administrator).

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select your Workday to AD/Azure AD user provisioning application.

+1. Select **Provisioning**.

+1. Edit the mappings and open the Workday attribute list from the advanced section.

+1. Add the following attributes definitions and mark them as "Required". These attributes aren't mapped to any attribute in AD or Azure AD. They serve as signals to the connector to retrieve the Cost Center, Cost Center Hierarchy and Pay Group information.

+To retrieve pronouns from Workday, update your Azure AD provisioning app to query Workday using v38.1 of the Workday Web Services. We recommend testing this configuration first in your test/sandbox environment before implementing the change in production.

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select your Workday to AD/Azure AD user provisioning application and go to **Provisioning** .

+| \<Tenant ID> | **Identity** > **Overview** > **Properties** |

+1. Browse to **Identity** > **Applications** > **App registrations** > **All applications**.

+If you already have your apps published but don't remember their external URLs, look them up in the [Microsoft Entra admin center](https://entra.microsoft.com). Sign in, then browse to **Identity** > **Applications** > **Enterprise applications** > select your app > **Application proxy**.

+* [Microsoft Entra admin center](https://entra.microsoft.com)

+* [Microsoft Entra admin center](https://entra.microsoft.com)

+* [External Identities in Azure AD](../external-identities/external-identities-overview.md)

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).

+1. Browse to **Identity** > **External Identities** > **External collaboration settings**.

+Start by documenting which methods are available in the legacy MFA policy. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). Go to **Identity** > **Users** > **All users** > **Per-user MFA** > **service settings** to view the settings. These settings are tenant-wide, so there's no need for user or group information.

+To get the authentication methods available in the legacy SSPR policy, go to **Identity** > **Users** > **Password reset** > **Authentication methods**. The following table lists the available methods in the legacy SSPR policy and corresponding methods in the Authentication method policy.

+1. Browse to **Protection** > **Multifactor authentication** > **Block/unblock users**.

+1. Go to **Protection** > **Multifactor authentication** > **Block/unblock users**.

+- To view the risk detections report, select **Protection** > **Identity Protection** > **Risk detection**. The risk event is part of the standard **Risk Detections** report, and will appear as Detection Type **User Reported Suspicious Activity**, Risk level **High**, Source **End user reported**.

+- To view fraud reports in the Sign-ins report, select **Identity** > **Monitoring & health** > **Sign-in logs** > **Authentication Details**. The fraud report is part of the standard **Azure AD Sign-ins** report and appears in the Result Detail as MFA denied, Fraud Code Entered.

+- To view fraud reports in the Audit logs, select **Identity** > **Monitoring & health** > **Audit logs**. The fraud report appears under Activity type Fraud reported - user is blocked for MFA or Fraud reported - no action taken based on the tenant-level settings for fraud report.

+1. Go to **Protection** > **Multi-Factor Authentication** > **Notifications**.

+1. Go to **Protection** > **Multifactor authentication** > **Phone call settings**.

+1. Go to **Protection** > **Multifactor authentication** > **Phone call settings**.

+1. Browse to **Protection** > **Multifactor authentication** > **Caching rules**.

+- Microsoft Power Automate

+- Viva Engage (Android, iOS, and iPadOS)

+description: This article shows how to migrate a classic Conditional Access policy.

+To test your policy, try to sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) using your test account. You should see a dialog that requires you to accept your terms of use.

+Once you've added app roles in your application, you can assign an app role to a client app by using the Microsoft Entra admin center or programmatically by using [Microsoft Graph](/graph/api/user-post-approleassignments). This is not to be confused with [assigning roles to users](../roles/manage-roles-portal.md).

+1. Under **Permission**, select the role(s) you want to assign.

+## Assign users and groups to Microsoft Entra roles

+Once you've added app roles in your application, you can assign users and groups to [Microsoft Entra roles](../roles/permissions-reference.md). Assignment of users and groups to roles can be done through the portal's UI, or programmatically using [Microsoft Graph](/graph/api/user-post-approleassignments). When the users assigned to the various roles sign in to the application, their tokens will have their assigned roles in the `roles` claim.

+To assign users and groups to roles by using the Microsoft Entra admin center:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. If you have access to multiple tenants, use the **Directories + subscriptions** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant that contains the app registration to which you want to add an app role.

+1. Browse to **Identity** > **Applications** > **Enterprise applications**.

+1. Select **All applications** to view a list of all your applications. If your application doesn't appear in the list, use the filters at the top of the **All applications** list to restrict the list, or scroll down the list to locate your application.

+1. Select the application in which you want to assign users or security group to roles.

+1. Under **Manage**, select **Users and groups**.

+1. Select **Add user** to open the **Add Assignment** pane.

+1. Select the **Users and groups** selector from the **Add Assignment** pane. A list of users and security groups is displayed. You can search for a certain user or group and select multiple users and groups that appear in the list.

+1. Once you've selected users and groups, select the **Select** button to proceed.

+1. Select **Select a role** in the **Add assignment** pane. All the roles that you've defined for the application are displayed.

+1. Choose a role and select the **Select** button.

+1. Select the **Assign** button to finish the assignment of users and groups to the app.

+Confirm that the users and groups you added appear in the **Users and groups** list.

+### Option 3: Create a new client secret

+If you choose not to use a certificate, you can create a new client secret.

+Once you've saved the client secret, the value of the client secret is displayed. This is only displayed once, so copy this value and store it where your application can retrieve it, usually where your application keeps values like `clientId`, or `authoruty` in the source code. You'll provide the secret value along with with the application's client ID to sign in as the application.

+1. Select **Add access policy**, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.

+ 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../roles/permissions-reference.md#reports-reader).

+ 1. Browse to **Identity** > **Monitoring & health** > **Workbooks**.

+- Device admins prepare the device to be shared by installing the authenticator app, and setting the device to shared mode using the authenticator app. Only users who are in the [Cloud Device Administrator](../roles/permissions-reference.md#cloud-device-administrator) role can put a device into shared mode by using the [Authenticator app](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc). You can configure the membership of your organizational roles in the Microsoft Entra admin center under:

+**Identity** > **Roles & Admins** > **Roles & Admins** > **Cloud Device Administrator**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+1. Browse to **Identity** > **Applications** > **App registrations**.

+1. Select **New registration**.

+ ```

+ "TENANT_ID": "Enter_the_Tenant_Id_Here",

+ - `Enter_the_Application_Id_Here` - is the **Application (client) ID** of the application you registered earlier. Find this ID on the app registration's **Overview**.

+ - `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant ID** or **Tenant name** (for example, contoso.microsoft.com). Find these values on the app registration's **Overview**.

+ - `Enter_the_Client_Secret_Here` - replace this value with the client secret you created earlier. To generate a new key, use **Certificates & secrets** in the app registration settings.

+1. Edit *.env* and replace the Microsoft Entra ID and Microsoft Graph endpoints with the following values:

+If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires **admin consent**: an [Application Administrator](../roles/permissions-reference.md#application-administrator) or [Global Administrator](../roles/permissions-reference.md#global-administrator) must give consent to your application. Select one of the options below depending on your role:

+##### Administrators

+If you're assigned the [Application Administrator](../roles/permissions-reference.md#application-administrator) or [Global Administrator](../roles/permissions-reference.md#global-administrator) roles, go to **API Permissions** page in the Azure portal's Application Registration and select **Grant admin consent for {Tenant Name}** (where {Tenant Name} is the name of your directory).

+##### Standard users

+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-javascript/archive/refs/heads/main.zip). Extract it to a file path where the length of the name is fewer than 260 characters.

+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-javascript-tutorial/archive/refs/heads/main.zip). Extract it to a file path where the length of the name is fewer than 260 characters.

+ :::code language="csharp" source="~/ms-identity-docs-code-javascript/js-spa/App/authConfig.js":::

+1. Copy the `https` URL that appears in the terminal, for example, `https://localhost:3000`, and paste it into a browser. We recommend using a private or incognito browser session.

+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-javascript/tree/main). Extract it to a file path where the length of the name is fewer than 260 characters.

+> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+> 1. Browse to **Identity** > **Applications** > **App registrations**.

+> 1. Select **New registration**.

+> |*appsettings.json* key | Description |

+> | | -- |

+> | `ClientId` | Application (client) ID of the application registered. |

+> | `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |

+> | `TenantId` | Name of your tenant or its tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |

+> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+> 1. Browse to **Identity** > **Applications** > **App registrations**.

+> 1. Select **New registration**.

+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-dotnet/archive/refs/heads/main.zip). Extract it to a file path where the length of the name is fewer than 260 characters.

+1. In the [Microsoft Entra admin center](https://entra.microsoft.com), select your app under **Identity** > **Applications** > **App registrations**.

+ npm install @azure/msal-browser @azure/msal-react @azure/msal-common

+Viewing your production tenant Conditional Access policies may need to be performed by a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator).

+In a new tab or browser session, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](../roles/permissions-reference.md#conditional-access-administrator) to access your test tenant.

+1. Browse to **Protection** > **Conditional Access**.

+1. Select **Identity** > **Applications** > **App registrations** > *\<your application\>* > **Manifest**.

+**Identity** > **Applications** > **App registrations** > \<YOUR-APPLICATION\> > **Endpoints**

+> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+> 1. Browse to **Identity** > **Applications** > **App registrations**.

+> 1. Select **New registration**.

+> - Replace `Enter_the_Application_Id_here` with the application (client) ID of the application that you registered. You can find the application (client) ID on the app's **Overview** page.

+> | *appsettings.json* key | Description |

+> |--|--|

+> | `ClientId` | Application (client) ID of the application registered. |

+> | `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |

+> | `TenantId` | Name of your tenant or its tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |

+> 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).

+> 1. Browse to **Identity** > **Applications** > **App registrations**.

+> 1. Select **New registration**.

+- To get an overview of how to manage devices, see [managing device identities](manage-device-identities.md).

+Microsoft Entra Registration is not the same as device enrollment. If Administrators permit users to enroll their devices, organizations can further control these Microsoft Entra registered devices by enrolling the device(s) into Mobile Device Management (MDM) tools like Microsoft Intune. MDM provides a means to enforce organization-required configurations like requiring storage to be encrypted, password complexity, and security software kept updated.

+- [Manage device identities](manage-device-identities.md)

+- [Manage device identities](manage-device-identities.md)

+- [Manage device identities](manage-device-identities.md)

+- For more information about managing devices, see [managing device identities](manage-device-identities.md).

+The [Microsoft Entra admin center](https://entra.microsoft.com) allows you to control the deployment of Microsoft Entra joined devices in your organization. To configure the related settings, browse to **Identity** > **Devices** > **All devices** > **Device settings**. [Learn more](manage-device-identities.md)

+Enterprises that want to manage roaming for personal (unmanaged) devices can use the Microsoft Entra admin center to enable or disable roaming, rather than using Group Policy or MDM.

+**Potential issue**: The field for **SettingsUrl** is empty and the device doesn't sync. The user may have last logged in to the device before Enterprise State Roaming was enabled. Restart the device and have the user login. Optionally, in the portal, try having the IT Admin navigate to **Identity** > **Devices** > **Overview** > **Enterprise State Roaming** disable and re-enable **Users may sync settings and app data across devices**. Once re-enabled, restart the device and have the user login. If this doesn't resolve the issue, **SettingsUrl** may be empty if there's a bad device certificate. In this case, running ΓÇ£*dsregcmd.exe /leave*ΓÇ¥ in an elevated command prompt window, rebooting, and trying registration again may help with this issue.

+**Potential issue**: If your device is configured to require multifactor authentication on the Microsoft Entra admin center, you may fail to sync settings while signing in to a Windows 10 or newer device using a password. This type of multifactor authentication configuration is intended to protect an Azure administrator account. Admin users may still be able to sync by signing in to their Windows 10 or newer devices with their Windows Hello for Business PIN or by completing multifactor authentication while accessing other Azure services like Microsoft 365.

+4. You can use the **DeviceId** and compare the status on the service using either the Microsoft Entra admin center or PowerShell.

+## Using the Microsoft Entra admin center

+To list all Windows LAPS enabled devices, you can browse to **Identity** > **Devices** > **Overview** > **Local administrator password recovery (Preview)** or use the Microsoft Graph API.

+To view audit events, you can browse to **Identity** > **Devices** > **Overview** > **Audit logs**, then use the **Activity** filter and search for **Update device local administrator password** or **Recover device local administrator password** to view the audit events.

+ > Replace `<TenantID>` with the Azure AD tenant ID that's associated with the Azure subscription. If you need to find the tenant ID, you can hover over your account name or select **Identity** > **Overview** > **Properties** > **Tenant ID**.

+ 1. Value data: The GUID or **Tenant ID** of your Microsoft Entra instance (This value can be found in the **Microsoft Entra admin center** > **Identity** > **Properties** > **Tenant ID**).

+ Title: Manage devices in Microsoft Entra ID using the Microsoft Entra admin center

+description: This article describes how to use the Microsoft Entra admin center to manage device identities and monitor related event information.

+# Manage device identities using the Microsoft Entra admin center

+1. Go to **Identity** > **Devices** > **Overview**.

+If you want to manage device identities by using the Microsoft Entra admin center, the devices need to be either [registered or joined](overview.md) to Microsoft Entra ID. As an administrator, you can control the process of registering and joining devices by configuring the following device settings.

+- The **Activity** column on the all devices page.

+## Clean up stale devices

+While you can clean up stale devices in the Microsoft Entra admin center, it's more efficient to handle this process using a PowerShell script. Use the latest PowerShell V2 module to use the timestamp filter and to filter out system-managed devices such as Autopilot.

+To get an overview of how to manage devices, see [managing device identities](manage-device-identities.md)

+- To get an overview of how to manage device identities, see [Managing device identities](manage-device-identities.md).

+Microsoft Entra ID enables your organization to meet these goals with device identity management. You can now get your devices in Microsoft Entra ID and control them from a central location in the [Microsoft Entra admin center](https://entra.microsoft.com). This process gives you a unified experience, enhanced security, and reduces the time needed to configure a new device.

+* Simplify deployment and management ΓÇô Simplify the process of bringing devices to Microsoft Entra ID with [Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot), [bulk provisioning](/mem/intune/enrollment/windows-bulk-enroll), or [self-service: Out of Box Experience (OOBE)](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973). Manage devices with Mobile Device Management (MDM) tools like [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), and their identities in the [Microsoft Entra admin center](https://entra.microsoft.com).

+Once you've registered or joined your devices to Microsoft Entra ID, use the [Microsoft Entra admin center](https://entra.microsoft.com) as a central place to manage your device identities. The Microsoft Entra devices page enables you to:

+ :::image type="content" source="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png" alt-text="A screenshot showing the Windows troubleshooter located in the diagnose and solve pane." lightbox="media/troubleshoot-device-windows-joined/devices-troubleshoot-windows.png":::

+1. Return to the Microsoft Entra admin center when you've collected and zipped the `authlogs` folder and contents.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com).

+1. Browse to **Identity governance** > **Dashboard**

+1. Access the inactive guest account report by navigating to the **Guest access governance** card then select **View inactive guests**.

+1. You will see the inactive guest report which will provide insights about inactive guest users based on 90 days of inactivity. The threshold is set to 90 days by default but can be configured using "Edit inactivity threshold" based on your organization's needs.

+1. The following insights are provided as part of this report:

+1. The inactive days are calculated based on last sign in date if the user has signed in atleast once. For users who have never signed in, the inactive days are calculated based on creation date.

+### License requirements

+Microsoft Entra ID provides the means to validate dynamic group rules (in public preview). On the **Validate rules** tab, you can validate your dynamic rule against sample group members to confirm the rule is working as expected. When you create or update dynamic group rules, you want to know whether a user or a device will be a member of the group. This knowledge helps you evaluate whether a user or device meets the rule criteria and help you troubleshoot when membership isn't expected.

+To get started, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator).

+Browse to **Identity** > **Groups** > **All groups**. Select an existing dynamic group or create a new dynamic group and select **Dynamic membership rules**. You can then see the **Validate Rules** tab.

+1. In the Microsoft Entra admin center browse to **Identity** > **Billing** > **Licenses** > **All products**, select one or more licenses, and then select **Assign**.

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Groups Administrator](../roles/permissions-reference.md#groups-administrator).

+1. Browse to **Groups** > **All groups**.

+1. Select the **Guest users Contoso** group, select the ellipsis (...), and then select **Delete**. When you delete the group, any assigned licenses are removed.

+1. Select **Identity** > **Groups** > **All groups**. Select the name of the **All users** group to open the group.

+1. Browse to **Identity** > **Groups** > **All groups** and then select **General**.

+1. Browse to **Identity** > **Groups** > **All groups** > **Expiration** to open the expiration settings.

+1. Browse to **Identity** > **Groups** > **All groups** > **Expiration**.

+1. Browse to **Identity** > **Groups** > **Group settings** > **General**.

+1. Set **Users can create Microsoft 365 groups in Azure portals** to **No**.

+To see how many licenses are available, go to **Identity** > **Billing** > **Licenses** > **All products**.

+In the [Microsoft Entra admin center](https://entra.microsoft.com), you can view or edit the claims that are sent in the SAML token to the application. To access the settings, browse to **Identity** > **Applications** > **Enterprise applications** > the application that's configured for single sign-on > **Single sign-on**. See the SAML token settings in the **User Attributes** section.

+Only user properties and custom attributes listed in the **Identity** > **External Identities** > **Overview** > **Custom user attributes** experience are available to be sent in the request.

+The `<extensions-app-id>` is specific to your tenant. To find this identifier, navigate to **Identity** > **Applications** > **App registrations** > **All applications**. Search for the app that starts with "aad-extensions-app" and select it. On the app's Overview page, note the Application (client) ID.

+When signed in to the [Microsoft Entra admin center](https://entra.microsoft.com) and you try to access the **Custom security attributes** page, it is disabled.

+Browse to **Identity** > **Overview** and check the license for your tenant.

+When signed in to the [Microsoft Entra admin center](https://entra.microsoft.com) and you try to click the **Custom security attributes** > **Add attribute set** option, it is disabled.

+1. Open a Windows PowerShell command prompt, with Administrative privileges, from a machine that has access to the Microsoft Entra admin center.

+### Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention

+Disables accidentalDeletionPrevention tenant feature

+``` powershell

+Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId <TenantId>

+```

+This cmdlet requires `TenantId` of the Azure AD tenant. It will verify if Accidental Deletion Prevention feature, set on the tenant with Azure AD Connect (ADSync, not Cloud Sync), is enabled and disables it.

+#### Example:

+``` powershell

+Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId "340ab039-1234-5678-9012-28fe88f83980"

+```

+1. In the portal, select **Identity** > **Applications** > **App registrations** > **Select Application** > **Manifest**.

+Ensure that the Seamless SSO feature is still **Enabled** on your tenant. You can check the status by going to the **Identity** > **Hybrid management** > **Azure AD Connect** > **Connect Sync** pane in the [[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/).

+Browse to **Identity** > **Monitoring & health** > **Sign-ins** in the [[Microsoft Entra admin center](https://entra.microsoft.com)](https://portal.azure.com/), and then select a specific user's sign-in activity. Look for the **SIGN-IN ERROR CODE** field. Map the value of that field to a failure reason and resolution by using the following table:

+1. In about 8 hours, you'll be able to view a leaked credential detection under **Protection** > **Identity Protection** > **Risk Detection** > **Workload identity detections** where the additional info will contain the URL of your GitHub commit.

+1. To view the details of a given permission, select the permission from the list. The **Permission Details** pane opens.

+ After you've reviewed the permissions granted to an application, you can revoke permissions granted by admins for your entire organization.

+ > [!NOTE]

+ > You can't revoke permissions in the **User consent** tab using the portal. You can revoke these permissions using Microsoft Graph API calls or PowerShell cmdlets. Go to the PowerShell and Microsoft Graph tabs of this article for more information.

+To revoke permissions in the **Admin consent** tab:

+1. View the list of permissions in the **Admin consent** tab.

+1. Choose the permission you would like to revoke, then select the **...** control for that permission.

+ :::image type="content" source="media/manage-application-permissions/revoke-permissions.png" alt-text="Screenshot shows how to revoke admin consent.":::

+1. Select **Revoke permission**.

+1. Select the application to which you want to grant tenant-wide admin consent.

+1. Under **Security**, select **Permissions**.

+1. Carefully review the permissions that the application requires. If you agree with the permissions the application requires, select **Grant admin consent**.

+1. Navigate to **Identity** > **Monitoring & health** > **Workbooks**.

+ Title: 'Tutorial: Configure Bustle B2B Transport Systems for automatic user provisioning with Microsoft Entra ID'

+description: Learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Bustle B2B Transport Systems.

+writer: twimmers

+ms.assetid: 8bcb45f4-8f3d-4d7a-b2d7-ea7290bbc93b

+# Tutorial: Configure Bustle B2B Transport Systems for automatic user provisioning

+This tutorial describes the steps you need to perform in both Bustle B2B Transport Systems and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users to [Bustle B2B Transport Systems](https://app.bustle.tech) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](../app-provisioning/user-provisioning.md).

+## Supported capabilities

+> [!div class="checklist"]

+> * Create users in Bustle B2B Transport Systems.

+> * Remove users in Bustle B2B Transport Systems when they do not require access anymore.

+> * Keep user attributes synchronized between Microsoft Entra ID and Bustle B2B Transport Systems.

+> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to Bustle B2B Transport Systems (recommended).

+## Prerequisites

+The scenario outlined in this tutorial assumes that you already have the following prerequisites:

+* [A Microsoft Entra tenant](../develop/quickstart-create-new-tenant.md)

+* A user account in Microsoft Entra ID with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

+* A user account in Bustle B2B Transport Systems with Admin permissions.

+## Step 1: Plan your provisioning deployment

+* Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

+* Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Determine what data to [map between Microsoft Entra ID and Bustle B2B Transport Systems](../app-provisioning/customize-application-attributes.md).

+## Step 2: Configure Bustle B2B Transport Systems to support provisioning with Microsoft Entra ID

+Contact Bustle B2B Transport Systems support to configure Bustle B2B Transport Systems to support provisioning with Microsoft Entra ID.

+## Step 3: Add Bustle B2B Transport Systems from the Microsoft Entra application gallery

+Add Bustle B2B Transport Systems from the Microsoft Entra application gallery to start managing provisioning to Bustle B2B Transport Systems. If you have previously setup Bustle B2B Transport Systems for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

+## Step 4: Define who will be in scope for provisioning

+The Microsoft Entra provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users to the application. If you choose to scope who will be provisioned based solely on attributes of the user, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* Start small. Test with a small set of users before rolling out to everyone. When scope for provisioning is set to assigned users, you can control this by assigning one or two users to the app. When scope is set to all users, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

+## Step 5: Configure automatic user provisioning to Bustle B2B Transport Systems

+This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users in TestApp based on user assignments in Microsoft Entra ID.

+<a name='to-configure-automatic-user-provisioning-for-Bustle B2B Transport Systems-in-azure-ad'></a>

+### To configure automatic user provisioning for Bustle B2B Transport Systems in Microsoft Entra ID:

+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).

+1. Browse to **Identity** > **Applications** > **Enterprise applications**

+ 

+1. In the applications list, select **Bustle B2B Transport Systems**.

+ 

+1. Select the **Provisioning** tab.

+ 

+1. Set the **Provisioning Mode** to **Automatic**.

+ 

+1. Under the **Admin Credentials** section, input your Bustle B2B Transport Systems Tenant URL and Secret Token. Click **Test Connection** to ensure Microsoft Entra ID can connect to Bustle B2B Transport Systems. If the connection fails, ensure your Bustle B2B Transport Systems account has Admin permissions and try again.

+ 

+1. In the **Notification Email** field, enter the email address of a person who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

+ 

+1. Select **Save**.

+1. Under the **Mappings** section, select **Synchronize Microsoft Entra users to Bustle B2B Transport Systems**.

+1. Review the user attributes that are synchronized from Microsoft Entra ID to Bustle B2B Transport Systems in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Bustle B2B Transport Systems for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you need to ensure that the Bustle B2B Transport Systems API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

+ |Attribute|Type|Supported for filtering|Required by Bustle B2B Transport Systems|

+ |||||

+ |userName|String|&check;|&check;

+ |active|Boolean||

+ |emails[type eq "work"].value|String||&check;

+ |name.givenName|String||&check;

+ |name.familyName|String||&check;

+ |phoneNumbers[type eq "work"].value|String||&check;

+ |externalId|String||&check;

+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

+1. To enable the Microsoft Entra provisioning service for Bustle B2B Transport Systems, change the **Provisioning Status** to **On** in the **Settings** section.

+ 

+1. Define the users that you would like to provision to Bustle B2B Transport Systems by choosing the desired values in **Scope** in the **Settings** section.

+ 

+1. When you're ready to provision, click **Save**.

+ 

+This operation starts the initial synchronization cycle of all users defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running.

+## Step 6: Monitor your deployment

+Once you've configured provisioning, use the following resources to monitor your deployment:

+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion

+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

+## More resources

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

+* [What is application access and single sign-on with Microsoft Entra ID?](../manage-apps/what-is-single-sign-on.md)

+## Next steps

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+ },

+ "issuanceDate": "yyyy-MM-ddTHH:mm:ssZ",

+ "expirationDate": "yyyy-MM-ddTHH:mm:ssZ"

+## September 2023

+Verified ID is retiring old Request Service API endpoints that were available before Verified ID was General Available. These APIs should not have been used since GA in August 2022, but if they are used in your app, you need to migrate. The API endpoints being retired are:

+```http

+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/request

+GET https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/request/:requestId

+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/present

+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/issuance

+```

+The first API was for creating an issuance or presentation request. The second API was for retrieving a request and the last two APIs was for a wallet completing issuance or presentation. The API endpoints to use since preview are the following.

+```http

+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/createPresentationRequest

+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/createIssuanceRequest

+GET https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/presentationRequests/:requestId

+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/completeIssuance

+POST https://verifiedid.did.msidentity.com/v1.0/:tenant/verifiablecredentials/verifyPresentation

+```

+Please note that the `/request` API is split into two depending on if you are creating an issuance or presentation request.

+The retired API endpoints will not work after October 2023, 2023.

+## August 2023

+The `presentation_verified` callback from the Request Service API now returns when a Verified ID credential was issued and when it expires. Business rules can use these values to see the time windoww of when the presented Verified ID credential is valid. An example of this is that it expires in an hour while the business required in needs to be valid until the end of the day.

+Azure OpenAI Service includes a content filtering system that works alongside core models. This system works by running both the prompt and completion through an ensemble of classification models aimed at detecting and preventing the output of harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions. Variations in API configurations and application design may affect completions and thus filtering behavior.

+The content filtering models have been specifically trained and tested on the following languages: English, German, Japanese, Spanish, French, Italian, Portuguese, and Chinese. However, the service can work in many other languages, but the quality may vary. In all cases, you should do your own testing to ensure that it works for your application.

+When you access a private AKS cluster, you need to connect to the cluster from the cluster virtual network, a peered network, or a configured private endpoint. These approaches require configuring a VPN, Express Route, deploying a *jumpbox* within the cluster virtual network, or creating a private endpoint inside of another virtual network.

+With the Azure CLI, you can use `command invoke` to access private clusters without the need to configure a VPN or Express Route. `command invoke` allows you to remotely invoke commands, like `kubectl` and `helm`, on your private cluster through the Azure API without directly connecting to the cluster. The `Microsoft.ContainerService/managedClusters/runcommand/action` and `Microsoft.ContainerService/managedclusters/commandResults/read` actions control the permissions for using `command invoke`.

+With the Azure portal, you can use the `Run command` feature to run commands on your private cluster. The `Run command` feature uses the same `command invoke` functionality to run commands on your cluster.

+## Before you begin

+Before you begin, make sure you have the following resources and permissions:

+* An existing private cluster. If you don't have one, see [Create a private AKS cluster](./private-clusters.md).

+* The Azure CLI version 2.24.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

+## Connect to cluster using kubectl

+* Configure `kubectl` to connect to your cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.

+ ```azurecli-interactive

+ az aks get-credentials -g <resource-group> -n <cluster-name>

+ ```

+[az-aks-get-credentials]: /cli/azure/aks#az-aks-get-credentials

+Azure Kubernetes Service (AKS) uses certificates for authentication with many of its components. RBAC-enabled clusters created after March 2022 are enabled with certificate auto-rotation. You may need to periodically rotate those certificates for security or policy reasons. For example, you may have a policy to rotate all your certificates every 90 days.

+> Certificate auto-rotation is *only* enabled by default for RBAC enabled AKS clusters.

+This article requires the Azure CLI version 2.0.77 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].

+AKS generates and uses the following certificates, Certificate Authorities (CA), and Service Accounts (SA):

+* The AKS API server creates a CA called the Cluster CA.

+* Each kubelet creates a Certificate Signing Request (CSR), which the Cluster CA signs, for communication from the kubelet to the API server.

+* Each node uses an SA token, which the Cluster CA signs.

+Microsoft maintains all certificates mentioned in this section, except for the cluster certificate.

+> * **AKS clusters created *before* May 2019** have certificates that expire after two years.

+> * **AKS clusters created *after* May 2019** have Cluster CA certificates that expire after 30 years.

+>

+> You can verify when your cluster was created using the `kubectl get nodes` command, which shows you the *Age* of your node pools.

+## Check certificate expiration dates

+### Check cluster certificate expiration date

+* Check the expiration date of the cluster certificate using the `kubectl config view` command.

+ ```console

+ kubectl config view --raw -o jsonpath="{.users[?(@.name == 'clusterUser_rg_myAKSCluster')].user.client-certificate-data}" | base64 -d | openssl x509 -text | grep -A2 Validity

+ ```

+### Check API server certificate expiration date

+* Check the expiration date of the API server certificate using the following `curl` command.

+ ```console

+ curl https://{apiserver-fqdn} -k -v 2>&1 |grep expire

+ ```

+### Check VMAS agent node certificate expiration date

+* Check the expiration date of the VMAS agent node certificate using the `az vm run-command invoke` command.

+ ```azurecli-interactive

+ az vm run-command invoke -g MC_rg_myAKSCluster_region -n vm-name --command-id RunShellScript --query 'value[0].message' -otsv --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate"

+ ```

+### Check Virtual Machine Scale Set agent node certificate expiration date

+* Check the expiration date of the Virtual Machine Scale Set agent node certificate using the `az vm run-command invoke` command.

+ ```azurecli-interactive

+ az vmss run-command invoke --resource-group "MC_rg_myAKSCluster_region" --name "vmss-name" --command-id RunShellScript --instance-id 1 --scripts "openssl x509 -in /etc/kubernetes/certs/apiserver.crt -noout -enddate" --query "value[0].message"

+ ```

+## Certificate Auto Rotation

+For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/), which is enabled by default in all Azure regions.

+>

+> * If you have an existing cluster, you have to upgrade that cluster to enable Certificate Auto Rotation.

+> * Don't disable Bootstrap to keep auto rotation enabled.

+> * If the cluster is in a stopped state during the auto certificate rotation, only the control plane certificates are rotated. In this case, you should recreate the node pool after certificate rotation to initiate the node pool certificate rotation.

+For any AKS clusters created or upgraded after March 2022, Azure Kubernetes Service automatically rotates non-CA certificates on both the control plane and agent nodes within 80% of the client certificate valid time before they expire with no downtime for the cluster.

+### How to check whether current agent node pool is TLS Bootstrapping enabled?

+1. Verify if your cluster has TLS Bootstrapping enabled by browsing to one to the following paths:

+ * On a Linux node: */var/lib/kubelet/bootstrap-kubeconfig* or */host/var/lib/kubelet/bootstrap-kubeconfig*

+ * On a Windows node: *C:\k\bootstrap-config*

+ For more information, see [Connect to Azure Kubernetes Service cluster nodes for maintenance or troubleshooting][aks-node-access].

+ > [!NOTE]

+ > The file path may change as Kubernetes versions evolve.

+2. Once a region is configured, create a new cluster or upgrade an existing cluster to set auto rotation for the cluster certificate. You need to upgrade the control plane and node pool to enable this feature.

+> Rotating your certificates using `az aks rotate-certs` recreates all of your nodes, Virtual Machine Scale Sets and Disks and can cause up to *30 minutes of downtime* for your AKS cluster.

+1. Connect to your cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.

+ ```azurecli-interactive

+ az aks get-credentials -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME

+ ```

+2. Rotate all certificates, CAs, and SAs on your cluster using the [`az aks rotate-certs`][az-aks-rotate-certs] command.

+ ```azurecli-interactive

+ az aks rotate-certs -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME

+ ```

+ > [!IMPORTANT]

+ > It may take up to 30 minutes for `az aks rotate-certs` to complete. If the command fails before completing, use `az aks show` to verify the status of the cluster is *Certificate Rotating*. If the cluster is in a failed state, rerun `az aks rotate-certs` to rotate your certificates again.

+3. Verify the old certificates are no longer valid using any `kubectl` command, such as `kubectl get nodes`.

+ ```azurecli-interactive

+ kubectl get nodes

+ ```

+ If you haven't updated the certificates used by `kubectl`, you see an error similar to the following example output:

+ ```output

+ Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca")

+ ```

+4. Update the certificate used by `kubectl` using the [`az aks get-credentials`][az-aks-get-credentials] command with the `--overwrite-existing` flag.

+ ```azurecli-interactive

+ az aks get-credentials -g $RESOURCE_GROUP_NAME -n $CLUSTER_NAME --overwrite-existing

+ ```

+5. Verify the certificates have been updated using the [`kubectl get`][kubectl-get] command.

+ ```azurecli-interactive

+ kubectl get nodes

+ ```

+ > [!NOTE]

+ > If you have any services that run on top of AKS, you might need to update their certificates.

+This article showed you how to automatically rotate your cluster certificates, CAs, and SAs. For more information, see [Best practices for cluster security and upgrades in Azure Kubernetes Service (AKS)][aks-best-practices-security-upgrades].

+<!-- LINKS - internal -->

+[az-aks-rotate-certs]: /cli/azure/aks#az_aks_rotate_certs

+<!-- LINKS - external -->

+[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get

+ Title: Configure kube-proxy (iptables/IPVS) (Preview)

+# Configure `kube-proxy` in Azure Kubernetes Service (AKS) (Preview)

+`kube-proxy` is a component of Kubernetes that handles routing traffic for services within the cluster. There are two backends available for Layer 3/4 load balancing in upstream `kube-proxy`: iptables and IPVS.

+- **iptables** is the default backend utilized in the majority of Kubernetes clusters. It's simple and well-supported, but not as efficient or intelligent as IPVS.

+- **IPVS** uses the Linux Virtual Server, a layer 3/4 load balancer built into the Linux kernel. IPVS provides a number of advantages over the default iptables configuration, including state awareness, connection tracking, and more intelligent load balancing. IPVS *doesn't support Azure Network Policy*.

+For more information, see the [Kubernetes documentation on kube-proxy](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/).

+> [!NOTE]

+> If you want, you can disable the AKS-managed `kube-proxy` DaemonSet to support [bring-your-own CNI][aks-byo-cni].

+## Before you begin

+- If using the Azure CLI, you need the `aks-preview` extension. See [Install the `aks-preview` Azure CLI extension](#install-the-aks-preview-azure-cli-extension).

+- If using ARM or the REST API, the AKS API version must be *2022-08-02-preview or later*.

+- You need to register the `KubeProxyConfigurationPreview` feature flag. See [Register the `KubeProxyConfigurationPreview` feature flag](#register-the-kubeproxyconfigurationpreview-feature-flag).

+### Install the `aks-preview` Azure CLI extension

+1. Install the `aks-preview` extension using the [`az extension add`][az-extension-add] command.

+ ```azurecli-interactive

+ az extension add --name aks-preview

+ ```

+2. Update to the latest version of the extension using the [`az extension update`][az-extension-update] command.

+ ```azurecli-interactive

+ az extension update --name aks-preview

+ ```

+### Register the `KubeProxyConfigurationPreview` feature flag

+1. Register the `KubeProxyConfigurationPreview` feature flag using the [`az feature register`][az-feature-register] command.

+ ```azurecli-interactive

+ az feature register --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"

+ ```

+ It takes a few minutes for the status to show *Registered*.

+2. Verify the registration status using the [`az feature show`][az-feature-show] command.

+ ```azurecli-interactive

+ az feature show --namespace "Microsoft.ContainerService" --name "KubeProxyConfigurationPreview"

+ ```

+3. When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider using the [`az provider register`][az-provider-register] command.

+ ```azurecli-interactive

+ az provider register --namespace Microsoft.ContainerService

+ ```

+## `kube-proxy` configuration options

+You can view the full `kube-proxy` configuration structure in the [AKS Cluster Schema][aks-schema-kubeproxyconfig].

+- **`enabled`**: Determines deployment of the `kube-proxy` DaemonSet. Defaults to `true`.

+- **`mode`**: You can set to either `IPTABLES` or `IPVS`. Defaults to `IPTABLES`.

+- **`ipvsConfig`**: If `mode` is `IPVS`, this object contains IPVS-specific configuration properties.

+ - **`scheduler`**: Determines which connection scheduler to use. Supported values include:

+ - **`LeastConnection`**: Sends connections to the backend pod with the fewest connections.

+ - **`RoundRobin`**: Evenly distributes connections between backend pods.

+ - **`tcpFinTimeoutSeconds`**: Sets the timeout length value after a TCP session receives a FIN.

+ - **`tcpTimeoutSeconds`**: Sets the timeout length value for idle TCP sessions.

+ - **`udpTimeoutSeconds`**: Sets the timeout length value for idle UDP sessions.

+> [!NOTE]

+> IPVS load balancing operates in each node independently and is only aware of connections flowing through the local node. This means that while `LeastConnection` results in a more even load under a higher number of connections, when a low amount of connections (# connects < 2 * node count) occur, traffic may be relatively unbalanced

+## Use `kube-proxy` in a new or existing AKS cluster

+`kube-proxy` configuration is a cluster-wide setting. You don't need to update your services.

+> [!WARNING]

+> Changing the kube-proxy configuration may cause a slight interruption in cluster service traffic flow.

+1. Create a configuration file with the desired `kube-proxy` configuration. For example, the following configuration enables IPVS with the `LeastConnection` scheduler and sets the TCP timeout to 900 seconds.

+ ```json

+ {

+ "enabled": true,

+ "mode": "IPVS",

+ "ipvsConfig": {

+ "scheduler": "LeastConnection",

+ "TCPTimeoutSeconds": 900,

+ "TCPFINTimeoutSeconds": 120,

+ "UDPTimeoutSeconds": 300

+ }

+ }

+ ```

+2. Create a new cluster or update an existing cluster with the configuration file using the [`az aks create`][az-aks-create] or [`az aks update`][az-aks-update] command with the `--kube-proxy-config` parameter set to the configuration file.

+ ```azurecli-interactive

+ # Create a new cluster

+ az aks create -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json

+

+ # Update an existing cluster

+ az aks update -g <resourceGroup> -n <clusterName> --kube-proxy-config kube-proxy.json

+ ```

+This article covered how to configure `kube-proxy` in Azure Kubernetes Service (AKS). To learn more about load balancing in AKS, see the following articles:

+- [Use a standard public load balancer in AKS](load-balancer-standard.md)

+- [Use an internal load balancer in AKS](internal-lb.md)

+[az-extension-add]: /cli/azure/extension#az-extension-add

+[az-extension-update]: /cli/azure/extension#az-extension-update

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-aks-update]: /cli/azure/aks#az-aks-update

+1. Access your key vault using the [`az aks show`][az-aks-show] command and the user-assigned managed identity created by the add-on when you [enabled the Azure Key Vault Provider for Secrets Store CSI Driver on your AKS Cluster](./csi-secrets-store-driver.md#create-an-aks-cluster-with-azure-key-vault-provider-for-secrets-store-csi-driver-support).

+## Login to your Azure Account

+> [!IMPORTANT]

+> Outbound type of UDR requires a route for 0.0.0.0/0 and a next hop destination of NVA in the route table.

+> The route table already has a default 0.0.0.0/0 to the Internet. Without a public IP address for Azure to use for Source Network Address Translation (SNAT), simply adding this route won't provide you outbound Internet connectivity. AKS validates that you don't create a 0.0.0.0/0 route pointing to the Internet but instead to a gateway, NVA, etc.

+> When using an outbound type of UDR, a load balancer public IP address for **inbound requests** isn't created unless you configure a service of type *loadbalancer*. AKS never creates a public IP address for **outbound requests** if you set an outbound type of UDR.

+> For more information, see [Outbound rules for Azure Load Balancer](../load-balancer/outbound-rules.md#scenario6out).

+* Generate a [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret)

+[Microsoft Azure Attestation](overview.md) is a solution for attesting Trusted Execution Environments (TEEs). This quickstart focuses on the process of creating a Microsoft Azure Attestation policy using Terraform.

+> Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA) will be [retired in August 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Azure Automation Update Management solution relies on this agent and may encounter issues once the agent is retired as it does not work with Azure Monitoring Agent (AMA). Therefore, if you are using the Azure Automation Update Management solution, we recommend that you move to Azure Update Manager for your software update needs. All the capabilities of Azure Automation Update management solution will be available on Azure Update Manager before the retirement date. Follow the [guidance](../../update-center/guidance-migration-automation-update-management-azure-update-manager.md) to move your machines and schedules from Automation Update Management to Azure Update Manager.

+{ "extensions":

+ Title: Update Java versions in Azure Functions

+description: Learn how to update an existing function app in Azure Functions to run on a new version of Java.

+zone_pivot_groups: app-service-platform-windows-linux

+# Update Java versions in Azure Functions

+The Azure Functions supports specific versions of Java. This support changes based on the support or Java versions. As these supported versions change, you need to update your Java function apps. You may also want to update your apps to take advantage of features in newer supported version of Java. For more information, see [Supported versions](functions-reference-java.md#supported-versions) in the Java developer guide.

+The way that you update your function app depends on whether you run on Windows or Linux. This version is for Windows. Choose your OS at the [top](#top) of the article.

+The way that you update your function app depends on whether you run on Windows or Linux. This version is for Linux. Choose your OS at the [top](#top) of the article.

+## Prepare to update

+Before you update the Java version in Azure, you should complete these tasks:

+### 1. Verify your functions locally

+Before upgrading the Java version used by your function app in Azure, make sure that you have fully tested and verified your function code locally on the new target version of Java. Examples in this article assume you're updating to Java 17.

+### 2. Move to the latest Functions runtime

+

+Before updating your Java version, make sure your function app is running on the latest version of the Functions runtime (version 4.x).

+### [Azure portal](#tab/azure-portal)

+Use these steps to determine your Functions runtime version:

+1. In the [Azure portal](https://portal.azure.com), locate your function app and select **Configuration** on the left-hand side under **Settings**.

+1. Select the **Function runtime settings** tab and check the **Runtime version** value to see if your function app is running on version 4.x of the Functions runtime (`~4`).

+ :::image type="content" source="media/update-java-versions/update-functions-version-portal.png" alt-text="Screenshot of how to view the Functions runtime version for your app in the Azure portal.":::

+### [Azure CLI](#tab/azure-cli)

+Use this [`az functionapp config appsettings list`](/cli/azure/functionapp/config/appsettings#az-functionapp-config-appsettings-list) command to check your runtime version:

+```azurecli

+az functionapp config appsettings list --name "<FUNCTION_APP_NAME>" --resource-group "<RESOURCE_GROUP_NAME>"

+```

+The `FUNCTIONS_EXTENSION_VERSION` setting sets the runtime version. A value of `~4` means that your function app is already running on the latest minor version of the latest major version (4.x).

+If you need to first update your function app to version 4.x, seeΓÇ»[Migrate apps from Azure Functions version 3.x to version 4.x](./migrate-version-3-version-4.md). You should follow the instructions in this article rather than just manually changing the `FUNCTIONS_EXTENSION_VERSION` setting.

+## Update the Java version

+You can use the Azure portal, Azure CLI, or Azure PowerShell to update the Java version for your function app.

+These procedures apply to all [Functions hosting options](./functions-scale.md).

+>[!NOTE]

+> You can't change the Java version in the Azure portal when your function app is running on Linux in a [Consumption plan](./consumption-plan.md). Instead use the Azure CLI.

+### [Azure portal](#tab/azure-portal)

+You can only use these steps for function apps hosted in a [Premium plan](./functions-premium-plan.md) or a [Dedicated (App Service) plan](./dedicated-plan.md). For a [Consumption plan](./consumption-plan.md), you must instead use the Azure CLI.

+Use the following steps to update the Java version:

+1. In the [Azure portal](https://portal.azure.com), locate your function app and select **Configuration** on the left-hand side.

+1. In the **General settings** tab, update the **Java version** to `Java 17`.

+ :::image type="content" source="media/update-java-versions/update-java-version-portal.png" alt-text="Screenshot of how to set the desired Java version for a function app in the Azure portal.":::

+1. When notified about a restart, select **Continue**, and then **Save**.

+### [Azure CLI](#tab/azure-cli)

+You can use the Azure CLI to update the Java version for any hosting plan.

+Run the [`az functionapp config set`](/cli/azure/functionapp/config#az-functionapp-config-set) command to update the Java version site setting to `17`:

+```azurecli

+az functionapp config set --java-version "17" --name "<APP_NAME>" --resource-group "<RESOURCE_GROUP>"

+```

+Run the [`az functionapp config set`](/cli/azure/functionapp/config#az-functionapp-config-set) command to update the Linux site setting with the new Java version for your function app.

+```azurecli

+az functionapp config set --linux-fx-version "java|17" --name "<APP_NAME>" --resource-group "<RESOURCE_GROUP>"

+```

+In this example, replace `<APP_NAME>` and `<RESOURCE_GROUP>` with the name of your function app and resource group, respectively.

+Your function app restarts after you update the Java version. To learn more about Functions support for Java, seeΓÇ»[Language runtime support policy](language-support-policy.md).

+## Next steps

+> [!div class="nextstepaction"]

+> [Java developer guide](./functions-reference-java.md)

+

+Data is imperative for maps. Use the Data registry service to access geospatial data, used with spatial operations or image composition, previously uploaded to your [Azure Storage]. By bringing customer data closer to the Azure Maps service, you reduce latency and increase productivity. For more information, see [Data registry] in the Azure Maps REST API documentation.

+> The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data registry] service by 9/16/24. For more information, see [How to create data registry].

+For more information, see [Geolocation] in the Azure Maps REST API documentation.

+[Render] service introduces a new version of the [Get Map Tile] API that supports using Azure Maps tiles not only in the Azure Maps SDKs but other map controls as well. It includes raster and vector tile formats, 256x256 or 512x512 tile sizes (where applicable) and numerous map types such as road, weather, contour, or map tiles. For a complete list, see [TilesetID] in the REST API documentation. You're required to display the appropriate copyright attribution on the map anytime you use the Azure Maps Render service, either as basemaps or layers, in any third-party map control. For more information, see [How to use the Get Map Attribution API].

+For more information, see [Route] in the Azure Maps REST API documentation.

+For more information, see [Search] in the Azure Maps REST API documentation.

+The service enables customers to enhance their location intelligence with a library of common geospatial mathematical calculations. Common calculations include closest point, great circle distance, and buffers. For more information about the Spatial service and its various features, see [Spatial] in the Azure Maps REST API documentation.

+For more information, see [Timezone] in the Azure Maps REST API documentation.

+For more information, see [Traffic] in the Azure Maps REST API documentation.

+[Data registry]: /rest/api/maps/data-registry

+[Geolocation]: /rest/api/maps/geolocation

+[Render]: /rest/api/maps/render-v2

+[Route]: /rest/api/maps/route

+[Search]: /rest/api/maps/search

+[Spatial]: /rest/api/maps/spatial

+[Timezone]: /rest/api/maps/timezone

+[Traffic]: /rest/api/maps/traffic

+The first step in creating your indoor map is to upload a drawing package into your Azure Maps account. A drawing package contains one or more CAD (computer-aided design) drawings of your facility along with a manifest describing the drawings. The drawings define the elements of the facility while the manifest tells the Azure Maps [Conversion] service how to read the facility drawing files and metadata. For more

+ use the [Conversion] service to validate the data in the uploaded drawing

+[Conversion]: /rest/api/maps/v2/conversion

+¹ The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data Registry] service by 9/16/24. For more information, see [How to create data registry].

+[Data Registry]: /rest/api/maps/data-registry

+The [Search] service is a set of RESTful APIs designed to help developers search addresses, places, and business listings by name, category, and other geographic information. In addition to supporting traditional geocoding, services can also reverse geocode addresses and cross streets based on latitudes and longitudes. Latitude and longitude values returned by the search can be used as parameters in other Azure Maps services, such as [Route] and [Weather].

+[Search]: /rest/api/maps/search

+Regarding pin locations, Azure Maps requires the coordinates to be in `longitude,latitude` format whereas Bing Maps uses `latitude,longitude` format. Also note that **there is a space, not a comma** separating longitude and latitude in Azure Maps.

+When it comes to path locations, Azure Maps requires the coordinates to be in `longitude,latitude` format whereas Bing Maps uses `latitude,longitude` format. Also note that **there is a space, not a comma separating** longitude and latitude in Azure Maps. Azure Maps doesn't support encoded paths currently.

+In Azure Maps, the pin location needs to be in the "longitude,latitude" format. Google Maps uses "latitude,longitude" format. A space, not a comma, separates longitude and latitude in the Azure Maps format.

+When it comes to path locations, Azure Maps requires the coordinates to be in "longitude,latitude" format. Google Maps uses "latitude,longitude" format. A space, not a comma, separates longitude and latitude in the Azure Maps format. Azure Maps doesn't support encoded paths or addresses for points.

+¹ The Azure Maps Data service (both [v1] and [v2]) is now deprecated and will be retired on 9/16/24. To avoid service disruptions, all calls to the Data service will need to be updated to use the Azure Maps [Data Registry] service by 9/16/24. For more information, see [How to create data registry].

+src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",

+Python applications can be monitored by using the [Azure Monitor OpenTelemetry Distro](opentelemetry-enable.md?tabs=python).

+### [JavaScript](#tab/javascript)

+JavaScript requires the [Application Insights SDK](javascript.md).

+### Automatic instrumentation (enable without code changes)

+* [Autoinstrumentation supported environments and languages](codeless-overview.md#supported-environments-languages-and-resource-providers)

+### Manual instrumentation

+#### OpenTelemetry Distro

+* [ASP.NET](opentelemetry-enable.md?tabs=net)

+* [Java](opentelemetry-enable.md?tabs=java)

+* [Node.js](opentelemetry-enable.md?tabs=nodejs)

+* [Python](opentelemetry-enable.md?tabs=python)

+* [ASP.NET Core](opentelemetry-enable.md?tabs=aspnetcore) (preview)

+#### Application Insights SDK (Classic API)

+* [ASP.NET](./asp-net.md)

+* [ASP.NET Core](./asp-net-core.md)

+#### Client-side JavaScript SDK

+* [JavaScript](./javascript.md)

+ * [React](./javascript-framework-extensions.md)

+ * [React Native](./javascript-framework-extensions.md)

+ * [Angular](./javascript-framework-extensions.md)

+#### Logging frameworks

+* [`ILogger`](./ilogger.md)

+* [`Log4J`, Logback, or java.util.logging](./opentelemetry-add-modify.md?tabs=java#logs)

+#### Export and data analysis

+Many community-supported Application Insights SDKs exist. Azure Monitor only provides support when you use the supported instrumentation options listed in this article.

+We're constantly assessing opportunities to expand our support for other languages. For the latest news, see [Azure updates for Application Insights](https://azure.microsoft.com/updates/?query=application%20insights).

+* [Performance counters](./performance-counters.md): Performance counters are available when using:

+- [Azure Monitor Application Insights agent](application-insights-asp-net-agent.md)

+- [Azure monitoring for VMs or virtual machine scale sets](./azure-vm-vmss-apps.md)

+- [Application Insights `collectd` writer](/previous-versions/azure/azure-monitor/app/deprecated-java-2x#collectd-linux-performance-metrics-in-application-insights-deprecated).

+### How can I query Application Insights telemetry?

+Post coding questions to [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-application-insights) by using an `azure-application-insights` tag.

+### Why would a custom measurement succeed without error but the log doesn't show up?

+This can occur if you're using string values. Only numeric values work with custom measurements.

+For information on setting up the Application Insights Java agent, see [Enabling Azure Monitor OpenTelemetry for Java](./opentelemetry-enable.md?tabs=java). The following sections provide additional details which may be helpful when configuring the `-javaagent:...` JVM arg on different application servers.

+ src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",

+ "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js"

+ url: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js"

+The Microsoft Azure Monitor Application Insights JavaScript SDK collects usage data, which allows you to monitor and analyze the performance of JavaScript web applications. This is commonly referred to as Real User Monitoring or RUM.

+The Application Insights JavaScript SDK has a base SDK and several plugins for more capabilities.

+- If you're adding a [framework extension](./javascript-framework-extensions.md), which you can [add](#optional-add-advanced-sdk-configuration) after you follow the steps to get started below, you can optionally add Click Analytics when you add the framework extension.

+ If Internet Explorer 8 is detected, JavaScript SDK v2.x is automatically loaded.

+ !(function (cfg){function e(){cfg.onInit&&cfg.onInit(i)}var S,u,D,t,n,i,C=window,x=document,w=C.location,I="script",b="ingestionendpoint",E="disableExceptionTracking",A="ai.device.";"instrumentationKey"[S="toLowerCase"](),u="crossOrigin",D="POST",t="appInsightsSDK",n=cfg.name||"appInsights",(cfg.name||C[t])&&(C[t]=n),i=C[n]||function(l){var d=!1,g=!1,f={initialize:!0,queue:[],sv:"7",version:2,config:l};function m(e,t){var n={},i="Browser";function a(e){e=""+e;return 1===e.length?"0"+e:e}return n[A+"id"]=i[S](),n[A+"type"]=i,n["ai.operation.name"]=w&&w.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(f.sv||f.version),{time:(i=new Date).getUTCFullYear()+"-"+a(1+i.getUTCMonth())+"-"+a(i.getUTCDate())+"T"+a(i.getUTCHours())+":"+a(i.getUTCMinutes())+":"+a(i.getUTCSeconds())+"."+(i.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}},ver:4,seq:"1",aiDataContract:undefined}}var h=-1,v=0,y=["js.monitor.azure.com","js.cdn.applicationinsights.io","js.cdn.monitor.azure.com","js0.cdn.applicationinsights.io","js0.cdn.monitor.azure.com","js2.cdn.applicationinsights.io","js2.cdn.monitor.azure.com","az416426.vo.msecnd.net"],k=l.url||cfg.src;if(k){if((n=navigator)&&(~(n=(n.userAgent||"").toLowerCase()).indexOf("msie")||~n.indexOf("trident/"))&&~k.indexOf("ai.3")&&(k=k.replace(/(\/)(ai\.3\.)([^\d]*)$/,function(e,t,n){return t+"ai.2"+n})),!1!==cfg.cr)for(var e=0;e<y.length;e++)if(0<k.indexOf(y[e])){h=e;break}var i=function(e){var a,t,n,i,o,r,s,c,p,u;f.queue=[],g||(0<=h&&v+1<y.length?(a=(h+v+1)%y.length,T(k.replace(/^(.*\/\/)([\w\.]*)(\/.*)$/,function(e,t,n,i){return t+y[a]+i})),v+=1):(d=g=!0,o=k,c=(p=function(){var e,t={},n=l.connectionString;if(n)for(var i=n.split(";"),a=0;a<i.length;a++){var o=i[a].split("=");2===o.length&&(t[o[0][S]()]=o[1])}return t[b]||(e=(n=t.endpointsuffix)?t.location:null,t[b]="https://"+(e?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||l.instrumentationKey||"",p=(p=p[b])?p+"/v2/track":l.endpointUrl,(u=[]).push((t="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",n=o,r=p,(s=(i=m(c,"Exception")).data).baseType="ExceptionData",s.baseData.exceptions=[{typeName:"SDKLoadFailed",message:t.replace(/\./g,"-"),hasFullStack:!1,stack:t+"\nSnippet failed to load ["+n+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(w&&w.pathname||"_unknown_")+"\nEndpoint: "+r,parsedStack:[]}],i)),u.push((s=o,t=p,(r=(n=m(c,"Message")).data).baseType="MessageData",(i=r.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+s+")").replace(/\"/g,"")+'"',i.properties={endpoint:t},n)),o=u,c=p,JSON&&((r=C.fetch)&&!cfg.useXhr?r(c,{method:D,body:JSON.stringify(o),mode:"cors"}):XMLHttpRequest&&((s=new XMLHttpRequest).open(D,c),s.setRequestHeader("Content-type","application/json"),s.send(JSON.stringify(o))))))},a=function(e,t){g||setTimeout(function(){!t&&f.core||i()},500),d=!1},T=function(e){var n=x.createElement(I),e=(n.src=e,cfg[u]);return!e&&""!==e||"undefined"==n[u]||(n[u]=e),n.onload=a,n.onerror=i,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||a(0,t)},cfg.ld&&cfg.ld<0?x.getElementsByTagName("head")[0].appendChild(n):setTimeout(function(){x.getElementsByTagName(I)[0].parentNode.appendChild(n)},cfg.ld||0),n};T(k)}try{f.cookie=x.cookie}catch(p){}function t(e){for(;e.length;)!function(t){f[t]=function(){var e=arguments;d||f.queue.push(function(){f[t].apply(f,e)})}}(e.pop())}var r,s,n="track",o="TrackPage",c="TrackEvent",n=(t([n+"Event",n+"PageView",n+"Exception",n+"Trace",n+"DependencyData",n+"Metric",n+"PageViewPerformance","start"+o,"stop"+o,"start"+c,"stop"+c,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),f.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(l.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==l[E]&&!0!==n[E]&&(t(["_"+(r="onerror")]),s=C[r],C[r]=function(e,t,n,i,a){var o=s&&s(e,t,n,i,a);return!0!==o&&f["_"+r]({message:e,url:t,lineNumber:n,columnNumber:i,error:a,evt:C.event}),o},l.autoExceptionInstrumented=!0),f}(cfg.cfg),(C[n]=i).queue&&0===i.queue.length?(i.queue.push(e),i.trackPageView({})):e();})({

+ src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",

+ // cr: 0,

+ | cr | boolean | Optional | If the SDK fails to load and the endpoint value defined for `src` is the public CDN location, this configuration option attempts to immediately load the SDK from one of the following backup CDN endpoints:<ul><li>js.monitor.azure.com</li><li>js.cdn.applicationinsights.io</li><li>js.cdn.monitor.azure.com</li><li>js0.cdn.applicationinsights.io</li><li>js0.cdn.monitor.azure.com</li><li>js2.cdn.applicationinsights.io</li><li>js2.cdn.monitor.azure.com</li><li>az416426.vo.msecnd.net</li></ul>NOTE: az416426.vo.msecnd.net is partially supported, so it's not recommended.<br><br>If the SDK successfully loads from a backup CDN endpoint, it loads from the first available one, which is determined when the server performs a successful load check. If the SDK fails to load from any of the backup CDN endpoints, the SDK Failure error message appears.<br><br>When not defined, the default value is `true`. If you donΓÇÖt want to load the SDK from the backup CDN endpoints, set this configuration option to `false`.<br><br>If youΓÇÖre loading the SDK from your own privately hosted CDN endpoint, this configuration option is not applicable.

+ The `connectionString` format must follow "InstrumentationKey=xxxx;....". If the string provided does not meet this format, the SDK load process fails.

+ In some cases, if multiple instances of different versions of Application Insights are running on the same page, errors can occur during initialization. For these cases and the error message that appears, see [Running multiple versions of the Application Insights JavaScript SDK in one session](https://github.com/microsoft/ApplicationInsights-JS/blob/main/versionConflict.md). If you've encountered one of these errors, try changing the namespace by using the `name` setting. For more information, see [JavaScript (Web) SDK Loader Script configuration](#javascript-web-sdk-loader-script-configuration).

+Automatic instrumentation of Logs is currently only supported when using `applicationinsights` v3 Beta package. (https://www.npmjs.com/package/applicationinsights/v/beta)

+# Import the `configure_azure_monitor()`, `SQLAlchemyInstrumentor`, `create_engine`, and `text` functions from the appropriate packages.

+# Configure OpenTelemetry to use Azure Monitor.

+# Create a SQLAlchemy engine.

+# SQLAlchemy instrumentation is not officially supported by this package, however, you can use the OpenTelemetry `instrument()` method manually in conjunction with `configure_azure_monitor()`.

+# Database calls using the SQLAlchemy library will be automatically captured.

+# Import the `configure_azure_monitor()` and `metrics` functions from the appropriate packages.

+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.

+# Get a meter provider and a meter with the name "otel_azure_monitor_histogram_demo".

+# Record three values to the histogram.

+# Wait for background execution.

+# Import the `configure_azure_monitor()` and `metrics` functions from the appropriate packages.

+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.

+# Get a meter provider and a meter with the name "otel_azure_monitor_counter_demo".

+# Create a counter metric with the name "counter".

+# Add three values to the counter.

+# The first argument to the `add()` method is the value to add.

+# The second argument is a dictionary of dimensions.

+# Dimensions are used to group related metrics together.

+# Wait for background execution.

+# Import the necessary packages.

+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.

+# Get a meter provider and a meter with the name "otel_azure_monitor_gauge_demo".

+# Define two observable gauge generators.

+# The first generator yields a single observation with the value 9.

+# The second generator yields a sequence of 10 observations with the value 9 and a different dimension value for each observation.

+# Create two observable gauges using the defined generators.

+# Wait for background execution.

+# Import the necessary packages.

+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.

+# Get a tracer for the current module.

+ # Start a new span with the name "hello".

+# Start a new span with the name "hello" and disable exception recording.

+ # Raise an exception.

+# Import the necessary packages.

+# Get a tracer for the current module.

+# Start a new span with the name "my first span" and make it the current span.

+ # Do stuff within the context of this span.

+ # All telemetry generated within this scope will be attributed to this span.

+ # Record the exception on the span.

+# Import the necessary packages.

+# Get a tracer for the current module.

+# Start a new span with the name "my request span" and the kind set to SpanKind.SERVER.

+ # Do stuff within the context of this span.

+You need to use the `applicationinsights` v3 Beta package to send custom telemetry using the Application Insights classic API. (https://www.npmjs.com/package/applicationinsights/v/beta)

+# Import the necessary packages.

+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+# Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.

+# Create a SpanEnrichingProcessor instance.

+# Add the span enrich processor to the current TracerProvider.

+# Import the SpanProcessor class from the opentelemetry.sdk.trace module.

+ # Prefix the span name with the string "Updated-".

+ # Add the custom dimension "CustomDimension1" with the value "Value1".

+ # Add the custom dimension "CustomDimension2" with the value "Value2".

+# Set the `http.client_ip` attribute of the span to the specified IP address.

+# Set the `enduser.id` attribute of the span to the specified user ID.

+# Create a warning log message with the properties "key1" and "value1".

+ # Import the Flask and Azure Monitor OpenTelemetry SDK libraries.

+ # Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+ # Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.

+

+ # Create a Flask application.

+ # Define a route. Requests sent to this endpoint will not be tracked due to

+ # flask_config configuration.

+ # Import the necessary libraries.

+ # Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+ # Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.

+

+ # Add a SpanFilteringProcessor to the tracer provider.

+ # Import the necessary libraries.

+ # Define a custom span processor called `SpanFilteringProcessor`.

+ # Prevents exporting spans from internal activities.

+ # Check if the span is an internal activity.

+ # Create a new span context with the following properties:

+ # * The trace ID is the same as the trace ID of the original span.

+ # * The span ID is the same as the span ID of the original span.

+ # * The is_remote property is set to `False`.

+ # * The trace flags are set to `DEFAULT`.

+ # * The trace state is the same as the trace state of the original span.

+```python

+# Import the necessary libraries.

+from opentelemetry import trace

+# Get the trace ID and span ID of the current span.

+trace_id = trace.get_current_span().get_span_context().trace_id

+span_id = trace.get_current_span().get_span_context().span_id

+```

+# Import the `configure_azure_monitor()` function from the `azure.monitor.opentelemetry` package.

+# Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+# Replace `<your-connection-string>` with the connection string of your Azure Monitor Application Insights resource.

+# Import the `ManagedIdentityCredential` class from the `azure.identity` package.

+# Import the `configure_azure_monitor()` function from the `azure.monitor.opentelemetry` package.

+# Configure OpenTelemetry to use Azure Monitor with a managed identity credential.

+# This will allow OpenTelemetry to authenticate to Azure Monitor without requiring you to provide a connection string.

+# Configure OpenTelemetry to use Azure Monitor with the specified connection string and storage directory.

+# Replace `your-connection-string` with the connection string to your Azure Monitor Application Insights resource.

+# Replace `C:\\SomeDirectory` with the directory where you want to store the telemetry data before it is sent to Azure Monitor.

+# Configure OpenTelemetry to use Azure Monitor with the specified connection string and disable offline storage.

+# Replace `your-connection-string` with the connection string to your Azure Monitor Application Insights resource.

+ # Import the `configure_azure_monitor()`, `trace`, `OTLPSpanExporter`, and `BatchSpanProcessor` classes from the appropriate packages.

+ # Configure OpenTelemetry to use Azure Monitor with the specified connection string.

+ # Replace `<your-connection-string>` with the connection string to your Azure Monitor Application Insights resource.

+

+ # Get the tracer for the current module.

+ # Create an OTLP span exporter that sends spans to the specified endpoint.

+ # Replace `http://localhost:4317` with the endpoint of your OTLP collector.

+

+ # Create a batch span processor that uses the OTLP span exporter.

+

+ # Add the batch span processor to the tracer provider.

+ # Start a new span with the name "test".

+To enable Container insights, you require the following permissions:

+- You must have at least [Contributor](../../role-based-access-control/built-in-roles.md#contributor) access to the AKS cluster.

+- You must have [Monitoring Reader](../roles-permissions-security.md#monitoring-reader) or [Monitoring Contributor](../roles-permissions-security.md#monitoring-contributor) role.

+ Title: Analyze application performance traces with Application Insights Profiler

+Diagnosing your application's performance issues can be difficult, especially when running on a production environment in the dynamic cloud. Slow responses in your application could be caused by infrastructure, framework, or application code handling the request in the pipeline.

+With Application Insights Profiler, you can capture, identify, and view performance traces for your application running in Azure, regardless of the scenario. The Profiler trace process occurs automatically, at scale, and doesn't negatively affect your users. The Profiler identifies:

+- The median, fastest, and slowest response times for each web request made by your customers.

+- The "hot" code path spending the most time handling a particular web request.

+Enable the Profiler on all your Azure applications to gather data with the following triggers:

+Each of these triggers can be [configured, enabled, or disabled](./profiler-settings.md#trigger-settings).

+Profiler randomly runs two minutes per hour on each virtual machine hosting applications with Profiler enabled. When Profiler is running, it adds from 5 percent to 15 percent CPU overhead to the server.

+- The **Profiler** button:

+- Operations:

+Application Insights needs to track requests for your application to provide profiles for your application on the **Performance** page in the Azure portal. For applications built on already-instrumented frameworks (like ASP.NET and ASP.NET Core), Application Insights can automatically track requests.

+In this article, you learn how to run Application Insights Profiler on your Azure virtual machine (VM) or Azure virtual machine scale set via three different methods:

+- Visual Studio and Azure Resource Manager

+- PowerShell

+- Azure Resource Explorer

+With any of these methods, you:

+- Within your ASP.NET Core application by using an Azure Resource Manager template and Visual Studio. **Recommended.**

+Application Insights Profiler is preinstalled as part of the Azure App Service runtime. You can run Profiler on ASP.NET and ASP.NET Core apps running on App Service by using the Basic service tier or higher. Follow these steps, even if you included the Application Insights SDK in your application at build time.

+> Codeless installation of Application Insights Profiler follows the .NET Core support policy. For more information about supported runtime, see [.NET Core Support Policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

+## Verify the "Always on" setting is enabled

+* `Location` - URL for determining when an operation has completed. Use this value only when `Azure-AsyncOperation` isn't returned.

+* For information about deploying templates through the Resource Manager REST API, see [Deploy resources with Resource Manager templates and Resource Manager REST API](../templates/deploy-rest.md).

+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/open-access-configuration.png" alt-text="Screenshot shows how to open access configuration under settings." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/open-access-configuration.png":::

+ Under **Details**, select **View** to view the permissions granted by the role and ensure *Set* permission on *Secret* is available.

+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/view-permission-details.png" alt-text="Screenshot shows how to view the permission details." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/view-permission-details.png":::

+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/check-set-permission-availability-on-secret.png" alt-text="Screenshot shows how to check the Set permission availability." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/check-set-permission-availability-on-secret.png":::

+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/add-members-in-managed-identity.png" alt-text="Screenshot shows how to add members in managed identity." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/add-members-in-managed-identity.png":::

+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/review-and-assign-permissions.png" alt-text="Screenshot shows how to review and assign permissions." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/review-and-assign-permissions.png":::

+7. Go to **Access control (IAM)** in the Key Vault, select **Role assignments** and ensure that the Recovery Services vault is listed.

+ :::image type="content" source="./media/save-backup-passphrase-securely-in-azure-key-vault/recovery-services-vault-listed-in-access-control.png" alt-text="Screenshot shows the Recovery Services vault is listed in access control." lightbox="./media/save-backup-passphrase-securely-in-azure-key-vault/recovery-services-vault-listed-in-access-control.png":::

+ Title: Target selection in Azure Chaos Studio Preview

+description: Understand two different ways to select experiment targets in Azure Chaos Studio Preview.

+# Target selection in Azure Chaos Studio Preview

+Every chaos experiment is made up of a different combination of faults and targets, building up to a unique outage scenario to test your system's resilience against. You may want to select a fixed set of targets for your chaos experiment, or provide a rule in which all matching fault-onboarded resources are included as targets in your experiment. Chaos Studio enables you to do both by providing both manual and query-based target selection.

+## List-based manual target selection

+List-based manual target selection allows you to select a fixed set of onboarded targets for a particular fault in your chaos experiment. Depending on the selected fault, you may select one or more onboarded resources to target. The aforementioned resources are added to the experiment upon creation time. In order to modify the list, you must navigate to the experiment's page and add or remove fault targets manually. An example of manual target selection is shown below.

+[  ](images/manual-target-selection.png#lightbox)

+## Query-based dynamic target selection

+Query-based dynamic target selection allows you to input a KQL query that will select all onboarded targets that match the query result set. Using your query, you may filter targets based on common Azure resource parameters including type, region, name, and more. Upon experiment creation time, only the query itself will be added to your chaos experiment.

+The inputted query will run and add onboarded targets that match its result set upon experiment execution time. Thus, any resources onboarded to Chaos Studio after experiment creation time that match the query result set upon experiment execution time will be targeted by your experiment. You may preview your query's result set when adding it to your experiment, but be aware that it may not match the result set at experiment execution time. An example of a possible dynamic target query is shown below.

+[  ](images/dynamic-target-selection-preview.png#lightbox)

+## Next steps

+Now that you understand both ways to select targets within a chaos experiment, you're ready to:

+- [Create and run your first experiment](chaos-studio-tutorial-service-direct-portal.md)

+For example, you can record 1:1 or 1:N audio and video calls:

+

+| **Maximum # of incoming remote streams that can be rendered simultaneously** | 9 videos + 1 screen sharing on desktop browsers*, 4 videos + 1 screen sharing on web mobile browsers | 9 videos + 1 screen sharing |

+\* Starting from ACS Web Calling SDK version [1.16.3](https://github.com/Azure/Communication/blob/master/releasenotes/acs-javascript-calling-library-release-notes.md#1163-stable-2023-08-24)

+ Title: Deploy a virtual machine scale set using a hardened Linux image

+description: Learn how to use vmss to deploy a scale set using the hardened linux image.

+m

+# Deploy a virtual machine scale set using a hardened Linux image

+**Applies to:** :heavy_check_mark: Hardened Linux Images

+Virtual machine scale set deployments using images from Azure marketplace can be done following the steps described for standard [VMSS deployments](/azure/virtual-machine-scale-sets/flexible-virtual-machine-scale-sets-cli).

+However, if you have chosen to create a hardened linux image by removing the Azure guest agents, it's crucial to comprehend what functionalities the VM loses before you decide to remove the Azure Linux Agent, and how it affects vmss deployment.

+This "how to" document describes the steps to deploy a virtual machine scale set instance while comprehending the functional limitations of the hardened image on deploying the vmss instance.

+## Prerequisites

+- Azure subscription - If you don't have an Azure subscription, [create a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- If your free trial accounts don't have access to the VMs used in this tutorial, one option is to use a [pay as you go subscription](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/).

+- A hardened linux image - you can create one from this [article](harden-a-linux-image-to-remove-azure-guest-agent.md).

+

+### VMSS confidential VM deployment from a hardened Linux image

+Steps to deploy a scale set using VMSS and a hardened image are as follows:

+1. Follow the steps to harden a Linux image.

+ [Harden a Linux image to remove Azure guest agent](harden-a-linux-image-to-remove-azure-guest-agent.md).

+

+ [Harden a Linux image to remove sudo users](harden-the-linux-image-to-remove-sudo-users.md).

+2. Log in to the Azure CLI.

+ Make sure that you've installed the latest [Azure CLI](/cli/azure/install-azure-cli) and are logged in to an Azure account with [az login](/cli/azure/reference-index).

+3. Launch Azure Cloud Shell.

+ The [Azure Cloud Shell](https://shell.azure.com/cli) is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

+ To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also open Cloud Shell in a separate browser tab by going to https://shell.azure.com/bash. Select Copy to copy the blocks of code, paste it into the Cloud Shell, and select Enter to run it.

+ If you prefer to install and use the CLI locally, this quickstart requires Azure CLI version 2.0.30 or later. Run az--version to find the version. If you need to install or upgrade, see Install Azure CLI.

+

+4. Create a resource group.

+ Create a resource group with the [az group create](/cli/azure/group) command. An Azure resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named myResourceGroup in the eastus location:

+

+

+ ```Azure CLI

+ az group create --name myResourceGroup --location eastus

+ ```

+ > [!NOTE]

+ > Confidential VMs are not available in all locations. For currently supported locations, see which [VM products are available by Azure region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines).

+5. Create a Virtual Machine Scale Set.

+ Now create a Virtual Machine Scale Set with az vmss create az cli. The following example creates a scale set called myScaleSet with an instance count of 2.

+

+ If you are looking to set an admin username, ensure that it isn't part of the [reserved words](/rest/api/compute/virtualmachines/createorupdate#osprofile) list for vmss.

+ In this case, the username is auto set to azureuser.

+ For the admin credentials, you will be able to use the credentials that you set from the hardened image while you create the vm.

+ > [!NOTE]

+ > For specalized images, [osprofile properties](/azure/virtual-machines/shared-image-galleries) are handled differently than generalized images.

+ > Using a [load balancer](/azure/load-balancer/load-balancer-overview) is optional but is encouraged for these reasons.

+

+ ```azurecli-interactive

+ az vmss create \

+ --resource-group myResourceGroup \

+ --name myScaleSet \

+ --vm-sku "Standard_DC4as_v5" \

+ --security-type ConfidentialVM \

+ --os-disk-security-encryption-type DiskwithVMGuestState \

+ --os-disk-secure-vm-disk-encryption-set "/subscriptions/.../disk-encryption-sets/<des-name>" \

+ --image "/subscriptions/.../images/<imageName>/versions/<version>" \

+ --enable-vtpm true \

+ --enable-secure-boot true \

+ --vnet-name <virtual-network-name> \

+ --subnet <subnet-name> \

+ --lb "/subscriptions/.../loadBalancers/<lb-name>" \

+ --specialized true \

+ --instance-count 2 \

+ --admin-username "azureuser" \

+ --admin-password ""

+ ```

+6. Access the virtual machine scale set from the portal.

+ You can access your cvm scale set and use the admin username and password set previously to log in. Please note that if you choose to update the admin credentials, do so directly in the scale set model using the cli.

+ > [!NOTE]

+ > If you are looking to deploy cvm scaled scale using the custom hardened image, please note that some features related to auto scaling will be restricted. Will manual scaling rules continue to work as expected, the autoscaling ability will be limited due to the agentless custom image. More details on the restrictions can be found here for the [provisioning agent](/azure/virtual-machines/linux/disable-provisioning). Alternatively, you can navigate to the metrics tab on the azure portal and confirm the same.

+ > However, you can continue to set up custom rules based on load balancer metrics such as SYN count, SNAT connection count, etc.

+## Next Steps

+In this article, you learned how to deploy a virtual machine scale set instance with a hardened linux image. For more information about CVM, see [DCasv5 and ECasv5 series confidential VMs](confidential-vm-overview.md).

+* [Create a new application secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret)

+* [Open a support ticket](https://azure.microsoft.com/support/create-ticket/) - based on information you provide, a quick diagnostic might be run for authentication failures in your registry

+**Range** indexes are based on an ordered tree-like structure. The range index type is used for:

+- Queries with a filter on two or more properties where at least one property is an equality filter

+- The above query will first filter for entries where firstName = "Andrew" by using the index. It then passes all of the firstName = "Andrew" entries through a subsequent pipeline to evaluate the CONTAINS filter predicate.

+When writing queries, you should use filter predicates that use the index as efficiently as possible. For example, if either `StartsWith` or `Contains` would work for your use case, you should opt for `StartsWith` since it does a precise index scan instead of a full index scan.

+In some cases, the index can return false positives. For example, when evaluating `Contains` on the index, the number of matches in the index may exceed the number of query results. The query engine loads all index matches, evaluates the filter on the loaded items, and returns only the correct results.

+For most queries, loading false positive index matches doesn't have any noticeable effect on index utilization.

+ "fileLoggingMode": "debugOnly",